CAAM & dmsetup:using tk(cbc(aes))-essiv:sha256

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CAAM & dmsetup:using tk(cbc(aes))-essiv:sha256

Jump to solution
1,706 Views
Alexander_iv
Contributor II

Hello,

Is it possible to use cbc(aes)-essiv encryption with tagged keys?

What was I doing?

I'm working with CAAM on iMX6UL. During tests, I prepared three images on my host machine. They were encrypted with the same symmetric key but with different ciphers:

  • ecb(aes)
  • cbc(aes)-plain
  • cbc(aes)-essiv:sha256.

Later, I created the black key from my symmetric key and mounted images on a device. ecb(aes) & cbc(aes)-plain images work well. But cbc(aes)-essiv:sha256 triggers 5-10 seconds freeze, and later mount operation fails. 

Mounting the image using my symmetric key directly (without caam-keygen & keyctl) works well. So, I'm sure that the image is prepared correctly.

But I'm unsure if it is possible to use cbc(aes)-essiv with tagged keys? Is this method supported? 

Examples:

1. This is how I executed dmsetup on a host during the image preparation. 

 

dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop0 0 1 sector_size:512"

 

2. This is how I configured dmsetup on a device to use tagged keys:

 

dmsetup -v create encrypted --table "0 16384 crypt capi:tk(cbc(aes))-essiv:sha256 :52:logon:mountkey: 0 /dev/loop5 0 1 sector_size:512"

 

Here I added tk prefix before cbc. And specify key name from keyctl. This method causes errors on the mount.

 

[ 2833.734136] udevd[2649]: conflicting device node '/dev/mapper/encrypted' found, link to '/dev/dm-5' will not be created
[ 2840.665864] EXT2-fs (dm-5): error: ext2_check_descriptors: Block bitmap for group 0 not in group (block 3863103938)!
[ 2840.665889] EXT2-fs (dm-5): group descriptors corrupted

 

3. This is how I configured dmsetup to use symmetric key directly:

 

dmsetup -v create encrypted --table "0 16384 crypt capi:cbc(aes)-essiv:sha256 782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A 0 /dev/loop5 0 1 sector_size:512

 

In that case, everything works fine.

 

Thanks

 

Labels (3)
Tags (3)
0 Kudos
Reply
1 Solution
1,601 Views
Alexander_iv
Contributor II

Hello @Harvey021 

Thanks for your answer


I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.

 

 

View solution in original post

0 Kudos
Reply
4 Replies
1,621 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Alexander_iv 

Have you tried to modify the device mapper node (conflicting device node '/dev/mapper/encrypted' found) with another device node name?

 

Best regards

Harvey

0 Kudos
Reply
1,602 Views
Alexander_iv
Contributor II

Hello @Harvey021 

Thanks for your answer


I could mount an encrypted partition created locally on a device (without exporting/importing images/keys from a host). In this case, everything works fine. That is enough to conclude cipher is working. And I made a mistake in earlier stages, like preparation or manual importing/exporting data.

 

 

0 Kudos
Reply
1,486 Views
souellet
Contributor I

Hello,

Did you really get tk(cbc(aes)-essiv:sha256 to work?

I couldn't get it to work. After some investigation, it seem that the sha256 is computed on the back key, which is different after every boot.

 

0 Kudos
Reply
1,478 Views
Alexander_iv
Contributor II

Hello, @souellet 

In my case, the cbc(aes)-essiv worked only until the next reboot. So that matches your results. I just stopped to dig deeper because aes-cbc was enough.

PS: Also, I didn't try essiv on a locked board.

 

0 Kudos
Reply