Re: [PATCH v2 0/7] dm-integrity: asynchronous hash support

[Ingo Franzki <ifranzki@linux.ibm.com>]

On 18.09.2025 17:00, Harald Freudenberger wrote:
> On 2025-09-11 17:58, Mikulas Patocka wrote:
>> On Thu, 11 Sep 2025, Ingo Franzki wrote:
>>
>>> >> So, it looks like a dm-crypt bug.
>>> >>
>>> >> Please, revert my patches and run the same test on a clean 6.17.0-rc5 just
>>> >> to verify that the patches do not introduce the bug.
>>> >
>>> > With your patches reverted the combined mode fails the same way as with your patches.
>>> > So they did not introduce the bug.
>>>
>>> Mikulas, do you have any idea what could be causing this errors?
>>> Is it that dm-crypt is not properly dealing with async-only HMAC ciphers?
>>> Async-only encryption ciphers seem to work fine in dm-crypt, since LUKS with PAES (but no integrity) works fine, and PAES is an async-onky cipher.
>>> LUKS with sync-HMAC ciphers (e.g. clear key HMAC) also works fine, even in combination with PAES.
>>
>> Yes, I think that it's a problem with async HMAC. The bug is probably
>> either in dm-crypt or in the crypto library.
>>
>> Do you have some other (non-dm-crypt-related) workload that uses the
>> async authentication, so that we can determine whether the bug is in
>> dm-crypt or crypto?
>>
>> Otherwise, would it be possible to give us a virtual machine on the
>> mainframe to debug this issue?
>>
>> Mikulas
> 
> So here is now an out-of-tree kernel module build which offers a pseudo phmac-sha256
> for testing and debugging purpose. In the end this is just a asynch (ahash) wrapper
> around the hmac-sha256 shash crypto subsystem implementation. It should compile and
> be usable on all platforms (s390, x64, arm, ...).
> 
> I ran dm-integrity tests with this and all worked fine. Ingo ran dm-crypt tests
> where he combined aes-cbc encryption with phmac-sha256 integrity and saw hangs
> on cryptsetup open. He also reported that these issues are different to what he
> saw with the 'real' phmac in combination with aes encryption. A short glimpse gives
> me the impression that there is a job blocking the system's workqueue. However, I
> could not find any indication that the pseudo phmac is not working properly.

Here is what I did (after insmod'ing the pseudo phmac cipher).
I did this on a s390x system, but it should behave the same on x86.

# cryptsetup luksFormat --type luks2 --integrity phmac-sha256 --integrity-key-size 256  /dev/loop0
# cryptsetup luksOpen /dev/loop0 int-loop

Note: To use the above cryptsetup commands with phmac you might need the code from this cryptsetup PR, otherwise it won't accept phmac as integrity algorithm: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/693

The luksOpen step hangs forever and the following messages are shown in syslog after a while:

Sep 19 02:43:29 fedora systemd-udevd[500]: dm-1: Worker [2720] processing SEQNUM=1272 is taking a long time
Sep 19 02:45:29 fedora systemd-udevd[500]: dm-1: Worker [2720] processing SEQNUM=1272 killed

Still the luksOpen keeps hanging, and a lot of kworkers are hanging around as well: 

# ps -ef
...
root        2679    1987  2 02:42 pts/0    00:00:04 cryptsetup luksOpen /dev/loop0 int-loop
root        2712       2  0 02:42 ?        00:00:00 [kworker/R-kdmflush/251:0]
root        2713       2  0 02:42 ?        00:00:00 [kworker/R-dm-integrity-metadata]
root        2714       2  0 02:42 ?        00:00:00 [kworker/R-dm-integrity-wait]
root        2715       2  0 02:42 ?        00:00:00 [kworker/R-dm-integrity-offload]
root        2716       2  0 02:42 ?        00:00:00 [kworker/R-dm-integrity-commit]
root        2717       2  0 02:42 ?        00:00:00 [kworker/R-dm-integrity-writer]
root        2718     500  0 02:42 ?        00:00:00 (udev-worker)
root        2719     500  0 02:42 ?        00:00:00 (udev-worker)
root        2720     500  0 02:42 ?        00:00:00 [(udev-worker)]
root        2726       2  0 02:42 ?        00:00:00 [kworker/R-kdmflush/251:1]
root        2727       2  0 02:42 ?        00:00:00 [kworker/R-kcryptd_io-251:1-1]
root        2728       2  0 02:42 ?        00:00:00 [kworker/R-kcryptd-251:1-1]
root        2729       2  0 02:42 ?        00:00:00 [dmcrypt_write/251:1]
...

# dmsetup table
int-loop: 0 351128 crypt capi:authenc(phmac(sha256),xts(aes))-plain64 :96:logon:cryptsetup:239c87ad-8c23-4cdb-943f-947737e9cf5c-d0 0 251:0 0 2 integrity:32:aead integrity_key_size:32
int-loop_dif: 0 351128 integrity 7:0 32768 32 J 6 interleave_sectors:32768 buffer_sectors:128 journal_sectors:3168 journal_watermark:50 commit_time:10000 fix_padding

# lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0            7:0    0   200M  0 loop
└─int-loop_dif 251:0    0 171.4M  0 crypt


> 
> For instructions on how to build and use the module see the README in the tgz archive.
> 
> Thanks to all
> Harald Freudenberger
> 
> 


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/