cryptsetup fails to initialize /tmp encrypted by /dev/urandom during boot

Bug #1719176 reported by Konstantin Boyandin
Affects: cryptsetup (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Checked to happen on several instances of Ubuntu 16.04 (64-bit).

Setup: /dev/vdb6 partition is set for /tmp

/etc/crypttab:
cryptswap1 UUID=ba7eaa11-bfcf-4d28-917d-f9b4e2a48830 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
crypttmp1 /dev/vdb6 /dev/urandom tmp=ext4,cipher=aes-xts-plain64

After the system boots, there's /dev/mapper/cryptswap1, but not /dev/mapper/crypttmp1 available.

In /var/log/syslog:

Sep 24 18:15:03 ubuntu-1604 systemd[1]: Starting Cryptography Setup for crypttmp1...
Sep 24 18:15:03 ubuntu-1604 systemd[1]: Starting Authenticate and Authorize Users to Run Privileged Tasks...
Sep 24 18:15:03 ubuntu-1604 systemd-cryptsetup[1162]: Encountered unknown /etc/crypttab option 'tmp=ext4', ignoring.
Sep 24 18:15:03 ubuntu-1604 systemd-cryptsetup[1162]: crypt_load() failed on device /dev/vdb6.
Sep 24 18:15:03 ubuntu-1604 systemd-cryptsetup[1162]: Failed to activate: Invalid argument
Sep 24 18:15:03 ubuntu-1604 systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
Sep 24 18:15:03 ubuntu-1604 systemd[1]: Failed to start Cryptography Setup for crypttmp1.
Sep 24 18:15:03 ubuntu-1604 systemd[1]: Dependency failed for dev-mapper-crypttmp1.device.
Sep 24 18:15:03 ubuntu-1604 systemd[1]: dev-mapper-crypttmp1.device: Job dev-mapper-crypttmp1.device/start failed with result 'dependency'.
Sep 24 18:15:03 ubuntu-1604 systemd[1]: <email address hidden>: Unit entered failed state.
Sep 24 18:15:03 ubuntu-1604 systemd[1]: <email address hidden>: Failed with result 'exit-code'.

After the boot sequence concludes, /tmp can be initialized manually, but with quirks:

# cryptdisks_start crypttmp1
 * Starting crypto disk... * crypttmp1 (starting)..
 * crypttmp1 (started)... [ OK ]
# ls /dev/mapper
control cryptswap1 crypttmp1
# blkid
/dev/vda5: UUID="d604b9da-9ef0-4a88-b1e2-416104f6dac9" TYPE="ext4" PARTUUID="aa8f7570-05"
/dev/vdb5: UUID="ba7eaa11-bfcf-4d28-917d-f9b4e2a48830" TYPE="swap" PARTUUID="aa7293f2-05"
/dev/vdb6: PARTUUID="aa7293f2-06"
/dev/mapper/cryptswap1: UUID="2fef28d0-25df-4feb-96c5-cefef62b388e" TYPE="swap"
/dev/mapper/crypttmp1: UUID="1b372ae0-5042-4cbf-9dfe-05d60e2c357c" TYPE="ext2"

(pay attention to the filesystem type, despite the parameter tmp=ext4)

# mount -t ext2 /dev/mapper/crypttmp1 /tmp
#

(note that /tmp filesystem is formatted as ext2, despite the parameter in /etc/crypttab)

If the 'tmp=' option is omitted from the /etc/crypttab line for /tmp, no valid filesystem is created on /dev/mapper/crypttmp1.

Konstantin Boyandin (7-det-g) wrote :

Additional tests and results:

Test 1.

/etc/crypttab:
cryptswap1 UUID=ba7eaa11-bfcf-4d28-917d-f9b4e2a48830 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
ctmp /dev/vdb6 /dev/urandom tmp

/etc/fstab:
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/ctmp /tmp ext4 defaults,noatime,nodiratime,nosuid,nofail 0 2

The above works, both encrypted swap and /tmp are mounted at boot time. Also:

# cryptsetup status ctmp
/dev/mapper/ctmp is active and is in use.
  type: PLAIN
  cipher: aes-cbc-essiv:sha256
  keysize: 256 bits
  device: /dev/vdb6
  offset: 0 sectors
  size: 258048 sectors
  mode: read/write

Test 2.

/etc/crypttab:
cryptswap1 UUID=ba7eaa11-bfcf-4d28-917d-f9b4e2a48830 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
ctmp /dev/vdb6 /dev/urandom tmp=ext2

/etc/fstab:
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/ctmp /tmp ext2 defaults,noatime,nodiratime,nosuid,nofail 0 2

Encrypted swap is mounted at boot time; /tmp isn't. Also:

# grep ctmp /var/log/syslog

Oct 15 09:00:23 ubuntu-1604-home systemd[1]: Starting Cryptography Setup for ctmp...
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: Failed to start Cryptography Setup for ctmp.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: Dependency failed for dev-mapper-ctmp.device.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: Dependency failed for File System Check on /dev/mapper/ctmp.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: <email address hidden>: Job <email address hidden>/start failed with result 'dependency'.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: dev-mapper-ctmp.device: Job dev-mapper-ctmp.device/start failed with result 'dependency'.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: <email address hidden>: Unit entered failed state.
Oct 15 09:00:23 ubuntu-1604-home systemd[1]: <email address hidden>: Failed with result 'exit-code'.

Test 3.

/etc/crypttab:
cryptswap1 UUID=ba7eaa11-bfcf-4d28-917d-f9b4e2a48830 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
ctmp /dev/vdb6 /dev/urandom tmp,cipher=aes-cbc-essiv

/etc/fstab:
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/ctmp /tmp ext4 defaults,noatime,nodiratime,nosuid,nofail 0 2

The boot process is stuck: the following question is printed on the console:

"Please enter passphrase for disk ctmp on /tmp"

When Enter is pressed (the above question appears twice), the OS boots and encrypted swap is mounted, but ctmp isn't initialized. Also:

# grep ctmp /var/log/syslog

Oct 15 09:09:43 ubuntu-1604-home systemd[1]: Starting Cryptography Setup for ctmp...
Oct 15 09:09:43 ubuntu-1604-home systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
Oct 15 09:09:43 ubuntu-1604-home systemd[1]: Failed to start Cryptography Setup for ctmp.
Oct 15 09:09:43 ubuntu-1604-home systemd[1]: Dependency failed for dev-mapper-ctmp.device.
Oct 15 09:09:43 ubuntu-1604-home systemd[1]: Dependency failed for File System Check on /dev/mapper/ctmp.
Oct ...


Johannes Grassler (jgr-launchpad) wrote :

I can confirm this problem still persists for Ubuntu 20.04 LTS (haven't tested on anything more recent). Here's the crypttab(5) I used for testing:

crypt-tmp /dev/disk/by-partlabel/linux-tmp /dev/urandom cipher=aes-xts-plain64,size=256,hash=sha1,tmp=ext4

This is a fairly serious security bug because it will fail quietly. The only way to tell is to see the journal message or check manually whether /tmp is mounted from a LUKS volume. If anybody attempts to set up an encrypted /tmp this way without checking it actually gets mounted, they'll get a /tmp that's just a plain old directory in the root file system.
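The quiet failure described above (a crypttab unit fails, fstab carries `nofail`, and the boot finishes with /tmp as a plain directory on the root filesystem) is easy to catch with a small post-boot check. The script below is an added example, not part of the bug report or of the cryptsetup project: it reads a /proc/mounts-style table, reports whether /tmp is mounted from a device-mapper target, and in live mode confirms the mapping with `cryptsetup status`. The mount tables in the block are constructed samples; the mapper name `ctmp` is taken from the tests above and is an assumption for the live check.

```shell
#!/bin/sh
# Added example (not from the bug report): post-boot check that /tmp is
# really mounted from a device-mapper (dm-crypt) target. With "nofail" in
# fstab a failed crypttab unit leaves /tmp as an ordinary directory on the
# root filesystem and nothing on the console says so.

# Read a /proc/mounts-style table on stdin and print the source of the
# topmost /tmp mount (the last matching entry shadows earlier ones);
# print nothing if /tmp is not a mount point at all.
tmp_mount_source() {
    awk '$2 == "/tmp" { src = $1 } END { if (src != "") print src }'
}

# Same, but print the filesystem type of the topmost /tmp mount. This is
# where an unexpected ext2 instead of ext4 (as seen in the report) shows up.
tmp_mount_fstype() {
    awk '$2 == "/tmp" { fs = $3 } END { if (fs != "") print fs }'
}

# Read a table on stdin; succeed only when /tmp is mounted from
# /dev/mapper/* or /dev/dm-*, i.e. a device-mapper target.
tmp_is_dm_backed() {
    src=$(tmp_mount_source)
    case "$src" in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the state of /tmp for a report: "encrypted" (device-mapper
# backed), "unencrypted-mount" (a mount, but not device-mapper backed,
# e.g. tmpfs) or "not-mounted" (plain directory on the root filesystem).
tmp_state() {
    table=$(cat)
    src=$(printf '%s\n' "$table" | tmp_mount_source)
    if [ -z "$src" ]; then
        echo not-mounted
    elif printf '%s\n' "$table" | tmp_is_dm_backed; then
        echo encrypted
    else
        echo unencrypted-mount
    fi
}

# Constructed sample tables (not captured from a real system).
MOUNTS_GOOD='/dev/vda5 / ext4 rw,relatime 0 0
/dev/mapper/ctmp /tmp ext4 rw,nosuid,nodev,noatime 0 0'
MOUNTS_BAD='/dev/vda5 / ext4 rw,relatime 0 0'
MOUNTS_TMPFS='/dev/vda5 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

printf 'sample good:  %s (%s)\n' \
    "$(printf '%s\n' "$MOUNTS_GOOD" | tmp_state)" \
    "$(printf '%s\n' "$MOUNTS_GOOD" | tmp_mount_fstype)"
printf 'sample bad:   %s\n' "$(printf '%s\n' "$MOUNTS_BAD" | tmp_state)"
printf 'sample tmpfs: %s\n' "$(printf '%s\n' "$MOUNTS_TMPFS" | tmp_state)"

# Live check on the running system (Linux only). Being on /dev/mapper only
# proves a device-mapper target, so when cryptsetup is present also show
# the mapping type and cipher, as "cryptsetup status" reports them.
# Assumes the mapping is named after its /dev/mapper/ entry (e.g. "ctmp").
live_check() {
    state=$(tmp_state < /proc/mounts)
    printf '/tmp state: %s\n' "$state"
    [ "$state" = encrypted ] || return 1
    src=$(tmp_mount_source < /proc/mounts)
    name=${src#/dev/mapper/}
    if command -v cryptsetup >/dev/null 2>&1; then
        cryptsetup status "$name" | sed -n '1p;/^ *type:/p;/^ *cipher:/p'
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` as root after boot (or from a cron job or a systemd timer) and alert on any state other than `encrypted`; the sample tables exercise the three states offline. Note that the check only establishes that /tmp sits on a device-mapper target and, via `cryptsetup status`, which type and cipher that mapping uses; it does not inspect the key source, so the crypttab line still has to be reviewed separately.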

Changed in cryptsetup (Ubuntu):
status: New → Confirmed