Bug#477658: marked as done ([cryptsetup] problem related to resuming from encrypted swap partition)

Fri, 06 Jun 2008 15:20:21 -0700 

Your message dated Fri, 06 Jun 2008 20:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#477658: fixed in cryptsetup 2:1.0.6-2
has caused the Debian Bug report #477658,
regarding [cryptsetup] problem related to resuming from encrypted swap partition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
477658: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477658
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message --- 
Package: cryptsetup
Version: 2:1.0.6-1
Severity: normal

--- Please enter the report below this line. ---

Hi everyone!


I'm running a Debian system with both encrypted root and swap
partitions. I have been experiencing a problem with suspend-to-disk and
the subsequent resume operation that involves the encrypted swap
partition. I tracked the problem down to a bug in the cryptsetup
package. In the following, I'll try to explain the problem and suggest
both a workaround and bugfix...


Problem:

I don't know the exact suspend-to-disk method i use, since I simple
select "Hibernate" from Gnome's shutqown dialog. However, it is apparent
 that the swap partition is used to store RAM contents and that
initramfs is doing most of the resume work. In case of an LUKS encrypted
swap partition cryptsetup has to provide access to that partition during
the boot.

For that purpose cryptsetup installs a hook script for initramfs-tools,
namely "/usr/share/initramfs-tools/hooks/cryptroot". That script is
supposed to identify all partitions that may need to be decrypted by
initramfs during boot. This includes the root partition and any swap
partition used for resume.

In my case information about the swap partition to use for resume is
found in the configuration file "/etc/initramfs-tools/conf.d/resume". I
think, the Debian Installer created this file. Usually it only contains
one line, in my case: "RESUME=/dev/mapper/cryptoswap".

Line 69 of "/usr/share/initramfs-tools/hooks/cryptroot" tries to use
this file to determine which partitions to decrypt during boot. However,
the sed scrypt used seems to be buggy. It assumes whitespace where none
is present:

        device=$(sed -rn 's/^RESUME[[:space:]]+=[[:space:]]+// p' \
        /etc/initramfs-tools/conf.d/resume)

Therefore the encrypted swap device is never added to the list of
devices to encrypt during boot.


Workaround:

The trivial workaround of adding appropriate whitespace around the "="
in the configuration file does not work very well. While this is a
worksaround for the mentioned bug, it does break other scripts. There is
at least one script that tries to source the configuration file and then
use the contents of the environment variable "RESUME". However, the
syntax for setting an environment variable does not allow any whitespace
there.

To enable both kinds of usage of the configuration file I added a
duplicate line, and thus changed it to:

RESUME = /dev/mapper/cryptoswap
RESUME=/dev/mapper/cryptoswap

This actually fixed my problem of resuming from my encrypted swap
partition. However it seems quite messy!


Suggested Bugfix:

IMHO the bug should be fixed in
"/usr/share/initramfs-tools/hooks/cryptroot" itself. I did not try that
yet, since I did not want to modify any files outside of "/etc".
However, changing line 69 to either of the following might do the trick:

        device=$(sed -rn 's/^RESUME[[:space:]]?=[[:space:]]?// p' \
        /etc/initramfs-tools/conf.d/resume)

        device=$(sed -rn 's/^RESUME=// p' \
        /etc/initramfs-tools/conf.d/resume)

Alternatively the script could be modified so that it sources the
configuration file and then uses the variable "RESUME" to determine the
device to decrypt. As mentioned, that seems to be the way other scripts
do it.


Conclusion:

I don't know if my use of encrypted partitions is correct let alone
typical. But for me it seems to work, except for the mentioned bug. So
I'd be happy to see it fixed. Otherwise, could anyone point me to a
better way to resume from an encrypted swap partition?

BTW, I don't report Debian bugs too often. Sorry. I already tried to
report this last week, using "reportbug" and "sendmail", but it didn't
seem to work. Now I'm trying with "reportbug-ng" and "icedove". I
appologize, if this should be duplicate after all.


Regards,
Michael Riedel


--- System information. ---
Architecture: amd64
Kernel:       Linux 2.6.24-1-amd64

Debian Release: lenny/sid
  500 testing         www.debian-multimedia.org
  500 testing         security.debian.org
  500 testing         ftp.nz.debian.org

--- Package information. ---
Depends                     (Version) | Installed
=====================================-+-===============
dmsetup                               | 2:1.02.24-4
libc6                      (>= 2.7-1) | 2.7-10
libdevmapper1.02.1     (>= 2:1.02.20) | 2:1.02.24-4
libpopt0                    (>= 1.10) | 1.10-3
libuuid1                              | 1.40.8-2
initramfs-tools                       | 0.91e

--- End Message ---
--- Begin Message --- 
Source: cryptsetup
Source-Version: 2:1.0.6-2

We believe that the bug you reported is fixed in the latest version of
cryptsetup, which is due to be installed in the Debian FTP archive:

cryptsetup-udeb_1.0.6-2_amd64.udeb
  to pool/main/c/cryptsetup/cryptsetup-udeb_1.0.6-2_amd64.udeb
cryptsetup_1.0.6-2.diff.gz
  to pool/main/c/cryptsetup/cryptsetup_1.0.6-2.diff.gz
cryptsetup_1.0.6-2.dsc
  to pool/main/c/cryptsetup/cryptsetup_1.0.6-2.dsc
cryptsetup_1.0.6-2_amd64.deb
  to pool/main/c/cryptsetup/cryptsetup_1.0.6-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Härdeman <[EMAIL PROTECTED]> (supplier of updated cryptsetup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 26 May 2008 08:12:32 +0200
Source: cryptsetup
Binary: cryptsetup cryptsetup-udeb
Architecture: source amd64
Version: 2:1.0.6-2
Distribution: unstable
Urgency: low
Maintainer: Jonas Meurer <[EMAIL PROTECTED]>
Changed-By: David Härdeman <[EMAIL PROTECTED]>
Description: 
 cryptsetup - configures encrypted block devices
 cryptsetup-udeb - configures encrypted block devices (udeb)
Closes: 477658 478268
Changes: 
 cryptsetup (2:1.0.6-2) unstable; urgency=low
 .
   [ Jonas Meurer ]
   * Taken from ubuntu:
     - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
     - debian/patches/02_manpage.patch: Clarify default key sizes (128 for
       luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
   * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
     key in gen-ssl-key example script.
 .
   [ David Härdeman ]
   * Misc bugfixes to askpass, make sure it is installed to the correct
     location and is built using pedantic mode.
   * Change the initramfs script to use askpass to prompt for
     passphrases, this should hopefully fix #382375 and #465902 once it
     is enabled in the init scripts as well.
   * Add a keyscript called passdev which allows a keyfile to be
     retrieved from a device which is first mounted, mainly useful to get
     keyfiles off USB devices etc.
   * Unbreak MODULES=dep booting (closes: #478268)
   * Relax checks for suspend devices a bit (closes: #477658)
   * Convert man pages to docbook.
Checksums-Sha1: 
 a7c94c55cc45210375ef0895a25aa45b391d308f 1434 cryptsetup_1.0.6-2.dsc
 c3e3ad343b8ea77ba2901f1f3dbc2c1c4f8cf42b 55494 cryptsetup_1.0.6-2.diff.gz
 5e23255dde5229378fb62fc7b7194f1ae5c66270 307752 cryptsetup_1.0.6-2_amd64.deb
 2f89ad866868de44ea40128d11334ca1457f235c 247136 
cryptsetup-udeb_1.0.6-2_amd64.udeb
Checksums-Sha256: 
 61a62587051e9b10f0c84ed28fbbdd86658ffcdac32821c8bc9bc00b5d96b4f9 1434 
cryptsetup_1.0.6-2.dsc
 20b936daabd472bef7587958d65832bc36fa7aa3be9bd4ebf2fb4e6c7f8d699b 55494 
cryptsetup_1.0.6-2.diff.gz
 5c9e7c0ac88f4eec530b7a476bb04ec9776151567a9e2e44d470ebeb3ea7b978 307752 
cryptsetup_1.0.6-2_amd64.deb
 e0c28025a1118a62c4c87892dc09aa3041078062d9307ce8f7ec91ec2416071f 247136 
cryptsetup-udeb_1.0.6-2_amd64.udeb
Files: 
 99a6be9e62f66c6389fdc846ba3e1280 1434 admin optional cryptsetup_1.0.6-2.dsc
 1a421d54c13ae38569a7688a5a1b6411 55494 admin optional 
cryptsetup_1.0.6-2.diff.gz
 9798a21c931db267cb1aa7fbf85ee6ac 307752 admin optional 
cryptsetup_1.0.6-2_amd64.deb
 5149d96b74e0582c1e1da297441441c1 247136 debian-installer optional 
cryptsetup-udeb_1.0.6-2_amd64.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhJGRoACgkQd6lUs+JfIQIjeQCeNLAuoZ4fam0r1jXwv1shOaDF
lk4An2WN/ryIcqSn88XkVDEl4GH3/fXG
=MbZd
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to