Notification
Risk classification
HIPER (High Impact and/or Pervasive)
Risk categories
Function Loss
Abstract
IJ35178 - Encrypted logical volumes unable to mount
Description
First Issued: November 11, 2021
Updated: December 14, 2021
Update: New iFixes provided for all AIX levels. The previous iFixes were not cumulative, and the new iFixes are intended to supplant the previous fixes.
For logical volumes encrypted on a system without IJ35178 applied (referred to as 'Version 0' encrypted LVs), changing the in_core_enabled setting with the acfo command can result in garbage data being read from or written to the LV due to a difference in the encryption/decryption method used with in_core_enabled. This behavior can cause file systems to fail to mount, or applications that use raw LVs to fail to run. Reverting to the original in_core_enabled setting used when the LV was first encrypted restores access to the LV data.
To determine the version of an encrypted LV, run the following command:
hdcryptmgr showmd <lv_name>
.....
..... Tue Oct 5 00:52:35 2021
..... Device type : LV
..... Device name : fslv00
.....
=============== B: LV HEADER ==[minor: 1]==
Version : 0
...
Encryption status : Fully encrypted
Data crypto algorithm : AES_XTS
=============== E: LV HEADER ================
...
Recommended Action
For systems with encrypted LVs, we recommend installing a fix for IJ35178 as soon as possible to ensure newly encrypted LVs are created by using the new encryption method (referred to as 'Version 1'), which is compatible with both in_core_enabled settings.
To allow toggling between in_core_enabled settings and maintain future compatibility, after installing the fix, we recommend any 'Version 0' volumes be decrypted and encrypted again, becoming 'Version 1' volumes, with the following commands:
1. hdcryptmgr crypt2plain <lv_name>
2. hdcryptmgr plain2crypt <lv_name>
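As an added example (not IBM's code), the following POSIX shell script reads the Version field from the LV HEADER block of hdcryptmgr showmd output and lists which LVs are still 'Version 0' and therefore need the crypt2plain / plain2crypt cycle. The function names, the HDCRYPTMGR override variable and the embedded sample output are assumptions constructed for illustration; only the showmd subcommand and the header fields come from this notice.

```shell
#!/bin/sh
# Added example (not IBM code): flag 'Version 0' encrypted LVs from showmd output.
HDCRYPTMGR=${HDCRYPTMGR:-hdcryptmgr}   # hypothetical override, allows offline testing

# Constructed sample, modeled on the showmd excerpt in this notice.
sample_showmd() {
    cat <<'EOF'
.....    Device type : LV
.....    Device name : fslv00
=============== B: LV HEADER ==[minor: 1]==
Version                  : 0
Encryption status        : Fully encrypted
Data crypto algorithm    : AES_XTS
=============== E: LV HEADER ================
EOF
}

# Print the Version value found between the B:/E: LV HEADER markers of showmd
# output read from stdin. Returns 1 (and prints nothing) if it is absent.
lv_header_version() {
    awk '
        /B: LV HEADER/ { in_hdr = 1; next }
        /E: LV HEADER/ { in_hdr = 0 }
        in_hdr && /^[ \t]*Version[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print; found = 1; exit
        }
        END { exit !found }'
}

# For each LV name print "<lv> VERSION<n>", or "<lv> UNKNOWN" when showmd fails
# or shows no LV header. VERSION0 means: leave in_core_enabled as it was when
# the LV was encrypted until the LV has been decrypted and encrypted again.
# Returns 2 if any LV is Version 0, else 1 if any is UNKNOWN, else 0.
check_lvs() {
    rc=0
    for lv in "$@"; do
        if ver=$("$HDCRYPTMGR" showmd "$lv" 2>/dev/null | lv_header_version); then
            echo "$lv VERSION$ver"
            [ "$ver" != 0 ] || rc=2
        else
            echo "$lv UNKNOWN"
            [ "$rc" -ne 0 ] || rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_lvs "$@"; fi
```

Run it with the LV names as arguments; a return code of 2 means at least one listed LV is still 'Version 0'.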
Affected AIX Levels and Recommended Fixes
Minimum Affected Level | Maximum Affected Level | Fixing Level | Interim Fix |
---|---|---|---|
7200-05-00 bos.hdcrypt 7.2.5.0 | 7200-05-03-2148 bos.hdcrypt 7.2.5.102 | 7200-05-04-2219 IJ35178 | iFix |

Note: Installation of these fixes requires a reboot.
This table describes which active levels are affected and where to obtain fixes.
Before the APAR fix is available, an interim fix (iFix) is available for each affected level.
The available interim fixes might apply only to the latest Service Packs. If a custom interim fix is required, contact IBM Support.
The interim fixes can be downloaded from the same location by using FTP, HTTP, or HTTPS.
Date first published
11 November 2021
Document Information
Modified date:
19 April 2022
UID
ibm16494777