I found an issue with dm-verity on the BSP kernel. I would be glad to share it with NVIDIA's kernel team.
Environment
- Hardware
- SoM: Orin NX 16GB
- Carrier board: Orin Nano Developer Kit
- BSP: Jetson Linux r35.4.1
- Kernel, rootfs and all blobs are the stock BSP images.
Impact
- dm-verity does not work. It is used for secure boot.
Event
The mount fails with the error "Verity device detected corruption after activation."
Messages:
root@orinnx-010:~/work# veritysetup create dm-v-0 data_partition.img hash.img $ROOT_HASH
Verity device detected corruption after activation.
root@orinnx-010:~/work# dmesg | grep verity
[ 879.678832] device-mapper: verity: sha256 using implementation "tegra-se-sha256"
[ 879.691438] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.698275] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.741692] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.748491] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.771402] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.778366] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.794747] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.801542] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.817573] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.824392] device-mapper: verity: 7:2: metadata block 1 is corrupted
[ 879.966541] device-mapper: verity: 7:2: reached maximum errors
Reproduction steps
Create the dm-verity partitions
truncate -s 128M data_partition.img
mkfs.ext4 data_partition.img
mkdir tmp
mount -o loop data_partition.img tmp
echo "test" > tmp/hello.txt   # write into the mounted image, not the working directory
umount tmp
rmdir tmp
# veritysetup format prints the root hash; capture it here (or copy the "Root hash:" line by hand)
ROOT_HASH=$(veritysetup format data_partition.img hash.img | awk '/^Root hash/ {print $3}')
Mount
veritysetup create dm-v-0 data_partition.img hash.img $ROOT_HASH
# The issue happens here
veritysetup close dm-v-0
Reproducibility is 100% (4/4)
Workaround
Do not use the "tegra-se-sha256" algorithm. It changes to "sha256-ce" when the following is applied. dm-verity works fine with "sha256-ce".
- Disable
CONFIG_CRYPTO_DEV_TEGRA_SE_USE_HOST1X_INTERFACE
- Apply the patch below.
build/kernel/nvidia
% git diff
diff --git a/drivers/crypto/tegra-se-nvhost.c b/drivers/crypto/tegra-se-nvhost.c
index c077db70a073..0aa2982a2c3e 100644
--- a/drivers/crypto/tegra-se-nvhost.c
+++ b/drivers/crypto/tegra-se-nvhost.c
@@ -6634,7 +6634,7 @@ static struct ahash_alg hash_algs[] = {
.halg.base = {
.cra_name = "sha256",
.cra_driver_name = "tegra-se-sha256",
- .cra_priority = 300,
+ .cra_priority = 0,
.cra_flags = CRYPTO_ALG_TYPE_AHASH,
.cra_blocksize = SHA256_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct tegra_se_sha_context),
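Review bot: setting .cra_priority to 0 leaves tegra-se-sha256 registered and still selectable by its cra_driver_name; it only loses the generic "sha256" lookup to sha256-ce (or to sha256-generic on a kernel without the CE implementation), so the changed line needs a comment stating why the SE path is demoted (wrong digests under dm-verity even though the tcrypto.ko self-test passes), otherwise the next reader will restore 300. The hunk also touches only the sha256 entry of hash_algs[]; if the fault is in the driver's update/final handling rather than something sha256-specific, the sibling entries in the same table would need the same treatment, which is worth checking with the same veritysetup reproduction and a different --hash.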
Memo: you can check in dmesg which algorithm is used.
[ 11.104471] device-mapper: verity: sha256 using implementation "sha256-ce"
tcrypto.ko
tegra-se-sha256 passed the tcrypto.ko test as far as I can see. However, dm-verity does not work in fact.
I thought tegra-se-sha256 was broken, so I checked it with tcrypto.ko. tcrypto.ko is the test module for crypto algorithms in kernel space.
If you want to know more, please read the attached file.
Result-tcrypto.txt (18.1 KB)
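To see exactly what the kernel is comparing when it logs "metadata block 1 is corrupted", here is an added example that is not part of the post and not veritysetup's or NVIDIA's code: a pure-Python model of the dm-verity hash tree, built with hashlib the way `veritysetup format` lays it out and then walked top-down the way the verity target checks a data block. Assumptions (veritysetup defaults, not stated in the post): format version 1 (salt hashed before the block), 4096-byte data and hash blocks, SHA-256, and a hash image whose block 0 is the superblock area (written here as a zero placeholder; the kernel target does not parse the superblock, it takes hash_start from the table). All input data is constructed.

```python
"""Model of the dm-verity hash tree (assumed veritysetup defaults: format
version 1, 4096-byte blocks, SHA-256, superblock occupying hash block 0).
Not the kernel's or veritysetup's code; sample data is constructed."""
import hashlib
import math

BLOCK = 4096                  # data and hash block size
DIGEST = 32                   # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST   # 128 digests per hash block
SUPERBLOCK_BLOCKS = 1         # hash tree starts after the superblock block


def hash_block(block: bytes, salt: bytes, version: int = 1) -> bytes:
    """dm-verity block hash: version 1 salts first, version 0 salts last."""
    h = hashlib.sha256()
    if version >= 1:
        h.update(salt)
        h.update(block)
    else:
        h.update(block)
        h.update(salt)
    return h.digest()


def tree_levels(data_blocks: int) -> int:
    """Number of hash levels, as the kernel computes it:
    the smallest L with (data_blocks - 1) >> (7 * L) == 0."""
    levels = 0
    while (data_blocks - 1) >> (7 * levels):
        levels += 1
    return levels


def level_offsets(data_blocks: int) -> list:
    """Hash-block number where each level starts. The top level is stored
    first (right after the superblock), level 0 (data-block digests) last."""
    levels = tree_levels(data_blocks)
    sizes = [math.ceil(data_blocks / PER_BLOCK ** (lvl + 1)) for lvl in range(levels)]
    offsets = [0] * levels
    pos = SUPERBLOCK_BLOCKS
    for lvl in range(levels - 1, -1, -1):
        offsets[lvl] = pos
        pos += sizes[lvl]
    return offsets


def build_hash_image(data: bytes, salt: bytes, version: int = 1):
    """Return (root_hash, hash_image) for the data, like `veritysetup format`."""
    assert len(data) % BLOCK == 0
    n = len(data) // BLOCK
    digests = [hash_block(data[i * BLOCK:(i + 1) * BLOCK], salt, version) for i in range(n)]
    levels = []  # levels[0] holds data-block digests, levels[-1] is the top
    for _ in range(tree_levels(n)):
        blocks = [b"".join(digests[i:i + PER_BLOCK]).ljust(BLOCK, b"\0")
                  for i in range(0, len(digests), PER_BLOCK)]
        levels.append(blocks)
        digests = [hash_block(b, salt, version) for b in blocks]
    root = digests[0]                          # hash of the single top block
    image = bytes(BLOCK * SUPERBLOCK_BLOCKS)   # superblock placeholder
    for blocks in reversed(levels):            # top level first on the device
        image += b"".join(blocks)
    return root, image


def verify_block(data, hash_image, root, salt, idx, version=1):
    """Check data block idx top-down as the verity target does; returns
    (True, None) or (False, message) using the kernel's message wording."""
    offsets = level_offsets(len(data) // BLOCK)
    expected = root
    for lvl in range(len(offsets) - 1, -1, -1):
        hb_no = offsets[lvl] + idx // PER_BLOCK ** (lvl + 1)
        hb = hash_image[hb_no * BLOCK:(hb_no + 1) * BLOCK]
        if hash_block(hb, salt, version) != expected:
            return False, f"metadata block {hb_no} is corrupted"
        entry = (idx // PER_BLOCK ** lvl) % PER_BLOCK
        expected = hb[entry * DIGEST:(entry + 1) * DIGEST]
    if hash_block(data[idx * BLOCK:(idx + 1) * BLOCK], salt, version) != expected:
        return False, f"data block {idx} is corrupted"
    return True, None


def make_sample_data(blocks: int) -> bytes:
    """Constructed, deterministic test data (not a real rootfs image)."""
    return b"".join(hashlib.sha256(b"block-%d" % i).digest() * PER_BLOCK
                    for i in range(blocks))


def corrupt(buf: bytes, offset: int) -> bytes:
    """Flip one bit of buf at offset."""
    return buf[:offset] + bytes([buf[offset] ^ 0x01]) + buf[offset + 1:]


if __name__ == "__main__":
    data = make_sample_data(130)          # two levels: 2 leaf blocks + 1 top
    salt = bytes(range(32))               # constructed salt
    root, img = build_hash_image(data, salt)
    print("root hash:", root.hex())
    print(verify_block(data, corrupt(img, BLOCK + 7), root, salt, 0))
```

For the 128M image in the post (32768 data blocks) `level_offsets(32768)` gives three levels with the single top-level block at hash block 1, so "metadata block 1 is corrupted" means the very first comparison, the hash of the top block against the root hash, fails; each subsequent data block walks the same path and reports the same number until the error limit is reached. To compare against a real veritysetup pair, read data_partition.img and hash.img from disk and pass the salt printed by `veritysetup format`; a hash.img that verifies here but not in the kernel points at the kernel-side digest, not at the image.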