cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4.232

This forum is for Marvell Kirkwood devices such as the GoFlex Home/Net, PogoPlug v1/v2, SheevaPlug, and ZyXEL devices.

Postby technosf » Thu Oct 01, 2020 10:48 pm

Saw cryptodev minor up to 1.11 with interest. 1.10 always failed to compile under DKMS with an error. 1.11 compiled fine!

Then, sshd failed to start:

    Unable to shield host key "/etc/ssh/ssh_host_ed25519_key": error in libcrypto
    Unable to load host key: /etc/ssh/ssh_host_ed25519_key
    accumulate_host_timing_secret: ssh_digest_start

Reverting back to cryptodev-dkms-1.10-4 fixed it.

I'm on linux-kirkwood-4.4.232, not DT.

Any thoughts on how to fix this or is this just the price of not being on DT?

TIA!
MochaBin 5G || NSA325
technosf
 
Posts: 130
Joined: Sat Jan 08, 2011 10:54 pm

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby moonman » Sat Oct 03, 2020 4:31 am

Kernel was probably compiled with an older gcc version so it fails compiling the module. A new version will be pushed shortly which should fix this.
Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby kriztioan » Sat Oct 03, 2020 9:22 pm

My understanding was that the dt-kernel was needed to expose the hardware crypto-engine, but perhaps it is as @moonman suggests. However, I stopped using cryptodev a while back as sshd hardening doesn't play well with it anymore: it wants to open /dev/crypto and OpenSSH bails out because it is not allowed to do so in the hardened sandbox environment. See https://archlinuxarm.org/forum/viewtopic.php?f=53&t=11505. Of course, if you know of any workaround, I'm happy to learn it!
kriztioan
 
Posts: 51
Joined: Sat Apr 29, 2017 1:32 am

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby moonman » Sun Oct 04, 2020 5:00 am

Hmm, I do remember the move to mv-cesa from the old cesa module and something not working, but someone would have to check whether it works or not with the non-dt kernel as I'm rusty on this aspect. The module does load now though.

Also, OP should really switch to the dt kernel if at all possible. All the non-dt code was removed from mainline a long time ago, and it has just been patched back into linux-kirkwood for devices that have no dt support.
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby Kabbone » Sun Oct 04, 2020 8:52 am

sshd also doesn't work with dt-kernel. The service starts, but login fails. Just noticed a few weeks ago
Kabbone
 
Posts: 153
Joined: Thu Jul 25, 2013 9:20 am

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby moonman » Sun Oct 04, 2020 6:22 pm

kriztioan wrote:
> My understanding was that the dt-kernel was needed to expose the hardware crypto-engine, but perhaps it is as @moonman suggests. However, I stopped using cryptodev a while back as sshd hardening doesn't play well with it anymore: it wants to open /dev/crypto and OpenSSH bails out because it is not allowed to do so in the hardened sandbox environment. See https://archlinuxarm.org/forum/viewtopic.php?f=53&t=11505. Of course, if you know of any workaround, I'm happy to learn it!

Kabbone wrote:
> sshd also doesn't work with the dt-kernel. The service starts, but login fails. Just noticed a few weeks ago

You can use dropbear instead of openssh.
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby technosf » Tue Oct 06, 2020 3:43 am

Upgraded to 4.4.238-1-ARCH and tried Cryptodev 1.11 again with same failure.

Somewhat of an aside, regarding moving to the DT build, I'm up for that, and looked into it a few years ago. However I could not get clear on the prerequisites and rather than screw up my NSA525, I've left it. Specifically there was the issue of which UBoot to be on, and where to specifically source it, and then configuring pacman to make DT the mainline.

If there are some concise instructions - I'm game right now. Current U-Boot 1.1.4 (Jul 18 2013 - 10:47:29) Marvell version: 3.5.9

Also perhaps more ballpark, what SSH server should we be targeting from a performance and security standpoint? And VPN..?

I appreciate all the help!

T
technosf
 
Posts: 130
Joined: Sat Jan 08, 2011 10:54 pm

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby kriztioan » Thu Oct 08, 2020 11:20 pm

@moonman I had a quick look into dropbear, but I couldn't find it mentioned anywhere that it would actually be able to make use of cryptodev. My testing with dropbear seems to show not: dropbear neither accepts/recognizes the aes128-cbc cipher, nor are interrupts ever added to f1030000.crypto in /proc/interrupts. I could be missing something as the documentation is pretty limited.

@technofs On 5.8.13-1-ARCH (dt-kernel) and cryptodev-dkms-1.11-1 (open)sshd fails with a similar message to yours.

    $ sudo /usr/bin/sshd -D -d
    debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1h 22 Sep 2020
    debug1: Unable to load host key "/etc/ssh/ssh_host_rsa_key": error in libcrypto
    debug1: Unable to load host key: /etc/ssh/ssh_host_rsa_key
    debug1: Unable to shield host key "/etc/ssh/ssh_host_ecdsa_key": error in libcrypto
    debug1: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
    debug1: Unable to shield host key "/etc/ssh/ssh_host_ed25519_key": error in libcrypto
    debug1: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
    accumulate_host_timing_secret: ssh_digest_start

openssl-cryptodev-1.1.1.h-1 works just fine.

    $ openssl engine devcrypto -t -c
    (devcrypto) /dev/crypto engine
    [DES-CBC, DES-EDE3-CBC, BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, AES-128-ECB, AES-192-ECB, AES-256-ECB, CAMELLIA-128-CBC, CAMELLIA-192-CBC, CAMELLIA-256-CBC, MD5, SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512]
    [ available ]

During some web searching I came across a post somewhere that suggested some issue with OpenSSH forking and the kernel not duplicating the in-kernel cryptodev context, making it not available to the forked child ...

Either way, OpenSSH connections cannot be accelerated because the latest versions of OpenSSH enforce usage of the seccomp sandbox, which forbids some syscalls required to use devcrypto.

As for moving your system to the dt-kernel, did you mean to say you have a NSA325? If so, there are some related topics on the forum, e.g., https://archlinuxarm.org/forum/viewtopic.php?f=47&t=13688&p=61281&hilit=nsa325+device+tree#p61281.

Good luck!
kriztioan
 
Posts: 51
Joined: Sat Apr 29, 2017 1:32 am
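A small diagnostic script, added here as an example and not part of any post in this thread, that walks the chain the posts above are probing one stage at a time: is the cryptodev module loaded, does /dev/crypto exist, does OpenSSL's devcrypto engine report itself available (and how many AES modes it advertises), and does sshd manage to load its host keys. The parsing helpers are exercised against the engine and sshd output quoted earlier in the thread, embedded below as sample strings; the live checks only run with `--live`, need root (sshd has to read the host keys), and assume the standard paths /dev/crypto and /usr/bin/sshd.

```shell
#!/bin/sh
# Added example, not code from the thread. Diagnoses the
# cryptodev module -> OpenSSL devcrypto engine -> sshd host-key chain.
# Live checks need root, since sshd must read /etc/ssh/ssh_host_*_key.

# Classify `openssl engine devcrypto -t -c` output: available / unavailable / missing.
engine_status() {
    case "$1" in
        *"[ available ]"*)   echo available ;;
        *"[ unavailable ]"*) echo unavailable ;;
        *)                   echo missing ;;
    esac
}

# Number of AES modes the engine advertises in its first "[ ... ]" algorithm list.
engine_aes_modes() {
    printf '%s\n' "$1" | sed -n 's/^\[\(.*\)]$/\1/p' | head -n 1 \
        | tr ',' '\n' | grep -c 'AES' || true
}

# Number of host keys `sshd -d` reported it could not load.
failed_hostkeys() {
    printf '%s\n' "$1" | grep -c 'Unable to load host key:' || true
}

# Sample inputs: the engine and sshd output quoted earlier in this thread.
SAMPLE_ENGINE='(devcrypto) /dev/crypto engine
[DES-CBC, DES-EDE3-CBC, BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, AES-128-ECB, AES-192-ECB, AES-256-ECB, CAMELLIA-128-CBC, CAMELLIA-192-CBC, CAMELLIA-256-CBC, MD5, SHA1, RIPEMD160, SHA224, SHA256, SHA384, SHA512]
[ available ]'

SAMPLE_SSHD='debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1h 22 Sep 2020
debug1: Unable to load host key "/etc/ssh/ssh_host_rsa_key": error in libcrypto
debug1: Unable to load host key: /etc/ssh/ssh_host_rsa_key
debug1: Unable to shield host key "/etc/ssh/ssh_host_ecdsa_key": error in libcrypto
debug1: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: Unable to shield host key "/etc/ssh/ssh_host_ed25519_key": error in libcrypto
debug1: Unable to load host key: /etc/ssh/ssh_host_ed25519_key'

# Live checks against the running system (root required for the sshd step).
live_check() {
    if lsmod 2>/dev/null | grep -q '^cryptodev '; then
        echo "cryptodev module: loaded"
    else
        echo "cryptodev module: not loaded"
    fi
    if [ -c /dev/crypto ]; then
        echo "/dev/crypto: present"
    else
        echo "/dev/crypto: missing"
    fi
    eng=$(openssl engine devcrypto -t -c 2>&1 || true)
    echo "devcrypto engine: $(engine_status "$eng") ($(engine_aes_modes "$eng") AES modes)"
    # -t parses the config and loads the host keys without listening; -d logs to stderr.
    out=$(/usr/bin/sshd -d -t 2>&1 || true)
    n=$(failed_hostkeys "$out")
    if [ "$n" -gt 0 ]; then
        echo "sshd: $n host key(s) failed to load (the symptom in this thread)"
        printf '%s\n' "$out" | grep 'error in libcrypto'
    else
        echo "sshd: host keys load fine"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as root with `--live` on the affected box; a "missing" engine with a present /dev/crypto points at the OpenSSL build, while an available engine together with failed host keys reproduces what the posts above describe.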

Re: cryptodev-dkms-1.11-1 breaking SSH on linux-kirkwood-4.4

Postby moonman » Fri Oct 09, 2020 10:14 pm

My point was to use dropbear if you can't login with sshd and with cryptodev loaded. Dropbear IIRC does not use OpenSSL so it doesn't use cryptodev. It's got its own version of encryption libs built in so will work even if you butchered OpenSSL libs by accident somehow.
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

