cryptsetup-initramfs generates change entries order
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cryptsetup (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
update-initramfs does not generate entries of initrd's /cryptroot/crypttab in the same order as system's /etc/crypttab, when entries tagged as "initramfs" are placed before entries that are not. This is a problem if partitions automatically detected as needed depend on a partition that is not detected as necessary. For example, see system's /etc/crypttab below:
# <target name> <source device> <key file> <options>
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-
Turns to initrd's /cryptroot/
swap /dev/mapper/
keyring UUID=abcdefg none luks,initramfs
The swap partition gets its key from the script luks-key.sh, which itself reads it from keyring. update-initramfs cannot detect this dependency and places swap to be decrypted first. Decryption will fail at boot because it won't find the necessary key.
I could work around the problem by modifying /usr/share/
177 generate_
178 local devnos usage IFS="$(printf '\t\n ')"
179 mkdir -- "$DESTDIR/
180 true >"$DESTDIR/
181
182 {
183 if devnos=
184 if [ -n "$devnos" ]; then
185 usage=rootfs foreach_cryptdev crypttab_
186 fi
187 else
188 cryptsetup_message "WARNING: Couldn't determine root device"
189 fi
190
191 if devnos=
192 usage=resume foreach_cryptdev crypttab_
193 fi
194
195 if devnos=
196 usage="" foreach_cryptdev crypttab_
197 fi
198
199 # add crypttab entries with the 'initramfs' option set
200 crypttab_
201 } 3>"$DESTDIR/
202 rm -f "$DESTDIR/
203 }
to
generate_
178 local devnos usage IFS="$(printf '\t\n ')"
179 mkdir -- "$DESTDIR/
180 true >"$DESTDIR/
181
182 {
183 # add crypttab entries with the 'initramfs' option set
184 crypttab_
185
186 if devnos=
187 if [ -n "$devnos" ]; then
188 usage=rootfs foreach_cryptdev crypttab_
189 fi
190 else
191 cryptsetup_message "WARNING: Couldn't determine root device"
192 fi
193
194 if devnos=
195 usage=resume foreach_cryptdev crypttab_
196 fi
197
198 if devnos=
199 usage="" foreach_cryptdev crypttab_
200 fi
201 } 3>"$DESTDIR/
202 rm -f "$DESTDIR/
203 }
i.e. moving line 200 to line 183, so that "initramfs"-tagged entries are generated before other entries. Of course this is a quick and dirty fix and won't stand many other scenarios.
A possible quick fix includes an order field in the options section of /etc/crypttab. A better one would be a dependency option, e.g. depends=keyring in the example above:
keyring UUID=abcdefg none luks,initramfs
swap /dev/xps-
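The ordering a depends= option would call for, sketched as an added example that is not part of the original report or of cryptsetup's own code: it parses crypttab text and emits targets so that every entry follows the entries it depends on, keeping file order otherwise and rejecting unknown or circular dependencies. The depends= option is treated as hypothetical, and the device path, key argument and keyscript path in the sample are constructed.

```python
# Added example: order crypttab entries so dependencies are unlocked first.
# "depends=" is the option proposed in the report (hypothetical here);
# the device path, key argument and keyscript path below are constructed.

SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
swap    /dev/example-vg/swap  swapkey  luks,keyscript=/example/luks-key.sh,depends=keyring
keyring UUID=abcdefg          none     luks,initramfs
"""

def parse_crypttab(text):
    """Return a list of (target, raw_line, [dependency targets]) in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        options = fields[3].split(",") if len(fields) > 3 else []
        deps = [o.split("=", 1)[1] for o in options if o.startswith("depends=")]
        entries.append((fields[0], line, deps))
    return entries

def order_entries(entries):
    """Stable topological sort: keep file order unless a dependency forces a move."""
    known = {target for target, _, _ in entries}
    for target, _, deps in entries:
        missing = [d for d in deps if d not in known]
        if missing:
            raise ValueError(f"{target}: unknown dependency {missing[0]}")
    ordered, done, pending = [], set(), list(entries)
    while pending:
        ready = [e for e in pending if all(d in done for d in e[2])]
        if not ready:
            cycle = ", ".join(t for t, _, _ in pending)
            raise ValueError(f"dependency cycle among: {cycle}")
        # Emit only the first ready entry so the original order is disturbed least.
        first = ready[0]
        ordered.append(first[0])
        done.add(first[0])
        pending.remove(first)
    return ordered

if __name__ == "__main__":
    print(order_entries(parse_crypttab(SAMPLE_CRYPTTAB)))
```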