Cryptsetup Kernel Modules

Discussion in 'Asuswrt-Merlin' started by vzhilov, May 15, 2018.

  1. vzhilov

    vzhilov Occasional Visitor

    Joined:
    May 15, 2018
    Messages:
    13
    Hello! I just got a new Asus RT-AC86U router and wanted to run disk encryption.

    I have installed losetup and cryptsetup.

    In order to compile dm-mod.ko I have forked asuswrt-merlin on my Linux Mint 18.3 (Ubuntu 16.04) machine. I have followed this manual (https://github.com/RMerl/asuswrt-merlin/wiki/Compile-Firmware-from-source-using-Ubuntu) to prepare for compilation. Then I put

    CONFIG_MD=y
    CONFIG_DM_CRYPT=m

    to

    ~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

    After that I used

    make rt-ac86u

    and the whole thing compiled just fine and as a result I got the needed dm-mod.ko module.

    However when I copied it to the router and tried

    insmod entware/home/dm-mod.ko

    I get

    insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

    While I think I compiled using the correct environment. Is there something I did wrong?
     
  3. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    438
    Location:
    Portsmouth
    When you say CONFIG_MD=y, I think it adds built-in functions to the Linux kernel.
     
  4. vzhilov

    vzhilov Occasional Visitor

    Ok, I have just tried to put CONFIG_MD=m and re-compile, I didn't get dm-mod.ko module at all.
     
  5. Fitz Mutch

    Fitz Mutch Senior Member

  6. vzhilov

    vzhilov Occasional Visitor

    Ok, I have tried all 3 options by now including CONFIG_MD=n but I only get dm-mod.ko module compiled with CONFIG_MD=y and none with other options.

    Then I have noticed that my clock is 2 days ahead so I have corrected it and re-compiled again just in case. I got a warning that maybe not everything compiled due to clock shift. Then I erased the asuswrt-merlin.ng directory and copied it again. Then I re-compiled. On insmod dm-mod.ko I still get the same error:

    [email protected]:/tmp/mnt/flash# insmod entware/home/dm-mod.ko
    insmod: can't insert 'entware/home/dm-mod.ko': unknown symbol in module, or unknown parameter

    I'm attaching the module I got just in case anyone would like to try it out on his RT-AC86 router. Just remove the txt extension.

    So I compile this module using Kernel 4.1 from repository files. The current asuswrt-merlin.ng kernel is 4.1.27 so it should work but it doesn't.
     


  7. Fitz Mutch

    Fitz Mutch Senior Member

  8. vzhilov

    vzhilov Occasional Visitor

    Yes, thank you.

    In fact I have this

    CONFIG_MD=y
    CONFIG_BLK_DEV_MD=m
    CONFIG_BLK_DEV_DM=m
    CONFIG_DM_CRYPT=m

    CONFIG_CRYPTO_XTS=m
    CONFIG_CRYPTO_SHA256=m
    in my config_base.6a file. But for some reason I get fewer modules compiled as a result than the link says.

    In kernel-4.1/drivers/md/ I get:

    dm-mod.ko
    md-mod.ko
    dm-crypt.ko

    All of them give the error except insmod md-mod.ko

    but in kernel-4.1/crypto/ I get only

    xts.ko

    and no other modules.
     
  9. vzhilov

    vzhilov Occasional Visitor

    But just to start with I need to get dm-mod.ko somehow so I can insmod it. Then we will see what pops up next :)
     
  10. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,225
    Location:
    United States
    Try using modprobe instead of insmod. modprobe handles dependencies where insmod does not.
     
  11. vzhilov

    vzhilov Occasional Visitor

    Thank you for answering this. Still no luck as I can't copy the module to /lib/modules/4.1.27/kernel on the router as the router file system is read-only:

    [email protected]:/tmp/home/root# modprobe dm_mod
    modprobe: module dm_mod not found in modules.dep
    [email protected]:/tmp/home/root# depmod
    depmod: can't open 'modules.dep': Read-only file system
     
  12. vzhilov

    vzhilov Occasional Visitor

    Oh, I get what I can do. Since I have compiled the whole thing from source, it is not necessary for me to just take a few modules out and transfer them to the router; I can just take the whole new image and burn the whole thing into the router.

    So I did that, then modprobe dm_mod worked!

    So then I did:

    dd if=/dev/zero of=./crypto.img bs=1M count=512
    losetup /dev/loop1 ./crypto.img
    cryptsetup -y --key-size 256 luksFormat /dev/loop1

    And I got the new error:

    [email protected]:/tmp/home/root# cryptsetup -y --key-size 256 luksFormat /dev
    /loop1

    WARNING!
    ========
    This will overwrite data on /dev/loop1 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
    Failed to access temporary keystore device.
    cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
    Aborted

    Am I missing any other modules that I had to compile for cryptsetup to work?
     
  13. Fitz Mutch

    Fitz Mutch Senior Member

    Try both switches "--verbose --debug", to see more information?

    Try cryptsetup-openssl package instead? If this alternate package works for you, then the problem is either libgcrypt or libgpg-error packages compiled for aarch64.

    I can see the problem here. https://github.com/Entware/entware-...gpg-error/patches/500-entware-archs.patch#L23
    Just needs to handle it properly on aarch64 platform: {"aarch64-openwrt-linux-gnu", "aarch64-unknown-linux-gnu"}

    Lastly, if cryptsetup w/libgcrypt segfaults on aarch64, I think the fix is to compile libgcrypt with --disable-arm-crypto-support. Due to a libgcrypt bug with the armv8 crypto extensions???
     
    Last edited: May 17, 2018
  14. vzhilov

    vzhilov Occasional Visitor

    Thank you very much. I think I'm close here. I didn't try cryptsetup-openssl yet but I was able to get program on cryptsetup. After the system reboot I started to get success on my commands but still with some errors.

    I made two volumes on my flash drive: sda1 and sda2. I installed Entware on sda1. And I'm trying to crypt sda2 now. So I do:

    cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2

    And I get:

    [email protected]:/tmp/home/root# cryptsetup --verbose --debug -y --key-size 2
    56 luksFormat /dev/sda2
    # cryptsetup 1.7.5 processing "cryptsetup --verbose --debug -y --key-size 256 luksFormat /dev/sda2"
    # Running command luksFormat.
    # Locking memory.
    # Installing SIGINT/SIGTERM handler.
    # Unblocking interruption on signal.

    WARNING!
    ========
    This will overwrite data on /dev/sda2 irrevocably.

    Are you sure? (Type uppercase yes): YES
    # Allocating crypt device /dev/sda2 context.
    # Trying to open and read device /dev/sda2 with direct-io.
    # Initialising device-mapper backend library.
    # Timeout set to 0 miliseconds.
    # Iteration time set to 2000 milliseconds.
    # Interactive passphrase entry requested.
    Enter passphrase:
    Verify passphrase:
    # Formatting device /dev/sda2 as type LUKS1.
    # Crypto backend (gcrypt 1.6.6) initialized in cryptsetup library version 1.7.5.
    # Detected kernel Linux 4.1.27 aarch64.
    # Topology: IO (512/0), offset = 0; Required alignment is 1048576 bytes.
    # Checking if cipher aes-xts-plain64 is usable.
    # Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
    # Using dmcrypt to access keyslot area.
    # Calculated device size is 1 sectors (RW), offset 0.
    # dm version [ opencount flush ] [16384] (*1)
    # dm versions [ opencount flush ] [16384] (*1)
    # Detected dm-crypt version 1.14.1, dm-ioctl version 4.31.0.
    # Device-mapper backend running with UDEV support disabled.
    # DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
    # dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
    # dm reload temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
    # dm resume temporary-cryptsetup-1814 [ opencount flush readonly securedata ] [16384] (*1)
    # temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
    # temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
    # temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
    # Created /dev/mapper/temporary-cryptsetup-1814
    # temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
    # temporary-cryptsetup-1814 (253:0): read ahead is 256
    # temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
    # dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
    # temporary-cryptsetup-1814: Stacking NODE_DEL
    # temporary-cryptsetup-1814: Processing NODE_DEL
    # Removed /dev/mapper/temporary-cryptsetup-1814
    # Generating LUKS header version 1 using hash sha256, aes, xts-plain64, MK 32 bytes
    # KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
    # Data offset 4096, UUID 6b470e76-6034-4c93-9df1-f4cd982deb70, digest iterations 44250
    # Updating LUKS header of size 1024 on device /dev/sda2
    # Key length 32, device size 3928568 sectors, header size 2050 sectors.
    # Reading LUKS header of size 1024 from device /dev/sda2
    # Key length 32, device size 3928568 sectors, header size 2050 sectors.
    # Adding new keyslot -1 using volume key.
    # Calculating data for key slot 0
    # KDF pbkdf2, hash sha256: 182044 iterations per second (256-bits key).
    # Key slot 0 use 355554 password iterations.
    # Using hash sha256 for AF in key slot 0, 4000 stripes
    # Updating key slot 0 [0x1000] area.
    # Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
    # Using dmcrypt to access keyslot area.
    # Calculated device size is 250 sectors (RW), offset 8.
    # DM-UUID is CRYPT-TEMP-temporary-cryptsetup-1814
    # dm create temporary-cryptsetup-1814 CRYPT-TEMP-temporary-cryptsetup-1814 [ opencount flush ] [16384] (*1)
    # dm reload temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
    # dm resume temporary-cryptsetup-1814 [ opencount flush securedata ] [16384] (*1)
    # temporary-cryptsetup-1814: Stacking NODE_ADD (253,0) 0:0 0600
    # temporary-cryptsetup-1814: Stacking NODE_READ_AHEAD 2048 (flags=1)
    # temporary-cryptsetup-1814: Processing NODE_ADD (253,0) 0:0 0600
    # Created /dev/mapper/temporary-cryptsetup-1814
    # temporary-cryptsetup-1814: Processing NODE_READ_AHEAD 2048 (flags=1)
    # temporary-cryptsetup-1814 (253:0): read ahead is 256
    # temporary-cryptsetup-1814 (253:0): Setting read ahead to 2048
    # dm remove temporary-cryptsetup-1814 [ opencount flush retryremove ] [16384] (*1)
    # temporary-cryptsetup-1814: Stacking NODE_DEL
    # temporary-cryptsetup-1814: Processing NODE_DEL
    # Removed /dev/mapper/temporary-cryptsetup-1814
    # Key slot 0 was enabled in LUKS header.
    # Updating LUKS header of size 1024 on device /dev/sda2
    # Key length 32, device size 3928568 sectors, header size 2050 sectors.
    # Reading LUKS header of size 1024 from device /dev/sda2
    # Key length 32, device size 3928568 sectors, header size 2050 sectors.
    # Releasing crypt device /dev/sda2 context.
    # Releasing device-mapper backend.
    # Unlocking memory.
    Command successful.
    cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
    Aborted

    So it said "Successful" but then gave some error. However I see that LUKS volume is created:

    [email protected]:/tmp/home/root# cryptsetup luksOpen /dev/sda2 crypted
    Enter passphrase for /dev/sda2:
    cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed.
    Aborted
    [email protected]:/tmp/home/root# ls /dev/mapper/c*
    control crypted

    While I get the same error the device-mapper is there.

    [email protected]:/tmp/home/root# mkfs.ext3 -j /dev/mapper/crypted
    mke2fs 1.42.13 (17-May-2015)
    Creating filesystem with 490559 4k blocks and 122640 inodes
    Filesystem UUID: 99a84dd4-cebd-42d4-9e96-9f294bf94dce
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (8192 blocks): done
    Writing superblocks and filesystem accounting information: done

    But here at the end I can't get it mounted:

    [email protected]:/tmp/home/root# mkdir /mnt/crypted
    [email protected]:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
    mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

    Can that constant error cryptsetup: posix-lock.c:137: get_lock_object: Assertion `!"sizeof lock obj"' failed be the cause of that?
     
  15. Fitz Mutch

    Fitz Mutch Senior Member

    That assert is happening in libgpg-error, here:
    https://dev.gnupg.org/source/libgpg...;6eb80abcde5ad776379069871e4156b28ef69712$139

    Try this:
    opkg remove cryptsetup
    opkg install cryptsetup-openssl

    There are problems with libgcrypt and libgpg-error on aarch64 platform. The cryptsetup-openssl package does not depend on libgcrypt and libgpg-error, so this may work better for you. If you want to use regular cryptsetup, you must recompile libgcrypt and libgpg-error with the fixes I mentioned above.
     
  16. vzhilov

    vzhilov Occasional Visitor

    Thank you. I did that. I don't mind using cryptsetup-openssl. This is probably the same strong encryption, right? And the parameter --key-size 256 is enough, correct? I just realised I don't put any algorithm, is any default used then?

    So per your instruction everything went well with success and no errors... but again except the last mount command:

    [email protected]:/tmp/home/root# mount /dev/mapper/crypted /mnt/crypted/
    mount: mounting /dev/mapper/crypted on /mnt/crypted/ failed: Invalid argument

    I have also tried the whole thing with /dev/loop1 (losetup) and all goes through fine but gives the same mount error.
     
  17. Fitz Mutch

    Fitz Mutch Senior Member

    Verify the kernel modules loaded?
    modprobe dm-mod
    modprobe dm-crypt
    modprobe gf128mul
    modprobe xts
    modprobe sha256_generic
     
  18. vzhilov

    vzhilov Occasional Visitor

    I don't have two: gf128mul and sha256_generic

    I do have:

    CONFIG_CRYPTO=y
    CONFIG_CRYPTO_GF128MUL=m
    CONFIG_CRYPTO_SHA256=m

    in my

    ~/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1/config_base.6a

    But I don't get those two modules after the compilation, while I get all the other needed modules
     
    Last edited: May 18, 2018
  19. dvohwinkel

    dvohwinkel Regular Contributor

    Joined:
    Feb 19, 2016
    Messages:
    131
    Can I ask why you would need an encrypted filesystem on a router? Just an educational exercise? Not that there is anything wrong with that, just curious.
     
  20. vzhilov

    vzhilov Occasional Visitor

    I want to try using it as a samba server for a small office instead of buying additional equipment just for that purpose
     
  21. Fitz Mutch

    Fitz Mutch Senior Member

    Might want to put it back, for these settings.
    CONFIG_CRYPTO_GF128MUL=y
    CONFIG_CRYPTO_SHA256=y
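
Added example, not part of the thread: when an option is built in (=y) there is no .ko file to modprobe, so a check of `/proc/crypto` shows whether the kernel actually offers the algorithms the LUKS header above uses (aes, sha256) and whether each comes from the kernel image or a module. The function names `crypto_provider` and `check_algs` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is text in /proc/crypto format.

# crypto_provider FILE NAME -> "builtin", "module:<name>" or "missing"
crypto_provider() {
    awk -v want="$2" '
        $1 == "name" { name = $3 }
        $1 == "module" && name == want && !found {
            found = 1
            p = ($3 == "kernel") ? "builtin" : "module:" $3
            print p
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# check_algs FILE NAME... -> one "NAME PROVIDER" line each; status 1 if any is missing
check_algs() {
    file=$1; shift; rc=0
    for alg in "$@"; do
        p=$(crypto_provider "$file" "$alg")
        echo "$alg $p"
        if [ "$p" = "missing" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: sha256 built into the kernel, aes provided by a module.
sample_proc_crypto() {
    cat <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash

name         : aes
driver       : aes-generic
module       : aes_generic
type         : cipher
EOF
}

# xts(aes) is a template instance and is listed only after its first use;
# gf128mul is a helper library, not an algorithm, so it is never listed.
# On the router: check_algs /proc/crypto aes sha256
```
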
     