Ubuntu
cryptsetup package

cryptdisks problem, script fails to load architecture dependent aes kernel module

Bug #154392 reported by kampi
4
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[preface] everything worked perfect with feisty and the latest 2.6.20 kernel included in feisty[/preface]

* encrypted /home on /dev/hda6 with lukscrypt and aes
* /etc/fstab:
/dev/mapper/hda6 /home auto defaults 1 2

* /etc/crypttab:
hda6 /dev/hda6 none luks,check=ext2,retry=5

while booting feisty asked me for the password and everthing worked.

gusty does not mount the device:
mount: special device /dev/mapper/hda6 does not exist

and I think that is because the kernel does not include 'aes'. when I try to start '/etc/init.d/cryptdisks' I get:
* Starting remaining crypto disks....
ls: /lib/modules/2.6.22-14-powerpc/kernel/arch/*/*/aes*.ko: No such file or directory.

and my disk uses aes. 'cryptsetup luksDump /dev/hda6':
Cipher name: aes

btw: mounting "by hand" (cryptsetup luksOpen /dev/hda6 hda6 && mount /home) works.

Revision history for this message
kampi (kampi) wrote :

I found the solution for this problem: /lib/cryptsetup/cryptdisks.functions searches for the aes-module at the wrong place. I replaced the following line and now everything works as expected.

Revision history for this message
lasse (lasselassi) wrote :

With newest Hardy 8.04 installation on a PowerPC (Mac G4), this problem still persists and totally blocks usage of encrypted disks!

The problem is with cryptdisk.functions trying to load an architecture optimized aes module, which does not exists on PowerPC architecture. This is why this problem does not appear on x86 machines (and probably x64) because the script does find a module in /lib/modules/'uname -r'/kernel/arch/*/*/aes*.ko. On ppc machines, there is no such module and the script aborts at that point.

cryptdisks.functions needs to be fixed so that when looking for an architecture optimized aes module, it does not fail if there is none. This is not a fatal error, since an optmized module is not necessary for dm-crypt to function!

Please fix this, don't forget about the PPC users!

lasse (lasselassi)
Changed in cryptsetup:
status: Incomplete → Confirmed
Revision history for this message
SwissSign Operations Team (ubuntu-bugs-swisssign) wrote :

This fails with exceptional uselessness if you (as I am) are using a kernel which does not allow module loading at all.

The check for a kernel module in the file system should only be carried out if no aes ciphers are found in /proc/crypto.

Probably as so:
+++/lib/cryptsetup/cryptdisks.functions:

load_optimized_aes_module () {
        local asm_module modulesdir
+
+ # only load if not already loaded
+ local drv_loaded=`cat /proc/crypto | grep driver\ *:\ *aes-`
+ if [ -z "$drv_loaded" ]; then

        # find directory with kernel modules
        modulesdir="/lib/modules/`uname -r`"
        # Add assembly optimized AES module if it exists
        asm_module=`ls -1 "$modulesdir"/kernel/arch/*/*/aes*.ko`
        if [ $asm_module ];then
           insmod $asm_module 2>/dev/null || true
        fi
+
+ fi
}

Additionally the check should be weakened to not fail if the module does not load:

+++/lib/cryptsetup/cryptdisks.functions:
do_start () {
        local dst src key opts result

        modprobe -qb dm-mod || true
        modprobe -qb dm-crypt || true
        dmsetup mknodes > /dev/null 2>&1 || true
        log_action_begin_msg "Starting $INITSTATE crypto disks"
- load_optimized_aes_module
+ load_optimized_aes_module || true
        mount_fs

Revision history for this message
Reinhard Tartler (siretart) wrote :

SwissSign operations team: your comment indicates another issue as reported here in this bug. please file a new bug about this and attach your patch as file there. thanks.

Reinhard Tartler (siretart)
Changed in cryptsetup:
status: Confirmed → Fix Committed
Revision history for this message
Reinhard Tartler (siretart) wrote :

package has reached intrepid now

Changed in cryptsetup:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.