I'm curious; would this fix other issues such as Btrfs RAID1 on top of
fully encrypted disks?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if t
** Changed in: cryptsetup (Debian)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degra
** Tags removed: sts-sponsor-mfo
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage notifications about th
** Merge proposal linked:
https://code.launchpad.net/~mwhudson/ubuntu/+source/cryptsetup/+git/cryptsetup/+merge/393521
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot w
John, thanks a lot for your report! Definitely we don't want to delay boots -
although I'm happy to hear that eventually it boots. Can you send me logs so I
can understand what's going on?
My suggestion is to follow the steps below (as root user):
(0) [optional] Force a log rotation, in order we
I am running a laptop with an internal nvme that is partitioned to
contain an encrypted LUKS partition that contains an LVM2 PV. That PV
contains part of an LV (lvubuntu) which also includes a partition
residing on an external USB drive. The theory is that I'll make part of
the external PV into a
This bug was fixed in the package cryptsetup - 2:2.0.2-1ubuntu1.2
---
cryptsetup (2:2.0.2-1ubuntu1.2) bionic; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
a
This bug was fixed in the package cryptsetup - 2:2.2.2-3ubuntu2.3
---
cryptsetup (2:2.2.2-3ubuntu2.3) focal; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
ar
Thanks for releasing the packages in -proposed Lukasz. I was able to
complete the validation for the Focal version, following the procedure
in the description. An user reported internally to me that the
verification of Bionic version was also successful, hence I'm hereby
marking this LP as verified
Hello Guilherme, or anyone else affected,
Accepted cryptsetup into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.0.2-1ubuntu1.2 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package.
Hello Guilherme, or anyone else affected,
Accepted cryptsetup into focal-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.2.2-3ubuntu2.3 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. S
Thanks a lot Alex for your review from a security point-of-view. And thanks
again Lukasz for dealing with this SRU!
Cheers,
Guilherme
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
F
Thank you Alex! In that case, let me review the change once again.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
This bug was fixed in the package initramfs-tools - 0.130ubuntu3.11
---
initramfs-tools (0.130ubuntu3.11) bionic; urgency=medium
[ Guilherme G. Piccoli ]
* scripts/functions: Prevent printf error carry over if the wrong
console is set. (LP: #1879987)
The function _log_ms
Hey Alex, thank you very much for your prompt review.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage n
I can't see any potential security impact from this - yes it will now do
another round of asking for passwords but 9 tries doesn't really help
(from an attacker point-of-view) any more than 6 tries assuming this is
a long passphrase - so consider this an ACK from the security team.
--
You receive
Hi Ubuntu Security Team,
I've subscribed you to this bug for a patch review asked by the SRU team.
Please find a request summary below, and feel free to ask for details.
There's a change being proposed to the cryptsetup boot logic
(debdiff in comment #44) so to allow an encrypted device on
top of
1) There are no changes with the cryptsetup in bionic-updates.
This is expected, because the changes in initramfs-tools
are gated by a file introduced in the patched cryptsetup.
Thus no regression from the initramfs-tools side.
...
And, additional testing with the _patched_ cryptsetup,
just in
** Attachment added: "lp1879980 verification-bionic.log"
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1879980/+attachment/5414278/+files/lp1879980%20verification-bionic.log
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubunt
In the benefit of the initramfs-tools upload to move on:
I have verified that it has no regressions with current
cryptsetup in bionic-updates and works as expected with
the patched version (in upload queue, not -proposed yet.)
Verification details in the next comment and detailed
topology and con
Hi Łukasz,
Thanks for accepting initramfs-tools for now; it's much appreciated.
I'm not sure the security team reviewed this; but I can't confirm.
I'll try to find a reviewer there, to check the concerns you have.
Could you please confirm/correct/add the concerns/review points?
1) Behavior chang
Ok, I have accepted the initramfs-tools parts of this fix as they seem
to make sense (and were carrying some other changes too).
But then when I was looking at the cryptsetup parts, well, I think I'd
like to slow down a little. Have all these changes been consulted with
the Ubuntu security team? S
Hello Guilherme, or anyone else affected,
Accepted initramfs-tools into bionic-proposed. The package will build
now and be available at https://launchpad.net/ubuntu/+source/initramfs-
tools/0.130ubuntu3.11 in a few hours, and then in the -proposed
repository.
Please help us by testing this new pa
** Patch added: "bionic_initramfs-tools_lp1879980_V3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1879980/+attachment/5413638/+files/bionic_initramfs-tools_lp1879980_V3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
Uploaded initramfs-tools to Bionic.
Attaching the updated debdiff for reference.
(Rebased on top of the more recent -updates.)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to bo
** Patch added: "focal_cryptsetup_lp1879980_V3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1879980/+attachment/5413626/+files/focal_cryptsetup_lp1879980_V3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubun
Uploaded cryptsetup to Focal and Bionic.
Attaching the updated debdiffs for reference.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the arra
** Patch added: "bionic_cryptsetup_lp1879980_V3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1879980/+attachment/5413627/+files/bionic_cryptsetup_lp1879980_V3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ub
This bug was fixed in the package cryptsetup - 2:2.3.3-1ubuntu6
---
cryptsetup (2:2.3.3-1ubuntu6) groovy; urgency=medium
* Introduce retry logic for external invocations after mdadm (LP: #1879980)
- Currently, if an encrypted rootfs is configured on top of a MD RAID1
array
I'll retry the test before we investigate further.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage noti
Autopkgtest failure found:
autopkgtest for systemd/246.4-1ubuntu1: amd64: Regression ♻ , arm64:
Pass, armhf: Pass, ppc64el: Pass, s390x: Ignored failure
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac
/autopkgtest-groovy/groovy/amd64/s/systemd/20200922_22
Thanks a bunch mfo!!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage notifications about this bug go to
** Tags added: sts-sponsor-mfo
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage notifications about this
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
To manage notifications about this bug go to
[sts-sponsors]
Sponsored and uploaded into groovy.
Let's now wait until the package lands in groovy-releases before proceeding
with the SRU.
Thanks mfo and gpiccoli for your contributions.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscrib
** Patch added: "groovy_cryptsetup_lp1879980_V3.debdiff"
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1879980/+attachment/5413208/+files/groovy_cryptsetup_lp1879980_V3.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ub
Hi Eric,
I just updated the changelog with a more detailed description per file.
If it looks good to you for Groovy I'll update the stable releases too.
Thanks!
Mauricio
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.la
Hi Guilherme,
I can handle that while you're out.
cheers,
Mauricio
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degrad
Hi Eric, all the changes are part of the same functionality - the local-bottom
script for example is a clean-up for the files created in the local-top phase.
I think it'd be unnecessary verbosity to explain file by file, and this bug is
waiting for a long time to be fixed (especially due to the
@gpiccoli,
Can you break down everything this debdiff does per file being modified
in the d/changelog along with the summary you have already provided ?
It would ease for future reference and make the d/changelog more
accurate about the changes.
* d/cryptsetup-initramfs.install:
-
* d/fu
** Patch added: "bionic_cryptsetup_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5411486/+files/bionic_cryptsetup_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "focal_cryptsetup_lp1879980_V2.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5411485/+files/focal_cryptsetup_lp1879980_V2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubu
After the cryptsetup FTBFS investigation (on LP #1891473), coincidentally a
security fix was released for such package, that included a fix for the FTBFS.
So, this is a "rebase" on top of the latest version for Focal/Groovy - Bionic
wasn't affected, but I'm re-uploading its debdiff nevertheless.
This bug was fixed in the package initramfs-tools - 0.136ubuntu6.3
---
initramfs-tools (0.136ubuntu6.3) focal; urgency=medium
* scripts/functions: Prevent printf error carry over if the wrong
console is set. (LP: #1879987)
The function _log_msg() is "void" typed, returning
I've managed to verify the initramfs-tools Focal-proposed package
(version 0.136ubuntu6.3) by following 2 approaches, given that we don't
have its cryptsetup counter-part released yet:
(a) The verification by "negation" aims to check if we don't have
regression, by testing if the new package chang
Hello Guilherme, or anyone else affected,
Accepted initramfs-tools into focal-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/initramfs-
tools/0.136ubuntu6.3 in a few hours, and then in the -proposed
repository.
Please help us by testing this new pack
[sts-sponsor]
Sponsored in Focal/Bionic.
Thanks for your contribution.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/de
This bug was fixed in the package initramfs-tools - 0.137ubuntu12
---
initramfs-tools (0.137ubuntu12) groovy; urgency=medium
* d/tests: Add explicit call to partprobe on net test, specially in
prep-image and run-image. (LP: #1893675)
initramfs-tools (0.137ubuntu11) groovy; urge
** Patch added: "focal_initramfs_lp1879980_V2.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5406230/+files/focal_initramfs_lp1879980_V2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubunt
An issue on initramfs-tools autopkgtest was found in Groovy and Focal (see LP
#1893675) - it's non-related with the fixes proposed here, but we need to make
autopkgtest happy or we cannot get the package released, so here goes the V2 of
the initramfs-tools debdiffs.
Notice the SRU is mainly driv
Worth to notice that the cryptsetup release is blocked on LP #1891473 -
there's a failure on building this package from source introduced by a
recent PPA builder upgrade (from Xenial to Bionic).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
Attaching a new Bionic debdiff, which now includes a fix for a third bug
(LP #1820929).
** Patch added: "bionic_initramfs_lp1879980_V2.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5401090/+files/bionic_initramfs_lp1879980_V2.debdiff
--
You received
Just got a test result from an user that reported the issue - the packages with
the proposed patches [0] fixed the issue to him.
cheers,
Guilherme
[0] https://launchpad.net/~gpiccoli/+archive/ubuntu/lp1879980
--
You received this bug notification because you are a member of Ubuntu
Bugs, whic
** Patch added: "bionic_cryptsetup_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398700/+files/bionic_cryptsetup_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: "groovy_initramfs_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398697/+files/groovy_initramfs_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
h
** Patch added: "focal_initramfs_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398699/+files/focal_initramfs_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
htt
** Patch added: "bionic_initramfs_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398701/+files/bionic_initramfs_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
h
** Patch added: "focal_cryptsetup_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398698/+files/focal_cryptsetup_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
h
Worth to notice that the initramfs-tools debdiffs include a fix for LP
#1879987 - we are doing a single SRU for 2 bugs.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with
Oh, I forgot to mention - Xenial won't be fixed. It's a release pretty stable
with less then a year remaining of regular support, and with older code. So, in
my opinion (again) it's safer to keep it as is, and consider that degraded
RAID1 + encrypted rootfs is fully supported on Bionic and so on
One relevant discussion would be why we decided to not change mdadm code
anymore. What happens here is that we have an inter-dependency between
mdadm and cryptroot - we first changed the mdadm max counter to
"untangle" that relation, in a way cryptroot would run more times than
mdadm.
But studying
** Patch added: "groovy_cryptsetup_lp1879980.debdiff"
https://bugs.launchpad.net/ubuntu/focal/+source/mdadm/+bug/1879980/+attachment/5398696/+files/groovy_cryptsetup_lp1879980.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
[Impact]
- * Considering a setup of a encrypted rootfs on top of md RAID1 device, Ubuntu
is currently unable to decrypt the rootfs if the array gets degraded, like for
example if one of the array members gets removed.
+ * Considering a setup of a encrypted rootfs on top
** Changed in: mdadm (Ubuntu)
Status: Confirmed => Opinion
** Changed in: initramfs-tools (Ubuntu)
Status: Confirmed => In Progress
** Also affects: mdadm (Ubuntu Groovy)
Importance: Medium
Assignee: Guilherme G. Piccoli (gpiccoli)
Status: Opinion
** Also affects: cr
** Changed in: cryptsetup (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879980
Title:
Fail to boot with LUKS on top of RAID1 if the array is broken/degraded
** Changed in: cryptsetup (Ubuntu)
Status: Confirmed => In Progress
** Bug watch added: Debian Bug tracker #933059
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933059
** Also affects: cryptsetup (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933059
Importance:
Debian merge request for the cryptsetup patch was just submitted:
https://salsa.debian.org/cryptsetup-team/cryptsetup/-/merge_requests/18
Cheers,
Guilherme
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/b
** Description changed:
- Description will be saved for further SRU template, the details of the
- issue will be exposed in comments
+ [Impact]
+ * Considering a setup of a encrypted rootfs on top of md RAID1 device, Ubuntu
is currently unable to decrypt the rootfs if the array gets degraded, lik
I have a report of a Bionic user that tested the packages on my PPA with
success.
I changed a small bit though, from the first proposal (just for consistency):
moved the cryptsetup clean-up script to local-bottom instead of init-bottom.
Thanks,
Guilherme
--
You received this bug notification
List of somewhat duplicate bugs:
https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/120375
(after comment #74)
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/251164
(propose some alternative solutions we can think about, like failure hooks)
https://bugs.launchpad.net/ubuntu/+source/d
** Patch added: "initramfs-tools patch"
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1879980/+attachment/5375735/+files/0001-scripts-local-Allow-local-block-looping-as-Debian.patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
** Patch added: "mdadm patch"
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1879980/+attachment/5375736/+files/0001-script.local-block-Improve-last-resort-mechanism.patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubu
Not a debdiff - I found easier to just add the patches as in my local
git repository of the packages.
** Patch added: "cryptroot patch"
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1879980/+attachment/5375734/+files/0001-d-initramfs-cryptroot-script-Allow-some-retries-on-l.pa
The issue basically is about a failure in mounting root if we have a
stacked setup of LUKS on top of RAID1, when RAID1 is degraded (like a
member missing). What happens in detail is a conjuncture of factors
leading to this problem:
(a) The initramfs script for cryptroot currently is present in two
74 matches
Mail list logo