Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 309221 - sys-fs/cryptsetup-1.0.6-r2 (also 1.1.0) fails to create encrypted device when ESSIV is requested
Summary: sys-fs/cryptsetup-1.0.6-r2 (also 1.1.0) fails to create encrypted device when...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2010-03-13 05:03 UTC by aabugher
Modified: 2010-06-16 09:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

kernel configuration (.config) (config,36.64 KB, text/plain)
2010-03-13 06:28 UTC, aabugher

Note You need to log in before you can comment on or make changes to this bug.
Description aabugher 2010-03-13 05:03:56 UTC
When cryptsetup is invoked with essiv requested, I get this on stdout:

Command failed: device-mapper: reload ioctl failed: Invalid argument

This shows up in dmesg:

device-mapper: table: 254:0: crypt: Error initializing ESSIV hash
device-mapper: ioctl: error adding target to table
device-mapper: ioctl: device doesn't appear to be in the dev hash table.

No file is created in /dev/mapper/ .  This seems to be triggered only and always by specifying essiv.  Examples:

cryptsetup -c serpent-cbc-essiv:whirlpool -h whirlpool -y create crypt_sdc1 /dev/sdc1
cryptsetup -c aes-cbc-essiv:sha1 -h sha1 -y create crypt_sdc1 /dev/sdc1

Both of the above fail with the same results, while these succeed:

cryptsetup -c aes-cbc-plain:sha1 -h sha1 -y create crypt_sdc1 /dev/sdc1
cryptsetup -c serpent-cbc-plain:whirlpool -h whirlpool -y create crypt_sdc1 /dev/sdc1

I have tested this under kernel 2.6.29 (gentoo hardened) and 2.6.33 ( with identical results, using cryptsetup 1.0.6-r2.  I also tried cryptsetup 1.1.0 under kernel 2.6.33 (  This yielded a small change in output.  The following line is no longer displayed:

device-mapper: ioctl: device doesn't appear to be in the dev hash table.

This appears to be the only change.  Still no new file in /dev/mapper/ .

Reproducible: Always

Steps to Reproduce:
1.Invoke cryptsetup, specifying essiv.
Actual Results:  
No device file created in /dev/mapper/

Expected Results:  
/dev/mapper/[device name] created.

System is hardened/selinux profile.  SELinux is strict/enforcing.  PaX is enabled.  System was built with a general "harden first, make operable second" approach.  It is otherwise completely functional, though.

emerge --info follows:

Portage (selinux/2007.0/x86/hardened, gcc-4.3.4, glibc-2.10.1-r1, 2.6.33_2010.03.12 i686)
System uname: Linux-2.6.33_2010.03.12-i686-AMD_Athlon-tm-_XP_2200+-with-gentoo-1.12.13
Timestamp of tree: Thu, 04 Mar 2010 06:15:01 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4-r1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
CFLAGS="-march=i686 -O2 -pipe -fforce-addr -fomit-frame-pointer"
CONFIG_PROTECT="/etc/DIR_COLORS /etc/fstab /etc/group /etc/hosts /etc/make.conf /etc/passwd /etc/profile /etc/resolv.conf /etc/resolv.conf.head /etc/ssh /etc/sudoers"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=i686 -O2 -pipe -fforce-addr -fomit-frame-pointer"
FEATURES="assume-digests distlocks fixpackages gpg loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox severe sfperms strict stricter suidctl unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="3dnow 3dnowext bash-completion berkdb cli cracklib crypt cxx dri fortran gnutls hardened iconv mmx mmxext modules mudflap ncurses nethack offensive openmp pam pcre perl pic pppd python readline reflection selinux session spl sse ssl tcpd x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" 
Comment 1 aabugher 2010-03-13 06:28:07 UTC
Created attachment 223367 [details]
kernel configuration (.config)
Comment 2 Vasilis Lourdas 2010-04-27 11:01:07 UTC
I confirm this behavior:

cryptsetup -c aes-xts-essiv --debug -y -s 512 luksFormat /dev/sda8                                                                                # cryptsetup 1.1.0 processing "cryptsetup -c aes-xts-essiv --debug -y -s 512 luksFormat /dev/sda8"
# Locking memory.

This will overwrite data on /dev/sda8 irrevocably.

Are you sure? (Type uppercase yes): YES
# Allocating crypt device /dev/sda8 context.
# Trying to open and read device /dev/sda8.
# Initialising device-mapper backend.
# Timeout set to 0 miliseconds.
# Password retry count set to 0.
# Iteration time set to 1000 miliseconds.
# Password verification enabled.
Enter LUKS passphrase:
Verify passphrase:
# Formatting device /dev/sda8 as type LUKS1.
# Generating LUKS header version 1 using hash sha1, aes, xts-essiv, MK 64 bytes
# PBKDF2: 392001 iterations per second using hash sha1.
# Data offset 4040, UUID xxxxxxxxxxxxxx, digest iterations 47750
# Updating LUKS header of size 1024 on device /dev/sda8
# Reading LUKS header of size 1024 from device /dev/sda8
# Adding new keyslot -1 using volume key.
# Calculating data for key slot 0
# Key slot 0 use 191406 password iterations.
# Using hash sha1 for AF in key slot 0, 4000 stripes
# Updating key slot 0 [0x1000] area on device /dev/sda8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-2644
# dm create temporary-cryptsetup-2644 CRYPT-TEMP-temporary-cryptsetup-2644 OF   [16384]
# temporary-cryptsetup-2644: Stacking NODE_ADD (254,0) 0:0 0600
# dm reload temporary-cryptsetup-2644  OF   [16384]
device-mapper: reload ioctl failed: Invalid argument
# dm remove temporary-cryptsetup-2644  OF   [16384]
# temporary-cryptsetup-2644: Stacking NODE_DEL (replaces other stacked ops)
Failed to setup dm-crypt key mapping for device /dev/sda8.
Check that kernel supports aes-xts-essiv cipher (check syslog for more info).
# Releasing crypt device /dev/sda8 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 5: Failed to setup dm-crypt key mapping for device /dev/sda8.
Check that kernel supports aes-xts-essiv cipher (check syslog for more info).

Using the latest cryptsetup version. All crypto related stuff is compiled as modules for the kernel.
Comment 3 Mathias Weigt 2010-06-16 08:29:11 UTC
the same here with cryptsetup-1.0.6-r2 and aes-xts-plain or twofish-xts-plain
Kernel: 2.6.32-r7 and all crypt-stuff as modules...
Comment 4 Mathias Weigt 2010-06-16 09:42:14 UTC
Updating to cryptsetup-1.1.1 helped. aes-xts-plain is working now.