cryptsetup cannot initialize crypto backend from initramfs


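I am on an embedded Linux device and am trying to open an encrypted squashfs for my rootfs.

The image was created on the host (build agent), from where I can open and use the contents, so I know the image is correct. When I try to open the image from the initramfs of the embedded Linux, I get the error: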

root# cryptsetup open ./rootfs.sqfs.img rootfs

# cryptsetup 2.5.0 processing "/usr/sbin/cryptsetup --debug open ./rootfs.sqfs.img rootfs"
# Verifying parameters for command open.
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device ./rootfs.sqfs.img.
# Trying to open and read device ./rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device ./rootfs.sqfs.img.
Cannot initialize crypto backend.
Device ./rootfs.sqfs.img is not a valid LUKS device.
# Releasing crypt device ./rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Unlocking memory.

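Some online searching suggests this error is caused by missing kernel modules, but I have all the modules that were listed. I have the following crypto modules enabled: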

CONFIG_CRYPTO_SHA1_ARM=y
CONFIG_CRYPTO_SHA256_ARM=y
CONFIG_CRYPTO_SHA512_ARM=y
CONFIG_CRYPTO_AES_ARM=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_ATMEL_AES=y
CONFIG_CRYPTO_DEV_ATMEL_TDES=y

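I also have device mapper support (dm_crypt) in my kernel. All options are built into the kernel, so the problem is not coming from an unloaded module.

cryptsetup version 2.5.0 is installed on the embedded Linux system. The host has version 2.2.2 installed. The embedded Linux runs kernel 4.19.231.

What else am I missing for cryptsetup to be able to map it to /dev/mapper/rootfs?

Edit:

I thought I was using the kernel backend; I don't know how to check on the embedded Linux system.

Running it on the host, it appears to use openssl (see below). My initramfs does not include openssl, so if it is trying to use openssl instead of the kernel, that could be my problem.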

# cryptsetup 2.2.2 processing "cryptsetup --debug open rootfs.sqfs.img rootfs"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device rootfs.sqfs.img.
# Trying to open and read device rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device rootfs.sqfs.img.
# Crypto backend (OpenSSL 1.1.1f  31 Mar 2020) initialized in cryptsetup library version 2.2.2.
# Detected kernel Linux 5.15.0-58-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device rootfs.sqfs.img
# Veryfing locked device handle (regular file)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (on-disk)
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device rootfs.sqfs.img
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (on-disk)
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (in-memory)
# Device size 68157440, offset 16777216.
# Device rootfs.sqfs.img READ lock released.
# PBKDF argon2i, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume rootfs using token -1.
# Interactive passphrase entry requested.
Enter passphrase for rootfs.sqfs.img: 
# Activating volume rootfs [keyslot -1] using passphrase.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status rootfs  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Reading keyslot area [0x8000].
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Reusing open ro fd on device rootfs.sqfs.img
# Device rootfs.sqfs.img READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (64 bytes, type logon) in thread keyring.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status rootfs  [ opencount noflush ]   [16384] (*1)
# Allocating a free loop device.
# Trying to open and read device /dev/loop27 with direct-io.
# Calculated device size is 100352 sectors (RW), offset 32768.
# DM-UUID is CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs
# Udev cookie 0xd4da08f (semid 32788) created
# Udev cookie 0xd4da08f (semid 32788) incremented to 1
# Udev cookie 0xd4da08f (semid 32788) incremented to 2
# Udev cookie 0xd4da08f (semid 32788) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create rootfs CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs [ opencount flush ]   [16384] (*1)
# dm reload rootfs  [ opencount flush securedata ]   [16384] (*1)
# dm resume rootfs  [ opencount flush securedata ]   [16384] (*1)
# rootfs: Stacking NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4da08f (semid 32788) decremented to 1
# Udev cookie 0xd4da08f (semid 32788) waiting for zero
# Udev cookie 0xd4da08f (semid 32788) destroyed
# rootfs: Skipping NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Processing NODE_READ_AHEAD 256 (flags=1)
# rootfs (253:2): read ahead is 256
# rootfs: retaining kernel read ahead of 256 (requested 256)
Key slot 0 unlocked.
# Releasing crypt device rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Closing read only fd for rootfs.sqfs.img.
# Closed loop /dev/loop27 (rootfs.sqfs.img).
# Unlocking memory.
Command successful.

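[Solved]

My problem was caused by me using musl-libc and lvm2 requiring glibc. After switching to glibc, cryptsetup was able to load the correct backend.

Answer 1

My problem was caused by me using musl-libc and lvm2 requiring glibc. After switching to glibc, cryptsetup was able to load its correct backend.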
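
A triage helper for the situation in this thread, added here as an example and not code from the question or the answer: it reads a `cryptsetup --debug` transcript to report which crypto backend initialized, and checks a kernel config for the userspace crypto API options. The function names and the choice of the two `CONFIG_CRYPTO_USER_API_*` options are assumptions of this example; the sample lines are copied from the transcripts in the question.

```shell
#!/bin/sh
# Added example (not from the thread): narrow down "Cannot initialize crypto
# backend" to the kernel side or the userspace side.

# Read a `cryptsetup --debug` transcript on stdin and print the backend that
# initialized, FAILED if initialization failed, or UNKNOWN otherwise.
backend_from_debug() {
    awk '
        /Crypto backend \(.*\) initialized/ {
            s = $0
            sub(/^.*Crypto backend \(/, "", s)
            sub(/\) initialized.*$/, "", s)
            print s; found = 1; exit
        }
        /Cannot initialize crypto backend/ { print "FAILED"; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# Print every userspace-crypto-API option that is neither =y nor =m in the
# kernel config file $1. The option pair checked is this example's assumption.
missing_af_alg() {
    for opt in CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_USER_API_SKCIPHER; do
        grep -Eq "^${opt}=[ym]\$" "$1" || echo "$opt"
    done
}

# Sample lines copied from the two transcripts in the question.
TARGET_LOG='# Trying to load any crypt type from device ./rootfs.sqfs.img.
Cannot initialize crypto backend.
Device ./rootfs.sqfs.img is not a valid LUKS device.'
HOST_LOG='# Crypto backend (OpenSSL 1.1.1f  31 Mar 2020) initialized in cryptsetup library version 2.2.2.'

# Report for a transcript ($1) and a kernel config file ($2).
triage() {
    backend=$(printf '%s\n' "$1" | backend_from_debug)
    missing=$(missing_af_alg "$2")
    if [ "$backend" != FAILED ]; then echo "backend: $backend"
    elif [ -n "$missing" ]; then echo "kernel: missing $missing"
    else echo "userspace: kernel options present, inspect cryptsetup's libraries"
    fi
}
```

With the question's data, the target transcript together with its kernel config lands in the userspace branch, which matches the resolution: a libc mismatch rather than a missing kernel option.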
