Hello,
Is it possible to use cbc(aes)-essiv encryption with tagged keys?
What was I doing?
I'm working with CAAM on iMX6UL. During tests, I prepared three images on my host machine. They were encrypted with the same symmetric key but with different ciphers:
Later, I created the black key from my symmetric key and mounted images on a device. ecb(aes) & cbc(aes)-plain images work well. But cbc(aes)-essiv:sha256 triggers 5-10 seconds freeze, and later mount operation fails.
Mounting the image using my symmetric key directly (without caam-keygen & keyctl) works well. So, I'm sure that the image is prepared correctly.
But I'm unsure if it is possible to use cbc(aes)-essiv with tagged keys? Is this method supported?
Examples:
1. This is how I executed dmsetup on a host during the image preparation.
dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop0 0 1 sector_size:512"
2. This is how I configured dmsetup on a device to use tagged keys:
dmsetup -v create encrypted --table "0 16384 crypt capi:tk(cbc(aes))-essiv:sha256 :52:logon:mountkey: 0 /dev/loop5 0 1 sector_size:512"
Here I added tk prefix before cbc. And specify key name from keyctl. This method causes errors on the mount.
[ 2833.734136] udevd[2649]: conflicting device node '/dev/mapper/encrypted' found, link to '/dev/dm-5' will not be created
[ 2840.665864] EXT2-fs (dm-5): error: ext2_check_descriptors: Block bitmap for group 0 not in group (block 3863103938)!
[ 2840.665889] EXT2-fs (dm-5): group descriptors corrupted
3. This is how I configured dmsetup to use symmetric key directly:
dmsetup -v create encrypted --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop5 0 1 sector_size:512
In that case, everything works fine.
Thanks
解決済! 解決策の投稿を見る。
Hello @Harvey021
Thanks for your answer
I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.
Have you tried to modify the device mapper node (conflicting device node '/dev/mapper/encrypted' found) with another device node name?
Best regards
Harvey
Hello @Harvey021
Thanks for your answer
I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.
Hello,
Did you really get tk(cbc(aes)-essiv:sha256 to work?
I couldn't get it to work. After some investigation, it seem that the sha256 is computed on the back key, which is different after every boot.
Hello, @souellet
In my case, the cbc(aes)-essiv worked only until the next reboot. So that matches your results. I just stopped to dig deeper because aes-cbc was enough.
PS: Also, I didn't try essiv on a locked board.