Is Core20's OP-TEE FDE broken?

Hello there,

I am debugging why my encrypted volumes are not being decrypted, with dm-mapper bugging out at boot trying to decrypt the disk:

[    7.294007] random: systemd-cryptse: uninitialized urandom read (4 bytes read)
[    7.391692] device-mapper: table: 253:0: crypt: unknown target type
[    7.399494] device-mapper: ioctl: error adding target to table
[   71.652114] random: crng init donek /dev/disk/by-partuuid/f87930c6-04: (press TAB for no echo)

When I mount my SD card on a Linux box, it seems that the LUKS information cannot be read properly?

Hexdumping the first 512 bytes of said partition yields: [image]

Is this correct? The installer does report that it is creating the volumes here, not sure if it was done properly.

May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 1...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 2...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 3...
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:247: started snapd/2.59.2 (series 16) ubuntu-core/20 (arm64) linux/5.15.71-gaaf0bc0caeea-dir.
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:340: adjusting startup timeout by 35s (pessimistic estimate of 30s plus 5s per snap)
May 15 10:27:56 ubuntu snapd[1501]: backends.go:58: AppArmor status: apparmor is enabled and all features are available
May 15 10:27:56 ubuntu systemd[1]: Started Snap Daemon.
May 15 10:27:57 ubuntu snapd[1501]: devicestate.go:194: installing unasserted kernel mydevboard-kernel"
May 15 10:28:01 ubuntu snapd[1501]: devicestate.go:194: installing unasserted gadget mydevboard-gadget"
May 15 10:28:04 ubuntu snapd[1501]: picfg.go:170: ignoring pi-config settings: configuration cannot be applied: unsupported system mode
[   43.823368] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.8ad1b0ba-bb2d-4fd4-a785-369f9bac43c7.scope: Succeeded.
[   43.825670] snapd[1501]: handlers_install.go:368: create and deploy partitions
[   43.825936] snapd[1501]: install.go:222: installing a new system
[   43.826129] snapd[1501]: install.go:223:         gadget data from: /snap/mydevboard-gadget/x1
[   43.826337] snapd[1501]: install.go:224:         encryption: cryptsetup
May 15 10:28:08 ubuntu snapd[1501]: handlers_install.go:368: create and deploy partitions
May 15 10:28:08 ubuntu snapd[1501]: install.go:222: installing a new system
May 15 10:28:08 ubuntu snapd[1501]: install.go:223:         gadget data from: /snap/mydevboard-gadget/x1
May 15 10:28:08 ubuntu snapd[1501]: install.go:224:         encryption: cryptsetup
[   44.560859] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
May 15 10:28:08 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
[   45.525285] systemd[1]: run-snapd-gadget\x2dinstall-dev\x2dmmcblk1p2.mount: Succeeded.
[   45.534614] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
[   45.534925] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
May 15 10:28:09 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
May 15 10:28:09 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
[   47.399574] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
May 15 10:28:11 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
[   47.597492] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
[   47.597688] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
May 15 10:28:11 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
May 15 10:28:11 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
[   49.456532] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
May 15 10:28:13 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
[   56.659209] snapd[1501]: handlers_install.go:390: make system runnable
May 15 10:28:20 ubuntu snapd[1501]: handlers_install.go:390: make system runnable
[   70.986187] systemd[1]: systemd-hostnamed.service: Succeeded.
[   71.313528] systemd[1]: systemd-timedated.service: Succeeded.
[   83.439146] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope.
M/TA: FDE cmd_id = 0x1
[   84.018359] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope: Succeeded.
[   84.107434] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope.
M/TA: FDE cmd_id = 0x1
[   84.706270] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope: Succeeded.
[   84.798137] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope.
M/TA: FDE cmd_id = 0x1
[   85.388602] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope: Succeeded.

This is on an SD card, to be later done on an eMMC device. @ondra Does this look OK to you? Sorry to tag you on this, I’m trying to figure out what’s wrong and how I can fix it, it has been bothering me all week last week.

EDIT: To add more detail, it seems that the cipher aes, mode xts-plain64 is used, but the filesystem is mapped as a SHA256-encrypted container? Got this log below, after mashing the “Return/Enter” key a few times.

[   67.692719] the-tool[287]: 2023/05/15 15:02:50.929906 main.go:63: execution error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[FAILED] Failed to start the-tool.service.
[   67.717066] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
See 'systemctl status the-tool.service' for details.
[   67.732351] the-tool[287]: -----
[  OK  ] Stopped target Local Encrypted Volumes.
[  OK  ] Stopped target Login Prompts (Pre).
[   67.772629] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[   67.812559] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[   67.832186] the-tool[287]: device-mapper: reload ioctl on   failed: Invalid argument
[   67.848177] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[   67.864161] the-tool[287]: Too many attempts to activate; giving up.
[   67.880158] the-tool[287]: -----
[   67.892768] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[   67.916517] the-tool[287]: error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[   67.936172] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
[   67.960488] the-tool[287]: -----
[   67.972175] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[   67.988188] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[   68.008179] the-tool[287]: device-mapper: reload ioctl on   failed: Invalid argument
[   68.024174] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[   68.040163] the-tool[287]: Too many attempts to activate; giving up.
[   68.056163] the-tool[287]: -----
[   68.068163] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[  OK  ] Stopped target Paths.

For more information:

I’m using Core20’s latest ubuntu-core-initrd deb package here (51.7-arm64): https://launchpad.net/~snappy-dev/+archive/ubuntu/image/+packages?field.name_filter=ubuntu-core-initramfs&field.status_filter=&field.series_filter=focal

Latest stable snapd version (as of 16-05-2023) and a 5.15.71 kernel, patched with some Ubuntu Core specific AppArmor patches found here: https://github.com/RuhanSA079/UbuntuCore-5.15.y-kernelpatch/

@ogra Do you know if there’s someone else working on this, or is Ondra the only guy that can assist in this matter? I am testing this on a Variscite IMX8MP VAR-SOM devkit, with the Symphony base-board. BR
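When checking a hexdump of the first sector like the one asked about above, two things are worth knowing. A LUKS2 binary header carries the string "sha256" at byte offset 72, but that field is the header checksum algorithm, not the data cipher; the cipher and key slots live in the JSON metadata area that follows the 4 KiB binary header, so "sha256" in the first 512 bytes does not mean the container is "SHA256 encrypted". Separately, the `device-mapper: table: 253:0: crypt: unknown target type` message comes from the kernel when no dm-crypt target is registered (dm_crypt not built in and not loaded in the initrd); that is independent of what is on disk, so the header can be perfectly fine and activation still fails. The script below is an added example, not code from the post, snapd or cryptsetup: it parses the first 512 bytes of a partition image and reports what the LUKS1 or LUKS2 binary header says. The two sample headers, their UUIDs and the salt/checksum bytes are constructed for the demo.

```python
import struct

# Constructed sample data and a parser for the LUKS binary header; not from the forum post.
LUKS_MAGIC = b"LUKS\xba\xbe"   # bytes 4c 55 4b 53 ba be open every LUKS1 and LUKS2 header


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")


def _field(value: str, width: int) -> bytes:
    """Encode a string into a NUL-padded field of the given width (sample construction only)."""
    return value.encode("ascii").ljust(width, b"\x00")


def read_first_sector(path: str) -> bytes:
    """Read the first 512 bytes of a partition image or block device (e.g. a dd copy)."""
    with open(path, "rb") as f:
        return f.read(512)


def parse_luks_header(sector: bytes) -> dict:
    """Describe the first 512 bytes of a partition as a LUKS1 or LUKS2 binary header.

    Offsets follow the LUKS1 on-disk format and the LUKS2 binary header layout
    (all integers big-endian). For LUKS2 the cipher is not in the binary header;
    only the header checksum algorithm (normally 'sha256') is visible here.
    """
    if len(sector) < 512:
        raise ValueError("need at least the first 512 bytes")
    if sector[:6] != LUKS_MAGIC:
        return {"kind": "none", "first_bytes": sector[:6].hex()}
    version = struct.unpack_from(">H", sector, 6)[0]
    if version == 1:
        payload_offset, key_bytes = struct.unpack_from(">II", sector, 104)
        return {
            "kind": "luks1",
            "cipher": _cstr(sector[8:40]),          # e.g. aes
            "mode": _cstr(sector[40:72]),           # e.g. xts-plain64
            "hash": _cstr(sector[72:104]),          # PBKDF2 hash, e.g. sha256
            "payload_offset_sectors": payload_offset,
            "key_bytes": key_bytes,                 # 64 bytes = 512-bit XTS key
            "uuid": _cstr(sector[168:208]),
        }
    if version == 2:
        hdr_size, seqid = struct.unpack_from(">QQ", sector, 8)
        return {
            "kind": "luks2",
            "hdr_size": hdr_size,                   # binary header + JSON area, in bytes
            "seqid": seqid,
            "label": _cstr(sector[24:72]),
            "checksum_alg": _cstr(sector[72:104]),  # header checksum, NOT the data cipher
            "uuid": _cstr(sector[168:208]),
            "cipher": "not in binary header; read the JSON area (cryptsetup luksDump)",
        }
    return {"kind": "unknown", "version": version}


def sample_luks2_sector() -> bytes:
    """Constructed LUKS2 primary binary header; every value is made up for the demo."""
    hdr = (
        LUKS_MAGIC
        + struct.pack(">H", 2)                          # version
        + struct.pack(">QQ", 16384, 3)                  # hdr_size, seqid
        + _field("ubuntu-data", 48)                     # label
        + _field("sha256", 32)                          # checksum_alg
        + b"\x11" * 64                                  # salt (constructed)
        + _field("00000000-0000-0000-0000-000000000000", 40)  # uuid placeholder
        + _field("", 48)                                # subsystem
        + struct.pack(">Q", 0)                          # hdr_offset (primary header)
        + b"\x00" * 184                                 # padding
        + b"\x22" * 64                                  # csum (constructed)
    )
    return hdr


def sample_luks1_sector() -> bytes:
    """Constructed LUKS1 header; every value is made up for the demo."""
    hdr = (
        LUKS_MAGIC
        + struct.pack(">H", 1)
        + _field("aes", 32) + _field("xts-plain64", 32) + _field("sha256", 32)
        + struct.pack(">II", 4096, 64)                  # payload offset (sectors), key bytes
        + b"\x33" * 20 + b"\x44" * 32                   # mk digest, mk digest salt (constructed)
        + struct.pack(">I", 1000)                       # mk digest iterations
        + _field("11111111-1111-1111-1111-111111111111", 40)  # uuid placeholder
    )
    return hdr.ljust(512, b"\x00")


if __name__ == "__main__":
    for name, sector in (("luks2 sample", sample_luks2_sector()),
                         ("luks1 sample", sample_luks1_sector()),
                         ("blank sector", b"\x00" * 512)):
        print(name, parse_luks_header(sector))
```

To run it against a real partition, pass the output of `read_first_sector("/path/to/partition.img")` to `parse_luks_header`; a `kind` of `none` means no LUKS magic is at offset 0, which would point at the header having been written elsewhere or overwritten, while `luks2` with a sane `hdr_size` means the on-disk side looks normal and the `unknown target type` error should be chased in the initrd kernel modules instead.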

I fear @ondra is the expert here …
