SUSE-RU-2026:21350-1: important: Recommended update for cryptsetup, s390-tools
SLE-UPDATES
null at suse.de
Mon Apr 27 16:30:57 UTC 2026
# Recommended update for cryptsetup, s390-tools
Announcement ID: SUSE-RU-2026:21350-1
Release Date: 2026-04-24T10:13:38Z
Rating: important
References:
* bsc#1241612
* bsc#1258506
* bsc#1261772
* bsc#1261824
* bsc#1262221
* jsc#PED-14586
* jsc#PED-15488
* jsc#PED-15889
Affected Products:
* SUSE Linux Micro 6.2
An update that contains three features and has five fixes can now be installed.
## Description:
This update for cryptsetup, s390-tools fixes the following issues:
Changes in cryptsetup:
* Update to 2.8.4: (jsc#PED-15889)
* Fix integritysetup resize (grow) of the device if integrity bitmap mode is
used. Increasing the integrity device in bitmap mode did not work as
integritysetup incorrectly used journal settings that were not applicable.
* Fix device size status reports in cryptsetup and integritysetup. If the
device uses a sector size larger than 512 bytes, the newly reported byte
sizes (introduced in 2.8.0) in the status report were incorrectly displayed.
* BITLK: Fix unlocking BitLocker device with recovery passphrase. If the
recovery passphrase was present in the first keyslot, the device failed to
unlock. This bug was introduced in 2.8.2 with Clear Key support.
* Update to 2.8.3:
* Stable bug-fix release with minor extensions.
* Update to 2.8.2:
* BITLK: Fix for BitLocker metadata validation on big-endian systems.
* Update to 2.8.1:
* Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that
use chained ciphers.
* Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8
characters in the passphrase.
* Do not allow activation of the LUKS2 device if the used keyslot is not
encrypted (it uses a null cipher).
* Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
* Null cipher is sometimes used to create an empty container for later reencryption.
* Only an empty passphrase can activate such a container (the same as in LUKS1).
* Do not silently decrease PBKDF parallel cost (threads) if set by an option.
* The maximum parallel cost is limited to 4 threads.
* Fixes to configuration and installation scripts.
* Meson and autoconf tools now properly support --prefix option for temporary directory installation.
* Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
* Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
* Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
* Major update to manual pages.
* Try to explain the PBKDF hardcoded limits.
* Add a better explanation for automatic integrity tag recalculation.
* Mention crypt/verity/integritytab.
* Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
* Clarify that some commands do not wipe data and unify OPAL reset wording.
* Clarify the --label option.
* There are also many other grammar and stylistic fixes to unify the man-page style.
* Fixes for false-positive and annoying (optional) warnings added in recent
compilers.
* Update to 2.8.0:
* Full release notes in:
* https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
* Introduce support for inline mode (use HW sectors with additional hardware
metadata space).
* Finalize use of keyslot context API.
* Make all keyslot context types fully self-contained.
* Add --key-description and --new-key-description cryptsetup options.
* Support more precise keyslot selection in reencryption initialization.
* Allow reencryption to resume using token and volume keys.
* Cryptsetup repair command now tries to check LUKS keyslot areas for
corruption.
* Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
* Opal2: Avoid the Erase method and use Secure Erase for locking range.
* Opal2: Fix some error description (in debug only).
* Opal2: Do not allow deferred deactivation.
* Allow --reduce-device-size and --device-size combination for reencryption
(encrypt) action.
* Fix the userspace storage backend to support kernel "capi:" cipher
specification format.
* Disallow conversion from LUKS2 to LUKS1 if kernel "capi:" cipher
specification is used.
* Explicitly disallow kernel "capi:" cipher specification format for LUKS2
keyslot encryption.
* Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
* cryptsetup: Adjust the XTS key size for kernel "capi:" cipher specification.
* Remove keyslot warning about possible failure due to low memory.
* Do not limit Argon2 KDF memory cost on systems with more than 4GB of
available memory.
* Properly report out of memory error for cryptographic backends implementing
Argon2.
* Avoid KDF2 memory cost overflow on 32-bit platforms.
* Do not use page size as a fallback for device block size.
* veritysetup: Check hash device size in advance.
* Print a better error message for unsupported LUKS2 AEAD device resize.
* Optimize LUKS2 metadata writes.
* veritysetup: support --error-as-corruption option.
* Report all sizes in status and dump command output in the correct units.
* Add --integrity-key-size option to cryptsetup.
* Support trusted and encrypted keyrings for plain devices.
* Support plain format resize with a keyring key.
* TCRYPT: Clear mapping of system-encrypted partitions.
* TCRYPT: Print all information from the decrypted metadata header in the
tcryptDump command.
* Always lock the volume key structure in memory.
* Do not run direct-io read check on block devices.
* Fix a possible segfault in deferred deactivation.
* Exclude cipher allocation time from the cryptsetup benchmark.
* Add Mbed-TLS optional crypto backend.
* Fix the wrong preprocessor use of #ifdef for config.h processed by Meson.
* Reorganize license files. The license text files are now in docs/licenses.
The COPYING file in the root directory is the default license.
* Remove cc-by-sa-4.0.txt as already shipped now in docs/licenses and named as
COPYING.CC-BY-SA-4.0.
* Libcryptsetup API extensions. The libcryptsetup API is backward compatible
with all existing symbols. Due to the self-contained memory allocation,
these symbols have the new version:
* crypt_keyslot_context_init_by_passphrase;
* crypt_keyslot_context_init_by_keyfile;
* crypt_keyslot_context_init_by_token;
* crypt_keyslot_context_init_by_volume_key;
* crypt_keyslot_context_init_by_signed_key;
* crypt_keyslot_context_init_by_keyring;
* crypt_keyslot_context_init_by_vk_in_keyring;
* New symbols:
* crypt_format_inline
* crypt_get_old_volume_key_size
* crypt_reencrypt_init_by_keyslot_context
* crypt_safe_memcpy
* New defines:
* CRYPT_ACTIVATE_HIGH_PRIORITY
* CRYPT_ACTIVATE_ERROR_AS_CORRUPTION
* CRYPT_ACTIVATE_INLINE_MODE
* CRYPT_REENCRYPT_CREATE_NEW_DIGEST
* New requirement flag:
* CRYPT_REQUIREMENT_INLINE_HW_TAGS
* Add a dependency on device-mapper to libcryptsetup12 to install the required
device-mapper udev rules. [bsc#1241612]
Changes in s390-tools:
* Applied a patch to remove phmac_s390 kernel module load from dracut
* Applied tools-combined modified patch (bsc#1262221)
* Amended SUSE's 'pkey.conf'
* Re-vendor-ed vendor.tar.zst
* Applied patches (bsc#1261824, bsc#1261772)
* Replace sort_field option with sort
* hyptop opts Fix long command line option abbreviations
* Refactored the spec file for transactional and immutable OS
* Modernized the .spec file for transactional and immutable OS environments.
* Removed legacy suse_version and sle_version conditionals, standardizing on
UsrMerge paths.
* Replaced manual %pre group creations with systemd-sysusers configuration for
ts-shell, zkeyadm, and cpacfstats.
* Replaced hardcoded /var/log directory management with systemd-tmpfiles
configuration.
* Removed obsolete systemctl daemon-reload calls and consolidate standard
%service_* systemd macros.
* Dropped brittle dynamic file list generation (find/grep) in favor of
explicit and deterministic %files declarations.
* Resolved "File listed twice" conflicts between the main package and chreipl-
fcp-mpath subpackage.
* Added missing BuildRequires for systemd-rpm-macros and sysuser-tools.
* Fixed unpackaged files errors for mdevctl callouts, shell completions, and
root /lib helpers.
* Changed BuildArch to noarch for the chreipl-fcp-mpath subpackage.
* Added files (renamed from *.opensuse)
* 59-graf.rules
* dasd_configure
* dasd_reload
* detach_disks.sh
* iucv_configure
* killcdl
* mkdump.pl
* README.SUSE
* virtsetup.sh
* vmlogrdr.service
* Removed obolete files
* 59-graf.rules.opensuse
* 59-graf.rules.suse
* dasd_configure.opensuse
* dasd_configure.suse
* dasd_reload.opensuse
* dasd_reload.suse
* detach_disks.sh.opensuse
* detach_disks.sh.suse
* iucv_configure.opensuse
* iucv_configure.suse
* killcdl.opensuse
* killcdl.suse
* mkdump.pl.opensuse
* mkdump.pl.suse
* README.SUSE.opensuse
* README.SUSE.suse
* virtsetup.sh.opensuse
* virtsetup.sh.suse
* vmlogrdr.service.opensuse
* vmlogrdr.service.suse
* Upgrade s390-tools to version 2.41.0 (jsc#PED-14586, jsc#PED-15488)
* Changes of existing tools:
* chreipl: Make --bootparms work for ECKD re-IPL
* cpacfstats: Add 'unauthorized' state to CPU-MF counters
* cpictl: Detect RHCOS using VARIANT_ID
* hsci: Automatically set appropriate MTU for HSCI
* libutil: Add util_readlink() and util_readlinkat() helpers
* libutil: Add util_startswith() to util_str
* libutil: Add utility parsing functions
* lschp: Add support for structured output (--format)
* lsreipl: Suppress 'clear' output if not supported
* pvimg: Add '\--format text' support to 'pvimg info'
* pvimg: Add '\--print-schema ' option to 'pvimg info'
* pvimg: Add '\--show-secrets' flag to 'pvimg info'
* pvimg: Provide improved JSON output to 'pvimg info --format json'
* pvinfo: Improve User experience on non-SE enabled systems
* zipl/ngdump: Ensure ext4 file system is used on dump partition
* zkey: Add support for integrity protected disks using HMAC keys
* Bug Fixes:
* cpumf/pai: Handle different size of perf_event_attr
* lscss: Fix memory leak
* zipl: Fix dump job on tape devices
* Amended the .spec file (bsc#1258506)
* "Installing" all shipped rules from etc/udev/rules.d to
/usr/lib/udev/rules.d
* BuildRequires: cryptsetup-devel >= 2.8.2
* Updated the code for IBM z17 machine type 9176:
* read_values.c
* cputype
* Renamed cputype.1 to cputype.8 and amended
* Amended read_values.8
* "Improved" the read_values.c:
* Added functionalities for '-a' and '-L attributes'
* Reworked and combined all s390-tools patches (jsc#PED-14586)
* Applied new combined patches
* Removed obsolete patches
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.2
zypper in -t patch SUSE-SL-Micro-6.2-642=1
## Package List:
* SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
* libcryptsetup12-2.8.4-160000.1.1
* cryptsetup-2.8.4-160000.1.1
* libcryptsetup12-debuginfo-2.8.4-160000.1.1
* cryptsetup-debuginfo-2.8.4-160000.1.1
* cryptsetup-debugsource-2.8.4-160000.1.1
* SUSE Linux Micro 6.2 (s390x)
* s390-tools-debugsource-2.41.0-160000.1.1
* libkmipclient1-debuginfo-2.41.0-160000.1.1
* s390-tools-2.41.0-160000.1.1
* s390-tools-debuginfo-2.41.0-160000.1.1
* libekmfweb1-debuginfo-2.41.0-160000.1.1
* libkmipclient1-2.41.0-160000.1.1
* libekmfweb1-2.41.0-160000.1.1
* SUSE Linux Micro 6.2 (noarch)
* s390-tools-genprotimg-data-2.41.0-160000.1.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1241612
* https://bugzilla.suse.com/show_bug.cgi?id=1258506
* https://bugzilla.suse.com/show_bug.cgi?id=1261772
* https://bugzilla.suse.com/show_bug.cgi?id=1261824
* https://bugzilla.suse.com/show_bug.cgi?id=1262221
* https://jira.suse.com/browse/PED-14586
* https://jira.suse.com/browse/PED-15488
* https://jira.suse.com/browse/PED-15889
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260427/fa2002af/attachment.htm>
More information about the sle-updates
mailing list