CBE key encryption
josef.soentgen at genode-labs.com
Fri Nov 26 14:45:57 CET 2021
> But then the vfs_cbe requests to have an all-zero key encrypted which due
> to the ICV added by hardware black key handling fails. We cannot seem to
> find out where the request originates or why vfs_cbe would ever encrypt
> any key, let alone a key of all zeros.

Whenever the CBE writes the current superblock back to the block device
it first has to encrypt the current and the previous(!) key as both are
stored within the superblock on the block device. This is necessary
because you may stop the CBE during rekeying and it needs the previous
key to complete the operation as there are still blocks encrypted with
the old key around.

So I assume in your case the previous key was not yet used and therefore
is initialized to a default value that, as it happens, is all zeros and
the CBE wants to write the superblock back (it does so on every 'sync'
request), which is why you encounter this unexpected request.
http://www.genode-labs.com/ · http://genode.org/