Bug#1036458: add dependency to fido2-tools

2023-05-21 Thread schaarsc
Package: gocryptfs
Version: 2.3-1

Please add a (suggests) dependency on fido2-tools.

Fido2 support was added in gocryptfs v2.1; it delegates communication with tokens to fido2-assert and fido2-cred, shipped in fido2-tools.



Bug#992675: resynthesizer missing in bullseye

2021-08-22 Thread schaarsc
Package: gimp-plugin-registry
Version: 9.20200927

the resynthesizer plugin is included in buster (9.20180625) but missing in 
bullseye (9.20200927)

https://packages.debian.org/buster/amd64/gimp-plugin-registry/filelist
https://packages.debian.org/bullseye/amd64/gimp-plugin-registry/filelist



Bug#983708: passdev and systemd use conflicting syntax for keyfile

2021-02-28 Thread schaarsc
Package: cryptsetup-initramfs
Version: 2:2.3.4-2~bpo10+2

systemd  247.2-5~bpo10+1

I recently switched to buster-backports and noticed an issue that (I think) could potentially break systems migrating to bullseye.
On a system having encrypted root, keyfile on usb-stick and multiple btrfs subvolumes, the system fails to mount all subvolumes.

If there is no solution, then maybe a hint in the README could be added.

== Root cause ==

/etc/crypttab is used by passdev and systemd, but using different syntax
passdev expects[1] :
systemd expects[2] :


== Setup ==

/etc/crypttab
(this is in one line, split to avoid random line breaks)
root-luks
/dev/sda2
/dev/disk/by-label/usbkeys:/root.key
luks,keyscript=passdev,initramfs


/etc/fstab
/dev/sda1              /boot       ext2
/dev/mapper/root-luks  /           btrfs  subvol=@
/dev/mapper/root-luks  /.snapshots btrfs  subvol=@snapshots
/dev/mapper/root-luks  /home       btrfs  subvol=@home


== Observed issues ==

1. grub starts initramfs
2. cryptsetup-initramfs opens root-luks
3. systemd-cryptsetup-generator starts
4. Error: failed to mount run-systemd-cryptsetup-keydev\\x2droot\\x2dluks.mount
5. .snapshots and home are not mounted because of the missing "dependency" for root-luks


== Workaround ==

create a systemd-mount file for the usb-stick
/etc/systemd/system/run-systemd-cryptsetup-keydev\\x2droot\\x2dluks.mount
What=/dev/disk/by-label/usbkeys
Where=/run/systemd/cryptsetup/keydev-root-luks
Options=ro

== References ==
1. /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz
2. https://www.freedesktop.org/software/systemd/man/crypttab.html
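
The crypttab check and the mount-unit workaround from Bug#983708 above, as an added shell example that is not part of the original report: it finds entries that use keyscript=passdev (key field in passdev's device:path form) and prints the override unit for each. The function names and the second sample line are constructed for illustration, and the [Mount] header is added because systemd reads these settings from that section.

```shell
#!/bin/sh
# Added example (not from the bug report). All function names are hypothetical.
# Escape an absolute path into a unit name: "/" -> "-", other bytes -> \xNN.
unit_escape_path() {
    p=${1#/}; out=""
    while [ -n "$p" ]; do
        rest=${p#?}; c=${p%"$rest"}; p=$rest
        case $c in
            /) out="$out-" ;;
            [A-Za-z0-9:_.]) out="$out$c" ;;
            *) out="$out$(printf '\\x%02x' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Key-device mount point for mapping $1, as used in the report's workaround.
keydev_where() { printf '/run/systemd/cryptsetup/keydev-%s\n' "$1"; }
keydev_unit_name() { printf '%s.mount\n' "$(unit_escape_path "$(keydev_where "$1")")"; }

# Read crypttab text on stdin; print "<name> <device>" for each entry that
# uses keyscript=passdev, whose key field is "<device>:<path>[:<timeout>]".
passdev_entries() {
    while read -r name _src key opts _rest; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,keyscript=passdev,*|*,keyscript=*/passdev,*) ;;
            *) continue ;;
        esac
        printf '%s %s\n' "$name" "${key%%:*}"
    done
}

# Render the override mount unit for mapping $1 with key device $2.
render_unit() {
    printf '# /etc/systemd/system/%s\n[Mount]\nWhat=%s\nWhere=%s\nOptions=ro\n' \
        "$(keydev_unit_name "$1")" "$2" "$(keydev_where "$1")"
}

# Constructed sample input, modelled on the crypttab line in the report.
sample_crypttab() {
    cat <<'EOF'
# <target> <source> <key file> <options>
root-luks /dev/sda2 /dev/disk/by-label/usbkeys:/root.key luks,keyscript=passdev,initramfs
swap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64
EOF
}

sample_crypttab | passdev_entries | while read -r n d; do render_unit "$n" "$d"; done
```

On a real system, feed `/etc/crypttab` to `passdev_entries` instead of the sample.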



Bug#854139: undefined symbol: goa_utils_keyfile_get_boolean

2017-02-04 Thread schaarsc
Package: gnome-online-accounts
Version: 3.22.4-1

related packages:
ii  libgoa-1.0-0b:amd64         3.22.4-1
ii  libgoa-1.0-common           3.22.4-1
ii  libgoa-backend-1.0-1:amd64  3.22.4-1

access to online accounts stopped working.
journalctl shows log entries related to undefined symbol:

dbus-daemon[3766]: Activating service name='org.gnome.OnlineAccounts'
org.gnome.OnlineAccounts[3766]: /usr/lib/gnome-online-accounts/goa-daemon: symbol lookup error: /usr/lib/gnome-online-accounts/goa-daemon: undefined symbol: goa_utils_keyfile_get_boolean
dbus-daemon[3766]: Activated service 'org.gnome.OnlineAccounts' failed: Process org.gnome.OnlineAccounts exited with status 127


nm -D /usr/lib/x86_64-linux-gnu/libgoa-backend-1.0.so.1  |grep utils_keyfile
0004dbe0 T goa_utils_keyfile_remove_key
0004dd70 T goa_utils_keyfile_set_boolean
0004dfa0 T goa_utils_keyfile_set_string



Bug#849335: Support keyfile-size, keyfile-offset in cryptroot

2016-12-25 Thread schaarsc
Package: cryptsetup
Version: 2:1.7.3-3
Tags: patch


Debian supports keyscript, systemd does not. Using keyscript for the root device results either in delays during boot or (sometimes) in boot errors.
Someone suggested to use devices + keyfile-size, keyfile-offset [1] instead.
However, the cryptroot hook does not pass those options to initramfs.
Please consider adding keyfile-size, keyfile-offset to the supported options.


[1] https://wiki.debianforum.de/Cryptsetup_mit_systemd_und_Schlüssel_auf_externem_USB-Stick


--- /tmp/cryptsetup_1.7.3-3/lib/cryptsetup/cryptdisks.functions	2016-12-09 01:18:17.0 +0100
+++ /lib/cryptsetup/cryptdisks.functions	2016-12-25 19:02:23.179147532 +0100
@@ -203,6 +203,20 @@
 			fi
 			LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
 			;;
+		keyfile-size)
+			if [ -z "$VALUE" ]; then
+log_warning_msg "$dst: no value for keyfile-size option, skipping"
+return 1
+			fi
+			LUKSPARAMS="$LUKSPARAMS --keyfile-size $VALUE"
+			;;
+		keyfile-offset)
+			if [ -z "$VALUE" ]; then
+log_warning_msg "$dst: no value for keyfile-offset option, skipping"
+return 1
+			fi
+			LUKSPARAMS="$LUKSPARAMS --keyfile-offset $VALUE"
+			;;
 		tcrypthidden)
 			TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-hidden"
 			;;
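Review bot: the new keyfile-size and keyfile-offset cases only check that $VALUE is non-empty before appending it unquoted to LUKSPARAMS, so a non-numeric value (or one containing spaces) ends up in the parameter string unchanged. Reject anything that is not a plain decimal number in the same branch, for example with `case "$VALUE" in *[!0-9]*) ... return 1;; esac`, and list both options in the crypttab documentation.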
@@ -213,7 +227,7 @@
 
 		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
 		[ -z "$VALUE" ] && VALUE="yes"
-		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+		eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 	done
 	export CRYPTTAB_OPTIONS
 
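Review bot: in the changed `eval export` line, $PARAM is expanded unquoted and only `-` is rewritten, so any other character that is not valid in a shell variable name still reaches eval, and $VALUE is still interpolated into the evaluated string. Restrict the name to [A-Za-z0-9_] before the eval (for example `printf %s "$PARAM" | tr -c 'A-Za-z0-9_' '_'` in place of the sed expression), and document for keyscript authors that CRYPTTAB_OPTIONS keeps the hyphenated spelling while the exported variable name uses underscores.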
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/hooks/cryptroot	2016-12-09 01:18:17.0 +0100
+++ /usr/share/initramfs-tools/hooks/cryptroot	2016-12-25 19:03:12.954987653 +0100
@@ -444,8 +444,15 @@
 			resumedev)
 OPTIONS="$OPTIONS,$opt"
 ;;
+			keyfile-size=*)
+OPTIONS="$OPTIONS,$opt"
+;;
+			keyfile-offset=*)
+OPTIONS="$OPTIONS,$opt"
+;;
 			*)
 # Presumably a non-supported option
+echo "option not supported: $opt" >&2
 ;;
 		esac
 	done
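Review bot: the message added to the default branch, `echo "option not supported: $opt" >&2`, has no `cryptsetup: WARNING:` prefix, unlike the other messages this hook prints, so it is hard to attribute in the hook's output. Use the same prefix, and consider folding the two new branches into a single `keyfile-size=*|keyfile-offset=*)` pattern since their bodies are identical.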
@@ -473,25 +480,33 @@
 key="/cryptroot-keyfiles/${target}.key"
 ;;
 			*)
-key=$(readlink -e "$key")
+# only resolve sym-links for files, not for disks
+if [ "$key" = "${key%/dev/disk/*}" ] ; then
+	key=$(readlink -e "$key")
+fi
 # test whether $target is a root device (or parent of the root device)
 if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?rootdev(,.*)?$'; then
-	echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
-	return 1
+	if [ "$key" = "${key%/dev/disk/*}" ] ; then
+		echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2
+		return 1
+	else
+		echo "cryptsetup: NOTE: root target $target uses a device, $key" >&2 
+	fi
 # test whether a) key file is not on root fs
 #   or b) root fs is not encrypted
 elif [ "$(stat -c %m -- "$key" 2>/dev/null)" != / ] || ! node_or_pv_is_in_crypttab $rootdevs; then
 	echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS, skipped" >&2
 	return 1
+else
+	if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
+		# we'll be able to decrypt the device, but won't be able to use it for resuming
+		echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
+	fi
+	# prepend "/root" (to be substituted by the real root FS
+	# mountpoint "$rootmnt" in the boot script) to the
+	# absolute filename
+	key="/root$key"
 fi
-if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then
-	# we'll be able to decrypt the device, but won't be able to use it for resuming
-	echo "cryptsetup: WARNING: resume device $source uses a key file" >&2
-fi
-# prepend "/root" (to be substituted by the real root FS
-# mountpoint "$rootmnt" in the boot script) to the
-# absolute filename
-key="/root$key"
 ;;
 		esac
 		OPTIONS="$OPTIONS,keyscript=cat"
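Review bot: the device test `[ "$key" = "${key%/dev/disk/*}" ]` is not anchored to the start of the path, so any key path that merely contains `/dev/disk/` is treated as a device and skips both `readlink -e` and the "root target $target uses a key file, skipped" guard. Match the prefix explicitly with `case "$key" in /dev/disk/*)` and evaluate it once into a flag instead of repeating the test in two places.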
--- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/scripts/local-top/cryptroot	2016-12-09 01:18:17.0 +0100
+++ /usr/share/initramfs-tools/scripts/local-top/cryptroot	2016-12-25 19:07:16.661745962 +0100
@@ -70,6 +70,8 @@
 	cryptkeyscript=""
 	cryptkey="" # This is only used as an argument to an eventual keyscript
 	cryptkeyslot=""
+	cryptkeyfilesize=""
+	cryptkeyfileoffset=""
 	crypttries=3
 	crypttcrypt=""
 	cryptveracrypt=""
@@ -124,6 +126,12 @@
 		keyslot=*)
 			cryptkeyslot=${x#keyslot=}
 			;;
+		keyfile-size=*)
+			cryptkeyfilesize=${x#keyfile-size=}
+			;;
+		keyfile-offset=*)
+			cryptkeyfileoffset=${x#keyfile-offset=}
+			;;
 		tries=*)
 			crypttries="${x#tries=}"
 			case "$crypttries" in
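Review bot: `cryptkeyfilesize` and `cryptkeyfileoffset` are taken from the option string as-is, while the `tries=*` case directly below checks its value with `case "$crypttries" in`. Apply the same kind of numeric check to both new options before they are used, and fall back to an empty value with a message when the check fails.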
@@ -152,7 +160,7 @@
 			VALUE="${x#*=}"
 		fi
 		CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
-		eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+		eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\""
 	done
 	export CRYPTTAB_OPTIONS
 
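Review bot: this `eval export` line repeats the hyphen-to-underscore rewrite added in cryptdisks.functions, again with $PARAM unquoted inside the command substitution. Keep the two copies identical by moving the name mapping into one small helper function per script, or at least add a comment in each pointing at the other, and quote the expansion as `"$PARAM"`.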
@@ -288,6 +296,12 @@
 	if [ -n "$cryptkeyslot" 

Bug#704007: cryptsetup: make mountpoint used by passdev configurable

2013-03-26 Thread schaarsc
Package: cryptsetup
Version: 2:1.4.3-4
Severity: normal

passdev has hard coded the mount point (/tmp/passdev.XX). To cope with
the following scenario the mount point should be configurable:
 - / is on encrypted deviceA
 - var is on encrypted deviceB 
 - /tmp is a symlink to /var/tmp
 
mount operation for / works, I suspect because initram is still using a
tmpfs at this point in time.

mount operation for /var fails because passdev is trying to create
mount point /tmp/passdev., but /tmp -> /var/tmp does not exist yet.

workaround: replace /tmp with /run (my /run is a tmpfs) in 
/lib/cryptsetup/scripts/passdev


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#511840: initramfs-tools: Initrd fails to find root device after boot

2009-06-01 Thread schaarsc
Hi,

from a user perspective the boot process is already too complicated, please 
don't add a dependency to the bootloader on top. 

man initramfs-tools
[...]
   init sets several variables for the boot scripts environment.

ROOT  corresponds to the root boot option.  Advanced boot scripts like
      cryptsetup or live-initramfs need to play tricks.  Otherwise
      keep it alone.
[...]

according to the man page something like the patch below should be ok:

--- scripts/local-top/cryptroot.org 2009-06-01 21:04:23.151755703 +0200
+++ scripts/local-top/cryptroot 2009-06-01 13:56:11.292580410 +0200
@@ -264,6 +264,7 @@
fi

message cryptsetup: $crypttarget setup successfully
+echo ROOT=$NEWROOT  /conf/param.conf
break
done
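Review bot: in the added line `echo ROOT=$NEWROOT  /conf/param.conf` there is no redirection operator between `$NEWROOT` and `/conf/param.conf` as shown here, so the text goes to stdout and nothing is written to the file. It should read `echo "ROOT=$NEWROOT" >> /conf/param.conf`, with the assignment quoted.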


This is enough to make it work with lilo, no need to change /dev/root

Have a nice day
Christian


