[pkg-cryptsetup-devel] Bug#809686: cryptsetup: --header plus UUID plus initramfs gives "Requested offset beyond size of device"
Benjamin Moody
benjaminmoody at gmail.com
Sat Jan 2 21:02:30 UTC 2016
Package: cryptsetup
Version: 2:1.6.6-5
Severity: normal

Dear Maintainer,

cryptsetup appears to be broken for a particular unusual case: when

 1. a detached LUKS header is specified using --header,
 2. the source device is a symbolic link such as /dev/disk/by-uuid/*,

and cryptsetup is run *from the initramfs*, it fails with the message
"Requested offset is beyond real size of device".
(My reason for doing this, by the way, is so that the LUKS metadata
can be stored within the initramfs and thereby verified by the
bootloader. I've kept the duplicate header on the encrypted disk
itself to make it easier to recover if necessary.)
In my case, /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e =
/dev/sda2 and /dev/disk/by-uuid/550a445a-80d1-45f3-9527-4378c8740244 =
/dev/sda3. (These links are correctly created in the initramfs as
well.)
The following cryptsetup commands work after booting Debian:
- luksOpen /dev/sda3 sda3_crypt
- luksOpen /dev/disk/by-uuid/550a* sda3_crypt
- luksOpen --header=/root/luks-hdr-sda3 /dev/sda3 sda3_crypt
- luksOpen --header=/root/luks-hdr-sda3 /dev/disk/by-uuid/550a* sda3_crypt
The following commands work from the initramfs:
- luksOpen /dev/sda2 sda2_crypt
- luksOpen /dev/disk/by-uuid/003b* sda2_crypt
- luksOpen --header=/root/luks-hdr-sda2 /dev/sda2 sda2_crypt
(although, incidentally, to make the third command work I also had to
add 'loop' to /etc/initramfs-tools/modules - for some reason
cryptsetup-in-initramfs uses a loopback device to read the header
file, although cryptsetup-in-Debian doesn't. Of course, I also had to
add a hook to copy the header files into the initramfs - see the TODO
in /usr/share/initramfs-tools/hooks/cryptroot.)
The following command, however, does *not* work from the initramfs:
- luksOpen --header=/root/luks-hdr-sda2 /dev/disk/by-uuid/003b* sda2_crypt
The debug output is as follows:
=== broken cryptsetup log ===
Enter passphrase for /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e:
Requested offset is beyond real size of device /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e.
Command failed with code 22: Requested offset is beyond real size of device /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e.
# cryptsetup 1.6.6 processing "cryptsetup -T 1 --debug --allow-discards --header=/root/luks-hdr-sda2 open --type luks /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e sda2_crypt"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /root/luks-hdr-sda2 context.
# Trying to open and read device /root/luks-hdr-sda2.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /root/luks-hdr-sda2.
# Crypto backend (gcrypt 1.6.3) initialized.
# Detected kernel Linux 3.16.0-4-amd64 x86_64.
# Reading LUKS header of size 1024 from device /root/luks-hdr-sda2
# Trying to open device /root/luks-hdr-sda2 without direct-io.
# Key length 64, device size 4040 sectors, header size 4036 sectors.
# Setting ciphertext data device to /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e.
# Trying to open and read device /dev/disk/by-uuid/003b718b-69a5-4974-9a56-54fc07f3835e.
# Timeout set to 0 miliseconds.
# Password retry count set to 1.
# Password verification disabled.
# Iteration time set to 1000 miliseconds.
# Activating volume sda2_crypt [keyslot -1] using [none] passphrase.
# dm version OF [16384] (*1)
# dm versions OF [16384] (*1)
# Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
# Device-mapper backend running with UDEV support enabled.
# dm status sda2_crypt OF [16384] (*1)
# Interactive passphrase entry requested.
# Trying to open key slot 0 [ACTIVE_LAST].
# Reading key slot 0 area.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Allocating a free loop device.
# Trying to open and read device /dev/loop0.
# Calculated device size is 504 sectors (RW), offset 8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-155
# Udev cookie 0xd4dcfd7 (semid 65536) created
# Udev cookie 0xd4dcfd7 (semid 65536) incremented to 1
# Udev cookie 0xd4dcfd7 (semid 65536) incremented to 2
# Udev cookie 0xd4dcfd7 (semid 65536) assigned to CREATE task(0) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm create temporary-cryptsetup-155 CRYPT-TEMP-temporary-cryptsetup-155 OF [16384] (*1)
# dm reload temporary-cryptsetup-155 OFRW [16384] (*1)
# dm resume temporary-cryptsetup-155 OFRW [16384] (*1)
# temporary-cryptsetup-155: Stacking NODE_ADD (254,0) 0:6 0660 [verify_udev]
# temporary-cryptsetup-155: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4dcfd7 (semid 65536) decremented to 1
# Udev cookie 0xd4dcfd7 (semid 65536) waiting for zero
# Udev cookie 0xd4dcfd7 (semid 65536) destroyed
# temporary-cryptsetup-155: Processing NODE_ADD (254,0) 0:6 0660 [verify_udev]
# temporary-cryptsetup-155: Processing NODE_READ_AHEAD 256 (flags=1)
# temporary-cryptsetup-155 (254:0): read ahead is 256
# temporary-cryptsetup-155: retaining kernel read ahead of 256 (requested 256)
# Udev cookie 0xd4d57e3 (semid 98304) created
# Udev cookie 0xd4d57e3 (semid 98304) incremented to 1
# Udev cookie 0xd4d57e3 (semid 98304) incremented to 2
# Udev cookie 0xd4d57e3 (semid 98304) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-155 OFT [16384] (*1)
# temporary-cryptsetup-155: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4d57e3 (semid 98304) decremented to 1
# Udev cookie 0xd4d57e3 (semid 98304) waiting for zero
# Udev cookie 0xd4d57e3 (semid 98304) destroyed
# temporary-cryptsetup-155: Processing NODE_DEL [verify_udev]
Key slot 0 unlocked.
# Releasing crypt device /root/luks-hdr-sda2 context.
# Releasing device-mapper backend.
# Closed loop /dev/loop0 (/root/luks-hdr-sda2).
# Unlocking memory.
=== end of broken cryptsetup log ===
When I use the real name of the device instead of the symlink, it works:
=== working cryptsetup log ===
Enter passphrase for /dev/sda2:
# cryptsetup 1.6.6 processing "cryptsetup -T 1 --debug --allow-discards --header=/root/luks-hdr-sda2 open --type luks /dev/sda2 sda2_crypt"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /root/luks-hdr-sda2 context.
# Trying to open and read device /root/luks-hdr-sda2.
# Initialising device-mapper backend library.
# Trying to load LUKS1 crypt type from device /root/luks-hdr-sda2.
# Crypto backend (gcrypt 1.6.3) initialized.
# Detected kernel Linux 3.16.0-4-amd64 x86_64.
# Reading LUKS header of size 1024 from device /root/luks-hdr-sda2
# Trying to open device /root/luks-hdr-sda2 without direct-io.
# Key length 64, device size 4040 sectors, header size 4036 sectors.
# Setting ciphertext data device to /dev/sda2.
# Trying to open and read device /dev/sda2.
# Timeout set to 0 miliseconds.
# Password retry count set to 1.
# Password verification disabled.
# Iteration time set to 1000 miliseconds.
# Activating volume sda2_crypt [keyslot -1] using [none] passphrase.
# dm version OF [16384] (*1)
# dm versions OF [16384] (*1)
# Detected dm-crypt version 1.13.0, dm-ioctl version 4.27.0.
# Device-mapper backend running with UDEV support enabled.
# dm status sda2_crypt OF [16384] (*1)
# Interactive passphrase entry requested.
# Trying to open key slot 0 [ACTIVE_LAST].
# Reading key slot 0 area.
# Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
# Using dmcrypt to access keyslot area.
# Allocating a free loop device.
# Trying to open and read device /dev/loop0.
# Calculated device size is 504 sectors (RW), offset 8.
# DM-UUID is CRYPT-TEMP-temporary-cryptsetup-153
# Udev cookie 0xd4d7ce4 (semid 65536) created
# Udev cookie 0xd4d7ce4 (semid 65536) incremented to 1
# Udev cookie 0xd4d7ce4 (semid 65536) incremented to 2
# Udev cookie 0xd4d7ce4 (semid 65536) assigned to CREATE task(0) with flags DISABLE_SUBSYSTEM_RULES DISABLE_DISK_RULES DISABLE_OTHER_RULES (0xe)
# dm create temporary-cryptsetup-153 CRYPT-TEMP-temporary-cryptsetup-153 OF [16384] (*1)
# dm reload temporary-cryptsetup-153 OFRW [16384] (*1)
# dm resume temporary-cryptsetup-153 OFRW [16384] (*1)
# temporary-cryptsetup-153: Stacking NODE_ADD (254,0) 0:6 0660 [verify_udev]
# temporary-cryptsetup-153: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4d7ce4 (semid 65536) decremented to 1
# Udev cookie 0xd4d7ce4 (semid 65536) waiting for zero
# Udev cookie 0xd4d7ce4 (semid 65536) destroyed
# temporary-cryptsetup-153: Processing NODE_ADD (254,0) 0:6 0660 [verify_udev]
# temporary-cryptsetup-153: Processing NODE_READ_AHEAD 256 (flags=1)
# temporary-cryptsetup-153 (254:0): read ahead is 256
# temporary-cryptsetup-153: retaining kernel read ahead of 256 (requested 256)
# Udev cookie 0xd4dd9dc (semid 98304) created
# Udev cookie 0xd4dd9dc (semid 98304) incremented to 1
# Udev cookie 0xd4dd9dc (semid 98304) incremented to 2
# Udev cookie 0xd4dd9dc (semid 98304) assigned to REMOVE task(2) with flags (0x0)
# dm remove temporary-cryptsetup-153 OFT [16384] (*1)
# temporary-cryptsetup-153: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4dd9dc (semid 98304) decremented to 1
# Udev cookie 0xd4dd9dc (semid 98304) waiting for zero
# Udev cookie 0xd4dd9dc (semid 98304) destroyed
# temporary-cryptsetup-153: Processing NODE_DEL [verify_udev]
Key slot 0 unlocked.
# Calculated device size is 117182464 sectors (RW), offset 4096.
# DM-UUID is CRYPT-LUKS1-003b718b69a549749a5654fc07f3835e-sda2_crypt
# Udev cookie 0xd4daf1e (semid 131072) created
# Udev cookie 0xd4daf1e (semid 131072) incremented to 1
# Udev cookie 0xd4daf1e (semid 131072) incremented to 2
# Udev cookie 0xd4daf1e (semid 131072) assigned to CREATE task(0) with flags (0x0)
# dm create sda2_crypt CRYPT-LUKS1-003b718b69a549749a5654fc07f3835e-sda2_crypt OF [16384] (*1)
# dm reload sda2_crypt OFW [16384] (*1)
# dm resume sda2_crypt OFW [16384] (*1)
# sda2_crypt: Stacking NODE_ADD (254,0) 0:6 0660 [verify_udev]
# sda2_crypt: Stacking NODE_READ_AHEAD 256 (flags=1)
# Udev cookie 0xd4daf1e (semid 131072) decremented to 1
# Udev cookie 0xd4daf1e (semid 131072) waiting for zero
# Udev cookie 0xd4daf1e (semid 131072) destroyed
# sda2_crypt: Processing NODE_ADD (254,0) 0:6 0660 [verify_udev]
# sda2_crypt: Processing NODE_READ_AHEAD 256 (flags=1)
# sda2_crypt (254:0): read ahead is 256
# sda2_crypt: retaining kernel read ahead of 256 (requested 256)
# Releasing crypt device /root/luks-hdr-sda2 context.
# Releasing device-mapper backend.
# Closed loop /dev/loop0 (/root/luks-hdr-sda2).
# Unlocking memory.
Command successful.
=== end of working cryptsetup log ===
As shown below, I was able to work around this by changing
/etc/crypttab to use the real device names instead of UUIDs. This
works for me but is not optimal.
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 root=UUID=d4a95191-90d7-4f4a-9504-b1254cb12617 ro quiet break=mountroot
-- /etc/crypttab
sda2_crypt /dev/sda2 none luks,discard,header=/root/luks-hdr-sda2
sda3_crypt /dev/sda3 /root/disk-key luks,keyscript=/root/get-disk-key,header=/root/luks-hdr-sda3
sda5_crypt /dev/sda5 /root/disk-key luks,discard
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/sda2_crypt / ext4 noatime,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=9a4308d4-1a36-4f22-9aed-e79c48e2545d /boot ext3 noatime,nodev,nosuid,noexec 0 2
/dev/mapper/sda3_crypt none swap defaults 0 0
/dev/mapper/sda5_crypt /home ext4 relatime 0 2
none /tmp tmpfs nodev,nosuid,mode=1777 0 0
-- lsmod
Module Size Used by
bnep 17431 2
ecb 12737 1
btusb 29721 0
bluetooth 374429 21 bnep,btusb
6lowpan_iphc 16588 1 bluetooth
uvcvideo 79005 0
videobuf2_vmalloc 12816 1 uvcvideo
videobuf2_memops 12519 1 videobuf2_vmalloc
videobuf2_core 47787 1 uvcvideo
v4l2_common 12995 1 videobuf2_core
videodev 126451 3 uvcvideo,v4l2_common,videobuf2_core
media 18305 2 uvcvideo,videodev
algif_skcipher 13008 0
af_alg 12988 1 algif_skcipher
iTCO_wdt 12831 0
iTCO_vendor_support 12649 1 iTCO_wdt
thinkpad_ec 12813 0
msr 12677 0
acpi_call 12552 0
arc4 12536 2
ath9k 90245 0
snd_hda_codec_conexant 17841 1
ath9k_common 21746 1 ath9k
ath9k_hw 391172 2 ath9k_common,ath9k
snd_hda_codec_generic 63181 1 snd_hda_codec_conexant
ath 26067 3 ath9k_common,ath9k,ath9k_hw
mac80211 474277 1 ath9k
coretemp 12820 0
kvm_intel 139116 0
kvm 388784 1 kvm_intel
cfg80211 405538 4 ath,ath9k_common,ath9k,mac80211
sg 29973 0
i915 837175 2
evdev 17445 23
psmouse 99249 0
pcspkr 12595 0
thinkpad_acpi 69119 2
serio_raw 12849 0
lpc_ich 20768 0
i2c_i801 16965 0
mfd_core 12601 1 lpc_ich
e1000e 212128 0
snd_hda_intel 26327 5
snd_hda_controller 26646 1 snd_hda_intel
snd_hda_codec 104500 4 snd_hda_codec_conexant,snd_hda_codec_generic,snd_hda_intel,snd_hda_controller
nvram 13034 1 thinkpad_acpi
rfkill 18867 5 cfg80211,thinkpad_acpi,bluetooth
drm_kms_helper 49210 1 i915
snd_hwdep 13148 1 snd_hda_codec
drm 249955 4 i915,drm_kms_helper
uhci_hcd 43499 0
ehci_pci 12512 0
battery 13356 0
snd_pcm 88662 3 snd_hda_codec,snd_hda_intel,snd_hda_controller
snd_timer 26614 1 snd_pcm
ehci_hcd 69837 1 ehci_pci
usbcore 195427 5 btusb,uhci_hcd,uvcvideo,ehci_hcd,ehci_pci
snd 65244 22 snd_hwdep,snd_timer,snd_hda_codec_conexant,snd_pcm,snd_hda_codec_generic,snd_hda_codec,snd_hda_intel,thinkpad_acpi
shpchp 31121 0
soundcore 13026 2 snd,snd_hda_codec
i2c_algo_bit 12751 1 i915
i2c_core 46012 7 drm,i915,i2c_i801,drm_kms_helper,i2c_algo_bit,v4l2_common,videodev
ptp 17692 1 e1000e
video 18096 1 i915
usb_common 12440 1 usbcore
pps_core 17225 1 ptp
ac 12715 0
acpi_cpufreq 17218 1
button 12944 1 i915
processor 28221 3 acpi_cpufreq
fuse 83350 1
parport_pc 26300 0
ppdev 16782 0
lp 17074 0
parport 35749 3 lp,ppdev,parport_pc
autofs4 35529 2
ext4 473802 3
crc16 12343 2 ext4,bluetooth
mbcache 17171 1 ext4
jbd2 82522 1 ext4
xts 12679 3
gf128mul 12970 1 xts
dm_crypt 22595 3
dm_mod 89405 7 dm_crypt
loop 26605 0
sd_mod 44356 5
crc_t10dif 12431 1 sd_mod
crct10dif_generic 12581 1
crct10dif_common 12356 2 crct10dif_generic,crc_t10dif
ahci 33334 4
libahci 27158 1 ahci
libata 177508 2 ahci,libahci
scsi_mod 191405 3 sg,libata,sd_mod
thermal 17559 0
thermal_sys 27642 3 video,thermal,processor
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (900, 'stable'), (500, 'stable-updates'), (1, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:1.6.6-5
ii debconf [debconf-2.0] 1.5.56
ii dmsetup 2:1.02.90-2.2
ii libc6 2.19-18+deb8u1
Versions of packages cryptsetup recommends:
ii busybox 1:1.22.0-9+deb8u1
ii console-setup 1.123
ii initramfs-tools [linux-initramfs-tool] 0.120
ii kbd 1.15.5-2
Versions of packages cryptsetup suggests:
ii dosfstools 3.0.27-1
pn keyutils <none>
ii liblocale-gettext-perl 1.05-8+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true
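
A check for the combination described in this report, as an added example that is not part of the original message or of the cryptsetup package: it lists crypttab entries that use `header=` with a `UUID=` or symlinked source, together with the real device name the reported workaround would substitute. The function names and the optional `DEVROOT` argument (used to test without real block devices) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original report.
# Flags crypttab entries that pair header= with a source that is not already
# a canonical device path, and prints the resolved device for each.

# resolve_source SRC [DEVROOT]
# Maps UUID=<uuid> to DEVROOT/disk/by-uuid/<uuid>, then follows symlinks.
# DEVROOT defaults to /dev; it is overridable only for offline testing.
resolve_source() {
    src=$1
    devroot=${2:-/dev}
    case $src in
        UUID=*) src="$devroot/disk/by-uuid/${src#UUID=}" ;;
    esac
    readlink -f -- "$src"
}

# check_crypttab FILE [DEVROOT]
# Output: one line "name source -> resolved" per affected entry.
check_crypttab() {
    file=$1
    devroot=${2:-/dev}
    while read -r name src key opts; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # Only entries with a detached header are of interest here.
        case ",$opts," in *,header=*) ;; *) continue ;; esac
        # Skip sources that cannot be resolved at all.
        real=$(resolve_source "$src" "$devroot") || continue
        # Report only when the configured source differs from the real device.
        [ "$real" = "$src" ] || printf '%s %s -> %s\n' "$name" "$src" "$real"
    done < "$file"
}
```

Call `check_crypttab /etc/crypttab` before rebuilding the initramfs; each line it prints is an entry whose source field would need the real device name for the workaround above.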