[pkg-cryptsetup-devel] Bug#901795: cryptsetup: new version may break 3rd party keyscripts (and thus boot)

Christoph Anton Mitterer calestyo at scientia.net
Mon Jun 18 22:54:09 BST 2018


Hey :-)

Sorry, I completely messed up my bug report ^^...

Actually, in the keyscript I already use CRYPTTAB_* ... it's the
initramfs hook which fails.

During the initramfs hook, I obviously won't have any of CRYPTTAB_*, or
do I?
But I do have the main/conf/conf.d/cryptroot (or rather, now it's
main/cryptroot/crypttab, within the initramfs image).


So why do I need stuff from crypttab during initramfs generation?

Well the first thing is, I do some sanity checking already in the
initramfs hook, e.g. if there is no pathname= option my keyscript would
never be able to succeed, thus I already warn during initramfs
generation, that this initramfs will fail to boot.

Second thing is, in addition to device=, I alternatively offer an
option to simply include the key inside the initramfs, which is however
quite questionable from a security PoV... so the hook script needs to
know that option and, only if it is set, include the key (which is
again taken from pathname=).
Further, only if the key is read from some device, and not contained in
the initramfs image, does my hook script include passdev (which I use
for reading) in the initramfs; otherwise it's not needed.
Last but not least, if both the device= and "key_file_in_initramfs_images"
options are set, the initramfs hook script gives a warning that one
will be ignored.



So in order to make the initramfs generation a bit more powerful, I
need the options for the device currently being processed.

Cheers,
Chris.


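The checks the message describes (pathname= required, key_file_in_initramfs_images embeds the key, otherwise passdev is needed for device=, and a warning when both are set), written out as an added example. This is not Christoph's hook script and not part of the cryptsetup package; the option names come from the message, while the function names, the decision words, the handling of an entry with neither device= nor key_file_in_initramfs_images, and the sample crypttab lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original hook script): sanity-check the crypttab
# options of each entry at initramfs generation time, as the message
# describes. Option names pathname=, device= and key_file_in_initramfs_images
# are from the message; everything else is assumed for illustration.

# Print the value of option $2 from the comma-separated list $1.
# A bare option (no '=') prints "yes". Exit 1 if the option is absent.
# Runs in a subshell so the IFS change does not leak out.
crypttab_opt() (
    IFS=,
    for o in $1; do
        case $o in
            "$2"=*) printf '%s\n' "${o#*=}"; exit 0 ;;
            "$2")   printf 'yes\n'; exit 0 ;;
        esac
    done
    exit 1
)

# Decide what the hook must do for one entry: $1 is the target name,
# $2 the option field. Prints "fail", "passdev" or "embed <path>" on
# stdout; warnings go to stderr, as an initramfs hook's would.
plan_entry() (
    target=$1 opts=$2
    if ! key=$(crypttab_opt "$opts" pathname); then
        echo "W: $target: no pathname= option, keyscript cannot succeed," \
             "this initramfs will fail to boot" >&2
        echo fail
        exit 1
    fi
    if crypttab_opt "$opts" key_file_in_initramfs_images >/dev/null; then
        if crypttab_opt "$opts" device >/dev/null; then
            echo "W: $target: both device= and key_file_in_initramfs_images" \
                 "are set; device= is ignored" >&2
        fi
        # Key goes into the image itself: questionable security-wise,
        # since whoever can read the initramfs can read the key.
        echo "embed $key"
        exit 0
    fi
    if crypttab_opt "$opts" device >/dev/null; then
        # Key read from a device at boot: passdev must be copied in.
        echo passdev
        exit 0
    fi
    # Assumption for this example: an entry with neither device= nor
    # key_file_in_initramfs_images has no way to obtain the key.
    echo "W: $target: neither device= nor key_file_in_initramfs_images set" >&2
    echo fail
    exit 1
)

# Constructed sample crypttab (not a real system's); the keyscript path
# is an assumed placeholder.
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <key file> <options>
cryptroot UUID=0000-root none luks,keyscript=/lib/cryptsetup/scripts/example,pathname=/keys/root.key,device=/dev/disk/by-label/KEYS
crypthome UUID=0000-home none luks,keyscript=/lib/cryptsetup/scripts/example,pathname=/keys/home.key,key_file_in_initramfs_images
cryptswap UUID=0000-swap none luks,keyscript=/lib/cryptsetup/scripts/example
EOF
}

# Walk every non-comment entry and print the plan for it.
plan_all() {
    sample_crypttab | while read -r target source keyfile opts; do
        case $target in ''|'#'*) continue ;; esac
        printf '%s: ' "$target"
        plan_entry "$target" "$opts" || :
    done
}

plan_all
```

Run as-is to see the per-entry plan on stdout and the warnings on stderr; the exit status of plan_entry is what a real hook would turn into a non-zero exit so that update-initramfs fails loudly instead of producing an image that cannot boot.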
