NetBSD-Bugs archive


bin/49430: The cgdconfig -C option fails with "Inappropriate ioctl for device"



>Number:         49430
>Category:       bin
>Synopsis:       The cgdconfig -C option fails with "Inappropriate ioctl for device"
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 29 21:00:00 +0000 2014
>Originator:     Kyle Amon
>Release:        6.1.5
>Organization:
BackWatcher, Inc.
>Environment:
NetBSD netbsd.gnutec.com 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
>Description:
While setting up a cgd(4) encrypted swap partition, I found that when running "cgdconfig -C" (as /etc/rc.d/cgd does, for example!), the command fails with the following error...

cgdconfig: ioctl: Inappropriate ioctl for device
cgdconfig: action failed on "/etc/cgd/cgd.conf" line 14

It's "line 14" in my case, but could be any line, and doesn't seem actually causal, in any case.  Regardless, that line in my /etc/cgd/cgd.conf file is...

cgd0            /dev/ld0b       /etc/cgd/cgd0

I have tried configuring /etc/cgd/cgd.conf with and without the optional "paramsfile" parameter, changing /etc/cgd/cgd0 to /etc/cgd/ld0b (as is necessary without the additional, optional parameter), with no effect.

I have found that manually enabling a specific device works as expected, however.  For example, the following command succeeds...

cgdconfig cgd0 /dev/ld0b /etc/cgd/cgd0

I have tried "cgdconfig -C" with both virtio's ld(4) driver as cgd's backing store, and with the wd(4) driver as its backing store (also with and without the optional cgd.conf "paramsfile" parameter), all with no effect.

>How-To-Repeat:
Follow the general instructions for configuring cgd(4) encrypted swap here...

http://www.netbsd.org/docs/guide/en/netbsd.html#chap-cgd

...and watch it fail to bring up your encrypted swap partition on reboot.

As it so happens, I was writing a script to automatically convert an unencrypted swap partition to an encrypted swap partition when I discovered this problem.  The script itself works fine (assuming the workaround I included below is applied manually [until the issue is really fixed, that is]).  I include it here, both as an aid in easily reproducing the problem (if feeling trusting and adventurous) and as a means to gain every detail of my setup.

#!/bin/sh
#
# AUTHOR
#
#   Kyle Amon
#   BackWatcher, Inc.
#   Information Security Solutions
#   http://www.backwatcher.com/
#   support%backwatcher.com@localhost
#   702-613-UNIX
#
# DESCRIPTION
#
#   Switch the current, unencrypted swap partition to a cgd(4) encrypted
#   swap partition. Only aes-cbc with a 256 bit key is currently supported,
#   but these options are easily changed to preference in the script below.
#   The partition used on the current, underlying swap device remains the
#   same on the new, underlying swap device (i.e. if the unencrypted swap
#   device is /dev/wd0b, the encrypted swap device will be /dev/cgd0b, each
#   base device using partition 'b' for swap).  Only a single swap device
#   is currently supported.  Only tested on the amd64 architecture.
#
# LICENSE
#
#   This program is free software; you can redistribute it and/or
#   modify it under the terms of the GNU General Public License as
#   published by the Free Software Foundation; either version 3 of
#   the License, or (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

# Get current swap information
swapd=$(swapctl -l | sed -n 's/.*\/\(.*[0-9][a-p]\).*/\1/p')	# full device
swapp=$(echo $swapd | sed 's/.*[0-9]//')			# partition only

# Generate cgd paramsfile in /etc/cgd
cgdconfig -g -o /etc/cgd/cgd0 -V none -k randomkey aes-cbc 256

# Create cgd configuration file
cat << EOF > /etc/cgd/cgd.conf
# /etc/cgd/cgd.conf
#
# Kyle Amon
# BackWatcher, Inc.
# Information Security Solutions
# http://www.backwatcher.com/
# support%backwatcher.com@localhost
# 702-613-UNIX
#
# Configuration file for cryptographic disk devices
#
# cgd		target		[paramsfile]

cgd0		/dev/${swapd}	/etc/cgd/cgd0
EOF

# Deactivate current swap device
swapctl -d /dev/${swapd}

# Activate cgd0
cgdconfig cgd0 /dev/${swapd} /etc/cgd/cgd0

# Create disklabel for cgd0
disklabel cgd0 2>/dev/null | sed "s/ a:/ ${swapp}:/" | sed 's/4.2BSD/  swap/' | sed 's/0     0     0/             /' > /etc/cgd/cgd0.disklabel

# Apply disklabel to cgd0
disklabel -R -r /dev/cgd0 /etc/cgd/cgd0.disklabel

# Create script to apply disklabel to cgd0 during boot
cat << EOF > /etc/rc.conf.d/cgd
# /etc/rc.conf.d/cgd
#
# Kyle Amon
# BackWatcher, Inc.
# Information Security Solutions
# http://www.backwatcher.com/
# support%backwatcher.com@localhost
# 702-613-UNIX
#
# Apply disklabel to cgd0 for encrypted swap.

device="cgd0"
disklabel="/etc/cgd/cgd0.disklabel"

start_postcmd="cgd_swap"

cgd_swap()
{
  if [ -f \$disklabel ] ; then
    disklabel -R -r \$device \$disklabel
  fi
}
EOF

# Activate new, encrypted swap device
swapctl -a /dev/cgd0${swapp}

# Change swap device in /etc/fstab
ed -s /etc/fstab << EOF
/swap/s/$swapd/cgd0$swapp/
w
q
EOF

# Append 'cgd=YES' to /etc/rc.conf
echo 'cgd=YES' >> /etc/rc.conf

echo "All done.  Run 'swapctl -l' to verify the change."
>Fix:
Not really a fix, but as a temporary workaround, I have commented out the following line in the /etc/rc.d/cgd file...

cgdconfig -C

...and replaced it with this less flexible, but adequate for my current purpose, hardcoded substitute...

cgdconfig cgd0 /dev/ld0b /etc/cgd/cgd0

which actually works.
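The hardcoded substitute above covers one cgd.conf entry. As an added example (not part of the report, the reporter's script, or NetBSD), the following sh function reads a cgd.conf in the "cgd target [paramsfile]" format shown above and prints the explicit per-entry cgdconfig command, so each line's action can be inspected and run individually while the "-C" path is failing; the assumed default paramsfile of /etc/cgd/<basename of target> for entries without a third field matches what the description says is needed (/etc/cgd/ld0b for /dev/ld0b).

```shell
#!/bin/sh
# Print "cgdconfig cgd target paramsfile" for every entry in a cgd.conf.
# Assumed format, as on this page: "cgd target [paramsfile]"; '#' comments
# and blank lines are ignored. A missing third field defaults to
# /etc/cgd/<basename of target> (e.g. /dev/ld0b -> /etc/cgd/ld0b).
#
# The function body is a subshell so "set -f" (no globbing while splitting
# fields) and the positional-parameter reuse do not leak into the caller.
cgd_conf_commands() (
    conf=$1
    lineno=0
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}            # drop trailing comment
        set -- $line                # split on whitespace (spaces or tabs)
        if [ $# -eq 0 ]; then
            continue                # blank or comment-only line
        fi
        if [ $# -lt 2 ] || [ $# -gt 3 ]; then
            # Report the offending line, as "cgdconfig -C" does, and stop.
            echo "$conf line $lineno: expected 'cgd target [paramsfile]'" >&2
            exit 1                  # exits only this subshell
        fi
        cgd=$1
        target=$2
        params=${3:-/etc/cgd/${target##*/}}
        echo "cgdconfig $cgd $target $params"
    done < "$conf"
)

# Usage: cgd_conf_commands /etc/cgd/cgd.conf        # inspect the actions
#        cgd_conf_commands /etc/cgd/cgd.conf | sh   # apply them one by one
```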


