Package: cryptsetup
Severity: normal
Version: 2:1.4.3-4
Tags: patch

Dear Maintainer,

At the moment the cryptsetup initramfs hook unconditionally includes cryptsetup in the initramfs, whether it's needed to mount the root file system or not. I am proposing a two-fold fix to the above problem.

The first patch fixes the bug where, after having performed multiple checks to see if the root filesystem is encrypted or not, it was deemed to discard the check results and claim that nonetheless the root file system is encrypted. The above is sufficient to cause cryptsetup to be excluded on machines that have modified /etc/initramfs-tools/initramfs.conf and set MODULES to something other than most.

The second patch goes further. It changes the behaviour such that if and only if rootfs is encrypted, cryptsetup utilities & modules are included in the initramfs, and the MODULES variable is consulted to include only needed modules or to include standard ones as well.

I understand that there is a corner case, where one might want to generate initramfs on one machine, on behalf of another one. For this case, I include a check of setting CRYPTSETUP. If this hunk is also accepted, the documentation & default setting CRYPTSETUP=n will be then proposed to the initramfs-tools package.

I have tested this patch extensively using various combinations of installation types including ecryptfs & lvm2. These changes have also been uploaded in Ubuntu Saucy, with no regressions identified thus far.

Regards,
Dmitrijs.

diff -Nru cryptsetup-1.4.3/debian/initramfs/cryptroot-hook cryptsetup-1.4.3/debian/initramfs/cryptroot-hook --- cryptsetup-1.4.3/debian/initramfs/cryptroot-hook 2012-04-11 22:34:23.000000000 +0100 +++ cryptsetup-1.4.3/debian/initramfs/cryptroot-hook 2013-06-10 17:04:25.000000000 +0100 @@ -518,7 +524,14 @@ echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2 continue fi - setup="yes" + + if [ -n "$modules" ]; then + setup="yes" + fi + + if [ "$setup" = "no" ]; then + continue + fi if [ "$MODULES" = "most" ]; then archcrypto="$(find "$MODULESDIR/kernel/arch" -type d -name "crypto" 2>/dev/null)"
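
Review bot: the skip test [ "$setup" = "no" ] in the @@ -518,7 +524,14 @@ hunk only fires when setup holds exactly the string no, and its initialisation is not visible in this hunk; if setup is unset or empty at this point, the loop falls through to the MODULES handling for a device whose $modules is empty. Testing [ "$setup" != "yes" ] would make the skip independent of the exact initial value and would match the [ "$setup" = "yes" ] checks used later in the hook. Also, once one device has set setup to yes, later iterations with an empty $modules are no longer skipped; a one-line comment stating whether that is intended would help.
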
diff -Nru cryptsetup-1.4.3/debian/initramfs/cryptroot-hook cryptsetup-1.4.3/debian/initramfs/cryptroot-hook --- cryptsetup-1.4.3/debian/initramfs/cryptroot-hook 2012-04-11 22:34:23.000000000 +0100 +++ cryptsetup-1.4.3/debian/initramfs/cryptroot-hook 2013-06-10 17:04:25.000000000 +0100 @@ -503,6 +503,12 @@ rootdev="" resumedevs="" +# Include cryptsetup modules, regardless of _this_ machine +# configuration +if [ -n "$CRYPTSETUP" ] && [ "$CRYPTSETUP" != "n" ]; then + setup="yes" +fi + # Find the root and resume device(s) if [ -r /etc/crypttab ]; then rootdev=$(get_root_device) @@ -534,14 +547,14 @@ done # With large initramfs, we always add a basic subset of modules -if [ "$MODULES" != "dep" ]; then +if [ "$MODULES" != "dep" ] && [ "$setup" = "yes" ]; then for mod in aes cbc chainiv cryptomgr krng sha256 xts; do add_crypto_modules $mod done fi # See if we need to add the basic components -if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then +if [ "$setup" = "yes" ]; then for mod in dm_mod dm_crypt; do manual_add_modules $mod done
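
Review bot: in the @@ -503,6 +503,12 @@ hunk the test [ "$CRYPTSETUP" != "n" ] treats every non-empty value other than the single letter n as a request to force inclusion, so CRYPTSETUP=no, CRYPTSETUP=N or CRYPTSETUP=0 would all set setup="yes". Matching the accepted values explicitly, for example case "$CRYPTSETUP" in y|Y|yes) setup="yes" ;; esac, avoids that surprise. The accepted values should also be listed in the comment above the test, since nothing in this patch documents the variable.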
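
Review bot: the comment "With large initramfs, we always add a basic subset of modules" in the @@ -534,14 +547,14 @@ hunk is stale once the condition gains && [ "$setup" = "yes" ], because the crypto modules are no longer always added when MODULES is not dep. Please reword it to say the subset is added only when setup is yes. The second change in the same hunk drops the [ "$MODULES" != "dep" ] alternative, so systems that previously received dm_mod and dm_crypt unconditionally now get them only when setup is yes; that behaviour change deserves a changelog entry pointing at the CRYPTSETUP override.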