[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#378651: crypto installation report

Package: installation-reports

Boot method: netboot/mini.iso
Image version: 2006-07-17 daily from

Machine: VMWare Player 1.0.1 build-19317
Memory: 128MB

Filesystem    Type    Size  Used Avail Use% Mounted on
/dev/sda1     ext3    897M  292M  558M  35% /
tmpfs        tmpfs     63M     0   63M   0% /dev/shm
/dev/sda2     ext3     89M  4.1M   80M   5% /home
              ext3     88M  4.1M   79M   5% /opt
/dev/sda5     ext3     92M  5.7M   81M   7% /tmp
tmpfs        tmpfs     10M   96K   10M   1% /dev

# /etc/fstab: static file system information.
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda2       /home           ext3    defaults,loop=/dev/loop0,encryption=AES256,gpgkey=/etc/loopkeys/_dev_sda2.gpg 0       0
/dev/mapper/crypt0 /opt            ext3    defaults        0       2
/dev/sda5       /tmp            ext3    defaults,loop=/dev/loop2,encryption=serpent256,phash=random/1777 0       0
/dev/sda3       none            swap    sw,loop=/dev/loop1,encryption=AES256 0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

crypt0 /dev/sda6 none luks

losetup -a:
/dev/loop/0: [000c]:4266 (/dev/sda2) encryption=AES256 multi-key-v3
/dev/loop1: [000c]:4337 (/dev/sda3) offset=4096 encryption=AES256 multi-key-v3
/dev/loop2: [000c]:4333 (/dev/sda5) encryption=serpent256 multi-key-v3

Filename				Type		Size	Used	Priority
/dev/loop1                              partition	96376	0	-1

Initial boot worked:    [O]
Configure network HW:   [O]
Config network:         [O]
Detect CD:              [O]
Load installer modules: [O]
Detect hard drives:     [O]
Partition hard drives:  [O]
Create file systems:    [O]
Mount partitions:       [O]
Install base system:    [O]
Install boot loader:    [O]
Reboot:                 [E]


This install was focused on testing partman-crypto; Everything
else worked nicely as expected.

The installed system had two crypto-related problems:

1. The kernel module that provides the serpent cipher for
loop-AES was not automatically loaded during boot (loop_serpent).
As a result, the system booted up without interruption but also
without encrypted /tmp. Something in partman-crypto needs to add
the required modules to /target/etc/modules; This applies to
modules loop_twofish and loop_serpent. I'm currently testing a
change that adds the required modules.

2. Once loop_serpent was included in /etc/modules, checkfs-loop
tried to fsck the /dev/sda5 partition, which was designated to be
used for encrypted /tmp.  This failed because the mount option
phash=random/1777 makes mount use random keys and recreate the
filesystem at each boot. checkfs-loop runs earlier than mount and
so of course cannot fsck correctly. The system stopped booting at
this point and asked for manual repair of the failed fsck. This
can be fixed by excluding loop mounts with a phash=random* option
from being fsck'ed in the checkfs-loop rcS.d script
(loop-aes-utils, change pending upload)

3. Documentation: I can confirm that the checkfs-loop script (which
does the passphrase prompting for loop-AES partitions during
boot) now shows a full prompt including the mountpoint, format:
"Setting up $loop ($mnt)". This is good on the one hand in that
it works as intended, but means that section 7.2.1. loop-AES of
the d-i manual is mostly obsolete. Can we still drop parts of the
manual at this point, without disrupting the beta3 release? Else
I'll try to figure out the correct package to file a bug+patch
against so that we can drop this section post beta3. 


Reply to: