TX2 JetPack 4.2 - SATA drive LUKS encryption failure

LUKS SATA drive encryption worked with JetPack 3.3, but is not working with JetPack 4.2. Has this support been dropped? If it is still supported, how do I acquire/enable it?

Here is the command and failure response:

$ sudo cryptsetup luksFormat /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sda1: 
Verify passphrase: 
device-mapper: reload ioctl on   failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda1.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).

I couldn’t say which driver is needed (I’ve not set up for luks, but perhaps someone else here has), but there would simply be a feature or driver needing to be added. You can see the current kernel configuration with:

zcat /proc/config.gz

I consider this to be a missing kernel feature issue because of the ioctl error. An ioctl is a call to a file which is custom to specific kernel drivers (files in “/dev” are typically not real files…mostly these are a way to talk to a kernel driver). If there is an invalid ioctl, then it means communicating to the driver resulted in a rejected command…and the command is rejected because the driver doesn’t recognize the ioctl…which in turn means something is missing in the kernel.

Thanks for the response, linuxdev. The results of running the command above are in the attached text file. The section on ciphers is pasted below. It seems AES should be supported by looking at this section.

Does this give you any clues as to what is going on?

#
# Ciphers
#
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_ANUBIS is not set
CONFIG_CRYPTO_ARC4=y
# CONFIG_CRYPTO_BLOWFISH is not set
# CONFIG_CRYPTO_CAMELLIA is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST6 is not set
CONFIG_CRYPTO_DES=m
# CONFIG_CRYPTO_FCRYPT is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_SALSA20 is not set
# CONFIG_CRYPTO_CHACHA20 is not set
# CONFIG_CRYPTO_SEED is not set
# CONFIG_CRYPTO_SERPENT is not set
# CONFIG_CRYPTO_SPECK is not set
# CONFIG_CRYPTO_TEA is not set
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y

ZcatProcConfigGz.txt (162 KB)

Algorithm is only part of the requirement. You also need to set “CONFIG_DM_CRYPT”. If you are not booting directly to the encrypted partition, and if you are allowed to create this as a module ("=m") in a config editor, then you could just add this in as a module via a file copy. I’m not sure if “CONFIG_DM_CRYPT” is able to be used as a module though…you’ll have to check this out in an editor.

“CONFIG_DM_CRYPT” is currently unset. I will not be booting directly to the encrypted partition.

Can you elaborate on how/what to use as a config editor to find out if I can create it as a module? And if it is allowed, how I would go about adding it as a module via a file copy? Pointing me to a guide would be sufficient. This is an area of Linux in which I have no experience, so I’m not really sure where I should be looking for this type of info.

Thanks for your help!

Unsetting is the same as not available. Having “=m” implies available after the file system is up. Having “=y” implies always available. Assuming the feature can be built as a module (and not all features can be modules), then you could simply build the module and copy the file in. Without either “=y” or “=m” you can’t use the feature at all.

On the system where you build the kernel, install package “libncurses5-dev” (e.g., “sudo apt-get install libncurses5-dev”). This makes all of the text mode editors (e.g., “make O=/where/ever/top/level/output/goes/ nconfig”) available.

I copy my existing “/proc/config.gz” into the top level of the kernel output location (renamed as “.config”), and then run “make nconfig”. This sets the starting config to match your running system (aside from still needing CONFIG_LOCALVERSION set). From there you can use “make nconfig” to search for “dm_crypt” (see the search function hot key list at the bottom of the menu). If it allows using the “m” key to set up the feature, then the feature can be a module. If only the “y” key can be used, then you must rebuild all modules and the kernel tool (and in this case you want a new CONFIG_LOCALVERSION other than “-tegra” and a new population of modules at “/lib/modules/$(uname -r)/”).

Tip: You can directly edit “.config” for the CONFIG_LOCALVERSION="-tegra", or use the nconfig search feature and find “localversion”.
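
Added example, not part of any post in this thread: a shell check that reads a kernel config and reports each option dm-crypt/LUKS depends on as y, m or unset, following the "=y" / "=m" / unset distinction explained above. Only CONFIG_DM_CRYPT and CONFIG_CRYPTO_AES are named in the thread; the other options in the list, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Options checked. CONFIG_DM_CRYPT and CONFIG_CRYPTO_AES come from the thread;
# the others are the usual mainline Kconfig companions for LUKS with
# aes-xts-plain64 and are an assumption about what a given setup needs.
LUKS_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_USER_API_SKCIPHER"

# opt_state OPTION FILE -> prints y, m or unset.
# "# CONFIG_X is not set" and a missing line are both reported as unset.
opt_state() {
    val=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${val:-unset}"
}

# check_luks_config FILE -> one line per option; returns 0 only when every
# option is built in (y) or available as a module (m).
check_luks_config() {
    missing=0
    for opt in $LUKS_OPTS; do
        state=$(opt_state "$opt" "$1")
        printf '%-34s %s\n' "$opt" "$state"
        if [ "$state" = unset ]; then
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: CONFIG_CRYPTO_AES and CONFIG_DM_CRYPT match the
# JetPack 4.2 values quoted in the thread, the remaining lines are made up.
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_CRYPT is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
EOF
}

# Demo on the constructed sample. On a real system, use instead:
#   zcat /proc/config.gz > /tmp/running.config && check_luks_config /tmp/running.config
tmp=$(mktemp)
sample_config > "$tmp"
check_luks_config "$tmp" || echo "At least one option is unset: luksFormat cannot set up the dm-crypt mapping."
rm -f "$tmp"
```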

Thanks for all the help, linuxdev. Using the information you provided as well as some nvidia documentation https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fkernel_custom.html%23 and the kernel sources https://developer.nvidia.com/embedded/linux-tegra, I was able to build dm-crypt as a module, install and load it, and successfully encrypt a drive.

All that said, I hope the next JetPack release returns this functionality in the kernel itself.

JetPack 3.3 /proc/config.gz:

CONFIG_DM_CRYPT=y

JetPack 4.2 /proc/config.gz:

# CONFIG_DM_CRYPT is not set

I’ve made a follow-up topic here: https://devtalk.nvidia.com/default/topic/1049928/jetson-tx2/please-return-luks-drive-encryption-support-to-the-kernel/