Bug 597406 - >=app-crypt/gnupg-2.1.15 breaks /etc/init.d/dmcrypt in runlevel boot
Summary: >=app-crypt/gnupg-2.1.15 breaks /etc/init.d/dmcrypt in runlevel boot
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal major
Assignee: Mikle Kolyada
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-18 08:12 UTC by Felix Tiede
Modified: 2021-09-18 04:10 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Adapt OpenRC dmcrypt init script to work with >=app-crypt/gnupg-2.1.15 (dmcrypt.patch,1.38 KB, patch)
2017-01-20 07:12 UTC, Felix Tiede

Description Felix Tiede 2016-10-18 08:12:29 UTC
/usr/bin/gpg2 (and hence /usr/bin/gpg) requires its agent to be running to be able to decrypt gpg-symmetrically encrypted LUKS keys.
As the rootfs is r/o while dmcrypt runs (system boot has not yet run fsck and not remounted the root-fs read-write), all tries to decrypt a LUKS key silently fail, and mounting a LUKS-encrypted partition with a gpg-encrypted secret fails with "Unable to run cryptsetup".

Rerunning /etc/init.d/dmcrypt later in the boot process or from the command line does work cleanly, as at this point the root-fs is r/w and the agent can start and create its socket. But this renders automounting (and automated fsck runs) useless and non-working.

For me this is a major issue, as all /home on my systems are LUKS-encrypted with gpg-encrypted secrets.

This does not happen with the prior stable app-crypt/gnupg-2.0.28, as downgrading to that version fixed it for me.
Despite the man-page being clear on this and /usr/bin/gpg pointing to gpg2 as well, it seems the test/requirement is not as strictly enforced as it is in app-crypt/gnupg-2.1.

# emerge --info
laymansync module's module_spec is old, missing attribute: 'sourcefile'.  Backward compatibility may be removed in the future.
File: /usr/lib64/python3.4/site-packages/portage/sync/modules/laymansync/__init__.py
Portage 2.3.0 (python 3.4.3-final-0, default/linux/amd64/13.0/desktop/plasma, gcc-4.9.3, glibc-2.22-r4, 4.4.6-gentoo x86_64)
=================================================================
System uname: Linux-4.4.6-gentoo-x86_64-Intel-R-_Core-TM-_i7-2620M_CPU_@_2.70GHz-with-gentoo-2.2
KiB Mem:     8131036 total,   2492812 free
KiB Swap:    8794072 total,   8794072 free
Timestamp of repository gentoo: Tue, 18 Oct 2016 01:45:01 +0000
sh bash 4.3_p48
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
distcc 3.2rc1 x86_64-pc-linux-gnu [enabled]
app-shells/bash:          4.3_p48::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.22.2::gentoo
dev-lang/python:          2.7.10-r1::gentoo, 3.4.3-r1::gentoo
dev-util/cmake:           3.5.2-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.21.7::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc:           2.22-r4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://server/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: --ignore-errors

oss-tools
    location: /usr/local/svn-portage
    masters: gentoo
    priority: 0

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 1

kde
    location: /var/lib/layman/kde
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/kde.git
    masters: gentoo
    priority: 50

np-hardass-overlay
    location: /var/lib/layman/np-hardass-overlay
    sync-type: laymansync
    sync-uri: https://github.com/np-hardass/np-hardass-overlay.git
    masters: gentoo
    priority: 50

palemoon
    location: /var/lib/layman/palemoon
    sync-type: laymansync
    sync-uri: https://github.com/deuiore/palemoon-overlay.git
    masters: gentoo
    priority: 50

qt
    location: /var/lib/layman/qt
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/qt.git
    masters: gentoo
    priority: 50

Installed sets: @kdevelop
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA OPERA-12 cadsoft AdobeFlash-11.x PUEL Oracle-BCLA-JavaSE google-chrome"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7-avx -maes -mavx -mcx16 -mfxsr -mpclmul -mpopcnt -msahf -msse -msse2 -msse3 -msse4 -msse4.1 -msse4.2 -mssse3 -mxsave -mxsaveopt -O2 -pipe -fomit-frame-pointer -fforce-addr -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/fax /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.3/conf /var/lib/hsqldb /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=corei7-avx -maes -mavx -mcx16 -mfxsr -mpclmul -mpopcnt -msahf -msse -msse2 -msse3 -msse4 -msse4.1 -msse4.2 -mssse3 -mxsave -mxsaveopt -O2 -pipe -fomit-frame-pointer -fforce-addr -ftracer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n --with-bdeps=y --keep-going"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distcc distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://de-mirror.org/gentoo/ http://ftp.halifax.rwth-aachen.de/gentoo/ http://mirror.leaseweb.com/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j13 -l3"
PKGDIR="/var/tmp/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--ignore-errors"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X Xaw3d a52 aac aalib acl acpi alsa amd64 avx baloo branding bzip2 c++0x cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus declarative dga dri dts dvd dvdr emboss encode exif fam fbcon ffmpeg firefox flac gif glamor gmp gpm gstreamer htmlhandbook http2 iconv imlib ipv6 jpeg kde kipi latex lcms ldap libnotify lzma mad mikmod mmx mmxext mng modules mp3 mp4 mpeg multilib ncurses nepomuk nls nptl ogg opengl openmp opus pam pango pcre pdf pgo phonon plasma png policykit ppds qml qt3support qt4 qt5 quicktime readline sdl seccomp semantic-desktop session spell sse sse2 sse3 sse4_1 ssl ssse3 startup-notification svg tcpd theora threads tiff truetype udev udisks unicode upower usb v4l vaapi vim-syntax vorbis widgets x264 xattr xcb xcomposite xinerama xml xprint xscreensaver xv xvid zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow gemini karbon kexi krita plan stage tables sheets words" CAMERAS="canon ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev joystick keyboard mouse synaptics" KERNEL="linux" L10N="de de-1901 en en-US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" 
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer nlpsolver pdfimport" LINGUAS="de en en_US" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python3_4 python2_7" RUBY_TARGETS="ruby20 ruby21" SANE_BACKENDS="dell1600n_net net" USERLAND="GNU" VIDEO_CARDS="intel nvidia nouveau nv vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.4"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-29 12:13:29 UTC
(In reply to Felix Tiede from comment #0)
> /usr/bin/gpg2 (and hence /usr/bin/gpg) requires its agent to be running to
> be able to decrypt gpg-symmetrically encrypted LUKS keys.
> As the rootfs is r/o while dmcrypt runs (system boot has not yet run fsck
> and not remounted the root-fs read-write) all tries to decrypt a LUKS key
> silently fail and mounting a LUKS-encrypted partition with a gpg-encrypted
> secret fails with "Unable to run cryptsetup".

Starting this early in the boot process I wonder if it wouldn't make more sense to have a copy of gnupg 1.4 in initramfs.

GnuPG performs all secret-key operations in gpg-agent, ensuring amongst other things proper process separation, and enabling features such as socket forwarding.

> 
> Rerunning /etc/init.d/dmcrypt later in the boot process or from commandline
> does work clean, as at this point the root-fs is r/w and the agent can start
> and create its socket. But this renders automounting (and automated fsck
> runs) useless and not-working.
> 
> For me this is a major issue, as all /home on my systems are LUKS-encrypted
> with gpg-encrypted secrets.

If you have /run/user/$UID created, gnupg 2.1.15 will create a socket in /run/user/$UID/gnupg instead of the homedir.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-29 12:16:01 UTC
(In reply to Kristian Fiskerstrand from comment #1)
 
> GnuPG performs all secret-key operations in gpg-agent, ensuring amongst

This should be GnuPG 2.1.
Comment 3 Felix Tiede 2016-10-29 13:45:34 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> if you have /run/user/$UID created gnupg 2.1.15 will create a socket in
> /run/user/$UID/gnupg instead of the homedir

Unfortunately only if the agent is started manually before running gpg itself.
/usr/bin/gpg2 does not perform this magic on its own. At least not in app-crypt/gnupg-2.1.15.

This means that /etc/init.d/dmcrypt needs to check gpg-version (works without agent), create the directory, start the agent, perform unlocking operations (which might have also worked w/o all those steps) and then retrace its steps to leave a clean system.

I've already confirmed with upstream that this is intended behavior and running gpg with an unwritable $GNUPGHOME is in fact unsupported. It's unclear if this applies only to encryption, decryption or both. Decryption of symmetrically encrypted files does indeed work with an unwritable $GNUPGHOME, yet it might really be unsupported.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-10-29 13:54:50 UTC
(In reply to Felix Tiede from comment #3)
> (In reply to Kristian Fiskerstrand from comment #1)
> > if you have /run/user/$UID created gnupg 2.1.15 will create a socket in
> > /run/user/$UID/gnupg instead of the homedir
> 
> Unfortunately only if the agent is started manually before running gpg
> itself.
> /usr/bin/gpg2 does not perform this magic on its own. At least not in
> app-crypt/gnupg-2.1.15.

It's easier if you come to #gentoo-crypto on IRC Freenode to debug things, but gpg auto-starts the agent and first checks /run/user/$UID in 2.1.15 (but it is only created there if /run/user/$UID/ is created at the time).

You can also force this by using gpgconf --create-socketdir.

> 
> This means that /etc/init.d/dmcrypt needs to check gpg-version (works
> without agent), create the directory, start the agent, perform unlocking
> operations (which might have also worked w/o all those steps) and then
> retrace its steps to leave a clean system.
> 
> I've already confirmed with upstream that this is intended behavior and
> running gpg with an unwritable $GNUPGHOME is in fact unsupported. Its
> unclear if this applies only to encryption, decryption or both. Decryption
> of symmetric encrypted files does indeed work with an unwritable $GNUPGHOME,
> yet it might really be unsupported.

The limitation would be more related to trustdb calculation and key storage/management and not actual cryptographic operations.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-18 23:32:03 UTC
Please reopen if applicable despite the discussions.
Comment 6 Felix Tiede 2017-01-20 07:12:32 UTC
Created attachment 460688 [details, diff]
Adapt OpenRC dmcrypt init script to work with >=app-crypt/gnupg-2.1.15

I've adapted my local dmcrypt init script, which now works with gnupg-2.1.15 and exhibits the same behavior as it did with gnupg-2.0.28.

It manually creates /run/user/0 and removes the directory, as well as /run/user, if that didn't already exist at the time dmcrypt start was called.

It's quick and dirty; it works for me, so it should be checked to meet quality criteria.
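The following helper is an added example, not the attached dmcrypt.patch and not Gentoo's own init script. It sketches the sequence comments #3, #4 and #6 describe: detect whether the installed gpg is a 2.1 release that hands secret-key operations to gpg-agent, make sure /run/user/0 exists so the agent puts its socket there rather than in the read-only homedir, decrypt the key, stop the agent, and remove only the directories the script itself created. It assumes the init script runs as root (UID 0) and that the `gpg --version` banner has the usual "gpg (GnuPG) x.y.z" form; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the attached dmcrypt.patch): a helper sketching the steps
# comments #3, #4 and #6 describe for decrypting a gpg-symmetrically encrypted
# LUKS key with GnuPG >= 2.1 while the root filesystem is still read-only.
# Assumptions: root (UID 0) runs the init script, so the agent's socket
# directory is /run/user/0; function names are this example's own.

# gpg_version_ge_2_1 VERSION
# Returns 0 when the dotted version string is >= 2.1, the series in which gpg
# hands all secret-key operations to gpg-agent (comment #2) and therefore needs
# a writable socket directory even for symmetric decryption.
gpg_version_ge_2_1() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] 2>/dev/null && return 0
    [ "$major" -eq 2 ] 2>/dev/null && [ "$minor" -ge 1 ] 2>/dev/null
}

# installed_gpg_version
# Prints the version from the first line of `gpg --version` ("gpg (GnuPG) 2.1.15").
installed_gpg_version() {
    gpg --version 2>/dev/null | awk 'NR == 1 { print $3; exit }'
}

# with_runtime_dir DIR COMMAND [ARGS...]
# Runs COMMAND with DIR present (mode 0700, which gpg requires of its socket
# directory), then removes DIR, and its parent, only if this function created
# them; a pre-existing /run/user/0 is left untouched (the behaviour comment #6
# describes). The exit status is that of COMMAND.
with_runtime_dir() {
    dir=$1; shift
    created_dir=
    created_parent=
    parent=$(dirname "$dir")
    if [ ! -d "$dir" ]; then
        [ -d "$parent" ] || created_parent=1
        mkdir -p "$dir" || return 1
        chmod 0700 "$dir"
        created_dir=1
    fi
    "$@"
    rc=$?
    if [ -n "$created_dir" ]; then
        rm -rf "$dir"
        [ -n "$created_parent" ] && rmdir "$parent" 2>/dev/null
    fi
    return $rc
}

# gpg_decrypt_and_stop_agent KEYFILE
# Decrypts KEYFILE to stdout; gpg >= 2.1 auto-starts gpg-agent and, because
# /run/user/0 exists, puts the socket there instead of the read-only homedir
# (comment #4). The agent is stopped afterwards so nothing references the
# socket directory when the caller removes it.
gpg_decrypt_and_stop_agent() {
    gpg --quiet --decrypt "$1"
    rc=$?
    gpgconf --kill gpg-agent 2>/dev/null
    return $rc
}

# decrypt_luks_key KEYFILE
# Entry point: gpg 1.4/2.0 decrypt symmetric files without an agent, so the
# workaround is applied only where the installed version needs it.
decrypt_luks_key() {
    if gpg_version_ge_2_1 "$(installed_gpg_version)"; then
        with_runtime_dir /run/user/0 gpg_decrypt_and_stop_agent "$1"
    else
        gpg --quiet --decrypt "$1"
    fi
}
```

In an init script the decrypted key would be piped straight into cryptsetup (for example with `--key-file=-`) rather than written to disk. The version check is kept separate from the directory handling so each piece can be exercised without a running gpg, and the cleanup deliberately removes only what the script created: if /run/user/0 already existed (a logged-in root session, or a distribution that creates it at boot), it is left alone, which is the behaviour comment #6 describes for the patch. `gpgconf --create-socketdir` from comment #4 is an alternative for creating the gnupg subdirectory, but it still needs /run/user/0 to exist first.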
Comment 7 Felix Tiede 2017-01-20 07:13:59 UTC
(In reply to Kristian Fiskerstrand from comment #5)
> Please reopen if applicable despite the discussions

Reopened as requested with patch proposal.