[SOLVED]How to use hardware ciphers with cryptsetup on STM32MP153C ?

MJerm.1 · ‎2022-07-06

I have problem with partition encryption on STM32MP153C with hardware ciphers. I use custom initramfs with installed: coreutils keyutils lvm2 e2fsprogs-mke2fs util-linux cryptsetup

cryptodev-module cryptodev-tests

I was also configure all crypto modules:

In kernel defconfig:

CONFIG_CRYPTO_DEV_STM32_CRC=m

CONFIG_CRYPTO_DEV_STM32_HASH=m

CONFIG_CRYPTO_DEV_STM32_CRYP=m

And device tree:

&hash1 {

status = "okay";

};

&cryp1 {

status = "okay";

};

&crc1 {

status = "okay";

};

All drivers are visible:

grep -B1 -A2 stm32 /proc/crypto|grep -v kernel

name : xts(aes)

driver : xts(stm32-ecb-aes)

module : xts

priority : 200

--

name : crc32c

driver : stm32-crc32

priority : 200

--

name : crc32

driver : stm32-crc32

priority : 200

--

name : ccm(aes)

driver : stm32-ccm-aes

priority : 200

--

name : gcm(aes)

driver : stm32-gcm-aes

priority : 200

--

name : cbc(des3_ede)

driver : stm32-cbc-des3

priority : 200

--

name : ecb(des3_ede)

driver : stm32-ecb-des3

priority : 200

--

name : cbc(des)

driver : stm32-cbc-des

priority : 200

--

name : ecb(des)

driver : stm32-ecb-des

priority : 200

--

name : ctr(aes)

driver : stm32-ctr-aes

priority : 200

--

name : cbc(aes)

driver : stm32-cbc-aes

priority : 200

--

name : ecb(aes)

driver : stm32-ecb-aes

priority : 200

I encrypted partition with command:

cryptsetup luksFormat /dev/mmcblk0p6 , but with default cipher

It isn't a problem to open, copy image, and mount, but it is not hardware cipher, and system is very slow.

How to use hardware accelerators?

I tried:

cryptsetup --type luks2 --cipher "ecb(aes)" --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/mmcblk0p6

But with error:

error adding target to table

device-mapper: reload ioctl on failed: Invalid argument

Failed to setup dm-crypt key mapping for device /dev/mmcblk0p6.

Check that kernel supports ecb(aes)-cbc-plain cipher (check syslog for more info).

How to use hardware ciphers?

MJerm.1 · ‎2022-07-07

I used before "y" instead of "m". I can change
Priorities for ST are set to 200, other 100
Configs with ARM are disabled
CONFIG_MD=y, CONFIG_BLK_DEV_DM=y, CONFIG_DM_CRYPT=y, CONFIG_CRYPTO_CRYPTD=m
Device mapper work ok if i use a default cipher for luksFormat

Default cipher for luksFormat is aes-xts-plain64 , my question is strictly for setting hardware cipher for lukssetup. I read, that i can use all from /proc/crypto, but i dont know how. I have not found any example

In https://wiki.st.com/stm32mpu/index.php?title=Crypto_API_overview&stableid=47163 is information that it is possible

EDIT:

Ok, i found this:

cipher: Encryption block cipher.

Cipher can be specified directly using this format: cipher[:keycount]-chainmode-ivmode[:ivopts].

or with kernel crypto API format (selected by capi: prefix): capi:cipher_api_spec-ivmode[:ivopts].

Example (direct specification): aes, twofish, serpent.

Example (crypto API specification): capi:cbc(aes)-essiv:sha256, capi:xts(aes)-plain64

In https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt ->Mapping table for crypt target

It works well with command:

cryptsetup --type luks2 --cipher "capi:cbc(aes)-essiv:sha256" --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/mmcblk0p7

Maybe someone will use it. I will test possible ciphers. It already looks better than the default.

View solution in original post

Kevin HUBER · ‎2022-07-07

Hello @MJerm.1 ,

Usually, I recommend to build your linux with the following CONFIG as built-in (not like module):

CONFIG_CRYPTO_DEV_STM32_CRC=y

CONFIG_CRYPTO_DEV_STM32_HASH=y

CONFIG_CRYPTO_DEV_STM32_CRYP=y

"y" instead of module "m".

If you do again the command "cat /proc/crypto", you must be able to see that the priority of the STM32 Hardware has a bigger values in priority. Which means that by default the HW crypto will be used, because the priority is 200 and the priority of the generic aes is 100.

If you want to be sure to not use the arm software implementation that if I remember well, has also a priority of 200, you can remove these CONFIG from "make menuconfig":

CONFIG_CRYPTO_AES_ARM

CONFIG_CRYPTO_AES_ARM_BS

CONFIG_CRYPTO_AES_ARM_CE

If you already generated the modules ARM and copied them on the board, you should remove them from

/lib/modules/<yourKernelVersion>/kernel/arch/arm/crypto/

---------

Regarding cryptsetup, I never used it by myself, but I can see in the error:

Failed to setup dm-crypt key mapping for device /dev/mmcblk0p6.

Did you enabled the CONFIG:

CONFIG_MD=y

CONFIG_BLK_DEV_DM=y

CONFIG_DM_CRYPT=y

These 3 CONFIG enable the support of the device mapper and the crypt function used by dmsetup. It should fixes the issue that you encounter.

Normally, CRYPTO_CRYPTD will be automatically enabled too.

Tell me if you still have the error after enabling dm_crypt ;)

Hope it helps,

Regards,

Kevin

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

MJerm.1 · ‎2022-07-07

I used before "y" instead of "m". I can change
Priorities for ST are set to 200, other 100
Configs with ARM are disabled
CONFIG_MD=y, CONFIG_BLK_DEV_DM=y, CONFIG_DM_CRYPT=y, CONFIG_CRYPTO_CRYPTD=m
Device mapper work ok if i use a default cipher for luksFormat

Default cipher for luksFormat is aes-xts-plain64 , my question is strictly for setting hardware cipher for lukssetup. I read, that i can use all from /proc/crypto, but i dont know how. I have not found any example

In https://wiki.st.com/stm32mpu/index.php?title=Crypto_API_overview&stableid=47163 is information that it is possible

EDIT:

Ok, i found this:

cipher: Encryption block cipher.

Cipher can be specified directly using this format: cipher[:keycount]-chainmode-ivmode[:ivopts].

or with kernel crypto API format (selected by capi: prefix): capi:cipher_api_spec-ivmode[:ivopts].

Example (direct specification): aes, twofish, serpent.

Example (crypto API specification): capi:cbc(aes)-essiv:sha256, capi:xts(aes)-plain64

In https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt ->Mapping table for crypt target

It works well with command:

cryptsetup --type luks2 --cipher "capi:cbc(aes)-essiv:sha256" --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/mmcblk0p7

Maybe someone will use it. I will test possible ciphers. It already looks better than the default.

Kevin HUBER · ‎2022-07-20

Hello @MJerm.1 ,

Thank you for having taking time to explain your solution and to have provided the link with the information. It will surely help other users :).

Regards,

Kevin

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.