[pkg-cryptsetup-devel] Bug#901795: cryptsetup: new version may break 3rd party keyscripts (and thus boot)

Guilhem Moulin guilhem at debian.org
Mon Jun 18 23:26:07 BST 2018


Control: severity -1 wishlist
Control: tag -1 - moreinfo
Control: retitle -1 cryptsetup-initramfs: please provide documented shell functions to validate/sanitize cryptroot entries in 3rd party hook files

On Mon, 18 Jun 2018 at 23:54:09 +0200, Christoph Anton Mitterer wrote:
> So why do I need stuff from crypttab during initramfs generation?
> […]

I see, thanks for the explanation, sounds like a valid use case indeed.

Thus lowering the bug severity to ‘wishlist’ and retitling the bug
accordingly.

FWIW, what we're currently doing (so far undocumented and subject to
change) is to go through the system crypttab(5) and copy each entry
requiring unlocking at initramfs stage to $DESTDIR/cryptroot/crypttab
(the format of which is therefore analogous to crypttab(5)).  So the
following template should work when the hook file has ‘cryptroot’ as
prerequisite:

    . /lib/cryptsetup/functions

    [ -s "$DESTDIR/cryptroot/crypttab" ] || return 0
    while read CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS; do
        if [ "${CRYPTTAB_NAME#\#}" = "$CRYPTTAB_NAME" ] && \
                crypttab_parse_options "$CRYPTTAB_OPTIONS" n; then
            […]
        fi
    done <"$DESTDIR/cryptroot/crypttab"

But please note that this is subject to change until we document the
snippet and close this bug :-P

Cheers,
-- 
Guilhem.
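
An added stand-alone illustration of the loop in the message above (not part of the original post and not cryptsetup's own code): it walks a constructed file in the cryptroot/crypttab layout and prints the targets that use one particular keyscript, which is what a third-party hook needs to know before copying its helpers into the initramfs. The function names, the sample entries and the keyscript path are assumptions, and `crypttab_option_value` is a simplified stand-in for `crypttab_parse_options`.

```shell
#!/bin/sh
# Added example. crypttab_option_value is a hypothetical, simplified stand-in
# for crypttab_parse_options (no escape handling), so this runs without
# /lib/cryptsetup/functions being installed.

# Print the value of option $2 from the comma-separated list $1; fail if unset.
crypttab_option_value() (
    IFS=,; set -f                 # split on commas only, no globbing
    for opt in $1; do
        case $opt in
            "$2"=*) printf '%s\n' "${opt#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Print the target name of every non-comment entry in file $1 whose
# keyscript= option equals $2.
entries_using_keyscript() {
    [ -s "$1" ] || return 0
    while read -r CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS; do
        [ -n "$CRYPTTAB_NAME" ] || continue                        # blank line
        [ "${CRYPTTAB_NAME#\#}" = "$CRYPTTAB_NAME" ] || continue   # comment
        ks=$(crypttab_option_value "$CRYPTTAB_OPTIONS" keyscript) || continue
        if [ "$ks" = "$2" ]; then printf '%s\n' "$CRYPTTAB_NAME"; fi
    done <"$1"
    return 0
}

# Write a constructed sample to $1/cryptroot/crypttab.
write_sample_crypttab() {
    mkdir -p "$1/cryptroot"
    cat >"$1/cryptroot/crypttab" <<'EOF'
# constructed sample: <target> <source> <key> <options>
root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
data_crypt /dev/sdb1 token0 luks,keyscript=/usr/local/sbin/my-keyscript,tries=3
swap_crypt /dev/sdb2 /dev/urandom swap,cipher=aes-xts-plain64
#old_crypt /dev/sdc1 token1 luks,keyscript=/usr/local/sbin/my-keyscript
EOF
}

# Demo: a temporary directory stands in for the DESTDIR set by initramfs-tools.
DESTDIR=$(mktemp -d)
write_sample_crypttab "$DESTDIR"
entries_using_keyscript "$DESTDIR/cryptroot/crypttab" /usr/local/sbin/my-keyscript
rm -rf "$DESTDIR"
```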