Cryptsetup Kernel Modules

vzhilov

Occasional Visitor
Hello! I just got new Asus RT-AC86U router and wanted to run disk encryption.

I have installed losetup and cryptsetup.

In order to compile dm-mod.ko I have forked asuswrt-merlin on my Linux Mint 18.3 (Ubuntu 16.04) machine. I have followed this manual (https://github.com/RMerl/asuswrt-merlin/wiki/Compile-Firmware-from-source-using-Ubuntu) to prepare for compilation. Then I put

CONFIG_MD=y
CONFIG_DM_CRYPT=m

to

~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

After that I used

make rt-ac86u

and the whole thing compiled just fine and as a result I got the needed dm-mod.ko module.

However when I copied it to the router and tried

insmod entware/home/dm-mod.ko

I get

insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

While I think I compiled using the correct environment. Is there something I did wrong?
 
When you say CONFIG_MD=y, I think it adds built-in functions to the Linux kernel.
 
Ok, I have tried all 3 options by now including CONFIG_MD=n but I only get dm-mod.ko module compiled with CONFIG_MD=y and none with other options.

Then I noticed that my clock was 2 days ahead, so I corrected it and re-compiled again just in case. I got a warning that maybe not everything compiled due to the clock shift. Then I erased the asuswrt-merlin.ng directory and copied it again. Then I re-compiled. On insmod dm-mod.ko I still get the same error:

admin@RT-AC86U-C828:/tmp/mnt/flash# insmod entware/home/dm-mod.ko
insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

I'm attaching the module I got just in case anyone would like to try it out on his RT-AC86 router. Just remove the txt extension.

So I compile this module using Kernel 4.1 from repository files. The current asuswrt-merlin.ng kernel is 4.1.27 so it should work but it doesn't.
 

Attachments

  • dm-mod.ko.txt
    2 MB · Views: 442
See this. There are more kernel switches for what you do.

LUKS Encrypted USB Drive HOWTO
https://github.com/RMerl/asuswrt-merlin/wiki/LUKS-Encrypted-USB-Drive-HOWTO

Yes, thank you.

In fact I have this

CONFIG_MD=y
CONFIG_BLK_DEV_MD=m
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m

CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_SHA256=m
in my config_base.6a file. But for some reason I get fewer modules compiled as a result than the link says. I get

in kernel-4.1/drivers/md/ I get:

dm-mod.ko
md-mod.ko
dm-crypt.ko

All of them give the error except insmod md-mod.ko

but in kernel-4.1/crypto/ I get only

xts.ko

and no other modules.
 
But just to start with I need to get dm-mod.ko somehow so I can insmod it. Then we will see what pops up next :)
 
Try using modprobe instead of insmod. modprobe handles dependencies where insmod does not.
 
Try using modprobe instead of insmod. modprobe handles dependencies where insmod does not.

Thank you for answering this. Still no luck as I can't copy the module to /lib/modules/4.1.27/kernel on the router as the router file system is read-only:

admin@RT-AC86U-C828:/tmp/home/root# modprobe dm_mod
modprobe: module dm_mod not found in modules.dep
admin@RT-AC86U-C828:/tmp/home/root# depmod
depmod: can't open 'modules.dep': Read-only file system
 
Oh, I get what I can do. Since I have compiled the whole thing from source, it is not necessary for me to take just a few modules out and transfer them to the router; I can just take the whole new image and burn the whole thing into the router.

So I did that, then modprobe dm_mod worked!

So then I did:

dd if=/dev/zero of=./crypto.img bs=1M count=512
losetup /dev/loop1 ./crypto.img
cryptsetup -y --key-size 256 luksFormat /dev/loop1

And I got the new error:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup -y --key-size 256 luksFormat /dev/loop1

WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Failed to access temporary keystore device.
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted

Am I missing any other modules that I had to compile for cryptsetup to work?
 
Am I missing any other modules that I had to compile for cryptsetup to work?
Try both switches "--verbose --debug", to see more information?

Try cryptsetup-openssl package instead? If this alternate package works for you, then the problem is either libgcrypt or libgpg-error packages compiled for aarch64.

I can see the problem here. https://github.com/Entware/entware-...gpg-error/patches/500-entware-archs.patch#L23
Just needs to handle it properly on aarch64 platform: {"aarch64-openwrt-linux-gnu", "aarch64-unknown-linux-gnu"}

Lastly, if cryptsetup w/libgcrypt segfaults on aarch64, I think the fix is to compile libgcrypt with --disable-arm-crypto-support. Due to a libgcrypt bug with the armv8 crypto extensions???
 
Thank you very much. I think I'm close here. I didn't try cryptsetup-openssl yet but I was able to get progress on cryptsetup. After the system reboot I started to get success on my commands but still with some errors.

I made two volumes on my flash drive: sda1 and sda2. I installed Entware on sda1. And I'm trying to crypt sda2 now. So I do:

cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2

And I get:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2
# cryptsetup 1.7.5 processing "cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2 with direct-io.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 2000 milliseconds.
# Interactive passphrase entry requested.
Enter passphrase:
Verify passphrase:
# Formatting device /dev/sda2 as type LUKS1.
# Crypto backend (gcrypt 1.6.6) initialized in cryptsetup library version 1.7.5.
# Detected kernel Linux 4.1.27 aarch64.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 1 sectors (RW), offset 0.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-crypt version 1.14.1, dm-ioctl version 4.31.0.
# Device-mapper backend running with UDEV support disabled.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
# dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
# dm resume temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
# temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
# Created /dev/mapper/temporary-cryptsetup-1814
# temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814 (253:0): read ahead is 256
# temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
# dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_DEL
# temporary-cryptsetup-1814: Processing NODE_DEL
# Removed /dev/mapper/temporary-cryptsetup-1814
# Generating LUKS header version 1 using hash sha256, aes, xts-plain64, MK 32 bytes
# KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
# Data offset 4096, UUID 6b470e76-6034-4c93-9df1-f4cd982deb70, digest iterations 44250
# Updating LUKS header of size 1024 on device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Reading LUKS header of size 1024 from device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Adding new keyslot -1 using volume key.
# Calculating data for key slot 0
# KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
# Key slot 0 use 355554 password iterations.
# Using hash sha256 for AF in key slot 0, 4000 stripes
# Updating key slot 0 [0x1000] area.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 250 sectors (RW), offset 8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
# dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
# dm resume temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
# temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
# Created /dev/mapper/temporary-cryptsetup-1814
# temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814 (253:0): read ahead is 256
# temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
# dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_DEL
# temporary-cryptsetup-1814: Processing NODE_DEL
# Removed /dev/mapper/temporary-cryptsetup-1814
# Key slot 0 was enabled in LUKS header.
# Updating LUKS header of size 1024 on device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Reading LUKS header of size 1024 from device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted

So it said "Successful" but then gave some error. However I see that LUKS volume is created:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup luksOpen /dev/sda2 crypted
Enter passphrase for /dev/sda2:
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted
admin@RT-AC86U-C828:/tmp/home/root# ls /dev/mapper/c*
control crypted

While I get the same error the device-mapper is there.

admin@RT-AC86U-C828:/tmp/home/root# mkfs.ext3 -j /dev/mapper/crypted
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 490559 4k blocks and 122640 inodes
Filesystem UUID: 99a84dd4-cebd-42d4-9e96-9f294bf94dce
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

But here at the end I can't get it mounted:

admin@RT-AC86U-C828:/tmp/home/root# mkdir /mnt/crypted
admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

Can that constant error cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed be the cause of that?
 
Can that constant error cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed be the cause of that?
That assert is happening in libgpg-error, here:
https://dev.gnupg.org/source/libgpg...;6eb80abcde5ad776379069871e4156b28ef69712$139

Try this:
opkg remove cryptsetup
opkg install cryptsetup-openssl

There are problems with libgcrypt and libgpg-error on aarch64 platform. The cryptsetup-openssl package does not depend on libgcrypt and libgpg-error, so this may work better for you. If you want to use regular cryptsetup, you must recompile libgcrypt and libgpg-error with the fixes I mentioned above.
 
Thank you. I did that. I don't mind using cryptsetup-openssl. This is probably the same strong encryption, right? And the parameter --key-size 256 is enough, correct? I just realised I don't put any algorithm, is any default used then?

So per your instruction everything went well with success and no errors... but again except the last mount command:

admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

I have also tried the whole thing with /dev/loop1 (losetup) and all goes through fine but gives the same mount error.
 
admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

I have also tried the whole thing with /dev/loop1 (losetup) and all goes through fine but gives the same mount error.
Verify the kernel modules loaded?
modprobe dm-mod
modprobe dm-crypt
modprobe gf128mul
modprobe xts
modprobe sha256_generic
 
Verify the kernel modules loaded?
modprobe dm-mod
modprobe dm-crypt
modprobe gf128mul
modprobe xts
modprobe sha256_generic

I don't have two: gf128mul and sha256_generic

I do have:

CONFIG_CRYPTO=y
CONFIG_CRYPTO_GF128MUL=m
CONFIG_CRYPTO_SHA256=m

in my

~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

But I don't get those two modules after the compilation, while I get all the other needed modules
 
Can I ask why you would need an encrypted filesystem on a router? Just an educational exercise? Not that there is anything wrong with that, just curious.
 
Can I ask why you would need an encrypted filesystem on a router? Just an educational exercise? Not that there is anything wrong with that, just curious.

I want to try using it as a Samba server for a small office instead of buying additional equipment just for that purpose.
 
I don't have two: gf128mul and sha256_generic
Might want to put it back, for these settings.
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_SHA256=y
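
Added example, not part of any post in this thread: a POSIX shell check that reads a kernel config file and a module list in /proc/modules format and reports, for each option and module the thread names, whether it is built in (`=y`), a loaded module, a module that is not loaded, or missing. The function name `check_luks_config`, the variable names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# option:module pairs; option and module names are the ones used in the thread.
LUKS_DEPS="CONFIG_BLK_DEV_DM:dm_mod CONFIG_DM_CRYPT:dm_crypt
CONFIG_CRYPTO_GF128MUL:gf128mul CONFIG_CRYPTO_XTS:xts
CONFIG_CRYPTO_SHA256:sha256_generic"

# check_luks_config <kernel config file> <module list, /proc/modules format>
# Prints "<option> <state>" per dependency; returns 1 if any is unusable.
check_luks_config() {
    cfg=$1 mods=$2 rc=0
    for pair in $LUKS_DEPS; do
        opt=${pair%%:*} mod=${pair##*:}
        # Last assignment wins; "# CONFIG_X is not set" lines do not match.
        val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg" | tail -n 1)
        case $val in
            y) state=builtin ;;
            m) # /proc/modules uses underscores: dm_mod, dm_crypt, ...
               if grep -q "^${mod} " "$mods"; then state=module-loaded
               else state=module-not-loaded; rc=1; fi ;;
            *) state=missing; rc=1 ;;
        esac
        echo "$opt $state"
    done
    return $rc
}

# Constructed sample input (not taken from a real router).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config" <<'EOF'
CONFIG_MD=y
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_GF128MUL=y
# CONFIG_CRYPTO_SHA256 is not set
EOF
cat > "$SAMPLE_DIR/modules" <<'EOF'
dm_crypt 24576 0 - Live 0x0000000000000000
dm_mod 98304 1 dm_crypt, Live 0x0000000000000000
EOF

check_luks_config "$SAMPLE_DIR/config" "$SAMPLE_DIR/modules" \
    || echo "LUKS prerequisites incomplete"
```

On a running system the second argument would be /proc/modules; the first is the config the firmware was built from.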
 
