* [dm-crypt] libcryptsetup kernel feature detection fails on boot
@ 2014-07-22 22:36 Thomas Bächler
  2014-07-23  7:45 ` Milan Broz
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Bächler @ 2014-07-22 22:36 UTC (permalink / raw)
  To: dm-crypt, Milan Broz

Since cryptsetup 1.6.5, libcryptsetup fails to detect the kernel's
features on boot. In particular, whenever the dm-crypt module is not
loaded before configuring a mapping with libcryptsetup, the
allow_discards option is not used.

# rmmod dm_crypt

# /usr/lib/systemd/systemd-cryptsetup attach test /dev/loop0 none allow-discards,tries=0
Please enter passphrase for disk test! ****
Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/loop0.

# cryptsetup status test
/dev/mapper/test is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/loop0
  loop:    /tmp/testfile
  offset:  4096 sectors
  size:    405504 sectors
  mode:    read/write

# /usr/lib/systemd/systemd-cryptsetup detach test

# /usr/lib/systemd/systemd-cryptsetup attach test /dev/loop0 none allow-discards,tries=0
Please enter passphrase for disk test! ****
Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/loop0.

# cryptsetup status test
/dev/mapper/test is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/loop0
  loop:    /tmp/testfile
  offset:  4096 sectors
  size:    405504 sectors
  mode:    read/write
  flags:   discards

The culprit seems to be dm_check_versions() in lib/libdevmapper.c - the
version number returned here differs when dm_crypt is not loaded.



* Re: [dm-crypt] libcryptsetup kernel feature detection fails on boot
  2014-07-22 22:36 [dm-crypt] libcryptsetup kernel feature detection fails on boot Thomas Bächler
@ 2014-07-23  7:45 ` Milan Broz
  2014-07-24 20:20   ` Milan Broz
  0 siblings, 1 reply; 3+ messages in thread
From: Milan Broz @ 2014-07-23  7:45 UTC (permalink / raw)
  To: Thomas Bächler, dm-crypt, Milan Broz

On 23.7.2014 0:36, Thomas Bächler wrote:
> Since cryptsetup 1.6.5, libcryptsetup fails to detect the kernel's
> features on boot. In particular, whenever the dm-crypt module is not
> loaded before configuring a mapping with libcryptsetup, the
> allow_discards option is not used.

Hm, yes, that's possible... dmcrypt is now needed only on activation
(previously it was loaded earlier perhaps).

Well, the workaround for now is probably to always load dmcrypt module,
I'll try to fix it soon.

Milan

p.s.

FYI there are more problems discovered by the userspace header processing
in 1.6.5 (I expected these to appear when introducing truecrypt format which
uses the same logic but unfortunately that was not the case).

- with SELinux in enforcing mode (and proper policy, in Fedora this applies
only to systemd-cryptsetup which is labeled as init process) it fails
to activate volumes.
Apparently kernel crypto API socket was never labeled properly(!)
(kernel selinux subsystem bug, patch on the way upstream).
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120

- with some crazy configuration we hit the problem that some hash algorithms
are not available in userspace (whirlpool256 for example) so when
used in ESSIV it fails. There was a conservative approach to fall back to old
mode, unfortunately I did not implement it correctly for this case.
See https://code.google.com/p/cryptsetup/issues/detail?id=222

So anyway, expect cryptsetup 1.6.6 to fix these...


* Re: [dm-crypt] libcryptsetup kernel feature detection fails on boot
  2014-07-23  7:45 ` Milan Broz
@ 2014-07-24 20:20   ` Milan Broz
  0 siblings, 0 replies; 3+ messages in thread
From: Milan Broz @ 2014-07-24 20:20 UTC (permalink / raw)
  To: Thomas Bächler, dm-crypt

On 07/23/2014 09:45 AM, Milan Broz wrote:
> On 23.7.2014 0:36, Thomas Bächler wrote:
>> Since cryptsetup 1.6.5, libcryptsetup fails to detect the kernel's
>> features on boot. In particular, whenever the dm-crypt module is not
>> loaded before configuring a mapping with libcryptsetup, the
>> allow_discards option is not used.
> 
> Hm, yes, that's possible... dmcrypt is now needed only on activation
> (previously it was loaded earlier perhaps).
> 
> Well, the workaround for now is probably to always load dmcrypt module,
> I'll try to fix it soon.

It is fixed in devel git now. Thanks.

(The main problem with detection of features is that without device-mapper
target module loaded there is no way to get the version. And using only
kernel version is not enough, e.g. RHEL systems often backport features.)

Milan
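
Added example, not part of the original thread and not cryptsetup code: a check that flags the silent drop of allow-discards described above, by comparing a `dmsetup targets` snapshot taken before activation with the `cryptsetup status` output taken after it. The target snapshots and the crypt version in them are constructed; the status text is abridged from the two runs in the report.

```shell
#!/bin/sh
# Constructed `dmsetup targets` snapshots taken BEFORE activation.
TARGETS_NO_CRYPT='striped          v1.5.1
linear           v1.2.1
error            v1.2.0'
TARGETS_WITH_CRYPT="$TARGETS_NO_CRYPT
crypt            v1.13.0"

# Relevant lines of the two `cryptsetup status test` outputs in the report.
STATUS_FIRST='/dev/mapper/test is active.
  type:    LUKS1
  mode:    read/write'
STATUS_SECOND="$STATUS_FIRST
  flags:   discards"

# Print the version of target $1 from `dmsetup targets` text on stdin;
# return 1 when the target is not registered (module not loaded).
dm_target_version() {
    awk -v t="$1" '$1 == t { sub(/^v/, "", $2); print $2; found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# Return 0 when `cryptsetup status` text on stdin lists the discards flag.
status_has_discards() {
    awk '$1 == "flags:" { for (i = 2; i <= NF; i++) if ($i == "discards") ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# $1 = targets snapshot before activation, $2 = status after activation.
check_discards() {
    if printf '%s\n' "$2" | status_has_discards; then
        echo "ok: discards active"
    elif ver=$(printf '%s\n' "$1" | dm_target_version crypt); then
        echo "dropped: crypt v$ver was registered, look elsewhere"
    else
        echo "dropped: crypt target not registered before activation"
    fi
}

check_discards "$TARGETS_NO_CRYPT" "$STATUS_FIRST"
check_discards "$TARGETS_WITH_CRYPT" "$STATUS_SECOND"
```

On a live system the two inputs would come from running `dmsetup targets` before the attach and `cryptsetup status <name>` after it.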
