[pkg-cryptsetup-devel] Bug#948593: Unable to open LUKS device (error allocating crypto tfm) for aes / cbc-essiv:sha256 sha1 LUKS header

Guilhem Moulin guilhem at debian.org
Tue Jan 14 01:31:45 GMT 2020


Control: retitle -1 cryptsetup-initramfs: Can't open aes-cbc-essiv:sha256 dm-crypt targets with a 5.4 kernel and an initramfs built with MODULES=dep
Control: found -1 2:1.6.6-5
Control: tag -1 pending

Hi,

On Mon, 13 Jan 2020 at 08:47:43 +0100, Didier 'OdyX' Raboud wrote:
>> Devices formatted since 2:1.6.1-1 (June 2013) use XTS by default and
>> AFAICT aren't affected.  For other devices and when the initramfs is built
>> with MODULES!="most" I guess we should change populate_CRYPTO_MODULES() so
>> the ivmode is appended too, not only cipher+chainmode+ivopts.
> 
> https://sources.debian.org/src/cryptsetup/2:2.2.2-1/debian/initramfs/hooks/cryptroot/?hl=318#L318
> 
> That'd be useful yes!

This should fix it: https://salsa.debian.org/cryptsetup-team/cryptsetup/commit/6b75e4bda81ec63f42c46368e7b078c827ef0aad .
AFAICT all versions of the initramfs hook are affected since 2006 (but
only on 5.4 kernels and for initramfs images built with MODULES=dep).

Kernel modules named after the IV generator are now added to the
initramfs image when found under /kernel/crypto/.  If there are no
matching modules (for instance with aes-cbc-essiv:sha256 on older
kernels, or with aes-xts-plain64 on any kernel) the initramfs image
should be identical.

Cheers,
-- 
Guilhem.
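
The lookup discussed in this message, as an added example that is neither part of the original e-mail nor the cryptsetup hook's code: it splits a dm-crypt cipher spec into cipher, chainmode, ivmode and ivopts, then reports which of those names have a module file under `kernel/crypto` in a given module tree. The function names `parse_cipher_spec` and `check_modules` are hypothetical, and matching on the exact file name `NAME.ko` (optionally compressed) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the Debian initramfs hook's code.

# Split "cipher-chainmode-ivmode:ivopts" into four space-separated fields;
# a missing field is printed as "-".
parse_cipher_spec() {
    spec=$1
    cipher=${spec%%-*}
    rest=${spec#"$cipher"}; rest=${rest#-}
    chainmode=${rest%%-*}
    iv=${rest#"$chainmode"}; iv=${iv#-}
    ivmode=${iv%%:*}
    case $iv in
        *:*) ivopts=${iv#*:} ;;
        *)   ivopts= ;;
    esac
    printf '%s %s %s %s\n' "${cipher:--}" "${chainmode:--}" \
        "${ivmode:--}" "${ivopts:--}"
}

# check_modules MODDIR SPEC
# MODDIR is a module tree such as /lib/modules/<version>, or the same
# directory inside an unpacked initramfs. Prints "NAME present|absent" for
# each field of SPEC. Assumption: only MODDIR/kernel/crypto/NAME.ko and
# NAME.ko.<suffix> are considered; built-in code and differently named
# modules are not detected.
check_modules() {
    moddir=$1
    for name in $(parse_cipher_spec "$2"); do
        case $name in -) continue ;; esac
        state=absent
        for f in "$moddir/kernel/crypto/$name.ko" \
                 "$moddir/kernel/crypto/$name.ko".*; do
            if [ -e "$f" ]; then state=present; fi
        done
        printf '%s %s\n' "$name" "$state"
    done
}

# Usage: sh check.sh MODDIR SPEC
if [ "$#" -ge 2 ]; then
    check_modules "$1" "$2"
fi
```

Run against the module directory of an unpacked initramfs with the spec `aes-cbc-essiv:sha256`, the `essiv` line shows whether a module named after the IV generator made it into the image.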