ecryptfs-utils can't find renamed blowfish kernel modules in >= 3.2

Bug #922821 reported by Tyler Hicks
This bug affects 3 people

Affects | Status | Importance | Assigned to | Milestone
eCryptfs | Fix Released | Medium | Sergio Peña |
ecryptfs-utils (Fedora) | Fix Released | Undecided | |
ecryptfs-utils (Ubuntu) | Fix Released | Medium | Dustin Kirkland |

Bug Description

Originally reported in the Fedora bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=785036

The blowfish kernel module name changed. We're looking for the old blowfish.ko, but blowfish_generic.ko seems to be used in 3.2 kernels.

Ling (ling-redhat-bugs) wrote:

ecryptfs doesn't provide blowfish as one of the cipher options. Rebooting into an old kernel (e.g., 3.1.9) solves the problem. Does this mean the blowfish encryption module is removed from the kernel 3.2.1?

Josh (josh-redhat-bugs) wrote:

There are now two kinds of blowfish drivers in the 3.2 kernel. blowfish_generic is the previously existing one renamed, and there is an assembly version for x86_64 as well.

Can you paste the errors you are seeing, and the dmesg of your working mount from the previous kernel?

Ling (ling-redhat-bugs) wrote:

Here's what I did/saw with the 3.2 kernel:

# ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [4c0c36bbcda400d6] into the user session keyring
Inserted auth tok with sig [d697d8aafc7fde3d] into the user session keyring

# mount encrypted encrypted -t ecryptfs
Select key type to use for newly created files:
 1) passphrase
 2) openssl
 3) tspi
 4) pkcs11-helper
Selection: 1
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)

There's no "blowfish" option. Passing "-o ecryptfs_cipher=blowfish" in the mount command leads to some bad option error.

With kernel 3.1.9, the only dmesg of mounting the ecryptfs is this line:

[23314.085489] SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts

There are no new messages in /var/log/messages from the mounting.

Thanks.

Josh (josh-redhat-bugs) wrote:

If you run 'sudo modprobe blowfish' before you mount the filesystem, the blowfish option will be presented.

I'll look at why this isn't done automatically as with previous kernels.

Ling (ling-redhat-bugs) wrote:

You are right. It shows up. (I remember I did that once but somehow it didn't find blowfish; I must have used a wrong cmd.)

Josh (josh-redhat-bugs) wrote:

This seems to be a bug in ecryptfs-utils.

During init, ecryptfs-utils will look at /proc/crypto to gather the already loaded ciphers. Some of the aes modules are built into the kernel, so those are already picked up from there; however, the blowfish cipher isn't built in or auto-loaded by anything in either kernel version.

Its next form of cipher discovery has a map of ciphers and kernel module names in src/libecryptfs/cipher_list.c that contains (among others):

        {"blowfish", "blowfish.ko", 16, 16, 56, 2, 1},

and during init it will loop over this map and look for modules in /lib/modules/`uname -r`/kernel/crypto and see if those .ko files exist. If they do, it presents the cipher name as available. If the .ko doesn't exist in that directory, it doesn't present that cipher as an option.

With the 3.1.x series of kernels, blowfish.ko is present so it's available. With the renames/additions mentioned in comment #1, that specific .ko name isn't present so the cipher isn't available.

Ideally, ecryptfs would be looking at modaliases instead of actual file names, because the 3.2 (and future) kernels still maintain the 'blowfish' modalias on blowfish_generic.ko. The newly added optimized blowfish-x86_64.ko has the same alias as well. That whole list of module names seems fairly stale at this point and should probably either be updated or removed.

I'm reassigning this to ecryptfs-utils for now. The workaround is to modprobe the cipher you want if it isn't already listed before trying to mount an ecryptfs filesystem. Until ecryptfs-utils is updated, any system with a 3.2 or newer kernel will have this issue, so that will shortly include all 3 Fedora releases.

Tyler Hicks (tyhicks)
Changed in ecryptfs-utils (Ubuntu):
status: New → Triaged
Michal (michal-redhat-bugs) wrote:

I've checked /lib/modules/`uname -r`/modules.alias and it seems it's not usable. It contains only modules with aliases like "alias blowfish blowfish_generic" but modules with no aliases are not there, so we still have to check them somehow. So, in the end, I've just added missing blowfish and twofish module names.
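
The two lookups discussed in this thread (the exact .ko file name and the modules.alias entries), combined into one resolver with a fallback for modules that have no alias line. This is an added example, not part of the thread and not ecryptfs-utils code; `resolve_cipher_module`, `ko_present` and the sample alias lines and file listing are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed modules.alias excerpt for a 3.2-style kernel (not real output). */
static const char SAMPLE_ALIASES[] =
    "alias blowfish blowfish_x86_64\n"
    "alias blowfish blowfish_generic\n";
/* Constructed kernel/crypto listing: the x86_64 module is not installed here. */
static const char *SAMPLE_KO[] = { "blowfish_generic.ko", "cast5.ko", "cast6.ko" };
#define SAMPLE_KO_N (sizeof SAMPLE_KO / sizeof SAMPLE_KO[0])

/* File-name check as described in the thread: is <mod>.ko in the listing? */
static int ko_present(const char *mod, const char **ko, size_t n)
{
    char name[80];
    snprintf(name, sizeof name, "%s.ko", mod);
    for (size_t i = 0; i < n; i++)
        if (strcmp(ko[i], name) == 0)
            return 1;
    return 0;
}

/* Hypothetical resolver: installed alias targets first, then the literal
 * <cipher>.ko for modules with no alias entry. Returns 1 and fills out, else 0. */
int resolve_cipher_module(const char *cipher, const char *aliases,
                          const char **ko, size_t n, char *out, size_t outlen)
{
    char line[160], a[64], m[64];
    for (const char *p = aliases; *p; ) {
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        if (sscanf(line, "alias %63s %63s", a, m) == 2 &&
            strcmp(a, cipher) == 0 && ko_present(m, ko, n)) {
            snprintf(out, outlen, "%s", m);
            return 1;
        }
        p += len + (p[len] == '\n');
    }
    if (!ko_present(cipher, ko, n))
        return 0;
    snprintf(out, outlen, "%s", cipher);
    return 1;
}

int main(void)
{
    char out[64] = "";
    int ok = resolve_cipher_module("blowfish", SAMPLE_ALIASES, SAMPLE_KO, SAMPLE_KO_N, out, sizeof out);
    printf("blowfish -> %s\n", ok ? out : "(not available)");
    return 0;
}
```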

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-95-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc15

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-95-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc16

Fedora (fedora-redhat-bugs) wrote:

Package ecryptfs-utils-95-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ecryptfs-utils-95-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1674/ecryptfs-utils-95-2.fc16
then log in and leave karma (feedback).

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc16

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc15

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc17

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

Fedora (fedora-redhat-bugs) wrote:

ecryptfs-utils-96-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Changed in ecryptfs:
assignee: nobody → Sergio Peña (sergio-pena)
status: Triaged → In Progress
Dustin Kirkland (kirkland) wrote:

Thanks Sergio! Looks good to me. Committing to trunk, r683. This will be in ecryptfs-utils 97.

Changed in ecryptfs-utils (Ubuntu):
importance: Undecided → Medium
status: Triaged → In Progress
assignee: nobody → Dustin Kirkland (kirkland)
Changed in ecryptfs:
status: In Progress → Fix Committed
Changed in ecryptfs-utils (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ecryptfs-utils - 97-0ubuntu1

---------------
ecryptfs-utils (97-0ubuntu1) quantal; urgency=low

  [ Kees Cook ]
  * src/pam_ecryptfs/pam_ecryptfs.c: LP: #938326
    - exit, rather than return to prevent duplicate processes

  [ Andreas Raster ]
  * src/desktop/ecryptfs-find:
    - $mounts was quoted once too often

  [ George Wilson ]
  * src/key_mod/ecryptfs_key_mod_openssl.c,
    src/key_mod/ecryptfs_key_mod_pkcs11_helper.c,
    src/key_mod/ecryptfs_key_mod_tspi.c: LP: #937331
    - IBM would like to grant a license exception for key modules that
      require linking to OpenSSL. The change should make the modules
      shippable by Linux distributions

  [ Dustin Kirkland ]
  * debian/copyright:
    - note the GPLv2 SSL exception granted by IBM for the key modules
  * debian/control, debian/copyright, doc/manpage/ecryptfs.7,
    doc/manpage/ecryptfs-add-passphrase.1, doc/manpage/ecryptfsd.8,
    doc/manpage/ecryptfs-generate-tpm-key.1, doc/manpage/ecryptfs-
    insert-wrapped-passphrase-into-keyring.1, doc/manpage/ecryptfs-
    manager.8, doc/manpage/ecryptfs-mount-private.1,
    doc/manpage/ecryptfs-recover-private.1, doc/manpage/ecryptfs-rewrap-
    passphrase.1, doc/manpage/ecryptfs-rewrite-file.1,
    doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs-setup-
    swap.1, doc/manpage/ecryptfs-stat.1, doc/manpage/ecryptfs-umount-
    private.1, doc/manpage/ecryptfs-unwrap-passphrase.1,
    doc/manpage/ecryptfs-wrap-passphrase.1,
    doc/manpage/mount.ecryptfs.8, doc/manpage/mount.ecryptfs_private.1,
    doc/manpage/pam_ecryptfs.8, doc/manpage/umount.ecryptfs.8,
    doc/manpage/umount.ecryptfs_private.1, README,
    src/utils/mount.ecryptfs.c:
    - use the new ecryptfs.org website where appropriate
  * debian/control:
    - update to suggest zescrow-client
  * precise

  [ Sergio Peña ]
  * src/libecryptfs/cipher_list.c: LP: #922821
    - add the new name of the blowfish cipher (linux >= 3.2)
  * src/include/ecryptfs.h, src/libecryptfs/main.c,
    src/utils/mount.ecryptfs.c: LP: #917509
    - use execl() to mount ecryptfs
    - this allows us to support any arbitrary mount options in
      /etc/fstab

  [ Tyler Hicks ]
  * doc/manpage/ecryptfs.7:
    - Remove the note saying that the passphrase and openssl key modules are
      available by default. That's true upstream but not always true in distro
      builds.
  * tests/run_tests.sh:
    - Make upper and lower mount point arguments optional by automatically
      creating directories in /tmp by default.
    - Make it possible to run only userspace tests without having to specify
      unused mount information
    - Accept a comma-separated list of lower filesystems to test on and loop
      through all kernel tests for each lower filesystem
    - Accept a comma-separated list of tests to run
  * tests/lib/etl_funcs.sh:
    - Unset $ETL_DISK just before etl_remove_disk() successfully returns
  * tests/userspace/Makefile.am:
    - Also build 'make check' tests when building with --enable-tests
  * include/ecryptfs.h, libecryptfs/Makefile.am,
    libecryptfs/cipher_list.c, libecryptfs/module_mgr.c,
    utils/io.h: LP: #994813
    - remove overly ...


Changed in ecryptfs-utils (Ubuntu):
status: Fix Committed → Fix Released
Changed in ecryptfs:
status: Fix Committed → Fix Released
Changed in ecryptfs-utils (Fedora):
importance: Unknown → Undecided
status: Unknown → Fix Released