Bug 261172
| Summary: | GELI boot failing with aes_xts_reinit: invalid IV length | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | mmatalka | ||||
| Component: | kern | Assignee: | John Baldwin <jhb> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | CC: | allanjude, jhb, markj, mikael, mmatalka, moonlapse81 | ||||
| Priority: | --- | Keywords: | regression | ||||
| Version: | CURRENT | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
|
Description
mmatalka
2022-01-13 11:00:52 UTC
Same here, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261172 I've had to revert all the latest changes in sys/opencrypto and the one in stand (geliboot: Use the multi-block functions for AES-XTS.). I don't know which one is causing the problem, reverting only 'geliboot: Use the multi-block functions for AES-XTS.' doesn't fix it. cryptosoft: Use multi-block encrypt/decrypt for ChaCha20-Poly1305 cryptosoft: Use multi-block encrypt/decrypt for AES-CCM cryptosoft: Use multi-block encrypt/decrypt for AES-GCM swcr_encdec: Rename blks to blkszcryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers. crypto: Re-add encrypt/decrypt_multi hooks to enc_xform. crypto: Add support for the XChaCha20-Poly1305 AEAD cipher geliboot: Use the multi-block functions for AES-XTS. It's on a core i7 3540m cpu if that matters. The issue is that the compile fix exposed an assertion that was previously unchecked. Hmm, the code in geliboot_crypto.c is a bit incorrect (but probably not harmfully so). This (untested) patch will fix the assertion, but it should also use a better IV size. The IV size is not the same as the key size (for AES-CBC the IV is a block, and for AES-XTS the IV is actually smaller than a block) Created attachment 230991 [details]
geliboot_iv.patch
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c7721958ffa1aa81064b74b884e81efbe11d7fe4 commit c7721958ffa1aa81064b74b884e81efbe11d7fe4 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-01-14 01:19:54 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2022-01-14 01:19:54 +0000 geliboot: Use the correct IV length for AES-XTS. - Use AES_XTS_IV_LEN instead of the key length as the IV length. - Use G_ELI_IVKEYLEN as the size of the zeroed iv[] array in g_eli_crypto_cipher() to match geli_io(). PR: 261172 Reported by: Malcolm Matalka <mmatalka@gmail.com>, mikael Reviewed by: markj Sponsored by: FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33884 stand/libsa/geli/geliboot.c | 2 +- stand/libsa/geli/geliboot_crypto.c | 9 ++++----- stand/libsa/geli/geliboot_internal.h | 2 +- 3 files changed, 6 insertions(+), 7 deletions(-) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=673910f3b8c4606313bd8e56a44ea43508dee0cc commit 673910f3b8c4606313bd8e56a44ea43508dee0cc Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2022-01-14 01:19:54 +0000 Commit: Warner Losh <imp@FreeBSD.org> CommitDate: 2023-01-24 21:49:20 +0000 geliboot: Use the correct IV length for AES-XTS. - Use AES_XTS_IV_LEN instead of the key length as the IV length. - Use G_ELI_IVKEYLEN as the size of the zeroed iv[] array in g_eli_crypto_cipher() to match geli_io(). PR: 261172 Reported by: Malcolm Matalka <mmatalka@gmail.com>, mikael Reviewed by: markj Sponsored by: FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33884 (cherry picked from commit c7721958ffa1aa81064b74b884e81efbe11d7fe4) stand/libsa/geli/geliboot.c | 2 +- stand/libsa/geli/geliboot_crypto.c | 9 ++++----- stand/libsa/geli/geliboot_internal.h | 2 +- 3 files changed, 6 insertions(+), 7 deletions(-) |
