What's new

Cryptsetup Kernel Modules

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

vzhilov

Occasional Visitor
Hello! I just got new Asus RT-AC86U router and wanted to run disk encryption.

I have installed losetup and cryptsetup.

In order to compile dm-mod.ko I have forked asuswrt-merlin on my Linux Mint 18.3 (Ubuntu 16.04) machine. I have followed this manual (https://github.com/RMerl/asuswrt-merlin/wiki/Compile-Firmware-from-source-using-Ubuntu) to prepare for compilation. Then I put

CONFIG_MD=y
CONFIG_DM_CRYPT=m

to

~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

After then I used

make rt-ac86u

and the whole thing compiled just fine and as result I got the needed dm-mod.ko module.

However when I copied it to the router and tried

insmode entware/home/dm-mod.ko

I get

insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

While I think I compiled using the correct environment. Is there something I did wrong?
 
When you say CONFIG_MD=y, I think it adds built-in functions to the Linux kernel.
 
Ok, I have tried all 3 options by now including CONFIG_MD=n but I only get dm-mod.ko module compiled with CONFIG_MD=y and non with other options.

Then I have noticed that my clock is 2 days ahead so I have corrected it and re-mopile again just in case. I got an warning that maybe not everything compiled due to clock shift. Then I ereased the asuswrt-merlin.ng directory and copied it again. Then I re-compiled. on insmod dm-mod.ko I still get the same error:

admin@RT-AC86U-C828:/tmp/mnt/flash# insmod entware/home/dm-mod.ko
insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

I'm attaching the module I got just in case anyone would like to try it out on his RT-AC86 router. Just remove the txt extention.

So I compile this module using Kernel 4.1 from repository files. The curent asuswrt-merlin.ng kernel is 4.1.27 so it should work but it doesn't.
 

Attachments

  • dm-mod.ko.txt
    2 MB · Views: 450
See this. There are more kernel switches for what you do.

LUKS Encrypted USB Drive HOWTO
https://github.com/RMerl/asuswrt-merlin/wiki/LUKS-Encrypted-USB-Drive-HOWTO

Yes, thank you.

In fact I have this

CONFIG_MD=y
CONFIG_BLK_DEV_MD=m
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m

CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_SHA256=m
in my config_base.6a file. But for some reason I get less modules compiled as the result as the link says. I get

in kernel-4.1/drivers/md/ I get:

dm-mod.ko
md-mod.ko
dm-crypt.ko​

All of them give the error excpet insmode md-mod.ko

but in kernet-4.1/crypto/ I get only

xts.ko​

and no other modules.
 
But just to start with I need to get dm-mod.ko somehow so I can insmod it. Then we will see what's next pops up :)
 
Try using modprobe instead of insmod. modprobe handles dependencies where insmod does not.
 
Try using modprobe instead of insmod. modprobe handles dependencies where insmod does not.

Thank you for answering this. Still no luck as I can't copy the module to /lib/modules/4.1.27/kernel on the router as the router file system is read-only:

admin@RT-AC86U-C828:/tmp/home/root# modprobe dm_mod
modprobe: module dm_mod not found in modules.dep
admin@RT-AC86U-C828:/tmp/home/root# depmod
depmod: can't open 'modules.dep': Read-only file system
 
Oh, I get what I can do. Since I have compiled the whole thing from source this is not neccesary for my just to take few modules out and transfer it to the router, I can just take the whole new image and burn the whole thing into the router.

So I did that, then modprobe dm_mode worked!

So then I did:

dd if=/dev/zero of=./crypto.img bs=1M count=512
losetup /dev/loop1 ./crypto.img
cryptsetup -y --key-size 256 luksFormat /dev/loop1

And I got the new error:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup -y --key-size 256 luksFormat /dev
/loop1

WARNING!
========
This will overwrite data on /dev/loop1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Failed to access temporary keystore device.
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted

Am I missing any other modules that I had to compile for cryptsetup to work?
 
Am I missing any other modules that I had to compile for cryptsetup to work?
Try both switches "--verbose --debug", to see more information?

Try cryptsetup-openssl package instead? If this alternate package works for you, then the problem is either libgcrypt or libgpg-error packages compiled for aarch64.

I can see the problem here. https://github.com/Entware/entware-...gpg-error/patches/500-entware-archs.patch#L23
Just needs to handle it properly on aarch64 platform: {"aarch64-openwrt-linux-gnu", "aarch64-unknown-linux-gnu"}

Lastly, if cryptsetup w/libgcrypt segfaults on aarch64, I think the fix is to compile libgcrypt with --disable-arm-crypto-support. Due to a libgcrypt bug with the armv8 crypto extensions???
 
Last edited:
Thank you very much. I think I'm close here. I didn't try cryptsetup-openssl yet but I was able to get program on cryptsetup. After the system reboot I started to get success on my commands but still with some errors.

I made two volumes on my flash drive: sda1 and sda2. I installed Entware on sda1. And I'm trying to crypt sda2 now. So I do:

cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2

And I get:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup --verbose --debug -y --key-size 2
56 luksFormat /dev/sda2
# cryptsetup 1.7.5 processing "cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2"
# Running command luksFormat.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda2 context.
# Trying to open and read device /dev/sda2 with direct-io.
# Initialising device-mapper backend library.
# Timeout set to 0 miliseconds.
# Iteration time set to 2000 milliseconds.
# Interactive passphrase entry requested.
Enter passphrase:
Verify passphrase:
# Formatting device /dev/sda2 as type LUKS1.
# Crypto backend (gcrypt 1.6.6) initialized in cryptsetup library version 1.7.5.
# Detected kernel Linux 4.1.27 aarch64.
# Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
# Checking if cipher aes-xts-plain64 is usable.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 1 sectors (RW), offset 0.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-crypt version 1.14.1, dm-ioctl version 4.31.0.
# Device-mapper backend running with UDEV support disabled.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
# dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
# dm resume temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
# temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
# Created /dev/mapper/temporary-cryptsetup-1814
# temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814 (253:0): read ahead is 256
# temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
# dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_DEL
# temporary-cryptsetup-1814: Processing NODE_DEL
# Removed /dev/mapper/temporary-cryptsetup-1814
# Generating LUKS header version 1 using hash sha256, aes, xts-plain64, MK 32 bytes
# KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
# Data offset 4096, UUID 6b470e76-6034-4c93-9df1-f4cd982deb70, digest iterations 44250
# Updating LUKS header of size 1024 on device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Reading LUKS header of size 1024 from device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Adding new keyslot -1 using volume key.
# Calculating data for key slot 0
# KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
# Key slot 0 use 355554 password iterations.
# Using hash sha256 for AF in key slot 0, 4000 stripes
# Updating key slot 0 [0x1000] area.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Calculated device size is 250 sectors (RW), offset 8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
# dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
# dm reload temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
# dm resume temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
# temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
# Created /dev/mapper/temporary-cryptsetup-1814
# temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
# temporary-cryptsetup-1814 (253:0): read ahead is 256
# temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
# dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
# temporary-cryptsetup-1814: Stacking NODE_DEL
# temporary-cryptsetup-1814: Processing NODE_DEL
# Removed /dev/mapper/temporary-cryptsetup-1814
# Key slot 0 was enabled in LUKS header.
# Updating LUKS header of size 1024 on device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Reading LUKS header of size 1024 from device /dev/sda2
# Key length 32, device size 3928568 sectors, header size 2050 sectors.
# Releasing crypt device /dev/sda2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted​

So it said "Successful" but then gave some error. However I see that LUKS volume is created:

admin@RT-AC86U-C828:/tmp/home/root# cryptsetup luksOpen /dev/sda2 crypted
Enter passphrase for /dev/sda2:
cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
Aborted
admin@RT-AC86U-C828:/tmp/home/root# ls /dev/mapper/c*
control crypted​

While I get the same error the device-mapper is there.

admin@RT-AC86U-C828:/tmp/home/root# mkfs.ext3 -j /dev/mapper/crypted
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 490559 4k blocks and 122640 inodes
Filesystem UUID: 99a84dd4-cebd-42d4-9e96-9f294bf94dce
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done​

But here at the end I can't get it mounted:

admin@RT-AC86U-C828:/tmp/home/root# mkdir /mnt/crypted
admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument​

Can that constant error cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed be the cause of that?
 
Can that constant error cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed be the cause of that?
That assert is happening in libgpg-error, here:
https://dev.gnupg.org/source/libgpg...;6eb80abcde5ad776379069871e4156b28ef69712$139

Try this:
opkg remove cryptsetup
opkg install cryptsetup-openssl

There is problems with libgcrypt and libgpg-error on aarch64 platform. The cryptsetup-openssl package does not depend on libgcrypt and libgpg-error, so this may work better for you. If you want to use regular cryptsetup, you must recompile libgcrypt and libgpg-error with the fixes I mentioned above.
 
Thank you. I did that. I don't mind using cryptsetup-openssl. This is probably the same strong encryption, right? And the parameter ---key-size 256 enough, correct? I just realised I don't put any algorythm, is any default used then?

So per your instruction everything went well with success and no errors... but again except the last mount command:

admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument​

I have also tried the whole thing with /dev/loop1 (losetup) and all goes through fine but gives the same mount error.
 
admin@RT-AC86U-C828:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

I have also tried the whole thing with /dev/loop1 (losetup) and all goes through fine but gives the same mount error.
Verify the kernel modules loaded?
modprobe dm-mod
modprobe dm-crypt
modprobe gf128mul
modprobe xts
modprobe sha256_generic
 
Verify the kernel modules loaded?
modprobe dm-mod
modprobe dm-crypt
modprobe gf128mul
modprobe xts
modprobe sha256_generic

I don't have two: gf128mul and sha256_generic

I do have:

CONFIG_CRYPTO=y
CONFIG_CRYPTO_GF128MUL=m
CONFIG_CRYPTO_SHA256=m

in my

~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

But I don't get those two modules after the compilation, while I get all the other needed modules
 
Last edited:
Can I ask why you would need an encrypted filesystem on a router? Just an educational exercise? Not that there is anything wrong with that, just curious.
 
Can I ask why you would need an encrypted filesystem on a router? Just an educational exercise? Not that there is anything wrong with that, just curious.

I want to try using it as a samba server for a small office instead of buying an addtional equipment just for that purpose
 
I don't have two: gf128mul and sha256_generic
Might want to put it back, for this settings.
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_SHA256=y
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top