Dm-verity does not work with tegra-se-sha256

I found issues about dm-verity on bsp kernel. I would be glad to share to NVIDIA’s kernel team.

Environment

  • Hardware
    • SoM: Orin NX 16GB
    • Carrierboard: Orin nano developer kit
  • BSP: Jetson linux r35.4.1
    • kernel, rootfs and all blobs are totally bsp images.

Impact

  • dm-verity does not work. It uses for secure boot.

Event

It show mount error with Verity device detected corruption after activation. messages.

root@orinnx-010:~/work# veritysetup create dm-v-0 data_partition.img hash.img $ROOT_HASH
Verity device detected corruption after activation.
root@orinnx-010:~/work#  dmesg | grep verity
[  879.678832] device-mapper: verity: sha256 using implementation "tegra-se-sha256"
[  879.691438] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.698275] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.741692] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.748491] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.771402] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.778366] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.794747] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.801542] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.817573] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.824392] device-mapper: verity: 7:2: metadata block 1 is corrupted
[  879.966541] device-mapper: verity: 7:2: reached maximum errors

Reproduce step

Create partitions of dm-verity

truncate -s 128M data_partition.img
mkfs.ext4 data_partition.img

mkdir tmp
mount -o loop data_partition.img tmp
echo "test" > hello.txt
umount tmp
rmdir tmp

veritysetup format data_partition.img hash.img

ROOT_HASH="" #Please fill the above result.

Mount

veritysetup create dm-v-0 data_partition.img hash.img $ROOT_HASH
# Happen the issue
veritysetup close dm-v-0

Reproducibility is 100% (4/4)

Workaround

Not use “tegra-se-sha256” algorithm. It changes to “sha256-ce” when apply the below. dm-verity works fine on “sha256-ce”.

  • Disable CONFIG_CRYPTO_DEV_TEGRA_SE_USE_HOST1X_INTERFACE
  • Use this below patch.
build/kernel/nvidia
 %  git diff
diff --git a/drivers/crypto/tegra-se-nvhost.c b/drivers/crypto/tegra-se-nvhost.c
index c077db70a073..0aa2982a2c3e 100644
--- a/drivers/crypto/tegra-se-nvhost.c
+++ b/drivers/crypto/tegra-se-nvhost.c
@@ -6634,7 +6634,7 @@ static struct ahash_alg hash_algs[] = {
                .halg.base = {
                        .cra_name = "sha256",
                        .cra_driver_name = "tegra-se-sha256",
-                       .cra_priority = 300,
+                       .cra_priority = 0,
                        .cra_flags = CRYPTO_ALG_TYPE_AHASH,
                        .cra_blocksize = SHA256_BLOCK_SIZE,
                        .cra_ctxsize = sizeof(struct tegra_se_sha_context),

memo: you can check on dmesg what use algorithm.

[ 11.104471] device-mapper: verity: sha256 using implementation “sha256-ce”

tcrypto.ko

tegra-se-sha256 passed test of tcrypto.ko in my viewing. However, dm-verity is not worked in the fact.

I thought tegra-se-sha256 is broken. so, I checked by tcrypto.ko. tcrypto.ko is test module for crypto algolithm from kernel space.

If you know more, please read attachment file.
Result-tcrypto.txt (18.1 KB)

hello naoki.matt.matsumoto,

thanks for sharing, let me arrange resources to review this internally.

The following workaround also works.

diff --git a/kernel/nvidia/drivers/crypto/tegra-se-nvhost.c b/kernel/nvidia/drivers/crypto/tegra-se-nvhost.c
index c077db70a…1f0b6e7dd 100644
— a/kernel/nvidia/drivers/crypto/tegra-se-nvhost.c
+++ b/kernel/nvidia/drivers/crypto/tegra-se-nvhost.c
@@ -6634,7 +6634,7 @@ static struct ahash_alg hash_algs = {
.halg.base = {
.cra_name = “sha256”,
.cra_driver_name = “tegra-se-sha256”,
– .cra_priority = 300,
++ .cra_priority = 30,
.cra_flags = CRYPTO_ALG_TYPE_AHASH,
.cra_blocksize = SHA256_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_se_sha_context),

hello naoki.matt.matsumoto,

FYI, L4T doesn’t support dm-verity officially.

memo:

We can confirm crypto algorithm pool at /proc/crypto. The priority parameter is performance hinting information. kernel drivers use highest priority algorithm normally.

I see Orin nano devkit supports the below sha256 algorithm.

  • tegra-se-sha256 (300)
  • sha256-ce (200)
  • sha256-arm64-neon (150)
  • sha256-arm64 (125)
  • sha256-generic (100)
  • name (priority)

Therefore, if you apply this patch, it changes using driver to sha256-ce.

@JerryChang
I see. so, Do you want to close this issue? I can set Solution flag to your comment.

yes, let’s close this topic.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

let me have update here…
there’s bug fix within tegra-se-nvhost.c, fixes will be available for next Jetpack-5.x release version.
you may expect DM-Verity will works for the next Jetpack-5 public release.

1 Like