On Wed, 19 Jun 2019 01:36:22 +0200 Guilhem Moulin <guil...@debian.org> wrote:
> Control: severity -1 minor
>
> Hi,
>
> On Tue, 18 Jun 2019 at 20:35:47 +0200, Jernej Jakob wrote:
> > Any keyfiles configured in /etc/cryptsetup-initramfs/conf-hook
> > KEYFILE_PATTERN are not added to the initramfs if the target in
> > /etc/crypttab also has keyscript set.
>
> As crypttab(5) reads,
>
> “In case of a keyscript, the value of [the third] field is given as
> argument to the keyscript.”
>
> This could probably be made clearer, but the behavior is intentional: it is
> *not* treated as a key file, hence not compared against the KEYFILE_PATTERN
> glob(7) expansion.

Makes sense. Seems good to add this explanation to the documentation, maybe adding "and is *not* added to the initramfs". Otherwise it may be assumed it would still be added, since it's a file, and is passed as an argument to the keyscript (the argument of which could be a file), and the field is normally used as the path to a keyfile, which is added. It all seems very complex to understand to a novice, in particular due to the dual function of the third field.

> > This may prevent the system from booting if the target has a
> > keyscript=/bin/cat set (as is in PureOS which is based on buster).
>
> Setting ‘keyscript=/bin/cat’ is useless for unlocking by key file, and
> is discouraged as it's incompatible with setups not supporting
> keyscripts, like systemd's systemd-cryptsetup@.service. The same entry
> without the key script should work just fine.
>
> > Perhaps cryptroot should print out a warning that the keyfile set in
> > crypttab wasn't added due to a set keyscript. That way the users would
> > know something may be misconfigured.
>
> I'm reluctant to do that due to false positives. Consider a setup with
> two devices unlocked at initramfs stage, one opened by key file (copied
> to the initramfs image), one by key script, and KEYFILE_PATTERN set to
> "*". Nothing wrong with that setup, KEYFILE_PATTERN="*" indicates that
> all key files should be copied to the initramfs image; crypttab(5)
> entries with a ‘keyscript=’ option are intentionally excluded from
> glob(7)'ing; printing any warning would be a false positive.
>
> Cheers,

I agree. Thanks
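The rule discussed in this thread (a crypttab third field is a key file candidate for the initramfs only when the entry has no keyscript= option, and then only if it matches the KEYFILE_PATTERN glob) can be checked before rebooting. The script below is an added illustration written for this page; it is not code from cryptsetup-initramfs, and it models the documented behaviour rather than reproducing the hook's actual implementation. The crypttab text, the key file paths and the UUID placeholder are constructed sample data, and the function names (classify_crypttab, copied_keyfiles) are hypothetical.

```shell
#!/bin/sh
# Constructed sample /etc/crypttab (not from any real system).
# Fields: <target> <source> <key file> <options>
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
cryptroot  UUID=PLACEHOLDER-ROOT-UUID  none                luks,discard
cryptdata  /dev/sdb2                   /etc/keys/data.key  luks
cryptcat   /dev/sdc1                   /etc/keys/cat.key   luks,keyscript=/bin/cat
cryptext   /dev/sdd1                   /mnt/usb/ext.key    luks'

# Hypothetical helper: read crypttab text on stdin, take a KEYFILE_PATTERN
# glob as $1, and print one line per entry saying whether the third field
# would be copied into the initramfs image under the rule from crypttab(5).
classify_crypttab() {
    pattern="$1"
    while read -r target source keyfile options; do
        # Skip blank lines and comments.
        case "$target" in ''|'#'*) continue ;; esac
        # "none" or "-" means "prompt for a passphrase": nothing to copy.
        case "$keyfile" in
            none|-) echo "$target: passphrase"; continue ;;
        esac
        # With keyscript=, the third field is the script's argument, not a
        # key file, so it is never matched against KEYFILE_PATTERN.
        case ",$options," in
            *,keyscript=*) echo "$target: keyscript-arg $keyfile (not copied)"; continue ;;
        esac
        # A plain key file is copied only if it matches the glob.
        case "$keyfile" in
            $pattern) echo "$target: keyfile $keyfile (copied)" ;;
            *)        echo "$target: keyfile $keyfile (not copied: no match for $pattern)" ;;
        esac
    done
}

# Names of the targets whose key file would end up in the initramfs image.
copied_keyfiles() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | classify_crypttab "$1" | grep '(copied)' | cut -d: -f1
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | classify_crypttab '/etc/keys/*'
```

Run against the sample with KEYFILE_PATTERN="/etc/keys/*", only cryptdata's key is reported as copied: cryptcat is excluded because of keyscript=/bin/cat (exactly the case reported above), and cryptext's key lives outside the glob. With KEYFILE_PATTERN="*" both cryptdata and cryptext are copied while cryptcat is still excluded, which is the "nothing wrong with that setup" configuration from the reply.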