Description of problem:
redhat 8.0 contains the kernel modules required to create aes encrypted loop devices (cryptoloop, loop, cryptoapi and cipher-aes). however, the mount and losetup binaries do not know how to address these capabilities.

Version-Release number of selected component (if applicable):
2.11r-10

How reproducible:
Every time.

Steps to Reproduce:
# this bash script illustrates the BUG.
# execute these commands in an interactive bash shell as root.
# you will see the BUG! messages reported (see below).
# on a BUG free system this script should run without any BUG!s

# decide on how big the encrypted data store should be (in K).
# 2M seems to be the smallest size that an ext3 filesystem
# can fit in.
size=$((2 * 1024))

# decide on where the encrypted data store should be.
# write random background to $crypt so that the encrypted data does
# not stand out.
# a new file in an existing filesystem
crypt=/tmp/crypt
dd if=/dev/urandom bs=1K count=$size of=$crypt 2>/dev/null
cryptremove="rm $crypt"

# make sure the cryptoloop and needed cipher modules are loaded.
# cipher-aes is bundled with redhat linux 8.0.
# as of this writing, the following (abbreviated)
# /lib/modules/$(uname -r)/modules.dep dependencies exist
# cipher-aes: cryptoapi
# cryptoloop: cryptoapi loop
modprobe cryptoloop
modprobe cipher-aes

# choose the encryption type and parameters
encryption=aes
keybits=256

# make an encrypted ext3 filesystem in $crypt
# temporarily using the first available loop device for access.
# losetup will interactively prompt for a password.
false
for loop in /dev/loop*; do
    losetup -e $encryption -k $keybits $loop $crypt && break
done
(($?)) && echo "BUG! losetup does not support this encryption"
# Password:
mke2fs -j $loop
losetup -d $loop

# choose where we want this filesystem mounted and make mount point
mount=/mnt/${crypt##*/}
mkdir -p $mount

# mount $crypt at $mount using an implicit loop device
# configured for the same encryption as above.
# mount will interactively prompt for a password
# (which must match above).
# we can determine what loop device was used by inspecting
# /proc/mounts.
# /etc/mtab (mount -l) does not have the needed information.
mount $crypt $mount \
    -o loop,encryption=$encryption,keybits=$keybits ||
    echo "BUG! mount does not support this encryption"
# Password:
loop=$(awk '$2 == "'$mount'" {print $1}' /proc/mounts)

# unmount $crypt (the redhat linux 8.0 umount works fine)
umount $crypt

# cleanup
# remove the mount point
# remove encrypted data store (the command saved in $cryptremove above)
rmdir $mount
$cryptremove

Actual results:
the following error is reported:
BUG! losetup does not support this encryption

Expected results:
no errors should have been reported

Additional info:
# here are some notes to myself regarding the problem
# and a workaround

# the redhat linux 8.0 cryptoapi support for encrypted filesystems
# is lacking.
# in particular, the /sbin/losetup and /bin/mount commands are
# inadequate.

# build adequate losetup and mount binaries from patched source
{
# normally, losetup and mount are packaged as part of util-linux
rpm -q util-linux
    util-linux-2.11r-10
# but, in the case of redhat linux 8.0, they are missing from
# util-linux
# and are instead in their own dedicated packages
rpm -ql $(rpm -qf /sbin/losetup | tee /dev/tty)
    losetup-2.11r-10
    /sbin/losetup
    /usr/share/man/man8/losetup.8.gz
rpm -ql $(rpm -qf /bin/mount | tee /dev/tty)
    mount-2.11r-10
    /bin/mount
    /bin/umount
    /sbin/swapoff
    /sbin/swapon
    /usr/share/man/man5/fstab.5.gz
    /usr/share/man/man5/nfs.5.gz
    /usr/share/man/man8/mount.8.gz
    /usr/share/man/man8/swapoff.8.gz
    /usr/share/man/man8/swapon.8.gz
    /usr/share/man/man8/umount.8.gz
# note that all of these packages share the same util-linux
# version 2.11r-10
# i believe that this version contains redhat specific
# modifications of
# public version 2.11r
p=util-linux
v=2.11r
# we can find a public util-linux package of this version
# (which includes losetup and mount)
# at http://www.kernel.org
h=http://www.kernel.org
# do you need an http proxy?
export http_proxy=proxy.ext.ray.com
# get the source under, say, /var/tmp
cd /var/tmp
rm -rf $p-$v
wget -q -O - $h/pub/linux/utils/$p/$p-$v.tar.gz | tar xzf -
# we can also get a patch to this source that will enable losetup
# and mount to use the cryptoapi modules (this is what we need).
# get this patch, apply it and build this package
wget -q -O - \
    $h/pub/linux/kernel/people/hvr/$p-patch-int/$p-$v.patch.gz |
    gzip -dc | (cd $p-$v; patch -p1; make)
# where our new losetup and mount are
bin=$p-$v/mount
# note the difference in the man pages for losetup and mount
# they both support cryptoapi.
# note also that the new mount command does not support the
# (redhat) -O option and, as such, is not suitable for use by
# /etc/rc.d/rc.sysinit!
man $bin/losetup.8
man $bin/mount.8
# install the losetup and mount commands with .crypt suffixes
# so as not to clobber originals that are still needed.
# install -bCp -oroot -groot -m0755 $bin/losetup /sbin/
# install -bCp -oroot -groot -m4755 $bin/mount /bin/
install -bCp -oroot -groot -m0755 $bin/losetup \
    /sbin/losetup.crypt
install -bCp -oroot -groot -m4755 $bin/mount \
    /bin/mount.crypt
}

# to test, make a small aes encrypted ext3 filesystem
{
# decide on how big the encrypted data store should be (in K).
# 57K seems to be the smallest size that an ext2 filesystem
# can fit in.
# 2048K seems to be the smallest size that an ext3 filesystem
# can fit in.
size=$((2 * 1024))

# decide on where the encrypted data store should be.
# write random background to $crypt so that the encrypted data
# does not stand out.
# pick a method:

# a new file in an existing filesystem
crypt=/tmp/crypt
dd if=/dev/urandom bs=1K count=$size of=$crypt 2>/dev/null
cryptremove="rm $crypt"

# an existing, unused, hard disk partition
crypt=/dev/hdb1
dd if=/dev/urandom of=$crypt 2>/dev/null
cryptremove=

# a new logical volume in an existing volume group.
# note that the size will get rounded up to the next physical
# extent boundary (4M, by default).
crypt=/dev/vg00/home2
lvcreate -L ${size}K -n ${crypt##*/} ${crypt%/*}
dd if=/dev/urandom of=$crypt 2>/dev/null
cryptremove="lvremove -f $crypt"

# look at a hex dump of the random data in $crypt
xxd $crypt

# make sure the cryptoloop and needed cipher modules are loaded.
# cipher-aes is bundled with redhat linux 8.0.
# as of this writing, the following (abbreviated)
# /lib/modules/$(uname -r)/modules.dep dependencies exist
# cipher-aes: cryptoapi
# cryptoloop: cryptoapi loop
modprobe cryptoloop
modprobe cipher-aes

# choose the encryption type and parameters
encryption=aes
keybits=256

# make an encrypted ext3 filesystem in $crypt
# temporarily using the first available loop device for access.
# losetup will interactively prompt for a password.
false
for loop in /dev/loop*; do
    losetup.crypt -e $encryption -k $keybits $loop $crypt && break
done
(($?)) && echo "no available loop device found"
# Password:
mke2fs -j $loop
losetup.crypt -d $loop

# choose where we want this filesystem mounted and make
# the mount point
mount=/mnt/${crypt##*/}
mkdir -p $mount

# mount $crypt at $mount using an implicit loop device
# configured for the same encryption as above.
# mount will interactively prompt for a password
# (which must match above).
# we can determine what loop device was used by inspecting
# /proc/mounts.
# /etc/mtab (mount -l) does not have the needed information.
mount.crypt $crypt $mount \
    -o loop,encryption=$encryption,keybits=$keybits
# Password:
loop=$(awk '$2 == "'$mount'" {print $1}' /proc/mounts)

# test
# fill the filesystem with a file of zeros
# and compare a hex dump of $crypt with a hex dump of $loop
dd if=/dev/zero of=$mount/zero
xxd $loop
xxd $crypt
rm $mount/zero

# test
# time how long it takes to fill the filesystem with a file of
# random data and read it back.
# don't time how long it takes to create the random data.
# compare this with how long it takes to do the same with a file
# in /tmp
# the numbers i see do not make sense to me (?).
# there must be something wrong with my test.
io() {
    dd if=$1 of=$2 count=$3 2>/dev/null
    dd if=$2 of=/dev/null 2>/dev/null
    sync; rm $2
}
count=$(dd if=/dev/zero of=$mount/count 2>&1 | awk -F+ 'NR==2 {print $1}')
rm $mount/count
dd if=/dev/urandom count=$count of=/tmp/urandom 2>/dev/null
sync; time io /tmp/urandom $mount/urandom $count
time io /tmp/urandom /var/tmp/urandom $count
rm /tmp/urandom

# unmount $crypt (the redhat linux 8.0 umount works fine)
umount $crypt

# cleanup
# remove the mount point
# remove encrypted data store (the command saved in $cryptremove above)
rmdir $mount
$cryptremove
}

# mount encrypted filesystem at boot time
{
# in order for this to work, we would have to replace the
# /bin/mount
# original with the one built above.
# we don't do this because the one built does not support the
# -O option
# used by /etc/rc.d/rc.sysinit
# (we don't want to change /etc/rc.d/rc.sysinit).

# ideally, this would be done by an fstab line like the following
# (expanding the shell variables with the values used above):
$crypt $mount ext3 user,loop,encryption=$encryption,keybits=$keybits 0 0
# however, this will not work because /etc/rc.d/rc.sysinit does
# not have the required kernel modules loaded when it attempts to
# mount all local filesystems.
# this problem can be fixed by putting the following lines into
# an executable /etc/rc.modules file:
modprobe cryptoloop >/dev/null 2>&1
modprobe cipher-aes >/dev/null 2>&1
# this still will not work because the mount command built above
# does not support the -O option that /etc/rc.d/rc.sysinit uses!

# instead, add the fstab line as follows
# (expanding the shell variables with the values used above):
# this mount will not be done automatically at boot time so we
# need not replace /bin/mount.
$crypt $mount ext3 noauto,user,exec,loop,encryption=$encryption,keybits=$keybits 0 0
# any user (that knows the password) may manually mount this
# filesystem
mount.crypt $mount
# if we really need for it to be mounted automatically at boot
# time we will have to write a boot time script to execute the
# above command.
}
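The zero-fill test in the report (write a file of zeros to the mounted filesystem, then eyeball xxd of $crypt against xxd of $loop) checks that the backing store does not reveal the plaintext pattern. The script below is an added example and not part of the original report or of util-linux: it turns that eyeball comparison into an automated check that counts 0x00 bytes in a backing store and flags the store when the zero-filled plaintext shows through. It runs on constructed sample files standing in for $crypt, so it needs no root, no loop device and no cryptoapi modules; the file names, the 64 KiB sample size and the 5% threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether a backing store
# still looks like random data after the loop filesystem was filled with
# zeros. Ciphertext made from an all-zero file should contain roughly one
# 0x00 byte in 256; a plaintext leak shows up as long runs of 0x00 bytes.
# The threshold is an assumption, not a property of the kernel or cryptoloop.
set -eu

ZERO_FRACTION_PERCENT=5   # flag the store if more than 5% of its bytes are 0x00

# byte_count FILE -> size of FILE in bytes (leading spaces stripped for BSD wc)
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# count_zero_bytes FILE -> number of 0x00 bytes in FILE
count_zero_bytes() {
    total=$(byte_count "$1")
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    echo $((total - nonzero))
}

# looks_encrypted FILE -> exit 0 if the zero-byte fraction is below the
# threshold (store looks like ciphertext), 1 if plaintext shows through.
# An empty store proves nothing, so it is reported as not encrypted.
looks_encrypted() {
    total=$(byte_count "$1")
    zeros=$(count_zero_bytes "$1")
    [ "$total" -gt 0 ] || return 1
    [ $((zeros * 100)) -le $((total * ZERO_FRACTION_PERCENT)) ]
}

# make_samples DIR -> constructed inputs standing in for $crypt:
#   DIR/encrypted  64 KiB of random bytes, what a correctly set up store looks like
#   DIR/leaked     64 KiB of zeros, the zero-filled plaintext written straight to disk
make_samples() {
    dd if=/dev/urandom of="$1/encrypted" bs=1024 count=64 2>/dev/null
    dd if=/dev/zero    of="$1/leaked"    bs=1024 count=64 2>/dev/null
}

# check_store FILE -> print a verdict; exit status is that of looks_encrypted
check_store() {
    zeros=$(count_zero_bytes "$1")
    total=$(byte_count "$1")
    if looks_encrypted "$1"; then
        echo "$1: $zeros of $total bytes are 0x00: looks encrypted"
    else
        echo "$1: $zeros of $total bytes are 0x00: PLAINTEXT VISIBLE"
        return 1
    fi
}

# constructed demonstration in a temporary directory
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_store "$demo_dir/encrypted"
check_store "$demo_dir/leaked" || true
rm -rf "$demo_dir"
```

On a real system, point check_store at the backing store (the file, partition or logical volume held in $crypt) after the dd if=/dev/zero step and before rm $mount/zero; a verdict of PLAINTEXT VISIBLE means the loop device was set up without the requested cipher. The check is deliberately coarse: a store that passes it is only free of an obvious leak, not proven to be well encrypted.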
Created attachment 90470
Patch to spec for util-linux-2.11y-6 (Phoebe) to add cryptoapi

Created attachment 90471
Implementation of cryptoapi support

util-linux-2.11r.patch.bz2 from http://www.kernel.org/pub/linux/kernel/people/hvr/util-linux-patch-int/ reworked to apply cleanly in util-linux-2.11y-6 spec file

Attached patches to add the cryptoapi support to util-linux.
- get and install util-linux-2.11y-6.src.rpm (Phoebe)
- save attachment 90471 as util-linux-2.11r-cryptoapi-81574.patch in SOURCES
- apply attachment 90470 as patch to SPECS/util-linux.spec
- "rpm -ba SPECS/util-linux.spec"
I can't find a trace of the cryptoapi support in the util-linux-2.11y-9 (Shrike) source RPM. Will the owner or submitter please update the version to 9? Patches for util-linux-2.11y-9 in progress, will post when tested.
Created attachment 91065
Patch to spec for util-linux-2.11y-9 (Shrike) to add cryptoapi

Updated the spec file for Shrike and verified that the patch doesn't need to be updated. The shell script in the defect still works with the updated RPMs produced, and my encrypted filesystems produced with the previous version also work.

- get and install util-linux-2.11y-9.src.rpm
- save attachment 90471 as util-linux-2.11r-cryptoapi-81574.patch in SOURCES
- apply attachment 91065 as patch to SPECS/util-linux.spec
- "rpm -ba SPECS/util-linux.spec"
I see references here to Red Hat Linux 9 (Shrike). Does this imply that this bug is fixed on this release? If so, then I must be missing something. What? I was still able to use my workaround and build a working mount.crypt and losetup.crypt from 2.11r sources.
No, RH9 (Shrike) doesn't support the CryptoAPI enhancements to mount and losetup. I created a source RPM patch for Phoebe and updated it for Shrike in the hopes that RH will add that support in a future release, as I very seriously doubt that they will add it to RH8.0 or 9.
With the patch files mentioned in the comments above everything worked (encrypted file system). I wrote a "HOW-TO" and put it online. If somebody wants to set up an encrypted file system with RH9, it may be helpful. The HOWTO can be found here: http://www.q-vadis.net/index.php?mID=stories&lng=en&art=5

patches and instructions work here on Redhat 9

Additional Comment #6 needs this change:
- rpmbuild -ba Specs/util-linux.spec
*** This bug has been marked as a duplicate of 56698 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.