Package: cryptsetup-initramfs
Version: 2:2.0.5-1
Severity: important

Dear Maintainer,

I have the whole /boot/ partition on an external USB drive. I also have the LUKSv2 header detached from the system container and placed on that external USB drive. So, to open my laptop, I have to connect the USB device (my phone) first.

In order to make this work, I had to write a script and put it in the /etc/initramfs-tools/scripts/local-block/mount-boot file. Here's the file.

===========================================
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

# source for log_*_msg() functions, see LP: #272301
. /scripts/functions

# Default PATH differs between shells, and is not automatically exported
# by klibc dash. Make it consistent.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ -d /boot ] || mkdir -m 0755 /boot
mount -t ext4 -o ro /dev/disk/by-uuid/6f3b0020-0491-4a12-98ca-c97a7a80f5b7 /boot

exit 0
===========================================

This setup was working well for some time, but it's not working as well as before, and I don't really know exactly when it stopped working. I thought the situation was temporary, but it looks like it's not.

When I boot my system, I get a prompt for the password, so I type it correctly, and my system is unable to open the encrypted system container. No matter what I do, the first 6 tries always fail -- I can type whatever, or even leave it empty and just press enter. The 7th time works, and everything goes back to normal. For some time I thought it was a really nice security feature, but I'm getting tired of it. :D

Looking for some answers, I found this:

1. When the system with the detached LUKS header boots, it looks for the external USB device. The device isn't available when the first password prompt shows. In the earlier version (when everything was working well), some errors were printed on the screen when the system was probing for the external USB device (because of the /etc/initramfs-tools/scripts/local-block/mount-boot file). It was saying something about "Error LUKS header missing" several times, one after another, until I got the password prompt. Now, only the first error is printed, but after that it stops, and it doesn't probe for the USB device until I type some password.

2. When I type the password 3x, I can see "Running /script/local-premount". Some messages are also written to the screen, and then I see "Running /scripts/local-block", and the boot hangs again waiting for another password.

3. Also, after those 3 bad passwords, I get the message "maximum numbers of tries exceeded". Usually this should lock the user out from typing another password for 60s or something, but in this case it doesn't do that.

4. After another 3 tries, I can see another "Running /scripts/local-block" and some other messages are displayed, including another "maximum numbers of tries exceeded", also without preventing the user from typing another password.

5. So, after those 6 tries, when I try for the 7th time, it finally works, and my system is able to decrypt the encrypted system container.

So where's the problem? Why is it not working well now, when it was working in the past?

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.27.2-3
ii  cryptsetup-run                          2:2.0.5-1
ii  initramfs-tools [linux-initramfs-tool]  0.132

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.187
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.
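The report observes that the USB device is not yet present at the first prompt and that /scripts/local-block is run several times during one boot. The following is an added example, not the reporter's script and not a confirmed fix for this bug, of a hook body that waits a bounded time for the device and is safe to run repeatedly. The UUID placeholder, the variable names and the overridable MOUNT_CMD and MOUNTS_FILE settings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent, bounded-wait mount of an external /boot.
# PLACEHOLDER-UUID is constructed; substitute the real filesystem UUID.
BOOT_DEV="${BOOT_DEV:-/dev/disk/by-uuid/PLACEHOLDER-UUID}"
BOOT_DIR="${BOOT_DIR:-/boot}"
WAIT_SECS="${WAIT_SECS:-10}"
# Overridable so the logic can be exercised outside an initramfs (assumption).
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"

# Return 0 if directory $1 appears as a mount point in $MOUNTS_FILE.
is_mounted() {
    while read -r _dev mnt _rest; do
        [ "$mnt" = "$1" ] && return 0
    done < "$MOUNTS_FILE"
    return 1
}

# Poll once per second until path $1 exists; give up after $2 seconds.
wait_for_dev() {
    n=0
    while [ ! -e "$1" ]; do
        [ "$n" -ge "$2" ] && return 1
        sleep 1
        n=$((n + 1))
    done
    return 0
}

# Mount $BOOT_DEV read-only on $BOOT_DIR.
# A repeated invocation is a no-op once the mount exists, and a missing
# device produces a non-zero return instead of a blind mount attempt.
mount_boot() {
    is_mounted "$BOOT_DIR" && return 0
    wait_for_dev "$BOOT_DEV" "$WAIT_SECS" || return 1
    [ -d "$BOOT_DIR" ] || mkdir -m 0755 "$BOOT_DIR"
    $MOUNT_CMD -t ext4 -o ro "$BOOT_DEV" "$BOOT_DIR"
}
```

In a hook, these definitions would follow the prereqs stanza, with a call to `mount_boot` before the final `exit 0`.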