[pkg-cryptsetup-devel] Bug#933836: cryptkeyctl: When using keyscript "decrypt_keyctl" in crypttab, update-initramfs fails
Guilhem Moulin
guilhem at debian.org
Sun Aug 4 10:53:43 BST 2019
Control: retitle -1 cryptsetup-initramfs: hook files should give hints about missing packages to install
Control: severity -1 minor
Hi,
On Sun, 04 Aug 2019 at 10:45:33 +0200, Sebastian Mohr wrote:
> After some debugging, I found out, that this script copies the file
> "/bin/keyctl" to the initramfs. But this file, belonging to the package
> "keyutils", is not installed.
FWIW this is documented in /usr/share/doc/cryptsetup/README.keyctl (or
/usr/share/doc/cryptsetup-run/README.keyctl for src:cryptsetup between
2:2.0.3-1 and 2:2.1.0-5).
> I would suggest at least suggesting or recommending "keyutils" (and other
> packages being needed for the other keyscripts)
Correct dependency declarations would introduce a lot of clutter here,
for ‘keyscript=decrypt_keyctl’ alone we would need two more binary
packages:
    Package: cryptsetup-keyscript-keyctl
    Depends: cryptsetup, keyctl
    [Ships /lib/cryptsetup/scripts/decrypt_keyctl.]

    Package: cryptsetup-initramfs-keyscript-keyctl
    Depends: cryptsetup-initramfs, cryptsetup-keyscript-keyctl
    [Ships /usr/share/initramfs-tools/hooks/cryptkeyctl.]
And similarly for other keyscripts. Last time we talked about it we
decided that it was not worth the clutter. We don't want the less
fine-grained dependency declaration via Recommends either (which should
be on ‘cryptsetup’ not ‘cryptsetup-initramfs’, by the way: keyscripts
can be used outside the initramfs stage too), because that would mean on
systems without --no-install-recommends (i.e. the default), installing
‘cryptsetup’ would clutter the system with the OpenSC daemon and other
tools that are likely not needed.
Instead we decided to document keyscript setup under
/usr/share/doc/cryptsetup/README.*.
> or giving out a clearer error message on failure, like 'File
> "/bin/keyctl" not found, please install package "keyutils".' or
> something like that.
I guess we could do that in hook files. Won't help when the device is
opened outside initramfs stage though (for instance via `cryptdisks_start`
or sysvinit scripts).
Perhaps /usr/share/initramfs-tools/hook-functions:copy_exec() could give
a more helpful message mentioning the name of the file that couldn't be
copied to the initramfs.
--
Guilhem.
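
Added example, not part of the original message and not cryptsetup's own hook code: a POSIX sh check that reads a crypttab, finds `keyscript=` options, and prints the kind of hint requested in the report when the needed binary is absent. The function names and the ROOT prefix argument are hypothetical; the only mapping listed is the `/bin/keyctl` / `keyutils` pair named in the thread.

```shell
#!/bin/sh
# Added example; function names and the ROOT argument are hypothetical.

# Map a keyscript (name or full path) to "binary package".
# Only the pair named in the thread is listed; extend for other keyscripts.
keyscript_dep() {
    case "${1##*/}" in
        decrypt_keyctl) echo "/bin/keyctl keyutils" ;;
        *) return 1 ;;
    esac
}

# missing_keyscript_hints CRYPTTAB [ROOT]
# Print one hint per crypttab entry whose keyscript needs an absent binary.
# ROOT is an optional prefix so a chroot or test tree can be checked.
missing_keyscript_hints() {
    tab=$1
    root=${2:-}
    while read -r target src keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac
        # The fourth field is a comma-separated option list.
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            case "$opt" in
                keyscript=*)
                    dep=$(keyscript_dep "${opt#keyscript=}") || continue
                    bin=${dep% *}
                    pkg=${dep#* }
                    [ -x "$root$bin" ] ||
                        echo "$target: $bin not found, please install package \"$pkg\""
                    ;;
            esac
        done
        IFS=$old_ifs
    done < "$tab"
}

# Constructed sample crypttab, checked against an empty tree so the hint fires.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    'home UUID=0000 none luks,keyscript=decrypt_keyctl' \
    'swap /dev/sda2 /dev/urandom swap' > "$demo/crypttab"
missing_keyscript_hints "$demo/crypttab" "$demo"
rm -rf "$demo"
```

Because the check works from crypttab rather than from an initramfs hook, it also covers devices opened outside the initramfs stage.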