From: Milan Broz <gmazyland@gmail.com>
To: Adam Pigg <adam@piggz.co.uk>, dm-crypt@saout.de
Subject: Re: [dm-crypt] Help with dm-crypt/luks on mediatek device
Date: Fri, 2 Oct 2020 12:21:32 +0200
Message-ID: <d5e95847-c864-f9b4-7c88-0e9d8a6e080b@gmail.com>
In-Reply-To: <43289151.68iqNxZmNP@linux-f1uu>

Hi,

the reported problems seem like you have a misconfigured kernel or related tools.

I can only suggest that you split debugging into several steps to isolate the problems
(I guess it is not only one problem here).

But otherwise this is quite a specific issue, maybe some specific platform list
(or dm-devel) would be more appropriate.

On 30/09/2020 22:23, Adam Pigg wrote:
> I'm porting the Linux-based SailfishOS to a MediaTek-based phone.  All is good, 
> except for enabling the encryption support.  The UI tools aren't working, and 
> neither is a basic command line setup, so I'm hoping if I can fix the command 
> line issues, the UI will just work.  As far as I can tell, I have the 
> appropriate CONFIG* options, but can't be 100% sure. Here is what is happening, 
> any suggestions greatly appreciated.
> 
> cryptsetup luksFormat /dev/mmcblk1p1 
> 
> WARNING!
> ========
> This will overwrite data on /dev/mmcblk1p1 irrevocably.
> 
> Are you sure? (Type uppercase yes): YES
> Enter passphrase for /dev/mmcblk1p1: 
> Verify passphrase: 
> device-mapper: reload ioctl on   failed: Operation not permitted

So the device-mapper subsystem does not work. First be sure
it is working without any crypto:

0) You have to be root with the CAP_SYS_ADMIN capability, otherwise device-mapper
IOCTLs will be rejected.

1) Use dmsetup (if you are able to compile the libdevmapper library, this should be trivial).

2) Try to set up a simple device-mapper device that does not require userspace interaction,
for example dm-zero (of size 8 sectors, IOW 4kB):

# dmsetup create test --table "0 8 zero"
# dmsetup table test
0 8 zero 
# blockdev --getsz /dev/mapper/test 
8
# dmsetup remove test

This must work (you need the dm-zero module though; if not available, repeat with the mandatory "error" target).
If you see failures, the problem is in the device-mapper kernel subsystem configuration.
You are not using udev, so device nodes are created by the libdevmapper library.
Also check SELinux and similar access control (if used) etc.

3) Once the above works, try to introduce dm-crypt (replace /dev/sdb with your device), this will
map the first 4kB as a ciphertext device (the key is intentionally not random here :)

# dmsetup create test --table "0 8 crypt aes-xts-plain64 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff 0 /dev/sdb 0"
# dmsetup table --showkeys
test: 0 8 crypt aes-xts-plain64 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff 0 8:16 0
# dmsetup remove test

If it works, kernel support should be OK; now run cryptsetup again and, if it is failing, report the full debug log again.

Milan



> Failed to setup dm-crypt key mapping for device /dev/mmcblk1p1.
> Check that kernel supports aes-xts-plain64 cipher (check syslog for more 
> info).
> device-mapper: remove ioctl on temporary-cryptsetup-4149  failed: No such 
> device or address
> device-mapper: table ioctl on   failed: No such device or address
> device-mapper: remove ioctl on temporary-cryptsetup-4149  failed: No such 
> device or address
> device-mapper: table ioctl on   failed: No such device or address
> device-mapper: remove ioctl on temporary-cryptsetup-4149  failed: No such 
> device or address
> device-mapper: table ioctl on   failed: No such device or address
> device-mapper: remove ioctl on temporary-cryptsetup-4149  failed: No such 
> device or address
> device-mapper: table ioctl on   failed: No such device or address
> device-mapper: remove ioctl on temporary-cryptsetup-4149  failed: No such 
> device or address
> 
> ---
> 
> [root@VollaPhone nemo]# cryptsetup --debug luksFormat /dev/mmcblk1p1
> # cryptsetup 2.1.0 processing "cryptsetup --debug luksFormat /dev/mmcblk1p1"
> # Running command luksFormat.
> # Locking memory.
> # Installing SIGINT/SIGTERM handler.
> # Unblocking interruption on signal.
> # Allocating context for crypt device /dev/mmcblk1p1.
> # Trying to open and read device /dev/mmcblk1p1 with direct-io.
> # Initialising device-mapper backend library.
> 
> WARNING!
> ========
> This will overwrite data on /dev/mmcblk1p1 irrevocably.
> 
> Are you sure? (Type uppercase yes): YES
> # Interactive passphrase entry requested.
> Enter passphrase for /dev/mmcblk1p1: 
> Verify passphrase: 
> # Crypto backend (OpenSSL 1.0.2o-fips  27 Mar 2018) initialized in cryptsetup 
> library version 2.1.0.
> # Detected kernel Linux 4.4.146+ aarch64.
> # PBKDF argon2i, hash sha256, time_ms 2000 (iterations 0), max_memory_kb 
> 1048576, parallel_threads 4.
> # Formatting device /dev/mmcblk1p1 as type LUKS2.
> # Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
> # Checking if cipher aes-xts-plain64 is usable.
> # Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
> # Using dmcrypt to access keyslot area.
> # Calculated device size is 1 sectors (RW), offset 0.
> # dm version   [ opencount flush ]   [16384] (*1)
> # dm versions   [ opencount flush ]   [16384] (*1)
> # Detected dm-ioctl version 4.34.0.
> # Detected dm-verity version 1.4.0.
> # Detected dm-crypt version 1.14.1.
> # Device-mapper backend running with UDEV support disabled.
> # DM-UUID is CRYPT-TEMP-temporary-cryptsetup-17590
> # dm create temporary-cryptsetup-17590 CRYPT-TEMP-temporary-cryptsetup-17590 [ 
> opencount flush ]   [16384] (*1)
> # dm reload temporary-cryptsetup-17590  [ opencount flush readonly securedata 
> ]   [16384] (*1)
> device-mapper: reload ioctl on   failed: Operation not permitted
> # dm remove temporary-cryptsetup-17590  [ opencount flush readonly securedata 
> ]   [16384] (*1)
> # temporary-cryptsetup-17590: Stacking NODE_DEL
> # temporary-cryptsetup-17590: Processing NODE_DEL
> Failed to setup dm-crypt key mapping for device /dev/mmcblk1p1.
> Check that kernel supports aes-xts-plain64 cipher (check syslog for more 
> info).
> # dm versions   [ opencount flush ]   [16384] (*1)
> # dm remove temporary-cryptsetup-17590  [ opencount flush retryremove ]   
> [16384] (*1)
> device-mapper: remove ioctl on temporary-cryptsetup-17590  failed: No such 
> device or address
> # WARNING: other process locked internal device temporary-cryptsetup-17590, 
> retrying remove.
> # dm versions   [ opencount flush ]   [16384] (*1)
> # dm table temporary-cryptsetup-17590  [ opencount flush securedata ]   
> [16384] (*1)
> device-mapper: table ioctl on   failed: No such device or address
> # dm remove temporary-cryptsetup-17590  [ opencount flush retryremove ]   
> [16384] (*1)
> device-mapper: remove ioctl on temporary-cryptsetup-17590  failed: No such 
> device or address
> # WARNING: other process locked internal device temporary-cryptsetup-17590, 
> retrying remove.
> # dm versions   [ opencount flush ]   [16384] (*1)
> # dm table temporary-cryptsetup-17590  [ opencount flush securedata ]   
> [16384] (*1)
> device-mapper: table ioctl on   failed: No such device or address
> # dm remove temporary-cryptsetup-17590  [ opencount flush retryremove ]   
> [16384] (*1)
> device-mapper: remove ioctl on temporary-cryptsetup-17590  failed: No such 
> device or address
> # WARNING: other process locked internal device temporary-cryptsetup-17590, 
> retrying remove.
> # dm versions   [ opencount flush ]   [16384] (*1)
> # dm table temporary-cryptsetup-17590  [ opencount flush securedata ]   
> [16384] (*1)
> device-mapper: table ioctl on   failed: No such device or address
> # dm remove temporary-cryptsetup-17590  [ opencount flush retryremove ]   
> [16384] (*1)
> device-mapper: remove ioctl on temporary-cryptsetup-17590  failed: No such 
> device or address
> # WARNING: other process locked internal device temporary-cryptsetup-17590, 
> retrying remove.
> # dm versions   [ opencount flush ]   [16384] (*1)
> # dm table temporary-cryptsetup-17590  [ opencount flush securedata ]   
> [16384] (*1)
> device-mapper: table ioctl on   failed: No such device or address
> # dm remove temporary-cryptsetup-17590  [ opencount flush retryremove ]   
> [16384] (*1)
> device-mapper: remove ioctl on temporary-cryptsetup-17590  failed: No such 
> device or address
> # Releasing crypt device /dev/mmcblk1p1 context.
> # Releasing device-mapper backend.
> # Unlocking memory.
> Command failed with code -1 (wrong or missing parameters).
> 
> 
> ---
> 
> Kernel messages when this happens:
>     Sep 30 16:03:44 VollaPhone kernel: [dm-crypt] dev path: /dev/mmcblk1p1, 
> type: -1
>     Sep 30 16:03:44 VollaPhone kernel: [dm-crypt] dev path: /dev/mmcblk1p1, 
> type: -1
>     Sep 30 16:03:44 VollaPhone kernel: device-mapper: table: 252:2: crypt: 
> Unknown error
>     Sep 30 16:03:44 VollaPhone kernel: device-mapper: ioctl: error adding 
> target to table
> 
> ---
> 
>     [root@VollaPhone nemo]#             cat /proc/crypto 
>     name         : cbc(aes)
>     driver       : cbc(aes-ce)
>     module       : kernel
>     priority     : 250
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : blkcipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : hmac(sha256)
>     driver       : hmac(sha256-ce)
>     module       : kernel
>     priority     : 200
>     refcnt       : 2
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 32
>     ​
>     name         : ghash
>     driver       : ghash-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 16
>     digestsize   : 16
>     ​
>     name         : jitterentropy_rng
>     driver       : jitterentropy_rng
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_nopr_hmac_sha256
>     module       : kernel
>     priority     : 207
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_nopr_hmac_sha512
>     module       : kernel
>     priority     : 206
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_nopr_hmac_sha384
>     module       : kernel
>     priority     : 205
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_nopr_hmac_sha1
>     module       : kernel
>     priority     : 204
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_pr_hmac_sha256
>     module       : kernel
>     priority     : 203
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_pr_hmac_sha512
>     module       : kernel
>     priority     : 202
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_pr_hmac_sha384
>     module       : kernel
>     priority     : 201
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : stdrng
>     driver       : drbg_pr_hmac_sha1
>     module       : kernel
>     priority     : 200
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : rng
>     seedsize     : 0
>     ​
>     name         : lzo
>     driver       : lzo-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : compression
>     ​
>     name         : crc32c
>     driver       : crc32c-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 3
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 1
>     digestsize   : 4
>     ​
>     name         : deflate
>     driver       : deflate-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : compression
>     ​
>     name         : ecb(arc4)
>     driver       : ecb(arc4)-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : blkcipher
>     blocksize    : 1
>     min keysize  : 1
>     max keysize  : 256
>     ivsize       : 0
>     geniv        : <default>
>     ​
>     name         : arc4
>     driver       : arc4-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 1
>     min keysize  : 1
>     max keysize  : 256
>     ​
>     name         : aes
>     driver       : aes-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ​
>     name         : twofish
>     driver       : twofish-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ​
>     name         : des3_ede
>     driver       : des3_ede-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 8
>     min keysize  : 24
>     max keysize  : 24
>     ​
>     name         : des
>     driver       : des-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 8
>     min keysize  : 8
>     max keysize  : 8
>     ​
>     name         : poly_hash
>     driver       : poly_hash-generic
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 0
>     digestsize   : 16
>     ​
>     name         : sha384
>     driver       : sha384-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 128
>     digestsize   : 48
>     ​
>     name         : sha512
>     driver       : sha512-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 128
>     digestsize   : 64
>     ​
>     name         : sha224
>     driver       : sha224-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 28
>     ​
>     name         : sha256
>     driver       : sha256-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 32
>     ​
>     name         : sha1
>     driver       : sha1-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 2
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 20
>     ​
>     name         : md5
>     driver       : md5-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 16
>     ​
>     name         : digest_null
>     driver       : digest_null-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 1
>     digestsize   : 0
>     ​
>     name         : compress_null
>     driver       : compress_null-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : compression
>     ​
>     name         : ecb(cipher_null)
>     driver       : ecb-cipher_null
>     module       : kernel
>     priority     : 100
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : blkcipher
>     blocksize    : 1
>     min keysize  : 0
>     max keysize  : 0
>     ivsize       : 0
>     geniv        : <default>
>     ​
>     name         : cipher_null
>     driver       : cipher_null-generic
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 1
>     min keysize  : 0
>     max keysize  : 0
>     ​
>     name         : xts(aes)
>     driver       : xts-aes-ce
>     module       : kernel
>     priority     : 300
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : ablkcipher
>     async        : yes
>     blocksize    : 16
>     min keysize  : 32
>     max keysize  : 64
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : ctr(aes)
>     driver       : ctr-aes-ce
>     module       : kernel
>     priority     : 300
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : ablkcipher
>     async        : yes
>     blocksize    : 1
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : cbc(aes)
>     driver       : cbc-aes-ce
>     module       : kernel
>     priority     : 300
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : ablkcipher
>     async        : yes
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : ecb(aes)
>     driver       : ecb-aes-ce
>     module       : kernel
>     priority     : 300
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : ablkcipher
>     async        : yes
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 0
>     geniv        : <default>
>     ​
>     name         : __xts-aes-ce
>     driver       : __driver-xts-aes-ce
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : yes
>     type         : blkcipher
>     blocksize    : 16
>     min keysize  : 32
>     max keysize  : 64
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : __ctr-aes-ce
>     driver       : __driver-ctr-aes-ce
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : yes
>     type         : blkcipher
>     blocksize    : 1
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : __cbc-aes-ce
>     driver       : __driver-cbc-aes-ce
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : yes
>     type         : blkcipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 16
>     geniv        : <default>
>     ​
>     name         : __ecb-aes-ce
>     driver       : __driver-ecb-aes-ce
>     module       : kernel
>     priority     : 0
>     refcnt       : 1
>     selftest     : passed
>     internal     : yes
>     type         : blkcipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ivsize       : 0
>     geniv        : <default>
>     ​
>     name         : aes
>     driver       : aes-ce
>     module       : kernel
>     priority     : 250
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : cipher
>     blocksize    : 16
>     min keysize  : 16
>     max keysize  : 32
>     ​
>     name         : poly_hash
>     driver       : poly_hash-ce
>     module       : kernel
>     priority     : 300
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 0
>     digestsize   : 16
>     ​
>     name         : sha256
>     driver       : sha256-ce
>     module       : kernel
>     priority     : 200
>     refcnt       : 3
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 32
>     ​
>     name         : sha224
>     driver       : sha224-ce
>     module       : kernel
>     priority     : 200
>     refcnt       : 1
>     selftest     : passed
>     internal     : no
>     type         : shash
>     blocksize    : 64
>     digestsize   : 28
>     ​
>     [root@VollaPhone nemo]# 
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
> 
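
Added example, not part of the original thread: a read-only shell preflight that follows the order of checks in the reply above (capability, device-mapper core, crypt target, cipher in the kernel crypto API). The function names and the file parameters are assumptions of this example; it creates no mappings, so the dmsetup create tests from the reply still have to be run by hand.

```shell
#!/bin/sh
# Added example: read-only preflight for the staged checks in the reply.
# Function names are illustrative; inputs are files so saved copies can be checked.

# Step 0: is CAP_SYS_ADMIN (capability bit 21) in the effective set?
# $1 = status file, default /proc/self/status.
# Returns 0 if set, 1 if not set, 2 if CapEff could not be read.
has_cap_sys_admin() {
    cap_hex=$(awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}")
    case $cap_hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$cap_hex >> 21) & 1 )) -eq 1 ]
}

# Steps 2/3: is a device-mapper target registered?
# Reads `dmsetup targets` output on stdin. Targets built as modules are
# listed only once the module is loaded.
dm_has_target() {
    awk -v t="$1" '$1 == t { found = 1 } END { exit !found }'
}

# cryptsetup-style spec "cipher-mode-iv" -> kernel crypto API name "mode(cipher)".
# Handles only this simple three-part form.
kernel_alg_name() {
    cipher=${1%%-*}; rest=${1#*-}
    printf '%s(%s)\n' "${rest%%-*}" "$cipher"
}

# Step 3: does the crypto listing ($2, default /proc/crypto) contain
# algorithm $1 with a passed selftest?
crypto_has_alg() {
    awk -F'[ \t]*:[ \t]*' -v alg="$1" '
        $1 == "name"     { cur = ($2 == alg) }
        $1 == "selftest" { if (cur && $2 == "passed") ok = 1 }
        END { exit !ok }' "${2:-/proc/crypto}"
}

# Run the checks in the reply's order and print the first stage that fails.
# $1 status file, $2 saved `dmsetup targets` output, $3 crypto file, $4 cipher spec
preflight() {
    has_cap_sys_admin "$1" || { echo "step 0: CAP_SYS_ADMIN missing"; return 1; }
    dm_has_target error < "$2" || { echo "step 2: device-mapper core not answering"; return 1; }
    dm_has_target crypt < "$2" || { echo "step 3: crypt target not registered"; return 1; }
    alg=$(kernel_alg_name "$4")
    crypto_has_alg "$alg" "$3" || { echo "step 3: $alg not in kernel crypto API"; return 1; }
    echo "ok: try the dmsetup tests"
}

# Live use as root on the device: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    t=$(mktemp) && dmsetup targets > "$t" 2>/dev/null
    preflight /proc/self/status "$t" /proc/crypto aes-xts-plain64
    rm -f "$t"
fi
```

A clean preflight only says the prerequisites are visible; a reload ioctl can still be refused by SELinux or a similar access control layer, which is why the reply asks for the dmsetup tests as well.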
