Assertion `crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)' failed
Issue description
cryptsetup crashes with an assertion failure when trying to open a partition with OPAL-only encryption. Would love to know what the next steps are to investigate and fix the root cause.
Steps for reproducing the issue
- Create an OPAL LUKS2 partition
% sudo cryptsetup luksFormat /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 --type luks2 --hw-opal-only
- Enroll key in TPM:
% sudo systemd-cryptenroll /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 --tpm2-device=auto
- Try to unlock the drive:
% sudo cryptsetup open /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1 root --debug
Additional info
Using Arch Linux
% uname -a
Linux tiberius 6.8.2-arch2-1 #1 SMP PREEMPT_DYNAMIC Thu, 28 Mar 2024 17:06:35 +0000 x86_64 GNU/Linux
% systemctl --version
systemd 255 (255.4-2-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified
% cryptsetup --version
cryptsetup 2.7.1 flags: UDEV BLKID KEYRING KERNEL_CAPI HW_OPAL
% sudo cryptsetup luksDump /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2
LUKS header information
Version: 2
Epoch: 13
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: b79daba8-0598-4cd7-8c2e-be327bbb756a
Label: (no label)
Subsystem: HW-OPAL
Flags: (no flags)
Requirements: opal
Data segments:
0: hw-opal
offset: 16777216 [bytes]
length: 998038831104 [bytes]
cipher: (no SW encryption)
HW OPAL encryption:
OPAL segment number: 2
OPAL key: 256 bits
OPAL segment length: 998038831104 [bytes]
Keyslots:
0: luks2
Key: 256 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 7
Memory: 1048576
Threads: 4
Salt: 56 65 dd 7c 14 a3 6f 01 0a 06 43 de dc 43 32 4f
a3 dc 6f 21 35 71 67 01 a1 12 02 24 02 ae 32 94
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:131072 [bytes]
Digest ID: 0
1: luks2
Key: 256 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha512
Iterations: 1000
Salt: 47 c3 50 26 1e d8 82 15 dd 5d 4a 39 15 e4 1a 5c
4d 03 4c 3b ed d5 94 f2 4f e5 21 2f a2 db 4b ff
AF stripes: 4000
AF hash: sha512
Area offset:163840 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
0: systemd-tpm2
tpm2-hash-pcrs: 7
tpm2-pcr-bank: sha256
tpm2-pubkey:
(null)
tpm2-pubkey-pcrs:
tpm2-primary-alg: ecc
tpm2-blob: 00 7e 00 20 00 5a 82 3b 9e e3 2b 10 af ae ac 42
ed 7f 0a d6 42 b4 e0 24 1e 05 fc ef 69 fc 08 fd
43 4e 3a a9 00 10 95 fe 28 eb 82 12 90 d8 39 1e
2d 54 84 2b 93 52 6b a8 75 4e a3 37 71 c6 0b aa
1c 84 25 8d c4 af 59 38 61 17 1f 74 0a 25 b1 17
e9 90 cb 19 5d 72 29 88 4f 63 ed 63 77 3b 82 65
e8 1c 03 10 3f ad 1d 8b 09 bc 77 33 4d 81 10 e5
ed 7d 7e 3e ab 0a 49 65 c4 21 b6 d6 5f 29 fe b7
00 4e 00 08 00 0b 00 00 00 12 00 20 a5 38 ca af
bb 77 18 d3 fd 4e 41 b8 ec cb a4 55 f4 a0 00 c9
1e 14 bc 50 39 17 85 18 4d 39 4e 66 00 10 00 20
c3 c5 b2 dd 81 70 17 c2 02 eb 0d dc 4d 5e 06 33
57 01 f7 bf 18 15 f7 22 9d 25 14 cf 8b 75 03 de
tpm2-policy-hash:
a5 38 ca af bb 77 18 d3 fd 4e 41 b8 ec cb a4 55
f4 a0 00 c9 1e 14 bc 50 39 17 85 18 4d 39 4e 66
tpm2-pin: false
tpm2-pcrlock: false
tpm2-salt: false
tpm2-srk: true
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 285249
Salt: 4b 07 9a f1 b7 f1 4c 65 b8 8b e4 8b 89 eb cc 2f
22 eb 85 09 14 4c 19 0e 52 ae 71 c1 1c bd 81 87
Digest: df 2c c0 df a9 17 26 df 06 e1 53 20 2b 85 c3 7e
6b fd 15 f2 b9 7c e7 61 b8 21 5c 95 2b 90 85 b4
Debug log
Output with --debug option:
fernie@tiberius ~ % sudo cryptsetup open /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 root --debug
# cryptsetup 2.7.1 processing "cryptsetup open /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 root --debug"
# Verifying parameters for command open.
# Running command open.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Trying to open and read device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Crypto backend (OpenSSL 3.2.1 30 Jan 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.1.
# Detected kernel Linux 6.8.2-arch2-1 x86_64.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Opening lock resource file /run/cryptsetup/L_259:2
# Verifying lock handle for /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2
# Verifying locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:2d5d037320a27b4053d103fbbd238b3b8ac3aff0714c97660c787e2438cd49d4 (on-disk)
# Checksum:2d5d037320a27b4053d103fbbd238b3b8ac3aff0714c97660c787e2438cd49d4 (in-memory)
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:2298a14dd099ad2db00d3ae6625bb3ee69ef903faf99a0ddf8f7c343ebe8f110 (on-disk)
# Checksum:2298a14dd099ad2db00d3ae6625bb3ee69ef903faf99a0ddf8f7c343ebe8f110 (in-memory)
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
# Device size 998055608320, offset 16777216.
# Device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 READ lock released.
# PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
# LUKS2 requirements detected:
# opal - known
# Activating volume root [keyslot -1] using token.
# LUKS2 requirements detected:
# opal - known
# dm version [ opencount flush ] [16384] (*1)
# dm versions [ opencount flush ] [16384] (*1)
# Detected dm-ioctl version 4.48.0.
# Detected dm-crypt version 1.25.0.
# Device-mapper backend running with UDEV support enabled.
# dm status root [ opencount noflush ] [16384] (*1)
# Token 0 unusable for segment 0 with desired keyslot priority 2.
# Trying to load /usr/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so.
# Loading symbol cryptsetup_token_open@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_buffer_free@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_validate@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_dump@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_open_pin@CRYPTSETUP_TOKEN_1.0.
# Loading symbol cryptsetup_token_version@CRYPTSETUP_TOKEN_1.0.
# Token handler systemd-tpm2-1.0 systemd-v255 (255.4-2-arch) loaded successfully.
# Requesting JSON for token 0.
# Trying to open keyslot 1 with token 0 (type systemd-tpm2).
# Trying to open LUKS2 keyslot 1.
# Running keyslot key derivation.
# Reading keyslot area [0x28000].
# Acquiring read lock for device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Opening lock resource file /run/cryptsetup/L_259:2
# Verifying lock handle for /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2.
# Device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 READ lock taken.
# Reusing open ro fd on device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2
# Device /dev/disk/by-id/nvme-Samsung_SSD_990_PRO_1TB_S73VNJ0X112405L_1-part2 READ lock released.
# Verifying key from keyslot 1, digest 0.
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
# LUKS2 requirements detected:
# opal - known
cryptsetup: lib/setup.c:5330: _activate_luks2_by_volume_key: Assertion `crypt_volume_key_get_id(vk) == LUKS2_digest_by_segment(&cd->u.luks2.hdr, CRYPT_DEFAULT_SEGMENT)' failed.
[1] 3275 IOT instruction sudo cryptsetup open root --debug
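
The failed assertion compares the digest ID carried by the unlocked volume key with the digest assigned to the default data segment. The following is an added example, not part of the original report or of cryptsetup's code: it runs the same cross-check against the LUKS2 JSON metadata for every keyslot a token points to. The metadata is a constructed sample modelled on the dump above, and the helper names `digest_for` and `check_tokens` are hypothetical.

```python
import json

# Constructed sample in the layout of `cryptsetup luksDump --dump-json-metadata`,
# trimmed to the fields this check reads. It mirrors the reported dump:
# keyslots 0 and 1, digest 0, one hw-opal segment, token 0 bound to keyslot 1.
SAMPLE = json.loads("""
{
  "keyslots": {"0": {"type": "luks2", "key_size": 32},
               "1": {"type": "luks2", "key_size": 32}},
  "tokens":   {"0": {"type": "systemd-tpm2", "keyslots": ["1"]}},
  "segments": {"0": {"type": "hw-opal"}},
  "digests":  {"0": {"type": "pbkdf2", "keyslots": ["0", "1"], "segments": ["0"]}}
}
""")

DEFAULT_SEGMENT = "0"  # the only data segment in the reported dump


def digest_for(meta, field, member):
    """ID of the digest whose `field` list ("segments" or "keyslots") holds `member`."""
    for digest_id, digest in sorted(meta.get("digests", {}).items()):
        if member in digest.get(field, []):
            return digest_id
    return None  # no digest covers this segment/keyslot


def check_tokens(meta, segment=DEFAULT_SEGMENT):
    """Return (token, keyslot, keyslot_digest, segment_digest, ok) for each token keyslot."""
    seg_digest = digest_for(meta, "segments", segment)
    rows = []
    for token_id, token in sorted(meta.get("tokens", {}).items()):
        for slot in token.get("keyslots", []):
            ks_digest = digest_for(meta, "keyslots", slot)
            # A key unlocked from `slot` is verified against ks_digest; activation
            # of `segment` expects seg_digest. Both must exist and be equal.
            ok = ks_digest is not None and ks_digest == seg_digest
            rows.append((token_id, slot, ks_digest, seg_digest, ok))
    return rows


if __name__ == "__main__":
    for row in check_tokens(SAMPLE):
        print("token %s keyslot %s: keyslot digest %s, segment digest %s, ok=%s" % row)
```

To check a real header, load the output of `cryptsetup luksDump --dump-json-metadata <device>` with `json.load` and pass it to `check_tokens`. If every row is consistent, the on-disk digest assignments agree and the investigation moves to the activation code path named in the assertion.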