Your message dated Sun, 2 Jun 2019 21:20:17 +0200
with message-id <[email protected]>
and subject line Re: Bug#929828: unblock: cryptsetup/2:2.1.0-4
has caused the Debian Bug report #929828,
regarding unblock: cryptsetup/2:2.1.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
929828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi there,

Unlocking LUKS2 volumes requires userspace crypto (‘algif_skcipher’ kernel
module), which cryptsetup-initramfs 2:2.1.0-3 does not copy to initramfs
images created with MODULES=dep, cf. #929616.  (Default value for $MODULES
is "most", otherwise that bug would have been of much higher severity.
Still, newly formatted devices can't be unlocked from initramfs images
created with MODULES=dep, which is a severe regression.)

In 2:2.1.0-4 we propose ‘algif_skcipher’ be included in all initramfs
images, regardless of the value of $MODULES.  Even though the module isn't
needed for LUKS1, “plain” dm-crypt, etc. we can't always determine the
header format/version at initramfs generation time (for instance the
header might be detached and on removable media).  As of cryptsetup
2.1.x LUKS2 is the default LUKS format version, so it makes sense to
include the module unconditionally (like we've been doing for ‘aesni’
since 2:1.3.0-3, although it's possible to use a non-AES cipher, and not
all CPUs have the AES instruction set).  The overhead of adding an extra
module to initramfs images should be minimal: with its dependency the
extra module adds a mere 68kiB (as of linux-image-4.19.0-5-amd64).

Debdiff between 2:2.1.0-3 and 2:2.1.0-4 attached.  This also includes a
patch by jmtd fixing the long description of cryptsetup-{bin,run}.  The
diff doesn't touch our .udeb binary packages, but X-Debbugs-CC'ing kibi
anyway as cryptsetup is also under udeb-block.

unblock cryptsetup/2:2.1.0-4
Thanks for considering its inclusion in Buster!
Cheers,
-- 
Guilhem.
diff -Nru cryptsetup-2.1.0/debian/changelog cryptsetup-2.1.0/debian/changelog
--- cryptsetup-2.1.0/debian/changelog   2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/changelog   2019-05-28 17:04:16.000000000 +0200
@@ -1,3 +1,22 @@
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+  [Guilhem Moulin]
+  * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+    ('algif_skcipher' kernel module) to the initramfs.  This module is
+    required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
+    added to large initramfs (i.e., when the MODULES variable isn't set to
+    "dep").  It's now added regardless of the value of $MODULES, as 1/ LUKS2
+    is the default LUKS header format version; and 2/ we can't check at
+    initramfs creation time whether there are LUKS2 devices to be opened at
+    early boot stage (detached headers might not be present then).
+    Closes: #929616.
+
+  [Jonathan Dowland]
+  * Update package descriptions to reflect the move of luksformat from
+    cryptsetup-bin to cryptsetup-run. Closes: #928751.
+
+ -- Guilhem Moulin <[email protected]>  Tue, 28 May 2019 17:04:16 +0200
+
 cryptsetup (2:2.1.0-3) unstable; urgency=medium
 
   * d/scripts/decrypt_opensc: Fix standard output poisoning.  Thanks to Nils
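
Review bot: The first item of the new 2:2.1.0-4 entry repeats itself, "This module is required for required for opening LUKS2 devices"; drop the duplicated "required for" before upload, since the changelog text is what users and the release team read to judge the change.
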
diff -Nru cryptsetup-2.1.0/debian/control cryptsetup-2.1.0/debian/control
--- cryptsetup-2.1.0/debian/control     2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/control     2019-05-28 17:04:16.000000000 +0200
@@ -51,6 +51,9 @@
  automatically configuring encrypted devices at boot time via the config
  file /etc/crypttab. Additional features are cryptoroot support through
  initramfs-tools and several supported ways to read a passphrase or key.
+ .
+ This package provides the cryptdisk_start and stop wrappers and
+ luksformat.
 
 Package: cryptsetup-bin
 Architecture: linux-any
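
Review bot: In the paragraph added to the cryptsetup-run description, "the cryptdisk_start and stop wrappers" leaves the second command name implicit; spell both names out in full (for example "the cryptdisk_start and cryptdisk_stop wrappers") so that a search of package descriptions for the second command finds this package.
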
@@ -61,7 +64,8 @@
  device mapper target dm-crypt. It features integrated Linux Unified Key
  Setup (LUKS) support.
  .
- This package provides cryptsetup, cryptsetup-reencrypt and luksformat.
+ This package provides cryptsetup, cryptsetup-reencrypt, integritysetup
+ and veritysetup.
 
 Package: cryptsetup-initramfs
 Architecture: all
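
Review bot: The cryptsetup-bin description gains integritysetup and veritysetup in this hunk, but the changelog item only mentions the move of luksformat to cryptsetup-run; name the two added tools in the changelog item as well so the whole description change is accounted for.
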
diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot 
cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot
--- cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot   2019-04-30 
21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot   2019-05-28 
17:04:16.000000000 +0200
@@ -441,6 +441,10 @@
         CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
     fi
 
+    # add userspace crypto module (only required for opening LUKS2 devices
+    # we add the module unconditionally as it's the default format)
+    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
+
     if [ "$MODULES" = most ]; then
         for d in "$MODULESDIR"/kernel/arch/*/crypto; do
             copy_modules_dir "${d#"$MODULESDIR/"}"
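
Review bot: The comment added above the CRYPTO_MODULES assignment is a run-on parenthetical and gives only "it's the default format" as the reason, while the changelog's second reason (the header format can't be checked at initramfs creation time, e.g. with detached headers) is the one that justifies adding the module unconditionally. Suggest something like "# add userspace crypto module: only needed for LUKS2, but added unconditionally since LUKS2 is the default format and detached headers can't be inspected at hook time".
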
@@ -449,7 +453,7 @@
     else
         if [ "$MODULES" != "dep" ]; then
             # with large initramfs, we always add a basic subset of modules
-            add_crypto_modules aes algif_skcipher cbc chainiv cryptomgr krng 
sha256 xts
+            add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
         fi
         add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | 
sort -u)
     fi
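
Review bot: With algif_skcipher dropped from the basic subset, the non-"dep" branch now receives it only through the later add_crypto_modules call over $CRYPTO_MODULES, so this line silently depends on the assignment added in the previous hunk. A short comment next to the reduced list saying that algif_skcipher is supplied via CRYPTO_MODULES would keep a later edit from re-adding it here or removing it there.
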



--- End Message ---
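
The regression described in the first message can be checked for before a reboot. The script below is an added example, not code from the cryptsetup package or from this bug report: given a header (a device or a detached header file) and an initramfs file listing in the format lsinitramfs prints, it reports whether a LUKS2 header would meet an initramfs without algif_skcipher. The function names, the KVER placeholder and the sample data are constructed; it assumes the kernel crypto API is built as modules and that af_alg is the dependency the message refers to.

```sh
#!/bin/sh
# Added example, not code from the cryptsetup package.

# luks_version FILE: print 1 or 2 for a LUKS1/LUKS2 header at the start of
# FILE (a device or a detached header file); fail if there is no LUKS magic.
luks_version() {
    [ -r "$1" ] || return 1
    # Both formats start with "LUKS" 0xBA 0xBE and a 16-bit big-endian version.
    case "$(od -An -tx1 -N8 < "$1" | tr -d ' \n')" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# listing_has_module NAME: succeed if the file listing on stdin (one path per
# line, the format lsinitramfs prints) contains NAME.ko, compressed or not.
listing_has_module() {
    grep -Eq "/$1\.ko(\.[a-z0-9]+)?\$"
}

# luks2_boot_check HEADER LISTING
#   0  header is LUKS1, or LUKS2 and the userspace crypto modules are listed
#   1  header is LUKS2 but a module is missing (the MODULES=dep regression)
#   2  no LUKS header found (plain dm-crypt, or the wrong file)
luks2_boot_check() {
    ver=$(luks_version "$1") || return 2
    [ "$ver" = 2 ] || return 0
    # Assumption: af_alg is the module algif_skcipher depends on.
    for m in algif_skcipher af_alg; do
        listing_has_module "$m" < "$2" || { echo "missing: $m.ko" >&2; return 1; }
    done
}

# Constructed sample: a LUKS2 magic plus a listing that lacks algif_skcipher.
# KVER is a placeholder for the kernel version directory.
demo() {
    d=$(mktemp -d) || return 3
    printf 'LUKS\272\276\000\002' > "$d/header"
    printf '%s\n' usr/lib/modules/KVER/kernel/crypto/xts.ko \
        usr/lib/modules/KVER/kernel/arch/x86/crypto/aesni-intel.ko > "$d/listing"
    rc=0; luks2_boot_check "$d/header" "$d/listing" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "sample initramfs cannot unlock the sample LUKS2 header"
```

A return code of 2 is not a pass: as the message notes, a detached header may simply not be present when the check runs.
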
--- Begin Message ---
Hi Guilhem,

On 02-06-2019 18:50, Cyril Brulebois wrote:
> Paul Gevers <[email protected]> (2019-06-02):
>> I'm fine with this. I'll unblock after the ack of kibi as I am not sure
>> about checking the udeb part myself (an area that I still have to learn).
> 
> The proposed change seems reasonable.

Unblocked, thanks.

Paul



--- End Message ---
