[pkg-cryptsetup-devel] Bug#883595: Bug#883595: cryptsetup: Cannot mount encrypted root using XTS on kernel 4.10 onwards
Guilhem Moulin
guilhem at debian.org
Tue Dec 5 19:58:48 UTC 2017
Control: retitle -1 xts module should depend on ecb
Control: reassign -1 src:linux 4.10.1-1
Control: affects -1 cryptsetup
On Tue, 05 Dec 2017 at 14:16:42 +0000, Francis Russell wrote:
> Apparently from Linux 4.10 onwards, the ecb module became a dependency
> of xts[1]. I am running a custom kernel in which both XTS and ECB are
> built as modules (kernel config attached for 4.14.3). However, ECB does
> not appear in the initrd, causing the system to be unable to mount the
> encrypted root.
The issue was reported against cryptsetup's upstream BTS earlier this
year: https://gitlab.com/cryptsetup/cryptsetup/issues/319 .
> It's unclear to me how this dependency should be picked up.
The xts module needs to explicitly depend on ecb. AFAICT Milan's patch
[0] has been applied to 4.14.0-1-amd64, but modinfo(8) still doesn't
list ecb in its dependencies, so the initramfs hook file doesn't pull it
automatically.
In the meantime, a workaround is to manually add ‘ecb’ to
/etc/initramfs-tools/modules. Doesn't seem needed on systems with
AES-NI support, though; there I don't have ecb in the initrd, and
$ grep '^driver\s*:\s*xts' /proc/crypto
driver : xts-aes-aesni
while on a system without AES-NI support:
$ grep '^driver\s*:\s*xts' /proc/crypto
driver : xts(ecb(aes-asm))
--
Guilhem.
[0] https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20171205/122a0957/attachment.sig>
More information about the pkg-cryptsetup-devel
mailing list