[pkg-cryptsetup-devel] Bug#782024: cryptsetup: [patch] fix remote unlock of encrypted root when plymouth is installed

Guilhem Moulin guilhem at guilhem.org
Tue Oct 13 18:12:59 UTC 2015


On Thu, 01 Oct 2015 at 12:24:58 +0200, Guilhem Moulin wrote:
> since I like Matthias' solution better

On second thought I take that back.  Aside from a typo
in my previous patch, init scripts such as /scripts/local-top/cryptroot
are intended to run sequentially, and running two of them in parallel
can yield some oddities such as “… not in dm-table” errors.
Furthermore, killing the existing cryptsetup prompt increases the
counter, hence the likeliness that init aborts by dropping a shell.

After some reflection, I came up with two solutions.

  1/ Replace the existing “$cryptkeyscript | $cryptopen” pipe by a named
     pipe (FIFO).  Then we can have another process dropping the
     passphrase into said FIFO.  It's a bit dirty because the reader
     ($cryptopen) will block until ALL writers are done, so upon success
     of a single writer we have to manually kill the other ones.

  2/ Patch askpass.c to make it work with Plymouth.  Actually there was
     some splashy code left (Plymouth's ancestor), although the
     changelog reads “remove usplash support from cryptroot initramfs
     script, askpass and keyscripts, add plymouth support to keyscripts.
     (closes: #620923)”.

Option 2/ was easy enough (once I made sure to load the method after the
FIFO one, and to set “no_more” to avoid starting the console method),
and has the advantage of not messing around with the control flow.  Patch
attached (I also have a patch for 1/, but am not including it as I like
the other one better).

I've also included my own ‘unlock’ script.  I don't mind shipping it via
dropbear-initramfs instead (as I intended to originally), but it's
probably more suited for cryptsetup.

Cheers,
-- 
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cryptroot.patch
Type: text/x-diff
Size: 10897 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20151013/6f073ee3/attachment.patch>
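
The FIFO behaviour mentioned under option 1/ (the reader sees end-of-file only once every writer has closed its end), as an added example that is not part of the original message or of the cryptsetup package. The FIFO name, the passphrase and the two writer roles are constructed for illustration; Python is used so the steps run deterministically in one process.

```python
import os
import tempfile


def fifo_eof_demo(passphrase=b"constructed-passphrase\n"):
    """Return what a FIFO reader observes while writers come and go."""
    observed = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passfifo")  # hypothetical FIFO name
        os.mkfifo(path, 0o600)  # owner-only: the FIFO carries a secret

        # Open the reader non-blocking so the open does not wait for a writer.
        reader = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        # Two writers, standing in for a console prompt and a remote helper.
        console = os.open(path, os.O_WRONLY)
        remote = os.open(path, os.O_WRONLY)
        try:
            # The remote writer delivers the passphrase and closes its end.
            os.write(remote, passphrase)
            os.close(remote)
            remote = -1
            observed["data"] = os.read(reader, 4096)

            # The console writer still holds the FIFO open, so the reader
            # gets "no data yet" (EAGAIN) instead of end-of-file. A blocking
            # reader would simply hang here.
            try:
                observed["eof_with_writer_left"] = os.read(reader, 4096) == b""
            except BlockingIOError:
                observed["eof_with_writer_left"] = False

            # Only once the last writer is gone does read() return b"" (EOF).
            # This is why the remaining writers have to be killed by hand.
            os.close(console)
            console = -1
            observed["eof_after_all_closed"] = os.read(reader, 4096) == b""
        finally:
            for fd in (reader, console, remote):
                if fd >= 0:
                    os.close(fd)
    return observed


if __name__ == "__main__":
    print(fifo_eof_demo())
```
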