[UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be loaded manually

Bug #2116061 reported by bugproxy
This bug affects 1 person
Affects                    Status        Importance  Assigned to             Milestone
Ubuntu on IBM z Systems    Fix Released  High        Unassigned
linux (Ubuntu)             Fix Released  High        Massimiliano Pellizzer
  Noble                    Invalid       Undecided   Unassigned
  Plucky                   Fix Released  High        Massimiliano Pellizzer
  Questing                 Fix Released  High        Massimiliano Pellizzer
linux-hwe-6.14 (Ubuntu)    Invalid       Undecided   Unassigned
  Noble                    Fix Released  High        Stefan Bader
  Plucky                   Invalid       Undecided   Unassigned
  Questing                 Invalid       Undecided   Unassigned

Bug Description

[ Impact ]

s390: Build ap driver into the kernel

The adjunct processor (AP) bus driver is currently configured as a loadable module.
This leads to a bug on systems that rely on early access to hardware
cryptographic resources. In particular, encrypted root filesystems using secure keys
may fail to boot if the AP module is not available at boot.

Fix the issue by building the AP driver into the kernel.

[ Fix ]

The issue can be fixed by building the AP driver into the kernel:
CONFIG_AP=y

[ Test Plan ]

Run the command lszcrypt.
This should display the current state of crypto hardware
even without explicitly loading the ap module.

[ Regression Potential ]

The now built-in driver is small and unlikely to cause problems unless the target environment is extremely memory-constrained or the kernel image size approaches bootloader limits (rare on IBM Z mainframes).

---

== Comment: #0 - Grgo Mariani <email address hidden> - 2025-06-23 00:28:40 ==
---Problem Description---
The previously built-in kernel module ap now has to be loaded manually. This means that lszcrypt output will show no cards and pkey functionality cannot be used before the module is loaded.

Terminal output shows:

$ lszcrypt -V
lszcrypt: Crypto device driver not available.
$ modprobe ap
$ lszcrypt -V
CARD.DOM TYPE MODE STATUS REQUESTS PENDING HWTYPE QDEPTH FUNCTIONS DRIVER
--------------------------------------------------------------------------------------------
00 CEX7A Accelerator online 0 0 13 08 -MC-A-N-F- cex4card
00.0017 CEX7A Accelerator online 0 0 13 08 -MC-A-N-F- cex4queue
$ modinfo ap
filename: /lib/modules/6.14.0-22-generic/kernel/drivers/s390/crypto/ap.ko.zst
license: GPL
description: Adjunct Processor Bus driver
author: IBM Corporation
srcversion: 99B7B128E77089951FE3C3A
depends:
intree: Y
name: ap
vermagic: 6.14.0-22-generic SMP mod_unload modversions
sig_id: PKCS#7
signer: Build time autogenerated kernel key

---Additional Hardware Info---
CEX cards attached.

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 Install the distro (ubuntu 25.04) and run the following commands:
$ lszcrypt
$ modinfo ap
$ modprobe ap
$ lszcrypt

---uname output---
Linux SYSTEM 6.14.0-22-generic #22-Ubuntu SMP Wed May 21 13:32:46 UTC 2025 s390x s390x s390x GNU/Linux

Contact Information = <email address hidden> <email address hidden>

Machine Type = Manufacturer: IBM Type: 8561 Model: 701 T01

System Dump Info:
  The system is not configured to capture a system dump.

Stack trace output:
 no

Oops output:
 no

== Comment: #2 - Holger Dengler <email address hidden> - 2025-06-23 02:25:11 ==
The architecture default-configurations all configure ap as built-in. If a distribution decides to do it differently, they should be aware of such regression cases. In my opinion, it is the responsibility of the distro to fix this. Either by changing the configuration for ap or by loading the ap module explicitly.

There is also another aspect: if customers use encrypted disks with paes, it might also be necessary to include the ap module in the initramfs and load it explicitly there as well. Otherwise it will be hard to decrypt the disk, if secure keys are used.

== Comment: #3 - Grgo Mariani <email address hidden> - 2025-06-23 03:30:40 ==
Good catch, the ap module is not listed in the initrd

$ lsinitramfs /boot/initrd.img-$(uname -r) | grep ap
usr/lib/modules/6.14.0-22-generic/kernel/drivers/base/regmap
usr/lib/modules/6.14.0-22-generic/kernel/drivers/base/regmap/regmap-mmio.ko.zst
usr/lib/modules/6.14.0-22-generic/kernel/drivers/md/dm-snapshot.ko.zst
etc/console-setup/cached_UTF-8_del.kmap.gz
usr/bin/mkswap
usr/bin/loadkmap
usr/bin/dumpkmap
usr/lib/multipath/libprioontap.so
usr/lib/s390x-linux-gnu/libcap-ng.so.0
usr/lib/s390x-linux-gnu/libcap-ng.so.0.0.0
usr/lib/s390x-linux-gnu/libcap.so.2
usr/lib/s390x-linux-gnu/libcap.so.2.73
usr/lib/s390x-linux-gnu/libdevmapper-event.so.1.02.1
usr/lib/s390x-linux-gnu/libdevmapper.so.1.02.1
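
The check discussed in comments #2 and #3, as an added example that is not part of the original bug report: it reads a kernel config file and an lsinitramfs listing and reports whether the AP bus driver will be available at early boot. The function names are hypothetical and the sample inputs are constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether the s390 AP bus
# driver will be usable at early boot, from a kernel config file and an
# lsinitramfs listing. Function names are hypothetical.

# Print builtin, module or disabled for CONFIG_AP in kernel config file $1.
ap_config_state() {
    if grep -qx 'CONFIG_AP=y' "$1"; then echo builtin
    elif grep -qx 'CONFIG_AP=m' "$1"; then echo module
    else echo disabled
    fi
}

# Succeed only if listing file $1 contains the ap module itself. Anchoring on
# the path from the modinfo output avoids the regmap/libcap noise of "grep ap".
ap_in_initramfs() {
    grep -Eq '(^|/)kernel/drivers/s390/crypto/ap\.ko(\.(zst|xz|gz))?$' "$1"
}

# Combine both checks into one verdict line.
ap_early_boot_verdict() {
    case "$(ap_config_state "$1")" in
        builtin) echo "ok: AP driver is built into the kernel" ;;
        module)
            if ap_in_initramfs "$2"; then
                echo "ok: ap is a module and present in the initramfs"
            else
                echo "risk: ap is a module and missing from the initramfs"
            fi ;;
        *) echo "risk: AP driver is not enabled" ;;
    esac
}

# Constructed sample inputs, modelled on the output quoted in the comments.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'CONFIG_S390=y\nCONFIG_AP=m\n' > "$demo_dir/config.module"
printf 'CONFIG_S390=y\nCONFIG_AP=y\n' > "$demo_dir/config.builtin"
printf '%s\n' \
    'usr/lib/modules/6.14.0-22-generic/kernel/drivers/base/regmap/regmap-mmio.ko.zst' \
    'usr/lib/s390x-linux-gnu/libcap.so.2' > "$demo_dir/initrd.without"
printf '%s\n' \
    'usr/lib/modules/6.14.0-22-generic/kernel/drivers/s390/crypto/ap.ko.zst' \
    > "$demo_dir/initrd.with"

ap_early_boot_verdict "$demo_dir/config.module" "$demo_dir/initrd.without"
ap_early_boot_verdict "$demo_dir/config.module" "$demo_dir/initrd.with"
ap_early_boot_verdict "$demo_dir/config.builtin" "$demo_dir/initrd.without"
```

On an installed system the two arguments would be /boot/config-$(uname -r) and a file holding the output of lsinitramfs /boot/initrd.img-$(uname -r).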