[yocto] Integrity checking fails with Atmel SHA hw accelerator enabled

Mircea Gliga mircea.gliga at vitheia.com
Wed Feb 21 00:25:51 PST 2018


Hi

I'm having some trouble using dm-verity for a squashfs root file system 
that seems to be related to the
Atmel SHA hw accelerator in the kernel, CONFIG_CRYPTO_DEV_ATMEL_SHA.

Some info about my setup:
* I'm using a board with a SAMA5D4 CPU.
* I'm using Yocto rocko for building an image for that device.

The idea is that, using the 4.14.14 kernel, integrity checking using 
kernel crypto fails with the Atmel SHA hw accelerator enabled in the kernel.
By disabling it, `CONFIG_CRYPTO_DEV_ATMEL_SHA=n`, and using the software 
sha256 algo, integrity checking works as expected.
This is my kernel config: 
https://gist.githubusercontent.com/gmircea/6e1cc029ef5ed7a16b0fedb8b9524f66/raw/eece8a8faadd2de9373e150ef1daf3cf25f4135c/.config

Using the 4.8.4 kernel with the Atmel SHA hw accelerator enabled, everything 
was ok.

So it looks like the new commits, from 4.8.4 to 4.14.14, on atmel-sha.c 
(or at least I assume that may be a possible source of the problem) 
change the behavior and break our use case:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.8.4

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/drivers/crypto/atmel-sha.c?h=v4.14.14

This is what triggers the error during verified boot:

     status=`veritysetup create vroot $root_dev $verity_dev --hash-offset $hashoffset $root_hash`

     mount /dev/mapper/vroot /mnt/
     mount_ok=`cat /proc/mounts | grep mnt`
     if [ -z "$mount_ok" ] ; then
         echo "Failed to mount $root_dev on mnt/"
     else
         echo "Switch rootfs"
         exec switch_root -c /dev/console /mnt /sbin/init
     fi

The mount operation fails:

device-mapper: verity: 179:4: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:4: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:4: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:4: metadata block 2 is corrupted
SQUASHFS error: squashfs_read_data failed to read block 0x0
squashfs: SQUASHFS error: unable to read squashfs_super_block
device-mapper: verity: 179:4: metadata block 2 is corrupted
FAT-fs (dm-0): unable to read boot sector
mount: mounting /dev/mapper/vroot on /mnt/ failed: Input/output error
Failed to mount /dev/mmcblk0p4 on mnt/
Smartcom initramfs init failed
reboot: Restarting system
Reboot failed -- System halted

Using veritysetup to verify the integrity against the hashes is 
successful, as it's not using the kernel for that ...

Any help is appreciated!

Thanks in advance and have a nice day.

Mircea
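
The post observes that userspace verification with veritysetup passes while the kernel path fails. As an added example (not part of the original post), this sketch compares the kernel's SHA-256, reached through the AF_ALG socket interface, with a userspace digest, and lists which /proc/crypto drivers provide sha256. It assumes Python 3 built with AF_ALG support on the target; the function names and the sample excerpt are constructed for illustration.

```python
import hashlib
import socket

# Constructed /proc/crypto excerpt; the hardware driver name and both
# priorities are placeholders, not values from the reporter's board.
SAMPLE_PROC_CRYPTO = """\
name         : sha256
driver       : sha256-generic
priority     : 100

name         : sha256
driver       : example-hw-sha256
priority     : 300
"""

def sha256_providers(proc_crypto_text):
    """Return (driver, priority) for every sha256 entry, highest priority first."""
    found = []
    for stanza in proc_crypto_text.strip().split("\n\n"):
        fields = {k.strip(): v.strip() for k, v in
                  (ln.split(":", 1) for ln in stanza.splitlines() if ":" in ln)}
        if fields.get("name") == "sha256":
            found.append((fields["driver"], int(fields["priority"])))
    return sorted(found, key=lambda p: -p[1])

def kernel_sha256(data, chunk=4096):
    """Hash non-empty data with the kernel crypto API, chunk bytes per send."""
    with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as alg:
        alg.bind(("hash", "sha256"))  # kernel resolves the name by priority
        op, _ = alg.accept()
        with op:
            parts = [data[i:i + chunk] for i in range(0, len(data), chunk)]
            for part in parts[:-1]:
                op.sendall(part, socket.MSG_MORE)  # more data follows
            op.sendall(parts[-1])                  # last chunk finalizes
            return op.recv(32)

def find_mismatches(lengths=(1, 55, 56, 64, 4095, 4096, 4097, 65536)):
    """Return the input lengths where the kernel digest differs from hashlib."""
    bad = []
    for n in lengths:
        data = bytes(i % 251 for i in range(n))  # deterministic test pattern
        if kernel_sha256(data) != hashlib.sha256(data).digest():
            bad.append(n)
    return bad

if __name__ == "__main__":
    with open("/proc/crypto") as f:
        print("sha256 providers:", sha256_providers(f.read()))
    print("mismatching lengths:", find_mismatches() or "none")
```

A non-empty list of mismatching lengths points at the kernel's sha256 provider rather than at the image or its hash tree.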
