cryptsetup-initramfs generates change entries order

Bug #2031499 reported by Nicolas Melot
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
cryptsetup (Ubuntu) | New | Undecided | Unassigned |

Bug Description

update-initramfs does not generate the entries of the initrd's /cryptroot/crypttab in the same order as the system's /etc/crypttab when entries tagged as "initramfs" are placed before entries that are not. This is a problem if partitions automatically detected as needed depend on a partition that is not detected as necessary. For example, see the system's /etc/crypttab below:

# <target name> <source device> <key file> <options>
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh

This turns into the initrd's /cryptroot/crypttab:

swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh
keyring UUID=abcdefg none luks,initramfs

The swap partition gets its key from the script luks-key.sh, which itself reads it from keyring. update-initramfs cannot detect this dependency and places swap to be decrypted first. Decryption will fail at boot because it won't find the necessary key.

I could work around the problem by modifying /usr/share/initramfs-tools/hooks/cryptroot from

177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         if devnos="$(get_mnt_devno /)"; then
184             if [ -n "$devnos" ]; then
185                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
186             fi
187         else
188             cryptsetup_message "WARNING: Couldn't determine root device"
189         fi
190
191         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
192             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
193         fi
194
195         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
196             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
197         fi
198
199         # add crypttab entries with the 'initramfs' option set
200         crypttab_foreach_entry crypttab_print_initramfs_entry
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }

to

177 generate_initrd_crypttab() {
178     local devnos usage IFS="$(printf '\t\n ')"
179     mkdir -- "$DESTDIR/cryptroot"
180     true >"$DESTDIR/cryptroot/targets"
181
182     {
183         # add crypttab entries with the 'initramfs' option set
184         crypttab_foreach_entry crypttab_print_initramfs_entry
185
186         if devnos="$(get_mnt_devno /)"; then
187             if [ -n "$devnos" ]; then
188                 usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
189             fi
190         else
191             cryptsetup_message "WARNING: Couldn't determine root device"
192         fi
193
194         if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
195             usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
196         fi
197
198         if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
199             usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
200         fi
201     } 3>"$DESTDIR/cryptroot/crypttab"
202     rm -f "$DESTDIR/cryptroot/targets"
203 }

i.e. moving line 200 to line 183, so that "initramfs"-tagged entries are generated before other entries. Of course this is a quick and dirty fix and won't stand many other scenarios.

A possible quick fix includes an order field in the options section of /etc/crypttab. A better one would be a dependency option, e.g. depends=keyring in the example above:

keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-nicmel/swap legacy luks,keyscript=/etc/luks-key.sh,depends=keyring
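
An added example, not part of the original report and not code from the cryptsetup package: a POSIX sh function that reorders crypttab entries so each one follows the targets named in its depends= option, and fails on unknown targets or cycles. depends= is only the option the report proposes, not an existing crypttab option; the names order_crypttab and sample_crypttab and the ':' separator for several dependencies are assumptions.

```shell
#!/bin/sh
# order_crypttab: read crypttab entries on stdin and print them so that every
# entry follows the targets named in its depends= option.
# ASSUMPTIONS: depends= is the option proposed in the report, not an existing
# crypttab option; function names and the ':' list separator are hypothetical.
order_crypttab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
        n++; name[n] = $1; line[n] = $0; known[$1] = 1; deps[n] = ""
        k = split($4, opt, ",")
        for (i = 1; i <= k; i++)
            if (opt[i] ~ /^depends=/) deps[n] = substr(opt[i], 9)
    }
    END {
        left = n
        while (left > 0) {
            progress = 0
            for (i = 1; i <= n; i++) {
                if (done[i]) continue
                ready = 1
                m = split(deps[i], d, ":")
                for (j = 1; j <= m; j++) {
                    if (!(d[j] in known)) {
                        print name[i] ": unknown dependency " d[j] > "/dev/stderr"
                        exit 1
                    }
                    if (!(d[j] in emitted)) ready = 0
                }
                if (ready) {
                    print line[i]; done[i] = 1; emitted[name[i]] = 1
                    left--; progress = 1
                }
            }
            if (!progress) { print "crypttab: dependency cycle" > "/dev/stderr"; exit 1 }
        }
    }'
}

# Constructed sample: the mis-ordered initrd crypttab from the report, with
# the proposed depends= option added to the swap entry.
sample_crypttab() {
    cat <<'EOF'
swap /dev/mapper/xps--nicmel-swap legacy luks,keyscript=/etc/luks-key.sh,depends=keyring
keyring UUID=abcdefg none luks,initramfs
EOF
}

sample_crypttab | order_crypttab   # keyring is printed before swap
```

Entries without dependencies keep their input order, so the root, resume and /usr entries the hook emits would only move when a depends= target has to come first.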
