[Bug 2031499] [NEW] cryptsetup-initramfs generates change entries order

Nicolas Melot 2031499 at bugs.launchpad.net
Wed Aug 16 08:45:28 UTC 2023


Public bug reported:

update-initramfs does not generate the entries of the initrd's
/cryptroot/crypttab in the same order as the system's /etc/crypttab, when
entries tagged as "initramfs" are placed before entries that are not.
This is a problem if partitions automatically detected as needed depend
on a partition that is not detected as necessary. For an example, see the
system's /etc/crypttab below:

# <target name>	<source device>		<key file>	<options>
keyring		UUID=abcdefg		none		luks,initramfs
swap		/dev/xps-nicmel/swap	legacy		luks,keyscript=/etc/luks-key.sh

Turns to initrd's /cryptroot/crypttab:

swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs

The swap partition gets its key from the script luks-key.sh, which
itself reads it from keyring. update-initramfs cannot detect this
dependency and places swap so that it is decrypted first. Decryption will
fail at boot because it won't find the necessary key.

I could work around the problem by modifying
/usr/share/initramfs-tools/hooks/cryptroot from

177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181 
182     {
183         if devnos="$(get_mnt_devno /)"; then
184             if [ -n "$devnos" ]; then
185                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
186             fi  
187         else
188             cryptsetup_message "WARNING: Couldn't determine root device"
189         fi
190 
191         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
192             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
193         fi
194 
195         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
196             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
197         fi
198 
199         # add crypttab entries with the 'initramfs' option set
200         crypttab_foreach_entry crypttab_print_initramfs_entry
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }

to

177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181 
182     {
183         # add crypttab entries with the 'initramfs' option set
184         crypttab_foreach_entry crypttab_print_initramfs_entry
185 
186         if devnos="$(get_mnt_devno /)"; then
187             if [ -n "$devnos" ]; then
188                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
189             fi
190         else
191             cryptsetup_message "WARNING: Couldn't determine root device"
192         fi
193 
194         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
195             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
196         fi
197 
198         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
199             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
200         fi
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }

i.e. moving line 200 to line 183, so that "initramfs"-tagged entries are
generated before other entries. Of course this is a quick and dirty fix
and won't stand up to many other scenarios.

A possible quick fix would be an order field in the options section of
/etc/crypttab. A better one would be a dependency option, e.g.
depends=keyring in the example above:

keyring		UUID=abcdefg		none		luks,initramfs
swap		/dev/xps-nicmel/swap	legacy		luks,keyscript=/etc/luks-key.sh,depends=keyring

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2031499
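The following is an added example, not part of the bug report and not code from cryptsetup or initramfs-tools. It models the `depends=<target>` crypttab option the reporter proposes (this option does not exist in cryptsetup; treating a colon as the separator for several dependencies is an assumption of this example, since the comma is taken by the option list) and does two things a practitioner would want before rebooting: it orders /etc/crypttab entries so that every declared dependency is unlocked first while otherwise preserving the file's order, and it checks a generated initrd crypttab for targets listed before (or without) the target they depend on. The sample inputs are constructed from the crypttab lines quoted in the report.

```python
#!/usr/bin/env python3
"""Order crypttab entries by declared dependencies and audit an initrd crypttab.

Added example; not from the bug report or from cryptsetup-initramfs.
The depends= option is the reporter's proposal, not a real crypttab option.
"""
from typing import Dict, List, Tuple

# (target, source device, key file, options)
Entry = Tuple[str, str, str, List[str]]

# Constructed from the report's /etc/crypttab, with the proposed depends= added.
SYSTEM_CRYPTTAB = """\
# <target name>  <source device>        <key file>  <options>
keyring          UUID=abcdefg           none        luks,initramfs
swap             /dev/xps-nicmel/swap   legacy      luks,keyscript=/etc/luks-key.sh,depends=keyring
"""

# Constructed from the initrd /cryptroot/crypttab shown in the report (swap first).
INITRD_CRYPTTAB = """\
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs
"""


def parse_crypttab(text: str) -> List[Entry]:
    """Parse crypttab(5) lines: whitespace-separated fields, '#' comments, blank lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def declared_deps(options: List[str]) -> List[str]:
    """Targets named in depends= options (assumption: several deps separated by ':')."""
    deps: List[str] = []
    for opt in options:
        if opt.startswith("depends="):
            deps.extend(d for d in opt[len("depends="):].split(":") if d)
    return deps


def order_by_dependencies(entries: List[Entry]) -> List[Entry]:
    """Stable topological sort: keep file order, but pull each depends= target ahead.

    Raises ValueError on an unknown dependency or a dependency cycle, because
    either would leave a device that can never be unlocked at boot.
    """
    by_name: Dict[str, Entry] = {e[0]: e for e in entries}
    placed, visiting, result = set(), set(), []  # type: ignore[var-annotated]

    def visit(name: str, chain: List[str]) -> None:
        if name in placed:
            return
        if name not in by_name:
            raise ValueError(f"{chain[-1]} depends on unknown target {name}")
        if name in visiting:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [name]))
        visiting.add(name)
        for dep in declared_deps(by_name[name][3]):
            visit(dep, chain + [name])
        visiting.discard(name)
        placed.add(name)
        result.append(by_name[name])

    for entry in entries:
        visit(entry[0], [])
    return result


def ordering_violations(system_entries: List[Entry],
                        initrd_entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Report (target, dependency, reason) where the initrd crypttab would unlock
    a target before its dependency, or omits the dependency altogether.
    Matching is by target name, since the hook rewrites source devices."""
    deps = {t: declared_deps(opts) for t, _, _, opts in system_entries}
    position = {e[0]: i for i, e in enumerate(initrd_entries)}
    problems: List[Tuple[str, str, str]] = []
    for target, pos in position.items():
        for dep in deps.get(target, []):
            if dep not in position:
                problems.append((target, dep, "missing from initrd"))
            elif position[dep] > pos:
                problems.append((target, dep, "unlocked too late"))
    return problems


if __name__ == "__main__":
    system = parse_crypttab(SYSTEM_CRYPTTAB)
    print("dependency-respecting order:", [e[0] for e in order_by_dependencies(system)])
    for target, dep, why in ordering_violations(system, parse_crypttab(INITRD_CRYPTTAB)):
        print(f"PROBLEM: {target} needs {dep}: {why}")
```

To audit a real image, extract it with `unmkinitramfs /boot/initrd.img-$(uname -r) /tmp/initrd`, locate `cryptroot/crypttab` in the extracted tree, and pass its contents together with the system's /etc/crypttab to `ordering_violations`; any non-empty result means the boot would stop at a passphrase prompt for a device whose key source is not yet available.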
