On Tue, 19 Jun 2018 at 23:52:45 +0200, Guilhem Moulin wrote:
> Sorry, I meant between your backup initrd.img (presumably also compiled
> with MODULES=dep) and the new, broken one.

Alternatively, if you don't have this initrd around anymore, are you able
to boot if you add the ‘xts’ module to the broken one?

    echo xts >>/etc/initramfs-tools/modules
    update-initramfs -u
    systemctl reboot

I'm now able to reproduce this in a test environment where the cipher
mode (xts in your case) is provided by a separate module.  We didn't
catch that earlier because our test VMs run using their host's CPU
model, which has AES-NI.  Indeed, running qemu with `-cpu host,-aes`
yields an unbootable system if the root FS is encrypted using AES-XTS
and the initrd is compiled with MODULES=dep.

(That's a lot of “ifs” and most systems won't be affected as the default is
MODULES=most and these days AES-NI is common enough, so I'm not sure
‘severity: critical’ is appropriate, but it's definitely RC anyway.)

-- 
Guilhem.
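
Added example, not part of the original message or of initramfs-tools: a pre-reboot check that the chaining-mode module named by a dm-crypt cipher spec is present in an initramfs file listing. The function names, the `KVER` placeholder and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: verify that an initramfs listing contains the module
# for the cipher mode used by the encrypted root device.
# Real use (assumes the spec was read from `cryptsetup status <name>`):
#   lsinitramfs /boot/initrd.img-$(uname -r) | check_initrd aes-xts-plain64

# Print the chaining mode of a dm-crypt cipher spec:
# "aes-xts-plain64" -> "xts", "aes-cbc-essiv:sha256" -> "cbc".
cipher_mode() {
    spec=$1
    rest=${spec#*-}                      # drop the cipher name
    [ "$rest" != "$spec" ] || return 1   # spec has no "-mode" part
    printf '%s\n' "${rest%%-*}"          # keep the text before the IV part
}

# Succeed if the file listing on stdin contains NAME.ko, optionally
# compressed (NAME.ko.xz, NAME.ko.zst, ...).
initrd_has_module() {
    grep -Eq "(^|/)$1\.ko(\.[a-z0-9]+)?\$"
}

# check_initrd SPEC < listing
# Returns 0 if the mode module is listed, 1 if not, 2 on an unparsable spec.
check_initrd() {
    mode=$(cipher_mode "$1") || { echo "cannot parse: $1"; return 2; }
    if initrd_has_module "$mode"; then
        echo "present: $mode.ko"
    else
        echo "MISSING: $mode.ko"
        return 1
    fi
}

# Constructed listings: an image built without xts.ko, and the same image
# after adding the module.
BROKEN_LISTING='usr/lib/modules/KVER/kernel/drivers/md/dm-mod.ko
usr/lib/modules/KVER/kernel/drivers/md/dm-crypt.ko'
FIXED_LISTING="$BROKEN_LISTING
usr/lib/modules/KVER/kernel/crypto/xts.ko"

printf '%s\n' "$BROKEN_LISTING" | check_initrd aes-xts-plain64 || true
printf '%s\n' "$FIXED_LISTING"  | check_initrd aes-xts-plain64 || true
```

A `MISSING` result means the separate module file is not in the image; whether the system still boots depends on another included driver or a built-in providing the mode, which this check does not inspect.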
