[pkg-cryptsetup-devel] Bug#1052290: cryptsetup-initramfs: askpass is not executed; cryptroot-unlock fails
Tj
debian at iam.tj
Tue Sep 19 22:39:40 BST 2023
Package: cryptsetup-initramfs
Version: 2:2.6.1-4~deb12u1
Severity: important
Discovered this whilst working on a relatively simple test of multiple
LUKS block devices for LUKS.0 + LUKS.1 > btrfs RAID1 @/ - that is a
BTRFS RAID1 using 2 LUKS block devices.
Two files represent SSD1 and SSD2, which each have GPT with:
1: EFI-SP (ef00)
2: LUKS (8309) for BTRFS
3: LUKS (8309) for swap
added as loop devices and configured. SSD2's EFI-SP partition is not
formatted.
# fallocate -l 12G ssd${x}.raw
# sgdisk --new=... --typecode=... ssd${x}.raw
# losetup --show --partscan --find ssd${x}.raw
mkfs.vfat -F 16 ${SSD1}p1
# next 2 also applied to SSD2
cryptsetup luksFormat --pbkdf pbkdf2 ${SSD1}p2
cryptsetup open ${SSD1}p2 luks-${UUID_SSD1p2}
mkfs.btrfs -d raid1 -m raid1 /dev/mapper/luks-${UUID_SSD1p2} /dev/mapper/luks-${UUID_SSD2p2}
mount /dev/mapper/luks-${UUID_SSD1p2} /target
btrfs subvol create /target/@
btrfs subvol create /target/@home
umount /target
mount -o subvol=@ /dev/mapper/luks-${UUID_SSD1p2} /target
debootstrap bookworm /target
# add and configure packages for bootable EFI image
After unmounting and closing devices, create a libvirt VM guest using the
two files as virtio storage and configure for UEFI boot.
On startup GRUB correctly opens the LUKS block devices to access vmlinuz
and initrd.img, and its own configuration and modules.
On reaching initramfs it fails to unlock either of the LUKS devices,
eventually dropping to the shell after reporting:
Error: Timeout reached while waiting for askpass.
After using `break=mount` and investigating with `sh -x
/bin/cryptsetup-unlock` it seems it fails because it is not finding
`askpass` in the process list.
On closer examination and searching I am unable to locate where
/usr/lib/cryptsetup/askpass is actually executed. `cryptsetup-unlock`
correctly locates the file with [ -f ] and ensures it is executable with
[ -x ] but I do not see any attempt to actually execute it.
If needed I can either share the 2 SSD files or a script to build them.
-- System Information:
Debian Release: 12.1
Architecture: amd64 (x86_64)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cryptsetup-initramfs depends on:
ii busybox-static [busybox] 1:1.36.0-1~exp1
ii cryptsetup 2:2.6.1-4~deb12u1
ii debconf [debconf-2.0] 1.5.82
ii initramfs-tools [linux-initramfs-tool] 0.143~tj01
Versions of packages cryptsetup-initramfs recommends:
ii console-setup 1.221
ii kbd 2.5.1-1+b1
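
An added example, not part of the original report or of cryptsetup-initramfs: a POSIX sh check for whether any `askpass` process is present in the process list, the condition the report says is not being met. The function names and the match on the executable's basename are assumptions of this example, not a description of how the unlock script itself searches.

```shell
#!/bin/sh
# Added diagnostic, not code from cryptsetup-initramfs.
# Prints "PID<TAB>path" for every process whose executable (or, failing
# that, argv[0]) has the basename "askpass". The proc root is a parameter
# so the function can also be run against a constructed directory tree.
find_askpass() {
    procroot=${1:-/proc}
    for dir in "$procroot"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # /proc/PID/exe is a symlink to the running binary; it cannot be
        # read for kernel threads or for processes we may not inspect.
        path=$(readlink "$dir/exe" 2>/dev/null) || path=
        if [ -z "$path" ] && [ -r "$dir/cmdline" ]; then
            # cmdline is NUL-separated; the first field is argv[0].
            path=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        fi
        # A binary replaced on disk appears as "/path/askpass (deleted)".
        path=${path% (deleted)}
        case ${path##*/} in
            askpass) printf '%s\t%s\n' "$pid" "$path" ;;
        esac
    done
}

# Returns 0 if at least one askpass process exists, 1 otherwise.
askpass_running() {
    [ -n "$(find_askpass "$1")" ]
}
```

No output from `find_askpass` means no process is waiting for a passphrase, which separates "askpass was never started" from "askpass is running but was not found".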