encrypted swap on raid1 not working

jjletho · April 6, 2021, 3:07pm

Hi,
I’m doing some installation tests with LEAP 15.3 BETA and I encountered a problem with encrypted swap.
The layout I choosed for my swap is raid1 with an encrypted swap over it, recreated at boot time with a random key. This layout is supported by the yast installer and I already used it in the past (LEAP 15.2, LEAP 42, etc…).

This time the installer gave me an error during the filesystem creation. I told it to ignore and continue and the resulting system was bootable but without swap.

I checked the relevant configuration files:

/etc/fstab


...
/dev/mapper/cr_swap                        swap       swap   defaults             0  0
...

/etc/crypttab


...
cr_swap /dev/md2        /dev/urandom    swap
...

Config files looks fine, it seems that the installer has done its job.

I tried to restart crypttab service with this result:


systemctl restart cryptsetup.target 
Please enter passphrase for disk cr_swap on swap: *********               
A dependency job for cryptsetup.target failed. See 'journalctl -xe' for details

journalctl -xe

The job identifier is 4086 and the job result is failed.
Apr 06 14:53:03 opensuse153 systemd[1]: Dependency failed for Local Encrypted Volumes.
Subject: A start job for unit cryptsetup.target has failed
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A start job for unit cryptsetup.target has finished with a failure.
The job identifier is 4071 and the job result is dependency.
Apr 06 14:53:03 opensuse153 systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Apr 06 14:53:03 opensuse153 systemd[1]: Reached target Block Device Preparation for /dev/mapper/cr_swap.
Subject: A start job for unit blockdev@dev-mapper-cr_swap.target has finished successfully
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A start job for unit blockdev@dev-mapper-cr_swap.target has finished successfully.
The job identifier is 4225.
Apr 06 14:53:03 opensuse153 systemd[1]: Stopped target Block Device Preparation for /dev/mapper/cr_swap.
Subject: A stop job for unit blockdev@dev-mapper-cr_swap.target has finished
Defined-By: systemd
Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
A stop job for unit blockdev@dev-mapper-cr_swap.target has finished.
The job identifier is 4231 and the job result is done.

It is very strange because it should not ask me for a password, it should use /dev/urandom.

After that I tried to create the same setup manually:


cryptsetup --debug open --type plain /dev/md2 cr_swap
# cryptsetup 2.3.4 processing "cryptsetup --debug open --type plain /dev/md2 cr_swap"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/md2.
# Trying to open and read device /dev/md2 with direct-io.
# Initialising device-mapper backend library.
# Formatting device /dev/md2 as type PLAIN.
# Crypto backend (OpenSSL 1.1.1d  10 Sep 2019) initialized in cryptsetup library version 2.3.4.
# Detected kernel Linux 5.3.18-52-default x86_64.
# Interactive passphrase entry requested.
Enter passphrase for /dev/md2: 
# Activating volume cr_swap [keyslot -1] using passphrase.
# dm version    opencount flush ]   [16384] (*1)
# dm versions    opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.42.0.
# Detected dm-crypt version 1.22.0.
# Device-mapper backend running with UDEV support enabled.
# dm status cr_swap   opencount noflush ]   [16384] (*1)
# Plain: hashing passphrase using ripemd160.
# Trying to activate PLAIN device cr_swap using cipher aes-cbc-essiv:sha256.
# dm versions    opencount flush ]   [16384] (*1)
# dm status cr_swap   opencount noflush ]   [16384] (*1)
# Calculated device size is 2097024 sectors (RW), offset 0.
# DM-UUID is CRYPT-PLAIN-cr_swap
# Udev cookie 0xd4d22b9 (semid 17) created
# Udev cookie 0xd4d22b9 (semid 17) incremented to 1
# Udev cookie 0xd4d22b9 (semid 17) incremented to 2
# Udev cookie 0xd4d22b9 (semid 17) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create cr_swap CRYPT-PLAIN-cr_swap  opencount flush ]   [16384] (*1)
# dm reload cr_swap   opencount flush securedata ]   [16384] (*1)
device-mapper: reload ioctl on   failed: No such file or directory
# Udev cookie 0xd4d22b9 (semid 17) decremented to 1
# Udev cookie 0xd4d22b9 (semid 17) incremented to 2
# Udev cookie 0xd4d22b9 (semid 17) assigned to REMOVE task(2) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm remove cr_swap   opencount flush securedata ]   [16384] (*1)
# dm versions    opencount flush ]   [16384] (*1)
# dm status cr_swap   opencount noflush ]   [16384] (*1)
# Udev cookie 0xd4d22b9 (semid 17) decremented to 1
# Udev cookie 0xd4d22b9 (semid 17) waiting for zero
# Udev cookie 0xd4d22b9 (semid 17) destroyed
# Releasing crypt device /dev/md2 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).

It fails again. It looks like device mapper is missing something, but what?

In the same machine I have a luks encrypted device (with password) which is working fine. The problem seems related to plain encrypted device (swap with random key should be implemented as a plain ecrypted device)

Any ideas? Any similar experiences?

Thank you in advance

nrickert · April 6, 2021, 4:44pm

This needs a bug report.

I have done this with Leap 15.2, but I had not tried with Leap 15.3. If I find some time, I might experiment.

nrickert · April 6, 2021, 9:52pm

Okay, I have now tested this, in a KVM virtual machine. Note that I am not using RAID here.

The installer seemed to do everything right, until it got to the final install. Then it complained about the problem. I told it to continue anyway. More complaints. I had to tell it to continue several times.

I eventually finished up with a good install.

On boot: it requested a password for the swap partition. I used “CTRL-D” to skip that. It continued to boot. The booted system did not have any swap (I used the “free” command to check that).

I then configured the Leap 15.2 update repo as an additional repo. And I installed kernel-default-5.3.18-lp152.66.2 from there.

Rebooting, I used the grub menu to boot with that Leap 15.2 kernel. And it booted just fine with the swap working as it should.

This seems to be a kernel problem with Leap 15.3. I’ll open a bug report shortly.

nrickert · April 6, 2021, 10:21pm

Reported as Bug 1184419.

jjletho · April 8, 2021, 9:54pm

Great, thank you very much. I’m available if some tests are needed.

nrickert · April 8, 2021, 11:45pm

I’ll suggest that you add yourself to the bug report.

Just login to the bugzilla – the name/password that you use for opensuse forums should also work there.

I think it adds you to the CC list (so you get copies of changes) by default. But you can make sure that the box “Add me to the CC list” is checked. Then click “Save Changes”.

nrickert · April 20, 2021, 7:01am

It looks as if this should work with the latest updates.

Boot your system. Update “kernel-default”, “kernel-default-extra” and “kernel-default-optional”.

When booted with the newer kernel, the swap should work. And you might as well update everything while you are about it.