[dm-devel] [PATCH v2 0/4] crypto: switch to crypto API for ESSIV generation

Milan Broz gmazyland at gmail.com
Wed Jun 19 13:08:41 UTC 2019 

On 19/06/2019 14:49, Ard Biesheuvel wrote:
> On Wed, 19 Jun 2019 at 14:36, Ard Biesheuvel <ard.biesheuvel at linaro.org> wrote:
>>
>> On Wed, 19 Jun 2019 at 13:33, Milan Broz <gmazyland at gmail.com> wrote:
>>>
>>> On 19/06/2019 13:16, Ard Biesheuvel wrote:
>>>>> Try
>>>>>   cryptsetup open --type plain -c null /dev/sdd test -q
>>>>> or
>>>>>   dmsetup create test --table " 0 417792 crypt cipher_null-ecb - 0 /dev/sdd 0"
>>>>>
>>>>> (or just run full cryptsetup testsuite)
>>>>>
>>>>
>>>> Is that your mode-test script?
>>>>
>>>> I saw some errors about the null cipher, but tbh, it looked completely
>>>> unrelated to me, so i skipped those for the moment. But now, it looks
>>>> like it is related after all.
>>>
>>> This was triggered by align-test, mode-test fails the same though.
>>>
>>> It is definitely related, I think you just changed the mode parsing in dm-crypt.
>>> (cipher null contains only one dash I guess).
>>>
>>
>> On my unpatched 4.19 kernel, mode-test gives me
>>
>> $ sudo ./mode-test
>> aes                            PLAIN:[table OK][status OK]
>> LUKS1:[table OK][status OK] CHECKSUM:[OK]
>> aes-plain                      PLAIN:[table OK][status OK]
>> LUKS1:[table OK][status OK] CHECKSUM:[OK]
>> null                           PLAIN:[table OK][status OK]
>> LUKS1:[table OK][status OK] CHECKSUM:[OK]
>> cipher_null                    PLAIN:[table FAIL]
>>  Expecting cipher_null-ecb got cipher_null-cbc-plain.
>> FAILED at line 64 ./mode-test
>>
>> which is why I commented out those tests in the first place.
>>
>> I can reproduce the crash after I re-enable them again, so I will need
>> to look into that. But something seems to be broken already.
>> Note that this is running on arm64 using a kconfig based on the Debian kernel.
> 
> Actually, could this be an issue with cryptsetup being out of date? On
> another arm64 system with a more recent distro, it works fine

Ah yes, it was changed because we hardened dm-crypt mode validation in kernel
https://gitlab.com/cryptsetup/cryptsetup/commit/aeea93fa9553ad70ed57f273aecb233113b204d6#f40cab3037a50bf28ce20d8aae52bfa6a0c0e2c4_137_137

So either use test form the released version of cryptsetup (all version are here)
https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/

Or better use upstream git, we added a lot of tests anyway.

Milan

More information about the dm-devel mailing list