Encryption

cryptsetup out of memory on open ("Not enough available memory to open a keyslot.")

  • March 27, 2022

I am developing my yocto distribution, which includes cryptsetup version 2.3.2.

I run this distribution on a board with 1 GB of RAM, and when trying to open an encrypted partition I get an "out of memory" error that I cannot properly debug. Any ideas?

My distribution runs from an mSD with 3 partitions; the third one (30 MB) is encrypted.

I encrypted that partition using the steps described in the ArchLinux guide, using ext3 instead of ext4:

# cryptsetup -y -v luksFormat /dev/sda2
# cryptsetup open /dev/sda2 cryptroot
# mkfs.ext3 /dev/mapper/cryptroot

But trying to open that partition on my board throws an error:

cryptsetup --debug open /dev/mmcblk0p3  cryptroot
# cryptsetup 2.3.2 processing "cryptsetup --debug open /dev/mmcblk0p3 cryptroot"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/mmcblk0p3.
# Trying to open and read device /dev/mmcblk0p3 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/mmcblk0p3.
# Crypto backend (OpenSSL 1.1.1k  25 Mar 2021) initialized in cryptsetup library version 2.3.2.
# Detected kernel Linux 4.1.35-rt41 ppc.
# Loading LUKS2 header (repair disabled).
# Acquiring read lock for device /dev/mmcblk0p3.
# Opening lock resource file /run/cryptsetup/L_179:3
# Verifying lock handle for /dev/mmcblk0p3.
# Device /dev/mmcblk0p3 READ lock taken.
# Trying to read primary LUKS2 header at offset 0x0.
# Opening locked device /dev/mmcblk0p3
# Veryfing locked device handle (bdev)
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:43e122216ab19330fdfb6d2f9d7b586c4e5189884aef24be884e7159228e9ee5 (on-disk)
# Checksum:43e122216ab19330fdfb6d2f9d7b586c4e5189884aef24be884e7159228e9ee5 (in-memory)
# Trying to read secondary LUKS2 header at offset 0x4000.
# Reusing open ro fd on device /dev/mmcblk0p3
# LUKS2 header version 2 of size 16384 bytes, checksum sha256.
# Checksum:4ed9a44c22fde04c4b59a638c20eba6da3a13e591a6a1cfe7e0fec4437dc14cc (on-disk)
# Checksum:4ed9a44c22fde04c4b59a638c20eba6da3a13e591a6a1cfe7e0fec4437dc14cc (in-memory)
# Device size 32505856, offset 16777216.
# Device /dev/mmcblk0p3 READ lock released.
# Only 1 active CPUs detected, PBKDF threads decreased from 4 to 1.
# Not enough physical memory detected, PBKDF max memory decreased from 1048576kB to 255596kB.
# PBKDF argon2i, time_ms 2000 (iterations 0), max_memory_kb 255596, parallel_threads 1.
# Activating volume cryptroot using token -1.
# Interactive passphrase entry requested.
Enter passphrase for /dev/mmcblk0p3:
# Activating volume cryptroot [keyslot -1] using passphrase.
device-mapper: ioctl: 4.31.0-ioctl (2015-3-12) initialised: dm-devel@redhat.com
# dm version   [ opencount flush ]   [16384] (*1)
# dm versions   [ opencount flush ]   [16384] (*1)
# Detected dm-ioctl version 4.31.0.
# Device-mapper backend running with UDEV support enabled.
# dm status cryptroot  [ opencount noflush ]   [16384] (*1)
# Keyslot 0 priority 1 != 2 (required), skipped.
# Trying to open LUKS2 keyslot 0.
# Keyslot 0 (luks2) open failed with -12.
Not enough available memory to open a keyslot.
# Releasing crypt device /dev/mmcblk0p3 context.
# Releasing device-mapper backend.
# Closing read only fd for /dev/mmcblk0p3.
# Unlocking memory.
Command failed with code -3 (out of memory).

LUKS2 uses the Argon2i key derivation function, which is memory-hard, meaning it needs a large amount of memory to open the device in order to prevent (or at least make harder) brute-force attacks using GPUs. You can check how much memory is needed to open the device with cryptsetup luksDump /dev/sda2; look for the line Memory: 755294 under Keyslots.

When creating the device, cryptsetup checks how much memory is available and adjusts the amount required to open it accordingly, but if you created the LUKS device on another computer (e.g. when formatting the SD card on a desktop), or even on the same machine when it had more memory available, it may be that you simply do not have enough memory now. We are only talking about RAM; swap is not used in this case.

I suggest recreating the LUKS device with --pbkdf pbkdf2 to switch to the "old" key derivation function PBKDF2 (the default in LUKS1), which does not use extra memory. Alternatively, you can also use --pbkdf-memory <num> to force a smaller amount of memory for the default Argon2i.
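A pre-deployment check for the mismatch the answer describes, added here as an example and not part of the original post or of cryptsetup: it reads `cryptsetup luksDump` output and reports which Argon2 keyslots record a memory cost larger than the RAM available on the target, so the problem is caught before the board prints "Not enough available memory to open a keyslot". The luksDump excerpt and memory figures in the block are constructed, and the half-of-MemAvailable rule for `--pbkdf-memory` is an assumption, not cryptsetup's own policy.

```shell
#!/bin/sh
# Added example, not from the original post. Compare the Argon2 memory cost
# recorded in each LUKS2 keyslot against the RAM available on the target.

# Print the numbers of the luks2 keyslots whose "Memory:" (kB) exceeds $2.
# $1: text of `cryptsetup luksDump <device>`, $2: available memory in kB.
# PBKDF2 keyslots carry no Memory: line, so they are never reported.
keyslots_exceeding() {
    printf '%s\n' "$1" | awk -v avail="$2" '
        /^[[:space:]]*[0-9]+:[[:space:]]*luks2/ { sub(":", "", $1); slot = $1 }
        /^[[:space:]]*Memory:/ && ($2 + 0) > (avail + 0) { print slot }'
}

# Conservative value for `--pbkdf-memory` when reformatting on the board:
# half of MemAvailable (assumption used here, not cryptsetup's own rule).
suggest_pbkdf_memory_kb() {
    echo $(( $1 / 2 ))
}

# Constructed luksDump excerpt: slot 0 was formatted on a desktop (Argon2i,
# about 738 MB), slot 1 uses PBKDF2 as the answer recommends.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
        Time cost:  4
        Memory:     755294
        Threads:    4
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000'

# On the board, take MemAvailable from /proc/meminfo; 255596 kB is the cap
# cryptsetup reported in the debug log above.
main() {
    avail=${1:-255596}
    bad=$(keyslots_exceeding "$SAMPLE_DUMP" "$avail")
    if [ -n "$bad" ]; then
        echo "keyslot(s) $bad need more than ${avail} kB; expect open to fail"
        echo "reformat with --pbkdf pbkdf2 or --pbkdf-memory $(suggest_pbkdf_memory_kb "$avail")"
    else
        echo "all keyslots fit in ${avail} kB"
    fi
}

main "$@"
```

On the board, run it as `sh check.sh "$(awk '/MemAvailable/ {print $2}' /proc/meminfo)"` after replacing SAMPLE_DUMP with the real `cryptsetup luksDump /dev/mmcblk0p3` output.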

Source: https://unix.stackexchange.com/questions/647859