On Fri, 07 Oct 2016 at 11:10:08 +0100, Klaus Ethgen wrote:
>> This is an undocumented way of forcing cryptsetup initramfs integration.
>> As of 2:1.7.2-1, the hook script configuration variables are to be set in
>> /etc/crytsetup-initramfs/conf-hook, cf. the following changelog entry
>>
>>   * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script
>>     configuration. For backward compatibility setting CRYPTSETUP and
>>     KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported
>>     for now, but causes the hook to print a warning.
>>     This is done following the initramfs-tools maintainers' request (see
>>     #807527) that hook and boot script configuration files be stored outside
>>     the /etc/initramfs-tools directory. (Closes: #783393)
>
> Ah, in that file (/etc/cryptsetup-initramfs/conf-hook, not
> /etc/crytsetup-initramfs/conf-hook) is an (empty) setting "CRYPTSETUP=".
> This file is from yesterday, and was installed by today with the
> upgrade.
>
> However, that particular problem was only about including cryptsetup
> out of the chroot from a recovery grml stick.
>
> The current implementation follows some documentation I had in the
> past. The main key is a file "initramfs-tools/conf.d/diskkey" with the
> following content:
>    KEYFILE_PATTERN="/etc/security/disk.key"
>    export KEYFILE_PATTERN

I see. Indeed, we've unfortunately been too fast at releasing a fix for
#786578. That is, we documented setting KEYFILE_PATTERN in
/etc/initramfs-tools/initramfs.conf (or alternatively, under
/etc/initramfs-tools/conf.d) while the initramfs-tools maintainers later
(#807527) objected to using /etc/initramfs-tools for hook configuration:

    “If a hook script requires configuration beyond the exported
    variables listed below, it should read a private configuration file
    that is separate from the /etc/initramfs-tools directory. It must
    not read initramfs-tools configuration files directly.”
    — initramfs-tools(8)

Can you confirm your system boots as expected once you delete
/etc/initramfs-tools/conf.d/diskkey and use
/etc/cryptsetup-initramfs/conf-hook instead?

I'll push a proper fix later today, to make the latter config file take
precedence over mkinitramfs(8) settings; but *not override them* as it's
incorrectly done now. (Just to be clear, we *will* drop backward
compatibility at some point, but after at least one stable release
cycle, and with a loud warning printed at each update-initramfs run
meanwhile.)

Cheers,
-- 
Guilhem.
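
Added example, not part of the original thread or of the cryptsetup package: a POSIX shell check for the migration discussed above, listing where CRYPTSETUP and KEYFILE_PATTERN are still assigned under /etc/initramfs-tools and whether /etc/cryptsetup-initramfs/conf-hook carries a non-empty setting. The function names and the optional ROOT argument (for auditing a mounted chroot) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: locate CRYPTSETUP / KEYFILE_PATTERN assignments.
# ROOT (first argument) defaults to "/"; pass a chroot mount point to audit it.

VARS_RE='^[[:space:]]*(export[[:space:]]+)?(CRYPTSETUP|KEYFILE_PATTERN)='
# An assignment with nothing (or only empty quotes) after the "=".
EMPTY_RE="=[[:space:]]*(\"\"|'')?[[:space:]]*\$"

# Print "file:line:text" for each uncommented assignment in the given files.
find_assignments() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null forces grep to print the file name portably.
        grep -En "$VARS_RE" "$f" /dev/null || true
    done
    return 0
}

# Legacy locations named in the thread: initramfs.conf and conf.d/*.
legacy_assignments() {
    root=${1:-/}; root=${root%/}
    find_assignments "$root/etc/initramfs-tools/initramfs.conf" \
                     "$root"/etc/initramfs-tools/conf.d/*
}

# Non-empty assignments in the hook's private configuration file.
hook_assignments() {
    root=${1:-/}; root=${root%/}
    find_assignments "$root/etc/cryptsetup-initramfs/conf-hook" |
        grep -Ev "$EMPTY_RE" || true
}

# Returns 1 when legacy assignments remain, 0 otherwise.
audit_hook_conf() {
    legacy=$(legacy_assignments "$1")
    hook=$(hook_assignments "$1")
    if [ -n "$hook" ]; then
        printf 'set in conf-hook:\n%s\n' "$hook"
    else
        printf 'conf-hook: no non-empty CRYPTSETUP/KEYFILE_PATTERN\n'
    fi
    if [ -n "$legacy" ]; then
        printf 'legacy settings still present:\n%s\n' "$legacy"
        return 1
    fi
    return 0
}
```

Source the file and call `audit_hook_conf /` (or a chroot path) before running update-initramfs; a return status of 1 means a setting still lives under /etc/initramfs-tools.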