On 18.09.2025 17:00, Harald Freudenberger wrote: > On 2025-09-11 17:58, Mikulas Patocka wrote: >> On Thu, 11 Sep 2025, Ingo Franzki wrote: >> >>> >> So, it looks like a dm-crypt bug. >>> >> >>> >> Please, revert my patches and run the same test on a clean 6.17.0-rc5 >>> >> just >>> >> to verify that the patches do not introduce the bug. >>> > >>> > With your patches reverted the combined mode fails the same way as with >>> > your patches. >>> > So they did not introduce the bug. >>> >>> Mikulas, do you have any idea what could be causing this errors? >>> Is it that dm-crypt is not properly dealing with async-only HMAC ciphers? >>> Async-only encryption ciphers seem to work fine in dm-crypt, since LUKS >>> with PAES (but no integrity) works fine, and PAES is an async-onky cipher. >>> LUKS with sync-HMAC ciphers (e.g. clear key HMAC) also works fine, even in >>> combination with PAES. >> >> Yes, I think that it's a problem with async HMAC. The bug is probably >> either in dm-crypt or in the crypto library. >> >> Do you have some other (non-dm-crypt-related) workload that uses the >> async authentication, so that we can determine whether the bug is in >> dm-crypt or crypto? >> >> Otherwise, would it be possible to give us a virtual machine on the >> mainframe to debug this issue? >> >> Mikulas > > So here is now an out-of-tree kernel module build which offers a pseudo > phmac-sha256 > for testing and debugging purpose. In the end this is just a asynch (ahash) > wrapper > around the hmac-sha256 shash crypto subsystem implementation. It should > compile and > be usable on all platforms (s390, x64, arm, ...). > > I ran dm-integrity tests with this and all worked fine. Ingo ran dm-crypt > tests > where he combined aes-cbc encryption with phmac-sha256 integrity and saw hangs > on cryptsetup open. He also reported that these issues are different to what > he > saw with the 'real' phmac in combination with aes encryption. A short glimpse > gives > me the impression that there is a job blocking the system's workqueue. > However, I > could not find any indication that the pseudo phmac is not working properly.
Here is what I did (after insmod'ing the pseudo phmac cipher). I did this on a s390x system, but it should behave the same on x86. # cryptsetup luksFormat --type luks2 --integrity phmac-sha256 --integrity-key-size 256 /dev/loop0 # cryptsetup luksOpen /dev/loop0 int-loop Note: To use the above cryptsetup commands with phmac you might need the code from this cryptsetup PR, otherwise it won't accept phmac as integrity algorithm: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/693 The luksOpen step hangs forever and the following messages are shown in syslog after a while: Sep 19 02:43:29 fedora systemd-udevd[500]: dm-1: Worker [2720] processing SEQNUM=1272 is taking a long time Sep 19 02:45:29 fedora systemd-udevd[500]: dm-1: Worker [2720] processing SEQNUM=1272 killed Still the luksOpen keeps hanging, and a lot of kworkers are hanging around as well: # ps -ef ... root 2679 1987 2 02:42 pts/0 00:00:04 cryptsetup luksOpen /dev/loop0 int-loop root 2712 2 0 02:42 ? 00:00:00 [kworker/R-kdmflush/251:0] root 2713 2 0 02:42 ? 00:00:00 [kworker/R-dm-integrity-metadata] root 2714 2 0 02:42 ? 00:00:00 [kworker/R-dm-integrity-wait] root 2715 2 0 02:42 ? 00:00:00 [kworker/R-dm-integrity-offload] root 2716 2 0 02:42 ? 00:00:00 [kworker/R-dm-integrity-commit] root 2717 2 0 02:42 ? 00:00:00 [kworker/R-dm-integrity-writer] root 2718 500 0 02:42 ? 00:00:00 (udev-worker) root 2719 500 0 02:42 ? 00:00:00 (udev-worker) root 2720 500 0 02:42 ? 00:00:00 [(udev-worker)] root 2726 2 0 02:42 ? 00:00:00 [kworker/R-kdmflush/251:1] root 2727 2 0 02:42 ? 00:00:00 [kworker/R-kcryptd_io-251:1-1] root 2728 2 0 02:42 ? 00:00:00 [kworker/R-kcryptd-251:1-1] root 2729 2 0 02:42 ? 00:00:00 [dmcrypt_write/251:1] ... # dmsetup table int-loop: 0 351128 crypt capi:authenc(phmac(sha256),xts(aes))-plain64 :96:logon:cryptsetup:239c87ad-8c23-4cdb-943f-947737e9cf5c-d0 0 251:0 0 2 integrity:32:aead integrity_key_size:32 int-loop_dif: 0 351128 integrity 7:0 32768 32 J 6 interleave_sectors:32768 buffer_sectors:128 journal_sectors:3168 journal_watermark:50 commit_time:10000 fix_padding # lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS loop0 7:0 0 200M 0 loop └─int-loop_dif 251:0 0 171.4M 0 crypt > > For instructions on how to build and use the module see the README in the tgz > archive. > > Thanks to all > Harald Freudenberger > > -- Ingo Franzki eMail: [email protected] Tel: ++49 (0)7031-16-4648 Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Gregor Pillen Geschäftsführung: David Faller Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294 IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
