Bug 373903 - sys-kernel/genkernel: initramfs does not open luks container if gpg-encrypted passphases are used
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: genkernel (show other bugs)
Hardware: AMD64 Linux
Importance: Normal minor
Assignee: Gentoo Genkernel Maintainers
Reported: 2011-07-03 12:01 UTC by Nicolas Schlumberger
Modified: 2015-08-20 03:00 UTC (History)
Attachments
initrd.scripts fix for gpg encrypted passphrases (initrd.scripts_luks-gpg.diff,523 bytes, patch)
2011-07-03 12:03 UTC, Nicolas Schlumberger
Description Nicolas Schlumberger 2011-07-03 12:01:00 UTC
Using gpg encrypted passphrases, initramfs provided by genkernel-3.4.16 built with genkernel --luks --gpg all does not open the luks container.

Removing/disabling one line in initrd.scripts does fix the issue (see patch below).

Reproducible: Always

Actual Results:  
initrd does not create /dev/mapper/root

Expected Results:  
initrd should create /dev/mapper/root

##########grub2 menuentry############
menuentry "3.0.0_rc5-3 - Sneaky Weasel (LUKS)" {
        load_video
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='(/dev/sda,msdos5)'
        search --no-floppy --fs-uuid --set=root 8e82ac0e-4c71-4a09-b80e-4ad5a7ffbdf6
        linux linux-3.0.0_rc5-3 ro crypt_root=/dev/sda7 root_keydev=/dev/sda5 root_key=/gsys.gpg real_root=/dev/mapper/root real_rootflags=subvol=gentoo acpi=on mce vbe crypt_swap=/dev/sda6 swap_keydev=/dev/sda5 swap_key=/gswap.gpg real_resume=/dev/mapper/swap scsi_mod.scan=sync 
        initrd initrd-3.0.0_rc5-3
}

############## emerge --info ###################
Comment 1 Nicolas Schlumberger 2011-07-03 12:03:42 UTC
Created attachment 278917 [details, diff]
initrd.scripts fix for gpg encrypted passphrases

Applying the attached patch to /usr/share/genkernel/defaults/initrd.scripts fixes the named issue.
Comment 2 Sebastian Pipping gentoo-dev 2011-07-03 22:09:02 UTC
Adding dacook to CC - in his interest I hope.


(In reply to comment #0)
> Using gpg encrypted passphrases, initramfs provided by genkernel-3.4.16 built
> with genkernel --luks --gpg all does not open the luks container.

Please describe what you experience, instead.


> removing/disabling one line in initrd.scripts does fix the issue. (see patch
> below)

Please explain the problem of the current cryptsetup_options="-d -".

Does cryptsetup_options="--key-file -" do any better?

To my surprise I see two conflicting definitions of parameter -d in cryptsetup(8).

  --key-file, -d
      [..]

  --keyfile-size, -d value
      [..]

I haven't looked at cryptsetup code, yet.
Comment 3 Nicolas Schlumberger 2011-07-04 06:34:59 UTC
Thanks for the reply. 

(In reply to comment #2)
> Please describe what you experience, instead.
> 

Kernel and initrd boot, then I get the following output:

>> Activating mdev
>> Using / key device /dev/sda5.
>> Removable device /dev/sda5 mounted.
>> /gsys.gpg on device /dev/sda5 found
enter passphrase: <enter password>
No key available with this passphrase 
>> LUKS device /dev/sda7 opened
>> Using / key device /dev/sda5.
>> Removable device /dev/sda5 mounted.
>> /gswap.gpg on device /dev/sda5 found
enter passphrase: <enter password>
No key available with this passphrase 
>> LUKS device /dev/sda6 opened
ls: /dev/mapper/swap: No such file or directory
>>Determining root device...
!! Block Device /dev/mapper/root is not a valid root device
!! Could not find the root block device in .
root block device() ::

If I go into the shell, I see that neither swap nor root is present in /dev/mapper.

> 
> Please explain the problem of the current cryptsetup_options="-d -".
> 
> Does cryptsetup_options="--key-file -" do any better?
> 
> To my surprise I see two conflicting definitions of parameter -d in
> cryptsetup(8).
> 
>   --key-file, -d
>       [..]
> 
>   --keyfile-size, -d value
>       [..]
> 
> I haven't looked at cryptsetup code, yet.

Using --key-file - instead gives exactly the same error.

Opening the partition by hand, I use the following command:
gpg -d --quiet /boot/gsys.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda7 root
There was never a need to specify the keyfile (-d, --key-file).
Comment 4 dacook 2011-07-08 02:35:42 UTC
What version of cryptsetup are you using? IIRC, genkernel borrows the local one. The problem is likely with cryptsetup changing behavior/duplicating the option, and will probably exhibit even without a gpg-armored key if genkernel's initrd specifies the key with --key-file or -d.
Comment 5 Nicolas Schlumberger 2011-07-08 13:44:08 UTC
=sys-fs/cryptsetup-1.2.0-r1

Though I thought that genkernel pulls it in on its own.

I see that I can run some tests, varying the cryptsetup version, to see if it makes any difference.
Comment 6 Nicolas Schlumberger 2011-07-08 16:07:35 UTC
Downgraded to sys-fs/cryptsetup-1.1.3-r3 (latest stable), rebuilt initramfs, and the result is the same. The encrypted passphrase gets decrypted, but cryptsetup is unable to open the container.

I would also like to refer to dmcrypt's mounting script, /lib/rcscripts/addons/dm-crypt-start.sh, and how it calls cryptsetup.

gpg key (line 157):
gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3}
key (line 170):
cryptsetup ${options} -d ${key} ${arg1} ${arg2} ${arg3}
passphrase (line 174):
cryptsetup ${options} ${arg1} ${arg2} ${arg3}

And here too, there is no need to call cryptsetup with "-d -" to inject the key.

Ok, instead of just commenting that part out (as proposed in the patch), it may as well just be deleted.

Regards
nico
Comment 7 dacook 2011-07-08 16:28:50 UTC
I'm not yet comfortable with simply removing it (for nico's benefit, I provided the GPG initrd functionality).  This represents a change in cryptsetup's behavior, and as with all cryptographic changes we should tread carefully.

My concern here is that cryptsetup is not receiving the actual key material (or all of it) and using it properly, newlines and all - I need to test what it's doing more.
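To make the newline concern above concrete, here is an added illustration (not genkernel's, dm-crypt's or cryptsetup's own code): two small shell functions model the two stdin modes the thread contrasts in comments 3, 6 and 7, passphrase mode (no -d, first line only, newline dropped) versus key-file mode (--key-file -, every byte kept), and hex-dump the result. The sample passphrase is constructed; the functions are a model of the documented behaviour, not the real cryptsetup code path.

```shell
#!/bin/sh
# Added illustration, not code from genkernel or cryptsetup: model how the same
# decrypted bytes from "gpg -d ... |" become different key material depending
# on whether cryptsetup is given "-d -" / "--key-file -" or no key-file flag.

# Passphrase mode (no -d): take the first line only, without its newline.
read_as_passphrase() {
    IFS= read -r line
    printf '%s' "$line"
}

# Key-file mode (--key-file -): pass every byte through unchanged.
read_as_keyfile() {
    cat
}

# Hex-encode stdin so a trailing 0a (newline) is visible.
to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# Count the bytes that reach the "luksOpen" side.
byte_count() {
    wc -c | tr -d ' '
}

# Constructed sample: a passphrase as "echo" would have stored it before
# it was gpg-encrypted, i.e. with a trailing newline.
SAMPLE_PASSPHRASE='correct horse'

passphrase_hex() { printf '%s\n' "$SAMPLE_PASSPHRASE" | read_as_passphrase | to_hex; }
keyfile_hex()    { printf '%s\n' "$SAMPLE_PASSPHRASE" | read_as_keyfile    | to_hex; }
passphrase_len() { printf '%s\n' "$SAMPLE_PASSPHRASE" | read_as_passphrase | byte_count; }
keyfile_len()    { printf '%s\n' "$SAMPLE_PASSPHRASE" | read_as_keyfile    | byte_count; }

# The key-file variant carries one extra byte (the newline), so a LUKS slot
# unlocked interactively with the passphrase would not match it.
echo "passphrase mode: $(passphrase_len) bytes, hex $(passphrase_hex)"
echo "key-file mode:   $(keyfile_len) bytes, hex $(keyfile_hex)"
```

Run it as-is; the only difference between the two lines of output is the trailing 0a byte, which is exactly what a "newlines and all" comparison has to account for.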
Comment 8 Nicolas Schlumberger 2011-07-08 17:41:51 UTC
dacook,
I perfectly understand. I already appreciate that I was able to use genkernel instead of rolling my own initramfs.

I used an article on gentoo-wiki for the initial setup; that's where I got the idea that the -d flag is not needed. See [1] for how to set up the mappings, and how to open the container afterwards.
I know it is not official Gentoo documentation. Is there one on the subject?

[1] http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#Creating_the_mapping.28s.29

Is there anything I can help with/test?
I am currently running a second setup with only an encrypted swap, not root, and it shows the same behavior.

Be also advised that both setups are running full (hardened) ~amd64, though with a vanilla/gentoo kernel.

cheers
nico
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2015-08-20 03:00:46 UTC
This is a super old bug, but "dogpg" has been supported for a while now.