Your message dated Sun, 2 Jun 2019 21:20:17 +0200 with message-id <6201d659-c5e3-1b70-452b-3acbd45b05d0@debian.org> and subject line Re: Bug#929828: unblock: cryptsetup/2:2.1.0-4 has caused the Debian Bug report #929828, regarding unblock: cryptsetup/2:2.1.0-4 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
929828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929828
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: cryptsetup/2:2.1.0-4
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Sat, 1 Jun 2019 12:10:13 +0200
- Message-id: <20190601101013.GA31118@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

Unlocking LUKS2 volumes requires userspace crypto (‘algif_skcipher’ kernel module), which cryptsetup-initramfs 2:2.1.0-3 does not copy to initramfs images created with MODULES=dep, cf. #929616. (Default value for $MODULES is "most", otherwise that bug would have been of much higher severity. Still, newly formatted devices can't be unlocked from initramfs images created with MODULES=dep, which is a severe regression.)

In 2:2.1.0-4 we propose ‘algif_skcipher’ be included in all initramfs images, regardless of the value of $MODULES. Even though the module isn't needed for LUKS1, “plain” dm-crypt, etc. we can't always determine the header format/version at initramfs generation time (for instance the header might be detached and on removable media). As of cryptsetup 2.1.x LUKS2 is the default LUKS format version, so it makes sense to include the module unconditionally (like we've been doing for ‘aesni’ since 2:1.3.0-3, although it's possible to use a non-AES cipher, and not all CPUs have the AES instruction set).

The overhead of adding an extra module to initramfs images should be minimal: with its dependency the extra module adds a mere 68kiB (as of linux-image-4.19.0-5-amd64).

Debdiff between 2:2.1.0-3 and 2:2.1.0-4 attached. This also includes a patch by jmtd fixing the long description of cryptsetup-{bin,run}.

The diff doesn't touch our .udeb binary packages, but X-Debbugs-CC'ing kibi anyway as cryptsetup is also under udeb-block.

unblock cryptsetup/2:2.1.0-4

Thanks for considering its inclusion in Buster!

Cheers,
--
Guilhem.

diff -Nru cryptsetup-2.1.0/debian/changelog cryptsetup-2.1.0/debian/changelog --- cryptsetup-2.1.0/debian/changelog 2019-04-30 21:20:47.000000000 +0200 +++ cryptsetup-2.1.0/debian/changelog 2019-05-28 17:04:16.000000000 +0200 
@@ -1,3 +1,22 @@ +cryptsetup (2:2.1.0-4) unstable; urgency=medium + + [Guilhem Moulin] + * d/initramfs/hooks/cryptroot: Always add userspace crypto module + ('algif_skcipher' kernel module) to the initramfs. This module is + required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's + added to large initramfs (i.e., when the MODULES variable isn't set to + "dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2 + is the default LUKS header format version; and 2/ we can't check at + initramfs creation time whether there are LUKS2 devices to be opened at + early boot stage (detached headers might not be present then). + Closes: #929616. + + [Jonathan Dowland] + * Update package descriptions to reflect the move of luksformat from + cryptsetup-bin to cryptsetup-run. Closes: #928751. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 28 May 2019 17:04:16 +0200 + cryptsetup (2:2.1.0-3) unstable; urgency=medium * d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils diff -Nru cryptsetup-2.1.0/debian/control cryptsetup-2.1.0/debian/control --- cryptsetup-2.1.0/debian/control 2019-04-30 21:20:47.000000000 +0200 +++ cryptsetup-2.1.0/debian/control 2019-05-28 17:04:16.000000000 +0200 @@ -51,6 +51,9 @@ automatically configuring encrypted devices at boot time via the config file /etc/crypttab. Additional features are cryptoroot support through initramfs-tools and several supported ways to read a passphrase or key. + . + This package provides the cryptdisk_start and stop wrappers and + luksformat. Package: cryptsetup-bin Architecture: linux-any 
@@ -61,7 +64,8 @@ device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . - This package provides cryptsetup, cryptsetup-reencrypt and luksformat. + This package provides cryptsetup, cryptsetup-reencrypt, integritysetup + and veritysetup. Package: cryptsetup-initramfs Architecture: all diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot --- cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot 2019-04-30 21:20:47.000000000 +0200 +++ cryptsetup-2.1.0/debian/initramfs/hooks/cryptroot 2019-05-28 17:04:16.000000000 +0200 @@ -441,6 +441,10 @@ CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni" fi + # add userspace crypto module (only required for opening LUKS2 devices + # we add the module unconditionally as it's the default format) + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher" + if [ "$MODULES" = most ]; then for d in "$MODULESDIR"/kernel/arch/*/crypto; do copy_modules_dir "${d#"$MODULESDIR/"}" @@ -449,7 +453,7 @@ else if [ "$MODULES" != "dep" ]; then # with large initramfs, we always add a basic subset of modules - add_crypto_modules aes algif_skcipher cbc chainiv cryptomgr krng sha256 xts + add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts fi add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u) fiAttachment: signature.asc
Description: PGP signature
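Review bot: In the debian/changelog hunk, the new 2:2.1.0-4 entry repeats a phrase: "This module is required for required for opening LUKS2 devices". Drop the duplicated "required for" so the entry reads cleanly in the shipped changelog.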
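Review bot: In the first debian/control hunk (@@ -51,6 +51,9 @@), "the cryptdisk_start and stop wrappers" leaves the second command name implicit, so a search of package descriptions for that command will not match. Spell both wrapper names out in full and check them against the installed command names; the replacement line in the @@ -61,7 +64,8 @@ hunk already lists each tool by name.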
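Review bot: In the debian/initramfs/hooks/cryptroot hunk at @@ -441,6 +441,10 @@, the new comment opens a parenthesis on its first line that only closes at the end of the second, so "only required for opening LUKS2 devices" and "we add the module unconditionally" run together. Split it into two sentences and add the reason given in the changelog (the header format can't be checked at initramfs creation time, for instance with detached headers), which explains why this append sits outside any condition while the aesni append just above it is inside an if.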
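Review bot: In the last cryptroot hunk (@@ -449,7 +453,7 @@), removing algif_skcipher from the "basic subset" line is only safe because the add_crypto_modules call on $CRYPTO_MODULES just below it now always receives the module, and that call sits in the else branch. For MODULES=most the module has to come from the directory copies instead, and the rest of that branch is not part of the diff; a one-line comment above the basic-subset line saying which path provides algif_skcipher for each $MODULES value would make that dependency explicit.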
--- End Message ---
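A way to check an existing image for the regression described in the report above, as an added example that is not part of the original mail or of the cryptsetup packaging: it reads an `lsinitramfs` file listing and reports which userspace-crypto modules are absent. The function name, the sample listings and the choice of `af_alg` as the dependency the report mentions are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the cryptsetup packaging): decide from an
# initramfs file listing whether the userspace crypto modules are present.

# Modules to look for. algif_skcipher is the module named in the report;
# af_alg is assumed here to be the dependency the report refers to.
REQUIRED_MODULES="algif_skcipher af_alg"

# missing_luks2_modules: reads a file listing (one path per line, as printed
# by lsinitramfs) on stdin and prints the required modules it does not find,
# separated by spaces. Empty output means nothing is missing.
missing_luks2_modules() {
    listing=$(cat)
    missing=""
    for mod in $REQUIRED_MODULES; do
        # Module files may be compressed (.ko, .ko.xz, .ko.gz, ...), and the
        # kernel treats '-' and '_' in module names as equivalent.
        pattern=$(printf '%s' "$mod" | sed 's/_/[_-]/g')
        if ! printf '%s\n' "$listing" |
            grep -Eq "/${pattern}\.ko(\.[a-z0-9]+)?\$"; then
            missing="${missing:+$missing }$mod"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample listings (not real lsinitramfs output).
SAMPLE_WITHOUT='lib/modules/4.19.0-5-amd64/kernel/crypto/xts.ko
lib/modules/4.19.0-5-amd64/kernel/drivers/md/dm-crypt.ko
sbin/cryptsetup'
SAMPLE_WITH="$SAMPLE_WITHOUT
lib/modules/4.19.0-5-amd64/kernel/crypto/af_alg.ko
lib/modules/4.19.0-5-amd64/kernel/crypto/algif_skcipher.ko"

# Usage on a real system:
#   lsinitramfs /boot/initrd.img-"$(uname -r)" | missing_luks2_modules
```
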
--- Begin Message ---
- To: 929828-done@bugs.debian.org, Guilhem Moulin <guilhem@debian.org>
- Subject: Re: Bug#929828: unblock: cryptsetup/2:2.1.0-4
- From: Paul Gevers <elbrus@debian.org>
- Date: Sun, 2 Jun 2019 21:20:17 +0200
- Message-id: <6201d659-c5e3-1b70-452b-3acbd45b05d0@debian.org>
- In-reply-to: <20190602165014.pv2j3jesnxezpd6v@mraw.org>
- References: <20190601101013.GA31118@debian.org> <482793df-e16c-dd6e-d4f4-132685f84cf3@debian.org> <20190601101013.GA31118@debian.org> <20190602165014.pv2j3jesnxezpd6v@mraw.org>
Hi Guilhem,

On 02-06-2019 18:50, Cyril Brulebois wrote:
> Paul Gevers <elbrus@debian.org> (2019-06-02):
>> I'm fine with this. I'll unblock after the ack of kibi as I am not sure
>> about checking the udeb part myself (an area that I still have to learn).
>
> The proposed change seems reasonable.

Unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---