Is Core20's OP-TEE FDE broken?

ruhan.vanderberg · May 15, 2023, 11:52am

Hello there,

I am debugging on why my encrypted volumes is not being decrypted, with dm-mapper bugging out at boot trying to decrypt the disk:

[    7.294007] random: systemd-cryptse: uninitialized urandom read (4 bytes read)
[    7.391692] device-mapper: table: 253:0: crypt: unknown target type
[    7.399494] device-mapper: ioctl: error adding target to table
[   71.652114] random: crng init donek /dev/disk/by-partuuid/f87930c6-04: (press TAB for no echo)

When I mount my SDcard to a linux box, it seems that the LUKS information cannot be read properly?

Hexdumping the first 512 bytes of said partition yields:

Is this correct? The installer does report that it is creating the volumes here, not sure if done properly.

May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 1...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 2...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 3...
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:247: started snapd/2.59.2 (series 16) ubuntu-core/20 (arm64) linux/5.15.71-gaaf0bc0caeea-dir.
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:340: adjusting startup timeout by 35s (pessimistic estimate of 30s plus 5s per snap)
May 15 10:27:56 ubuntu snapd[1501]: backends.go:58: AppArmor status: apparmor is enabled and all features are available
May 15 10:27:56 ubuntu systemd[1]: Started Snap Daemon.
May 15 10:27:57 ubuntu snapd[1501]: devicestate.go:194: installing unasserted kernel mydevboard-kernel"
May 15 10:28:01 ubuntu snapd[1501]: devicestate.go:194: installing unasserted gadget mydevboard-gadget"
May 15 10:28:04 ubuntu snapd[1501]: picfg.go:170: ignoring pi-config settings: configuration cannot be applied: unsupported system mode
[   43.823368] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.8ad1b0ba-bb2d-4fd4-a785-369f9bac43c7.scope: Succeeded.
[   43.825670] snapd[1501]: handlers_install.go:368: create and deploy partitions
[   43.825936] snapd[1501]: install.go:222: installing a new system
[   43.826129] snapd[1501]: install.go:223:         gadget data from: /snap/mydevboard-gadget/x1
[   43.826337] snapd[1501]: install.go:224:         encryption: cryptsetup
May 15 10:28:08 ubuntu snapd[1501]: handlers_install.go:368: create and deploy partitions
May 15 10:28:08 ubuntu snapd[1501]: install.go:222: installing a new system
May 15 10:28:08 ubuntu snapd[1501]: install.go:223:         gadget data from: /snap/mydevboard-gadget/x1
May 15 10:28:08 ubuntu snapd[1501]: install.go:224:         encryption: cryptsetup
[   44.560859] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
May 15 10:28:08 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
[   45.525285] systemd[1]: run-snapd-gadget\x2dinstall-dev\x2dmmcblk1p2.mount: Succeeded.
[   45.534614] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
[   45.534925] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
May 15 10:28:09 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
May 15 10:28:09 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
[   47.399574] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
May 15 10:28:11 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
[   47.597492] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
[   47.597688] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
May 15 10:28:11 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
May 15 10:28:11 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
[   49.456532] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
May 15 10:28:13 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
[   56.659209] snapd[1501]: handlers_install.go:390: make system runnable
May 15 10:28:20 ubuntu snapd[1501]: handlers_install.go:390: make system runnable
[   70.986187] systemd[1]: systemd-hostnamed.service: Succeeded.
[   71.313528] systemd[1]: systemd-timedated.service: Succeeded.
[   83.439146] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope.
M/TA: FDE cmd_id = 0x1
[   84.018359] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope: Succeeded.
[   84.107434] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope.
M/TA: FDE cmd_id = 0x1
[   84.706270] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope: Succeeded.
[   84.798137] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope.
M/TA: FDE cmd_id = 0x1
[   85.388602] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope: Succeeded.

This is on a SDCard, to be later done on a eMMC device. @ondra Does this look OK to you? Sorry to tag you on this, I’m trying to figure out whats wrong and how I can fix it, been bothering me all-week last week.

EDIT: To add more detail, it seems that the cipher aes, mode xts-plain64 is used, but the filesystem is mapped as a SHA256 encrypted container? Got this log here below, after mashing the “Return/Enter” key a few times.

[   67.692719] the-tool[287]: 2023/05/15 15:02:50.929906 main.go:63: execution error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[FAILED] Failed to start the-tool.service.
[   67.717066] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
See 'systemctl status the-tool.service' for details.
[   67.732351] the-tool[287]: -----
[  OK  ] Stopped target Local Encrypted Volumes.
[  OK  ] Stopped target Login Prompts (Pre).
[   67.772629] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[   67.812559] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[   67.832186] the-tool[287]: device-mapper: reload ioctl on   failed: Invalid argument
[   67.848177] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[   67.864161] the-tool[287]: Too many attempts to activate; giving up.
[   67.880158] the-tool[287]: -----
[   67.892768] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[   67.916517] the-tool[287]: error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[   67.936172] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
[   67.960488] the-tool[287]: -----
[   67.972175] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[   67.988188] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[   68.008179] the-tool[287]: device-mapper: reload ioctl on   failed: Invalid argument
[   68.024174] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[   68.040163] the-tool[287]: Too many attempts to activate; giving up.
[   68.056163] the-tool[287]: -----
[   68.068163] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[  OK  ] Stopped target Paths.

ruhan.vanderberg · May 16, 2023, 3:41pm

For more information,

I’m using Core20’s latest ubuntu-core-initrd deb package here (51.7-arm64): https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+packages?field.name_filter=ubuntu-core-initramfs&field.status_filter=&field.series_filter=focal

Latest stable snapd version, ( as of 16-05-2023) and a 5.15.71 kernel, patched with some Ubuntu-Core specific apparmor patches found here: https://github.com/RuhanSA079/UbuntuCore-5.15.y-kernelpatch/

@ogra Do you know if there’s someone else working on this, or is Ondra the only guy that can assist in this matter? I am testing this on a Variscite IMX8MP VAR-SOM devkit, with the Symphony base-board. BR

ogra · May 16, 2023, 3:43pm

i fear @ondra is the expert here …

ondra · June 5, 2023, 5:34pm

Hi @ruhan.vanderberg Sorry for the late reply. I have not seen this one before. But judging from the similar issue I have faced before it could be related to the regression we had in ubuntu-core-initramfs. It caused udev race condition where we were accessing things that did not exist yet. Errors were all over the map. Can you try to make clean build of your kernel snap and see if you are still seeing this issue?

cheers Ondra

ruhan.vanderberg · June 6, 2023, 7:34am

Hello, thank you for the reply.

Yes, I still face this issue, even after the changes on your PoC commit on LP. (Compiled this last-night) Could you tell me what your build-setup is like? I am using Snapcraft 7.4.0, (due to the kernel plugin missing, so had to use your kernel plugin found on Github) Using a Focal Multipass VM.

Should I try to migrate to Snapcraft edge and try again without the external kernel plugin? I am using Ubuntu Core initramfs 51.7 like I mentioned before.

ruhan.vanderberg · June 6, 2023, 12:54pm

Progress update:

Using edge snapcraft, compiled the kernel snap on a Raspberry Pi 4, running Ubuntu Focal/20.04. Was struggling with missing packages on cross-compile, so I did it on a Pi4. (Painfully slow!)

Seems that no errors were thrown, w.r.t FDE start errors: Boot log: (After install and encryption)

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.10.72-g3e26d88c2ac5-dirty (ubuntu@uc-arm64builder) (aarch64-linux-gnu-gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1 SMP PREEMPT Tue Jun 6 10:10:16 UTC 2023
[    0.000000] Machine model: Variscite VAR-SOM-MX8M-PLUS on Symphony Board
[    0.000000] efi: UEFI not found.
[    0.000000] [Firmware Bug]: Kernel image misaligned at boot, please fix your bootloader!
[    0.000000] Reserved memory: created DMA memory pool at 0x0000000094300000, size 1 MiB
[    0.000000] OF: reserved mem: initialized node vdev0buffer@94300000, compatible id shared-dma-pool
[    0.000000] NUMA: No NUMA configuration found
[    0.000000] NUMA: Faking a node at [mem 0x0000000040000000-0x000000013fffffff]
[    0.000000] NUMA: NODE_DATA [mem 0x13f853700-0x13f855fff]
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x0000000055ffffff]
[    0.000000]   node   0: [mem 0x0000000058000000-0x00000000923fffff]
[    0.000000]   node   0: [mem 0x0000000092400000-0x00000000a43fffff]
[    0.000000]   node   0: [mem 0x00000000a4400000-0x000000013fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000013fffffff]
[    0.000000] cma: Reserved 32 MiB at 0x00000000fe000000
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.1 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] psci: SMC Calling Convention v1.2
[    0.000000] percpu: Embedded 23 pages/cpu s56856 r8192 d29160 u94208
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: detected: ARM erratum 845719
[    0.000000] CPU features: detected: GIC system register CPU interface
[    0.000000] CPU features: kernel page table isolation forced ON by KASLR
[    0.000000] CPU features: detected: Kernel page table isolation (KPTI)
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 1024000
[    0.000000] Policy zone: Normal
[    0.000000] Kernel command line: fde_helper=enabled console=ttymxc1,115200 snapd_recovery_mode=run panic=-1 systemd.gpt_auto=0 rd.systemd.unit=basic.target
[    0.000000] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, linear)
[    0.000000] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] software IO TLB: mapped [mem 0x00000000fa000000-0x00000000fe000000] (64MB)
[    0.000000] Memory: 3638564K/4161536K available (17920K kernel code, 1542K rwdata, 6968K rodata, 3008K init, 589K bss, 490204K reserved, 32768K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Preemptible hierarchical RCU implementation.
[    0.000000] rcu:     RCU event tracing is enabled.
[    0.000000] rcu:     RCU restricting CPUs from NR_CPUS=256 to nr_cpu_ids=4.
[    0.000000]  Trampoline variant of Tasks RCU enabled.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[    0.000000] GICv3: 160 SPIs implemented
[    0.000000] GICv3: 0 Extended SPIs implemented
[    0.000000] GICv3: Distributor has no Range Selector support
[    0.000000] GICv3: 16 PPIs implemented
[    0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000
[    0.000000] ITS: No ITS available, not enabling LPIs
[    0.000000] random: get_random_bytes called from start_kernel+0x31c/0x4e0 with crng_init=0
[    0.000000] arch_timer: cp15 timer(s) running at 8.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 440795202120 ns
[    0.000003] sched_clock: 56 bits at 8MHz, resolution 125ns, wraps every 2199023255500ns
[    0.000453] Console: colour dummy device 80x25
[    0.000513] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.00 BogoMIPS (lpj=32000)
[    0.000527] pid_max: default: 32768 minimum: 301
[    0.000598] LSM: Security Framework initializing
[    0.000615] Yama: becoming mindful.
[    0.000679] AppArmor: AppArmor initialized
[    0.000722] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.000740] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.002012] rcu: Hierarchical SRCU implementation.
[    0.003381] EFI services will not be available.
[    0.003552] smp: Bringing up secondary CPUs ...
[    0.003932] Detected VIPT I-cache on CPU1
[    0.003956] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000
[    0.003990] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.004429] Detected VIPT I-cache on CPU2
[    0.004447] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000
[    0.004467] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.004871] Detected VIPT I-cache on CPU3
[    0.004887] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000
[    0.004909] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.004968] smp: Brought up 1 node, 4 CPUs
[    0.004995] SMP: Total of 4 processors activated.
[    0.005004] CPU features: detected: 32-bit EL0 Support
[    0.005010] CPU features: detected: CRC32 instructions
[    0.005020] CPU features: detected: 32-bit EL1 Support
[    0.013830] CPU: All CPU(s) started at EL2
[    0.013854] alternatives: patching kernel code
[    0.015143] devtmpfs: initialized
[    0.024287] KASLR disabled due to lack of seed
[    0.024435] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.024448] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.025516] pinctrl core: initialized pinctrl subsystem
[    0.026004] DMI not present or invalid.
[    0.026406] NET: Registered protocol family 16
[    0.033449] DMA: preallocated 512 KiB GFP_KERNEL pool for atomic allocations
[    0.034490] DMA: preallocated 512 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.035549] DMA: preallocated 512 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.035602] audit: initializing netlink subsys (disabled)
[    0.035792] audit: type=2000 audit(0.032:1): state=initialized audit_enabled=0 res=1
[    0.036383] thermal_sys: Registered thermal governor 'step_wise'
[    0.036387] thermal_sys: Registered thermal governor 'power_allocator'
[    0.036763] cpuidle: using governor menu
[    0.037092] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.037167] ASID allocator initialised with 32768 entries
[    0.038443] Serial: AMBA PL011 UART driver
[    0.038507] imx mu driver is registered.
[    0.038530] imx rpmsg driver is registered.
[    0.073760] imx8mp-pinctrl 30330000.pinctrl: initialized IMX pinctrl driver
[    0.092460] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[    0.092476] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[    0.092484] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[    0.092492] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[    0.093480] cryptd: max_cpu_qlen set to 1000
[    0.096686] ACPI: Interpreter disabled.
[    0.097647] iommu: Default domain type: Translated
[    0.097787] vgaarb: loaded
[    0.098064] SCSI subsystem initialized
[    0.098407] usbcore: registered new interface driver usbfs
[    0.098442] usbcore: registered new interface driver hub
[    0.098478] usbcore: registered new device driver usb
[    0.100007] mc: Linux media interface: v0.10
[    0.100036] videodev: Linux video capture interface: v2.00
[    0.100103] pps_core: LinuxPPS API ver. 1 registered
[    0.100111] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.100130] PTP clock support registered
[    0.100300] EDAC MC: Ver: 3.0.0
[    0.101418] FPGA manager framework
[    0.101505] Advanced Linux Sound Architecture Driver Initialized.
[    0.101983] Bluetooth: Core ver 2.22
[    0.102008] NET: Registered protocol family 31
[    0.102015] Bluetooth: HCI device and connection manager initialized
[    0.102027] Bluetooth: HCI socket layer initialized
[    0.102035] Bluetooth: L2CAP socket layer initialized
[    0.102051] Bluetooth: SCO socket layer initialized
[    0.102067] NetLabel: Initializing
[    0.102073] NetLabel:  domain hash size = 128
[    0.102080] NetLabel:  protocols = UNLABELED CIPSOv4 CALIPSO
[    0.102138] NetLabel:  unlabeled traffic allowed by default
[    0.103232] clocksource: Switched to clocksource arch_sys_counter
[    0.103389] VFS: Disk quotas dquot_6.6.0
[    0.103436] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.103870] AppArmor: AppArmor Filesystem Enabled
[    0.103904] pnp: PnP ACPI: disabled
[    0.110111] NET: Registered protocol family 2
[    0.110256] IP idents hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.111948] tcp_listen_portaddr_hash hash table entries: 2048 (order: 3, 32768 bytes, linear)
[    0.111998] TCP established hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.112206] TCP bind hash table entries: 32768 (order: 7, 524288 bytes, linear)
[    0.112631] TCP: Hash tables configured (established 32768 bind 32768)
[    0.112731] UDP hash table entries: 2048 (order: 4, 65536 bytes, linear)
[    0.112811] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes, linear)
[    0.112991] NET: Registered protocol family 1
[    0.113331] RPC: Registered named UNIX socket transport module.
[    0.113337] RPC: Registered udp transport module.
[    0.113343] RPC: Registered tcp transport module.
[    0.113350] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.113361] PCI: CLS 0 bytes, default 64
[    0.113531] Trying to unpack rootfs image as initramfs...
[    0.358878] Freeing initrd memory: 19180K
[    0.359716] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available
[    0.360379] kvm [1]: IPA Size Limit: 40 bits
[    0.361865] kvm [1]: GICv3: no GICV resource entry
[    0.361871] kvm [1]: disabling GICv2 emulation
[    0.361889] kvm [1]: GIC system register CPU interface enabled
[    0.361959] kvm [1]: vgic interrupt IRQ9
[    0.362067] kvm [1]: Hyp mode initialized successfully
[    0.365048] Initialise system trusted keyrings
[    0.365159] workingset: timestamp_bits=42 max_order=20 bucket_order=0
[    0.371000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.371845] NFS: Registering the id_resolver key type
[    0.371869] Key type id_resolver registered
[    0.371875] Key type id_legacy registered
[    0.371953] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    0.371963] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[    0.371984] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.372309] 9p: Installing v9fs 9p2000 file system support
[    0.408790] Key type asymmetric registered
[    0.408798] Asymmetric key parser 'x509' registered
[    0.408827] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    0.408915] io scheduler mq-deadline registered
[    0.408924] io scheduler kyber registered
[    0.411322] samsung-hdmi-phy 32fdff00.hdmiphy: failed to get phy apb clk: -517
[    0.415960] EINJ: ACPI disabled.
[    0.427037] imx-sdma 30bd0000.dma-controller: firmware found.
[    0.427193] imx-sdma 30bd0000.dma-controller: loaded firmware 4.5
[    0.429056] mxs-dma 33000000.dma-apbh: initialized
[    0.431429] Bus freq driver module loaded
[    0.437589] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.439930] 30860000.serial: ttymxc0 at MMIO 0x30860000 (irq = 32, base_baud = 1500000) is a IMX
[    0.440707] 30880000.serial: ttymxc2 at MMIO 0x30880000 (irq = 33, base_baud = 5000000) is a IMX
[    0.441294] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 34, base_baud = 1500000) is a IMX
[    1.549756] printk: console [ttymxc1] enabled
[    1.554799] 30a60000.serial: ttymxc3 at MMIO 0x30a60000 (irq = 40, base_baud = 1500000) is a IMX
[    1.565941] imx-lcdifv3 32fc6000.lcd-controller: No irq get, ret=-517
[    1.575445] imx-hdmi-pavi 32fc4000.hdmi-pai-pvi: No pvi clock get
[    1.592862] brd: module loaded
[    1.769012] loop: module loaded
[    1.773425] megasas: 07.714.04.00-rc1
[    1.778645] imx ahci driver is registered.
[    1.787904] libphy: Fixed MDIO Bus: probed
[    1.793349] tun: Universal TUN/TAP device driver, 1.6
[    1.799218] thunder_xcv, ver 1.0
[    1.802497] thunder_bgx, ver 1.0
[    1.805768] nicpf, ver 1.0
[    1.809950] pps pps0: new PPS source ptp0
[    1.828902] libphy: fec_enet_mii_bus: probed
[    1.833627] fec 30be0000.ethernet eth0: registered PHC device 0
[    1.842022] hclge is initializing
[    1.845376] hns3: Hisilicon Ethernet Network Driver for Hip08 Family - version
[    1.852606] hns3: Copyright (c) 2017 Huawei Corporation.
[    1.857969] e1000: Intel(R) PRO/1000 Network Driver
[    1.862853] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.868638] e1000e: Intel(R) PRO/1000 Network Driver
[    1.873611] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    1.879571] igb: Intel(R) Gigabit Ethernet Network Driver
[    1.884976] igb: Copyright (c) 2007-2014 Intel Corporation.
[    1.890586] igbvf: Intel(R) Gigabit Virtual Function Network Driver
[    1.896860] igbvf: Copyright (c) 2009 - 2012 Intel Corporation.
[    1.902973] sky2: driver version 1.30
[    1.907429] imx-dwmac 30bf0000.ethernet: IRQ eth_lpi not found
[    1.913356] imx-dwmac 30bf0000.ethernet: no reset control found
[    1.919442] imx-dwmac 30bf0000.ethernet: User ID: 0x10, Synopsys ID: 0x51
[    1.926246] imx-dwmac 30bf0000.ethernet:     DWMAC4/5
[    1.931051] imx-dwmac 30bf0000.ethernet: DMA HW capability register supported
[    1.938195] imx-dwmac 30bf0000.ethernet: RX Checksum Offload Engine supported
[    1.945337] imx-dwmac 30bf0000.ethernet: TX Checksum insertion supported
[    1.952046] imx-dwmac 30bf0000.ethernet: Wake-Up On Lan supported
[    1.958195] imx-dwmac 30bf0000.ethernet: Enable RX Mitigation via HW Watchdog Timer
[    1.965893] imx-dwmac 30bf0000.ethernet: Enabled Flow TC (entries=8)
[    1.972264] imx-dwmac 30bf0000.ethernet: Enabling HW TC (entries=256, max_off=256)
[    1.979847] imx-dwmac 30bf0000.ethernet: Using 34 bits DMA width
[    1.986465] imx-dwmac 30bf0000.ethernet: Cannot register the MDIO bus
[    1.992924] imx-dwmac 30bf0000.ethernet: stmmac_dvr_probe: MDIO bus (id: 0) registration failed
[    2.001911] usbcore: registered new interface driver r8152
[    2.007675] VFIO - User Level meta-driver version: 0.3
[    2.019042] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    2.025621] ehci-pci: EHCI PCI platform driver
[    2.030116] ehci-platform: EHCI generic platform driver
[    2.035587] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    2.041794] ohci-pci: OHCI PCI platform driver
[    2.046276] ohci-platform: OHCI generic platform driver
[    2.052311] usbcore: registered new interface driver uas
[    2.057689] usbcore: registered new interface driver usb-storage
[    2.063767] usbcore: registered new interface driver usbserial_generic
[    2.070323] usbserial: USB Serial support registered for generic
[    2.076362] usbcore: registered new interface driver ftdi_sio
[    2.082128] usbserial: USB Serial support registered for FTDI USB Serial Device
[    2.089477] usbcore: registered new interface driver usb_serial_simple
[    2.096033] usbserial: USB Serial support registered for carelink
[    2.102146] usbserial: USB Serial support registered for zio
[    2.107825] usbserial: USB Serial support registered for funsoft
[    2.113858] usbserial: USB Serial support registered for flashloader
[    2.120231] usbserial: USB Serial support registered for google
[    2.126172] usbserial: USB Serial support registered for libtransistor
[    2.132727] usbserial: USB Serial support registered for vivopay
[    2.138756] usbserial: USB Serial support registered for moto_modem
[    2.145047] usbserial: USB Serial support registered for motorola_tetra
[    2.151684] usbserial: USB Serial support registered for novatel_gps
[    2.158061] usbserial: USB Serial support registered for hp4x
[    2.163829] usbserial: USB Serial support registered for suunto
[    2.169770] usbserial: USB Serial support registered for siemens_mpi
[    2.176155] usbcore: registered new interface driver usb_ehset_test
[    2.185224] input: 30370000.snvs:snvs-powerkey as /devices/platform/soc@0/30000000.bus/30370000.snvs/30370000.snvs:snvs-powerkey/input/input0
[    2.199378] i2c /dev entries driver
[    2.204124] Driver for 1-wire Dallas network protocol.
[    2.212459] device-mapper: ioctl: 4.43.0-ioctl (2020-10-01) initialised: dm-devel@redhat.com
[    2.220995] Bluetooth: HCI UART driver ver 2.3
[    2.225456] Bluetooth: HCI UART protocol H4 registered
[    2.230604] Bluetooth: HCI UART protocol BCSP registered
[    2.235946] Bluetooth: HCI UART protocol LL registered
[    2.241092] Bluetooth: HCI UART protocol ATH3K registered
[    2.246517] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    2.252892] Bluetooth: HCI UART protocol Broadcom registered
[    2.258578] Bluetooth: HCI UART protocol QCA registered
[    2.264045] EDAC MC: ECC not enabled
[    2.269002] sdhci: Secure Digital Host Controller Interface driver
[    2.275200] sdhci: Copyright(c) Pierre Ossman
[    2.280254] Synopsys Designware Multimedia Card Interface Driver
[    2.286942] sdhci-pltfm: SDHCI platform and OF driver helper
[    2.293926] sdhci-esdhc-imx 30b40000.mmc: voltage-ranges unspecified
[    2.294103] sdhci-esdhc-imx 30b50000.mmc: voltage-ranges unspecified
[    2.295810] sdhci-esdhc-imx 30b60000.mmc: voltage-ranges unspecified
[    2.313339] ledtrig-cpu: registered to indicate activity on CPUs
[    2.320209] SMCCC: SOC_ID: ARCH_SOC_ID not implemented, skipping ....
[    2.327170] usbcore: registered new interface driver usbhid
[    2.332422] mmc2: SDHCI controller on 30b60000.mmc [30b60000.mmc] using ADMA
[    2.332717] mmc0: SDHCI controller on 30b40000.mmc [30b40000.mmc] using ADMA
[    2.332752] usbhid: USB HID core driver
[    2.356197] optee: probing for conduit method.
[    2.360669] optee: revision 3.19
[    2.362119] optee: dynamic shared memory is enabled
[    2.370651] optee: initialized driver
[    2.377534] Galcore version 6.4.3.p2.336687
[    2.412835] [drm] Initialized vivante 1.0.0 20170808 for 40000000.mix_gpu_ml on minor 0
[    2.422517] hantrodec 0 : module inserted. Major = 234
[    2.424280] mmc2: new HS400 Enhanced strobe MMC card at address 0001
[    2.428343] hantrodec 1 : module inserted. Major = 234
[    2.435542] mmcblk2: mmc2:0001 AJTD4R 14.6 GiB
[    2.440821] hantroenc: HW at base <0000000038320000> with ID <0x80006200>
[    2.444011] mmcblk2boot0: mmc2:0001 AJTD4R partition 1 4.00 MiB
[    2.450651] hx280enc: module inserted. Major <511>
[    2.456705] mmcblk2boot1: mmc2:0001 AJTD4R partition 2 4.00 MiB
[    2.464041] NET: Registered protocol family 26
[    2.467983] mmcblk2rpmb: mmc2:0001 AJTD4R partition 3 4.00 MiB, chardev (235:0)
[    2.472149] NET: Registered protocol family 10
[    2.480625]  mmcblk2: p1 p2 p3 p4
[    2.484380] Segment Routing with IPv6
[    2.490496] NET: Registered protocol family 17
[    2.495696] Bluetooth: RFCOMM TTY layer initialized
[    2.500598] Bluetooth: RFCOMM socket layer initialized
[    2.505759] Bluetooth: RFCOMM ver 1.11
[    2.509545] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    2.514870] Bluetooth: BNEP filters: protocol multicast
[    2.520110] Bluetooth: BNEP socket layer initialized
[    2.525081] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    2.531009] Bluetooth: HIDP socket layer initialized
[    2.536703] 8021q: 802.1Q VLAN Support v1.8
[    2.540917] lib80211: common routines for IEEE802.11 drivers
[    2.546718] 9pnet: Installing 9P2000 support
[    2.551023] tsn generic netlink module v1 init...
[    2.555812] Key type dns_resolver registered
[    2.561097] registered taskstats version 1
[    2.565216] Loading compiled-in X.509 certificates
[    2.572801] Key type encrypted registered
[    2.576833] AppArmor: AppArmor sha1 policy hashing enabled
[    2.604297] gpio-38 (scl): enforced open drain please flag it properly in DT/ACPI DSDT/board file
[    2.622554] nxp-pca9450 0-0025: pca9450bc probed.
[    2.627440] i2c i2c-0: IMX I2C adapter registered
[    2.632732] gpio-146 (scl): enforced open drain please flag it properly in DT/ACPI DSDT/board file
[    2.642630] pca953x 2-0020: supply vcc not found, using dummy regulator
[    2.649351] pca953x 2-0020: using no AI
[    2.662786] i2c i2c-2: IMX I2C adapter registered
[    2.668077] gpio-148 (scl): enforced open drain please flag it properly in DT/ACPI DSDT/board file
[    2.677776] i2c i2c-3: IMX I2C adapter registered
[    2.683010] gpio-156 (scl): enforced open drain please flag it properly in DT/ACPI DSDT/board file
[    2.701203] i2c i2c-5: IMX I2C adapter registered
[    2.707168] imx8mq-usb-phy 381f0040.usb-phy: supply vbus not found, using dummy regulator
[    2.715778] imx8mq-usb-phy 382f0040.usb-phy: supply vbus not found, using dummy regulator
[    2.724250] samsung-hdmi-phy 32fdff00.hdmiphy: failed to get phy apb clk: -517
[    2.749025] SoC: i.MX8MP revision 1.1
[    2.752994] imx-cpufreq-dt imx-cpufreq-dt: cpu speed grade 5 mkt segment 0 supported-hw 0x20 0x1
[    2.763716] imx-lcdifv3 32fc6000.lcd-controller: No irq get, ret=-517
[    2.771996] imx-sdma 30e10000.dma-controller: firmware found.
[    2.779754] random: fast init done
[    2.783776] spi0.0: ttySC1 at I/O 0x1 (irq = 85, base_baud = 921600) is a SC16IS752
[    2.794535] imx-dwmac 30bf0000.ethernet: IRQ eth_lpi not found
[    2.800468] imx-dwmac 30bf0000.ethernet: no reset control found
[    2.806831] imx-dwmac 30bf0000.ethernet: User ID: 0x10, Synopsys ID: 0x51
[    2.813631] imx-dwmac 30bf0000.ethernet:     DWMAC4/5
[    2.818433] imx-dwmac 30bf0000.ethernet: DMA HW capability register supported
[    2.825577] imx-dwmac 30bf0000.ethernet: RX Checksum Offload Engine supported
[    2.832716] imx-dwmac 30bf0000.ethernet: TX Checksum insertion supported
[    2.839422] imx-dwmac 30bf0000.ethernet: Wake-Up On Lan supported
[    2.845520] imx-dwmac 30bf0000.ethernet: Enable RX Mitigation via HW Watchdog Timer
[    2.853178] imx-dwmac 30bf0000.ethernet: Enabled Flow TC (entries=8)
[    2.859539] imx-dwmac 30bf0000.ethernet: Enabling HW TC (entries=256, max_off=256)
[    2.867112] imx-dwmac 30bf0000.ethernet: Using 34 bits DMA width
[    2.919548] libphy: stmmac: probed
[    2.928487] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[    2.934001] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1
[    2.941992] xhci-hcd xhci-hcd.0.auto: hcc params 0x0220fe6c hci version 0x110 quirks 0x0000002021810010
[    2.951415] xhci-hcd xhci-hcd.0.auto: irq 71, io mem 0x38200000
[    2.957425] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[    2.962919] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2
[    2.970581] xhci-hcd xhci-hcd.0.auto: Host supports USB 3.0 SuperSpeed
[    2.977759] hub 1-0:1.0: USB hub found
[    2.981531] hub 1-0:1.0: 1 port detected
[    2.985662] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[    2.994662] hub 2-0:1.0: USB hub found
[    2.998434] hub 2-0:1.0: 1 port detected
[    3.005255] sdhci-esdhc-imx 30b50000.mmc: voltage-ranges unspecified
[    3.008243] imx-drm display-subsystem: bound imx-lcdifv3-crtc.0 (ops lcdifv3_crtc_ops)
[    3.011669] sdhci-esdhc-imx 30b50000.mmc: Got CD GPIO
[    3.019823] dwhdmi-imx 32fd8000.hdmi: Detected HDMI TX controller v2.13a with HDCP (samsung_dw_hdmi_phy2)
[    3.034518] dwhdmi-imx 32fd8000.hdmi: registered DesignWare HDMI I2C bus driver
[    3.042436] imx-drm display-subsystem: bound 32fd8000.hdmi (ops dw_hdmi_imx_ops)
[    3.050342] [drm] Initialized imx-drm 1.0.0 20120507 for display-subsystem on minor 1
[    3.056551] mmc1: SDHCI controller on 30b50000.mmc [30b50000.mmc] using ADMA
[    3.058217] imx-drm display-subsystem: [drm] Cannot find any crtc or sizes
[    3.074162] imx-drm display-subsystem: [drm] Cannot find any crtc or sizes
[    3.094527] ALSA device list:
[    3.097504]   No soundcards found.
[    3.101660] Freeing unused kernel memory: 3008K
[    3.106285] Run /init as init process
[    3.121248] systemd[1]: System time before build time, advancing clock.
[    3.132263] systemd[1]: systemd 245 running in system mode. (+PAM +AUDIT +SELINUX -IMA +APPARMOR -SMACK -SYSVINIT -UTMP +LIBCRYPTSETUP -GCRYPT -GNUTLS +ACL -XZ +LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)
[    3.153932] systemd[1]: Detected architecture arm64.
[    3.158911] systemd[1]: Running in initial RAM disk.

Welcome to Linux!

[    3.203379] systemd[1]: No hostname configured.
[    3.207952] systemd[1]: Set hostname to <ubuntu>.
[    3.212746] random: systemd: uninitialized urandom read (16 bytes read)
[    3.219414] systemd[1]: Initializing machine ID from random generator.
[    3.328043] random: systemd: uninitialized urandom read (16 bytes read)
[    3.334916] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password …ts to Console Directory Watch.
[    3.359371] random: systemd: uninitialized urandom read (16 bytes read)
[    3.366080] systemd[1]: Reached target Local Encrypted Volumes.
[  OK  ] Reached target Local Encrypted Volumes.
[    3.387658] systemd[1]: Reached target Paths.
[  OK  ] Reached target Paths.
[    3.403369] systemd[1]: Reached target Slices.
[  OK  ] Reached target Slices.
[    3.419356] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[    3.435489] systemd[1]: Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[    3.460532] systemd[1]: Listening on Journal Audit Socket.
[  OK  ] Listening on Journal Audit Socket.
[    3.484202] systemd[1]: Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket (/dev/log).
[    3.507968] systemd[1]: Listening on Journal Socket.
[  OK  ] Listening on Journal Socket.
[    3.527633] systemd[1]: Listening on udev Control Socket.
[  OK  ] Listening on udev Control Socket.
[    3.547603] systemd[1]: Listening on udev Kernel Socket.
[  OK  ] Listening on udev Kernel Socket.
[    3.567420] systemd[1]: Reached target Sockets.
[  OK  ] Reached target Sockets.
[    3.586987] systemd[1]: Mounting Huge Pages File System...
         Mounting Huge Pages File System...
[    3.610526] systemd[1]: Mounting POSIX Message Queue File System...
         Mounting POSIX Message Queue File System...
[    3.634651] systemd[1]: Mounting Kernel Debug File System...
         Mounting Kernel Debug File System...
[    3.655693] systemd[1]: Condition check resulted in Kernel Trace File System being skipped.
[    3.666927] systemd[1]: Mounting Temporary Directory (/tmp)...
         Mounting Temporary Directory (/tmp)...
[    3.692694] systemd[1]: Starting Journal Service...
         Starting Journal Service...
[    3.711420] systemd[1]: Condition check resulted in Create list of static device nodes for the current kernel being skipped.
[    3.722945] systemd[1]: Condition check resulted in Boot Process Profiler being skipped.
[    3.731283] systemd[1]: Condition check resulted in Rebuild Hardware Database being skipped.
[    3.742641] systemd[1]: Starting Load Kernel Modules...
         Starting Load Kernel Modules...
[    3.761698] systemd[1]: Starting Create System Users...
         Starting Create System Users...
[    3.781722] systemd[1]: Starting udev Coldplug all Devices...
         Starting udev Coldplug all Devices...
[    3.802002] systemd[1]: Started Journal Service.
[  OK  ] Started Journal Service.
[  OK  ] Mounted Huge Pages File System.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Mounted Temporary Directory (/tmp).
[  OK  ] Finished Load Kernel Modules.
[  OK  ] Finished Create System Users.
[  OK  ] Reached target Local File Systems.
         Mounting Kernel Configuration File System...
         Starting Flush Journal to Persistent Storage...
[    3.967998] systemd-journald[239]: Received client request to flush runtime journal.
         Starting Apply Kernel Variables...
         Starting Create Static Device Nodes in /dev...
[  OK  ] Mounted Kernel Configuration File System.
[  OK  ] Finished Flush Journal to Persistent Storage.
[  OK  ] Finished Apply Kernel Variables.
[  OK  ] Finished Create Static Device Nodes in /dev.
         Starting Create Volatile Files and Directories...
         Starting udev Kernel Device Manager...
[  OK  ] Finished Create Volatile Files and Directories.
[  OK  ] Started udev Kernel Device Manager.
         Starting Rebuild Journal Catalog...
[  OK  ] Finished Rebuild Journal Catalog.
         Starting Update is Completed...
[  OK  ] Finished Update is Completed.
[  OK  ] Finished udev Coldplug all Devices.
         Starting udev Wait for Complete Device Initialization...
[  OK  ] Finished udev Wait for Complete Device Initialization.
[  OK  ] Reached target System Initialization.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Basic System.
[  OK  ] Reached target Timers.
         Starting Wait for the Ubuntu Core chooser trigger...
         Starting the-tool.service...
[    4.884968] the-tool[290]: 2023/06/06 11:51:25.766422 cmd_initramfs_mounts.go:1339: waiting up to 1m0s for label ubuntu-boot to appear
[    4.908277] the-tool[290]: 2023/06/06 11:51:25.766622 cmd_initramfs_mounts.go:1354: label "/dev/disk/by-label/ubuntu-boot" found
[  OK  ] Created slice system-systemd\x2dfsck.slice.
[  OK  ] Listening on fsck to fsckd communication Socket.
         Starting File System Check on /dev/mmcblk2p2...
[  OK  ] Started File System Check Daemon to report status.
[  OK  ] Finished File System Check on /dev/mmcblk2p2.
         Mounting /run/mnt/ubuntu-boot...
[  OK  ] Mounted /run/mnt/ubuntu-boot.
[    5.289256] the-tool[290]: 2023/06/06 11:51:26.171293 cmd_initramfs_mounts.go:1681: generating mounts for Ubuntu Core system, run mode
         Starting File System Check on /dev/mmcblk2p1...
[  OK  ] Finished File System Check on /dev/mmcblk2p1.
         Mounting /run/mnt/ubuntu-seed...
[    5.620358] EXT4-fs (mmcblk2p1): mounted filesystem with ordered data mode. Opts: (null)
[  OK  ] Mounted /run/mnt/ubuntu-seed.
         Starting /usr/sbin/fde-reveal-key...
M/TA: FDE cmd_id = 0x2
[  OK  ] Started /usr/sbin/fde-reveal-key.
[    6.323305] device-mapper: table: 253:0: crypt: unknown target type
[    6.329735] device-mapper: ioctl: error adding target to table
Please enter the recovery key for disk /dev/disk/by-partuuid/a730c89f-04:
Please enter the recovery key for disk /dev/disk/by-partuuid/a730c89f-04:
Please enter the recovery key for disk /dev/disk/by-partuuid/a730c89f-04:
         Starting /usr/sbin/fde-reveal-key...
M/TA: FDE cmd_id = 0x3
[  OK  ] Started /usr/sbin/fde-reveal-key.
[   18.724195] the-tool[290]: 2023/06/06 11:51:39.605413 main.go:63: execution error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[FAILED] Failed to start the-tool.service.
See 'systemctl status the-tool.service' for details.
[   18.748892] the-tool[290]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
[  OK  ] Stopped target Local Encrypted Volumes.
[  OK  ] Stopped target Login Prompts (Pre).
[   18.796559] the-tool[290]: -----
[  OK  ] Stopped target Paths.
[  OK  ] Stopped target Slices.
[  OK  ] Stopped target Sockets.
[  OK  ] Stopped target Timers.
[   18.832886] the-tool[290]: WARNING: Locking directory /run/cryptsetup is missing!
[   18.896546] the-tool[290]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/a730c89f-04.
[  OK  ] Closed initctl Compatibility Named Pipe.
[   18.896797] the-tool[290]: device-mapper: reload ioctl on   failed: Invalid argument
[   18.940603] the-tool[290]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
         Stopping Dispatch Password Requests to Console...
         Stopping File System Check Daemon to report status...
[   18.940920] the-tool[290]: Too many attempts to activate; giving up.
[   18.988600] the-tool[290]: -----
[  OK  ] Stopped Apply Kernel Variables.
[  OK  ] Stopped Load Kernel Modules.
[   18.988902] the-tool[290]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[   19.036562] the-tool[290]: error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[   19.056517] the-tool[290]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
[   19.080514] the-tool[290]: -----
[   19.092779] the-tool[290]: WARNING: Locking directory /run/cryptsetup is missing!
[   19.108175] the-tool[290]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/a730c89f-04.
[   19.128514] the-tool[290]: device-mapper: reload ioctl on   failed: Invalid argument
[   19.144185] the-tool[290]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[   19.160183] the-tool[290]: Too many attempts to activate; giving up.
[   19.176178] the-tool[290]: -----
[   19.188180] the-tool[290]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters

U-Boot log:

U-Boot SPL 2022.04 (Jun 05 2023 - 09:21:01 +0000)
SEC0:  RNG instantiated
Normal Boot
Trying to boot from BOOTROM
Boot Stage: Primary boot
image offset 0x8000, pagesize 0x200, ivt offset 0x0
Failed to find node!, err: -1!
Failed to find node!, err: -1!
NOTICE:  BL31: v2.6(release):
NOTICE:  BL31: Built : 09:21:49, Jun  5 2023


U-Boot 2022.04 (Jun 05 2023 - 09:21:01 +0000)

CPU:   i.MX8MP[8] rev1.1 1800 MHz (running at 1200 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 36C
Reset cause: POR
Model: Variscite VAR-SOM-MX8M-PLUS on Symphony-board
DRAM:  4 GiB
PTN5150: Vendor ID [0x3], Version ID [0x1], Addr [I2C2 0x3d]
Core:  174 devices, 22 uclasses, devicetree: separate
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from nowhere... OK
In:    serial
Out:   serial
Err:   serial
SEC0:  RNG instantiated

 BuildInfo:
  - ATF


Part number: VSM-MX8MP-303
Production date: 2023 Jan 11
flash target is MMC:2
Net:   Could not get PHY for FEC1: addr 5
Could not get PHY for FEC1: addr 5
No ethernet found.

Fastboot: Normal
Normal Boot
Hit any key to stop autoboot:  0
Loading core state...
Kernel boot-log, blah, blah...

ondra · June 9, 2023, 11:53pm

I am building natively on arm64, but also as reference cross building on amd64. Otherwise it’s just standard lxd container.

Can you tell me why are you using my “PoC” commit? This is branch where I am experimenting with future snap-bootstrap features, it’s definitely not something I would recommend for production. You also seem to be using kernel 5.10 which I do not remember ever to support or test…

What is your target hw? I am quire curious, because it seems like you are using i.MX8 plus you require FDE. This does not seems like some smart home DIY project Your kernel cmd line has even fde_helper=enabled which something I developed for very specific scenario. What is your deployment/update strategy?

cheers Ondra

ruhan.vanderberg · June 10, 2023, 7:37am

Hello there.

Apologies if I sounded intrusive by looking through your commits, but the company I work for, gifted me a devkit, a Variscite IMX8MP SoM devkit, which rarely happens.

I set a personal challenge to make it run Core20, and googled, looked through a few snapcraft yaml commits as a template to start from, and I came across your Github repo, and saw some extra lines that appeared to be implementing FDE, and I sought to do the same on my side.

I had some extra time on my hands, and was eagerly trying to get Core20 running. I can boot Core20 on my devkit without the Full Disk Encryption hooks.

The plan is actually a smart home devkit, which has some very sensitive secrets which I like to keep a secret, so no production use-case, really.

I just saw your PoC commit, and was just thinking that I missed something, given that something was not working, so just an experiment. Same result, unfortunately.

Very early on, I saw the fde-helper line you added to the imx-uboot code, and since my code was not working, I thought that maybe that I missed something, and added it into my u-boot bootloader commandline, and since not touched it anymore.

For my deployment/update strategy, I just build the snaps on a AMD64 machine, and then build a image with a model, and flash that image to a SDCard, pop it into the devkit, and boot it. I plan to move this whole implementation to the eMMC, when everything is working, then I can reuse my Sdcard for other devkits

It appears that I need to start over again with FDE, since there’s so many variables in there.

I will try to build an older kernel, but I thought that 5.10 would be supported by Ubuntu Core, but appears not to be the case?

Early last year, I built Core18 for a Raspberry Pi 2W, so I made a AppArmor patch for 5.10, which was the fastest/most convenient to use at this time, supported by the Pi foundation, and was the fastest to start off with that devkit of mine, since they had a 5.10 kernel.

Patch: https://github.com/RuhanSA079/UbuntuCore-5.10-kernelpatch (Feel free to use it if you like)