On 09.09.2025 13:18, Ingo Franzki wrote:
> On 09.09.2025 11:42, Mikulas Patocka wrote:
>>
>>
>> On Tue, 9 Sep 2025, Ingo Franzki wrote:
>>
>>> However, combined encryption and integrity seems to have problems. Not
>>> sure if this is related to your changes in dm-integrity, or if there is
>>> still something missing in dm-crypt, or the interface between the two:
>>>
>>> I did:
>>>
>>> # cryptsetup luksFormat --type luks2 --master-key-file '<key-file>'
>>> --key-size <size-of-encryption-key-in-bits> --cipher paes-xts-plain64
>>> --pbkdf argon2i --pbkdf-memory 32 --pbkdf-force-iterations 4 --integrity
>>> phmac-sha256 --integrity-key-size <size-of-integrity-key-in-bits>
>>> /dev/loop0
>>>
>>> # cryptsetup luksOpen /dev/loop0 int-loop
>>>
>>> The open step succeeds, but the following errors are shown in the journal:
>>>
>>> Sep 09 04:54:50 fedora kernel: crypt_convert_block_aead: 12 callbacks suppressed
>>> Sep 09 04:54:50 fedora kernel: trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 350976
>>> Sep 09 04:54:50 fedora kernel: trusted_key: device-mapper: crypt: dm-0: INTEGRITY AEAD ERROR, sector 350976
>>> Sep 09 04:54:50 fedora kernel: buffer_io_error: 3 callbacks suppressed
>>> Sep 09 04:54:50 fedora kernel: Buffer I/O error on dev dm-1, logical block 43872, async page read
>>> Sep 09 04:54:50 fedora 55-scsi-sg3_id.rules[2378]: WARNING: SCSI device dm-1 has no device ID, consider changing .SCSI_ID_SERIAL_SRC in 00-scsi-sg3_config.rules
>>
>> In this mode, the encryption, decryption and authentication is done by
>> dm-crypt, not dm-integrity. dm-integrity just passes the tags around.
>>
>> So, it looks like a dm-crypt bug.
>>
>> Please, revert my patches and run the same test on a clean 6.17.0-rc5 just
>> to verify that the patches do not introduce the bug.
>
> With your patches reverted the combined mode fails the same way as with your patches.
> So they did not introduce the bug.

Mikulas, do you have any idea what could be causing these errors?
Is it that dm-crypt is not properly dealing with async-only HMAC ciphers?
Async-only encryption ciphers seem to work fine in dm-crypt, since LUKS with PAES (but no integrity) works fine, and PAES is an async-only cipher.
LUKS with sync-HMAC ciphers (e.g. clear key HMAC) also works fine, even in combination with PAES.

>
>>
>> Mikulas
>>
>
>

-- 
Ingo Franzki
eMail: ifranzki@xxxxxxxxxxxxx
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/