[pkg-cryptsetup-devel] Bug#1055024: cryptsetup-initramfs changes crypttab entries order when generating initramfs
Nicolas Melot
nykau at doramail.com
Sun Oct 29 14:10:18 GMT 2023
Package: cryptsetup-initramfs
Version: 2:2.4.3-1ubuntu1.1
Severity: important
Tags: upstream d-i
X-Debbugs-Cc: nykau at doramail.com
Dear Maintainer,
This is a repost of the same bug report I submitted to Ubuntu maintainers on
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2031499 and that
seems to have been left as is. I am now hitting the same issue on Debian
Bookworm.
update-initramfs does not generate entries of initrd's /cryptroot/crypttab in
the same order as system's /etc/crypttab, when entries tagged as "initramfs"
are placed before entries that are not, or that are detected as necessary to
unlock the root partition. This is a problem if partitions automatically
detected as needed depend on a partition that is not detected as necessary,
even if it actually is. For example, see the system's /etc/crypttab below:
# <target name> <source device> <key file> <options>
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh
turns into the initrd's /cryptroot/crypttab:
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs
The swap partition gets its key from the script luks-key.sh, which itself reads
it from keyring. update-initramfs cannot detect this dependency and places swap
as to be decrypted first. Decryption will fail at boot because it won't find
the necessary key.
I could work around the problem by modifying
/usr/share/initramfs-tools/hooks/cryptroot from
177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         if devnos="$(get_mnt_devno /)"; then
184             if [ -n "$devnos" ]; then
185                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
186             fi
187         else
188             cryptsetup_message "WARNING: Couldn't determine root device"
189         fi
190
191         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
192             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
193         fi
194
195         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
196             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
197         fi
198
199         # add crypttab entries with the 'initramfs' option set
200         crypttab_foreach_entry crypttab_print_initramfs_entry
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }
to
177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         # add crypttab entries with the 'initramfs' option set
184         crypttab_foreach_entry crypttab_print_initramfs_entry
185
186         if devnos="$(get_mnt_devno /)"; then
187             if [ -n "$devnos" ]; then
188                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
189             fi
190         else
191             cryptsetup_message "WARNING: Couldn't determine root device"
192         fi
193
194         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
195             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
196         fi
197
198         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
199             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
200         fi
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }
i.e. moving line 200 to line 183, so that "initramfs"-tagged entries are
generated before other entries. Of course this is a quick and dirty fix and
won't stand many other scenarios.
A possible quick fix includes an order field in the options section of
/etc/crypttab, or preserving the entry order of the system's crypttab. A better
one would be a dependency option, e.g. depends=keyring in the example above:
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh,depends=keyring
-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-6.2.0-35-generic root=ZFS=xps-nicmel/ubuntu-22.04 ro quiet splash resume=UUID=dd6ea7ab-5651-4d11-ae2c-b02869051ea3 vt.handoff=1
-- /etc/crypttab
# <target name> <source device> <key file> <options>
keyring UUID=ab96a60d-94e8-40cf-b6e8-e29d30a5b5ec none luks,initramfs
#ubuntu-22.04 /dev/xps-nicmel/ubuntu-22.04 none luks
nvme0n1p10 /dev/nvme0n1p10 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p11 /dev/nvme0n1p11 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p12 /dev/nvme0n1p12 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p13 /dev/nvme0n1p13 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p16 /dev/nvme0n1p16 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p17 /dev/nvme0n1p17 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
nvme0n1p18 /dev/nvme0n1p18 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
#nvme0n1p19 UUID=bfcda444-6b0e-414a-8cc4-9c9e4f462889 xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
#tmp /dev/xps-nicmel/tmp /etc/luks.key luks
easybuild /dev/xps-nicmel/easybuild /boot/keyring/xps-nicmel.key luks
swap /dev/xps-nicmel/swap xps-nicmel luks,initramfs,keyscript=/etc/luks-key.sh
-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
#/dev/mapper/ubuntu-22.04 / ext4 errors=remount-ro 0 1
# /boot was on /dev/nvme0n1p4 during installation
UUID=17bb4db1-37f6-45c1-97fb-ac14ac5c0334 /boot ext4 defaults 0 2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=60F0-EFA8 /boot/efi vfat umask=0077 0 1
/dev/mapper/keyring /boot/keyring ext4 ro 0 1
#/dev/mapper/home /home ext4 defaults 0 2
#/dev/mapper/easybuild /opt/easybuild ext4 defaults 0 2
#UUID=073d294f-fe2e-4b15-b593-3e2c2b1fa718 none swap sw 0 0
#/dev/mapper/tmp /tmp ext4 defaults 0 2
#/dev/mapper/local /usr/local ext4 defaults 0 2
/dev/mapper/swap none swap sw 0 0
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.2.0-35-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cryptsetup-initramfs depends on:
ii busybox-initramfs 1:1.30.1-7ubuntu3
ii cryptsetup 2:2.4.3-1ubuntu1.1
ii debconf [debconf-2.0] 1.5.79ubuntu1
ii initramfs-tools [linux-initramfs-tool] 0.140ubuntu13.4
Versions of packages cryptsetup-initramfs recommends:
ii console-setup 1.205ubuntu3
ii kbd 2.3.0-3ubuntu4.22.04
ii plymouth 0.9.5+git20211018-1ubuntu3
cryptsetup-initramfs suggests no packages.
-- no debconf information
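
The reordering described in this report can be detected after running update-initramfs by comparing target order between the two files. The following is an added example, not part of the original report or of the cryptsetup package; it assumes the initrd's cryptroot/crypttab has already been extracted to a file, and the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: flag initrd crypttab entries whose relative order differs
# from the system crypttab. Entries are matched by target name (field 1),
# because the source device may be rewritten (e.g. to a /dev/mapper path).
# Usage: crypttab_order_check SYSTEM_CRYPTTAB INITRD_CRYPTTAB
crypttab_order_check() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        pass != 2      { pos[$1] = ++n; next }  # system file: record position
        !($1 in pos)   { next }                 # target unknown to system file
        pos[$1] < maxpos {
            # A target listed later in the system file was already emitted.
            printf "%s unlocked after %s, but precedes it in the system crypttab\n", $1, maxname
            bad = 1
            next
        }
        { maxpos = pos[$1]; maxname = $1 }
        END { exit (bad ? 1 : 0) }
    ' "$1" pass=2 "$2"
}

# Constructed sample data mirroring the two-entry example in the report.
write_samples() {
    cat >"$1/etc_crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh
EOF
    cat >"$1/initrd_crypttab" <<'EOF'
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
crypttab_order_check "$tmp/etc_crypttab" "$tmp/initrd_crypttab" ||
    echo "initrd crypttab order differs from /etc/crypttab"
rm -rf "$tmp"
```

A non-zero exit status means at least one target would be unlocked earlier or later than its position in /etc/crypttab implies, which is the condition that breaks keyscripts depending on a previously unlocked device.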