cryptsetup cannot initialize the crypto backend in initramfs

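I am using an embedded Linux device and am trying to open an encrypted squashfs for the rootfs.

The image is created on the host (build agent), and I can open it and use its contents there, so I can confirm that the image is correct. When I try to open the image in the initramfs of the embedded Linux, I get the following error: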

root# cryptsetup open ./rootfs.sqfs.img rootfs

# cryptsetup 2.5.0 processing "/usr/sbin/cryptsetup --debug open ./rootfs.sqfs.img rootfs"
# Verifying parameters for command open.
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device ./rootfs.sqfs.img.
# Trying to open and read device ./rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device ./rootfs.sqfs.img.
Cannot initialize crypto backend.
Device ./rootfs.sqfs.img is not a valid LUKS device.
# Releasing crypt device ./rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Unlocking memory.

Some online searching suggests that this error is caused by missing kernel modules, but all of the modules are listed. The following crypto modules are enabled:

CONFIG_CRYPTO_SHA1_ARM=y
CONFIG_CRYPTO_SHA256_ARM=y
CONFIG_CRYPTO_SHA512_ARM=y
CONFIG_CRYPTO_AES_ARM=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_KPP=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_ATMEL_AES=y
CONFIG_CRYPTO_DEV_ATMEL_TDES=y

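My kernel also has device mapper support (dm_crypt). All options are built into the kernel, so there should be no problem with unloaded modules.

Cryptsetup version 2.5.0 is installed on the embedded Linux system. Version 2.2.2 is installed on the host. The embedded Linux runs kernel 4.19.231.

What am I missing for cryptsetup to map /dev/mapper/rootfs?

Edit:

I thought I was using the kernel backend, and I do not know how to check that on the embedded Linux system.

When run on the host, it seems to use openssl (see below). My initramfs does not include openssl, so it could be a problem if it tries to use openssl instead of the kernel.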

# cryptsetup 2.2.2 processing "cryptsetup --debug open rootfs.sqfs.img rootfs"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device rootfs.sqfs.img.
# Trying to open and read device rootfs.sqfs.img with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device rootfs.sqfs.img.
# Crypto backend (OpenSSL 1.1.1f  31 Mar 2020) initialized in cryptsetup library version 2.2.2.
# Detected kernel Linux 5.15.0-58-generic x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device rootfs.sqfs.img
# Veryfing locked device handle (regular file)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (on-disk)
# Checksum:a69c54af714a6d46ac5a514399ebe367012a233d742d2f2913a7b5979ae70441 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device rootfs.sqfs.img
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (on-disk)
# Checksum:d1a6fae45d92dd47f5a99e11e6d157bc6ba0140fc2bd62ebc1fb9dad0414f0ff (in-memory)
# Device size 68157440, offset 16777216.
# Device rootfs.sqfs.img READ lock released.
# PBKDF argon2i, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# Activating volume rootfs using token -1.
# Interactive passphrase entry requested.
Enter passphrase for rootfs.sqfs.img: 
# Activating volume rootfs [keyslot -1] using passphrase.
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status rootfs  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Reading keyslot area [0x8000].
# Acquiring read lock for device rootfs.sqfs.img.
# Verifying lock handle for rootfs.sqfs.img.
# Device rootfs.sqfs.img READ lock taken.
# Reusing open ro fd on device rootfs.sqfs.img
# Device rootfs.sqfs.img READ lock released.
# Verifying key from keyslot 0, digest 0.
# Loading key (64 bytes, type logon) in thread keyring.
# dm versions   [ opencount flush ]   [16384] (*1)
# dm status rootfs  [ opencount noflush ]   [16384] (*1)
# Allocating a free loop device.
# Trying to open and read device /dev/loop27 with direct-io.
# Calculated device size is 100352 sectors (RW), offset 32768.
# DM-UUID is CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs
# Udev cookie 0xd4da08f (semid 32788) created
# Udev cookie 0xd4da08f (semid 32788) incremented to 1
# Udev cookie 0xd4da08f (semid 32788) incremented to 2
# Udev cookie 0xd4da08f (semid 32788) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK         (0x20)
# dm create rootfs CRYPT-LUKS2-606147e882c040c3ae6c7a346a4f5b43-rootfs [ opencount flush ]   [16384] (*1)
# dm reload rootfs  [ opencount flush securedata ]   [16384] (*1)
# dm resume rootfs  [ opencount flush securedata ]   [16384] (*1)
# rootfs: Stacking NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4da08f (semid 32788) decremented to 1
# Udev cookie 0xd4da08f (semid 32788) waiting for zero
# Udev cookie 0xd4da08f (semid 32788) destroyed
# rootfs: Skipping NODE_ADD (253,2) 0:6 0660 [trust_udev]
# rootfs: Processing NODE_READ_AHEAD 256 (flags=1)
# rootfs (253:2): read ahead is 256
# rootfs: retaining kernel read ahead of 256 (requested 256)
Key slot 0 unlocked.
# Releasing crypt device rootfs.sqfs.img context.
# Releasing device-mapper backend.
# Closing read only fd for rootfs.sqfs.img.
# Closed loop /dev/loop27 (rootfs.sqfs.img).
# Unlocking memory.
Command successful.

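[Solved]

My problem was caused by using musl-libc, with glibc being required for lvm2. After switching to glibc, cryptsetup was able to load the correct backend.

Answer 1

My problem was caused by using musl-libc, with glibc being required for lvm2. After switching to glibc, cryptsetup can load the correct backend for cryptsetup.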
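A check for the libc mix the answer describes, as an added example that is not part of the original post: it reads the PT_INTERP entry of every ELF executable in an unpacked initramfs tree on the build host and groups the files by libc family, so more than one family in the result points at a mixed image. The file names and the `fake_elf32` sample builder are constructed for the example; the family is inferred from the loader name (`ld-musl-*` for musl, `ld-linux*` for glibc).

```python
import struct
import tempfile
from pathlib import Path

PT_INTERP = 3
# ELF class -> (word format, offsets of e_phoff, e_phentsize, p_offset, p_filesz)
LAYOUT = {1: ("I", 28, 42, 4, 16), 2: ("Q", 32, 54, 8, 32)}

def elf_interp(path):
    """Return the dynamic loader path (PT_INTERP) of an ELF file, else None."""
    data = Path(path).read_bytes()
    if data[:4] != b"\x7fELF" or len(data) < 6 or data[4] not in LAYOUT:
        return None
    word, phoff_at, phent_at, poff_at, psz_at = LAYOUT[data[4]]
    end = "<" if data[5] == 1 else ">"
    try:
        (phoff,) = struct.unpack_from(end + word, data, phoff_at)
        phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
        for i in range(phnum):
            base = phoff + i * phentsize
            if struct.unpack_from(end + "I", data, base)[0] == PT_INTERP:
                off, size = (struct.unpack_from(end + word, data, base + a)[0] for a in (poff_at, psz_at))
                return data[off:off + size].rstrip(b"\0").decode("ascii", "replace")
    except struct.error:  # truncated or malformed headers
        pass
    return None

def libc_family(interp):
    return "musl" if "/ld-musl-" in interp else "glibc" if "/ld-linux" in interp else "other"

def scan_tree(root):
    """Map libc family -> relative paths of dynamically linked executables under root."""
    found = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink() and (interp := elf_interp(p)):
            found.setdefault(libc_family(interp), []).append(str(p.relative_to(root)))
    return found

def fake_elf32(interp):
    """Constructed sample input: minimal little-endian ARM ELF32 with one PT_INTERP."""
    s = interp.encode() + b"\0"
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_INTERP, 84, 0, 0, len(s), len(s), 4, 1) + s

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # stands in for an unpacked initramfs
        Path(root, "cryptsetup").write_bytes(fake_elf32("/lib/ld-musl-armhf.so.1"))
        Path(root, "dmsetup").write_bytes(fake_elf32("/lib/ld-linux-armhf.so.3"))
        print(scan_tree(root))
```

Statically linked binaries and shared libraries carry no PT_INTERP and are skipped, so this covers executables only.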
