验证成功，但升级到新内核后挂载失败

Question

我们将dm-verity用于squashfs根文件系统。

使用内核4.8.4一切正常，升级到内核4.14.14挂载后，即使veritysetup verify命令验证映像，挂载也会失败。

# veritysetup verify /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d35f95a4
b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug
# cryptsetup 1.7.4 processing "veritysetup verify /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d35f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug"
# Running command verify.
# Allocating crypt device /dev/mmcblk0p6 context.
# Trying to open and read device /dev/mmcblk0p6 with direct-io.
# Initialising device-mapper backend library.
# Trying to load VERITY crypt type from device /dev/mmcblk0p6.
# Crypto backend (OpenSSL 1.0.2m  2 Nov 2017) initialized in cryptsetup library version 1.7.4.
# Detected kernel Linux 4.14.14-yocto-standard armv7l.
# Reading VERITY header of size 512 on device /dev/mmcblk0p6, offset 4096.
# Setting ciphertext data device to /dev/mmcblk0p5.
# Trying to open and read device /dev/mmcblk0p5 with direct-io.
# Activating volume [none] by volume key.
# Trying to activate VERITY device [none] using hash sha256.
# Verification of data in userspace required.
# Hash verification sha256, data device /dev/mmcblk0p5, data blocks 10462, hash_device /dev/mmcblk0p6, offset 2.
# Using 2 hash levels.
# Data device size required: 42852352 bytes.
# Hash device size required: 348160 bytes.
# Verification of data area succeeded.
# Verification of root hash succeeded.
# Releasing crypt device /dev/mmcblk0p6 context.
# Releasing device-mapper backend.
Command successful.


# veritysetup create vroot /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d3
5f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug

# mount -o ro /dev/mapper/vroot /mnt/
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
SQUASHFS error: squashfs_read_data failed to read block 0x0
squashfs: SQUASHFS error: unable to read squashfs_super_block
device-mapper: verity: 179:5: metadata block 2 is corrupted
FAT-fs (dm-0): unable to read boot sector
mount: mounting /dev/mapper/vroot on /mnt/ failed: Input/output error

dmesg中也会出现相同的错误消息。上述命令是在目标设备上运行的。

在我的主机Debian 8(内核3.16.0-5)上，使用最终在/dev/mmcblk0p5和/dev/mmcblk0p6中结束的文件，我能够设置所有工作的东西：

# veritysetup create vroot rootfs-image.squashfs rootfs-image.hashtbl --hash-offset 4096 d35f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b
# mount /dev/mapper/vroot /tmp/mnt

Answer 1

通过查看/proc/crypto，我发现有两个模块提供sha256:一个来自Atmel，另一个是泛型模块：

name         : sha256
driver       : atmel-sha256
module       : kernel
priority     : 100
[...]
name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0

通过禁用内核CONFIG_CRYPTO_DEV_ATMEL_SHA=n中的Atmel SHA加速器，它将使用通用实现，然后一切都正常。

似乎从Kernel4.8.4到Kernel4.14.14发生了一些破坏事物的事情。那是另一个问题..。