
Bug#929828: marked as done (unblock: cryptsetup/2:2.1.0-4)



Your message dated Sun, 2 Jun 2019 21:20:17 +0200
with message-id <6201d659-c5e3-1b70-452b-3acbd45b05d0@debian.org>
and subject line Re: Bug#929828: unblock: cryptsetup/2:2.1.0-4
has caused the Debian Bug report #929828,
regarding unblock: cryptsetup/2:2.1.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929828
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

Unlocking LUKS2 volumes requires userspace crypto (‘algif_skcipher’ kernel
module), which cryptsetup-initramfs 2:2.1.0-3 does not copy to initramfs
images created with MODULES=dep, cf. #929616.  (Default value for $MODULES
is "most", otherwise that bug would have been of much higher severity.
Still, newly formatted devices can't be unlocked from initramfs images
created with MODULES=dep, which is a severe regression.)

In 2:2.1.0-4 we propose ‘algif_skcipher’ be included in all initramfs
images, regardless of the value of $MODULES.  Even though the module isn't
needed for LUKS1, “plain” dm-crypt, etc. we can't always determine the
header format/version at initramfs generation time (for instance the
header might be detached and on removable media).  As of cryptsetup
2.1.x LUKS2 is the default LUKS format version, so it makes sense to
include the module unconditionally (like we've been doing for ‘aesni’
since 2:1.3.0-3, although it's possible to use a non-AES cipher, and not
all CPUs have the AES instruction set).  The overhead of adding an extra
module to initramfs images should be minimal: with its dependency the
extra module adds a mere 68kiB (as of linux-image-4.19.0-5-amd64).

Debdiff between 2:2.1.0-3 and 2:2.1.0-4 attached.  This also includes a
patch by jmtd fixing the long description of cryptsetup-{bin,run}.  The
diff doesn't touch our .udeb binary packages, but X-Debbugs-CC'ing kibi
anyway as cryptsetup is also under udeb-block.

unblock cryptsetup/2:2.1.0-4
Thanks for considering its inclusion in Buster!
Cheers,
-- 
Guilhem.
diff -Nru cryptsetup-2.1.0/debian/changelog cryptsetup-2.1.0/debian/changelog
--- cryptsetup-2.1.0/debian/changelog	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/changelog	2019-05-28 17:04:16.000000000 +0200
@@ -1,3 +1,22 @@
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+  [Guilhem Moulin]
+  * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+    ('algif_skcipher' kernel module) to the initramfs.  This module is
+    required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's
+    added to large initramfs (i.e., when the MODULES variable isn't set to
+    "dep").  It's now added regardless of the value of $MODULES, as 1/ LUKS2
+    is the default LUKS header format version; and 2/ we can't check at
+    initramfs creation time whether there are LUKS2 devices to be opened at
+    early boot stage (detached headers might not be present then).
+    Closes: #929616.
+
+  [Jonathan Dowland]
+  * Update package descriptions to reflect the move of luksformat from
+    cryptsetup-bin to cryptsetup-run. Closes: #928751.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 28 May 2019 17:04:16 +0200
+
 cryptsetup (2:2.1.0-3) unstable; urgency=medium
 
   * d/scripts/decrypt_opensc: Fix standard output poisoning.  Thanks to Nils
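
Review bot: the first bullet of the new changelog entry repeats a phrase, "This module is required for required for opening LUKS2 devices"; drop the duplicated "required for" before upload. The rest of the bullet states both reasons for the unconditional add and closes #929616, which matches the hook change.
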
diff -Nru cryptsetup-2.1.0/debian/control cryptsetup-2.1.0/debian/control
--- cryptsetup-2.1.0/debian/control	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/control	2019-05-28 17:04:16.000000000 +0200
@@ -51,6 +51,9 @@
  automatically configuring encrypted devices at boot time via the config
  file /etc/crypttab. Additional features are cryptoroot support through
  initramfs-tools and several supported ways to read a passphrase or key.
+ .
+ This package provides the cryptdisk_start and stop wrappers and
+ luksformat.
 
 Package: cryptsetup-bin
 Architecture: linux-any
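
Review bot: in the added description lines, "the cryptdisk_start and stop wrappers" leaves the second command name implicit. Write both wrapper names out in full, spelled as the installed binaries are, so that a search of package descriptions for either command finds this package.
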
@@ -61,7 +64,8 @@
  device mapper target dm-crypt. It features integrated Linux Unified Key
  Setup (LUKS) support.
  .
- This package provides cryptsetup, cryptsetup-reencrypt and luksformat.
+ This package provides cryptsetup, cryptsetup-reencrypt, integritysetup
+ and veritysetup.
 
 Package: cryptsetup-initramfs
 Architecture: all
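
Review bot: the replacement line does more than drop luksformat from the cryptsetup-bin description: it also starts listing integritysetup and veritysetup, while the changelog bullet for this change mentions only the luksformat move. Extend that bullet to say the description now lists those two tools as well.
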
diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot
--- cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot	2019-04-30 21:20:47.000000000 +0200
+++ cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot	2019-05-28 17:04:16.000000000 +0200
@@ -441,6 +441,10 @@
         CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
     fi
 
+    # add userspace crypto module (only required for opening LUKS2 devices
+    # we add the module unconditionally as it's the default format)
+    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
+
     if [ "$MODULES" = most ]; then
         for d in "$MODULESDIR"/kernel/arch/*/crypto; do
             copy_modules_dir "${d#"$MODULESDIR/"}"
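
Review bot: the new comment opens a parenthesis and runs two statements together ("only required for opening LUKS2 devices we add the module unconditionally"); split it into two sentences. It also gives only the "default format" reason, while the changelog's second reason (the header version can't be checked at initramfs creation time when the header is detached) is what rules out a conditional add and belongs in the comment too.
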
@@ -449,7 +453,7 @@
     else
         if [ "$MODULES" != "dep" ]; then
             # with large initramfs, we always add a basic subset of modules
-            add_crypto_modules aes algif_skcipher cbc chainiv cryptomgr krng sha256 xts
+            add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
         fi
         add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
     fi
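
Review bot: with algif_skcipher removed from the "basic subset" line, the module reaches this else branch only through CRYPTO_MODULES in the final add_crypto_modules call, so the fix depends on the assignment added in the previous hunk staying unconditional. A short comment next to the subset list saying that algif_skcipher is added via CRYPTO_MODULES above would keep a later edit from making it conditional again, and a test that builds an image with MODULES=dep and checks for the module would catch it.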



--- End Message ---
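
The request above argues that the hook cannot decide per device whether the module is needed, because a detached header may be absent when the initramfs is built. The following is an added example, not code from the cryptsetup package or from the message: it classifies a header by the LUKS on-disk magic (`LUKS\xba\xbe` followed by a big-endian 16-bit version) and shows that an unreadable header forces the "include" answer. The function names `luks_version` and `needs_algif_skcipher` are hypothetical, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: why a per-device check cannot replace the unconditional add.
# Bytes 0-5 of a LUKS header are the magic "LUKS\xba\xbe"; bytes 6-7 hold the
# big-endian format version (1 or 2).

luks_version() {
    # Prints 1 or 2 for a LUKS header, "none" for other data, and
    # "unknown" when the header cannot be read (e.g. detached and absent).
    [ -r "$1" ] || { echo unknown; return 0; }
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) echo none ;;
    esac
}

needs_algif_skcipher() {
    # Returns 0 (include the module) if any header is LUKS2 or unreadable;
    # returns 1 only when every header was read and none is LUKS2.
    for hdr in "$@"; do
        case "$(luks_version "$hdr")" in
            2|unknown) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample headers (first 8 bytes only), not real volumes.
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\001' > "$demo_dir/luks1.hdr"
printf 'LUKS\272\276\000\002' > "$demo_dir/luks2.hdr"

for f in luks1.hdr luks2.hdr missing.hdr; do
    printf '%s: %s\n' "$f" "$(luks_version "$demo_dir/$f")"
done
```

A LUKS1 header next to a missing one still yields "include", which is the case the unconditional add covers.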
--- Begin Message ---
Hi Guilhem,

On 02-06-2019 18:50, Cyril Brulebois wrote:
> Paul Gevers <elbrus@debian.org> (2019-06-02):
>> I'm fine with this. I'll unblock after the ack of kibi as I am not sure
>> about checking the udeb part myself (an area that I still have to learn).
> 
> The proposed change seems reasonable.

Unblocked, thanks.

Paul



--- End Message ---
