[dm-crypt] libcryptsetup kernel feature detection fails on boot

Milan Broz gmazyland at gmail.com
Wed Jul 23 09:45:31 CEST 2014

On 23.7.2014 0:36, Thomas Bächler wrote:
> Since cryptsetup 1.6.5, libcryptsetup fails to detect the kernel's
> features on boot. In particular, whenever the dm-crypt module is not
> loaded before configuring a mapping with libcryptsetup, the
> allow_discards option is not used.

Hm, yes, that's possible... dmcrypt is now needed only on activation
(previaously it was loaded earlier perhaps).

Well, the workaround for now is probably to always load dmcrypt module,
I'll try to fix it soon.



FYI there are more problems discovered by the userspace header processing
in 1.6.5 (I expected these appears when introducing truecrypt format which
uses the same logic but unfortunately that was not the case).

- with SELinux in enforcing mode (and proper policy, in Fedora this applies
only to systemd-cryptsetup which is labeled as init process) it fails
to activate volumes.
Apparently kernel crypto API socket was never labeled properly(!)
(kernel selinux subsystem bug, patch on the way upstream).
See https://bugzilla.redhat.com/show_bug.cgi?id=1115120

- with some crazy configuration we hit the problem that some hash algorithm
are not available in userspace (whirlpool256 for example) so when
used in ESSIV it fails. There was conservative approach to fallback to old
mode, unfortunately I did not implement it correctly for this case.
See https://code.google.com/p/cryptsetup/issues/detail?id=222

So anyway, expect cryptsetup 1.6.6 to fix these...

More information about the dm-crypt mailing list