[pkg-cryptsetup-devel] Bug#842951: Bug#842951: Falsely identifies origin of a key file
Jonas Meurer
jonas at freesources.org
Tue Dec 6 21:13:50 UTC 2016
Hi Martin,
On 16.11.2016 at 15:40, martin f krafft wrote:
> thus spoke Jonas Meurer <jonas at freesources.org> [2016-11-14 19:01 +0100]:
>>> I think the reason for the confusion is that the "crypt" device is
>>> actually a PV for the fishbowl LVM VG, and the root filesystem is
>>> just an LV there, so it's not encrypted per se, but it's part of an
>>> encrypted volume group…
>>
>> Can you give a bit more context here? In particular the shell script
>> trace before and after the part that you parsed would be helpful. Could
>> you send me the full shell script trace with 'set -x' enabled (and
>> KEYFILE_PATTERN temporarily removed again)?
>
> Here you go, hope this helps. more info below.
Indeed, it helped a lot.
> [...]
> + key=/boot/nvme0n1.luks
> + printf %s fishbowl-root
> + tr \n
> + grep -Fxq crypt
> + stat -c %m -- /boot/nvme0n1.luks
> + [ / != / ]
> + node_is_in_crypttab fishbowl-root
> + [ -f /etc/crypttab ]
> + [ 1 -gt 0 ]
> + sed -rn s/^\s*([^#]\S*)\s.*/\1/p /etc/crypttab
> + grep -Fxq fishbowl-root
> + return 1
> + echo cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
> cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
> + return 1
> [...]
>
>> For some reason, 'node_is_in_crypttab fishbowl-root' expands to
>> false. Is 'fishbowl-root' the name of your unlocked dm-crypt
>> device or the name of your LVM logical volume?
>
> The setup is as follows:
>
> /boot is on LV /dev/mapper/fishbowl-root
> The fishbowl VG is on PV /dev/mapper/crypt
> /dev/mapper/crypt is a dm-crypt mapping on top of /dev/nvme0n1p3
>
> So to answer your question: 'root' is the LV in VG 'fishbowl', which
> sits on PV 'crypt', which is the unlocked dm-crypt device
> corresponding to the SSD.
The problem was with the following test condition for the key file:

    if printf '%s' "$rootdevs" | tr ' ' '\n' | grep -Fxq "$target"; ...

It didn't detect root parent devices. This is fixed now:

    if printf '%s' "$OPTIONS" | tr ',' '\n' |grep -Fxq "rootdev"; ...

Could you give updated packages a try? You can find them at
https://people.debian.org/~mejo/debian/mejo-unstable/. Along with some
other changes, they should have fixed the issue you revealed.
In order to test whether the script works as expected now, you'll have
to remove the KEYFILE_PATTERN stuff again. The script now should fail
with the correct message:

    cryptsetup: WARNING: root target crypt uses a key file, skipped

Cheers,
jonas
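
The failure mode discussed in this message, as an added example that is not part of the original mail and is not the cryptsetup initramfs hook's code: a name lookup in crypttab misses an LV that sits on an encrypted PV, while a walk over the parent devices finds the target. The device map, the crypttab contents and the names `parents_of`, `encrypted_ancestor` and `describe` are constructed for illustration; the walk handles stacks of any depth and does not reproduce the packaged fix, which tests for `rootdev` in `$OPTIONS`.

```shell
#!/bin/sh
# Constructed data mirroring the setup in the thread; nothing is read from a live system.
CRYPTTAB='# <target> <source> <key file> <options>
crypt /dev/nvme0n1p3 /boot/nvme0n1.luks luks'

# "node parent" pairs (assumed layout). On a live system this information
# is exposed under /sys/block/<dm-N>/slaves.
STACK='fishbowl-root crypt
crypt nvme0n1p3
plain-data sda1'

# True if $1 is a target name (first field of a non-comment line) in the crypttab.
node_is_in_crypttab() {
    printf '%s\n' "$CRYPTTAB" | awk 'NF && $1 !~ /^#/ { print $1 }' | grep -Fxq -- "$1"
}

# Print the direct parents of node $1, one per line.
parents_of() {
    printf '%s\n' "$STACK" | awk -v n="$1" '$1 == n { print $2 }'
}

# Print the first crypttab target found at or underneath node $1 in the stack.
# The body is a subshell so that each recursion level has its own variables.
encrypted_ancestor() (
    if node_is_in_crypttab "$1"; then
        printf '%s\n' "$1"
        exit 0
    fi
    for parent in $(parents_of "$1"); do
        encrypted_ancestor "$parent" && exit 0
    done
    exit 1
)

# Report for the node that holds the key file.
describe() {
    if node_is_in_crypttab "$1"; then
        echo "$1: is itself a crypttab target"
    elif target=$(encrypted_ancestor "$1"); then
        echo "$1: not in crypttab, but sits on crypttab target $target"
    else
        echo "$1: no encrypted device underneath"
    fi
}

describe fishbowl-root
describe plain-data
```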