[Bug 2031499] [NEW] cryptsetup-initramfs generates change entries order
Nicolas Melot
2031499 at bugs.launchpad.net
Wed Aug 16 08:45:28 UTC 2023
Public bug reported:
update-initramfs does not generate the entries of the initrd's
/cryptroot/crypttab in the same order as the system's /etc/crypttab when
entries tagged as "initramfs" are placed before entries that are not.
This is a problem if partitions automatically detected as needed depend
on a partition that is not detected as necessary. For example, see the
system's /etc/crypttab below:
# <target name> <source device> <key file> <options>
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh
which turns into the following initrd /cryptroot/crypttab:
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs
The swap partition gets its key from the script luks-key.sh, which
itself reads it from keyring. update-initramfs cannot detect this
dependency and places swap so that it is decrypted first. Decryption
will fail at boot because it won't find the necessary key.
I could work around the problem by modifying /usr/share/initramfs-tools/hooks/cryptroot from
177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         if devnos="$(get_mnt_devno /)"; then
184             if [ -n "$devnos" ]; then
185                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
186             fi
187         else
188             cryptsetup_message "WARNING: Couldn't determine root device"
189         fi
190
191         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
192             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
193         fi
194
195         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
196             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
197         fi
198
199         # add crypttab entries with the 'initramfs' option set
200         crypttab_foreach_entry crypttab_print_initramfs_entry
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }
to
177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         # add crypttab entries with the 'initramfs' option set
184         crypttab_foreach_entry crypttab_print_initramfs_entry
185
186         if devnos="$(get_mnt_devno /)"; then
187             if [ -n "$devnos" ]; then
188                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
189             fi
190         else
191             cryptsetup_message "WARNING: Couldn't determine root device"
192         fi
193
194         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
195             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
196         fi
197
198         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
199             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
200         fi
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }
i.e. moving line 200 to line 183, so that "initramfs"-tagged entries are
generated before other entries. Of course this is a quick and dirty fix
and won't stand up to many other scenarios.
A possible quick fix would be an order field in the options section of
/etc/crypttab. A better one would be a dependency option, e.g.
depends=keyring in the example above:
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh,depends=keyring
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2031499
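The report proposes a depends=<target> crypttab option so that a mapping whose keyscript reads its key from another mapping is set up after it. The filter below is an added example, not part of the bug report or of cryptsetup-initramfs: it assumes that hypothetical depends= option, reads crypttab lines on stdin, emits them in dependency order (otherwise preserving the original order), and refuses to produce output on a cycle or an unknown dependency rather than silently emitting a crypttab that cannot unlock at boot.

```shell
#!/bin/sh
# order_crypttab: reorder crypttab entries so that every target carrying the
# hypothetical "depends=<target>" option (proposed in the report, not a real
# cryptsetup option) is printed after the target it depends on.
# Exit status 1 on a dependency cycle or on a dependency that names no target.
order_crypttab() {
    awk '
    /^[[:space:]]*#/ { next }                   # comment line
    NF == 0          { next }                   # blank line
    {
        n++; line[n] = $0; name[n] = $1; idx[$1] = n; dep[n] = ""
        m = split($4, opts, ",")                # $4 is the options column
        for (i = 1; i <= m; i++)
            if (opts[i] ~ /^depends=/) dep[n] = substr(opts[i], 9)
    }
    # depth-first visit: print the dependency first, then the entry itself
    function visit(i) {
        if (done[i]) return 1
        if (seen[i]) { print "cycle at " name[i] > "/dev/stderr"; return 0 }
        seen[i] = 1
        if (dep[i] != "") {
            if (!(dep[i] in idx)) {
                print "unknown dependency " dep[i] " for " name[i] > "/dev/stderr"
                return 0
            }
            if (!visit(idx[dep[i]])) return 0
        }
        done[i] = 1
        print line[i]
        return 1
    }
    END { for (i = 1; i <= n; i++) if (!visit(i)) exit 1 }
    '
}

# Constructed sample in the order the hook emitted it in the report: swap comes
# first although its keyscript needs the keyring mapping to be open already.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh,depends=keyring
keyring UUID=abcdefg none luks,initramfs'

printf '%s\n' "$SAMPLE_CRYPTTAB" | order_crypttab
```

Run stand-alone, the sample prints keyring before swap; feeding an initrd's extracted cryptroot/crypttab through the filter is a quick way to check whether a keyscript-based mapping was emitted ahead of the mapping it reads from.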