<div dir="ltr">Hi <div class="gmail-moz-forward-container"> I'm having some trouble using dm-verity for a squashfs root file system that seems to be related to the Atmel SHA hw accelerator in the kernel, CONFIG_CRYPTO_DEV_ATMEL_SHA Some info about my setup: * I'm using a board with a SAMA5D4 CPU. * I'm using Yocto rocko for building an image for that device. The idea is that Using the 4.14.14 Kernel, Integrity checking using Kernel crypto fails with Atmel SHA hw accelerator enabled in kernel. By disabling it, `CONFIG_CRYPTO_DEV_ATMEL_SHA=n`, and using the software sha256 algo, integrity checking works as expected. This is my kernel config [3] Using the 4.8.4 Kernel and Atmel SHA hw accelerator enabled, everything was ok. This is what triggers the error during verified boot: status=`veritysetup create vroot $root_dev $verity_dev --hash-offset $hashoffset $root_hash` mount /dev/mapper/vroot /mnt/ mount_ok=`cat /proc/mounts | grep mnt` if [ -z "$mount_ok" ] ; then echo "Failed to mount $root_dev on mnt/" else echo "Switch rootfs" exec switch_root -c /dev/console /mnt /sbin/init fi The mount operation fails: device-mapper: verity: 179:4: metadata block 2 is corrupted EXT4-fs (dm-0): unable to read superblock device-mapper: verity: 179:4: metadata block 2 is corrupted EXT4-fs (dm-0): unable to read superblock device-mapper: verity: 179:4: metadata block 2 is corrupted EXT4-fs (dm-0): unable to read superblock device-mapper: verity: 179:4: metadata block 2 is corrupted SQUASHFS error: squashfs_read_data failed to read block 0x0 squashfs: SQUASHFS error: unable to read squashfs_super_block device-mapper: verity: 179:4: metadata block 2 is corrupted FAT-fs (dm-0): unable to read boot sector mount: mounting /dev/mapper/vroot on /mnt/ failed: Input/output error Failed to mount /dev/mmcblk0p4 on mnt/ reboot: Restarting system Reboot failed -- System halted Using veritysetup to verify the integrity against the hashes is successful, as it's not using the kernel for that ... So it looks like it something changed from 4.8.4 to 4.14.14. Using the 4.14.14 kernel, I removed the patches that were applied on the atmel-sha.c file in the kernel, one by one, until I got the version from the 4.8.4 </div><div class="gmail-moz-forward-container">Basically I reverted the changes from here:<a href="https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.14.14" class="external-link" rel="nofollow" title="Follow link">https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.14.14</a> </div><div class="gmail-moz-forward-container">until I got this:<a href="https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.8.4" class="external-link" rel="nofollow" title="Follow link"> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.8.4</a></div><div class="gmail-moz-forward-container"> It still didn't work. I assumed something there broke the hashing, not the case. It was still not working with all those commits reverted. Furthermore, using the Cryptodev-linux module [1], and the sample [2], adapted to use sha256, I tested the output hashes, with CONFIG_CRYPTO_DEV_ATMEL_SHA enabled and then disabled. I got the same results in both cases, hardware and software algorithm. So it doesn't look like the SHA hw accelerator is broken. Any help is appreciated ! Thanks in advanced and have a nice day. </div> [1] <a href="http://cryptodev-linux.org/documentation.html">http://cryptodev-linux.org/documentation.html</a> [2] <a href="https://github.com/nmav/cryptodev-linux/blob/master/examples/sha.c">https://github.com/nmav/cryptodev-linux/blob/master/examples/sha.c</a> [3] <a class="gmail-moz-txt-link-freetext" href="https://gist.githubusercontent.com/gmircea/6e1cc029ef5ed7a16b0fedb8b9524f66/raw/eece8a8faadd2de9373e150ef1daf3cf25f4135c/.config">https://gist.githubusercontent.com/gmircea/6e1cc029ef5ed7a16b0fedb8b9524f66/raw/eece8a8faadd2de9373e150ef1daf3cf25f4135c/.config</a> </div>