2022-07-06 03:20 AM
I have a problem with partition encryption on STM32MP153C with hardware ciphers. I use a custom initramfs with these installed: coreutils keyutils lvm2 e2fsprogs-mke2fs util-linux cryptsetup cryptodev-module cryptodev-tests
I also configured all crypto modules:
In kernel defconfig:
CONFIG_CRYPTO_DEV_STM32_CRC=m
CONFIG_CRYPTO_DEV_STM32_HASH=m
CONFIG_CRYPTO_DEV_STM32_CRYP=m
And device tree:
&hash1 {
	status = "okay";
};
&cryp1 {
	status = "okay";
};
&crc1 {
	status = "okay";
};
All drivers are visible:
grep -B1 -A2 stm32 /proc/crypto|grep -v kernel
name : xts(aes)
driver : xts(stm32-ecb-aes)
module : xts
priority : 200
--
name : crc32c
driver : stm32-crc32
priority : 200
--
name : crc32
driver : stm32-crc32
priority : 200
--
name : ccm(aes)
driver : stm32-ccm-aes
priority : 200
--
name : gcm(aes)
driver : stm32-gcm-aes
priority : 200
--
name : cbc(des3_ede)
driver : stm32-cbc-des3
priority : 200
--
name : ecb(des3_ede)
driver : stm32-ecb-des3
priority : 200
--
name : cbc(des)
driver : stm32-cbc-des
priority : 200
--
name : ecb(des)
driver : stm32-ecb-des
priority : 200
--
name : ctr(aes)
driver : stm32-ctr-aes
priority : 200
--
name : cbc(aes)
driver : stm32-cbc-aes
priority : 200
--
name : ecb(aes)
driver : stm32-ecb-aes
priority : 200
I encrypted the partition with the command:
cryptsetup luksFormat /dev/mmcblk0p6
but with the default cipher.
It isn't a problem to open it, copy the image, and mount it, but it is not a hardware cipher, and the system is very slow.
How to use hardware accelerators?
I tried:
cryptsetup --type luks2 --cipher "ecb(aes)" --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/mmcblk0p6
But with error:
error adding target to table
device-mapper: reload ioctl on failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/mmcblk0p6.
Check that kernel supports ecb(aes)-cbc-plain cipher (check syslog for more info).
How to use hardware ciphers?
2022-07-07 06:09 AM
Hello @MJerm.1 ,
Usually, I recommend building your Linux with the following CONFIG options as built-in (not as modules):
CONFIG_CRYPTO_DEV_STM32_CRC=y
CONFIG_CRYPTO_DEV_STM32_HASH=y
CONFIG_CRYPTO_DEV_STM32_CRYP=y
"y" instead of module "m".
If you run the command "cat /proc/crypto" again, you should be able to see that the STM32 hardware has a bigger priority value. This means that by default the HW crypto will be used, because its priority is 200 and the priority of the generic aes is 100.
If you want to be sure not to use the ARM software implementation, which, if I remember well, also has a priority of 200, you can remove these CONFIG options in "make menuconfig":
CONFIG_CRYPTO_AES_ARM
CONFIG_CRYPTO_AES_ARM_BS
CONFIG_CRYPTO_AES_ARM_CE
If you already generated the ARM modules and copied them onto the board, you should remove them from
/lib/modules/<yourKernelVersion>/kernel/arch/arm/crypto/
---------
Regarding cryptsetup, I never used it by myself, but I can see in the error:
Failed to setup dm-crypt key mapping for device /dev/mmcblk0p6.
Did you enable these CONFIG options:
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
These 3 CONFIG options enable the support of the device mapper and the crypt function used by dmsetup. It should fix the issue that you encounter.
Normally, CRYPTO_CRYPTD will be automatically enabled too.
Tell me if you still have the error after enabling dm_crypt ;)
Hope it helps,
Regards,
Kevin
2022-07-07 11:05 PM
The default cipher for luksFormat is aes-xts-plain64; my question is strictly about setting a hardware cipher for lukssetup. I read that I can use everything from /proc/crypto, but I don't know how. I have not found any example.
In https://wiki.st.com/stm32mpu/index.php?title=Crypto_API_overview&stableid=47163 there is information that it is possible.
EDIT:
OK, I found this:
cipher: Encryption block cipher.
Cipher can be specified directly using this format: cipher[:keycount]-chainmode-ivmode[:ivopts].
or with kernel crypto API format (selected by capi: prefix): capi:cipher_api_spec-ivmode[:ivopts].
Example (direct specification): aes, twofish, serpent.
Example (crypto API specification): capi:cbc(aes)-essiv:sha256, capi:xts(aes)-plain64
In https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt ->Mapping table for crypt target
It works well with command:
cryptsetup --type luks2 --cipher "capi:cbc(aes)-essiv:sha256" --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/mmcblk0p7
Maybe someone will use it. I will test possible ciphers. It already looks better than the default.
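Added example (not part of the original posts, and not ST or cryptsetup code): a POSIX shell check that turns a cryptsetup --cipher string into the kernel crypto API name, following the capi: and direct formats quoted above, and reports whether the highest-priority /proc/crypto entry for that name is an stm32 driver. The sample table, the non-stm32 driver names, the priorities and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/crypto layout; the non-stm32 driver names and
# all priorities are illustrative, not read from a board.
SAMPLE='name         : cbc(aes)
driver       : stm32-cbc-aes
priority     : 200

name         : cbc(aes)
driver       : cbc-aes-sw-example
priority     : 100

name         : xts(aes)
driver       : xts-aes-sw-example
priority     : 300

name         : xts(aes)
driver       : xts(stm32-ecb-aes)
priority     : 200'

# spec_to_api SPEC: crypto API name that dm-crypt requests for a cipher spec.
spec_to_api() {
    case $1 in
        capi:*) s=${1#capi:}; printf '%s\n' "${s%-*}" ;;  # capi:cbc(aes)-essiv:sha256 -> cbc(aes)
        *-*-*)  c=${1%%-*}; r=${1#*-}                       # aes-xts-plain64 -> xts(aes)
                printf '%s(%s)\n' "${r%%-*}" "${c%%:*}" ;;
        *)      return 1 ;;                                 # other forms not handled here
    esac
}

# best_driver NAME: highest-priority driver for NAME; /proc/crypto text on stdin.
best_driver() {
    awk -F'[ \t]*:[ \t]*' -v want="$1" '
        BEGIN { best = -1 }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { drv = $2 }
        $1 == "priority" && name == want && $2 + 0 > best { best = $2 + 0; win = drv }
        END { if (win == "") exit 1; print win }'
}

# uses_stm32 SPEC: 0 if the winning driver is an stm32 one, 1 if not, 2 if unknown.
uses_stm32() {
    api=$(spec_to_api "$1") || return 2
    drv=$(best_driver "$api") || return 2
    case $drv in *stm32*) return 0 ;; *) return 1 ;; esac
}

# On the target, feed the live table instead of the sample:
#   uses_stm32 'capi:cbc(aes)-essiv:sha256' < /proc/crypto && echo hardware
```

In the constructed table the xts(aes) lookup lands on the software entry because its priority is higher, which is the situation the advice above about removing competing software implementations is meant to avoid.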
2022-07-20 09:41 AM
Hello @MJerm.1 ,
Thank you for taking the time to explain your solution and for providing the link with the information. It will surely help other users :).
Regards,
Kevin