[pkg-cryptsetup-devel] Bug#994056: cryptsetup: blkid check fails to take offset option into account
Thorsten Glaser
tg at mirbsd.de
Fri Sep 10 18:57:35 BST 2021
Package: cryptsetup
Version: 2:2.3.5-1
Severity: important
X-Debbugs-Cc: tg at mirbsd.de
In order to use a cryptsetup swap with a very tiny protective ext2fs
filesystem so we can use LABEL= as source device, I use offset= as
shown in the Arch Linux wiki.
However it fails in Debian:
tglase at tglase-nb:~ $ sudo cryptdisks_start cswap
Starting crypto disk...cswap (starting)...cswap: the precheck for '/dev/sda2' failed: - The device /dev/sda2 contains a filesystem type ext2. ... (warning).
failed.
The cause is missing option processing for offset there, with a
very simple fix. I have attached a “git diff” against the git tag
corresponding to the version in bullseye right now; it applies to
the following files “in situ”, in patch order (so people can fix
their local systems, even if this is not applied):
• /lib/cryptsetup/checks/blkid
• /lib/cryptsetup/checks/un_blkid
• /lib/cryptsetup/cryptdisks-functions
I’m writing this all up as well at:
https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=posix/swapcycle;hb=HEAD
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-5.10.0-8-amd64 root=/dev/sda4 ro rootdelay=5 syscall.x32=y vsyscall=emulate net.ifnames=0 kaslr pcie_aspm=force consoleblank=0
-- /etc/crypttab
# <target name> <source device> <key file> <options>
cswap LABEL=swp_tglase-nb /dev/random offset=1024,discard,cipher=aes-xts-plain64,size=256,plain,swap
-- /etc/fstab
/dev/sda4 / ext4 relatime,errors=remount-ro,auto_da_alloc 0 1
/dev/sda1 /boot ext4 noatime,sync,auto_da_alloc 0 2
swap /var/cache/apt tmpfs nosuid,noexec,mode=0755 0 0
/dev/mapper/cswap swap swap sw,discard 0 0
-- lsmod
Module Size Used by
apple_mfi_fastcharge 20480 0
cpuid 16384 0
snd_seq_dummy 16384 0
fuse 167936 2
ctr 16384 3
ccm 20480 9
cpufreq_conservative 16384 0
cpufreq_ondemand 16384 2
cpufreq_userspace 20480 0
cpufreq_powersave 20480 0
binfmt_misc 24576 1
nft_counter 16384 1
nft_chain_nat 16384 1
xt_MASQUERADE 20480 1
nf_nat 53248 2 nft_chain_nat,xt_MASQUERADE
nf_conntrack 176128 2 nf_nat,xt_MASQUERADE
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
nft_compat 20480 1
nf_tables 245760 5 nft_compat,nft_counter,nft_chain_nat
x_tables 53248 2 nft_compat,xt_MASQUERADE
libcrc32c 16384 3 nf_conntrack,nf_nat,nf_tables
nfnetlink 16384 2 nft_compat,nf_tables
tun 57344 3
snd_seq_midi 20480 0
snd_seq_midi_event 16384 1 snd_seq_midi
snd_rawmidi 45056 1 snd_seq_midi
snd_seq 86016 3 snd_seq_midi,snd_seq_midi_event,snd_seq_dummy
snd_seq_device 16384 3 snd_seq,snd_seq_midi,snd_rawmidi
msr 16384 0
ecb 16384 1
aes_generic 36864 8
libaes 16384 1 aes_generic
crypto_simd 16384 0
cryptd 24576 1 crypto_simd
glue_helper 16384 0
xts 16384 1
dm_crypt 53248 1
dm_mod 163840 2 dm_crypt
snd_hda_codec_analog 20480 1
snd_hda_codec_generic 98304 1 snd_hda_codec_analog
iwl4965 110592 0
iwlegacy 90112 1 iwl4965
ppdev 24576 0
snd_hda_intel 57344 0
snd_intel_dspcfg 28672 1 snd_hda_intel
pcmcia 77824 0
soundwire_intel 45056 1 snd_intel_dspcfg
mac80211 983040 2 iwl4965,iwlegacy
coretemp 20480 0
soundwire_generic_allocation 16384 1 soundwire_intel
snd_soc_core 315392 1 soundwire_intel
kvm_intel 327680 0
snd_compress 32768 1 snd_soc_core
soundwire_cadence 36864 1 soundwire_intel
snd_hda_codec 172032 3 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec_analog
snd_hda_core 110592 4 snd_hda_codec_generic,snd_hda_intel,snd_hda_codec_analog,snd_hda_codec
snd_hwdep 16384 1 snd_hda_codec
iTCO_wdt 16384 0
kvm 917504 1 kvm_intel
intel_pmc_bxt 16384 1 iTCO_wdt
irqbypass 16384 1 kvm
soundwire_bus 90112 3 soundwire_intel,soundwire_generic_allocation,soundwire_cadence
cfg80211 970752 3 iwl4965,iwlegacy,mac80211
iTCO_vendor_support 16384 1 iTCO_wdt
serio_raw 20480 0
pcspkr 16384 0
yenta_socket 53248 0
sg 36864 0
pcmcia_rsrc 24576 1 yenta_socket
snd_pcm_oss 65536 0
watchdog 28672 1 iTCO_wdt
thinkpad_acpi 118784 0
snd_mixer_oss 28672 1 snd_pcm_oss
pcmcia_core 32768 3 pcmcia,pcmcia_rsrc,yenta_socket
snd_pcm 135168 7 snd_hda_intel,snd_hda_codec,soundwire_intel,snd_compress,snd_pcm_oss,snd_soc_core,snd_hda_core
libarc4 16384 1 mac80211
nvram 16384 1 thinkpad_acpi
snd_timer 49152 2 snd_seq,snd_pcm
ledtrig_audio 16384 2 snd_hda_codec_generic,thinkpad_acpi
snd 110592 15 snd_hda_codec_generic,snd_seq,snd_seq_device,snd_hwdep,snd_hda_intel,snd_hda_codec_analog,snd_hda_codec,snd_timer,snd_compress,snd_pcm_oss,thinkpad_acpi,snd_soc_core,snd_pcm,snd_rawmidi,snd_mixer_oss
soundcore 16384 1 snd
parport_pc 40960 0
rfkill 28672 3 thinkpad_acpi,cfg80211
ac 16384 0
parport 69632 2 parport_pc,ppdev
evdev 28672 16
acpi_cpufreq 32768 1
button 24576 0
ext4 921600 2
crc16 16384 1 ext4
mbcache 16384 1 ext4
jbd2 151552 1 ext4
crc32c_generic 16384 4
sd_mod 61440 4
t10_pi 16384 1 sd_mod
crc_t10dif 20480 1 t10_pi
crct10dif_generic 16384 1
crct10dif_common 16384 2 crct10dif_generic,crc_t10dif
ata_generic 16384 0
i915 2715648 5
ahci 40960 3
libahci 45056 1 ahci
ata_piix 36864 0
libata 290816 4 ata_piix,libahci,ahci,ata_generic
sdhci_pci 69632 0
cqhci 32768 1 sdhci_pci
e1000e 303104 0
sdhci 77824 1 sdhci_pci
psmouse 184320 0
i2c_algo_bit 16384 1 i915
drm_kms_helper 274432 1 i915
mmc_core 188416 3 sdhci,cqhci,sdhci_pci
i2c_i801 32768 0
i2c_smbus 20480 1 i2c_i801
cec 61440 2 drm_kms_helper,i915
scsi_mod 262144 3 sd_mod,libata,sg
ehci_pci 20480 0
uhci_hcd 53248 0
ehci_hcd 98304 1 ehci_pci
lpc_ich 28672 0
drm 618496 6 drm_kms_helper,i915
usbcore 323584 4 ehci_pci,apple_mfi_fastcharge,ehci_hcd,uhci_hcd
ptp 32768 1 e1000e
pps_core 24576 1 ptp
usb_common 16384 3 usbcore,ehci_hcd,uhci_hcd
battery 20480 1 thinkpad_acpi
video 53248 2 thinkpad_acpi,i915
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages cryptsetup depends on:
ii cryptsetup-bin 2:2.3.5-1
ii debconf [debconf-2.0] 1.5.77
ii dmsetup 2:1.02.175-2.1
ii libc6 2.31-13
Versions of packages cryptsetup recommends:
pn cryptsetup-initramfs <none>
pn cryptsetup-run <none>
Versions of packages cryptsetup suggests:
ii dosfstools 4.2-1
pn keyutils <none>
ii liblocale-gettext-perl 1.07-4+b1
-- debconf information:
cryptsetup/prerm_active_mappings: true
-------------- next part --------------
HEAD detached at debian/2%2.3.5-1
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: debian/checks/blkid
modified: debian/checks/un_blkid
modified: debian/cryptdisks-functions
diff --git a/debian/checks/blkid b/debian/checks/blkid
index 490c93c6..e5d7b474 100644
--- a/debian/checks/blkid
+++ b/debian/checks/blkid
@@ -15,8 +15,9 @@ fi
dev="$1"
fs="$2"
+ofs="$3"
-blkid="$(/sbin/blkid -o value -s TYPE -p -- "$dev")"
+blkid="$(/sbin/blkid -o value -s TYPE -p ${ofs:+-O "$ofs"} -- "$dev")"
# blkid output is empty if $dev has an unknown filesystem
if [ -z "$blkid" ] && [ -z "$fs" ]; then
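Review bot: The value handed to `-O` on the new `blkid=` line is in the wrong unit: crypttab(5) defines `offset=` in 512-byte sectors, whereas blkid's `-O` takes a byte offset (worth confirming against blkid(8)). With `offset=1024` the probe therefore starts at byte 1024 instead of byte 524288, so the check inspects a different region than the one the mapping will cover and overwrite. Scaling inside the check fixes it: `blkid="$(/sbin/blkid -o value -s TYPE -p ${ofs:+-O "$((ofs * 512))"} -- "$dev")"`. The identical line in the `debian/checks/un_blkid` hunk needs the same change. Using `ofs="${3-}"` would also keep both scripts safe under `set -u`, which cannot be ruled out because the script header is outside the hunk.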
diff --git a/debian/checks/un_blkid b/debian/checks/un_blkid
index ef98fc8f..22c3a359 100644
--- a/debian/checks/un_blkid
+++ b/debian/checks/un_blkid
@@ -14,8 +14,9 @@ fi
dev="$1"
fs="$2"
+ofs="$3"
-blkid="$(/sbin/blkid -o value -s TYPE -p -- "$dev")"
+blkid="$(/sbin/blkid -o value -s TYPE -p ${ofs:+-O "$ofs"} -- "$dev")"
# blkid output is empty if $dev has an unknown filesystem
if [ -n "$blkid" ] && [ -z "$fs" ]; then
diff --git a/debian/cryptdisks-functions b/debian/cryptdisks-functions
index 757b9a40..173fc539 100644
--- a/debian/cryptdisks-functions
+++ b/debian/cryptdisks-functions
@@ -114,8 +114,8 @@ setup_mapping() {
# fail if the device has a filesystem and the disk encryption format doesn't
# verify the key digest (unlike LUKS); unless it's swap, otherwise people can't
# easily convert an existing plainttext swap partition to an encrypted one
- if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" 2>/dev/null)" &&
- ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap >/dev/null; then
+ if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" "$CRYPTTAB_OPTION_offset" 2>/dev/null)" &&
+ ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap "$CRYPTTAB_OPTION_offset" >/dev/null; then
log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out"
return 1
fi
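Review bot: A malformed or out-of-range `offset=` value now appears to make this precheck pass rather than fail. The `un_blkid` call discards stderr and the check scripts treat empty blkid output as "unknown filesystem", so a blkid error on the `-O` argument is indistinguishable from a blank device. Rejecting a non-numeric value before the two calls would keep the check fail-closed, e.g. `case "${CRYPTTAB_OPTION_offset-}" in *[!0-9]*) log_warning_msg "$CRYPTTAB_NAME: invalid offset"; return 1;; esac`. `setup_mapping` starts and continues outside this hunk, so any earlier validation of the option is not visible here.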
@@ -145,8 +145,8 @@ setup_mapping() {
continue
fi
if [ "${CRYPTTAB_OPTION_swap+x}" ]; then
- if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" 2>/dev/null)" ||
- /lib/cryptsetup/checks/blkid "$tmpdev" swap >/dev/null 2>&1; then
+ if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" "" "$CRYPTTAB_OPTION_offset" 2>/dev/null)" ||
+ /lib/cryptsetup/checks/blkid "$tmpdev" swap "$CRYPTTAB_OPTION_offset" >/dev/null 2>&1; then
mkswap "$tmpdev" >/dev/null 2>&1
else
log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out"
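Review bot: Passing `$CRYPTTAB_OPTION_offset` to the two checks on `$tmpdev` looks like it applies the offset twice. `tmpdev` is assigned outside this hunk, but the "contains data" message suggests it is the already-opened mapping, whose first sector already corresponds to the source device at `offset`. Probing it at a further offset would skip the start of the area that `mkswap` is about to write, weakening the guard against destroying existing data. If that reading is right, these two lines should stay as they were (`un_blkid "$tmpdev"` and `blkid "$tmpdev" swap`), and only the precheck hunk on `$CRYPTTAB_SOURCE` should take the offset.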