[Pkg-cryptsetup-devel] Bug#438169: Warn about missing hash in /etc/crypttab
sebastian.leske at sleske.name
Wed Aug 15 20:09:49 UTC 2007
Package: cryptsetup
Version: 2:1.0.4+svn26-1
As described in bug #406317 and documented in README.initramfs.gz, the
initramfs scripts default to using the sha256 hash function while
the plain cryptsetup binary defaults to using the ripemd160 hash
function.
That means that on upgrade from initrd to initramfs, a root partition
that was encrypted using plain cryptsetup will become unbootable, unless
the correct hash is given as an option in /etc/crypttab
("hash=ripemd160").
While this is documented in README.initramfs.gz, it is unlikely everyone
will read all the READMEs when installing initramfs. Therefore, as a
migration help I propose that mkinitramfs should warn if the entry for
the root partition in /etc/crypttab lacks the hash= option.
The enclosed patch (to /usr/share/initramfs-tools/hooks/cryptroot) does
just that. If the line for the root device in crypttab does not contain
the options "hash=" or "luks", it prints:

    WARNING: Option hash= missing in crypttab for target $target, assuming sha256.
             If this is wrong, this initramfs image will not boot.
             Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add
             the correct hash= option to your /etc/crypttab (or add luks if you are
             running LUKS).

That will give users a chance to correct their crypttab. Even if sha256
would have been correct, it doesn't hurt to add it explicitly. To avoid
breaking things, the patch does not change the behaviour of mkinitramfs;
it only warns.
The patch skips the warning if option "luks" is present, to avoid
bothering LUKS users, who don't need to specify the hash anyway.
[--- patch follows, format: unified diff ---]
--- /usr/share/initramfs-tools/hooks/cryptroot-orig 2007-07-23
18:08:34.000000000 +0200
+++ /usr/share/initramfs-tools/hooks/cryptroot 2007-08-12
12:10:17.000000000 +0200
@@ -197,17 +197,20 @@
fi
# We have all the basic options, let's go trough them
OPTIONS="target=$target,source=$source,key=$key"
local IFS=", "
+ unset HASH_FOUND
+ unset LUKS_FOUND
for opt in $rootopts; do
case $opt in
cipher=*)
OPTIONS="$OPTIONS,$opt"
;;
hash=*)
OPTIONS="$OPTIONS,$opt"
+ HASH_FOUND=1
;;
size=*)
OPTIONS="$OPTIONS,$opt"
;;
lvm=*)
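Review bot: HASH_FOUND and LUKS_FOUND are cleared with unset at the top of this hunk but are not declared local, while IFS on the line just above is, so both flags stay in the hook's global scope after the function returns. Declaring them next to IFS, for example "local HASH_FOUND= LUKS_FOUND=", confines them to this function and makes the two unset lines unnecessary. Separately, the hash=*) branch sets HASH_FOUND=1 for a bare "hash=" with no value as well, which silences the new warning for an entry that still names no hash; checking that the value is non-empty before setting the flag would close that gap.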
@@ -221,16 +224,28 @@
fi
KEYSCRIPT="$opt"
opt=$(basename "$opt")
OPTIONS="$OPTIONS,keyscript=/keyscripts/$opt"
;;
+ luks)
+ LUKS_FOUND=1
+ ;;
*)
# Presumably a non-supported option
;;
esac
done
+ # Warn for missing hash option, unless we have a LUKS partition
(which does not need it)
+ if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
+ echo "WARNING: Option hash= missing in crypttab for target
$target, assuming sha256." >&2
+ echo " If this is wrong, this initramfs image will not
boot." >&2
+ echo " Please read
/usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
+ echo " the correct hash= option to your /etc/crypttab
(or add" >&2
+ echo " 'luks' if you are running LUKS)." >&2
+ fi
+
# If keyscript is set, the "key" is just an argument to the
script
if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
echo "cryptsetup: WARNING: target $target uses a key
file, skipped" >&2
return 1
fi
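Review bot: The new warning block is placed ahead of the key-file check that follows it, so a target that is then rejected with "uses a key file, skipped" and return 1 still produces the hash= warning even though it is skipped; moving the block below that check avoids the misleading message. The new messages also begin with "WARNING:" while the existing message in the same function begins with "cryptsetup: WARNING:", so using the same prefix would keep the hook's output consistent and easier to attribute in mkinitramfs output. The luks) branch only sets LUKS_FOUND and does not append to OPTIONS, which matches the stated intent of not changing behaviour, and a one-line comment saying so would help the next reader.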