Modify

Opened 6 years ago

Last modified 4 years ago

#10787 new defect

cryptsetup luksOpen fails to create xts dm-crypt mapping.

Reported by: fredrik.ohrn@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

Using snapshot build r29732 on AGV2+W (brcm63xx) cryptsetup fails to set up the dm-crypt mapping.

root@OpenWrt:/# cryptsetup luksDump /dev/sda
LUKS header information for /dev/sda

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 2056
...

root@OpenWrt:/# cryptsetup luksOpen /dev/sda usbstick
Enter passphrase for /dev/sda: 
[  980.084000] device-mapper: table: 254:0: crypt: Error allocating crypto tfm
[  980.092000] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/sda.
Check that kernel supports aes-xts-plain cipher (check syslog for more info).
Failed to read from key storage.

Entering a bogus password gives the exact same error message instead of the expected "No key available with this passphrase." so I guess that the problem is with cryptsetup rather than the kernel.

Opening the USB stick worked fine on the old r29732 snapshot I had installed previously and it works fine on a desktop PC.

Attachments (2)

lsmod.txt (3.9 KB) - added by fredrik.ohrn@… 6 years ago.
Output from lsmod.
crypto.txt (664 bytes) - added by fredrik.ohrn@… 6 years ago.
Output from /proc/crypto

Download all attachments as: .zip

Change History (9)

Changed 6 years ago by fredrik.ohrn@…

Output from lsmod.

Changed 6 years ago by fredrik.ohrn@…

Output from /proc/crypto

comment:1 Changed 5 years ago by fredrik.ohrn@…

Tested again on the attitude adjustment beta and the problem remains.

comment:2 Changed 5 years ago by anonymous

Testing some more, aes-cbc-essiv:sha256 doesn't work either.

Curiously neither sha1 nor sha256 are listed in /proc/crypto, I wonder if missing sha support is the reason.

comment:3 Changed 5 years ago by fredrik.ohrn@…

With a lot of trial and error I've figured it out, additional kernel module packages need to be installed manually.

To use aes-cbc-plain install kmod-crypto-aes, kmod-crypto-cbc and kmod-crypto-iv.

To use aes-xts-plain install kmod-crypto-aes, kmod-crypto-xts and kmod-crypto-iv.

Using aes-cbc-essiv:sha256 is not possible because there is no kmod-crypto-sha256 package. I didn't test aes-cbc-essiv:md5 and aes-cbc-essiv:sha1 but they probably work since there are packages for md5 and sha1.

It would be really helpful if cryptsetup depended on the relevant kernel packages, or if there was some clearly labeled meta packages for the various disk encryption schemes to pull in dependencies.

comment:4 Changed 4 years ago by anonymous

+1, same "trial and error" process here, same result... additionally, the lvm2-dependency is not needed (and won't even fit in smaller devices)

comment:5 Changed 4 years ago by anonymous

comment:6 Changed 4 years ago by anonymous

Another +1, this thread helped me a lot. These are the packages I've built and installed:

kmod-crypto-aes_3.8.13-1_lantiq.ipk
kmod-crypto-cbc_3.8.13-1_lantiq.ipk
kmod-crypto-xts_3.8.13-1_lantiq.ipk
kmod-crypto-sha1_3.8.13-1_lantiq.ipk
kmod-crypto-iv_3.8.13-1_lantiq.ipk
kmod-crypto-ecb_3.8.13-1_lantiq.ipk
kmod-crypto-hash_3.8.13-1_lantiq.ipk
kmod-crypto-misc_3.8.13-1_lantiq.ipk
kmod-crypto-rng_3.8.13-1_lantiq.ipk
kmod-crypto-wq_3.8.13-1_lantiq.ipk
kmod-crypto-hash_3.8.13-1_lantiq.ipk
kmod-crypto-md5_3.8.13-1_lantiq.ipk
kmod-crypto-md4_3.8.13-1_lantiq.ipk
kmod-crypto-sha256_3.8.13-1_lantiq.ipk
kmod-crypto-core_3.8.13-1_lantiq.ipk

cryptsetup_1.4.1-1_lantiq.ipk
libdevmapper_2.02.96-1_lantiq.ipk
kmod-dm_3.8.13-1_lantiq.ipk
libgcrypt_1.5.0-1_lantiq.ipk
libgpg-error_1.9-1_lantiq.ipk
lvm2_2.02.96-1_lantiq.ipk
libuuid_2.21.2-2_lantiq.ipk
libblkid_2.21.2-2_lantiq.ipk
libreadline_6.2-1_lantiq.ipk

kmod-crypto-manager_3.8.13-1_lantiq.ipk
kmod-crypto-pcompress_3.8.13-1_lantiq.ipk

kmod-loop-aes_3.8.13+3.6e-1_lantiq.ipk

comment:7 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

Action
as new .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.