Arch Linux

RickDeckard

Member

From: Acworth, Georgia, USA

Registered: 2016-02-19

Posts: 59

[SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

I have two encrypted partitions each on my main and media laptops for their Arch Linux installations, and one of them (where /home is located) uses a SHA512 hash.  This caused the device mapper and consequently boot to fail on both with the message "error allocating crypto tfm" after I upgraded kernels.  I learned this might have been due to a missing crypto protocol module so after checking the /lib/modules/$(uname -r)/kernel/crypto on both lappies I found an interesting issue:

The main laptop, which was using 4.18.6, had the sha512_generic module available.  The 4.18.7 did not and instead only had sha3_generic.  Updating initramfs as well as reinstalling both 4.18.7 and .6 via Pacman did not solve the issue.  Only a downgrade back to 4.18.5 through the ALA did and now both computers are functioning again.

Is SHA512 being phased out in favor of SHA3 or something?  I ask because the file list on packages.archlinux.org doesn't happen to include sha512_generic.ko.xz.  I hope I don't have to delete and remake my whole /home partitions either in light of this because I have too much and too important stuff on the main laptop to lose.

Last edited by RickDeckard (2018-09-13 18:24:36)

loqs

Member

Registered: 2014-03-06

Posts: 17,321

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

linux-hardened uses

CONFIG_CRYPTO_SHA512=y

so the code is built in rather than as a seperate module.
linux uses

CONFIG_CRYPTO_SHA512=m

and sha512_generic.ko.xz is still provided by linux 4.18.7.arch1-1
Edit:
You should can check the availability of sha512 on linux-hardened using

cat /proc/crypto

Last edited by loqs (2018-09-11 14:56:04)

Everette88

Member

Registered: 2018-02-17

Posts: 41

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

You have some misconfiguration on your system - are you trying to load sha512 module in initramfs?

Normal linux kernel will also have sha512 build-in instead of module in next update so I recommend fix your system asap or you will be locked out.

https://git.archlinux.org/svntogit/pack … b952d4e55d

RickDeckard

Member

From: Acworth, Georgia, USA

Registered: 2016-02-19

Posts: 59

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

You have some misconfiguration on your system - are you trying to load sha512 module in initramfs?

I thought that might have been it after you asked, so I went to mkinitcpio.conf and found this:

MODULES=(btrfs ecryptfs encrypted_keys vfat fat nls_cp437 nls_iso8859-1)

As you can see it's not there, but then I went to /etc/modules-load.d/strongswan.conf (I use both computers to connect to the work VPN) and found this:

xt_policy
xfrm_user
authenc
echainiv
xfrm6_mode_tunnel
xfrm4_mode_tunnel
ccm
xfrm_user
xfrm4_tunnel
sha512_ssse3
***sha512_generic***
tunnel4
ipcomp
xfrm_ipcomp
esp4
ah4
af_key 
xfrm_algo

I'll try to remove that line, upgrade kernels again, and then report back.

Last edited by RickDeckard (2018-09-13 16:20:35)

loqs

Member

Registered: 2014-03-06

Posts: 17,321

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

If that fails post the full dmesg for the failed boot.  You can store the output on whatever filesystem the kernel was loaded from while you switch kernels.

RickDeckard

Member

From: Acworth, Georgia, USA

Registered: 2016-02-19

Posts: 59

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

I'm in my desktop after a kernel upgrade!  It gave me a bit of a runaround on boot because 4.18.5 used bpfilter for iptables and it was expecting to find that so it kicked me to the emergency shell once, but it was a success(?) Thanks for the help.

Everette88

Member

Registered: 2018-02-17

Posts: 41

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

Kernel bpfilter module wasn't used for anything, it was added by mistake and it's now gone: https://bugs.archlinux.org/task/59833. I hope your system isn't forcefully trying to load it in some place

Last edited by Everette88 (2018-09-13 21:17:33)

ua4000

Member

Registered: 2015-10-14

Posts: 418

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

sorry to ask, I'm interested in this issue, RickDeckard:

In your first post you had problems while using 4.18.7.
Now you downgraded to 4.18.5 and this solved the issue ?
Or did you modify your mkinitcpio.conf and then 4.18.7 was fine too ?

Thanks !

RickDeckard

Member

From: Acworth, Georgia, USA

Registered: 2016-02-19

Posts: 59

Re: [SOLVED] Cryptsetup fails,missing sha512 module in 4.18.7-a-1-hardened

sorry to ask, I'm interested in this issue, RickDeckard:

In your first post you had problems while using 4.18.7.
Now you downgraded to 4.18.5 and this solved the issue ?
Or did you modify your mkinitcpio.conf and then 4.18.7 was fine too ?

Thanks !

I modified the contents of my /etc/modules-load.d directory because StrongSwan wanted to load in the SHA512 module and it helped me work with module loading disabled, but that's largely correct on both counts.

Kernel bpfilter module wasn't used for anything, it was added by mistake and it's now gone: https://bugs.archlinux.org/task/59833. I hope your system isn't forcefully trying to load it in some place

It was part of modules-load.d when I realized it had to load, as per the bug you linked, otherwise iptables wouldn't function.  I've taken it out since upgrading to 4.18.7 and regenerated the initramfs which caused that warning to disappear.

Last edited by RickDeckard (2018-09-14 15:36:43)