[pkg-cryptsetup-devel] Bug#907243: cryptsetup-initramfs recursive resolution broken

Nathaniel Filardo nwfilardo at gmail.com
Sat Aug 25 09:33:46 BST 2018


Package: cryptsetup-initramfs
Version: 2:2.0.4-2
Severity: important

Dear Maintainer,

https://salsa.debian.org/cryptsetup-team/cryptsetup/commit/cb5985935713deb6bd4fd45c77d1f54cc28b204b#a630d04e2df57150e6a092fc23f955c6ea0ce412_214_193
is subtly wrong: while 'name' and friends were local variables of
crypttab_print_entry, _CRYPTTAB_NAME and friends are not.  For the
/etc/crypttab contents below, this resulted in the initramfs crypttab
containing two copies of the pf2-zfs line but none of the pf2-swap.  A simple
fix is to buffer the output into a local variable, thus:

    local STR
    STR=$(printf '%s %s %s %s\n' \
        "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS")

    if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
        copy_exec "$CRYPTTAB_OPTION_keyscript"
    fi
    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
        # (recursively) list first the device to derive the key from (so
        # the boot scripts unlock it first)
        crypttab_find_and_print_entry "$CRYPTTAB_KEY"
    fi
    echo "$STR" >&3

Having just tested, the variant above generates the correct contents in the
initramfs's keytab.  Please deploy it or an equivalent change at your
earliest convenience.

Thank you,
--nwf;

-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.17.0-3-amd64 root=ZFS=pf2/root ro quiet boot=zfs luks=no

-- /etc/crypttab
# <target name> <source device> <key file> <options>
pf2-zfs  UUID=f9135fb3-c044-4317-9a42-3933e8702511 none luks,initramfs,discard
pf2-swap UUID=454fadc5-8023-499a-a766-39a92313d241 pf2-zfs luks,initramfs,discard,keyscript=/lib/cryptsetup/scripts/decrypt_derived
# preserve last line

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (102, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.4-2
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.184
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.

-- no debconf information
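
The failure mode described in this report, reduced to a stand-alone script (an added example, not part of the original message and not cryptsetup's own code). The names TAB, load_entry, print_buggy, print_fixed and the _NAME-style globals are hypothetical stand-ins, the UUIDs are placeholders, and output goes to stdout rather than file descriptor 3.

```shell
#!/bin/sh
# Constructed crypttab (placeholder UUIDs): "swap" derives its key from "root".
TAB='root UUID=aaaa none luks,initramfs
swap UUID=bbbb root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived'

# Load the entry named $1 into GLOBAL variables (hypothetical stand-ins for
# the _CRYPTTAB_* variables named in the report).
load_entry() {
    local n s k o
    while read -r n s k o; do
        if [ "$n" = "$1" ]; then
            _NAME=$n _SOURCE=$s _KEY=$k _OPTIONS=$o
            return 0
        fi
    done <<EOF
$TAB
EOF
    return 1
}

# Buggy order: recurse first, then print from the globals. The recursive call
# has overwritten them, so the parent entry's line is printed twice.
print_buggy() {
    load_entry "$1" || return 1
    case $_OPTIONS in
        *keyscript=/lib/cryptsetup/scripts/decrypt_derived*) print_buggy "$_KEY" ;;
    esac
    printf '%s %s %s %s\n' "$_NAME" "$_SOURCE" "$_KEY" "$_OPTIONS"
}

# Fixed order, as in the report: buffer this entry's line in a local variable
# before recursing, then emit the buffer.
print_fixed() {
    local line
    load_entry "$1" || return 1
    line="$_NAME $_SOURCE $_KEY $_OPTIONS"
    case $_OPTIONS in
        *keyscript=/lib/cryptsetup/scripts/decrypt_derived*) print_fixed "$_KEY" ;;
    esac
    printf '%s\n' "$line"
}

echo "buggy:"; print_buggy swap
echo "fixed:"; print_fixed swap
```

A quick check on a real system is to compare the target names in /etc/crypttab carrying the initramfs option against those in the generated initramfs crypttab; a missing name means that device will not be unlocked at boot.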