The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Hi,
Has anyone successfully created an encrypted filesystem in Backfire using 'cryptsetup' ?
A simple shot at this:
root@OpenWrt:/# cryptsetup -y create secure /dev/sda3
Enter passphrase:<SomeGreatPassphrase>
Verify passphrase:<SomeGreatPassphrase>
device-mapper: table: 254:0: crypt: unknown target type
device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl failed: Invalid argumentDoesn't look so good!
I have not tried creating one, but I did manage to get it to mount one. I saw similar error messages to yours and it was due to two reasons.
1) By default, Backfire does not include the module "dm-crypt" in the 10.03 binaries from the website. This module is needed in order for cryptsetup to work properly.
2) The cipher that I was using (aes-xts-plain) was also not included in the binaries. Depending on what cipher you need, you may not need to do anything about this.
So to solve this, I had to build Backfire from source and make sure that these modules were included in the build. It was a bit more tricky than I had anticipated, but at least it works now.
I have not tried creating one, but I did manage to get it to mount one. [...] By default, Backfire does not include the module "dm-crypt" in the 10.03 binaries from the website [...] I had to build Backfire from source and make sure that these modules were included in the build. It was a bit more tricky than I had anticipated, but at least it works now.
Can you describe how you did this? You used the word "tricky", so I guess that you know what to set up in the correct way.
Regards,
Daniel
Sure,
I had to change a section of the file, package/kernel/modules/block.mk from this:
define KernelPackage/dm
SUBMENU:=$(BLOCK_MENU)
TITLE:=Device Mapper
# All the "=n" are unnecessary, they're only there
# to stop the config from asking the question.
# MIRROR is M because I've needed it for pvmove.
KCONFIG:= \
CONFIG_BLK_DEV_MD=n \
CONFIG_DM_DEBUG=n \
CONFIG_DM_CRYPT=n \
CONFIG_DM_UEVENT=n \
CONFIG_DM_DELAY=n \
CONFIG_DM_MULTIPATH=n \
CONFIG_DM_ZERO=n \
CONFIG_DM_SNAPSHOT=n \
CONFIG_DM_LOG_USERSPACE=n \
CONFIG_MD=y \
CONFIG_BLK_DEV_DM \
CONFIG_DM_MIRROR
FILES:=$(LINUX_DIR)/drivers/md/dm-*.$(LINUX_KMOD_SUFFIX)
AUTOLOAD:=$(call AutoLoad,30,dm-mod dm-log dm-region-hash dm-mirror)
endef
define KernelPackage/dm/description
Kernel module necessary for LVM2 support
endef
$(eval $(call KernelPackage,dm))
to this:
define KernelPackage/dm
SUBMENU:=$(BLOCK_MENU)
TITLE:=Device Mapper
# All the "=n" are unnecessary, they're only there
# to stop the config from asking the question.
# MIRROR is M because I've needed it for pvmove.
KCONFIG:= \
CONFIG_BLK_DEV_MD=n \
CONFIG_DM_DEBUG=n \
CONFIG_DM_UEVENT=n \
CONFIG_DM_DELAY=n \
CONFIG_DM_MULTIPATH=n \
CONFIG_DM_ZERO=n \
CONFIG_DM_SNAPSHOT=n \
CONFIG_DM_LOG_USERSPACE=n \
CONFIG_MD=y \
CONFIG_BLK_DEV_DM \
CONFIG_DM_CRYPT \
CONFIG_DM_MIRROR
FILES:=$(LINUX_DIR)/drivers/md/dm-*.$(LINUX_KMOD_SUFFIX)
AUTOLOAD:=$(call AutoLoad,30,dm-mod dm-log dm-region-hash dm-mirror dm-crypt)
endef
define KernelPackage/dm/description
Kernel module necessary for LVM2 support
endef
$(eval $(call KernelPackage,dm))
Notice how CONFIG_DM_CRYPT has been added to the configuration and the module has been added to the AUTOLOAD section. That was it to get dm-crypt working. If you need help with the cipher too, let me know.
Sure,
Notice how CONFIG_DM_CRYPT has been added to the configuration and the module has been added to the AUTOLOAD section. That was it to get dm-crypt working. If you need help with the cipher too, let me know.
I'm interested to know how you enabled CONFIG_CRYPTO_XTS. I see how you could add an entry in crypto.mk, but not what dependencies this module has.
Yes, you are on the right track. This is what I added to the crypto.mk:
define KernelPackage/crypto-xts
$(call KernelPackage/crypto/Depends,)
TITLE:=XTS cipher CryptoAPI module
KCONFIG:= \
CONFIG_CRYPTO_GF128MUL \
CONFIG_CRYPTO_XTS
FILES:= \
$(LINUX_DIR)/crypto/xts.$(LINUX_KMOD_SUFFIX) \
$(LINUX_DIR)/crypto/gf128mul.$(LINUX_KMOD_SUFFIX)
AUTOLOAD:=$(call AutoLoad,09, \
gf128mul \
xts \
)
endef
$(eval $(call KernelPackage,crypto-xts))
I figured out the dependencies by trying to load the kernel module into my running openWRT kernel and seeing what the insmod command said was missing. There are probably better ways of doing it, but at least it worked.
Thanks mr_gobble !
By the way, here is a related open issue (with patch) I found : https://dev.openwrt.org/ticket/7727
My current status is: (using Backfire (r24038)
root@debricked:/# cryptsetup luksOpen /dev/sda1 datamonster
Enter passphrase for /dev/sda1:
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda1.
Check that kernel supports aes-cbc-essiv:sha256 cipher (check syslog for more info).
Failed to read from key storage.while syslog reads
Jan 12 21:33:27 debricked user.err kernel: device-mapper: table: 254:0: crypt: unknown target type
Jan 12 21:33:27 debricked user.warn kernel: device-mapper: ioctl: error adding target to tableand luksDump is
root@debricked:/# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: 1b 04 12 f1 24 82 ae 05 8d 70 ac fb c0 f6 d2 a4 46 22 4c 7a
MK salt: b1 eb cb f2 bf 07 c8 71 ce 78 ac 24 36 26 da 8f
ca c4 02 16 19 74 e0 a8 a2 7b 53 ae 3c 6d 99 ab
MK iterations: 36000
UUID: a16b38e9-11b7-464c-9e85-23800e1a0715
Key Slot 0: ENABLED
Iterations: 144360
Salt: b1 c5 e9 6b a1 73 13 af 04 21 cd 7f 84 97 02 a5
97 70 fb 59 75 c7 9e d6 d6 55 09 9d 26 80 3f 54
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDany suggestions most welcome.
cheers,
aleph0
Did you make the changes suggested by mr_gobble? I got it working.
# cryptsetup luksOpen /dev/sda4 secure
Enter passphrase for /dev/sda4:
Key slot 0 unlocked.# cryptsetup luksDump /dev/sda4
LUKS header information for /dev/sda4
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
....
Key Slot 0: ENABLED
Iterations: 16380
....
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLEDCheck to make sure you have the following modules available on your device: cbc,ecb,deflate,aes_generic,sha256_generic,arc4.
I can't say for sure which of those are required, but I have all of them loaded. I have a feeling you will be missing the sha256_generic module.
I have all the modules you listed except sha256_generic.
I did not compile my own system, I am using:
http://downloads.openwrt.org/backfire/1 … pgrade.bin
If you say I need to compile my own, I'll need a little more guidance *please*
thank you,
aleph0
PS there is no source package here: http://downloads.openwrt.org/backfire/10.03.1-rc4/
(Last edited by aleph0 on 12 Jan 2011, 23:26)
it's not that I'm unwilling to try, but this is confusing stuff.
I downloaded the sources, got confused in the 'make menuconfig' stage and can't compile and don't know why:
aleph0@espresso:~/Downloads/backfire$ V=99 make
make[1] world
make[2] tools/install
make[3] -C tools/gmp compile
make[3] -C tools/gmp install
make[3] -C tools/mpfr compile
make[3] -C tools/mpfr install
make[3] -C tools/m4 compile
make[3] -C tools/m4 install
make[3] -C tools/autoconf compile
make[3] -C tools/autoconf install
make[3] -C tools/automake compile
make[3] -C tools/automake install
............
make[3] -C tools/mtd-utils compile
make[3] -C tools/mtd-utils install
make[3] -C tools/mkimage compile
make[3] -C tools/mkimage install
make[3] -C tools/firmware-utils compile
make -r world: build failed. Please re-run make with V=99 to see what's going on
make: *** [world] Error 1So the question arises? can I get around all this recompiling if I encrypt the disks with a different cypher? (They are empty at the moment.)
aleph0
(Last edited by aleph0 on 13 Jan 2011, 00:09)
To use cbc-essiv:sha256 you need to compile your own image. If you haven't done it before, you may have a little bit of a learning curve ahead of you. Not only do you need to build your own image, but you need to make some modifications (those listed above by mr_gobble) to tell the build root system to build the correct sha256 module. I would say, start with trying to use a different cipher first, but I can't make a recommendation on which one you should try. Trial by error always works best for me! Unfortunately I don't have a whole lot of time to help out with image build instructions right now. Maybe in a week. start reading up on buildroot if you want to dive into the image building process. The openwrt wiki is somewhat helpful.
The sha256_generic kernel module is included in the package kmod-crypto-misc. 
Got it working, too.
nevertheless i am absolutely unable to use an encrypted swap.
If i try more or less all processes on my router randomly die at some time.
Can anyone confirm this?
Hi!
I'm suffering from the same issue with 10.03.1, I've installed all kmod-crypto-* packages; I googled around, and asked on IRC:
# cryptsetup luksOpen /dev/sda9 num9
Enter passphrase for /dev/sda9:
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda9.
Check that kernel supports aes-cbc-null cipher (check syslog for more info).
Failed to read from key storage.Kernel Log
device-mapper: table: 254:0: crypt: unknown target type
device-mapper: ioctl: error adding target to tableSystem Log
user.err kernel: device-mapper: table: 254:0: crypt: unknown target type
user.warn kernel: device-mapper: ioctl: error adding target to table/proc/crypto
# cat /proc/crypto
name : michael_mic
driver : michael_mic-generic
module : michael_mic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 8
digestsize : 8
name : cbc(cipher_null)
driver : cbc(cipher_null-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 0
ivsize : 1
geniv : <default>
name : ecb(arc4)
driver : ecb(arc4-generic)
module : ecb
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 1
max keysize : 256
ivsize : 0
geniv : <default>
name : cbc(aes)
driver : cbc(aes-generic)
module : cbc
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : hmac(sha1)
driver : hmac(sha1-generic)
module : hmac
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : hmac(md5)
driver : hmac(md5-generic)
module : hmac
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16
name : cbc(des3_ede)
driver : cbc(des3_ede-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 24
max keysize : 24
ivsize : 8
geniv : <default>
name : cbc(des)
driver : cbc(des-generic)
module : cbc
priority : 0
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 8
min keysize : 8
max keysize : 8
ivsize : 8
geniv : <default>
name : compress_null
driver : compress_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : compression
name : digest_null
driver : digest_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 1
digestsize : 0
name : ecb(cipher_null)
driver : ecb-cipher_null
module : crypto_null
priority : 100
refcnt : 1
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 0
max keysize : 0
ivsize : 0
geniv : <default>
name : cipher_null
driver : cipher_null-generic
module : crypto_null
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 1
min keysize : 0
max keysize : 0
name : sha1
driver : sha1-generic
module : sha1_generic
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 20
name : md5
driver : md5-generic
module : md5
priority : 0
refcnt : 1
selftest : passed
type : shash
blocksize : 64
digestsize : 16
name : des3_ede
driver : des3_ede-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8
min keysize : 24
max keysize : 24
name : des
driver : des-generic
module : des_generic
priority : 0
refcnt : 1
selftest : passed
type : cipher
blocksize : 8lsmod
Module Size Used by Tainted: P
hifn_795x 14304 0
michael_mic 1552 0
cryptosoft 8368 0
cryptodev 10048 0
ocf 20736 2 cryptosoft,cryptodev
crypto_null 1648 0
usb_storage 32720 2
ohci_hcd 16912 0
xt_IMQ 704 2
imq 2624 0
nf_nat_tftp 432 0
nf_conntrack_tftp 2400 1 nf_nat_tftp
nf_nat_irc 816 0
nf_conntrack_irc 2512 1 nf_nat_irc
nf_nat_ftp 1328 0
nf_conntrack_ftp 4640 1 nf_nat_ftp
xt_policy 1936 0
xt_esp 768 0
ipt_ah 688 0
xt_HL 1280 0
xt_hl 896 0
xt_MARK 496 11
ipt_ECN 1312 0
xt_CLASSIFY 496 0
xt_time 1552 0
xt_tcpmss 992 0
xt_statistic 816 0
xt_mark 512 11
xt_length 672 5
ipt_ecn 976 0
xt_DSCP 1392 0
xt_dscp 1008 0
xt_string 880 0
xt_layer7 10368 2
ipt_MASQUERADE 992 1
iptable_nat 2768 1
nf_nat 10912 5 nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
xt_CONNMARK 768 2
xt_recent 5536 0
xt_helper 816 0
xt_conntrack 2016 0
xt_connmark 656 0
xt_connbytes 1232 0
xt_NOTRACK 544 0
iptable_raw 656 1
xt_state 768 3
nf_conntrack_ipv4 7920 10 iptable_nat,nf_nat
nf_defrag_ipv4 624 1 nf_conntrack_ipv4
nf_conntrack 38848 18 nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,xt_layer7,ipt_MASQUERADE,iptable_nat,nf_nat,xt_CONNMARK,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_NOTRACK,xt_state,nf_conntrack_ipv4
ehci_hcd 31456 0
sd_mod 21696 3
pppoe 8304 0
pppox 1216 1 pppoe
ipt_REJECT 1680 2
xt_TCPMSS 2560 1
ipt_LOG 4176 0
xt_comment 464 0
xt_multiport 1792 0
xt_mac 576 0
xt_limit 1008 1
iptable_mangle 992 1
iptable_filter 768 1
ip_tables 8544 4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
xt_tcpudp 1760 8
x_tables 9296 38 xt_IMQ,xt_policy,xt_esp,ipt_ah,xt_HL,xt_hl,xt_MARK,ipt_ECN,xt_CLASSIFY,xt_time,xt_tcpmss,xt_statistic,xt_mark,xt_length,ipt_ecn,xt_DSCP,xt_dscp,xt_string,xt_layer7,ipt_MASQUERADE,iptable_nat,xt_CONNMARK,xt_recent,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_NOTRACK,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt_comment,xt_multiport,xt_mac,xt_limit,ip_tables,xt_tcpudp
ipcomp 1440 0
xfrm4_tunnel 1008 0
xfrm4_mode_tunnel 1152 0
xfrm4_mode_transport 656 0
xfrm4_mode_beet 1392 0
esp4 4064 0
ah4 2960 0
tunnel4 1616 1 xfrm4_tunnel
ext3 91312 1
jbd 31376 1 ext3
ppp_async 6400 0
ppp_generic 18864 3 pppoe,pppox,ppp_async
slhc 4160 1 ppp_generic
loop 51824 0
xfrm_user 15600 0
xfrm_ipcomp 2640 1 ipcomp
af_key 24432 0
dm_mirror 10752 0
dm_region_hash 5632 1 dm_mirror
dm_log 7280 2 dm_mirror,dm_region_hash
dm_mod 48544 2 dm_mirror,dm_log
ath9k 86656 0
ath9k_common 1200 1 ath9k
ath9k_hw 338384 2 ath9k,ath9k_common
ath 14160 3 ath9k,ath9k_common,ath9k_hw
nls_utf8 816 0
mac80211 229696 1 ath9k
usbcore 97616 4 usb_storage,ohci_hcd,ehci_hcd
ts_fsm 2608 0
ts_bm 1456 0
ts_kmp 1344 0
scsi_mod 68272 2 usb_storage,sd_mod
nls_base 4800 2 nls_utf8,usbcore
mbcache 3920 0
crc16 976 0
crc_ccitt 976 1 ppp_async
cfg80211 139760 3 ath9k,ath,mac80211
compat 16496 3 ath9k,mac80211,cfg80211
sha1_generic 1376 0
md5 4112 0
hmac 2304 0
des_generic 19152 1 hifn_795x
authenc 5216 0
arc4 816 2
aes_generic 30256 4
deflate 1360 0
ecb 1328 0
cbc 2016 0
leds_gpio 1456 0
button_hotplug 2576 0
gpio_buttons 2128 0
input_polldev 1360 1 gpio_buttons
input_core 17056 4 button_hotplug,gpio_buttons,input_polldevPlease help!
(Last edited by antivirtel on 12 Feb 2012, 18:13)
Added System Log outputs, as requested by iNdefiNite.
The discussion might have continued from here.