[pkg-cryptsetup-devel] Bug#949888: cryptsetup-initramfs: cryptroot hook doesn't recognize devices with authenticated encryption
hede
debian452 at der-he.de
Sun Jan 26 17:34:50 GMT 2020

Package: cryptsetup-initramfs
Version: 2:2.1.0-5+deb10u2
Severity: normal
Dear Maintainer,
I've switched to Authenticated Encryption, i.e.:
cryptsetup luksFormat --type luks2 --key-size 128 --cipher aegis128-random --integrity aead /dev/sda
This way the dm device doesn't have the correct MAJ:MIN values.
But there exists some ${CRYPTTAB_NAME}_dif device which indeed points to
the correct MAJ:MIN device. 
As a consequence thereof there do exist devices /dev/mapper/xxx_dif which are not
directly used as block devices. As such they are not found within
crypttab and a message like the following is useless:
cryptsetup: WARNING: target 'sdXX_crypt_dif' not found in /etc/crypttab
Nevertheless, the initramfs doesn't get created as expected. 
My workaround is:
#################
--- /usr/share/initramfs-tools/hooks/cryptroot  2019-08-26 14:54:10.000000000 +0200
+++ cryptroot   2020-01-26 18:13:21.898393199 +0100
@@ -150,7 +150,8 @@ crypttab_find_and_print_entry() {
 crypttab_print_entry() {
     local DEV MAJ MIN sourcename uuid keyfile
     if resolve_device "$CRYPTTAB_SOURCE"; then
-        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
+        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ] &&
+           [ "$(dmsetup info -c --noheadings -o devnos_used -- "${CRYPTTAB_NAME}_dif" 2>/dev/null)" != "$MAJ:$MIN" ]; then
             cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
         elif sourcename="$(dmsetup info -c --noheadings -o mangled_name -j "$MAJ" -m "$MIN" 2>/dev/null)" &&
                [ -b "/dev/mapper/$sourcename" ]; then
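Review bot: The added test on "${CRYPTTAB_NAME}_dif" only checks that a mapping with that name uses $MAJ:$MIN; it never checks that $CRYPTTAB_NAME itself is stacked on that _dif mapping, and it runs for every crypttab entry rather than only for ones set up with integrity. Any mapping that happens to be called <name>_dif and sits on the source device would therefore suppress the "Source mismatch" error even when $CRYPTTAB_NAME is backed by something else. Consider accepting the _dif path only when the devnos_used of $CRYPTTAB_NAME equals the device number of "${CRYPTTAB_NAME}_dif" and the devnos_used of the _dif mapping equals $MAJ:$MIN, so the whole chain is verified. The hard-coded _dif suffix also needs a comment saying where it comes from, and this hunk does not touch the code path that emits the "not found in /etc/crypttab" warning.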
#################
That's indeed a workaround and not a proper patch.
btw: This is Debian buster (current stable) and not sid, but it seems sid suffers from
the same problem.
regards
hede
-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages cryptsetup-initramfs depends on:
pn  busybox | busybox-static                1:1.30.1-4
pn  cryptsetup-run                          2:2.1.0-5+deb10u2
pn  initramfs-tools | linux-initramfs-tool  0.133+deb10u1
Versions of packages cryptsetup-initramfs recommends:
pn  console-setup  1.193~deb10u1
pn  kbd            2.0.4-4
cryptsetup-initramfs suggests no packages.
    
    