Bug 2108404

Summary: [RHEL9] cryptsetup resize failed with cipher capi:cbc(aes)-essiv:sha3-256
Product: Red Hat Enterprise Linux 9
Reporter: guazhang <guazhang>
Component: cryptsetup
Assignee: Ondrej Kozina <okozina>
Status: CLOSED ERRATA
QA Contact: guazhang <guazhang>
Severity: medium
Priority: high
Version: 9.1
CC: agk, dkeefe, jbrassow, msnitzer, okozina, prajnoha
Target Milestone: rc
Keywords: Triaged
Target Release: 9.2
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cryptsetup-2.6.0-1.el9
Last Closed: 2023-05-09 08:23:06 UTC
Type: Bug
Target Upstream Version: cryptsetup-2.6.0
Bug Blocks: 2110810

Description guazhang@redhat.com 2022-07-19 02:20:05 UTC
Description of problem:
Resizing a crypt device fails if the cipher capi:cbc(aes)-essiv:sha3-256 is used; please have a look to see whether this is a bug.

Version-Release number of selected component (if applicable):
5.14.0-124.el9.x86_64
cryptsetup-2.4.3-4.el9.x86_64

How reproducible:
always

Steps to Reproduce:
# echo passwdpasswd | cryptsetup --cipher 'capi:cbc(aes)-essiv:sha3-256' --type 'luks2'   luksFormat /dev/loop0   -q
# echo passwdpasswd | cryptsetup --type 'luks2'  open /dev/loop0 bBoD  -q
# echo 'passwdpasswd' | cryptsetup -q  resize bBoD  --size 819200
Mismatching parameters on device bBoD.



Actual results:


Expected results:


Additional info:

[root@storageqe-69 ~]# echo 'passwdpasswd' | cryptsetup -q  resize bBoD  --size 819200 --debug
# cryptsetup 2.5.0-rc1 processing "cryptsetup -q resize bBoD --size 819200 --debug"
# Verifying parameters for command resize.
# Running command resize.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device context by device bBoD.
# Initialising device-mapper backend library.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.46.0.
# Detected dm-zero version 1.1.0.
# Detected dm-verity version 1.8.0.
# Detected dm-crypt version 1.24.0.
# Detected dm-integrity version 1.10.0.
# Device-mapper backend running with UDEV support enabled.
# dm status bBoD  [ opencount noflush ]   [16384] (*1)
# Releasing device-mapper backend.
# Trying to open and read device /dev/loop0 with direct-io.
# Allocating context for crypt device /dev/loop0.
# Trying to open and read device /dev/loop0 with direct-io.
# Initialising device-mapper backend library.
# dm table bBoD  [ opencount flush securedata ]   [16384] (*1)
# Trying to open and read device /dev/loop0 with direct-io.
# dm deps bBoD  [ opencount flush ]   [16384] (*1)
# Crypto backend (OpenSSL 3.0.1 14 Dec 2021 [default][legacy]) initialized in cryptsetup library version 2.5.0-rc1.
# Detected kernel Linux 5.14.0-124.el9.x86_64 x86_64.
# Reloading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/loop0.
# Opening lock resource file /run/cryptsetup/L_7:0
# Verifying lock handle for /dev/loop0.
# Device /dev/loop0 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/loop0
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:f2a63cd3ec0497c9b601c14fad86e9b7cb4f84f04d211b575e7197b01aee547d (on-disk)
# Checksum:f2a63cd3ec0497c9b601c14fad86e9b7cb4f84f04d211b575e7197b01aee547d (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/loop0
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:5ef869644ee6a9a49a3cf100a13fe52fe7aafaca12bb4c01db556b6787356912 (on-disk)
# Checksum:5ef869644ee6a9a49a3cf100a13fe52fe7aafaca12bb4c01db556b6787356912 (in-memory)
# Device size 10737418240, offset 16777216.
# Device /dev/loop0 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# dm table bBoD  [ opencount flush securedata ]   [16384] (*1)
# Trying to open and read device /dev/loop0 with direct-io.
# Checking volume passphrase using token (any type) -1.
No usable token is available.
# STDIN descriptor passphrase entry requested.
# Checking volume passphrase [keyslot -1] using passphrase.
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Running keyslot key derivation.
# Reading keyslot area [0x8000].
# Acquiring read lock for device /dev/loop0.
# Opening lock resource file /run/cryptsetup/L_7:0
# Verifying lock handle for /dev/loop0.
# Device /dev/loop0 READ lock taken.
# Reusing open ro fd on device /dev/loop0
# Device /dev/loop0 READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (32 bytes, type logon) in thread keyring.
Key slot 0 unlocked.
# Resizing device bBoD to 819200 sectors.
# dm table bBoD  [ opencount flush securedata ]   [16384] (*1)
# Trying to resize underlying loop device /dev/loop0.
# Calculated device size is 819200 sectors (RW), offset 32768.
# dm table bBoD  [ opencount flush securedata ]   [16384] (*1)
# Trying to open and read device /dev/loop0 with direct-io.
# Cipher specs do not match.
Mismatching parameters on device bBoD.
# Releasing crypt device /dev/loop0 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/loop0.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).
[root@storageqe-69 ~]#

Comment 1 Ondrej Kozina 2022-07-25 09:11:11 UTC
> (...)
> # Cipher specs do not match.
> Mismatching parameters on device bBoD.
> (...)

Yup, there's a bug in the compare function that is supposed to check if the resized device matches the metadata device. It's unable to correctly compare a cipher specification passed in capi format.
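
An added example, not cryptsetup's code and not the actual fix: a comparison that treats the dm-crypt capi notation and the classic cipher-mode-iv notation of one cipher as equal, which is what the check described in Comment 1 has to get right. The function names normalize_spec and cipher_specs_match are hypothetical, and nested capi templates such as authenc(...) are deliberately left unnormalized.

```c
#include <stdio.h>
#include <string.h>

/* Normalize a dm-crypt cipher spec to "cipher-mode-iv[:ivopts]".
 * "capi:cbc(aes)-essiv:sha3-256" -> "aes-cbc-essiv:sha3-256".
 * Returns 0 on success, -1 if the spec cannot be normalized
 * (nested templates such as authenc(...) are out of scope here). */
static int normalize_spec(const char *spec, char *out, size_t outlen)
{
    const char *open, *close, *p;
    int n;
    if (strncmp(spec, "capi:", 5) != 0) {          /* already classic form */
        n = snprintf(out, outlen, "%s", spec);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    spec += 5;
    open = strchr(spec, '(');
    close = open ? strchr(open, ')') : NULL;
    if (!open || !close || open == spec || close == open + 1)
        return -1;                                  /* missing mode or cipher */
    for (p = open + 1; p < close; p++)
        if (*p == '(' || *p == ',')
            return -1;                              /* nested template */
    if (close[1] != '-' || close[2] == '\0')
        return -1;                                  /* IV part is required */
    n = snprintf(out, outlen, "%.*s-%.*s-%s",
                 (int)(close - open - 1), open + 1, /* cipher: aes */
                 (int)(open - spec), spec,          /* mode:   cbc */
                 close + 2);                        /* iv:     essiv:sha3-256 */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if both specs describe the same cipher, 0 if not. Falls back to an exact
 * string comparison when either side cannot be normalized. */
static int cipher_specs_match(const char *a, const char *b)
{
    char na[128], nb[128];
    if (normalize_spec(a, na, sizeof(na)) || normalize_spec(b, nb, sizeof(nb)))
        return strcmp(a, b) == 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    /* Constructed inputs: the cipher from this report in both notations. */
    const char *capi = "capi:cbc(aes)-essiv:sha3-256";
    printf("%d\n", cipher_specs_match(capi, "aes-cbc-essiv:sha3-256"));
    return 0;
}
```

A plain string comparison of the two notations reports a mismatch even though both name the same cipher, mode and IV generator.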

Comment 7 guazhang@redhat.com 2022-12-01 00:45:39 UTC
Hi

cryptsetup-2.6.0-1.el9.x86_64

[root@intel-chiefriver-02 host]#  echo passwdpasswd | cryptsetup --cipher 'capi:cbc(aes)-essiv:sha3-256' --type 'luks2'   luksFormat /dev/loop0   -q --pbkdf-force-iterations 1000000 
[root@intel-chiefriver-02 host]# echo passwdpasswd | cryptsetup --type 'luks2'  open /dev/loop0 bBoD  -q
[root@intel-chiefriver-02 host]# lsblk
NAME                                MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0                                 7:0    0     2G  0 loop  
└─bBoD                              253:3    0     2G  0 crypt 
loop1                                 7:1    0     3G  0 loop  
sda                                   8:0    0 149.1G  0 disk  
├─sda1                                8:1    0     1G  0 part  /boot
└─sda2                                8:2    0   148G  0 part  
  ├─rhel_intel--chiefriver--02-root 253:0    0    70G  0 lvm   /
  ├─rhel_intel--chiefriver--02-swap 253:1    0   7.8G  0 lvm   [SWAP]
  └─rhel_intel--chiefriver--02-home 253:2    0  70.2G  0 lvm   /home
sr0                                  11:0    1  1024M  0 rom   
[root@intel-chiefriver-02 host]# echo 'passwdpasswd' | cryptsetup -q  resize bBoD  --size 819200
[root@intel-chiefriver-02 host]# lsblk
NAME                                MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0                                 7:0    0     2G  0 loop  
└─bBoD                              253:3    0   400M  0 crypt 
loop1                                 7:1    0     3G  0 loop  
sda                                   8:0    0 149.1G  0 disk  
├─sda1                                8:1    0     1G  0 part  /boot
└─sda2                                8:2    0   148G  0 part  
  ├─rhel_intel--chiefriver--02-root 253:0    0    70G  0 lvm   /
  ├─rhel_intel--chiefriver--02-swap 253:1    0   7.8G  0 lvm   [SWAP]
  └─rhel_intel--chiefriver--02-home 253:2    0  70.2G  0 lvm   /home
sr0                                  11:0    1  1024M  0 rom   
[root@intel-chiefriver-02 host]# 

The fixed package passes the test.

Comment 11 errata-xmlrpc 2023-05-09 08:23:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2534