plainOpen and luksClose hang on "Unlocking memory."
Issue description
fc17: Certain cryptsetup operations (plainOpen and luksClose, but presumably others too) take several minutes: more than 2 on an RK3399 and more than 6 on an RK3328, even though `cryptsetup benchmark` shows good performance (>200 MiB/s). The time is spent on the last step, `# Unlocking memory.`, which the debug output prints just before `Command successful.`…
Steps for reproducing the issue
Use the randomEncryption option on a swap device in NixOS. Specifically, this uses commands like `cryptsetup plainOpen -c aes-xts-plain64 -d /dev/urandom --allow-discards /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3 dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3` and `cryptsetup luksClose dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3`… Note that running them manually produces the same result…
Additional info
NixOS… because others (using NixOS) didn't seem to be able to reproduce, i.e. finished these commands within seconds… certain custom sysctls and boot parameters, or the fact we use hardened_malloc (from GrapheneOS, then again… GrapheneOS is an Android fork, so afaik it uses cryptsetup too…) as the default malloc might be relevant? As for the custom sysctls…
# Hardening sysctls from the reporter's NixOS configuration
# (attribute-set entries; the enclosing braces are not shown on this page).

# Kernel information exposure and privileged interfaces.
"kernel.kptr_restrict" = 2; # kernel addresses printed with %pK are zeroed for every user
"kernel.dmesg_restrict" = 1; # reading the kernel log requires CAP_SYSLOG
"kernel.unprivileged_bpf_disabled" = 1; # bpf() needs privilege; value 1 cannot be reverted without a reboot
"kernel.yama.ptrace_scope" = 3; # no process may ptrace-attach; cannot be lowered once set
"kernel.kexec_load_disabled" = 1; # one-way switch: no replacement kernel can be kexec-loaded
"kernel.sysrq" = 4; # bitmask: only the keyboard-control functions (SAK, unraw) stay enabled
"kernel.perf_event_paranoid" = 3; # NOTE(review): 3 is not a mainline level; presumably relies on a patch in the -hardened kernel, confirm
"net.core.bpf_jit_harden" = 2; # BPF JIT hardening applied for all users, not only unprivileged ones

# TCP/IP behaviour.
"net.ipv4.tcp_rfc1337" = 1; # drop RST segments for sockets in TIME-WAIT (RFC 1337)
"net.ipv4.tcp_sack" = 0; # selective acknowledgements off: less TCP option handling, slower loss recovery
"net.ipv4.tcp_dsack" = 0; # duplicate SACK off as well
"net.ipv4.tcp_fack" = 0; # NOTE(review): believed to be a no-op on kernels since 4.15, confirm
"net.ipv4.tcp_syncookies" = 1; # answer SYN floods with SYN cookies once the backlog is full
"net.ipv4.conf.all.rp_filter" = 1; # strict reverse-path filtering against spoofed source addresses
"net.ipv4.conf.default.rp_filter" = 1; # same setting for interfaces created later

"dev.tty.ldisc_autoload" = 0; # loading a TTY line discipline module requires CAP_SYS_MODULE

# Memory management.
"vm.swappiness" = 1; # swap out anonymous memory only as a last resort
"vm.max_map_count" = 1048576; # For hardened_malloc
"vm.mmap_rnd_bits" = 32; # ASLR entropy for mmap; the accepted range depends on architecture and page size, confirm 32 is accepted on this kernel
"vm.mmap_rnd_compat_bits" = 16; # same, for 32-bit compat processes
"vm.unprivileged_userfaultfd" = 0; # restricts userfaultfd use by unprivileged processes

# Link and file-creation protections in world-writable directories.
"fs.protected_symlinks" = 1; # symlinks in sticky world-writable dirs are followed only under ownership conditions
"fs.protected_hardlinks" = 1; # hardlinks may only be created to files the user owns or can read and write
"fs.protected_fifos" = 2; # no O_CREAT open of FIFOs owned by others in sticky dirs; 2 extends this to group-writable dirs
"fs.protected_regular" = 2; # same restriction for regular files

# Core dumps.
"kernel.core_pattern" = "|${pkgs.coreutils-full}/bin/false"; # cores are piped to `false`, so they are discarded
"fs.suid_dumpable" = 0; # no core dumps for setuid or otherwise privilege-changed processes
Custom boot (kernel) parameters:
# Kernel command-line hardening flags from the reporter's configuration
# (list entries; the enclosing brackets are not shown on this page).
"slab_nomerge" # keep slab caches of similar size separate
"init_on_alloc=1" # zero page and heap memory when it is allocated
"init_on_free=1" # zero page and heap memory when it is freed
"pages_alloc.shuffle=1" # NOTE(review): the upstream parameter is spelled page_alloc.shuffle; as written this entry is probably ignored, confirm against the real config
"pti=on" # NOTE(review): pti= is documented as x86-only and the debug log reports aarch64, where the option is kpti=; likely no effect here
"randomize_kstack_offset=on" # randomize the kernel stack offset on each syscall
"vsyscall=none" # NOTE(review): vsyscall= is documented as x86-64 only; likely no effect on the aarch64 boards named in this report
"debugfs=off" # debugfs is not made available
"oops=panic" # turn any kernel oops into a panic instead of continuing
"module.sig_enforce=1" # only validly signed kernel modules may load
"lockdown=confidentiality" # kernel lockdown in confidentiality mode: userspace, root included, cannot read kernel memory
Debug log
Output with --debug option:
# cryptsetup 2.4.3 processing "cryptsetup --debug-json plainOpen -c aes-xts-plain64 -d /dev/urandom --allow-discards /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3 dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3.
# Trying to open and read device /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3 with direct-io.
# Initialising device-mapper backend library.
# Formatting device /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3 as type PLAIN.
# Crypto backend (OpenSSL 1.1.1o 3 May 2022) initialized in cryptsetup library version 2.4.3.
# Detected kernel Linux 5.15.43-hardened1 aarch64.
# Activating volume dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 [keyslot -1] using keyfile /dev/urandom.
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-ioctl version 4.45.0.
# Detected dm-crypt version 1.23.0.
# Device-mapper backend running with UDEV support enabled.
# dm status dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 [ opencount noflush ] [16384] (*1)
# Trying to activate PLAIN device dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 using cipher aes-xts-plain64.
# dm versions [ opencount flush ] [16384] (*1)
# dm status dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 [ opencount noflush ] [16384] (*1)
# Calculated device size is 8388608 sectors (RW), offset 0.
# DM-UUID is CRYPT-PLAIN-dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3
# Udev cookie 0xd4d192d (semid 8) created
# Udev cookie 0xd4d192d (semid 8) incremented to 1
# Udev cookie 0xd4d192d (semid 8) incremented to 2
# Udev cookie 0xd4d192d (semid 8) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK (0x20)
# dm create dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 CRYPT-PLAIN-dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 [ opencount flush ] [16384] (*1)
# dm reload (253:0) [ opencount flush securedata ] [16384] (*1)
# dm resume dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 [ opencount flush securedata ] [16384] (*1)
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3: Stacking NODE_ADD (253,0) 0:0 0600 [trust_udev]
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4d192d (semid 8) decremented to 1
# Udev cookie 0xd4d192d (semid 8) waiting for zero
# Udev cookie 0xd4d192d (semid 8) destroyed
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3: Skipping NODE_ADD (253,0) 0:0 0600 [trust_udev]
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3: Processing NODE_READ_AHEAD 256 (flags=1)
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3 (253:0): read ahead is 256
# dev-disk-byx2dpartuuid-1e984d58x2d2ad9x2d4d1ax2d8c52x2d04413943fcb3: retaining kernel read ahead of 256 (requested 256)
# Releasing crypt device /dev/disk/by-partuuid/1e984d58-2ad9-4d1a-8c52-04413943fcb3 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.