Hello there,
I am debugging why my encrypted volumes are not being decrypted, with dm-mapper bugging out at boot trying to decrypt the disk:
[ 7.294007] random: systemd-cryptse: uninitialized urandom read (4 bytes read)
[ 7.391692] device-mapper: table: 253:0: crypt: unknown target type
[ 7.399494] device-mapper: ioctl: error adding target to table
[ 71.652114] random: crng init donek /dev/disk/by-partuuid/f87930c6-04: (press TAB for no echo)
When I mount my SD card on a Linux box, it seems that the LUKS information cannot be read properly?
Hexdumping the first 512 bytes of said partition yields:
Is this correct? The installer does report that it is creating the volumes here, not sure if done properly.
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 1...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 2...
May 15 10:27:56 ubuntu snapd[1501]: patch.go:64: Patching system state level 6 to sublevel 3...
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:247: started snapd/2.59.2 (series 16) ubuntu-core/20 (arm64) linux/5.15.71-gaaf0bc0caeea-dir.
May 15 10:27:56 ubuntu snapd[1501]: daemon.go:340: adjusting startup timeout by 35s (pessimistic estimate of 30s plus 5s per snap)
May 15 10:27:56 ubuntu snapd[1501]: backends.go:58: AppArmor status: apparmor is enabled and all features are available
May 15 10:27:56 ubuntu systemd[1]: Started Snap Daemon.
May 15 10:27:57 ubuntu snapd[1501]: devicestate.go:194: installing unasserted kernel mydevboard-kernel"
May 15 10:28:01 ubuntu snapd[1501]: devicestate.go:194: installing unasserted gadget mydevboard-gadget"
May 15 10:28:04 ubuntu snapd[1501]: picfg.go:170: ignoring pi-config settings: configuration cannot be applied: unsupported system mode
[ 43.823368] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.8ad1b0ba-bb2d-4fd4-a785-369f9bac43c7.scope: Succeeded.
[ 43.825670] snapd[1501]: handlers_install.go:368: create and deploy partitions
[ 43.825936] snapd[1501]: install.go:222: installing a new system
[ 43.826129] snapd[1501]: install.go:223: gadget data from: /snap/mydevboard-gadget/x1
[ 43.826337] snapd[1501]: install.go:224: encryption: cryptsetup
May 15 10:28:08 ubuntu snapd[1501]: handlers_install.go:368: create and deploy partitions
May 15 10:28:08 ubuntu snapd[1501]: install.go:222: installing a new system
May 15 10:28:08 ubuntu snapd[1501]: install.go:223: gadget data from: /snap/mydevboard-gadget/x1
May 15 10:28:08 ubuntu snapd[1501]: install.go:224: encryption: cryptsetup
[ 44.560859] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
May 15 10:28:08 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p2 for structure #2 ("ubuntu-boot") (size 500 MiB) with role system-boot
[ 45.525285] systemd[1]: run-snapd-gadget\x2dinstall-dev\x2dmmcblk1p2.mount: Succeeded.
[ 45.534614] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
[ 45.534925] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
May 15 10:28:09 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p3 for structure #3 ("ubuntu-save") (size 16 MiB) with role system-save
May 15 10:28:09 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p3
[ 47.399574] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
May 15 10:28:11 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-save
[ 47.597492] snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
[ 47.597688] snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
May 15 10:28:11 ubuntu snapd[1501]: install.go:324: created new partition /dev/mmcblk1p4 for structure #4 ("ubuntu-data") (size 28.45 GiB) with role system-data
May 15 10:28:11 ubuntu snapd[1501]: install.go:127: encrypting partition device /dev/mmcblk1p4
[ 49.456532] snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
May 15 10:28:13 ubuntu snapd[1501]: install.go:155: encrypted filesystem device /dev/mapper/ubuntu-data
[ 56.659209] snapd[1501]: handlers_install.go:390: make system runnable
May 15 10:28:20 ubuntu snapd[1501]: handlers_install.go:390: make system runnable
[ 70.986187] systemd[1]: systemd-hostnamed.service: Succeeded.
[ 71.313528] systemd[1]: systemd-timedated.service: Succeeded.
[ 83.439146] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope.
M/TA: FDE cmd_id = 0x1
[ 84.018359] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.15d8d3cc-4a40-49f9-89fe-33219a0cde9b.scope: Succeeded.
[ 84.107434] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope.
M/TA: FDE cmd_id = 0x1
[ 84.706270] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.fb231ab8-5c29-4031-b4fc-b8e7417fc796.scope: Succeeded.
[ 84.798137] systemd[1]: Started snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope.
M/TA: FDE cmd_id = 0x1
[ 85.388602] systemd[1]: snap.mydevboard-kernel.hook.fde-setup.3f6fd166-cc7b-41b0-9f04-552500f72a68.scope: Succeeded.
This is on an SD card, to be later done on an eMMC device. @ondra Does this look OK to you? Sorry to tag you on this, I’m trying to figure out what's wrong and how I can fix it, been bothering me all week last week.
EDIT: To add more detail, it seems that the cipher aes, mode xts-plain64 is used, but the filesystem is mapped as a SHA256 encrypted container? Got this log here below, after mashing the “Return/Enter” key a few times.
[ 67.692719] the-tool[287]: 2023/05/15 15:02:50.929906 main.go:63: execution error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[FAILED] Failed to start the-tool.service.
[ 67.717066] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
See 'systemctl status the-tool.service' for details.
[ 67.732351] the-tool[287]: -----
[ OK ] Stopped target Local Encrypted Volumes.
[ OK ] Stopped target Login Prompts (Pre).
[ 67.772629] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[ 67.812559] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[ 67.832186] the-tool[287]: device-mapper: reload ioctl on failed: Invalid argument
[ 67.848177] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[ 67.864161] the-tool[287]: Too many attempts to activate; giving up.
[ 67.880158] the-tool[287]: -----
[ 67.892768] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[ 67.916517] the-tool[287]: error: cannot unlock encrypted partition: cannot activate with platform protected keys:
[ 67.936172] the-tool[287]: - /run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key: cannot activate volume: systemd-cryptsetup failed with:
[ 67.960488] the-tool[287]: -----
[ 67.972175] the-tool[287]: WARNING: Locking directory /run/cryptsetup is missing!
[ 67.988188] the-tool[287]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-partuuid/3bbf9ef1-04.
[ 68.008179] the-tool[287]: device-mapper: reload ioctl on failed: Invalid argument
[ 68.024174] the-tool[287]: Failed to activate with key file '/dev/stdin'. (Key file missing?)
[ 68.040163] the-tool[287]: Too many attempts to activate; giving up.
[ 68.056163] the-tool[287]: -----
[ 68.068163] the-tool[287]: and activation with recovery key failed: cannot decode recovery key: incorrectly formatted: insufficient characters
[ OK ] Stopped target Paths.
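Added example, not part of the original post and not snapd's code: a check of the first 512 bytes of a partition against the LUKS1/LUKS2 on-disk binary header layout, plus a test for the `crypt: unknown target type` kernel message, which device-mapper emits when no `crypt` target is registered in the running kernel (dm-crypt not built in or not loaded). The sample sector, its label and its UUID are constructed placeholders; in a LUKS2 header the string at offset 72 names the header checksum algorithm, not the volume cipher.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # primary header magic, LUKS1 and LUKS2

def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks_header(sector):
    """Parse the first 512 bytes of a partition; return None if not LUKS."""
    if len(sector) < 512 or sector[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack_from(">H", sector, 6)
    info = {"version": version, "uuid": _cstr(sector[168:208])}
    if version == 1:
        info["cipher"] = _cstr(sector[8:40]) + "-" + _cstr(sector[40:72])
        info["hash_spec"] = _cstr(sector[72:104])
        (info["key_bytes"],) = struct.unpack_from(">I", sector, 108)
    elif version == 2:
        # LUKS2 keeps cipher and key size in the JSON area after this binary
        # header; the string at offset 72 only names the header checksum.
        (info["hdr_size"],) = struct.unpack_from(">Q", sector, 8)
        info["label"] = _cstr(sector[24:72])
        info["header_checksum_alg"] = _cstr(sector[72:104])
    return info

def dm_crypt_target_missing(log_lines):
    """True if the kernel rejected a table because 'crypt' is not registered."""
    return any("crypt: unknown target type" in line for line in log_lines)

def _constructed_luks2_sector():
    """Constructed sample header (not the poster's data)."""
    buf = bytearray(512)
    buf[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", buf, 6, 2, 16384, 3)   # version, hdr_size, seqid
    label = b"constructed-label"                     # placeholder label
    buf[24:24 + len(label)] = label
    buf[72:72 + 6] = b"sha256"
    uuid = b"00000000-0000-4000-8000-000000000001"   # placeholder UUID
    buf[168:168 + len(uuid)] = uuid
    return bytes(buf)

if __name__ == "__main__":
    print(parse_luks_header(_constructed_luks2_sector()))
    print(parse_luks_header(bytes(512)))             # zeroed sector is not LUKS
    print(dm_crypt_target_missing(
        ["device-mapper: table: 253:0: crypt: unknown target type"]))
```

To run it against a real device, pass it the first 512 bytes read from the partition, for example `open("/dev/mmcblk1p4", "rb").read(512)` with root privileges.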