Bug#1036458: add dependency to fido2-tools
Package: gocryptfs
Version: 2.3-1

Please add a (suggests) dependency on fido2-tools. Fido2 support has been added in gocryptfs v2.1 and delegates communication with tokens to fido2-assert and fido2-cred shipped in fido2-tools.
Bug#992675: resynthesizer missing in bullseye
Package: gimp-plugin-registry
Version: 9.20200927

The resynthesizer plugin is included in buster (9.20180625) but missing in bullseye (9.20200927).

https://packages.debian.org/buster/amd64/gimp-plugin-registry/filelist
https://packages.debian.org/bullseye/amd64/gimp-plugin-registry/filelist
Bug#983708: passdev and systemd use conflicting syntax for keyfile
Package: cryptsetup-initramfs
Version: 2:2.3.4-2~bpo10+2

systemd 247.2-5~bpo10+1

I recently switched to buster-backports and noticed an issue that (I think) could potentially break systems migrating to bullseye. On a system having encrypted root, keyfile on usb-stick and multiple btrfs subvolumes, the system fails to mount all subvolumes. If there is no solution, then maybe a hint in the README could be added.

== Root cause ==
/etc/crypttab is used by passdev and systemd, but using different syntax
passdev expects[1] :
systemd expects[2] :

== Setup ==
/etc/crypttab (this is in one line, split to avoid random line breaks)
  root-luks /dev/sda2 /dev/disk/by-label/usbkeys:/root.key luks,keyscript=passdev,initramfs

/etc/fstab
  /dev/sda1 /boot ext2
  /dev/mapper/root-luks / btrfs subvol=@
  /dev/mapper/root-luks /.snapshots btrfs subvol=@snapshots
  /dev/mapper/root-luks /home btrfs subvol=@home

== Observed issues ==
1. grub starts initramfs
2. cryptsetup-initramfs opens root-luks
3. systemd-cryptsetup-generator starts
4. Error: failed to mount run-systemd-cryptsetup-keydev\\x2droot\\x2dluks.mount
5. .snapshots and home are not mounted because of missing "dependency" for root-luks

== Workaround ==
create a systemd-mount file for the usb-stick
/etc/systemd/system/run-systemd-cryptsetup-keydev\\x2droot\\x2dluks.mount
  What=/dev/disk/by-label/usbkeys
  Where=/run/systemd/cryptsetup/keydev-root-luks
  Options=ro

== References ==
1. /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz
2. https://www.freedesktop.org/software/systemd/man/crypttab.html
Bug#854139: undefined symbol: goa_utils_keyfile_get_boolean
Package: gnome-online-accounts
Version: 3.22.4-1

related packages:
  ii libgoa-1.0-0b:amd64 3.22.4-1
  ii libgoa-1.0-common 3.22.4-1
  ii libgoa-backend-1.0-1:amd64 3.22.4-1

access to online accounts stopped working. journalctl shows log entries related to undefined symbol:

  dbus-daemon[3766]: Activating service name='org.gnome.OnlineAccounts'
  org.gnome.OnlineAccounts[3766]: /usr/lib/gnome-online-accounts/goa-daemon: symbol lookup error: /usr/lib/gnome-online-accounts/goa-daemon: undefined symbol: goa_utils_keyfile_get_boolean
  dbus-daemon[3766]: Activated service 'org.gnome.OnlineAccounts' failed: Process org.gnome.OnlineAccounts exited with status 127

  nm -D /usr/lib/x86_64-linux-gnu/libgoa-backend-1.0.so.1 |grep utils_keyfile
  0004dbe0 T goa_utils_keyfile_remove_key
  0004dd70 T goa_utils_keyfile_set_boolean
  0004dfa0 T goa_utils_keyfile_set_string
Bug#849335: Support keyfile-size, keyfile-offset in cryptroot
Package: cryptsetup
Version: 2:1.7.3-3
Tags: patch

Debian supports keyscript, systemd does not. Using keyscript for the root device results either in delays during boot or (sometimes) in boot errors. Someone suggested to use devices + keyfile-size, keyfile-offset [1] instead. However, the cryptroot hook does not pass those options to initramfs. Please consider adding keyfile-size, keyfile-offset to the supported options.

[1] https://wiki.debianforum.de/Cryptsetup_mit_systemd_und_Schlüssel_auf_externem_USB-Stick

--- /tmp/cryptsetup_1.7.3-3/lib/cryptsetup/cryptdisks.functions 2016-12-09 01:18:17.0 +0100 +++ /lib/cryptsetup/cryptdisks.functions 2016-12-25 19:02:23.179147532 +0100 @@ -203,6 +203,20 @@ fi LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE" ;; + keyfile-size) + if [ -z "$VALUE" ]; then +log_warning_msg "$dst: no value for keyfile-size option, skipping" +return 1 + fi + LUKSPARAMS="$LUKSPARAMS --keyfile-size $VALUE" + ;; + keyfile-offset) + if [ -z "$VALUE" ]; then +log_warning_msg "$dst: no value for keyfile-offset option, skipping" +return 1 + fi + LUKSPARAMS="$LUKSPARAMS --keyfile-offset $VALUE" + ;; tcrypthidden) TCRYPTPARAMS="$TCRYPTPARAMS --tcrypt-hidden" ;; @@ -213,7 +227,7 @@ CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" [ -z "$VALUE" ] && VALUE="yes" - eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\"" + eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\"" done export CRYPTTAB_OPTIONS --- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/hooks/cryptroot 2016-12-09 01:18:17.0 +0100 +++ /usr/share/initramfs-tools/hooks/cryptroot 2016-12-25 19:03:12.954987653 +0100 @@ -444,8 +444,15 @@ resumedev) OPTIONS="$OPTIONS,$opt" ;; + keyfile-size=*) +OPTIONS="$OPTIONS,$opt" +;; + keyfile-offset=*) +OPTIONS="$OPTIONS,$opt" +;; *) # Presumably a non-supported option +echo "option not supported: $opt" >&2 ;; esac done 
@@ -473,25 +480,33 @@ key="/cryptroot-keyfiles/${target}.key" ;; *) -key=$(readlink -e "$key") +# only resolve sym-links for files, not for disks +if [ "$key" = "${key%/dev/disk/*}" ] ; then + key=$(readlink -e "$key") +fi # test whether $target is a root device (or parent of the root device) if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?rootdev(,.*)?$'; then - echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2 - return 1 + if [ "$key" = "${key%/dev/disk/*}" ] ; then + echo "cryptsetup: WARNING: root target $target uses a key file, skipped" >&2 + return 1 + else + echo "cryptsetup: NOTE: root target $target uses a device, $key" >&2 + fi # test whether a) key file is not on root fs # or b) root fs is not encrypted elif [ "$(stat -c %m -- "$key" 2>/dev/null)" != / ] || ! node_or_pv_is_in_crypttab $rootdevs; then echo "cryptsetup: WARNING: $target's key file $key is not on an encrypted root FS, skipped" >&2 return 1 +else + if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then + # we'll be able to decrypt the device, but won't be able to use it for resuming + echo "cryptsetup: WARNING: resume device $source uses a key file" >&2 + fi + # prepend "/root" (to be substituted by the real root FS + # mountpoint "$rootmnt" in the boot script) to the + # absolute filename + key="/root$key" fi -if printf '%s' "$OPTIONS" | grep -Eq '^(.*,)?resumedev(,.*)?$'; then - # we'll be able to decrypt the device, but won't be able to use it for resuming - echo "cryptsetup: WARNING: resume device $source uses a key file" >&2 -fi -# prepend "/root" (to be substituted by the real root FS -# mountpoint "$rootmnt" in the boot script) to the -# absolute filename -key="/root$key" ;; esac OPTIONS="$OPTIONS,keyscript=cat" --- /tmp/cryptsetup_1.7.3-3/usr/share/initramfs-tools/scripts/local-top/cryptroot 2016-12-09 01:18:17.0 +0100 +++ /usr/share/initramfs-tools/scripts/local-top/cryptroot 2016-12-25 19:07:16.661745962 +0100 
@@ -70,6 +70,8 @@ cryptkeyscript="" cryptkey="" # This is only used as an argument to an eventual keyscript cryptkeyslot="" + cryptkeyfilesize="" + cryptkeyfileoffset="" crypttries=3 crypttcrypt="" cryptveracrypt="" @@ -124,6 +126,12 @@ keyslot=*) cryptkeyslot=${x#keyslot=} ;; + keyfile-size=*) + cryptkeyfilesize=${x#keyfile-size=} + ;; + keyfile-offset=*) + cryptkeyfileoffset=${x#keyfile-offset=} + ;; tries=*) crypttries="${x#tries=}" case "$crypttries" in @@ -152,7 +160,7 @@ VALUE="${x#*=}" fi CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM" - eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\"" + eval export CRYPTTAB_OPTION_$(echo $PARAM | sed 's/-/_/g')="\"$VALUE\"" done export CRYPTTAB_OPTIONS @@ -288,6 +296,12 @@ if [ -n "$cryptkeyslot"
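Review bot: in the cryptdisks.functions hunk (@@ -203,6 +203,20 @@), the new keyfile-size and keyfile-offset branches only reject an empty $VALUE before appending it unquoted to LUKSPARAMS. Both options take a byte count, so a check that $VALUE consists of digits only would catch a typo in /etc/crypttab at parse time and keep a value containing whitespace from being split into extra cryptsetup arguments. The two branches are identical apart from the option name and could share one case pattern, keyfile-size|keyfile-offset), building the flag from $PARAM.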
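Review bot: the rewritten eval line in cryptdisks.functions (@@ -213,7 +227,7 @@) and its copy in scripts/local-top/cryptroot (@@ -152,7 +160,7 @@) pass $PARAM unquoted through echo and sed and then into eval. Only hyphens are mapped to underscores, so any other character that is not valid in a shell variable name still reaches eval unchanged. Quoting the expansion and skipping the export when the sanitized name contains anything outside [A-Za-z0-9_] would make this robust. Since the same line is changed in two files, a small shared helper would keep them from drifting apart.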
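Review bot: in the hooks/cryptroot hunk (@@ -444,8 +444,15 @@), the new message in the *) branch, echo "option not supported: $opt" >&2, lacks the "cryptsetup: WARNING:" prefix used by the other messages in this file, so the user running update-initramfs cannot tell which hook printed it. This also turns a branch that was silent into one that prints for every option the hook does not forward, which deserves a line in the bug report or changelog. The two added keyfile-size=* and keyfile-offset=* branches have the same body and could be merged with |.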
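Review bot: in the hooks/cryptroot hunk (@@ -473,25 +480,33 @@), the test [ "$key" = "${key%/dev/disk/*}" ] is not anchored at the start of the path: it classifies any key whose path contains /dev/disk/ as a device, not only paths that begin with it. A case "$key" in /dev/disk/*) pattern states the intent directly and avoids repeating the expression twice. The device exception is also only reached in the rootdev branch; for a non-root target with a key under /dev/disk/, the following elif still compares stat -c %m against / and skips the target with the "not on an encrypted root FS" warning. If device keys are meant to work for non-root targets as well, that branch needs the same exception, otherwise a comment should say the support is root-only.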
Bug#704007: cryptsetup: make mountpoint used by passdev configurable
Package: cryptsetup
Version: 2:1.4.3-4
Severity: normal

passdev has hard coded the mount point (/tmp/passdev.XX). To cope with the following scenario the mount point should be configurable:
- / is on encrypted deviceA
- var is on encrypted deviceB
- /tmp is a symlink to /var/tmp

mount operation for / works, I suspect because initram is still using a tmpfs at this point in time. mount operation for /var fails because passdev is trying to create mount point /tmp/passdev., but /tmp/-/var/tmp does not exist, yet.

workaround: replace /tmp with /run (my /run is a tmpfs) in /lib/cryptsetup/scripts/passdev

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#511840: initramfs-tools: Initrd fails to find root device after boot
Hi,

from a user perspective the boot process is already too complicated, please don't add a dependency to the bootloader on top.

man initramfs-tools
[...]
init sets several variables for the boot scripts environment.
ROOT corresponds to the root boot option. Advanced boot scripts like cryptsetup or live-initramfs need to play tricks. Otherwise keep it alone.
[...]

according to the man page something like the patch below should be ok:

--- scripts/local-top/cryptroot.org 2009-06-01 21:04:23.151755703 +0200 +++ scripts/local-top/cryptroot 2009-06-01 13:56:11.292580410 +0200 @@ -264,6 +264,7 @@ fi message cryptsetup: $crypttarget setup successfully +echo ROOT=$NEWROOT /conf/param.conf break done

This is enough to make it work with lilo, no need to change /dev/root

Have a nice day
Christian
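Review bot: the added line in the @@ -264,6 +264,7 @@ hunk, echo ROOT=$NEWROOT /conf/param.conf, carries no redirection as shown, so it would print the text to the console rather than write to /conf/param.conf. It should append with >> and quote the value, for example echo "ROOT=$NEWROOT" >> /conf/param.conf. The line also runs unconditionally after the success message; guarding it with a test that $NEWROOT is non-empty would avoid recording an empty ROOT= that overrides the boot option.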