[Bug 1938692] Re: systemd-cryptsetup-generator generated unit for root filesystem fails with keyfile
Nick Rosbrook
1938692 at bugs.launchpad.net
Thu Jul 6 20:32:03 UTC 2023
Sorry this was not looked at sooner. Is this still a problem in newer
releases?
** Changed in: systemd (Ubuntu)
Status: New => Incomplete
--
https://bugs.launchpad.net/bugs/1938692
Title:
systemd-cryptsetup-generator generated unit for root filesystem fails
with keyfile
Status in systemd package in Ubuntu:
Incomplete
Bug description:
I'm using Ubuntu 21.04 on a Raspberry Pi 4b.
/etc/crypttab:
# <target name> <source device> <key file> <options>
crypt_root UUID=12989868-19fe-4834-90a8-f1bf13977745 /dev/disk/by-label/wopr_keys:/crypt_root_key luks,discard,keyscript=/lib/cryptsetup/scripts/passdev,initramfs,x-initrd.attach
crypt_swap /dev/disk/by-id/scsi-SSamsung_Portable_SSD_T5_4B1C18654321-part2 /dev/urandom swap,discard,cipher=aes-xts-plain64,size=256,plain
/etc/fstab:
LABEL=system-boot /boot/firmware vfat defaults 0 1
/dev/mapper/crypt_root / btrfs defaults,ssd,compress=zstd,discard=async,relatime,x-initrd.mount,subvol=@ 0 0
/dev/mapper/crypt_root /home btrfs defaults,ssd,compress=zstd,discard=async,relatime,x-initrd.mount,subvol=@home 0 0
/dev/mapper/crypt_swap none swap defaults 0 0
/boot/firmware/cmdline.txt:
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 cryptdevice=LABEL=crypt_root:crypt_root root=/dev/mapper/crypt_root rootflags=subvol=@ rootfstype=btrfs rootwait fixrtc zswap.enabled=1
On the Raspberry Pi, it seems that cryptsetup-initramfs is responsible
for unlocking devices in the initramfs. Things worked perfectly before
I started using a keyfile on a USB Drive to unlock my root device.
The issue is that /lib/cryptsetup/scripts/passdev expects the keyfile
to be in a particular format, and systemd-cryptsetup-generator expects
a slightly different format. So cryptsetup-initramfs successfully
unlocks the root filesystem and mounts it, but systemd's auto-generated
unit attempts to mount the (in its view) incorrectly
formatted keyfile device and fails. As a result the entire boot fails.
In the rescue shell, I can see that all filesystems have mounted
correctly.
I can think of a couple of solutions:
1. I disabled systemd luks unit generation by passing luks=no in the kernel command line. This also disables other crypttab entries from unlocking, so my swap partition mount fails.
2. I tried disabling systemd unit generation just for my root device with x-initrd.attach,noauto,nofail,initramfs options. This resulted in the exact same error. I also tried adding noauto to the fstab entry for my root device and this did not work.
3. Arch Linux has a separate crypttab.initramfs file that is only loaded into the initramfs. Could this be implemented somehow?
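The key-field mismatch described in this report can be checked for before rebooting. The following is an added example, not part of the bug report or of either project's code: it assumes passdev reads the key field as `<device>:<path>[:<timeout>]` and that the systemd generator reads a colon-separated key field as `<path>:<device>`, as their respective documentation describes; all function names are hypothetical.

```python
# Constructed sample: the two crypttab entries quoted in the bug description.
SAMPLE = """\
# <target name> <source device> <key file> <options>
crypt_root UUID=12989868-19fe-4834-90a8-f1bf13977745 /dev/disk/by-label/wopr_keys:/crypt_root_key luks,discard,keyscript=/lib/cryptsetup/scripts/passdev,initramfs,x-initrd.attach
crypt_swap /dev/disk/by-id/scsi-SSamsung_Portable_SSD_T5_4B1C18654321-part2 /dev/urandom swap,discard,cipher=aes-xts-plain64,size=256,plain
"""


def parse_crypttab(text):
    """Yield (target, source, key, options) per entry; options is a dict."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        key = fields[2] if len(fields) > 2 else "none"
        raw = fields[3] if len(fields) > 3 else ""
        opts = dict(o.partition("=")[::2] for o in raw.split(",") if o)
        yield fields[0], fields[1], key, opts


def as_passdev(key):
    """Assumed passdev reading: <device>:<path>[:<timeout>]."""
    device, _, rest = key.partition(":")
    path, _, timeout = rest.partition(":")
    return {"device": device, "path": path, "timeout": timeout or None}


def as_path_colon_device(key):
    """Assumed generator reading: <path>:<device>, split at the last colon."""
    path, _, device = key.rpartition(":")
    return {"path": path, "device": device}


def find_conflicts(text):
    """Return passdev entries whose key field names a different device
    when it is read in <path>:<device> order instead."""
    hits = []
    for target, _source, key, opts in parse_crypttab(text):
        if not opts.get("keyscript", "").endswith("/passdev") or ":" not in key:
            continue
        a, b = as_passdev(key), as_path_colon_device(key)
        if a["device"] != b["device"]:
            hits.append({"target": target, "passdev": a, "path_colon_device": b})
    return hits


if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE):
        print(hit["target"], "passdev device:", hit["passdev"]["device"],
              "| <path>:<device> device:", hit["path_colon_device"]["device"])
```

For the crypt_root entry above, the second reading treats `/crypt_root_key` as the device to mount, which is consistent with the failing key-device mount the reporter describes.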