CAAM & dmsetup:using tk(cbc(aes))-essiv:sha256

Alexander_iv
Contributor II

Hello,

Is it possible to use cbc(aes)-essiv encryption with tagged keys?

What was I doing?

I'm working with CAAM on iMX6UL. During tests, I prepared three images on my host machine. They were encrypted with the same symmetric key but with different ciphers:

  • ecb(aes)
  • cbc(aes)-plain
  • cbc(aes)-essiv:sha256.

Later, I created the black key from my symmetric key and mounted the images on a device. The ecb(aes) & cbc(aes)-plain images work well. But cbc(aes)-essiv:sha256 triggers a 5-10 second freeze, and later the mount operation fails.

Mounting the image using my symmetric key directly (without caam-keygen & keyctl) works well. So, I'm sure that the image is prepared correctly.

But I'm unsure whether it is possible to use cbc(aes)-essiv with tagged keys. Is this method supported?

Examples:

1. This is how I executed dmsetup on a host during the image preparation.

dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop0 0 1 sector_size:512"

2. This is how I configured dmsetup on a device to use tagged keys:

dmsetup -v create encrypted --table "0 16384 crypt capi:tk(cbc(aes))-essiv:sha256 :52:logon:mountkey: 0 /dev/loop5 0 1 sector_size:512"

Here I added the tk prefix before cbc and specified the key name from keyctl. This method causes errors on mount:

[ 2833.734136] udevd[2649]: conflicting device node '/dev/mapper/encrypted' found, link to '/dev/dm-5' will not be created
[ 2840.665864] EXT2-fs (dm-5): error: ext2_check_descriptors: Block bitmap for group 0 not in group (block 3863103938)!
[ 2840.665889] EXT2-fs (dm-5): group descriptors corrupted

 

3. This is how I configured dmsetup to use the symmetric key directly:

dmsetup -v create encrypted --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop5 0 1 sector_size:512"

In that case, everything works fine.

 

Thanks

 

4 Replies
Harvey021
NXP TechSupport

Hi @Alexander_iv 

Have you tried to modify the device mapper node (conflicting device node '/dev/mapper/encrypted' found) with another device node name?

 

Best regards

Harvey

Alexander_iv
Contributor II

Hello @Harvey021 

Thanks for your answer


I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude the cipher is working, and that I made a mistake in earlier stages, like preparation or manual importing/exporting of data.

 

 

souellet
Contributor I

Hello,

Did you really get tk(cbc(aes))-essiv:sha256 to work?

I couldn't get it to work. After some investigation, it seems that the sha256 is computed on the black key, which is different after every boot.

 

Alexander_iv
Contributor II

Hello, @souellet 

In my case, the cbc(aes)-essiv worked only until the next reboot, so that matches your results. I just stopped digging deeper because aes-cbc was enough.

PS: Also, I didn't try essiv on a locked board.

 

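Added example, not code from this thread or from NXP's CAAM tooling, modelling what the last two replies describe: dm-crypt's ESSIV hashes whatever key bytes it holds, so a sector whose IV was derived from the plain key on the host, decrypted with the correct data key but an IV derived from a different key blob, comes back with only its first 16 bytes garbled, which is consistent with the corrupted ext2 group descriptors in the earlier log and with a setup that works until the blob changes at the next boot. The key, the "black key blob" and the sector contents are constructed; the tagged key is modelled purely as different IV key material, not as real CAAM output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// essivIV derives the dm-crypt ESSIV for one sector: the little-endian sector
// number, zero-padded to a block, AES-encrypted under sha256(keyMaterial).
func essivIV(keyMaterial []byte, sector uint64) []byte {
	h := sha256.Sum256(keyMaterial) // whatever dm-crypt holds as "the key" is hashed
	blk, _ := aes.NewCipher(h[:])   // 32-byte digest is a valid AES-256 key
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	blk.Encrypt(iv, iv)
	return iv
}

// cbcSector runs cbc(aes) over one sector with dataKey, deriving the IV from
// ivKeyMaterial; encrypt selects the direction.
func cbcSector(dataKey, ivKeyMaterial []byte, sector uint64, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(dataKey) // callers pass a 16, 24 or 32-byte key
	out := make([]byte, len(in))
	iv := essivIV(ivKeyMaterial, sector)
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// corruptedPrefix encrypts a constructed 512-byte sector as the host did (ESSIV
// over the plain key), then decrypts it with the same data key but ESSIV over
// blobMaterial, standing in for the per-boot black key behind a tagged key.
// It returns how many leading bytes came back wrong (0 means a clean round-trip).
func corruptedPrefix(plainKey, blobMaterial []byte) int {
	sector := bytes.Repeat([]byte("ext2 group descriptor "), 32)[:512] // constructed plaintext
	enc := cbcSector(plainKey, plainKey, 0, sector, true)
	dec := cbcSector(plainKey, blobMaterial, 0, enc, false)
	bad := 0
	for i := range sector {
		if dec[i] != sector[i] {
			bad = i + 1 // only the first CBC block depends on the IV
		}
	}
	return bad
}
```

Within one boot the blob is stable, so hashing it on both the encrypt and decrypt side still round-trips; the mismatch only appears against an image prepared elsewhere or after the blob is regenerated.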