Bug 785036

Summary: ecryptfs-utils can't find renamed blowfish kernel modules in >= 3.2
Product: [Fedora] Fedora
Component: ecryptfs-utils
Version: 16
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Ling Li <liling>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: esandeen, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mhlavink
Fixed In Version: ecryptfs-utils-96-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-03-08 21:24:17 UTC

Description Ling Li 2012-01-27 03:10:09 UTC
ecryptfs doesn't provide blowfish as one of the cipher options.  Rebooting into an old kernel (e.g., 3.1.9) solves the problem.  Does this mean the blowfish encryption module is removed from the kernel 3.2.1?

Comment 1 Josh Boyer 2012-01-27 16:58:31 UTC
There are now two kinds of blowfish drivers in the 3.2 kernel.  blowfish_generic is the previously existing one renamed, and there is an assembly version for x86_64 as well.

Can you paste the errors you are seeing, and the dmesg of your working mount from the previous kernel?

Comment 2 Ling Li 2012-01-27 17:14:48 UTC
Here's what I did/saw with the 3.2 kernel:

# ecryptfs-add-passphrase --fnek
Passphrase: 
Inserted auth tok with sig [4c0c36bbcda400d6] into the user session keyring
Inserted auth tok with sig [d697d8aafc7fde3d] into the user session keyring

# mount encrypted encrypted -t ecryptfs
Select key type to use for newly created files: 
 1) passphrase
 2) openssl
 3) tspi
 4) pkcs11-helper
Selection: 1
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)

There's no "blowfish" option.  Passing "-o ecryptfs_cipher=blowfish" in the mount command leads to some bad option error.


With kernel 3.1.9, the only dmesg of mounting the ecryptfs is this line:

[23314.085489] SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts

There are no new messages in /var/log/messages from the mounting.

Thanks.

Comment 3 Josh Boyer 2012-01-27 20:06:28 UTC
If you run 'sudo modprobe blowfish' before you mount the filesystem, the blowfish option will be presented.

I'll look at why this isn't done automatically as with previous kernels.

Comment 4 Ling Li 2012-01-27 20:16:47 UTC
You are right.  It shows up.  (I remember I did that once but somehow it didn't find blowfish;  I must have used a wrong cmd.)

Comment 5 Josh Boyer 2012-01-27 20:49:02 UTC
This seems to be a bug in ecryptfs-utils.  

During init, ecryptfs-utils will look at /proc/crypto to gather the already loaded ciphers.  Some of the aes modules are built into the kernel, so those are already picked up from there; however, the blowfish cipher isn't built in or auto-loaded by anything in either kernel version.

Its next form of cipher discovery has a map of ciphers and kernel module names in src/libecryptfs/cipher_list.c that contains (among others):

        {"blowfish", "blowfish.ko", 16, 16, 56, 2, 1},

and during init it will loop over this map and look for modules in /lib/modules/`uname -r`/kernel/crypto and see if those .ko files exist.  If they do, it presents the cipher name as available.  If the .ko doesn't exist in that directory, it doesn't present that cipher as an option.

With the 3.1.x series of kernels, blowfish.ko is present so it's available.  With the renames/additions mentioned in comment #1, that specific .ko name isn't present so the cipher isn't available.

Ideally, ecryptfs would be looking at modaliases instead of actual file names, because the 3.2 (and future) kernels still maintain the 'blowfish' modalias on blowfish_generic.ko.  The newly added optimized blowfish-x86_64.ko has the same alias as well.  That whole list of module names seems fairly stale at this point and should probably either be updated or removed.

I'm reassigning this to ecryptfs-utils for now.  The workaround is to modprobe the cipher you want if it isn't already listed before trying to mount an ecryptfs filesystem.  Until ecryptfs-utils is updated, any system with a 3.2 or newer kernel will have this issue, so that will shortly include all 3 Fedora releases.

Comment 6 Michal Hlavinka 2012-02-09 17:09:25 UTC
I've checked /lib/modules/`uname -r`/modules.alias and it seems it's not usable. It contains only modules with aliases like "alias blowfish blowfish_generic" but modules with no aliases are not there, so we still have to check them somehow. So, in the end, I've just added missing blowfish and twofish module names.
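
An added example, not code from ecryptfs-utils or from anyone in this bug: a C illustration of the lookup order discussed in comments 5 and 6, checking /proc/crypto first, then modules.alias, then a <cipher>.ko file name for modules that have no alias. The function names, the enum and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum avail { NOT_FOUND, LOADED, VIA_ALIAS, VIA_FILENAME };
/* Constructed sample inputs, not captured from a real system. */
static const char PROC_CRYPTO[] =
    "name         : aes\ndriver       : aes-generic\nmodule       : kernel\n";
static const char MODULES_ALIAS[] =
    "alias blowfish blowfish_generic\nalias blowfish blowfish_x86_64\n";
static const char *const KO_FILES[] =
    { "blowfish_generic.ko", "blowfish-x86_64.ko", "cast5.ko", NULL };

/* 1 if some line's first token is `key` and its token number `idx` is `want`. */
static int line_has(const char *text, const char *key, int idx, const char *want)
{
    char line[160], f[3][64];
    while (*text) {
        size_t n = strcspn(text, "\n");          /* length of current line */
        snprintf(line, sizeof line, "%.*s", (int)n, text);
        int got = sscanf(line, "%63s %63s %63s", f[0], f[1], f[2]);
        if (got > idx && !strcmp(f[0], key) && !strcmp(f[idx], want))
            return 1;
        text += n + (text[n] == '\n');           /* step past the newline */
    }
    return 0;
}

enum avail cipher_avail(const char *proc_crypto, const char *modules_alias,
                        const char *const *ko_files, const char *cipher)
{
    char ko[80];
    if (line_has(proc_crypto, "name", 2, cipher))
        return LOADED;           /* already registered in /proc/crypto */
    if (line_has(modules_alias, "alias", 1, cipher))
        return VIA_ALIAS;        /* "modprobe <cipher>" would resolve it */
    snprintf(ko, sizeof ko, "%s.ko", cipher);
    for (; *ko_files; ko_files++)
        if (!strcmp(*ko_files, ko))
            return VIA_FILENAME; /* no alias: fall back to <cipher>.ko */
    return NOT_FOUND;
}

int main(void)
{
    const char *names[] = { "aes", "blowfish", "cast5", "twofish" };
    for (int i = 0; i < 4; i++)
        printf("%-8s -> %d\n", names[i],
               cipher_avail(PROC_CRYPTO, MODULES_ALIAS, KO_FILES, names[i]));
}
```

Passing an empty string as the alias text reproduces the file-name-only lookup from comment 5: blowfish is then reported as not found because no blowfish.ko exists in the sample module list.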

Comment 7 Fedora Update System 2012-02-14 13:10:02 UTC
ecryptfs-utils-95-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc15

Comment 8 Fedora Update System 2012-02-14 13:10:15 UTC
ecryptfs-utils-95-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc16

Comment 9 Fedora Update System 2012-02-15 11:30:31 UTC
Package ecryptfs-utils-95-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ecryptfs-utils-95-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1674/ecryptfs-utils-95-2.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-02-21 11:20:22 UTC
ecryptfs-utils-96-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc16

Comment 11 Fedora Update System 2012-02-21 11:20:32 UTC
ecryptfs-utils-96-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc15

Comment 12 Fedora Update System 2012-02-21 11:20:41 UTC
ecryptfs-utils-96-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc17

Comment 13 Fedora Update System 2012-03-08 21:24:17 UTC
ecryptfs-utils-96-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-03-08 21:27:52 UTC
ecryptfs-utils-96-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2012-03-09 04:54:50 UTC
ecryptfs-utils-96-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.