cabela

Problems with crypt root


Hi Igor,

Hi Everyone,

 

I am very new here. I have an Orange Pi R1 and with Armbian everything is working; however, I have proprietary software and want to secure it (as much as possible). I read a lot of articles and read about Armbian supporting CRYPTROOT_ENABLE, so I decided to try to build my own image.

I have succeeded in building 5 images but unfortunately none of them boots correctly. I decided to first build an image without CRYPTROOT_ENABLE but still cannot succeed. It gives me a KERNEL PANIC after trying to load/uncompress Linux.

I basically want the default Armbian image for Orange Pi R1 + CRYPTROOT_ENABLE.

My second question will follow after this - I've read that the 2 options for unlocking an encrypted LUKS partition are to type in the password via keyboard or via SSH with dropbear. However, I was thinking of using the SPI flash integrated on the Orange Pi R1, because SPI is independent of the SD card. If someone gets the SD card, he still does not have the KEY to unlock it? I have googled and searched this forum for similar posts and only found a post about "Full root encryption of Orange Pi PC", but unfortunately this walkthrough does not work for me (Orange Pi R1).

Any help will be more than appreciated!

 

Thanks everyone in advance


Hard to investigate "does not boot" when there is no further debug output. Do you have a USB UART converter to help yourself to a serial console? If not, get one. Dirt cheap and extremely helpful.

You can also activate more verbose output at the boot process:

 

Quote

With more recent Armbian builds you would have to alter the verbosity= line in /boot/armbianEnv.txt (defaults to 1 which means less verbose, maximum value is 7).

 

Is it really necessary to encrypt your root folder? Maybe it is easier to create some kind of jail or chroot and use the software inside. This chroot could be within a home directory, for example.

 

If I were a thief I would take the whole board rather than pulling the SD card out. So the unlock key MUST be stored physically somewhere else.

 

 

@moderators: This could probably be split into its own topic.


Dear Werner,

I understand I have given some basic info because I expected this to be some kind of known issue. I do have a USB UART and it is connected. I have not touched armbianEnv for more verbosity (I will do this later today and will give the output), but this is on the unencrypted version, which also fails with my own image. About root encryption - I am thinking of storing the key on some external memory (some SPI flash or NVRAM), and all the ICs on the PCB will be glued with black resin so that they cannot be disassembled. The software cannot be chrooted because it plays the role of a server; if you have the SD card outside the Orange Pi, you can have the software. If there is a better way of saving my software, which I am trying to sell, I am open to it, but it will be another topic.
My primary idea was to build a ROOT-encrypted image with the key stored in the SPI or another NVRAM connected via I2C, so that it unlocks by itself. If someone has the SD card, he cannot decrypt the content, and also the SPI IC will be glued to the PCB, so it won't be that easy to remove the SPI?
Maybe I am doing something wrong when building the image? I have installed Ubuntu (the very version mentioned in the howto) on a VPS server, downloaded the Armbian Git repository, ran compile.sh and chose to build a full image with the next kernel, then chose Orange Pi R1, and basically this is all... After compilation was ready (no errors) I had the .img file ready and copied it to the SD card (copied as usual, with Win32DiskImager).
The SD card boots U-Boot and then, at "Uncompressing Linux ...", waits for about 5-10 seconds and dumps out a kernel exception (kernel panic).
This happens with both ENCRYPT ROOT and the unencrypted image.

40 minutes ago, cabela said:

because expected this to be some kind of known issue

 

Always assume it's not a known issue - supplying "everything" saves us a lot of time. This feature was tested at merge time, a manual/how-to exists in the docs and we try not to break it.

 

48 minutes ago, cabela said:

I am thinking of storing the key on some external


IMO, the key must be elsewhere, otherwise there is no point in doing this.

 

50 minutes ago, cabela said:

with Win32DiskImager


https://docs.armbian.com/User-Guide_Getting-Started/#how-to-prepare-a-sd-card

Written why win32 is a bad idea.

 

49 minutes ago, cabela said:

Maybe I am doing something wrong when building the image

51 minutes ago, cabela said:

this happens to both ENCRYPT ROOT and not encrypted

 

Now, there must be something wrong. I assume you don't have troubles with our pre-built images?

Check debug/output and build with the additional parameter PROGRESS_DISPLAY="plain" to see more when building. Perhaps it is just your SD card / wrong burning method?


Fortunately, when I changed the SD card I succeeded in booting the normal image (without cryptroot).

However, when I enabled verbosity=7 and console=serial and tried to load my crypto

 

Begin: Mounting root file system ... Begin: Running /scripts/local-top ... done.
[    5.211099] mmc1: new high speed SDIO card at address 0001
Begin: Running /scripts/local-premount ... Scanning for Btrfs filesystems[    5.240369] random: fast init done

done.
Begin: Waiting for root file system ... Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
done.
Gave up waiting for root file system device.  Common problems:
 - Boot args (cat /proc/cmdline)
   - Check rootdelay= (did the system wait long enough?)
 - Missing modules (cat /proc/modules; ls /dev)
ALERT!  /dev/mapper/armbian-root does not exist.  Dropping to a shell!
Rebooting automatically due to panic= boot argument
[   46.102019] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000

 


Interesting. I get kernel panic as well. Cryptoroot might be currently broken in general.

 

U-Boot SPL 2019.04-armbian (Aug 05 2019 - 15:05:26 +0000)
DRAM: 1024 MiB
Trying to boot from MMC1
NOTICE:  BL31: v2.1(debug):3ee48f4-dirty
NOTICE:  BL31: Built : 15:05:16, Aug  5 2019
NOTICE:  BL31: Detected Allwinner H6 SoC (1728)
NOTICE:  BL31: Found U-Boot DTB at 0xc079c08, model: OrangePi One Plus
INFO:    ARM GICv2 driver initialized
NOTICE:  PMIC: Probing AXP805
NOTICE:  PMIC: AXP805 detected
INFO:    BL31: Platform setup done
INFO:    BL31: Initializing runtime services
INFO:    BL31: cortex_a53: CPU workaround for 855873 was applied
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x4a000000
INFO:    SPSR = 0x3c9


U-Boot 2019.04-armbian (Aug 05 2019 - 15:05:26 +0000) Allwinner Technology

CPU:   Allwinner H6 (SUN50I)
Model: OrangePi One Plus
DRAM:  1 GiB
MMC:   mmc@4020000: 0
Loading Environment from EXT4... ** File not found /boot/boot.env **

** Unable to read "/boot/boot.env" from mmc0:1 **
In:    serial@5000000
Out:   serial@5000000
Err:   serial@5000000
Net:   No ethernet found.
starting USB...
No controllers found
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found U-Boot script /boot.scr
3042 bytes read in 2 ms (1.5 MiB/s)
## Executing script at 4fc00000
U-boot loaded from SD
Boot script loaded from mmc
166 bytes read in 0 ms
27296 bytes read in 6 ms (4.3 MiB/s)
4161 bytes read in 3 ms (1.3 MiB/s)
Applying kernel provided DT fixup script (sun50i-h6-fixup.scr)
## Executing script at 44000000
8695915 bytes read in 886 ms (9.4 MiB/s)
14954504 bytes read in 1518 ms (9.4 MiB/s)
## Loading init Ramdisk from Legacy Image at 4fe00000 ...
   Image Name:   uInitrd
   Image Type:   AArch64 Linux RAMDisk Image (gzip compressed)
   Data Size:    8695851 Bytes = 8.3 MiB
   Load Address: 00000000
   Entry Point:  00000000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 4fa00000
   Booting using the fdt blob at 0x4fa00000
   Loading Ramdisk to 497b4000, end 49fff02b ... OK
   Loading Device Tree to 0000000049744000, end 00000000497b3fff ... OK

Starting kernel ...

[   44.800773] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
[   44.808444] CPU: 3 PID: 1 Comm: init Not tainted 5.2.6-sunxi64 #5.93
[   44.814794] Hardware name: OrangePi One Plus (DT)
[   44.819494] Call trace:
[   44.821953]  dump_backtrace+0x0/0x140
[   44.825616]  show_stack+0x14/0x20
[   44.828933]  dump_stack+0xa8/0xcc
[   44.832250]  panic+0x150/0x32c
[   44.835304]  do_exit+0xa9c/0xaa0
[   44.838531]  do_group_exit+0x34/0xd0
[   44.842105]  __arm64_sys_exit_group+0x14/0x18
[   44.846463]  el0_svc_common.constprop.0+0x64/0x160
[   44.851253]  el0_svc_handler+0x20/0x78
[   44.855001]  el0_svc+0x8/0xc
[   44.857883] SMP: stopping secondary CPUs
[   44.861810] Kernel Offset: disabled
[   44.865298] CPU features: 0x0002,20002004
[   44.869304] Memory Limit: none
[   44.872362] Rebooting in 10 seconds..

I built a new image with the same settings but cryptoroot and it boots normally.

 

orangepioneplus login: root
Password:
Last login: Mon Aug  5 09:58:29 UTC 2019 on ttyS0
  ___  ____  _    ___
 / _ \|  _ \(_)  / _ \ _ __   ___   _
| | | | |_) | | | | | | '_ \ / _ \_| |_
| |_| |  __/| | | |_| | | | |  __/_   _|
 \___/|_|   |_|  \___/|_| |_|\___| |_|

Welcome to Debian Buster with Armbian Linux 5.2.6-sunxi64
System load:   1.22 0.45 0.16   Up time:       1 min
Memory usage:  9 % of 991MB     IP:
CPU temp:      34°C
Usage of /:    4% of 29G

 


Do you think it is only broken for this specific board or broken at all?

I have some other boards at work and will try tomorrow to build an image for another board with cryptroot.

As seen on my screen, it shows that /dev/mapper/armbian-root does not exist.

I do not know if this helps.


With bionic - moved a little bit forward but still a kernel panic...

It asks for the password, and after the correct password is given it starts to boot but then hangs.

 

[    6.525588] device-mapper: ioctl: 4.39.0-ioctl (2018-04-03) initialised: dm-devel@redhat.com
Please unlock disk armbian-root: 
[   31.872802] NET: Registered protocol family 38
[   33.058377] random: cryptsetup: uninitialized urandom read (2 bytes read)
cryptsetup (armbian-root): set up successfully
done.
Begin: Running /scripts/local-premount ... Scanning for Btrfs filesystems
done.
Begin: Will now check root file system ... fsck from util-linux 2.31.1
[/sbin/fsck.ext4 (1) -- /dev/mapper/armbian-root] fsck.ext4 -a -C0 /dev/mapper/armbian-root 
/dev/mapper/armbian-root: clean, 35947/60032 files, 188438/240128 blocks
done.
[   33.672350] EXT4-fs (dm-0): mounted filesystem with writeback data mode. Opts: (null)
done.
Begin: Running /scripts/local-bottom ... done.
Begin: Running /scripts/init-bottom ... done.
[   34.606962] systemd[1]: System time before build time, advancing clock.
[   34.666720] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
[   34.688556] systemd[1]: Detected architecture arm.

Welcome to Ubuntu 18.04.2 LTS!

[   34.714477] systemd[1]: Set hostname to <orangepi>.
[   35.315531] random: systemd: uninitialized urandom read (16 bytes read)
[   35.322418] systemd[1]: Started ntp-systemd-netif.path.
[  OK  ] Started ntp-systemd-netif.path.
[   35.341170] random: systemd: uninitialized urandom read (16 bytes read)
[   35.348747] systemd[1]: Created slice User and Session Slice.
[  OK  ] Created slice User and Session Slice.
[   35.365160] random: systemd: uninitialized urandom read (16 bytes read)
[   35.372037] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[   35.393214] systemd[1]: Reached target System Time Synchronized.
[  OK  ] Reached target System Time Synchronized.
[   35.413139] systemd[1]: Reached target Swap.
[  OK  ] Reached target Swap.
[   35.429339] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[   35.453136] systemd[1]: Reached target Remote File Systems.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Set up automount Arbitrary Executab…rmats File System Automount Point.
[  OK  ] Created slice System Slice.
[  OK  ] Listening on Syslog Socket.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[  OK  ] Reached target Slices.
[  OK  ] Listening on Journal Socket.
         Mounting Kernel Debug File System...
         Starting Set the console keyboard layout...
         Mounting POSIX Message Queue File System...
[  OK  ] Created slice system-systemd\x2dfsck.slice.
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
         Starting Create list of required st…ce nodes for the current kernel...
[  OK  ] Listening on udev Control Socket.
         Starting udev Coldplug all Devices...
[  OK  ] Listening on fsck to fsckd communication Socket.
[  OK  ] Listening on Journal Audit Socket.
         Starting Nameserver information manager...
         Starting Remount Root and Kernel File Systems...
         Starting Load Kernel Modules...
[   35.787900] EXT4-fs (dm-0): re-mounted. Opts: commit=600,errors=remount-ro
         Starting Restore / save the current clock...
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Journal Service...
[   35.832852] g_serial gadget: Gadget Serial v2.4
[   35.838263] g_serial gadget: g_serial ready
[  OK  ] Created slice system-systemd\x2dcryptsetup.slice.
[   35.856009] usbcore: registered new interface driver r8152
[  OK  ] Mounted Kernel Debug File System.
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Started Create list of required sta…vice nodes for the current kernel.
[  OK  ] Started Remount Root and Kernel File Systems.
[  OK  ] [   35.951838] cfg80211: Loading compiled-in X.509 certificates for regulatory database
Started Restore / save the current clock.
[  OK  ] Started Nameserver information manager.
[   35.975654] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[  OK  ] Reached target Network (Pre).
[   35.997143] usb 3-1: reset high-speed USB device number 2 using ehci-platform
         Starting Load/Save Random Seed...
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Journal Service.
[  OK  ] Started Set the console keyboard layout.
[  OK  ] Started Load/Save Random Seed.
         Starting Flush Journal to Persistent Storage...
[   36.165492] bFWReady == _FALSE call reset 8051...
[  OK  ] Started Load Kernel Modules.
[   36.235280] r8152 3-1:1.0 eth1: v1.09.9
         Mounting Kernel Configuration File System...
         Starting Apply Kernel Variables...
[  OK  ] Started Create Static Device Nodes in /dev.
[  OK  ] Mounted Kernel Configuration File System.
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Apply Kernel Variables.
         Starting udev Kernel Device Manager...
[  OK  ] Reached target Local File Systems (Pre).
         Mounting /tmp...
[  OK  ] Mounted /tmp.
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Found device /dev/disk/by-uuid/1bd5f94b-1d0e-4344-a2bf-638269b97e92.
[  OK  ] Found device /dev/disk/by-uuid/4ad77585-b472-46d4-a236-be6708aa77d8.
         Starting File System Check on /dev/…585-b472-46d4-a236-be6708aa77d8...
         Starting Cryptography Setup for armbian-root...
[  OK  ] Started Cryptography Setup for armbian-root.
[  OK  ] Started File System Check on /dev/d…77585-b472-46d4-a236-be6708aa77d8.
         Mounting /boot...
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Started File System Check Daemon to report status.
[  OK  ] Mounted /boot.
[  OK  ] Reached target Local File Systems.
         Starting Raise network interfaces...
         Starting Armbian ZRAM config...
         Starting Set console font and keymap...
         Starting Create Volatile Files and Directories...
[  OK  ] Started Set console font and keymap.
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
         Starting Network Time Synchronization...
         Starting Network Name Resolution...
[  OK  ] Started Entropy daemon using the HAVEGE algorithm.
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[   39.029073] Unable to handle kernel paging request at virtual address 597507d6
[   39.033860] BUG: Bad page state in process armbian-zram-co  pfn:4d821
[   39.036376] pgd = 2ff59934
[   39.042739] page:cff604a4 count:-298859672 mapcount:0 mapping:00000000 index:0x0
[   39.042746] flags: 0x0()
[   39.042762] raw: 00000000 00000100 00000200 00000000 00000000 00000000 ffffffff ee2fc368
[   39.045471] [597507d6] *pgd=00000000
[   39.052842] raw: 4646c77f
[   39.052844] page dumped because: page still charged to cgroup
[   39.052847] page->mem_cgroup:4646c77f
[   39.052849] Modules linked in: zram snd_soc_simple_card sun8i_codec_analog snd_soc_simple_card_utils sun8i_adda_pr_regmap sun4i_i2s snd_soc_core sun4i_gpadc_iio industrialio
[   39.063473]  snd_pcm_dmaengine snd_pcm sun8i_ths snd_timer snd
[   39.067064] Internal error: Oops: 5 [#1] SMP THUMB2
[   39.069664]  soundcore
[   39.075397] Modules linked in:
[   39.079051]  cpufreq_dt
[   39.094490]  zram
[   39.100310]  thermal_sys
[   39.105177]  snd_soc_simple_card
[   39.107530]  uio_pdrv_genirq
[   39.110576]  sun8i_codec_analog
[   39.113015]  uio
[   39.114934]  snd_soc_simple_card_utils
[   39.117461]  sch_fq_codel
[   39.120680]  sun8i_adda_pr_regmap
[   39.123553]  8189es
[   39.126686]  sun4i_i2s
[   39.128518]  cfg80211
[   39.132258]  snd_soc_core
[   39.134871]  r8152
[   39.138177]  sun4i_gpadc_iio
[   39.140270]  usb_f_acm
[   39.142623]  industrialio
[   39.144889]  u_serial
[   39.147502]  snd_pcm_dmaengine
[   39.149509]  g_serial
[   39.152381]  snd_pcm
[   39.154735]  libcomposite
[   39.157348]  sun8i_ths
[   39.159614]  ip_tables
[   39.162660]  snd_timer
[   39.164926]  x_tables
[   39.167106]  snd
[   39.169719]  algif_skcipher
[   39.172072]  soundcore
[   39.174424]  af_alg
[   39.176778]  cpufreq_dt
[   39.179044]  dm_crypt
[   39.180877]  thermal_sys
[   39.183663]  dm_mod
[   39.186016]  uio_pdrv_genirq
[   39.188109]  dax
[   39.190549]  uio
[   39.192815]  pwrseq_simple
[   39.195342]  sch_fq_codel
[   39.197435]  lima
[   39.200307]  8189es
[   39.202141]  gpu_sched
[   39.203974]  cfg80211
[   39.206674]  ttm
[   39.209286]  r8152
[   39.211206]  aes_arm_bs
[   39.213299]  usb_f_acm
[   39.215652]  crypto_simd
[   39.217919]  u_serial
[   39.219750]  cryptd
[   39.221756]  g_serial
[   39.226548]  libcomposite
[   39.229079] CPU: 3 PID: 558 Comm: armbian-zram-co Not tainted 4.19.64-sunxi #5.93
[   39.231341]  ip_tables
[   39.233435] Hardware name: Allwinner sun8i Family
[   39.235700]  x_tables
[   39.238342] [<c010d74d>] (unwind_backtrace) from [<c010a2f1>] (show_stack+0x11/0x14)
[   39.245780]  algif_skcipher
[   39.248143] [<c010a2f1>] (show_stack) from [<c08fc401>] (dump_stack+0x69/0x78)
[   39.252826]  af_alg
[   39.255105] [<c08fc401>] (dump_stack) from [<c01ee01f>] (bad_page+0xab/0xec)
[   39.262820]  dm_crypt
[   39.265616] [<c01ee01f>] (bad_page) from [<c01f03bb>] (get_page_from_freelist+0x857/0xc94)
[   39.272813]  dm_mod
[   39.274914] [<c01f03bb>] (get_page_from_freelist) from [<c01f0d81>] (__alloc_pages_nodemask+0xcd/0xbc0)
[   39.281940]  dax
[   39.284218] [<c01f0d81>] (__alloc_pages_nodemask) from [<c0210c1f>] (__pte_alloc+0x1f/0x11c)
[   39.292453]  pwrseq_simple
[   39.294556] [<c0210c1f>] (__pte_alloc) from [<c0211565>] (copy_page_range+0x3a5/0x4bc)
[   39.303920]  lima
[   39.305766] [<c0211565>] (copy_page_range) from [<c011a46f>] (copy_process.part.5+0x139b/0x13e4)
[   39.314174]  gpu_sched
[   39.316881] [<c011a46f>] (copy_process.part.5) from [<c011a5e1>] (_do_fork+0x89/0x328)
[   39.324773]  ttm
[   39.326700] [<c011a5e1>] (_do_fork) from [<c011a921>] (sys_clone+0x19/0x1c)
[   39.335458]  aes_arm_bs
[   39.337820] [<c011a921>] (sys_clone) from [<c0101001>] (ret_fast_syscall+0x1/0x62)
[   39.345712]  crypto_simd
[   39.347548] Exception stack(0xcf2b1fa8 to 0xcf2b1ff0)
[   39.354492]  cryptd
[   39.356936] 1fa0:                   b6fd9208 00000000 01200011 00000000 00000000 00000000
[   39.367016] 1fc0: b6fd9208 00000000 b6fd9660 00000078 b6f70000 004d0e2c 00000000 b6fd91a0
[   39.372054] CPU: 0 PID: 555 Comm: systemd-udevd Not tainted 4.19.64-sunxi #5.93
[   39.374145] 1fe0: 00000078 be912020 b6eef98f b6e93206
[   39.382304] Hardware name: Allwinner sun8i Family
[   39.407535] PC is at kfree+0x3a/0x154
[   39.411220] LR is at free_vfsmnt+0x11/0x2c
[   39.415324] pc : [<c022c7be>]    lr : [<c0256ed9>]    psr: a0010133
[   39.421591] sp : cf2e9ce8  ip : 0ef80000  fp : c0e11880
[   39.426822] r10: 0000000a  r9 : c0e11d80  r8 : cf2e8000
[   39.432062] r7 : 80000000  r6 : cfd3be20  r5 : c0256ed9  r4 : cd823540
[   39.438591] r3 : 597507d3  r2 : cf2e9d10  r1 : ce873f24  r0 : 597507d2
[   39.445115] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA Thumb  Segment none
[   39.452413] Control: 50c5387d  Table: 4df9006a  DAC: 00000051
[   39.458157] Process systemd-udevd (pid: 555, stack limit = 0x799896c8)
[   39.464675] Stack: (0xcf2e9ce8 to 0xcf2ea000)
[   39.469029] 9ce0:                   c0e11880 c0e11880 ce679d00 c0e11880 cfd3be20 cf2e9d34
[   39.477198] 9d00: cf2e8000 c0256ed9 cfd3be00 c016a901 cfd3b600 c0147493 c0e04d70 ffffe000
[   39.485367] 9d20: 00000001 c0e04d48 c0ee338f cfd3b600 c0e04d48 cea323c0 ce873f24 ffffffff
[   39.493535] 9d40: 00000000 a6bbfdcd 00000100 c0e030a4 00000002 00000009 00000002 ffffe000
[   39.501716] 9d60: 00000100 c0e03080 c0e04d70 c010226d c0e04d48 cf8cb900 c0db2358 c0e04d70
[   39.509889] 9d80: c0ee3998 c0dbb1c0 0000000a ffff011f c0e03d00 00400140 c07b1ad1 c0dbb18c
[   39.518058] 9da0: 00000000 00000013 00000000 00000001 cf83fc00 00000080 00470df4 c011fefb
[   39.526228] 9dc0: 00000095 c015f86d cf2e9e00 c0e05528 d080200c d0802000 cf2e9e00 d0803000
[   39.534397] 9de0: cf2e8000 c05c9e91 c01a06ba a0010033 ffffffff cf2e9e34 cf2e9ee0 c0101a65
[   39.542566] 9e00: 00000000 cf2e9ee0 a6bbfdcd cf2e8000 c99e2700 00000000 c0e04d48 000000c5
[   39.550735] 9e20: cf2e9ee0 00000000 00000080 00470df4 cda42080 cf2e9e50 c01a0abb c01a06ba
[   39.558904] 9e40: a0010033 ffffffff 00000051 bf000000 00000000 cf2e9e5c ffffffff 00000040
[   39.567073] 9e60: 002a8000 00000000 b6f37000 b6f63968 00000142 40000028 b6e5a206 00000000
[   39.575243] 9e80: 00000010 00000000 ce5a3b10 ccc52f68 002a8000 a6bbfdcd 00000000 c0e04d48
[   39.583412] 9ea0: 00000000 cf2e9f70 00000000 fffff000 cf2e8000 a6bbfdcd 00470df4 a6bbfdcd
[   39.591581] 9ec0: c0e04d48 0046b9c8 000000c5 00000000 00000000 00000080 00470df4 c01a0abb
[   39.599749] 9ee0: 00000000 00000000 cf8cd600 0000045a 00000000 00000000 00000000 cf2e9f00
[   39.607918] 9f00: c0101224 c023cd6b 000007ff c023cd53 0000000f c022bfe5 00000000 00000000
[   39.616087] 9f20: 00000000 c0e04d48 0000000f 00000000 00000000 00000000 00000000 a6bbfdcd
[   39.624256] 9f40: 00000010 c023cce7 c0e04d48 cd567b40 0000000f c0e04d48 cd567b40 c9994000
[   39.632425] 9f60: 40000020 a6bbfdcd 00000000 80000000 cf2e9fb0 0046b9c8 000000c5 c0101224
[   39.640594] 9f80: cf2e8000 c0108cef b6f37000 b6f63968 00000010 0173f850 01732452 0046b9c8
[   39.648763] 9fa0: 000000c5 c01011cb 0173f850 01732452 0000000f beace9a8 beace9a8 3aab2700
[   39.656932] 9fc0: 0173f850 01732452 0046b9c8 000000c5 0000000f 00000010 00468350 00470df4
[   39.665101] 9fe0: 000000c5 beace974 b6ecf083 b6e5a206 20010030 0000000f 00000000 00000000
[   39.673286] [<c022c7be>] (kfree) from [<c0256ed9>] (free_vfsmnt+0x11/0x2c)
[   39.680163] [<c0256ed9>] (free_vfsmnt) from [<c016a901>] (rcu_process_callbacks+0x175/0x3dc)
[   39.688598] [<c016a901>] (rcu_process_callbacks) from [<c010226d>] (__do_softirq+0xd5/0x27c)
[   39.697031] [<c010226d>] (__do_softirq) from [<c011fefb>] (irq_exit+0x8f/0xc0)
[   39.704250] [<c011fefb>] (irq_exit) from [<c015f86d>] (__handle_domain_irq+0x49/0x84)
[   39.712079] [<c015f86d>] (__handle_domain_irq) from [<c05c9e91>] (gic_handle_irq+0x39/0x68)
[   39.720425] [<c05c9e91>] (gic_handle_irq) from [<c0101a65>] (__irq_svc+0x65/0x94)
[   39.727896] Exception stack(0xcf2e9e00 to 0xcf2e9e48)
[   39.732945] 9e00: 00000000 cf2e9ee0 a6bbfdcd cf2e8000 c99e2700 00000000 c0e04d48 000000c5
[   39.741114] 9e20: cf2e9ee0 00000000 00000080 00470df4 cda42080 cf2e9e50 c01a0abb c01a06ba
[   39.749279] 9e40: a0010033 ffffffff
[   39.752770] [<c0101a65>] (__irq_svc) from [<c01a06ba>] (seccomp_run_filters+0x32/0x100)
[   39.760768] [<c01a06ba>] (seccomp_run_filters) from [<c01a0abb>] (__seccomp_filter+0x33/0x390)
[   39.769371] [<c01a0abb>] (__seccomp_filter) from [<c0108cef>] (syscall_trace_enter+0x5f/0x118)
[   39.777973] [<c0108cef>] (syscall_trace_enter) from [<c01011cb>] (__sys_trace+0x9/0x36)
[   39.785964] Exception stack(0xcf2e9fa8 to 0xcf2e9ff0)
[   39.791011] 9fa0:                   0173f850 01732452 0000000f beace9a8 beace9a8 3aab2700
[   39.799180] 9fc0: 0173f850 01732452 0046b9c8 000000c5 0000000f 00000010 00468350 00470df4
[   39.807347] 9fe0: 000000c5 beace974 b6ecf083 b6e5a206
[   39.812397] Code: 07df bf48 f103 30ff (6843) 07de 
[   39.817256] ---[ end trace 244c678b7ff6db00 ]---
[   39.821906] Kernel panic - not syncing: Fatal exception in interrupt
[   39.828269] CPU3: stopping
[   39.830985] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G    B D           4.19.64-sunxi #5.93
[   39.839148] Hardware name: Allwinner sun8i Family
[   39.843865] [<c010d74d>] (unwind_backtrace) from [<c010a2f1>] (show_stack+0x11/0x14)
[   39.851607] [<c010a2f1>] (show_stack) from [<c08fc401>] (dump_stack+0x69/0x78)
[   39.858826] [<c08fc401>] (dump_stack) from [<c010c7fb>] (handle_IPI+0x2a7/0x2c0)
[   39.866220] [<c010c7fb>] (handle_IPI) from [<c05c9ebf>] (gic_handle_irq+0x67/0x68)
[   39.873785] [<c05c9ebf>] (gic_handle_irq) from [<c0101a65>] (__irq_svc+0x65/0x94)
[   39.881257] Exception stack(0xcf921f60 to 0xcf921fa8)
[   39.886306] 1f60: 00000000 0000f3a4 cfd6c438 c0116441 ffffe000 c0e04d70 c0e04db8 00000008
[   39.894475] 1f80: 00000000 c0e04d48 c0dba870 00000000 c0e03d00 cf921fb0 c01078f3 c01078f4
[   39.902639] 1fa0: 40010033 ffffffff
[   39.906131] [<c0101a65>] (__irq_svc) from [<c01078f4>] (arch_cpu_idle+0x28/0x2c)
[   39.913524] [<c01078f4>] (arch_cpu_idle) from [<c013e983>] (do_idle+0x14b/0x1d8)
[   39.920915] [<c013e983>] (do_idle) from [<c013ec05>] (cpu_startup_entry+0x19/0x1c)
[   39.928479] [<c013ec05>] (cpu_startup_entry) from [<401024b1>] (0x401024b1)
[   39.935432] CPU2: stopping
[   39.938141] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G    B D           4.19.64-sunxi #5.93
[   39.946304] Hardware name: Allwinner sun8i Family
[   39.951009] [<c010d74d>] (unwind_backtrace) from [<c010a2f1>] (show_stack+0x11/0x14)
[   39.958746] [<c010a2f1>] (show_stack) from [<c08fc401>] (dump_stack+0x69/0x78)
[   39.965963] [<c08fc401>] (dump_stack) from [<c010c7fb>] (handle_IPI+0x2a7/0x2c0)
[   39.973354] [<c010c7fb>] (handle_IPI) from [<c05c9ebf>] (gic_handle_irq+0x67/0x68)
[   39.980918] [<c05c9ebf>] (gic_handle_irq) from [<c0101a65>] (__irq_svc+0x65/0x94)
[   39.988388] Exception stack(0xcf91ff60 to 0xcf91ffa8)
[   39.993437] ff60: 00000000 000045bc cfd5a438 c0116441 ffffe000 c0e04d70 c0e04db8 00000004
[   40.001606] ff80: 00000000 c0e04d48 c0dba870 00000000 c0e03d00 cf91ffb0 c01078f3 c01078f4
[   40.009770] ffa0: 40070033 ffffffff
[   40.013260] [<c0101a65>] (__irq_svc) from [<c01078f4>] (arch_cpu_idle+0x28/0x2c)
[   40.020651] [<c01078f4>] (arch_cpu_idle) from [<c013e983>] (do_idle+0x14b/0x1d8)
[   40.028040] [<c013e983>] (do_idle) from [<c013ec05>] (cpu_startup_entry+0x19/0x1c)
[   40.035601] [<c013ec05>] (cpu_startup_entry) from [<401024b1>] (0x401024b1)
[   40.042553] CPU1: stopping
[   40.045262] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G    B D           4.19.64-sunxi #5.93
[   40.053425] Hardware name: Allwinner sun8i Family
[   40.058129] [<c010d74d>] (unwind_backtrace) from [<c010a2f1>] (show_stack+0x11/0x14)
[   40.065866] [<c010a2f1>] (show_stack) from [<c08fc401>] (dump_stack+0x69/0x78)
[   40.073083] [<c08fc401>] (dump_stack) from [<c010c7fb>] (handle_IPI+0x2a7/0x2c0)
[   40.080474] [<c010c7fb>] (handle_IPI) from [<c05c9ebf>] (gic_handle_irq+0x67/0x68)
[   40.088038] [<c05c9ebf>] (gic_handle_irq) from [<c0101a65>] (__irq_svc+0x65/0x94)
[   40.095509] Exception stack(0xcf91df60 to 0xcf91dfa8)
[   40.100557] df60: 00000000 00004ba8 cfd48438 c0116441 ffffe000 c0e04d70 c0e04db8 00000002
[   40.108727] df80: 00000000 c0e04d48 c0dba870 00000000 c0e03d00 cf91dfb0 c01078f3 c01078f4
[   40.116891] dfa0: 40010033 ffffffff
[   40.120380] [<c0101a65>] (__irq_svc) from [<c01078f4>] (arch_cpu_idle+0x28/0x2c)
[   40.127771] [<c01078f4>] (arch_cpu_idle) from [<c013e983>] (do_idle+0x14b/0x1d8)
[   40.135160] [<c013e983>] (do_idle) from [<c013ec05>] (cpu_startup_entry+0x19/0x1c)
[   40.142722] [<c013ec05>] (cpu_startup_entry) from [<401024b1>] (0x401024b1)
[   40.149684] Rebooting in 10 seconds..

 

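A small triage helper for the serial-console logs posted above, added here as an example and not part of the original thread or of Armbian: it separates a boot where the LUKS volume was never opened from one where the volume was unlocked and the kernel faulted later. The function name, the verdict labels and the abridged log excerpts are assumptions made for the illustration.

```python
import re

# Console markers, all taken from the serial logs posted in this thread.
MARKERS = {
    "prompted": re.compile(r"Please unlock disk (\S+?):"),
    "unlocked": re.compile(r"cryptsetup \((\S+?)\): set up successfully"),
    "missing": re.compile(r"ALERT!\s+(/dev/mapper/\S+) does not exist"),
    "root_mounted": re.compile(r"EXT4-fs \((dm-\d+)\): mounted filesystem"),
    "userspace": re.compile(r"(systemd\[1\]: systemd \d+ running in system mode)"),
    "first_fault": re.compile(r"(Unable to handle kernel paging request.*|BUG: .+)"),
    "panic": re.compile(r"Kernel panic - not syncing: (.+)"),
}


def classify_boot_log(text):
    """Return the first hit for every marker plus a verdict (hypothetical labels)."""
    facts = {name: None for name in MARKERS}
    facts["local_block_retries"] = 0
    for line in text.splitlines():
        facts["local_block_retries"] += line.count("Running /scripts/local-block")
        for name, rx in MARKERS.items():
            # search(), not match(): kernel messages are often glued onto the
            # end of an initramfs line on a shared serial console.
            hit = rx.search(line)
            if hit and facts[name] is None:
                facts[name] = hit.group(1).strip()
    if facts["missing"] and not facts["unlocked"]:
        # The initramfs never created the mapper device; a later
        # "Attempted to kill init" panic is only the consequence.
        facts["verdict"] = "luks-not-opened"
    elif facts["unlocked"] and (facts["first_fault"] or facts["panic"]):
        # The volume was opened, so the fault lies after the unlock step.
        facts["verdict"] = "fault-after-unlock"
    elif facts["panic"]:
        facts["verdict"] = "panic-without-initramfs-output"
    else:
        facts["verdict"] = "no-failure-seen"
    return facts


# Abridged excerpts of the three logs posted in the thread (sample input).
LOG_GAVE_UP = """\
Begin: Running /scripts/local-premount ... Scanning for Btrfs filesystems[    5.240369] random: fast init done
Begin: Waiting for root file system ... Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Begin: Running /scripts/local-block ... done.
Gave up waiting for root file system device.  Common problems:
ALERT!  /dev/mapper/armbian-root does not exist.  Dropping to a shell!
Rebooting automatically due to panic= boot argument
[   46.102019] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
"""

LOG_AFTER_UNLOCK = """\
Please unlock disk armbian-root: 
[   33.058377] random: cryptsetup: uninitialized urandom read (2 bytes read)
cryptsetup (armbian-root): set up successfully
[   33.672350] EXT4-fs (dm-0): mounted filesystem with writeback data mode. Opts: (null)
[   34.666720] systemd[1]: systemd 237 running in system mode. (+PAM +AUDIT)
[   39.029073] Unable to handle kernel paging request at virtual address 597507d6
[   39.033860] BUG: Bad page state in process armbian-zram-co  pfn:4d821
[   39.821906] Kernel panic - not syncing: Fatal exception in interrupt
"""

LOG_EARLY_PANIC = """\
Starting kernel ...

[   44.800773] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000
[   44.872362] Rebooting in 10 seconds..
"""

if __name__ == "__main__":
    for label, log in (("R1, first attempt", LOG_GAVE_UP),
                       ("R1, bionic", LOG_AFTER_UNLOCK),
                       ("One Plus", LOG_EARLY_PANIC)):
        result = classify_boot_log(log)
        print(f"{label}: {result['verdict']} (panic: {result['panic']})")
```
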
On 8/3/2019 at 12:19 PM, cabela said:

I am very new here. I have an Orange Pi R1 and with Armbian everything is working; however, I have proprietary software and want to secure it (as much as possible). I read a lot of articles and read about Armbian supporting CRYPTROOT_ENABLE, so I decided to try to build my own image.

I have succeeded in building 5 images but unfortunately none of them boots correctly. I decided to first build an image without CRYPTROOT_ENABLE but still cannot succeed. It gives me a KERNEL PANIC after trying to load/uncompress Linux.

I basically want the default Armbian image for Orange Pi R1 + CRYPTROOT_ENABLE.

My second question will follow after this - I've read that the 2 options for unlocking an encrypted LUKS partition are to type in the password via keyboard or via SSH with dropbear. However, I was thinking of using the SPI flash integrated on the Orange Pi R1, because SPI is independent of the SD card. If someone gets the SD card, he still does not have the KEY to unlock it? I have googled and searched this forum for similar posts and only found a post about "Full root encryption of Orange Pi PC", but unfortunately this walkthrough does not work for me (Orange Pi R1).

Any help will be more than appreciated!

 

Might consider looking at SecureBoot

 

 

That would be the first place to look - lock your board down there...

 

And then start moving up the stack...

 

sfx

21 hours ago, Igor said:

But this more generic way should also work. :huh:

 

Locks the filesystem, but it doesn't lock the board down - depends on what OP wants to do and how paranoid they might be.

 

Come to think of it, for their case, could use both as belt and suspenders - doesn't do the code signing part however...

 

I've seen platforms that lock things down so tight that they even require code-signing for binaries, bootloaders, and file systems.
