DM-Crypt Archive on lore.kernel.org
* [dm-crypt] unknown version
@ 2016-04-22 12:01 Julien Lepiller
  2016-04-23  8:45 ` Milan Broz
  0 siblings, 1 reply; 5+ messages in thread
From: Julien Lepiller @ 2016-04-22 12:01 UTC
  To: dm-crypt

Hello,

I am trying to use cryptsetup with a disk that has been encrypted some
time ago. I'm using Linux From Scratch, and built cryptsetup myself.
What I see when I run luksOpen is the following (all commands are run
as root):

# cryptsetup 1.7.1 processing "cryptsetup --debug luksOpen /dev/sda1 hdd"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda1 context.
# Trying to open and read device /dev/sda1 with direct-io.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /dev/sda1.
# Crypto backend (gcrypt 1.7.0) initialized in cryptsetup library version 1.7.1.
# Detected kernel Linux 4.4.6 x86_64.
# Reading LUKS header of size 1024 from device /dev/sda1
# Key length 32, device size 1953521664 sectors, header size 2050 sectors.
# Timeout set to 0 miliseconds.
# Password retry count set to 3.
# Password verification disabled.
# Iteration time set to 2000 miliseconds.
# Activating volume hdd [keyslot -1] using [none] passphrase.
# dm version   OF   [16384] (*1)
# device-mapper: version ioctl on  failed: Permission denied
# Incompatible libdevmapper (unknown version) and kernel driver (unknown version).
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
# Releasing crypt device /dev/sda1 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code 22: Invalid argument

dm_mod has been built in the kernel:

dmsetup targets
log-writes       v1.0.0
thin-pool        v1.16.0
thin             v1.16.0
raid             v1.7.0
zero             v1.1.0
mirror           v1.14.0
snapshot-merge   v1.4.0
snapshot-origin  v1.9.0
snapshot         v1.15.0
multipath        v1.10.0
crypt            v1.14.1
striped          v1.5.1
linear           v1.2.1
error            v1.3.0

and 
crw------- 1 root root 10, 236 Apr 22 08:21 /dev/mapper/control

I tried cryptsetup luksDump /dev/sda1:
LUKS header information for /dev/sda1

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha1
Payload offset:	4096
MK bits:       	256
MK digest:     	d7 cf af d6 18 9b 0a 69 1c b0 94 68 7f e7 47 75 a4 07 48 1d
MK salt:       	2f e0 a4 56 ff 3e 7a e6 c0 80 4a 5e 74 ee a8 be
               	89 11 d7 ca 94 82 2d cf 6f f7 60 70 91 d3 14 67
MK iterations: 	34500
UUID:          	972b1f20-e15d-4e40-8914-9f10b689bbdc

Key Slot 0: ENABLED
	Iterations:         	138251
	Salt:               	db 73 e2 21 04 a7 03 28 88 4d 7e ec be cb fa ed
	                      	d7 3f 6e 44 d0 9d 92 4f 35 b0 91 e4 c8 f7 0b 46
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

libdevmapper is (I think) provided by the lvm2 package, version
1.02.149.

So the question is: how can I make this work, and what else should I
provide to you so you can help me?

Thank you for any help you could provide.


* Re: [dm-crypt] unknown version
  2016-04-22 12:01 [dm-crypt] unknown version Julien Lepiller
@ 2016-04-23  8:45 ` Milan Broz
  2016-04-23 13:17   ` Julien Lepiller
  0 siblings, 1 reply; 5+ messages in thread
From: Milan Broz @ 2016-04-23  8:45 UTC
  To: Julien Lepiller, dm-crypt

On 04/22/2016 02:01 PM, Julien Lepiller wrote:
> Hello,
> 
> I am trying to use cryptsetup with a disk that has been encrypted some
> time ago. I'm using Linux From Scratch, and built cryptsetup myself.
> What I see when I run luksOpen is the following (all commands are run
> as root) :
> 
> # cryptsetup 1.7.1 processing "cryptsetup --debug luksOpen /dev/sda1
> hdd"
...
> # Activating volume hdd [keyslot -1] using [none] passphrase.
> # dm version   OF   [16384] (*1)
> # device-mapper: version ioctl on  failed: Permission denied

This looks like you cannot access something (/dev/mapper/control?)
and then it just fails because of this initial failure.

Do you have SELinux switched on?

What is output of "dmsetup version" - does it work?

Milan


* Re: [dm-crypt] unknown version
  2016-04-23  8:45 ` Milan Broz
@ 2016-04-23 13:17   ` Julien Lepiller
  2016-04-23 16:51     ` Milan Broz
  0 siblings, 1 reply; 5+ messages in thread
From: Julien Lepiller @ 2016-04-23 13:17 UTC
  To: dm-crypt

On Sat, 23 Apr 2016 10:45:52 +0200
Milan Broz <gmazyland@gmail.com> wrote:

> On 04/22/2016 02:01 PM, Julien Lepiller wrote:
> > Hello,
> > 
> > I am trying to use cryptsetup with a disk that has been encrypted
> > some time ago. I'm using Linux From Scratch, and built cryptsetup
> > myself. What I see when I run luksOpen is the following (all
> > commands are run as root) :
> > 
> > # cryptsetup 1.7.1 processing "cryptsetup --debug luksOpen /dev/sda1
> > hdd"  
> ...
> > # Activating volume hdd [keyslot -1] using [none] passphrase.
> > # dm version   OF   [16384] (*1)
> > # device-mapper: version ioctl on  failed: Permission denied  
> 
> This looks like you cannot access something (/dev/mapper/control?)
> and then it just fails because of this initial failure.
> 
> Do you have SELinux switched on?
> 
> What is output of "dmsetup version" - does it work?
> 
> Milan

Thank you for your answer, the output of the command is:

Library version:   1.02.121 (2016-04-01)
Driver version:    4.34.0

SELinux is switched off (I tried to use it, so I have the libraries,
but it just does not work at all), and there is nothing in journald.


* Re: [dm-crypt] unknown version
  2016-04-23 13:17   ` Julien Lepiller
@ 2016-04-23 16:51     ` Milan Broz
  2016-04-23 19:22       ` Julien Lepiller
  0 siblings, 1 reply; 5+ messages in thread
From: Milan Broz @ 2016-04-23 16:51 UTC
  To: Julien Lepiller, dm-crypt

On 04/23/2016 03:17 PM, Julien Lepiller wrote:
> On Sat, 23 Apr 2016 10:45:52 +0200
> Milan Broz <gmazyland@gmail.com> wrote:
> 
>> On 04/22/2016 02:01 PM, Julien Lepiller wrote:
>>> Hello,
>>>
>>> I am trying to use cryptsetup with a disk that has been encrypted
>>> some time ago. I'm using Linux From Scratch, and built cryptsetup
>>> myself. What I see when I run luksOpen is the following (all
>>> commands are run as root) :
>>>
>>> # cryptsetup 1.7.1 processing "cryptsetup --debug luksOpen /dev/sda1
>>> hdd"  
>> ...
>>> # Activating volume hdd [keyslot -1] using [none] passphrase.
>>> # dm version   OF   [16384] (*1)
>>> # device-mapper: version ioctl on  failed: Permission denied  
>>
>> This looks like you cannot access something (/dev/mapper/control?)
>> and then it just fails because of this initial failure.
>>
>> Do you have SELinux switched on?
>>
>> What is output of "dmsetup version" - does it work?
>>
>> Milan
> 
> Thank you for your answer, the output of the command is:
> 
> Library version:   1.02.121 (2016-04-01)
> Driver version:    4.34.0
> 
> SELinux is switched off (I tried to use it, so I have the libraries,
> but it just does not work at all), and there is nothing in journald.

Ok, so device mapper works.

So if it is not SELinux, something is preventing ioctl to run.
(The error is internal libdevmapper error.)

Do you compile libgcrypt yourself with POSIX capabilities enabled?

If so, gcrypt drops privileges for the whole calling process...
see comment in lib/crypto_backend/crypto_gcrypt.c:

/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
 * it drops all privileges during secure memory initialisation.
 * For now, the only workaround is to disable secure memory in gcrypt.
 * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
 * and it locks its memory space anyway.
 */
#if 0


If it is your case, please do not use capabilities in gcrypt or
try to change define above in cryptsetup source as a workaround and recompile it.

Thanks,
Milan
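
Added example, not part of the thread and not cryptsetup or libgcrypt code: a small C check for the state described in the message above, a process that is still uid 0 but no longer holds cap_sys_admin. It assumes the privilege drop is visible as a cleared CAP_SYS_ADMIN bit (bit 21) in the CapEff line of /proc/<pid>/status; field() and root_without_sys_admin() are names made up for this example.

```c
/* Added example (not cryptsetup or libgcrypt code). */
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Return a pointer just past "key" when it begins a line of text, else NULL. */
static const char *field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    while (text && *text) {
        if (strncmp(text, key, klen) == 0)
            return text + klen;
        text = strchr(text, '\n');
        if (text)
            text++;
    }
    return NULL;
}

/* 1: effective uid 0 but CAP_SYS_ADMIN absent from CapEff (assumed to be the
 *    state in which the dm version ioctl is refused);
 * 0: any other state; -1: Uid or CapEff line missing or unparsable. */
int root_without_sys_admin(const char *status)
{
    const char *uid = field(status, "Uid:");
    const char *cap = field(status, "CapEff:");
    unsigned int ruid, euid;
    unsigned long long eff;

    if (!uid || !cap || sscanf(uid, "%u %u", &ruid, &euid) != 2 ||
        sscanf(cap, "%llx", &eff) != 1)
        return -1;
    return euid == 0 && !((eff >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

int main(int argc, char **argv)
{
    /* Optional argument: a /proc/<pid>/status path; default is this process. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/status";
    char buf[8192];
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    int r = root_without_sys_admin(buf);
    printf("%s: %s\n", path, r == 1 ? "uid 0 WITHOUT cap_sys_admin" :
           r == 0 ? "cap_sys_admin present, or not root" : "parse error");
    return r == 1;
}
```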


* Re: [dm-crypt] unknown version
  2016-04-23 16:51     ` Milan Broz
@ 2016-04-23 19:22       ` Julien Lepiller
  0 siblings, 0 replies; 5+ messages in thread
From: Julien Lepiller @ 2016-04-23 19:22 UTC
  To: dm-crypt

On Sat, 23 Apr 2016 18:51:52 +0200
Milan Broz <gmazyland@gmail.com> wrote:

> On 04/23/2016 03:17 PM, Julien Lepiller wrote:
> > On Sat, 23 Apr 2016 10:45:52 +0200
> > Milan Broz <gmazyland@gmail.com> wrote:
> >   
> >> On 04/22/2016 02:01 PM, Julien Lepiller wrote:  
> >>> Hello,
> >>>
> >>> I am trying to use cryptsetup with a disk that has been encrypted
> >>> some time ago. I'm using Linux From Scratch, and built cryptsetup
> >>> myself. What I see when I run luksOpen is the following (all
> >>> commands are run as root) :
> >>>
> >>> # cryptsetup 1.7.1 processing "cryptsetup --debug
> >>> luksOpen /dev/sda1 hdd"    
> >> ...  
> >>> # Activating volume hdd [keyslot -1] using [none] passphrase.
> >>> # dm version   OF   [16384] (*1)
> >>> # device-mapper: version ioctl on  failed: Permission denied    
> >>
> >> This looks like you cannot access something (/dev/mapper/control?)
> >> and then it just fails because of this initial failure.
> >>
> >> Do you have SELinux switched on?
> >>
> >> What is output of "dmsetup version" - does it work?
> >>
> >> Milan  
> > 
> > Thank you for your answer, the output of the command is:
> > 
> > Library version:   1.02.121 (2016-04-01)
> > Driver version:    4.34.0
> > 
> > SELinux is switched off (I tried to use it, so I have the libraries,
> > but it just does not work at all), and there is nothing in
> > journald.
> 
> Ok, so device mapper works.
> 
> So if it is not SELinux, something is preventing ioctl to run.
> (The error is internal libdevmapper error.)
> 
> Do you compile libgcrypt yourself with POSIX capabilities enabled?
> 
> If so, gcrypt drops privileges for the whole calling process...
> see comment in lib/crypto_backend/crypto_gcrypt.c:
> 
> /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
>  * it drops all privileges during secure memory initialisation.
>  * For now, the only workaround is to disable secure memory in gcrypt.
>  * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
>  * and it locks its memory space anyway.
>  */
> #if 0
> 
> 
> If it is your case, please do not use capabilities in gcrypt or
> try to change define above in cryptsetup source as a workaround and
> recompile it.
> 
> Thanks,
> Milan

I rebuilt libgcrypt without posix capabilities, and it now works. Thank
you so much for your help!
