[pkg-cryptsetup-devel] Bug#907243: Bug#907243: cryptsetup-initramfs recursive resolution broken

Guilhem Moulin guilhem at debian.org
Sun Sep 9 04:10:44 BST 2018


Control: tag -1 pending

On Sat, 25 Aug 2018 at 09:33:46 +0100, Nathaniel Filardo wrote:
> https://salsa.debian.org/cryptsetup-team/cryptsetup/commit/cb5985935713deb6bd4fd45c77d1f54cc28b204b#a630d04e2df57150e6a092fc23f955c6ea0ce412_214_193
> is subtly wrong: while 'name' and friends were local variables of
> crypttab_print_entry, _CRYPTTAB_NAME and friends are not.  For the
> /etc/crypttab contents below, this resulted in the initramfs crypttab
> containing two copies of the pf2-zfs line but none of the pf2-swap.

Thanks for the report!  Just for the record, the likely reason why
nobody complained about this before, is because to generate a corrupted
initrd crypttab the decrypt_derived target must be considered before its
source.  The hook considers devices holding / first, then devices
holding /usr, then resume devices, and finally crypttab(5) entries with
the ‘initramfs’ option set.  So in your case what triggered the bug was
that the decrypt_derived target is holding the resume device while the
source wasn't detected as holding the ZFS root.  Another way to trigger
this is to format two extra (unused) LUKS volumes and list the
decrypt_derived source after the target in the crypttab(5), like so:

    vol1 /dev/vdb1 vol2 luks,keyscript=decrypt_derived,initramfs
    vol2 /dev/vdb2 none luks,initramfs

Subtle, as you wrote :-)

> A simple fix is to buffer the output into a local variable

Making _CRYPTTAB_{NAME,SOURCE,KEY,OPTIONS} local to
crypttab_find_and_print_entry() should also fix this, and that's what I
did in c355422:

    https://salsa.debian.org/cryptsetup-team/cryptsetup/commit/c3554229394912bfbee03fadb8c56e9b4c175eb3

Cheers,
-- 
Guilhem.
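
The clobbering discussed in this message, as an added example that is neither part of the original mail nor the cryptsetup hook code. It runs the two-line crypttab(5) reproducer above through a simplified resolver, first with shared `_CRYPTTAB_*` variables and then with them declared local. The function names `find_entry`, `print_entry_buggy` and `print_entry_fixed` are hypothetical, and `local` is assumed to be available as it is in dash and bash.

```shell
#!/bin/sh
# Constructed crypttab(5): the two-line reproducer from the message above.
CRYPTTAB='vol1 /dev/vdb1 vol2 luks,keyscript=decrypt_derived,initramfs
vol2 /dev/vdb2 none luks,initramfs'

# Hypothetical helper: load the entry for target $1 into the _CRYPTTAB_*
# variables of whichever scope currently owns them (global unless a caller
# declared them local). Returns 1 if the target is not listed.
find_entry() {
    while read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do
        [ "$_CRYPTTAB_NAME" = "$1" ] && return 0
    done <<EOF
$CRYPTTAB
EOF
    return 1
}

# Shared variables: the recursive call for the decrypt_derived source
# overwrites the target's fields before the target itself is printed.
print_entry_buggy() {
    find_entry "$1" || return 1
    case "$_CRYPTTAB_OPTIONS" in
        *keyscript=decrypt_derived*) print_entry_buggy "$_CRYPTTAB_KEY" ;;
    esac
    printf '%s %s %s %s\n' "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" \
        "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS"
}

# Variables local to each call: the inner call fills its own copies, and the
# outer values are intact again once it returns.
print_entry_fixed() {
    local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
    find_entry "$1" || return 1
    case "$_CRYPTTAB_OPTIONS" in
        *keyscript=decrypt_derived*) print_entry_fixed "$_CRYPTTAB_KEY" ;;
    esac
    printf '%s %s %s %s\n' "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" \
        "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS"
}

echo "shared variables (target listed before its source):"
print_entry_buggy vol1
echo "local variables:"
print_entry_fixed vol1
```

With shared variables the vol2 line is emitted twice and vol1 never appears, which is the same shape as the reported initramfs crypttab.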