Bug 785036 - ecryptfs-utils can't find renamed blowfish kernel modules in >= 3.2
Summary: ecryptfs-utils can't find renamed blowfish kernel modules in >= 3.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ecryptfs-utils
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-27 03:10 UTC by Ling Li
Modified: 2012-03-09 04:54 UTC (History)
7 users (show)

Fixed In Version: ecryptfs-utils-96-1.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-08 21:24:17 UTC
Type: ---


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 922821 0 None None None Never

Description Ling Li 2012-01-27 03:10:09 UTC
ecryptfs doesn't provide blowfish as one of the cipher options.  Rebooting into an old kernel (e.g., 3.1.9) solves the problem.  Does this mean the blowfish encryption module is removed from the kernel 3.2.1?

Comment 1 Josh Boyer 2012-01-27 16:58:31 UTC
There are now two kinds of blowfish drivers in the 3.2 kernel.  blowfish_generic is the previously existing one renamed, and there is an assembly version for x86_64 as well.

Can you paste the errors you are seeing, and the dmesg of your working mount from the previous kernel?

Comment 2 Ling Li 2012-01-27 17:14:48 UTC
Here's what I did/saw with the 3.2 kernel:

# ecryptfs-add-passphrase --fnek
Passphrase: 
Inserted auth tok with sig [4c0c36bbcda400d6] into the user session keyring
Inserted auth tok with sig [d697d8aafc7fde3d] into the user session keyring

# mount encrypted encrypted -t ecryptfs
Select key type to use for newly created files: 
 1) passphrase
 2) openssl
 3) tspi
 4) pkcs11-helper
Selection: 1
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)

There's no "blowfish" option.  Passing "-o ecryptfs_cipher=blowfish" in the mount command leads to some bad option error.


With kernel 3.1.9, the only dmesg of mounting the ecryptfs is this line:

[23314.085489] SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts

There are no new messages in /var/log/messages from the mounting.

Thanks.

Comment 3 Josh Boyer 2012-01-27 20:06:28 UTC
If you run 'sudo modprobe blowfish' before you mount the filesystem, the blowfish option will be presented.

I'll look at why this isn't done automatically as with previous kernels.

Comment 4 Ling Li 2012-01-27 20:16:47 UTC
You are right.  It shows up.  (I remember I did that once but somehow it didn't find blowfish;  I must have used a wrong cmd.)

Comment 5 Josh Boyer 2012-01-27 20:49:02 UTC
This seems to be a bug in ecryptfs-utils.  

During init, ecryptfs-utils will look at /proc/crypto to gather the already loaded ciphers.  Some of the aes modules are built into the kernel, so those are already picked up from there, however the blowfish cipher isn't built in or auto-loaded by anything in either kernel version.

It's next form of cipher discovery has a map of ciphers and kernel module names in src/libecryptfs/cipher_list.c that contains (among others):

        {"blowfish", "blowfish.ko", 16, 16, 56, 2, 1},

and during init it will loop over this map and look for modules in /lib/modules/`uname -r`/kernel/crypto and see if those .ko files exist.  If they do, it presents the cipher name as available.  If the .ko doesn't exist in that directory, it doesn't present that cipher as an option.

With the 3.1.x series of kernels, blowfish.ko is present so it's available.  With the renames/additions mentioned in comment #1, that specific .ko name isn't present so the cipher isn't available.

Ideally, ecryptfs would be looking at modaliases instead of actual file names, because the 3.2 (and future) kernels still maintain the 'blowfish' modalias on blowfish_generic.ko.  The newly added optimized blowfish-x86_64.ko has the same alias as well.  That whole list of module names seems fairly stale at this point and should probably either be updated or removed.

I'm reassigning this to ecryptfs-utils for now.  The workaround is to modprobe the cipher you want if it isn't already listed before trying to mount an ecryptfs filesystem.  Until ecryptfs-utils is updated, any system with a 3.2 or newer kernel will have this issue, so that will shortly include all 3 Fedora releases.

Comment 6 Michal Hlavinka 2012-02-09 17:09:25 UTC
I've checked /lib/modules/`uname -r`/modules.alias and it seems it's not usable. It contains only modules with aliases like "alias blowfish blowfish_generic" but modules with no aliases are not there, so we still have to check them somehow. So, in the end, I've just added missing blowfish and twofish module names.

Comment 7 Fedora Update System 2012-02-14 13:10:02 UTC
ecryptfs-utils-95-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc15

Comment 8 Fedora Update System 2012-02-14 13:10:15 UTC
ecryptfs-utils-95-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-95-2.fc16

Comment 9 Fedora Update System 2012-02-15 11:30:31 UTC
Package ecryptfs-utils-95-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ecryptfs-utils-95-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1674/ecryptfs-utils-95-2.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-02-21 11:20:22 UTC
ecryptfs-utils-96-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc16

Comment 11 Fedora Update System 2012-02-21 11:20:32 UTC
ecryptfs-utils-96-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc15

Comment 12 Fedora Update System 2012-02-21 11:20:41 UTC
ecryptfs-utils-96-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ecryptfs-utils-96-1.fc17

Comment 13 Fedora Update System 2012-03-08 21:24:17 UTC
ecryptfs-utils-96-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-03-08 21:27:52 UTC
ecryptfs-utils-96-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2012-03-09 04:54:50 UTC
ecryptfs-utils-96-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.