[pkg-cryptsetup-devel] Bug#811456: Bug#811456: Unable to find seq in shutdown

Klaus Ethgen Klaus at Ethgen.de
Tue Jan 19 12:34:10 UTC 2016


Hi Guilhem,

On Tue, 19 Jan 2016 at 12:02, Guilhem Moulin wrote:
> On Tue, 19 Jan 2016 at 08:08:42 +0100, Klaus Ethgen wrote:
> > This might be a regression of the earlier bugfix to not loop forever.
> 
> Of #792552 actually (my bad).  (#810380, which you're referring to, was
> itself a regression of #792552 but I reverted the patch and reworked it
> from scratch.)  Didn't spot this during tests since seq comes from
> busybox which is in cryptsetup's Recommends.  So in the meantime, a
> workaround is to install busybox.

I did expand the seq in the script as a short-term fix.

> > However, it has a bad taste for me to do that looping.
> 
> Could you expand on this?  #792552 shows a desire to try again to close
> a device when it's busy on the first try.  I didn't add the seq to fix
> the endless loop you reported in #810380, but to make the script
> eventually bail out (with open crypt devices) and proceed with the
> shutdown instead of trying forever *if for some reason the disk keeps
> being busy*.  (In most cases it'll be closed on the first try and the
> script will move on to the next crypttab(5) entry.)

Well, exactly that is it. There should be a deterministic check if there
are leftover crypt devices and close them.

While open crypt devices are not great, they will at least not end with
lost data. Not by themselves. But I do not like the idea that they stay
open with key material still in memory (search for cold boot attack).

On the other hand, at least with full filesystem encryption it would
not be possible to cleanly close all of them.

Currently I have no real solution for that, sorry.

Regards
   Klaus
- -- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
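Added example (not part of this thread and not the cryptsetup package's script): the bounded retry discussed above written with shell arithmetic only, so no external seq is needed at shutdown, followed by a deterministic report of dm-crypt mappings that are still open. The function names and the TRIES/DELAY variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not the cryptsetup package's shutdown script.

# Default hooks wrap the real tools; they are separate functions
# (assumed names) so the logic can be exercised without root.
close_dev()  { cryptsetup close "$1"; }
list_crypt() { dmsetup ls --target crypt; }

# try_close NAME [TRIES] [DELAY]: bounded retry using only shell
# arithmetic, so nothing outside the shell (seq) must be installed.
try_close() {
    name=$1; tries=${2:-5}; delay=${3:-1}; i=1
    while [ "$i" -le "$tries" ]; do
        if close_dev "$name" 2>/dev/null; then
            return 0
        fi
        if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
        i=$((i + 1))
    done
    return 1    # still busy: give up so the shutdown can proceed
}

# leftover_crypt: print the names of dm-crypt mappings still open.
leftover_crypt() {
    list_crypt 2>/dev/null |
        awk '$0 != "No devices found" && NF { print $1 }'
}

# close_all NAME...: try each mapping, then report what is left.
# Returns 0 only when no dm-crypt mapping remains open.
close_all() {
    for n in "$@"; do
        try_close "$n" "${TRIES:-5}" "${DELAY:-1}" ||
            echo "warning: $n still busy after ${TRIES:-5} tries" >&2
    done
    left=$(leftover_crypt)
    if [ -z "$left" ]; then
        return 0
    fi
    echo "still open, key material remains in memory:" $left >&2
    return 1
}
```

A mapping that backs the root filesystem will always show up in the final report, which is the case the message above says cannot be closed cleanly.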