Opened 7 years ago

Last modified 4 years ago

#7727 new enhancement

LUKS crypto support for use with cryptsetup

Reported by: ddxx0n Owned by: developers
Priority: normal Milestone: Features Paradise
Component: kernel Version: Trunk
Keywords: luks cryptsetup dm-crypt sha256 xts Cc:

Description

The existing cryptsetup package cannot do anything due to missing kernel modules. This is unfortunate because the current router generation is able to encrypt an attached usb drive without significant performance loss.

The attached patch adds the crypto mapper target (explicitly excluded before for one reason or another) and the recommended LUKS modes (current xts-plain and legacy aes-cbc-essiv:sha256). Tested and working fine; for documentation see http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

Attachments (1)

luks.patch (2.8 KB) - added by ddxx0n 7 years ago.
block and kernel crypto modules and cryptsetup dependencies


Change History (18)

Changed 7 years ago by ddxx0n

block and kernel crypto modules and cryptsetup dependencies

comment:1 follow-up: Changed 7 years ago by anonymous

I tested the patch on r22777.

CONFIG_CRYPTO_GF128MUL is a dependency of xts. I think it's compiled but not packaged, so I added a new crypto-gf128mul package as a dependency of xts in the same file.

I have yet to provide the patch, but the change is trivial.

comment:2 in reply to: ↑ 1 Changed 7 years ago by ddxx0n

Replying to anonymous:

I have yet to provide the patch, but the change is trivial.

You're welcome to enhance/fix the patch, I'd like to see it included in trunk. By the way, enabling CONFIG_BUSYBOX_CONFIG_FEATURE_VOLUMEID_LUKS=y is a good idea, too.

comment:3 Changed 7 years ago by eschoeller@…

For anyone poking around here ... see:
/changeset/22916.html
/changeset/22915.html

Support for dm-crypt and XTS cipher have been added. Also read more here:
https://forum.openwrt.org/viewtopic.php?id=24234

I'm not sure if these two changes completely resolve the issue yet or not.

comment:4 Changed 7 years ago by anonymous

CONFIG_BUSYBOX_CONFIG_FEATURE_VOLUMEID_LUKS=y is the only thing missing. Don't know what it's good for though, it WFM without that option.

comment:5 Changed 7 years ago by anonymous

I tried Backfire 10.03.1-rc4, and dm-crypt is there, but still seems to need cbc-essiv:sha256 or something: I also installed sha256_generic kernel module, and it still doesn't want to mount an encrypted ext4 drive (plain ext4 is ok). What am I missing?

comment:6 Changed 7 years ago by anonymous

Please add cbc-essiv:sha256 in addition to the XTS cipher suite, because the former is the default on Ubuntu and Debian encrypted drive installations. Thanks!

comment:7 Changed 6 years ago by antivirtel

Still doesn't work for me.

Message:

device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda9.
Check that kernel supports aes-cbc-null cipher (check syslog for more info).
Failed to read from key storage.

comment:8 Changed 6 years ago by anonymous

same here not working with Backfire (10.03.1, r29592)

also see #8784 for same issue

device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda1.
Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).
Failed to read from key storage.

root@OpenWrt:~# opkg list-installed | sort

base-files - 43.32-r29592
busybox - 1.15.3-3.4
crda - 1.1.1-1
cryptsetup - 1.3.1-1
dnsmasq - 2.55-6.1
dropbear - 0.53.1-5
firewall - 2-34.8
hotplug2 - 1.0-beta-3
iptables - 1.4.6-3.1
iptables-mod-conntrack - 1.4.6-3.1
iptables-mod-nat - 1.4.6-3.1
iw - 0.9.22-2
kernel - 2.6.32.27-1
kmod-ath - 2.6.32.27+2011-11-15-1
kmod-ath9k - 2.6.32.27+2011-11-15-1
kmod-ath9k-common - 2.6.32.27+2011-11-15-1
kmod-button-hotplug - 2.6.32.27-1
kmod-cfg80211 - 2.6.32.27+2011-11-15-1
kmod-crc-ccitt - 2.6.32.27-1
kmod-crc16 - 2.6.32.27-1
kmod-crypto-aes - 2.6.32.27-1
kmod-crypto-arc4 - 2.6.32.27-1
kmod-crypto-core - 2.6.32.27-1
kmod-crypto-hmac - 2.6.32.27-1
kmod-crypto-misc - 2.6.32.27-1
kmod-crypto-sha1 - 2.6.32.27-1
kmod-dm - 2.6.32.27-1
kmod-fs-ext4 - 2.6.32.27-1
kmod-fs-mbcache - 2.6.32.27-1
kmod-input-core - 2.6.32.27-1
kmod-input-gpio-buttons - 2.6.32.27-1
kmod-input-polldev - 2.6.32.27-1
kmod-ipt-conntrack - 2.6.32.27-1
kmod-ipt-core - 2.6.32.27-1
kmod-ipt-nat - 2.6.32.27-1
kmod-ipt-nathelper - 2.6.32.27-1
kmod-leds-gpio - 2.6.32.27-1
kmod-mac80211 - 2.6.32.27+2011-11-15-1
kmod-nls-base - 2.6.32.27-1
kmod-nls-utf8 - 2.6.32.27-1
kmod-ppp - 2.6.32.27-1
kmod-pppoe - 2.6.32.27-1
kmod-scsi-core - 2.6.32.27-1
kmod-usb-core - 2.6.32.27-1
kmod-usb-ohci - 2.6.32.27-1
kmod-usb-storage - 2.6.32.27-1
kmod-usb2 - 2.6.32.27-1
libblkid - 1.41.11-1
libc - 0.9.30.1-43.32
libdevmapper - 2.02.86-1
libgcc - 4.3.3+cs-43.32
libgcrypt - 1.4.5-1
libgpg-error - 1.7-1
libip4tc - 1.4.6-3.1
libiwinfo - 18
libiwinfo-lua - 18
liblua - 5.1.4-7
libncurses - 5.7-2
libnl-tiny - 0.1-1
libpopt - 1.7-5
libreadline - 5.2-2
libuci - 12012009.7-4
libuci-lua - 12012009.7-4
libuuid - 1.41.11-1
libxtables - 1.4.6-3.1
lua - 5.1.4-7
luci - 0.10.0-1
luci-app-firewall - 0.10.0-1
luci-i18n-english - 0.10.0-1
luci-lib-core - 0.10.0-1
luci-lib-ipkg - 0.10.0-1
luci-lib-lmo - 0.10.0-1
luci-lib-nixio - 0.10.0-1
luci-lib-sys - 0.10.0-1
luci-lib-web - 0.10.0-1
luci-mod-admin-core - 0.10.0-1
luci-mod-admin-full - 0.10.0-1
luci-proto-core - 0.10.0-1
luci-proto-ppp - 0.10.0-1
luci-sgi-cgi - 0.10.0-1
luci-theme-base - 0.10.0-1
luci-theme-openwrt - 0.10.0-1
lvm2 - 2.02.86-1
mtd - 13
opkg - 576-2
ppp - 2.4.4-16.1
ppp-mod-pppoe - 2.4.4-16.1
swconfig - 9
uci - 12012009.7-4
udevtrigger - 106-1
uhttpd - 28
wireless-tools - 29-4
wpad-mini - 20111103-2

root@OpenWrt:~# lsmod | sort

Module                  Size  Used by    Not tainted
aes_generic            30256  0 
arc4                     816  2 
ath                    14160  3 ath9k,ath9k_common,ath9k_hw
ath9k                  86656  0 
ath9k_common            1200  1 ath9k
ath9k_hw              338384  2 ath9k,ath9k_common
button_hotplug          2576  0 
cbc                     2016  0 
cfg80211              139760  3 ath9k,ath,mac80211
compat                 16496  3 ath9k,mac80211,cfg80211
crc16                    976  1 ext4
crc_ccitt                976  1 ppp_async
deflate                 1360  0 
dm_log                  7280  2 dm_mirror,dm_region_hash
dm_mirror              10752  0 
dm_mod                 48544  2 dm_mirror,dm_log
dm_region_hash          5632  1 dm_mirror
ecb                     1328  0 
ehci_hcd               31456  0 
ext4                  210496  0 
gpio_buttons            2128  0 
hmac                    2304  0 
input_core             17056  4 button_hotplug,gpio_buttons,input_polldev
input_polldev           1360  1 gpio_buttons
ip_tables               8544  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
ipt_LOG                 4176  0 
ipt_MASQUERADE           992  1 
ipt_REJECT              1680  2 
iptable_filter           768  1 
iptable_mangle           992  1 
iptable_nat             2768  1 
iptable_raw              656  1 
jbd2                   36544  1 ext4
leds_gpio               1456  0 
mac80211              229696  1 ath9k
mbcache                 3920  1 ext4
nf_conntrack           38848 12 nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_NOTRACK,xt_state,nf_conntrack_ipv4
nf_conntrack_ftp        4640  1 nf_nat_ftp
nf_conntrack_ipv4       7920  9 iptable_nat,nf_nat
nf_conntrack_irc        2512  1 nf_nat_irc
nf_conntrack_tftp       2400  1 nf_nat_tftp
nf_defrag_ipv4           624  1 nf_conntrack_ipv4
nf_nat                 10912  5 nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_nat_ftp              1328  0 
nf_nat_irc               816  0 
nf_nat_tftp              432  0 
nls_base                4800  2 nls_utf8,usbcore
nls_utf8                 816  0 
ohci_hcd               16912  0 
ppp_async               6400  0 
ppp_generic            18864  3 pppoe,pppox,ppp_async
pppoe                   8304  0 
pppox                   1216  1 pppoe
scsi_mod               68272  2 usb_storage,sd_mod
sd_mod                 21696  0 
sha256_generic          9056  0 
slhc                    4160  1 ppp_generic
usb_storage            32720  0 
usbcore                97616  4 usb_storage,ohci_hcd,ehci_hcd
x_tables                9296 13 ipt_MASQUERADE,iptable_nat,xt_NOTRACK,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt_comment,xt_multiport,xt_mac,xt_limit,ip_tables,xt_tcpudp
xt_NOTRACK               544  0 
xt_TCPMSS               2560  1 
xt_comment               464  0 
xt_limit                1008  1 
xt_mac                   576  0 
xt_multiport            1792  0 
xt_state                 768  6 
xt_tcpudp               1760  4
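
The check the error message asks for can be done mechanically. The following is an added example, not part of the ticket or of OpenWrt: it maps a cipher spec to kernel modules and reports those absent from `lsmod` output. The module names are assumptions (`aes_generic`, `cbc` and `sha256_generic` as they appear in the listing above, plus `dm_crypt`, `xts` and `gf128mul`), and the sample input is a constructed excerpt of that listing.

```sh
#!/bin/sh
# Added example (not from the ticket): which modules does a LUKS cipher spec
# need, and which are absent from `lsmod`? Module names are assumptions taken
# from the listing in comment 8 plus dm_crypt, xts and gf128mul.

# Print the modules required for SPEC, e.g. aes-cbc-essiv:sha256.
required_modules() {
    spec=$1
    cipher=${spec%%-*}; rest=${spec#*-}
    mode=${rest%%-*};   iv=${rest#*-}
    echo dm_crypt                                  # the device-mapper crypt target
    case $cipher in
        aes) echo aes_generic ;;                   # software AES
        *)   echo "unknown cipher: $cipher" >&2; return 1 ;;
    esac
    case $mode in
        cbc) echo cbc ;;
        xts) echo xts; echo gf128mul ;;            # xts depends on gf128mul
        *)   echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    case $iv in
        essiv:*) echo "${iv#essiv:}_generic" ;;    # ESSIV hashes the key
        plain*)  : ;;                              # no extra module
        *)       echo "unknown IV: $iv" >&2; return 1 ;;
    esac
}

# Read `lsmod` output on stdin; print required modules that are not loaded.
missing_modules() {
    req=$(required_modules "$1") || return 2
    loaded=$(awk '{ print $1 }')
    for m in $req; do
        printf '%s\n' "$loaded" | grep -qxF "$m" || echo "$m"
    done
}

# Constructed excerpt of the comment 8 listing (crypto and dm lines only).
sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by    Not tainted
aes_generic            30256  0
cbc                     2016  0
dm_mod                 48544  2 dm_mirror,dm_log
ecb                     1328  0
sha256_generic          9056  0
EOF
}

sample_lsmod | missing_modules aes-cbc-essiv:sha256
```

On a device, pipe the real output in with `lsmod | missing_modules aes-cbc-essiv:sha256`. Components compiled into the kernel do not appear in `lsmod`, so a name reported here still has to be checked against the kernel configuration.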

comment:9 Changed 6 years ago by anonymous

Same here:

root@OpenWrt:~$ cryptsetup luksOpen /dev/sda1 secret
Enter passphrase for /dev/sda1:
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda1.
Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).
Failed to read from key storage.

Please, can anyone solve it? I really need this feature. Thanks in advance.

comment:11 Changed 6 years ago by antivirtel <antivirtel@…>

Thanks anonymous, but it is 404, please use paste sites like: http://paste2.org

comment:12 Changed 6 years ago by antivirtel <antivirtel@…>

comment:13 follow-up: Changed 6 years ago by anonymous

Sry for bad link.
http://eko.one.pl/?p=openwrt-crypto
The thing is write: "insmod aes256_generic" then all works like a charm :) But the performance is horrible with my 400 MHz Atheros :(

comment:14 in reply to: ↑ 13 Changed 6 years ago by anonymous

Replying to anonymous:

Sry for bad link.
http://eko.one.pl/?p=openwrt-crypto
The thing is write: "insmod aes256_generic" then all works like a charm :) But the performance is horrible with my 400 MHz Atheros :(

What exact cipher are you using? I still can't succeed.

comment:15 Changed 5 years ago by anonymous

it's still broken in 12.09RC1, what a frustration ..

comment:16 Changed 5 years ago by anonymous

try installing these modules:

opkg install kmod-crypto-aes kmod-crypto-cbc kmod-crypto-core kmod-crypto-hash kmod-crypto-iv kmod-crypto-manager kmod-crypto-misc kmod-crypto-ocf kmod-crypto-rng kmod-crypto-user kmod-crypto-wq kmod-dm kmod-fs-ext4

last one for the ext2/ext3/ext4 fs support

but I've got working ONLY regular cryptsetup (without LUKS header), LUKS gives me an error:

cryptsetup luksFormat test

WARNING!
========
This will overwrite data on test irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Device /dev/loop1 is not a valid LUKS device.
Error re-reading LUKS header after update on device /dev/loop1.

all ciphers are working fine, I've tried mounting other luks container formatted in Ubuntu 12.04, mounting it under OpenWRT worked just fine.

comment:17 Changed 4 years ago by anonymous

still broken. see also /ticket/10787.html
