[pkg-cryptsetup-devel] Bug#782024: cryptsetup: [patch] fix remote unlock of encrypted root when plymouth is installed
Matthias Buecher / Germany
maddes+debian at maddes.net
Mon Apr 6 15:55:37 UTC 2015
Package: cryptsetup
Version: 2:1.4.3-4
Severity: important
Tags: patch
Dear Maintainer,
The cryptroot script always uses plymouth if present (plymouth is
installed by default on Ubuntu).
Unfortunately this prevents unlocking an encrypted root from a console
(e.g. via SSH).
Attached is a patch with a solution to this issue.
Changes in /usr/share/initramfs-tools/scripts/local-top/cryptroot
- new parameter "noplymouth": can be passed at boot time to avoid
using plymouth even if it is present
- kill all processes which ask for the password after the encrypted root is
available
New file /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh
- creates a /bin/unlock script in the initramfs that sets the correct PATH and
calls the cryptroot script with the correct parameter
- creates /etc/motd file in initramfs to inform user about unlock script
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.2.0-4-amd64 root=/dev/mapper/zulu1959-root ro quiet
-- /etc/crypttab
# <target name> <source device> <key file> <options>
md1_crypt UUID=033d63d6-3939-4908-803d-532ca73b77af none luks
md2_crypt UUID=305b4437-d583-497b-9b66-1cd118746982 md1_crypt
luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/mapper/zulu1959-root during installation
UUID=2294b0ce-084e-4999-b5ed-60fb23d62842 / ext4
errors=remount-ro,usrquota 0 1
# /boot was on /dev/md0 during installation
UUID=683249e6-e34e-4beb-91b1-bd0ff6f46a20 /boot ext2
defaults 0 2
# swap was on /dev/mapper/zulu1959-swap_1 during installation
UUID=a4d49eb1-3697-4d43-a912-ff242b17e71b none swap sw
0 0
/dev/mapper/zulu1959data-maddes_home /home/maddes ext4 defaults 0 0
/dev/mapper/zulu1959data-maddes_mail /home/maddes/mail ext4 defaults 0 0
/dev/mapper/zulu1959data-chrisse_home /home/chrisse ext4 defaults 0 0
/dev/mapper/zulu1959data-chrisse_mail /home/chrisse/mail ext4 defaults 0 0
/dev/mapper/zulu1959data-svn_home /home/svn ext4 defaults 0 0
-- lsmod
Module Size Used by
cpuid 12708 0
ip6t_REJECT 12512 3
nf_conntrack_ipv6 13316 5
nf_defrag_ipv6 12832 1 nf_conntrack_ipv6
ip6table_filter 12540 1
ip6table_raw 12528 1
ip6table_mangle 12540 0
ip6_tables 22175 3 ip6table_mangle,ip6table_raw,ip6table_filter
xt_comment 12427 26
ipt_REJECT 12502 3
xt_tcpudp 12570 28
nf_conntrack_ipv4 14078 5
nf_defrag_ipv4 12483 1 nf_conntrack_ipv4
xt_conntrack 12681 10
nf_conntrack 52720 3
xt_conntrack,nf_conntrack_ipv4,nf_conntrack_ipv6
iptable_filter 12536 1
ip_tables 22042 1 iptable_filter
x_tables 19118 11
ip_tables,iptable_filter,xt_conntrack,xt_tcpudp,ipt_REJECT,xt_comment,ip6_tables,ip6table_mangle,ip6table_raw,ip6table_filter,ip6t_REJECT
nfsd 216181 2
nfs 308353 0
nfs_acl 12511 2 nfs,nfsd
auth_rpcgss 37143 2 nfs,nfsd
fscache 36739 1 nfs
lockd 67306 2 nfs,nfsd
sunrpc 173730 6 lockd,auth_rpcgss,nfs_acl,nfs,nfsd
ext2 59231 1
radeon 722295 1
snd_hda_codec_hdmi 30824 1
ttm 53664 1 radeon
drm_kms_helper 31370 1 radeon
snd_hda_intel 26259 0
snd_hda_codec 78031 2 snd_hda_intel,snd_hda_codec_hdmi
snd_hwdep 13186 1 snd_hda_codec
drm 183952 3 drm_kms_helper,ttm,radeon
power_supply 13475 1 radeon
snd_pcm 68083 3
snd_hda_codec,snd_hda_intel,snd_hda_codec_hdmi
i2c_algo_bit 12841 1 radeon
fam15h_power 12677 0
sp5100_tco 12900 0
snd_page_alloc 13003 2 snd_pcm,snd_hda_intel
shpchp 31293 0
k10temp 12611 0
i2c_piix4 12536 0
edac_mce_amd 17103 0
snd_timer 22917 1 snd_pcm
snd 52893 6
snd_timer,snd_pcm,snd_hwdep,snd_hda_codec,snd_hda_intel,snd_hda_codec_hdmi
powernow_k8 17618 0
mperf 12453 1 powernow_k8
i2c_core 23876 5
i2c_piix4,i2c_algo_bit,drm,drm_kms_helper,radeon
soundcore 13065 1 snd
pcspkr 12579 0
edac_core 35258 0
psmouse 69265 0
processor 28149 9 powernow_k8
evdev 17562 3
serio_raw 12931 0
button 12937 0
thermal_sys 18040 1 processor
ext4 350804 6
crc16 12343 1 ext4
jbd2 62115 1 ext4
mbcache 13114 2 ext4,ext2
xts 12645 16
gf128mul 13048 1 xts
dm_crypt 22586 2
dm_mod 63645 30 dm_crypt
raid1 30714 5
md_mod 87742 4 raid1
microcode 30126 0
sg 25874 0
sd_mod 36136 12
crc_t10dif 12348 1 sd_mod
ohci_hcd 26563 0
crc32c_intel 12747 0
broadcom 13032 0
ghash_clmulni_intel 13130 0
aesni_intel 50667 64
aes_x86_64 16843 1 aesni_intel
aes_generic 33026 2 aes_x86_64,aesni_intel
cryptd 14517 18 aesni_intel,ghash_clmulni_intel
ahci 24997 10
libahci 22941 1 ahci
tg3 119064 0
libphy 19057 2 tg3,broadcom
ehci_hcd 40249 0
libata 140630 2 libahci,ahci
usbcore 128741 3 ehci_hcd,ohci_hcd
scsi_mod 162321 3 libata,sd_mod,sg
usb_common 12354 1 usbcore
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.4.3-4
ii debconf [debconf-2.0] 1.5.49
ii dmsetup 2:1.02.74-8
ii libc6 2.13-38+deb7u8
Versions of packages cryptsetup recommends:
ii busybox 1:1.20.0-7
ii console-setup 1.88
ii initramfs-tools [linux-initramfs-tool] 0.109.1
ii kbd 1.15.3-9
Versions of packages cryptsetup suggests:
pn dosfstools <none>
ii liblocale-gettext-perl 1.05-7+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true
-------------- next part --------------
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot 2012-11-07 16:28:47.000000000 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2015-03-11 23:25:18.000000000 +0100
@@ -16,11 +16,15 @@ prereqs()
done
}
+NOPLYMOUTH=0
+
case $1 in
prereqs)
prereqs
exit 0
;;
+noplymouth)
+ NOPLYMOUTH=1
esac
# source for log_*_msg() functions, see LP: #272301
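Review bot: The new `noplymouth)` arm at the end of the `case` is not terminated with `;;`, which is legal for the last arm but silently breaks if another arm is appended below it later; write it as `noplymouth) NOPLYMOUTH=1 ;;`. The parameter is not documented anywhere in the script either, so a comment above the arm such as `# noplymouth: prompt on the console even when plymouth is running (used by the initramfs /bin/unlock script)` would tell the next reader why it exists. Note that the arm falls through to the rest of the script, so `cryptroot noplymouth` presumably re-runs the whole unlock sequence in parallel with the console invocation; whether that is safe is not visible from this hunk.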
@@ -31,7 +35,7 @@ esac
#
message()
{
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
plymouth message --text="$@"
else
echo "$@" >&2
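Review bot: The changed `if` line combines two tests with the deprecated `-a` inside a single `[ ]`, which POSIX marks as ambiguous and ShellCheck flags; under `#!/bin/sh` the portable form is two separate tests, `if [ "${NOPLYMOUTH}" -eq 0 ] && [ -x /bin/plymouth ] && plymouth --ping; then`. The same construct is repeated in the `setup_mapping()` hunk below, so a small helper such as `use_plymouth()` returning that status would keep the two call sites from drifting apart. `message()` is shown in full here, but the comment block above it is cut at the hunk start.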
@@ -269,7 +273,7 @@ setup_mapping()
if [ -z "$cryptkeyscript" ]; then
cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
- if [ -x /bin/plymouth ] && plymouth --ping; then
+ if [ "${NOPLYMOUTH}" -eq 0 -a -x /bin/plymouth ] && plymouth --ping; then
cryptkeyscript="plymouth ask-for-password --prompt"
cryptkey=$(printf "$cryptkey")
else
@@ -291,6 +295,12 @@ setup_mapping()
return 1
fi
+ # Kill all remaining processes that ask for the password
+ for PID in $(ps | grep -e '/lib/cryptsetup/askpass' -e 'plymouth.*ask-for-password' | sed -n -e '/grep/! { s#[[:space:]]*\([0-9]\+\)[[:space:]]*.*#\1#p ; }')
+ do
+ kill -9 "${PID}"
+ done
+
#FSTYPE=''
#eval $(fstype < "$NEWROOT")
FSTYPE="$(blkid -s TYPE -o value "$NEWROOT")"
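Review bot: The added loop sends SIGKILL as the first and only signal to every process whose `ps` line matches `/lib/cryptsetup/askpass` or `plymouth.*ask-for-password`; SIGKILL cannot be caught, so the interrupted prompt presumably cannot restore whatever terminal settings it changed, and `kill -TERM "${PID}"`, escalating to `-9` only if the process is still alive afterwards, would be the safer default. Selecting victims by substring match on `ps` output is fragile: any process whose command line happens to contain either pattern is killed too, and the `\+` in the sed expression is a GNU/busybox extension rather than POSIX BRE, so a comment stating the assumption that the initramfs `ps` and `sed` are busybox would help the next maintainer. If the initramfs busybox provides `pkill -f`, it avoids the self-match filtering that the `/grep/!` address is doing by hand. `setup_mapping()` begins and ends outside this hunk.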
--- /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2014-12-28 22:16:37.909586616 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot_unlock.sh 2015-03-11 22:33:41.000000000 +0100
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+#
+# This InitRAMFS hook provides:
+# Simple script to easily unlock LUKS encrypted root partition from remote (SSH, Telnet)
+# Intended for Debian 6.0 Squeeze
+#
+# Copyright: Matthias Bücher, see http://www.maddes.net/
+# License: GNU GPL v2 or later, see http://www.gnu.org/licenses/gpl.html
+#
+# Adopted from http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu#comment-25990
+#
+# Thanks to:
+# - Wulf Coulmann; http://gpl.coulmann.de/ssh_luks_unlock.html
+# for his tremendeous effort to unlock LUKS root parititon remotely on Debian 5.0 Lenny and before
+#
+# History:
+# v1.0 - 2011-02-15
+# initial release
+# v1.1 - 2011-03-29
+# fixed some typos
+# (also thanks to Sven Greuer)
+#
+
+PREREQ=""
+
+prereqs()
+{
+ echo "${PREREQ}"
+}
+
+case "${1}" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+#
+# Begin real processing
+#
+
+SCRIPTNAME=unlock
+
+# 1) Create script to unlock luks partitions
+cat > ${DESTDIR}/bin/${SCRIPTNAME} << '__EOF'
+#!/bin/sh
+PATH='/sbin:/bin'
+/scripts/local-top/cryptroot noplymouth
+__EOF
+chmod 700 ${DESTDIR}/bin/${SCRIPTNAME}
+
+
+# 2) Enhance Message Of The Day (MOTD) with info how to unlock luks partition
+cat >> ${DESTDIR}/etc/motd << __EOF
+
+To unlock root partition, and maybe others like swap, run "${SCRIPTNAME}"
+__EOF
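Review bot: Both redirections in the hook expand `${DESTDIR}` unquoted and without checking that it is set, so with an empty `DESTDIR` the `cat >` and `cat >>` land in `/bin/unlock` and `/etc/motd` of the running system; add `: "${DESTDIR:?DESTDIR not set}"` after sourcing hook-functions and quote the targets, `cat > "${DESTDIR}/bin/${SCRIPTNAME}"` and `chmod 700 "${DESTDIR}/bin/${SCRIPTNAME}"`. The header comment still says `Intended for Debian 6.0 Squeeze` with a history ending at v1.1 (2011), while this report targets 2:1.4.3-4; update the header to state that the generated `/bin/unlock` depends on the patched cryptroot script understanding `noplymouth`, since on an unpatched script the argument would presumably just be ignored. The generated script also hard-codes `PATH='/sbin:/bin'`, omitting `/usr/sbin:/usr/bin`; if that is deliberate for the initramfs layout, a one-line comment saying so would prevent a well-meaning "fix".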