
Bug#929828: unblock: cryptsetup/2:2.1.0-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

Unlocking LUKS2 volumes requires userspace crypto (‘algif_skcipher’ kernel
module), which cryptsetup-initramfs 2:2.1.0-3 does not copy to initramfs
images created with MODULES=dep, cf. #929616.  (Default value for $MODULES
is "most", otherwise that bug would have been of much higher severity.
Still, newly formatted devices can't be unlocked from initramfs images
created with MODULES=dep, which is a severe regression.)

In 2:2.1.0-4 we propose ‘algif_skcipher’ be included in all initramfs
images, regardless of the value of $MODULES.  Even though the module isn't
needed for LUKS1, “plain” dm-crypt, etc. we can't always determine the
header format/version at initramfs generation time (for instance the
header might be detached and on removable media).  As of cryptsetup
2.1.x LUKS2 is the default LUKS format version, so it makes sense to
include the module unconditionally (like we've been doing for ‘aesni’
since 2:1.3.0-3, although it's possible to use a non-AES cipher, and not
all CPUs have the AES instruction set).  The overhead of adding an extra
module to initramfs images should be minimal: with its dependency the
extra module adds a mere 68kiB (as of linux-image-4.19.0-5-amd64).

Debdiff between 2:2.1.0-3 and 2:2.1.0-4 attached.  This also includes a
patch by jmtd fixing the long description of cryptsetup-{bin,run}.  The
diff doesn't touch our .udeb binary packages, but X-Debbugs-CC'ing kibi
anyway as cryptsetup is also under udeb-block.

unblock cryptsetup/2:2.1.0-4
Thanks for considering its inclusion in Buster!
Cheers,
-- 
Guilhem.
diff -Nru cryptsetup-2.1.0/debian/changelog cryptsetup-2.1.0/debian/changelog
--- cryptsetup-2.1.0/debian/changelog	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/changelog	2019-05-28 17:04:16.000000000 +0200
@@ -1,3 +1,22 @@
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+  [Guilhem Moulin]
+  * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+    ('algif_skcipher' kernel module) to the initramfs.  This module is
+    required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
+    added to large initramfs (i.e., when the MODULES variable isn't set to
+    "dep").  It's now added regardless of the value of $MODULES, as 1/ LUKS2
+    is the default LUKS header format version; and 2/ we can't check at
+    initramfs creation time whether there are LUKS2 devices to be opened at
+    early boot stage (detached headers might not be present then).
+    Closes: #929616.
+
+  [Jonathan Dowland]
+  * Update package descriptions to reflect the move of luksformat from
+    cryptsetup-bin to cryptsetup-run. Closes: #928751.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 28 May 2019 17:04:16 +0200
+
 cryptsetup (2:2.1.0-3) unstable; urgency=medium
 
   * d/scripts/decrypt_opensc: Fix standard output poisoning.  Thanks to Nils
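
Review bot: The first bullet of the new 2:2.1.0-4 entry contains a duplicated phrase, "required for required for opening LUKS2 devices"; drop one "required for" so the changelog reads cleanly.
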
diff -Nru cryptsetup-2.1.0/debian/control cryptsetup-2.1.0/debian/control
--- cryptsetup-2.1.0/debian/control	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/control	2019-05-28 17:04:16.000000000 +0200
@@ -51,6 +51,9 @@
  automatically configuring encrypted devices at boot time via the config
  file /etc/crypttab. Additional features are cryptoroot support through
  initramfs-tools and several supported ways to read a passphrase or key.
+ .
+ This package provides the cryptdisk_start and stop wrappers and
+ luksformat.
 
 Package: cryptsetup-bin
 Architecture: linux-any
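
Review bot: In the paragraph added to the cryptsetup-run description, "the cryptdisk_start and stop wrappers" gives only one command name in full and leaves "stop" as a bare word. Writing out both wrapper names exactly as the binaries are installed would remove the ambiguity and make the description match a package search for either command.
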
@@ -61,7 +64,8 @@
  device mapper target dm-crypt. It features integrated Linux Unified Key
  Setup (LUKS) support.
  .
- This package provides cryptsetup, cryptsetup-reencrypt and luksformat.
+ This package provides cryptsetup, cryptsetup-reencrypt, integritysetup
+ and veritysetup.
 
 Package: cryptsetup-initramfs
 Architecture: all
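
Review bot: The changelog entry for this change only mentions "the move of luksformat from cryptsetup-bin to cryptsetup-run", but the cryptsetup-bin description here also gains "integritysetup and veritysetup". Mention that addition in the changelog too, so that the description change is fully accounted for.
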
diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot
--- cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot	2019-05-28 17:04:16.000000000 +0200
@@ -441,6 +441,10 @@
         CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
     fi
 
+    # add userspace crypto module (only required for opening LUKS2 devices
+    # we add the module unconditionally as it's the default format)
+    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
+
     if [ "$MODULES" = most ]; then
         for d in "$MODULESDIR"/kernel/arch/*/crypto; do
             copy_modules_dir "${d#"$MODULESDIR/"}"
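
Review bot: The new comment above the CRYPTO_MODULES assignment runs two statements together inside one parenthesis: "(only required for opening LUKS2 devices" is followed directly by "we add the module unconditionally as it's the default format)". Closing the parenthesis after "devices" or separating the two with a semicolon would make the comment read correctly; it would also help to note there that the header version can't always be determined at hook time, which is the actual reason given in the changelog.
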
@@ -449,7 +453,7 @@
     else
         if [ "$MODULES" != "dep" ]; then
             # with large initramfs, we always add a basic subset of modules
-            add_crypto_modules aes algif_skcipher cbc chainiv cryptomgr krng sha256 xts
+            add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
         fi
         add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
     fi
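
Review bot: Removing algif_skcipher from the "basic subset" line is only correct because the previous hunk appends it to CRYPTO_MODULES, which the following add_crypto_modules $(printf ...) line then consumes. That coupling is implicit; a short remark next to "we always add a basic subset of modules" saying that algif_skcipher comes in through CRYPTO_MODULES would keep a later edit from dropping one side without the other. The MODULES=most branch is only partly visible in this diff, so it is worth confirming that it still ends up with the module as well.
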

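A way to verify the outcome described in this request, as an added example that is not part of the original message or of the cryptsetup packaging: the functions below scan an initramfs file listing (the format printed by lsinitramfs) for the modules needed to open LUKS2 devices. The sample listings and their paths are constructed, and the dependency name af_alg is an assumption from general kernel knowledge; the message only says "its dependency".

```shell
#!/bin/sh
# Added example: check an initramfs listing for the userspace crypto modules.
# Real use (assumes initramfs-tools' lsinitramfs is installed):
#   luks2_missing_modules "$(lsinitramfs /boot/initrd.img-$(uname -r))"
# Caveat: code built into the kernel image has no .ko file and would be
# reported as missing here.

# has_module NAME LISTING: succeed if LISTING contains kernel module NAME.
# Accepts compressed modules and treats '-' and '_' as equivalent, so
# "dm_crypt" matches dm-crypt.ko. Only whole module names match.
has_module() {
    name=$(printf '%s' "$1" | tr '-' '_')
    printf '%s\n' "$2" \
        | sed -nE 's#^.*/##; s/\.ko(\.gz|\.xz|\.zst)?$//p' \
        | tr '-' '_' \
        | grep -qxF -- "$name"
}

# luks2_missing_modules LISTING: print the space-separated modules that are
# absent; prints nothing when the image can use userspace crypto.
luks2_missing_modules() {
    missing=""
    for m in algif_skcipher af_alg; do   # af_alg: assumed dependency name
        has_module "$m" "$1" || missing="${missing:+$missing }$m"
    done
    printf '%s' "$missing"
}

# Constructed listing resembling a MODULES=dep image without the fix.
LISTING_DEP_BEFORE='usr/lib/modules/4.19.0-5-amd64/kernel/drivers/md/dm-crypt.ko
usr/lib/modules/4.19.0-5-amd64/kernel/crypto/xts.ko
usr/lib/modules/4.19.0-5-amd64/kernel/arch/x86/crypto/aesni-intel.ko
usr/sbin/cryptsetup'

# Constructed listing resembling the same image once the module is included.
LISTING_AFTER="$LISTING_DEP_BEFORE
usr/lib/modules/4.19.0-5-amd64/kernel/crypto/algif_skcipher.ko
usr/lib/modules/4.19.0-5-amd64/kernel/crypto/af_alg.ko"

for label in BEFORE AFTER; do
    eval "listing=\$LISTING_$( [ "$label" = BEFORE ] && echo DEP_BEFORE || echo AFTER )"
    result=$(luks2_missing_modules "$listing")
    echo "$label: ${result:+missing: $result}${result:-ok}" | sed 's/\(missing: .*\)ok$/\1/'
done
```
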