[opensuse-security] Encrypted filesystem write blocks the system (10.3)
I have an encrypted filesystem inherited from 10.2 and before. I have this line in fstab:

/biggy/crypta_f.mm.x /mnt/crypta.mm.x xfs noauto,user,noatime,nodiratime,loop,encryption=twofish256 1 4

Reading from this filesystem works (I'm copying it elsewhere now).

Writing to this filesystem, from another similarly encrypted filesystem, large files (between 300 and 400 MB), locks the console where the copy is taking place. The copy process stops. It is unkillable. Umount of that filesystem locks (and umount is unkillable). Reboot filesystem locks. If I try to "ls -l" the destination dir of the copy (that is locked, frozen) it also freezes.

I have to lazy umount ("umount -l /mountpoints &") all the mountpoints I can, and then try to reboot (which hangs) and then poweroff the machine forcefully.

There is absolutely nothing in the logs relative to this problem (I know how to look into logs).

I have fsck'd the filesystem, nothing:

nimrodel:~ # losetup -e twofish256 /dev/loop2 /biggy/crypta_f.mm.x
Password:
nimrodel:~ # file -s /dev/loop2
/dev/loop2: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
nimrodel:~ # xfs_check /dev/loop2
ERROR: The filesystem has valuable metadata changes in a log which needs to
be replayed.  Mount the filesystem to replay the log, and unmount it before
re-running xfs_check.  If you are unable to mount the filesystem, then use
the xfs_repair -L option to destroy the log and attempt a repair.
Note that destroying the log may cause corruption -- please attempt a mount
of the filesystem before doing this.
nimrodel:~ # mount /dev/loop2 /mnt/crypta.mm.x/
nimrodel:~ # umount /dev/loop2
nimrodel:~ # xfs_check /dev/loop2
nimrodel:~ #

No errors.

I'm aware that the encryption filesystems have changed in 10.3, but the only document I have is the release notes. Probably I would have to use a different method than losetup, but I have no idea which. An encrypted filesystem I see it uses devmap.

But notice that the problem arises from a filesystem mounted directly from fstab - shouldn't this method be used now anymore? In any case, the "classic" method should freeze the computer, as it does :-?

-- 
Cheers,
Carlos Robinson

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

Carlos E. R. wrote:
> Writing to this filesystem, from another similarly encrypted filesystem, large files (between 300 and 400 MB), locks the console where the copy is taking place. The copy process stops. It is unkillable. Umount of that filesystem locks (and umount is unkillable). Reboot filesystem locks.

Interestingly enough I've experienced a similar problem with dm-crypt at home. Using cryptoloop works for me. Please open a bug report for the kernel. Maybe it's a generic problem outside of cryptoloop/dm-crypt.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

The Thursday 2007-11-29 at 08:59 +0100, Ludwig Nussel wrote:

> Carlos E. R. wrote:
>> Writing to this filesystem, from another similarly encrypted filesystem, large files (between 300 and 400 MB), locks the console where the copy is taking place. The copy process stops. It is unkillable. Umount of that filesystem locks (and umount is unkillable). Reboot filesystem locks.
>
> Interestingly enough I've experienced a similar problem with dm-crypt at home. Using cryptoloop works for me. Please open a bug report for the kernel. Maybe it's a generic problem outside of cryptoloop/dm-crypt.

Done: Bug #345039

Oops! I reported against "security", I didn't notice you said "kernel". Sorry!

Question: dm-crypt is the old system, and cryptoloop the new one? I confuse the names, sorry.

-- 
Cheers,
Carlos E. R.

Hello,

On Thursday, 29 November 2007, Carlos E. R. wrote:

> The Thursday 2007-11-29 at 08:59 +0100, Ludwig Nussel wrote: [...]
>> Interestingly enough I've experienced a similar problem with dm-crypt at home. Using cryptoloop works for me. Please open a bug report for the kernel. Maybe it's a generic problem outside of cryptoloop/dm-crypt.
>
> Done: Bug #345039
>
> Oops! I reported against "security", I didn't notice you said "kernel". Sorry!

No problem - you can change such things yourself:
- click "Reassign bug to default assignee [...] of selected component"
- select "Kernel" from the "component" dropdown
- click the submit button

I just did this.

> Question: dm-crypt is the old system, and cryptoloop the new one? I confuse the names, sorry.

The other way round:
- cryptoloop is the old system (<= 10.2)
- dm-crypt is the new one (10.3)

To mention another name: dm-crypt is combined with LUKS in 10.3, which brings some nice features like multiple passphrases for a partition and easy passphrase changing without the need to re-encrypt the whole partition.

Regards,

Christian Boltz
-- 
Will updating online update via online update work when online update isn't updating? :) (Say that five times fast!)
[suse AT rio.vg in suse-security]

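Added illustration, not part of the original thread and not cryptsetup's code: a toy Python model of why the LUKS features mentioned in the message above (several passphrases, passphrase change without re-encrypting the data) are possible. The class and method names are hypothetical, the iteration count is constructed, and XOR with a PBKDF2-derived pad stands in for the real key wrapping.

```python
import hashlib
import hmac
import os

ITERATIONS = 2000  # constructed value, kept low so the example runs quickly


def _kdf(secret: bytes, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyLuksHeader:
    """Hypothetical model: one master key, wrapped once per passphrase slot."""

    def __init__(self, passphrase: bytes, slots: int = 8):
        master = os.urandom(32)  # the key the bulk data would be encrypted with
        self.digest_salt = os.urandom(16)
        self.master_digest = _kdf(master, self.digest_salt, 32)
        self.slots = [None] * slots
        self._store(0, passphrase, master)

    def _store(self, index: int, passphrase: bytes, master: bytes) -> None:
        salt = os.urandom(16)
        # Simplification: XOR with a passphrase-derived pad replaces real key wrapping.
        self.slots[index] = (salt, _xor(master, _kdf(passphrase, salt, len(master))))

    def unlock(self, passphrase: bytes):
        """Return (slot index, master key) for the first slot this passphrase opens."""
        for index, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = _xor(wrapped, _kdf(passphrase, salt, len(wrapped)))
            digest = _kdf(candidate, self.digest_salt, 32)
            if hmac.compare_digest(digest, self.master_digest):
                return index, candidate
        raise ValueError("no key slot opens with this passphrase")

    def add_passphrase(self, existing: bytes, new: bytes) -> int:
        _, master = self.unlock(existing)
        index = self.slots.index(None)  # first free slot; ValueError if all are used
        self._store(index, new, master)
        return index

    def change_passphrase(self, old: bytes, new: bytes) -> None:
        index, master = self.unlock(old)
        self._store(index, new, master)  # only the slot changes, never the master key
```

Because the data is encrypted under the master key and each passphrase only wraps a copy of it, adding or changing a passphrase rewrites a few header bytes and leaves the encrypted data untouched.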
The Friday 2007-11-30 at 00:14 +0100, Christian Boltz wrote:

>> Done: Bug #345039
>>
>> Oops! I reported against "security", I didn't notice you said "kernel". Sorry!
>
> No problem - you can change such things yourself:
> - click "Reassign bug to default assignee [...] of selected component"
> - select "Kernel" from the "component" dropdown
> - click the submit button
>
> I just did this.

Thanks! I was thinking it was possible, but I didn't know if I should touch those things. The "Reassign..." part I wouldn't know about.

>> Question: dm-crypt is the old system, and cryptoloop the new one? I confuse the names, sorry.
>
> The other way round:
> - cryptoloop is the old system (<= 10.2)
> - dm-crypt is the new one (10.3)
>
> To mention another name: dm-crypt is combined with LUKS in 10.3, which brings some nice features like multiple passphrases for a partition and easy passphrase changing without the need to re-encrypt the whole partition.

That's very nice :-)

I just found that at least some of that is documented here:

http://localhost/usr/share/doc/manual/opensuse-manual_en/manual/cha.cryptofs...

That's very nice - at least for the people creating new encrypted filesystems. Mine are older, some created for SuSE 9.2, maybe before. Those on the hard disk I can recreate, and probably I will; but those in DVD I can't. In my fstab I already have 4 (four) different entries to mount DVDs created using 4 different methods over time. Now I guess I have to create a new '5' method for DVDs using LUKS, which I hope will last longer, as the options are written inside somehow :-)

-- 
Cheers,
Carlos E. R.

The Thursday 2007-11-29 at 08:59 +0100, Ludwig Nussel wrote:

> Carlos E. R. wrote:
>> Writing to this filesystem, from another similarly encrypted filesystem, large files (between 300 and 400 MB), locks the console where the copy is taking place. The copy process stops. It is unkillable. Umount of that filesystem locks (and umount is unkillable). Reboot filesystem locks.
>
> Interestingly enough I've experienced a similar problem with dm-crypt at home. Using cryptoloop works for me. Please open a bug report for the kernel. Maybe it's a generic problem outside of cryptoloop/dm-crypt.

This problem continues.

Soon after I write large files to an encrypted, loop mounted, filesystem, the operation locks. All programs are thereafter unable to exit or be killed -9, and system can not even reboot or halt, only power switch works, forcing a huge fsck.

It does not matter if filesystem is mounted through device mapper, new style (dm-crypt), or old style (cryptoloop). Tonight I tried new style.

/etc/crypttab:

mycrypt_mm_f /biggy/crypta_f.mm.x none cipher=twofish-cbc-plain,size=256,hash=sha512,noauto,loop

/etc/fstab:

/dev/mapper/mycrypt_mm_f /mnt/crypta.mm.x xfs noauto,user,noatime,nodiratime 1 4

nimrodel:~ # df -h /mnt/crypta.mm.x
Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/mycrypt_mm_f   28G   19G  9.3G  67% /mnt/crypta.mm.x

Mounted as:

/dev/mapper/mycrypt_mm_f on /mnt/crypta.mm.x type xfs (rw,noexec,nosuid,nodev,noatime,nodiratime)

Logs: nothing is logged anywhere. Nothing!

Reported as Bug #345039, but there have been no comments at all. :-??

I'd be happy to try kernel options to enable more logging, or try tests... I can trigger the bug at will, it is reproducible here.

-- 
Cheers,
Carlos E. R.

participants (3)
- Carlos E. R.
- Christian Boltz
- Ludwig Nussel