Hello Stefan,
But then the vfs_cbe requests to have a all zero key encrypted which due to the ICV added by hardware black key handling fails. We cannot seam to find out where the request originates or why vfs_cbe would ever encrypt any key, let alone a key of all zeros.
Whenever the CBE writes the current superblock back to the block device it first has to encrypt the current and the previous(!) key as both are stored within the superblock on the block-device. This is necessary because you may stop the CBE during rekeying and it needs the previous key to complete the operation as there are still blocks encypted with the old key around.
So I assume in your case the previous key was not yet used and therefor is initialized to a default value that, as it happens, is all zeros and the CBE wants to write the superblock back (it does so on every 'sync' request), which is why you encounter this unexpected request.
Regards Josef