[LU-15407] fscrypt does not work on Ubuntu 5.8 kernel Created: 03/Jan/22  Updated: 21/Mar/22  Resolved: 18/Jan/22

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.15.0
Fix Version/s: Lustre 2.15.0

Type: Bug Priority: Critical
Reporter: James A Simmons Assignee: Sebastien Buisson
Resolution: Fixed Votes: 0
Labels: None
Environment:

Ubuntu 20 HWE client running a 5.8 kernel.

Issue Links:
Related
is related to LU-13717 Client-side encryption - support file... Resolved
is related to LU-13783 Support for linux kernel version 5.8 Resolved
Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

With Ubuntu LTS running a 5.8 kernel which has native fscrypt support I added in sanity-sec testing. This is using the default embedded llcrypt and it failed the fscrypt test. For sanity-sec 46 I get:

== sanity-sec test 46: encrypted file access semantics without key ========================================================== 07:46:51 (1641221211)
10.0.0.10@tcp:/lustre /mnt/lustre lustre rw,checksum,flock,user_xattr,lruresize,lazystatfs,nouser_fid2path,verbose,encrypt 0 0
Stopping client samuel /mnt/lustre (opts
Starting client: samuel:  -o user_xattr,flock,test_dummy_encryption 10.0.0.10@tcp:/lustre /mnt/lustre
mount.lustre: test dummy encryption option ignored: could not insert dummy encryption key into session keyring
Unable to dump key: Key has been revoked
Format:

All the fscrypt test fail the same way.

 Comments   
Comment by Peter Jones [ 04/Jan/22 ]

Seb

Could you please investigate?

Thanks

Peter

Comment by Sebastien Buisson [ 06/Jan/22 ]

Hi James,

I tried but did not manage to reproduce. Here is my configuration:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal
# uname -r
5.8.0-63-generic

And like you, I am using the embedded llcrypt lib instead of the in-kernel fscrypt.

When mounting with test_dummy_encryption option, it works and the fscrypt key is added to the session keyring:

# keyctl show
Session Keyring
 499722460 --alswrv      0     0  keyring: _ses
 302746999 --alswrv      0 65534   \_ keyring: _uid.0
  70358189 --alsw-v      0     0   \_ logon: fscrypt:4242424242424242

The error message could not insert dummy encryption key into session keyring you get is displayed when the call to add_key fails. This function is provided by libkeyutils, in my case it is:

libkeyutils1/focal,now 1.6-6ubuntu1 amd64 [installed,automatic]
Comment by James A Simmons [ 10/Jan/22 ]

I figured out its due to one of the sanity-sec test failing. Currently if any of the test fail the later test also will fail with the above error. My thinking is that the sanity-sec test are not properly revoking the key on failing testing. 

Comment by Gerrit Updater [ 11/Jan/22 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/46038
Subject: LU-15407 test: remove dummy enc key at cleanup
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: b05a9eb3e2fbe4110c66c12447af971577faa46c

Comment by Gerrit Updater [ 18/Jan/22 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/46038/
Subject: LU-15407 test: remove dummy enc key at cleanup
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: ec0b308614a2bad18a7a1fd805f36eb8ed6ea5eb

Comment by Peter Jones [ 18/Jan/22 ]

Landed for 2.15

Generated at Sat Feb 10 03:18:03 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.