diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | fd888e850cf413955483bfb993aeeea5ea611289 (patch) | |
tree | 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian | |
parent | Adding upstream version 2:2.6.1. (diff) | |
download | cryptsetup-debian.tar.xz cryptsetup-debian.zip |
Adding debian version 2:2.6.1-4~deb12u2.debian/2%2.6.1-4_deb12u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
185 files changed, 17593 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..87e657a --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,12 @@ +cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium + + This release adds a new binary package 'cryptsetup-suspend' which brings + support to suspend encrypted LUKS devices before the system goes to sleep + (via ACPI S3 system suspend). In other words, the encryption keys for + LUKS devices are removed automatically from system memory before system + suspend. After system resume, LUKS devices will be unlocked again and + the user may be asked to provide a passphrase if required. + + See the cryptsetup-suspend(7) manpage for more information. + + -- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:31:47 +0200 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..99633bf --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,344 @@ +Cryptsetup for Debian +===================== + +Table of Contents +----------------- + +* 1. Introduction into Cryptsetup for Debian +* 2. Encrypted swap partition(s) +* 3. Insecure mode/owner for keys +* 4. Cryptsetup and udev +* 5. Useful keyscripts: askpass and passdev +* 6. The `check` option +* 7. Cryptsetup and Splashy +* 8. Remotely unlock encrypted rootfs +* 9. Backup the LUKS header +* 10. Changing the boot order of cryptdisks init scripts +* 11. Unlocking LUKS devices from GRUB +* 12. Suspend LUKS devices on system suspend +* 13. Credits + + +1. Introduction into Cryptsetup for Debian +------------------------------------------ + + Cryptsetup is a command-line interface for configuring encrypted block +devices via dm-crypt, a kernel device-mapper target. For documentation about +the cryptsetup tool, see manpage of cryptsetup(8) and the frequently asked +questions at `/usr/share/doc/cryptsetup/FAQ.gz`. + + The Debian cryptsetup package provides the initscript `/etc/init.d/cryptdisks` +and a configuration file `/etc/crypttab` for automatically configuring encrypted +devices at boot time. The applications cryptdisks_start and cryptdisks_stop +are provided to process crypttab configured devices manually. See the manpages +of crypttab(5), cryptdisks_start(8) and cryptdisks_stop(8) for more information. +The systemd init system masks our initscripts as it has native +cryptsetup support; use cryptdisks_start(8) or systemd-cryptsetup@.service(8) to +manually unlock devices on such systems. + + The luksformat script provides a simple interface for creating an encrypted +device that follows the LUKS standard and for putting a file system onto the +encrypted device. See man luksformat(8) for more information. + + If you wish to perform a Debian installation to an encrypted root, you might +be interested in using a version of Debian Installer with partman-crypto, +which will install the system and setup cryptsetup and initramfs-tools. + + For instructions about how to encrypt your root filesystem and integrate +cryptsetup into initramfs on a running system, see +`/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz`. + + +2. Encrypted swap partition(s) +------------------------------ + + An encrypted swap partition prevents spying on plaintext secrets (passwords) +that may be written to disk when memory is swapped to disk. + + To encrypt your swap partitions, you'll first have to deactivate your swap: + + swapoff -a + + You'll have to add an entry for every swap partition in `/etc/crypttab`. Be +sure to place the source device (here `/dev/sde9`) with your swap devices: + + # <target name> <source device> <key file> <options> + cswap1 /dev/sde9 /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap + + Now you need to change the swap devices in `/etc/fstab` to the encrypted swap +device names (`/dev/mapper/cswap1` in this example). + + # <file system> <mount point> <type> <options> <dump> <pass> + /dev/sde9 none swap sw 0 0 + +becomes + + # <file system> <mount point> <type> <options> <dump> <pass> + /dev/mapper/cswap1 none swap sw 0 0 + + Then, you need to start the cryptsetup swap devices and reactivate swap: + + cryptdisks_start cswap1 + swapon -a + + And finally, if `/dev/sde9` was previously used as resume device, you should +disable it (the new swap partition is mapped with a non-persistent key hence +can't be used for resuming after suspend to disk). With initramfs-tools 0.130 +and later, this can be done with + + echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume + update-initramfs -u + + That's it! You have a crypted swap device. Note that `/dev/urandom` provides +only pseudo-random entropy. So if you're paranoid rather use `/dev/random` as +source for random data. Be aware though that `/dev/random` might not provide +enough random bytes for your key, causing your system to hang at boot, waiting +for more entropy. Moving mouse and keyboard typing might help in this case. + + Read the crypttab(5) manpage for more information, for example options to use +a different encryption algorithm than the default. + + +3. Insecure mode/owner for keys +------------------------------- + + Any key that is stored somewhere to be used with cryptsetup should have the +mode 400 (`-r--------`) and root as owner/group. `chown root.root keyfile` and +`chmod 400 keyfile` will do the trick for you. + + If a key is stored on a vfat filesystem (very common for removable media), +chmod and chown will not work. The vfat filesystem (and several others too) +does not support file permissions and ownership. Instead, you should use the +uid, gid and umask options in `/etc/fstab` to ensure secure permissions for +the key. + + As an example, assume that `/dev/sdg8` is the removable media containing +keyfiles on a vfat filesystem and that it is going to be mounted on +`/media/flash0`. The configuration in `/etc/fstab` should then be something +like this: + + # <file system> <mount point> <type> <options> <dump> <pass> + /dev/sdg8 /media/flash0 vfat uid=0,gid=0,umask=277 0 0 + + If you are using udev, it might be a good idea to use the `/dev/disk/by-label` +links instead of `/dev/sdg8` as the link will work no matter in which order the +media is inserted and detected. + + +4. Cryptsetup and udev +---------------------- + + As a workaround for some yet-to-be-fixed race condition in kernel, +device-mapper or udev, cryptsetup currently runs udevsettle. + + This leads to problems if you invoke cryptsetup as part of a udev rule. +udevsettle waits until queued kernel/udev events are processed and the +"run programs" have finished. Due to cryptsetup itself being a "run +program" in this case, this ends in a deadlock. + + Therefore cryptsetup should be detached directly after invocation in this +case, so that it runs asynchronously. + + +5. Useful keyscripts: askpass and passdev +----------------------------------------- + + The cryptsetup package ships with several keyscripts. Keyscripts may be +configured in `/etc/crypttab` in order to provide the key required to unlock +the device. The shipped keyscripts are located at `/lib/cryptsetup/scripts`. + + Some keyscripts have an own README file at `/usr/share/doc/cryptsetup/`. + + Two special keyscripts, worth being mentioned here, are askpass and passdev. + + Askpass is located at `/lib/cryptsetup/askpass`. It's a simple helper program +that supports different methods (console, fifo, splashy, ...) to prompt for a +passphrase, and prints the result to stdout. The syntax is: + + /lib/cryptsetup/askpass PROMPT + + Passdev will wait for a given device to appear, mount it read-only, read the +key, and unmount the device. See `/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz` +for more information about passdev. + + +6. The `check` option +--------------------- + + The `check` option in crypttab allows one to configure checks to be run +against the target device after cryptsetup has been invoked. +The default check `blkid` can check for any known filesystem type, as it uses +blkid from util-linux. you can check for a particular filesystem by giving for +example `checkargs=ext4` or `checkargs=swap` as an option in `/etc/crypttab`. + + Please send us your checks, if you write new ones. If they are generally +useful, we will include them in the package. + + See man crypttab(5) for more information about the checksystem. + + +7. Cryptsetup and Splashy +------------------------- + + Splashy support in cryptsetup is currently somehow limited. Splashy is known +to freeze at the password dialog for encrypted non-root filesystems. Only the +password dialog for the encrypted root filesystem works. + + It seems like splashy freezes for any input dialog in initscripts while +input dialogs at initramfs stage seem to work. This leads to the assumption +that the bug is somewhere in splashy and neither in cryptsetups initscripts +nor in askpass. + + +8. Remotely unlock encrypted rootfs +----------------------------------- + + Thanks to Chris <debian@x.ray.net> it's possible to install a dropbear SSH +server into the initramfs, connect to this SSH server during execution of +initramfs early in the boot process, and unlock encrypted devices - even +the root device - before the boot process continues. (Note that in order +to force an arbitrary device to be processed at initramfs stage you +might need to set the `initramfs` option in its crypttab entry; see +crypttab(5) for details.) + + This way it is possible to use an encrypted root filesystem on headless +systems where no physical access is available during boot process. + + Dropbear 0.52-1 or later is required for this to work. (Since 2015.68-1 the +functionality has its own binary package `dropbear-initramfs`.) Consult +`/usr/share/doc/dropbear-initramfs/README.initramfs` from the dropbear-initramfs +package for information how to install and configure the dropbear SSH server +into the initramfs. + + You can then unlock the disk remotely via SSH with + + ssh -tF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock + + Or, using a local gpg-encrypted key file: + + gpg --decrypt ~/.luks/remote.key.gpg | ssh -TF ~/.luks/ssh.conf root@remote.system.com cryptroot-unlock + + When its standard input is a TTY, `cryptroot-unlock` keeps prompting for +passphrases until there are no more devices to unlock; otherwise you'll +need to invoke it as many times as there are devices to unlock. + + That's it. Now that all required encrypted devices are unlocked, the +remote system should continue with the boot process. + + You can also use the following authorized_keys(5) options in +`/etc/dropbear-initramfs/authorized_keys` to restrict access and avoid +users poking around: + + no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa ... + +(Be sure to rebuild the initrd afterwards: `update-initramfs -u -k all`) + + +9. Backup the LUKS header +------------------------- + + WARNING: This information might be outdated. Please read the cryptsetup FAQ +at `/usr/share/doc/cryptsetup/FAQ.gz` for up-to-date information on how to +backup the LUKS header. + + The LUKS header is located at the beginning of every LUKS encrypted device. +It stores information such as used cipher, hash, etc. But most importantly, +the header contains eight keyslots, which do keep an encrypted version of the +LUKS masterkey. the data on an encrypted LUKS partition is encrypted with this +masterkey. thus, there's no way to restore the data once the masterkey is +lost. For that reason, one might want to backup the LUKS header in order to +prevent accidental data loss. + + On the other hand keeping a backup of the LUKS header isn't recommended for +security reasons. The reason is, that LUKS was designed with key revocation in +mind. Once the LUKS header is copied to a backup, revoking a (possibly +compromised) passphrase or keyfile from the keyslot isn't enough anymore. the +revoked passphrase/keyfile can easily be reactived by writing back the header +backup to the device. + + Beginning with version 1.1.0, cryptsetup has support for the commands +luksHeaderBackup and luksHeaderRestore. If you want to store a backup of your +LUKS header with the mentioned drawbacks in mind, do the following: + + Prepare a ramdisk to store the backup temporarely. You should do that in order +to prevent any hardware caching functions or filesystem jounals to copy the +backup around to places you cannot control. If you want to store the backup +permanently, write it to a read-only medium like CD immediately from ramdisk, +without your burning program writing an intermediate image to some temp dir. + + To actually backup the header, use the following command: + + cryptsetup luksHeaderBackup <luks-device> --header-backup-file <destination-on-ramdisk> + + That's it. But once again, keep in mind all the security implications when +doing LUKS header backups. In general it's better to backup the data from +encrypted LUKS devices to another encrypted LUKS device. That way you can +manage the keyslots for both original and backup device independently. + + +10. Changing the boot order of cryptdisks init scripts +----------------------------------------------------- + + In order to support non-standard setups, it might be necessary to change the +order of init scripts in the boot process. Cryptsetup already installs two +init scripts, cryptdisks-early and cryptdisks, in order to support some complex +setups. For example, both "lvm on luks" and "luks on lvm" are supported that +way. + + If your system isn't supported by the default order of init scripts in the +boot process, you need to change the boot process on your own. In some cases +it might be enough to change the LSB dependency headers at initscripts, see +`/etc/init.d/README` for more information about that. For more complex setups, +more intrusive changes are required. For example, adding a third cryptdisks +init script might help. See the log of bugreport [#576646] and [discussion on +debian-devel] for further information. + +[#576646]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576646 +[discussion on debian-devel]: https://lists.debian.org/debian-devel/2010/06/msg00021.html + + +11. Unlocking LUKS devices from GRUB +------------------------------------ + + GRUB has been able to unlock LUKS1 devices since early in Jessie's +release cycle. This feature removes the need for a separate cleartext +`/boot` partition, hence enables "real" full disk encryption. However +cryptsetup >=2.1 uses LUKS version 2 by default, which GRUB 2.02 doesn't +support. In other words, as of Buster it is not possible to unlock from +GRUB new LUKS devices formatted with the default parameters. + + Neither Jessie nor Stretch's installers natively support unlocking from +GRUB, hence users already had to implement various workarounds to enable +it. **Former workarounds won't work anymore with LUKS2**. Integration +between LUKS and GRUB is documented at +<https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html>, +including recipes to enable the feature starting from the usual +"encrypted LVM" partitioning method of the Debian Installer -- both with +LUKS1 (pre-Buster) and LUKS2 (Buster and later) devices. + + +12. Suspend LUKS devices on system suspend +------------------------------------------ + + The 'cryptsetup-suspend' package brings support to suspend encrypted +LUKS devices before the system goes to sleep (via ACPI S3 system suspend). +In other words, the encryption keys for LUKS devices are removed +automatically from system memory before system suspend. After system +resume, LUKS devices will be unlocked again and the user may be asked +to provide a passphrase if required. + + See the cryptsetup-suspend(7) manpage for more information. + + +13. Credits +----------- + + People who contributed to the Debian cryptsetup package: + +* Guilhem Moulin <guilhem@debian.org> +* Jonas Meurer <jonas@freesources.org> +* David Härdeman <david@hardeman.nu> +* Bastian Kleineidam <calvin@debian.org> +* Michael Gebetsroither <michael.geb@gmx.at> + + -- Jonas Meurer <jonas@freesources.org>, Sun, 09 Jun 2019 15:01:09 +0200 diff --git a/debian/README.debug b/debian/README.debug new file mode 100644 index 0000000..7a627bf --- /dev/null +++ b/debian/README.debug @@ -0,0 +1,72 @@ +Debugging Cryptsetup issues +=========================== + +Cryptsetup is responsible for unlocking dm-crypt devices. The cryptsetup Debian +provide a whole slew of helper scripts that integrate cryptsetup into the +Debian operating system. The most important ones are the `cryptdisks` init +script and the `cryptroot` initramfs scripts, both implementing support for the +`/etc/crypttab` configuration file and for automatic unlocking of encrypted +devices during the boot process. + +This page collects information on debugging different features of the Debian +cryptsetup packages in case of problems. + +Debug cryptroot initramfs script +-------------------------------- + +In order to debug the cryptroot initramfs script during initramfs stage, the +following steps are required: + +* Boot into the initramfs rescue shell by adding `break=premount` as kernel + option during boot + + In grub, this can be done interactively from the grub boot menu: `<E>` to + edit, and `<Ctrl>+<X>` to boot once you've edited the kernel line. + + See <https://help.ubuntu.com/community/Grub2/Troubleshooting#Editing_the_GRUB_2_Menu_During_Boot> + for details. + +* Append `-x` to the shebang (first line) of cryptroot initramfs script: + + sed -i -e '1s,^#!/bin/sh,& -x,' /scripts/local-top/cryptroot + +* Run the cryptroot initramfs script manually, redirecting output to a log file: + + /scripts/local-top/cryptroot 2>&1 | tee /run/initramfs/cryptroot.debug + + **Please note:** if the boot process is broken, you might need to mount an + external storage device (e.g. a USB flash drive) inside the initramfs and + redirect the output to a log files on this external device. + +* Continue the boot process (by pressing `<Ctrl>+<D>`) and save a copy of the + debug log file to `/run/initramfs/cryptroot.debug`. The content of `/run/` + will be lost after reboot. + +Sometimes, debugging the initramfs directly can be helpful as well. See +<https://wiki.debian.org/InitramfsDebug#Saving_debug_information> for details. + +Gather debugging information in the initramfs rescue shell +---------------------------------------------------------- + +Useful commands to gather information from initramfs rescue shell: + +* Check for device-mapper support (these directories/symlinks exist only if + kernel has device-mapper support): + + ls -l /sys/class/misc/device-mapper /sys/devices/virtual/misc/device-mapper + +* Check whether dm-crypt kernel module is loaded: + + lsmod | grep dm-crypt + +* Display cryptroot configuration and list loaded kernel modules: + + cat /cryptroot/crypttab + lsmod + +* Gather information about the available block devices: + + blkid + ls -l /dev/disk/by-*/ + + -- Jonas Meurer <jonas@freesources.org>, Wed 25 Dec 2019 02:58:00 PM CET diff --git a/debian/README.gnupg b/debian/README.gnupg new file mode 100644 index 0000000..837d151 --- /dev/null +++ b/debian/README.gnupg @@ -0,0 +1,42 @@ +Using GnuPG keys for LUKS dm-crypt devices in Debian +==================================================== + +The Debian cryptsetup package provides the keyscript `decrypt_gnupg` for +setups with a GnuPG encrypted LUKS keyfile. + +The following example assumes that you store the encrypted keyfile in +`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`. + +First, you'll have to create the encrypted keyfile: + + dd if=/dev/random bs=1 count=256 | gpg --no-options --no-random-seed-file \ + --no-default-keyring --keyring /dev/null --secret-keyring /dev/null \ + --trustdb-name /dev/null --symmetric --output /etc/keys/cryptkey.gpg + +Next the LUKS device needs to be formated with the key. For that, the +`decrypt_gnupg` keyscript can be used: + + /lib/cryptsetup/scripts/decrypt_gnupg /etc/keys/cryptkey.gpg | \ + cryptsetup --key-file=- luksFormat /dev/<luks_device> + +In order to unlock the encrypted LUKS device automatically during boot process, +add the following to `/etc/crypttab`: + + cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,discard,keyscript=decrypt_gnupg + + +Decrypting the keyfile at initramfs stage +----------------------------------------- + +If the device is to be unlocked at initramfs stage (such as for the root FS or +the resume device), the provided initramfs hooks should do all additionally +required work for you when the initramfs is created or updated. + +Be warned though, that for such devices the GnuPG encrypted key is copied to +the initramfs by the initramfs cryptgnupg hook. If you don't want this, you +should take a look at the initramfs cryptgnupg hook, which is located at +`/usr/share/initramfs-tools/hooks/cryptgnupg`. + + -- Jonas Meurer <jonas@freesources.org> Thu, 04 Mar 2010 17:31:40 +0100 + + -- Guilhem Moulin <guilhem@guilhem.org> Sat, 17 Sep 2016 16:14:41 +0200 diff --git a/debian/README.gnupg-sc b/debian/README.gnupg-sc new file mode 100644 index 0000000..edddfbd --- /dev/null +++ b/debian/README.gnupg-sc @@ -0,0 +1,55 @@ +Using an OpenPGP smartcard for LUKS dm-crypt devices in Debian +============================================================== + +The Debian cryptsetup package provides the keyscript `decrypt_gnupg-sc` +for setups with a keyfile that is encrypted using an OpenPGP smartcard. + +The following example assumes that you store the encrypted keyfile in +`/etc/keys/cryptkey.gpg`. LUKS device is `/dev/<luks_device>`. + +First, you'll have to create the keyfile and encrypt it with your key +0xDEADBEEF: + + dd if=/dev/random bs=1 count=256 | gpg --recipient 0xDEADBEEF \ + --output /etc/keys/cryptkey.gpg --encrypt + +Next the LUKS device needs to be formated with the key. For that, the +`decrypt_gnupg-sc` keyscript can be used: + + /lib/cryptsetup/scripts/decrypt_gnupg-sc /etc/keys/cryptkey.gpg | \ + cryptsetup --key-file=- luksFormat /dev/<luks_device> + +In order to unlock the encrypted LUKS device automatically during boot process, +add the following to `/etc/crypttab`: + + cdev1 /dev/<luks_device> /etc/keys/cryptkey.gpg luks,keyscript=decrypt_gnupg-sc + +In order to avoid data loss if the smartcard is damaged or lost, you may +want to decrypt `/etc/keys/cryptkey.gpg` and store the plaintext in a safe +place. Or alternatively, use another slot with your backup key: + + cryptsetup luksAddKey /dev/<luks_device> /path/to/backup.key + + +Decrypting the keyfile at initramfs stage +----------------------------------------- + +If the device is to be unlocked at initramfs stage (such as for the root +FS or the resume device), you need to copy the public part of the +encryption key to `/etc/cryptsetup-initramfs/pubring.gpg`: + + gpg --export 0xDEADBEEF >/etc/cryptsetup-initramfs/pubring.gpg + +Then the provided initramfs hooks should do all additionally required +work for you when the initramfs is created or updated. + +Be warned though, that for such devices the OpenPGP encrypted key is copied +to the initramfs by the initramfs cryptgnupg-sc hook. If you don't want this, +you should take a look at the initramfs cryptgnupg-sc hook, which is located +at `/usr/share/initramfs-tools/hooks/cryptgnupg-sc`. + +Moreover, note that unlocking at initramfs stage is currently not compatible +with plymouth or other bootsplash, as a curses-based prompt is used for PIN +entry. + + -- Guilhem Moulin <guilhem@guilhem.org> Sun, 23 Sep 2018 03:28:31 +0200 diff --git a/debian/README.initramfs b/debian/README.initramfs new file mode 100644 index 0000000..d85ae9c --- /dev/null +++ b/debian/README.initramfs @@ -0,0 +1,280 @@ +Debian Cryptsetup Initramfs integration +======================================= + +1. Introduction +--------------- + +Kernels more recent than 2.6.12 have dropped support for devfs, which +means that initrd-tools can no longer be used to boot into an encrypted +root partition. Instead, a similar functionality has been developed for +use with an initramfs-image. + + +2. A fresh installation +----------------------- + +If you plan to perform a completely new installation of Debian onto a +machine and to do so using an encrypted root partition, you might want +to consider using a version of Debian Installer with partman-crypto +(see https://wiki.debian.org/DebianInstaller/PartmanCrypto). + +The installation will then take care of all the details and perform the +necessary configuration for you, meaning that you should not have to +read the rest of this document to get a machine with an encrypted +root filesystem up and running. + +However, if you are not planning to perform a new installation from scratch, +the following information might be useful to you. + + +3. Requirements +--------------- + +In order to boot from an encrypted root filesystem, you need an +initramfs-image which includes the necessary kernel modules and scripts to +setup the root device after the kernel has been initialized, but before the +rest of the operating system is booted. + +To do so, you need two partitions: +* an unencrypted `/boot` partition +* an encrypted `/` partition + +In addition, you need to have both initramfs-tools and busybox installed. + +NOTE: You should make sure that your swap partition is either encrypted, or +that you are using a swap file on an encrypted partition, as crypto keys and +other sensitive information might otherwise be written out to the swap +partition in unencrypted form. + + +4. Setup (regular dm-crypt) +--------------------------- + +First of all, you must edit `/etc/crypttab` and add a line describing your +root device, for example: + + cryptroot /dev/sda2 none cipher=aes-xts-plain64,size=256,hash=sha1 + +This will allow cryptsetup to create `/dev/mapper/cryptroot` from the +encrypted partition `/dev/sda2` during boot. + +In addition, you must also make sure that the root device is listed in +`/etc/fstab`, for example: + + /dev/mapper/cryptroot / ext4 defaults 0 1 + +This will allow the initramfs support scripts to know which of the devices +in the crypttab that is the root device. + +After doing these changes, you should regenerate the initramfs by running +`update-initramfs -u`, then make sure that your boot loader is configured +to feed the initramfs to the kernel when booting. The kernel root argument +should also be changed to `/dev/mapper/cryptroot`. + +Now, reboot the machine, and if everything is correctly configured, you +should be given a prompt to type in the passphrase for the encrypted +root partition before the boot can continue. + +NOTE: In order to ensure that the crypto setup works in a consistent +manner, you should make sure that the hash function is specified in the +/etc/crypttab file if you are using regular dm-crypt (with LUKS the hash +function to use is stored in the LUKS header). + + +5. Setup (using LUKS) +--------------------- + +If you are using the LUKS feature of cryptsetup, the above setup recipe should +still apply, but since most options can be derived from the information stored +in the LUKS header on-disk, the line to add to `/etc/crypttab` should look +something like this: + + cryptroot /dev/sda2 none luks,discard + + +6. Exotic key types +------------------- + +The above examples assume that you use a regular passphrase as the key to the +encrypted filesystem. However, if you wish to make use of more complex setups +(such as root-key-on-usb-memory), you can create a script which does all the +steps necessary to retrieve the key and then prints it to stdout. + +Then add a `keyscript=/path/to/your/script.sh` to the options (fourth column) +in the above mentioned `/etc/crypttab` line, so that it looks something like +this: + + cryptroot /dev/sda2 none luks,discard,keyscript=/usr/local/sbin/cryptkey + +Next, regenerate your initramfs image. This will copy the script into the +initramfs image under the `/lib/cryptsetup/keyscripts/` directory. + +NOTE: there is a limited set of tools available when the script is executing +as part of the initramfs bootup, you have to make sure that you do not use +any tools which are not available or your script, and therefore boot, will +fail. + + +7. "cryptopts" boot argument +---------------------------- + +In general, you should use the above approach with a line describing your +root partition in `/etc/crypttab` and `/etc/fstab`. However, if for some +reason you wish to override the settings that are derived from these files +and stored in the initramfs image, you can use the "cryptopts" boot argument +(this *only* works for the root partition). + +The format of cryptopts is: + + cryptopts=<opt1>[=<value1>],<opt2>[=<value2>]... + +Beside options from the 4th field of /etc/crypttab, the options +`target`, `source` and `key` are also supported: they respectively +correspond to the first, second and third field of /etc/crypttab. +Consult the crypttab manual page for further details. + +Several `cryptopts` boot arguments can also be specified in case more than +one mapping needs to be setup in the initramfs stage of the boot. + +Example boot arguments: + + root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/sda1,cipher=aes-xts-plain64,size=256,hash=sha1 + +In particular, if all `cryptopts` boot arguments have an empty value +then no mapping is setup. This can be used to disable the cryptsetup +initramfs scripts for a particular boot. + +8. Resume device support +------------------------ + +The initramfs scripts will also try to automatically determine the devices, +if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and +to set them up during the initramfs stage in order to allow suspend and resume +in combination with encryption to keep the resume image safe from potential +attackers. + +If your resume device and your root partition use two different cryptsetup +mappings, you might want to use the `decrypt_derived` keyscript as described +below. + +9. The `decrypt_derived` keyscript +---------------------------------- + +Assume that you have two entries in `/etc/crypttab`: + + cryptroot /dev/sda1 none luks,discard + cryptswap /dev/sda2 none luks + +If cryptswap is used as your suspend/resume device, you'd normally need to +enter two different passphrases during the boot, but the `decrypt_derived` +script can generate the key for the second mapping using a hash of the key +for the first mapping. + +In short, you'll need to do something like the following to take advantage +of the decrypt_derived script: + +1. `swapoff -a` +2. `cryptsetup luksClose cryptswap` +3. edit `/etc/crypttab` and change the cryptswap line to e.g.: + `cryptswap /dev/sda2 cryptroot cipher=aes-xts-plain65,size=256,hash=sha1,keyscript=decrypt_derived,swap` +4. `cryptdisks_start cryptswap` +5. Make sure that `/dev/mapper/cryptswap` has been created +6. `swapon -a` +7. (optional) `update-initramfs -u` + +After you've followed the above steps, your swap device should be setup +automatically after the root device has been setup during the boot stage. + +WARNING: If you use the decrypt_derived keyscript for devices with persistent +data (i.e. not swap or temp devices), then you will lose access to that data +permanently if something damages the LUKS header of the LUKS device you derive +from. The same applies if you luksFormat the device, even if you use the same +passphrase(s). A LUKS header backup, or better a backup of the data on the +derived device may be a good idea. See the Cryptsetup FAQ on how to do this +right. + +Note: The decrypt_derived keyscript won't work when the volume key of the +device being derived from is offloaded to the kernel keyring service (thus not +readable by userspace). That behavior is the default for LUKS2 devices (unless +opened with the `--disable-keyring` option) since Linux 4.10. For such devices, +an alternative is to use the same passphrase and unlock the source device using +the `decrypt_keyctl` keyscript. + +Note: If you don't use suspend device support, it's better to use completely +random keys for your encrypted swap device. See the section '2. Encrypted +swap partition(s)' in `/usr/share/doc/cryptsetup/README.Debian.gz` for +information on how to setup this. + +10. The `passdev` keyscript +---------------------------- + +If you have a keyfile on a removable device (e.g. a USB-key), you can use the +passdev keyscript. It will wait for the device to appear, mount it read-only, +read the key and then unmount the device. + +The `key` part of `/etc/crypttab` will be interpreted as `<device>:<path>[:<timeout>]`, +it is strongly recommended that you use one of the persistent device names from +`/dev/disk/*`, e.g. `/dev/disk/by-label/myusbkey`. + +This is an example of a suitable line in cryptsetup: + + cryptroot /dev/sda2 /dev/disk/by-label/myusbkey:/keys/root.key discard,cipher=aes-xts-plain64,size=256,hash=sha1,keyscript=passdev + +The above line would cause the boot to pause until `/dev/disk/by-label/myusbkey` +appears in the fs, then mount that device and use the file `/keys/root.key` +on the device as the key (without any hashing) as the key for the fs. + +The timeout option has to be in seconds. + +If any modules are required in order to mount the filesystem on the removable +device, then initramfs-tools needs to be configured to add these modules to +the initramfs. This can be done by listing the required modules in +`/etc/initramfs-tools/modules`. + +11. Limitation: renaming of target name for encrypted root device +----------------------------------------------------------------- + +As spotted by Adam Lee in bug report [#671037], it's not possible to simply +rename the target name for encrypted root devices. It breaks the initramfs +creation process. The bug report submitter found a solution to work around +this limitation: + +0. enter another system (like livecd) +1. open luks device with the new name, change the target name to the new one +2. chroot into it (now, the current target name is the same as it in conf) +3. `update-initramfs -u` +4. reboot + +[#671037]: https://bugs.debian.org/671037 + +12. Storing keyfiles directly in the initrd +------------------------------------------- + +Normally devices using a keyfile are ignored (with a loud warning), and +the key file itself is not included in the initrd, because the initramfs +image typically lives on an unencrypted `/boot` partition. However in +some cases it is desirable to include the key file in the initrd; for +instance recent versions of GRUB support booting from encrypted block +devices, allowing an encrypted `/boot` partition. + +Among the key files listed in the crypttab(5), those matching the value +of the environment variable KEYFILE_PATTERN (interpreted as a shell +pattern) will be included in the initramfs image. For instance if +`/etc/crypttab` lists two key files `/etc/keys/{root,swap}.key`, you can +add the following to `/etc/cryptsetup-initramfs/conf-hook` to add them to +the initrd. + + KEYFILE_PATTERN="/etc/keys/*.key" + +Furthermore if the initramfs image is to include private key material, +you'll want to create it with a restrictive umask in order to keep +non-privileged users at bay. This can be achieved by adding the +following to `/etc/initramfs-tools/initramfs.conf`. + + UMASK=0077 + + -- David Härdeman <david@hardeman.nu> + + -- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 13:44:31 +0100 + + -- Guilhem Moulin <guilhem@debian.org> Wed, 09 Dec 2015 04:53:41 +0100 diff --git a/debian/README.keyctl b/debian/README.keyctl new file mode 100644 index 0000000..6585c8b --- /dev/null +++ b/debian/README.keyctl @@ -0,0 +1,106 @@ +decrypt_keyctl +============== + +A passphrase caching script to be used in `/etc/crypttab` on Debian and Ubuntu. +When there are multiple cryptsetup (either plain or LUKS) volumes with the same +passphrase, it is an unnecessary task to input the passphrase more than once. + +Just add this script as keyscript to your `/etc/crypttab` and it will cache the +passphrase of all crypttab entries with the same identifier. + +Either copy decrypt_keyctl into the default search path for keyscripts from +cryptsetup /lib/cryptdisks/scripts/. So you can just write +`keyscript=decrypt_keyctl` in `/etc/crypttab`, or use a random path of your +choice and give the full path e.g `keyscript=/sbin/decrypt_keyctl`. + + +Requirements +------------ + +* Debian cryptsetup package with `/etc/crypttab` handling and keyscript option + * Tested with Debian Lenny, Squeeze and Sid +* Installed and working keyutils package (`keyctl`) + * Needs `CONFIG_KEYS=y` in your kernel configuration + +What For? +--------- + +In old (pre 2.6.38) kernels, dm-crypt used to be single threaded. Thus every +dm-crypt mapping only used a single core for crypto operations. To use the full +power of your many-core processor it is was necessary to split the dm-crypt +device. For Linux software raid arrays the easiest segmentation was to just put +the dm-crypt layer below the software raid layer. + +But with a 5 disk raid5 it is a rather daunting task to input the passphrase +five times. This is what this keyscripts solve for you. + +Usage +----- + +Best shown by example: + +* 5 disks +* Linux software raid5 + +Layer: + + sda sdb sdc ... sde + +-----------+ +-----------+ + | LUKS | | LUKS | + | +-------+ | | +-------+ | + | | RAID5 | | | | RAID5 | | + | | ... | | | | ... | | + +Crypttab Entries: + + <target> <source> <keyfile> <options> + sda_crypt /dev/sda2 main_data_raid luks,discard,keyscript=decrypt_keyctl + sdb_crypt /dev/sdb2 main_data_raid luks,discard,keyscript=decrypt_keyctl + ... + sde_crypt /dev/sde2 main_data_raid luks,discard,keyscript=decrypt_keyctl + + +How does it work +---------------- + +Crypttab Interface: + +A keyscript is added to options including a keyfile definition as third +parameter in the crypttab file. The keyscript is called with the keyfile as the +first and only parameter. Additionally there are a few environment variables +set but currently are not used by this keyscript (man 5 crypttab for exact +description). + +Keyscript: + +`decrypt_keyctl` uses the Linux kernel keyring facility to securely cache +passphrases between multiple invocations. +The keyfile parameter from crypttab is used to find the same passphrase +between multiple invocations. The term used to described the key in the user +keyring is `cryptsetup:$CRYPTTAB_KEY`, unless `$CRYPTTAB_KEY` is empty +or has the special value `none`, in which case the description is merely +`cryptsetup` (thus allowing compatibility with other tools like gdm and +systemd-ask-password(1).) + +Currently the cache timeout is 60 seconds and not configurable (please report a +bug if it is too low for you). + + +Problems +-------- + +Passphrase is piped between processes and could end up in unsecured memory, +thus later swapped to disk! => Use of cryptoswap recommend! + + +Hints +----- + +To remove all traces of this keyscript you may want to cleanup the keyring +completely with the following command afterwards: + + sudo keyctl clear @u + + -- Jonas Meurer <jonas@freesources.org> Mon, 27 Sep 2010 14:01:35 +0000 + + -- Guilhem Moulin <guilhem@debian.org> Tue, 25 Dec 2018 01:12:24 +0100 diff --git a/debian/README.opensc b/debian/README.opensc new file mode 100644 index 0000000..b8212b4 --- /dev/null +++ b/debian/README.opensc @@ -0,0 +1,124 @@ +opensc/pcscd with cryptsetup and LUKS on Debian +=============================================== + +This is an overview on how you can make use of cryptsetup with your +smartcard device supported by opensc/pcscd. + +I assume that you already have an initialized smartcard with a RSA key +that has the proper X509 properties for encryption set. To generate such +a key in hardware on the smartcard you should execute the following +command: + + pkcs15-init -G rsa/2048 -a [PIN id] -u sign,decrypt + +If your smart card doesn't support 2048 bit RSA just change the argument +to the largest size possible. + +The decrypt_opensc keyscript decrypts an encrypted key in your boot +partition with the private key on your smartcard. Therefore you have to +create a key for the partition that is to be decrypted using the +smartcard. As pkcs15-crypt does not seem to support PKCS1 padding, the +key is required to have the same size as your RSA key. For a 2048 bit +key use the following (the byte count is 256 as 2048/8 is 256): + + dd if=/dev/random of=/boot/keys/key bs=1 count=256 + +Now the key is added to the LUKS partition: + + cryptsetup luksAddKey /dev/sdXn /boot/keys/key + +Enter an already existing pass phrase and watch cryptsetup doing its +job. As we don't want the key in clear on the hard drive, we are going +to encrypt it with the public key to the key on the smartcard. +Read the public key first: + + pkcs15-tool --read-public-key [key id] -o pubkey + +Then encrypt the random data with the extracted key, destroy the +plain text one and remove your public key from the hard drive (it isn't +necessary to shred it as a potential attacker can't use your public key +for anything). + + openssl rsautl -in /boot/keys/key -inkey pubkey -pubin -raw \ + -encrypt -out /boot/keys/root + shred -u /boot/keys/key + rm -rf pubkey + +Now you'll have to edit `/etc/crypttab`. The format should be familiar but +I'll state it here again: + + name device /boot/keys/root luks,discard,keyscript=decrypt_opensc + +The modules needed by the reader should now be added to +`/etc/initramfs-tools/modules`, so they are loaded on boot time. For +example yenta_socket, pcmcia, pcmcia_core, serial_cs, rsrc_nonstatic for +PCMCIA card readers. + +In a perfect world you would just rebuild the initramfs now and it would +work. Unfortunately there are some additional issues to address. The +most important one is pcscd. Newer versions of pcscd use HAL and dbus to +detect readers. As most people (including me) aren't too enthusiastic +about adding these two daemons to the initramfs, we will rebuild the +daemon to use the traditional polling method with libusb. Again, this +step is only necessary if your reader uses pcscd (for example the +Gemalto PC Card readers). + +To do this, download the ccid and pcsc-lite packages from +https://pcsc-lite.alioth.debian.org/ + +Install the libusb header files, extract the tarballs and build pcscd +with the following commands: + + apt-get install libusb-dev + ./configure --disable-libhal --enable-libusb + make + make install + +Now go to the ccid directory and execute these commands (the option is +only need if you use the libccidtwin.so to access your reader: + + ./configure [--enable-twinserial] + make + make install + +This installs the new pcscd and it's libraries in `/usr/local/`. To +reflect the new situation we have to change the initramfs scripts. +Edit /etc/reader.conf to instruct `pcscd` to use the new libraries (they +should be in `/usr/local/pcsc/drivers/`) instead of the ones from the Debian +package. Replace everything after line 45 in +`/usr/share/initramfs-tools/hooks/cryptopensc` with the following chunk: + + for dir in etc/opensc usr/local/pcsc var/run tmp ; do + if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi + done + + # Install pcscd daemon, drivers, conf file + copy_exec /usr/local/sbin/pcscd + cp -r /usr/local/pcsc ${DESTDIR}/usr/local + cp /etc/reader.conf ${DESTDIR}/etc + cp -r /usr/local/lib ${DESTDIR}/usr/local + # Install opensc commands and conf file + copy_exec /usr/bin/opensc-tool + copy_exec /usr/bin/pkcs15-crypt + cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc + +Edit `/usr/share/initramfs-tools/scripts/local-bottom/cryptopensc` and +`/usr/share/initramfs-tools/scripts/local-top/cryptopensc` to use the new +binary in `/usr/local/sbin/pcscd` instead of `/usr/sbin/pcscd` and change +the path in the existence test to: + + if [ ! -x /usr/local/sbin/pcscd ]; then + exit 0 + fi + +If you have completed all the steps up to now, you can update your +initramfs image with: + + update-initramfs -u -k `uname -r` + +and reboot your machine. This leaves a backup of your old initramfs in +the boot partition if something doesn't work. If you have to debug your +initramfs during boot just append the `break=mount` option to the kernel +to have a debug shell just before the root partition would be mounted. + + -- Benjamin Kiessling <benjaminkiessling@bttec.org>, Sun, 26 Jul 2009 diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..f641e46 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,40 @@ +General maintenance + + This package is maintained in Git via the Alioth pkg-cryptsetup project. + Alioth is used only for repository access control and mailinglist hosting, + not for any of its other features. + + This package uses the "3.0 (quilt)" source format. + +Importing a new upstream release + + Since upstream release 1.7.2, we use cryptographically signed Git release + tags as basis for the Debian cryptsetup package. + + To import a new upstream release into our packaging repository, do the + following: + + 0. Ensure that you have the cryptsetup upstream Git repository available + as a remote in the Git repository where you're doing the packaging + work: + + git remote add upstream https://gitlab.com/cryptsetup/cryptsetup.git + + 1. Merge the newest upstream release tag (pass --upstream-version=$VERSION + if you want a specific upstream version) into the 'debian/latest' + branch of your packaging repository: + + gbp import-orig --uscan + + That commands does all the magic, namely + - updating the `upstream` remote, + - verifying the cryptographic signature on the upstream tag 'v$VERSION', + - creating a new tag 'upstream/$VERSION' with 'v$VERSION' as additional parent, and + - merging 'upstream/$VERSION' into 'debian/latest' + + N. After development and testing, the final packages to be uploaded to + Debian are built and tagged in the repository as follows: + + gbp buildpackage --git-tag + + -- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 13:39:49 +0200 diff --git a/debian/TODO.md b/debian/TODO.md new file mode 100644 index 0000000..8958ec2 --- /dev/null +++ b/debian/TODO.md @@ -0,0 +1,47 @@ +# TODO list + +* luks nuke feature + * https://www.kali.org/tutorials/nuke-kali-linux-luks/ + * https://pkg.kali.org/pkg/cryptsetup + * https://github.com/offensive-security/cryptsetup-nuke-keys + * TODO: + * review and improve original patch to address upstream's concerns + * http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/7184 + * patch luks2 functions to support it as well + * documentation in manpage (and README.Debian?) + * bash completion + +* systemd integration and future of cryptscripts + * patch cryptsetup.c in systemd to support cryptscripts? + * try the patches + * https://github.com/systemd/systemd/pull/3007#pullrequestreview-39358162 + * https://lists.freedesktop.org/archives/systemd-devel/2012-June/005693.html + * or completely remove cryptscripts feature from cryptsetup in Debian? + +* ephemeral swap encryption + +* improve test suite + +* cryptroot hook script: + - We should add parent device detection for ZFS (#820888) so users + don't have to manually add the 'initramfs' option to the crypttab. + + +## Old list + +* Would a fallback make sense? like when using any keyscript, try passphrase + in the case that it fails. if we implement that at all, never make it the + default, and warn about security issues in README.Debian. even explain that + backup passphrase keyslots thwart the extra security of keyfiles/keyscripts. + (#438481, #471729) + +* Implement something like 'ignore-if-no-device' to mount (/etc/fstab), and + thus support several situations where cryptsetup fails to setup a device: + -> the device is not attached at all + -> wrong passphrase/no keyfile available + -> timeouts arise + (#474120) + * seems like the fstab flag alread does exists: nofail. so reimplement + timeout? + +* Reimplement timeout support in a cleaner way? diff --git a/debian/askpass.c b/debian/askpass.c new file mode 100644 index 0000000..07826de --- /dev/null +++ b/debian/askpass.c @@ -0,0 +1,573 @@ +/* + * askpass.c - prompts a user for a passphrase using any suitable method + * and prints the result to stdout. + * + * Copyright (C) 2008 David Härdeman <david@hardeman.nu> + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _GNU_SOURCE +#define _DEFAULT_SOURCE +#define _POSIX_C_SOURCE 1 +#include <stdio.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <stdarg.h> +#include <stdlib.h> +#include <errno.h> +#include <stdbool.h> +#include <string.h> +#include <termios.h> +#include <sys/klog.h> +#include <sys/select.h> +#include <sys/ioctl.h> +#include <signal.h> +#include <sys/un.h> + +#define DEBUG 0 + +#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0])) + +static bool disable_method(const char *method); + +/***************************************************************************** + * Utility functions * + *****************************************************************************/ +static void +debug(const char *fmt, ...) +{ + va_list ap; + static bool first = true; + static FILE *dbgfile; + + if (!DEBUG) + return; + + if (first) { + first = false; + dbgfile = fopen("/tmp/askpass.debug", "a"); + } + + if (!dbgfile) + return; + + va_start(ap, fmt); + vfprintf(dbgfile, fmt, ap); + va_end(ap); +} + +static void +usage(const char *arg0, const char *errmsg) +{ + if (errmsg) + fprintf(stderr, "Error: %s\nUsage: %s PROMPT\n", errmsg, arg0); + else + fprintf(stderr, "Usage: %s PROMPT\n", arg0); + exit(EXIT_FAILURE); +} + +static void +fifo_common_finish(int fd, char **buf, size_t *used, size_t *size) +{ + if (fd >= 0) + close(fd); + + if (!*buf) + return; + + memset(*buf, '\0', *size); + free(*buf); + *buf = NULL; + *used = 0; + *size = 0; +} + +static bool +fifo_common_read(int fd, char **buf, size_t *used, size_t *size) +{ + ssize_t result; + +again: + if ((*size - *used) == 0) { + *size += 4096; + *buf = realloc(*buf, *size); + if (!*buf) { + *size = 0; + *used = 0; + debug("Failed to allocate memory for passphrase\n"); + return false; + } + } + +reread: + result = read(fd, *buf + *used, *size - *used); + + if (result < 0) { + if (errno == EAGAIN) + return false; + if (errno == EINTR) + goto reread; + debug("Error when reading from fifo\n"); + return false; + } + + debug("Read %i bytes from fifo\n", (int)result); + *used += result; + + if (result == 0) + return true; + + goto again; +} + +/***************************************************************************** + * systemd functions * + *****************************************************************************/ + +#define SYSTEMD_ASKPASS "/bin/systemd-ask-password" +static pid_t systemdpid; +static size_t systemdused = 0; +static size_t systemdsize = 0; +static char *systemdbuf = NULL; + +static int +systemd_prepare(const char *prompt) +{ + struct stat a, b; + int pipefds[2]; + + /* is systemd running? */ + if (lstat("/sys/fs/cgroup", &a) < 0) + return -1; + if (lstat("/sys/fs/cgroup/systemd", &b) < 0) + return -1; + if (a.st_dev == b.st_dev) + return -1; + + if (access(SYSTEMD_ASKPASS, X_OK)) + return -1; + + if (pipe(pipefds)) + return -1; + + systemdpid = fork(); + if (systemdpid < 0) { + close(pipefds[0]); + close(pipefds[1]); + return -1; + } + + if (systemdpid == 0) { + close(pipefds[0]); + if (dup2(pipefds[1], STDOUT_FILENO) < 0) + exit(EXIT_FAILURE); + execl(SYSTEMD_ASKPASS, SYSTEMD_ASKPASS, + "--timeout=0", prompt, (char*)NULL); + exit(EXIT_FAILURE); + } + + close(pipefds[1]); + return pipefds[0]; +} + +static bool +systemd_read(int fd, char **buf, size_t *size) +{ + debug("In systemd_read\n"); + if (fifo_common_read(fd, &systemdbuf, &systemdused, &systemdsize)) { + /* systemd likes to include the terminating newline */ + if (systemdused >= 1 && systemdbuf[systemdused - 1] == '\n') { + systemdbuf[systemdused - 1] = '\0'; + systemdused--; + } + *buf = systemdbuf; + *size = systemdused; + return true; + } + + return false; +} + +static void +systemd_finish(int fd) +{ + kill(systemdpid, SIGTERM); + fifo_common_finish(fd, &systemdbuf, &systemdused, &systemdsize); +} + +/***************************************************************************** + * plymouth functions * + *****************************************************************************/ + +#define PLYMOUTH_PATH "/bin/plymouth" +static pid_t plymouthpid; +static size_t plymouthused = 0; +static size_t plymouthsize = 0; +static char *plymouthbuf = NULL; + +static int +plymouth_prepare(const char *prompt) +{ + int pipefds[2]; + + if (access(PLYMOUTH_PATH, X_OK)) + return -1; + + if (system(PLYMOUTH_PATH" --ping")) + return -1; + + /* Plymouth will add a ':' if it is a non-graphical prompt */ + char *prompt2 = strdup(prompt); + int len = strlen(prompt2); + if (len > 1 && prompt2[len-2] == ':' && prompt2[len - 1] == ' ') + prompt2[len - 2] = '\0'; + else if (len > 0 && prompt2[len - 1] == ':') + prompt2[len - 1] = '\0'; + + if (pipe(pipefds)) + return -1; + + plymouthpid = fork(); + if (plymouthpid < 0) { + close(pipefds[0]); + close(pipefds[1]); + return -1; + } + + if (plymouthpid == 0) { + close(pipefds[0]); + if (dup2(pipefds[1], STDOUT_FILENO) < 0) + exit(EXIT_FAILURE); + execl(PLYMOUTH_PATH, PLYMOUTH_PATH, + "ask-for-password", "--prompt", prompt2, (char*)NULL); + exit(EXIT_FAILURE); + } + free(prompt2); + + close(pipefds[1]); + return pipefds[0]; +} + +static bool +plymouth_read(int fd, char **buf, size_t *size) +{ + debug("In plymouth_read\n"); + if (fifo_common_read(fd, &plymouthbuf, &plymouthused, &plymouthsize)) { + *buf = plymouthbuf; + *size = plymouthused; + return true; + } + + return false; +} + +static void +plymouth_finish(int fd) +{ + kill(plymouthpid, SIGKILL); + fifo_common_finish(fd, &plymouthbuf, &plymouthused, &plymouthsize); +} + +/***************************************************************************** + * fifo functions * + *****************************************************************************/ +#define FIFO_PATH "/lib/cryptsetup/passfifo" +static size_t fifoused = 0; +static size_t fifosize = 0; +static char *fifobuf = NULL; + +static void +fifo_finish(int fd) +{ + fifo_common_finish(fd, &fifobuf, &fifoused, &fifosize); +} + +static bool +fifo_read(int fd, char **buf, size_t *size) +{ + debug("In fifo_read\n"); + if (fifo_common_read(fd, &fifobuf, &fifoused, &fifosize)) { + *buf = fifobuf; + *size = fifoused; + return true; + } + + return false; +} + +static int +fifo_prepare(const char *prompt) +{ + int ret; + + ret = mkfifo(FIFO_PATH, 0600); + if (ret && errno != EEXIST) + return -1; + + return open(FIFO_PATH, O_RDONLY | O_NONBLOCK); +} + +/***************************************************************************** + * console functions * + *****************************************************************************/ +#define CONSOLE_PATH "/dev/console" +static struct termios term_old; +static bool term_set = false; +static char *consolebuf = NULL; +static size_t consolebuflen = 0; + +static void +console_finish(int fd) +{ + if (consolebuf) { + memset(consolebuf, '\0', consolebuflen); + free(consolebuf); + consolebuf = NULL; + consolebuflen = 0; + } + + if (!term_set || fd < 0) + return; + + term_set = false; + tcsetattr(fd, TCSAFLUSH, &term_old); + fprintf(stderr, "\n"); + klogctl(7, NULL, 0); +} + +bool +console_read(int fd, char **buf, size_t *size) +{ + ssize_t nread; + + /* Console is in ICANON mode so we'll get entire lines */ + nread = getline(&consolebuf, &consolebuflen, stdin); + + if (nread < 0) { + clearerr(stdin); + return false; + } + + /* Strip trailing newline, if any */ + if (nread > 0 && consolebuf[nread - 1] == '\n') { + nread--; + consolebuf[nread] = '\0'; + } + + *size = nread; + *buf = consolebuf; + + return true; +} + +static int +console_prepare(const char *prompt) +{ + struct termios term_new; + const char *prompt_ptr = prompt; + char *newline = NULL; + + if (!isatty(STDIN_FILENO)) { + if (access(CONSOLE_PATH, R_OK | W_OK)) { + debug("No access to console device " CONSOLE_PATH "\n"); + return -1; + } + + if (!freopen(CONSOLE_PATH, "r", stdin) || + !freopen(CONSOLE_PATH, "a", stdout) || + !freopen(CONSOLE_PATH, "a", stderr) || + !isatty(STDIN_FILENO)) { + debug("Failed to open console\n"); + return -1; + } + } + + if (tcgetattr(STDIN_FILENO, &term_old)) { + debug("Failed to get terminal settings\n"); + return -1; + } + + term_new = term_old; + term_new.c_lflag &= ~ECHO; + term_new.c_lflag |= ICANON; + + if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_new)) { + debug("Failed to disable echoing\n"); + return -1; + } + + /* handle any non-literal embedded newlines in prompt */ + while ( (newline = strstr(prompt_ptr,"\\n")) != NULL ) { + /* Calculate length of string leading up to newline. */ + int line_len = newline - prompt_ptr; + + /* Force trimming of prompt to location of newline. */ + if (fwrite(prompt_ptr, line_len, 1, stderr) < 1 || + fwrite("\n", 1, 1, stderr) < 1) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Skip over newline. */ + prompt_ptr = newline + 2; + } + if (fputs(prompt_ptr, stderr) < 0) { + debug("Failed to print prompt\n"); + tcsetattr(STDIN_FILENO, TCSAFLUSH, &term_old); + return -1; + } + + /* Disable printk to console */ + klogctl(6, NULL, 0); + term_set = true; + return STDIN_FILENO; +} + +/***************************************************************************** + * main functions * + *****************************************************************************/ + +struct method { + const char *name; + int (*prepare)(const char *prompt); + bool (*read)(int fd, char **buf, size_t *size); + void (*finish)(int fd); + bool no_more; + bool active; + bool enabled; + int fd; +}; + +static struct method methods[] = { + { "systemd", systemd_prepare, systemd_read, systemd_finish, true, false, true, -1 }, + { "fifo", fifo_prepare, fifo_read, fifo_finish, false, false, true, -1 }, + { "plymouth", plymouth_prepare, plymouth_read, plymouth_finish, true, false, true, -1 }, + { "console", console_prepare, console_read, console_finish, false, false, true, -1 } +}; + +static bool +disable_method(const char *method) +{ + int i; + bool result = false; + + debug("Disabling method %s\n", method ? method : "ALL"); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + /* A NULL method means all methods should be disabled */ + if (method && strcmp(methods[i].name, method)) + continue; + if (!methods[i].enabled) + continue; + if (methods[i].active) + methods[i].finish(methods[i].fd); + + methods[i].active = false; + methods[i].fd = -1; + methods[i].enabled = false; + result = true; + } + + return result; +} + +int +main(int argc, char **argv, char **envp) +{ + char *pass = NULL; + size_t passlen = 0; + int i; + int nfds; + fd_set fds; + int ret; + bool done = false; + sigset_t sigset; + + if (argc != 2) + usage(argv[0], "incorrect number of arguments"); + + sigfillset(&sigset); + sigprocmask(SIG_BLOCK, &sigset, NULL); + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled) + continue; + debug("Enabling method %s\n", methods[i].name); + methods[i].fd = methods[i].prepare(argv[1]); + if (methods[i].fd < 0) { + methods[i].active = false; + methods[i].enabled = false; + } else { + methods[i].active = true; + methods[i].enabled = true; + if (methods[i].no_more) + break; + } + } + + while (!done) { + nfds = 0; + FD_ZERO(&fds); + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + debug("method %i has fd %i and name %s\n", i, methods[i].fd, methods[i].name); + FD_SET(methods[i].fd, &fds); + if (methods[i].fd + 1 > nfds) + nfds = methods[i].fd + 1; + } + + if (nfds == 0) { + debug("All methods disabled\n"); + exit(EXIT_FAILURE); + } + + debug("Starting select with nfds %i\n", nfds); + ret = select(nfds, &fds, NULL, NULL, NULL); + + if (ret <= 0) { + if (ret == 0 || errno == EINTR) + continue; + debug("Select failed\n"); + disable_method(NULL); + exit(EXIT_FAILURE); + } + + for (i = 0; i < ARRAY_SIZE(methods); i++) { + if (!methods[i].enabled || methods[i].fd < 0) + continue; + if (!FD_ISSET(methods[i].fd, &fds)) + continue; + if (methods[i].read(methods[i].fd, &pass, &passlen) && pass) { + done = true; + break; + } + } + } + + debug("Writing %i bytes to stdout\n", (int)passlen); + if (write(STDOUT_FILENO, pass, passlen) == -1) { + disable_method(NULL); + exit(EXIT_FAILURE); + } + disable_method(NULL); + exit(EXIT_SUCCESS); +} + diff --git a/debian/bash_completion/cryptdisks_start b/debian/bash_completion/cryptdisks_start new file mode 100644 index 0000000..679c302 --- /dev/null +++ b/debian/bash_completion/cryptdisks_start @@ -0,0 +1,42 @@ +# cryptdisks_{start,stop} completion by first column of crypttab +# +# Copyright 2013 Claudius Hubig <cl_crds@chubig.net>, 2-clause BSD + +_cryptdisks() { + local action="$1" t + for t in $( awk -vt="${COMP_WORDS[COMP_CWORD]}" \ + '($1 !~ /^#/ && index($1,t) == 1) {print $1}' \ + "${TABFILE-"/etc/crypttab"}" ); do + if [ "$action" = start -a ! -e "/dev/mapper/$t" ] || + [ "$action" = stop -a -e "/dev/mapper/$t" ]; then + COMPREPLY+=( "$t" ) + fi + done + return 0; +} + +_cryptdisks_start() { + local i include_options=y + COMPREPLY=() + for (( i=0; i < COMP_CWORD-1; i++ )); do + if [ "${COMP_WORDS[i]}" = "--" ] || [[ "${COMP_WORDS[i]}" != -* ]]; then + include_options=n + break + fi + done + if [ "$include_options" = "y" ]; then + for i in "-r" "--readonly" "--"; do + if [[ "$i" == "${COMP_WORDS[COMP_CWORD]}"* ]]; then + COMPREPLY+=( "$i" ) + fi + done + fi + _cryptdisks start "$@" +} +_cryptdisks_stop() { + COMPREPLY=() + _cryptdisks stop "$@"; +} + +complete -F _cryptdisks_start cryptdisks_start +complete -F _cryptdisks_stop cryptdisks_stop diff --git a/debian/bug-script b/debian/bug-script new file mode 100644 index 0000000..302afdf --- /dev/null +++ b/debian/bug-script @@ -0,0 +1,38 @@ +#!/bin/bash + +cat <<EOF + +Providing additional information can help diagnose problems with cryptsetup. +Specifically, this would include: +- kernel cmdline (copy of /proc/cmdline). +- crypttab configuration (copy of /etc/crypttab). +- fstab configuration (copy of /etc/fstab). +If this information is not relevant for your bug report or you have privacy +concerns, please choose no. + +EOF + +yesno "Do you want to provide additional information [Y|n]? " yep +[ "$REPLY" = yep ] || exit 0 + +exec >&3 + +echo "-- /proc/cmdline" +cat /proc/cmdline +echo + +if [ -r /etc/crypttab ]; then + echo "-- /etc/crypttab" + cat /etc/crypttab + echo +fi + +if [ -r /etc/fstab ]; then + echo "-- /etc/fstab" + cat /etc/fstab + echo +fi + +echo "-- lsmod" +lsmod +echo diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..19f59dc --- /dev/null +++ b/debian/changelog @@ -0,0 +1,3671 @@ +cryptsetup (2:2.6.1-4~deb12u2) bookworm; urgency=medium + + [ Michael Biebl ] + * cryptsetup-suspend-wrapper: Don't error out on missing + /lib/systemd/system-sleep directory as systemd 254.1-3 and later no longer + ship empty directories. (Closes: #1050606) + + [ Kevin Locke ] + * cryptsetup-initramfs: Add support for compressed kernel modules, which is + the default as linux-image 6.6.4-1~exp1. (Closes: #1036049, #1057441) + + [ Guilhem Moulin ] + * add_modules(): Change suffix drop logic to match initramfs-tools. + * Fix DEP-8 tests with kernels shipping compressed modules. + * d/salsa-ci.yml: Set RELEASE=bookworm. + + -- Guilhem Moulin <guilhem@debian.org> Mon, 18 Dec 2023 03:41:04 +0100 + +cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium + + * Rebuild for Bookworm. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 21 Apr 2023 00:54:29 +0200 + +cryptsetup (2:2.6.1-4) unstable; urgency=medium + + * Backport upstream MR !498, see #1028250: + + 7893c33d: Check for physical memory available also in PBKDF benchmark. + + 6721d3a8: Use only half of detected free memory on systems without swap. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 20 Apr 2023 23:46:08 +0200 + +cryptsetup (2:2.6.1-3~deb12u1) bookworm; urgency=medium + + * Rebuild for Bookworm. + * d/gbp.conf: Set 'debian-branch = debian/bookworm'. + * #1032221 can't be fixed via unstable since libcryptsetup12-udeb 2:2.6.1-3 + has "Depends: libargon2-1-udeb (>= 0~20190702)" which won't transition to + testing, so instead the release team asked for a t-p-u upload. + + -- Guilhem Moulin <guilhem@debian.org> Sun, 26 Mar 2023 19:18:59 +0200 + +cryptsetup (2:2.6.1-3) unstable; urgency=medium + + [ Guilhem Moulin ] + * initramfs hook: Fix copy_libgcc_argon2() on non merged-/usr systems. + (Closes: #1032518) + * Backport upstream MR !490, see #1028250: + + 27f8e5c0: Try to avoid OOM killer on low-memory systems without swap + + 899bad8c: Print warning when keyslot requires more memory than available + * d/t/initramfs-hook: Pass `-xdev` to `find "$INITRD_DIR"` in order to solve + a race condition in that autopkgtest. + + [ Remus-Gabriel Chelu ] + * Add Romanian debconf templates translation. (Closes: #1031497) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 13 Mar 2023 23:43:50 +0100 + +cryptsetup (2:2.6.1-2) unstable; urgency=medium + + * initramfs hook: Explicitly call copy_libgcc(). The recent libargon2-1 + upgrade is built with glibc ≥2.34 hence no longer links libpthread. This + in turns means that initramfs-tool's copy_exec() is no longer able to + detect pthread_*() need and thus doesn't copy libgcc_s.so anymore. So we + need to do it manually instead. Closes: #1032221 + + -- Guilhem Moulin <guilhem@debian.org> Thu, 02 Mar 2023 05:01:53 +0100 + +cryptsetup (2:2.6.1-1) unstable; urgency=medium + + * New upstream bugfix release. + * d/README.Debian: Explicitly set cswap1's device type to 'plain'. + (Closes: #1025136) + * d/control: Update standards version to 4.6.2, no changes needed. + * d/clean: Add some gitignore(5)'d files. (Closes: #1026838) + * cryptgnupg-sc hook: Look terminfo file in /usr/share/terminfo in adition + to /lib/terminfo, see #1028202. (Closes: 1028234) + * d/copyright: Bump copyright years. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 10 Feb 2023 00:50:42 +0100 + +cryptsetup (2:2.6.0-2) unstable; urgency=low + + * libcryptsetup-dev: Add 'Depends: libargon2-dev, libblkid-dev, + libdevmapper-dev, libjson-c-dev, libssl-dev, uuid-dev' to account for + libcryptsetup.pc's Requires.private. Closes: #1025054. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 15:42:25 +0100 + +cryptsetup (2:2.6.0-1) unstable; urgency=low + + * New upstream release 2.6.0. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 29 Nov 2022 01:20:38 +0100 + +cryptsetup (2:2.6.0~rc0-1) experimental; urgency=medium + + * New upstream release candidate 2.6.0, introducing support for handling + macOS FileVault2 devices (FVAULT2). The new version of FileVault based on + the APFS filesystem used in recent macOS versions is currently not + supported: only the (legacy) FileVault2 format based on Core Storage and + HFS+ filesystem (introduced in MacOS X 10.7 Lion) is supported. Moreover + header formatting and changes are not supported; cryptsetup never changes + the metadata on the device. + Closes: #923513. + * Update d/copyright for 2:2.6.0~rc0-1. + * Ship cryptsetup-fvault2Dump(8) and cryptsetup-fvault2Open(8) to + cryptsetup-bin binary package. + * Update d/libcryptsetup12.symbols for 2:2.6.0~rc0-1. + * Add 'fvault2' flag to crypttab(5) to force detection of Apple's FileVault2 + volumes. + * d/rules: Add new target execute_before_dh_auto_test so blhc ignores + compilations of tests/*.c. + * d/u/metadata: Set 'Security-Contact' upstream metadata field. + + -- Guilhem Moulin <guilhem@debian.org> Sat, 19 Nov 2022 17:30:40 +0100 + +cryptsetup (2:2.5.0-6) unstable; urgency=medium + + * d/t/cryptroot-*: Mask systemd-firstboot.service. + * d/t/cryptroot-*: Use camel case for apt.conf(5) settings. + * d/t/cryptroot-*: _apt(): Sort apt.conf(5) settings. + * d/t/cryptroot-*: Honor apt_preferences(5) settings under autopkgtest. + * d/t/cryptroot-*: init: bind mount temporary filesystems to fix + autopkgtests with systemd 252. (Closes: #1022970) + + -- Guilhem Moulin <guilhem@debian.org> Fri, 28 Oct 2022 19:30:14 +0200 + +cryptsetup (2:2.5.0-5) unstable; urgency=medium + + * d/t/cryptroot-*: Bump setup timeout to 3600s so autopkgtests don't fail on + debci runners lacking KVM support. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 20:01:50 +0200 + +cryptsetup (2:2.5.0-4) unstable; urgency=medium + + * suspend.conf: Improve description and typofix. + * d/t/cryptroot-*: Fix race condition between creating new partition and + using them. + * d/t/cryptroot-*: Fail the test after a reasonable timeout. + (Closes: #1020714) + * d/t/cryptroot-*: setup_apt(): Add 'Identifier: Packages' to `apt-get + indextargets` filter. + * cryptsetup-suspend-wrapper: Explicitly disable udev support when resuming. + (Closes: #1020553) + * d/t/cryptroot-*: Pin versions for all packages in PKGS_EXTRA that are part + of src:cryptsetup. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Oct 2022 01:14:30 +0200 + +cryptsetup (2:2.5.0-3) unstable; urgency=low + + * d/t/cryptroot-*: Disable VGA card on the guest. + * d/t/cryptroot-*: Communicate with guests on /dev/hvc0 and remove + console=hvc0 from the kernel command line to get a noise-free channel. + * d/t/cryptroot-*: poweroff(): Use poweroff(8) not `echo o + >/proc/sysrq-trigger`. + * d/t/cryptroot-*: hibernate(): Use systemctl(1) not `echo disk + >/sys/power/state`. + * d/t/cryptroot-*: Use a separate logfile for each communication channel. + * Refactor d/t/utils/mock.pm and add QMP support; this adds 'Depends: + libjson-perl' to cryptroot-* autopkgtests. + * d/t/cryptroot-*: Use the QMP "quit" command to destroy guests early. + * d/t/cryptroot-*: Start getty on /dev/hvc0 only (not /dev/ttyS0) in + non-interactive mode. + * d/t/cryptroot-*: Remove console=tty0 from the kernel command line. + * d/t/cryptroot-*: Mask all timer units to avoid cluttering test + environments with background jobs. + * d/t/cryptroot-lvm: Also test cryptsetup-suspend (enter to and resume from + S3 state). + * d/t/cryptroot-*: Simplify login prompt regex. + * d/t/cryptroot-*: Use $' when consuming input buffers. + * Salsa CI: Include recipes/debian.yml. + * Salsa CI: Remove redundant variable RELEASE=unstable. + * Salsa CI: Re-enable autopkgtest job with partial coverage. + * cryptsetup-suspend-wrapper: Improve quoting. + * cryptsetup-suspend-wrapper: Use crypttab_find_entry()'s return status. + * d/copyright: Improve wording. + * d/copyright: Fix license for d/scripts/suspend/cryptsetup-suspend.c . + * Add license headers for d/scripts/suspend/*. + * Relicense own code from GPLv2+ to GPLv3+. + * cryptsetup-suspend-wrapper: Don't bindmount temporary filesystems. + * cryptsetup-suspend-wrapper: Improve $INITRAMFS_DIR detection and cleanup. + * cryptsetup-suspend-wrapper: Improve TODO comment. + * d/t/cryptroot-*: Add a network device in interactive mode. + * d/t/cryptroot-lvm: Test I/O on the root FS after wakeup to make sure the + device is not suspended. + * cryptsetup-suspend-wrapper: Harden chroot environment: mount ramfs + read-only and with the 'nodev' option, make it unbindable, and use a + restrictive root mode. + * initramfs hook: Remove duplicate unmangling. + * initramfs hook: populate_CRYPTO_HASHES(): Add missing call to + crypttab_parse_options(). + * d/functions: crypttab_parse_options(): Always reset $CRYPTTAB_TYPE. + * cryptsetup-suspend-wrapper: Ignore $KEEP_INITRAMFS if a newer initrd is + detected. + * d/functions: resume_device(): Fix resuming by keyscript. + * d/functions: Refactor resume_device() and freeze_cgroups(). + * cryptsetup-suspend-wrapper: Don't copy /lib/firmware if it already exists + in the initrd. + * cryptsetup-suspend-wrapper: Don't treat udevd specially as luksResume now + appears to work when udevd is still frozen. + * cryptsetup-suspend-wrapper: Populate ACTIVE_DEVICES via callback. + * cryptsetup-suspend-wrapper: Use FD3 to list remaining devices. + * d/t/utils/debootstrap: Strip colon and suffix from package (Pre-)Depends. + * d/t/utils/debootstrap: Remove obsolete comment and Pre-Depends. + * d/t/cryptroot-*: Manually create merged-/usr layout and install + usr-is-merged. + + -- Guilhem Moulin <guilhem@debian.org> Sun, 18 Sep 2022 23:01:46 +0200 + +cryptsetup (2:2.5.0-2) unstable; urgency=low + + [ Matthias Klose ] + * Add support for 'noudeb' build profile. (Closes: #983318) + + [ Christoph Anton Mitterer ] + * initramfs hook: align busybox check on klibc-utils's hook. + + [ Benjamin Drung ] + * initramfs hook: Fix broken compatibility with OpenSSL3 when cryptsetup + needs legacy hashes (currently ripemd160 and whirlpool). (LP: #1979159) + + [ Guilhem Moulin ] + * New DEP-8 test for crude checks of the initramfs hook. + * Minor changes to the legacy.so inclusion logic. + * DEP-8: Add checks for OpenSSL's legacy.so inclusion. + * d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,). + * initramfs boot script: Remove custom LVM handling. Since 2.03.15-1 lvm2 + doesn't ship an initramfs boot script anymore and relies solely on udev + rules instead. We therefore don't have to manually activate LVs/VGs + anymore, but cryptsetup-initramfs now conflicts with earlier lvm2 + versions. (Closes: #928943) + * Override lintian tag 'conflicts-with-version' given the above. + * initramfs hook: Don't overwrite crypttab(5) source to /dev/mapper/$NAME + for mapped devices. (Closes: #1016455) + * initramfs hook: Preserve crypttab source specifications and devices + starting with /dev/disk/by- or /dev/mapper/. + * d/README.initramfs: Improve section about cryptopts= kernel parameter. + * d/Debian.README: Mention that systemd masks /etc/init.d/cryptdisks. + (Closes: #1010708) + * Rename systemd_cryptsetup-suspend.conf to systemd/cryptsetup-suspend.conf. + * cryptsetup-suspend-wrapper: Fix grep calls in some corner cases such as + template cgroups. + * cryptsetup-suspend-wrapper: Avoid double slash in cgroup paths. + * cryptsetup-suspend-wrapper: Consolidate style. + * d/t/cryptroot-*: Relax the kernel.deb regex to account for release + candidates. + * d/t/cryptroot-*: Add more partition type GUIDs. + * d/t/cryptroot-*: Improve sources.list(5) generation. + * d/t/cryptroot-*: Make APT repository Origin and URI configurable. + * d/t/cryptroot-*: Start udevd before setting up the guest. + * d/t/cryptroot-*: Use a separate /run partition when bootstrapping. + * Run `chmod +x d/t/cryptdisks d/t/utils/init` for consistency. + * d/t/cryptroot-*.d/config: Remove 'cryptsetup' from PKGS_EXTRA as it's only + needed for cryptroot-sysvinit. + * d/t/cryptroot-sysvinit: Rename 'rootfs.key' keyfile to 'homefs.key' which + better describes the purpose of the keyfile. + * d/t/cryptroot-*: Replace /target with '$ROOT'. + * d/t/cryptroot-*: Rename 'testvg' Volume Group to 'cryptvg'. + * d/t/cryptroot-*: Add note about testing cryptsetup-suspend. + * d/t: Add convenience wrapper script for local cryptroot-* test runs. + * New DEP-8 test for LVM-on-MD-on-LUKS2 layout backed by 4 independently + encrypted partitions (all unlocked at initramfs stage). + * New DEP-8 test for a complex nested block device stack. + * Salsa CI: Disable autopkgtest job for now. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 09 Aug 2022 01:40:50 +0200 + +cryptsetup (2:2.5.0-1) unstable; urgency=medium + + * New upstream release. (Closes: #1000634, #1011128) + * d/copyright: Fix licence for tokens/ssh/cryptsetup-ssh.c. + * Remove patches applied upstream. + * Rename 'ssh-plugin-test' to 'ssh-test-plugin'. + * Add DEP-8 tests for cryptroot unlocking at early boot stage. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 29 Jul 2022 16:31:23 +0200 + +cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium + + * DEP-8: Add 'Features: test-name=' in order to name inline tests. + * d/t/control: Add 'Restrictions: rw-build-tree' to upstream-testsuite. + * d/control: Remove cryptsetup-reencrypt from cryptsetup-bin package + description since the utility was removed upstream in v2.5.0-rc1. + * d/changelog: Retroactively correct 2:2.4.0~rc0-1+exp1 entry. + * Update d/patches with what's landed upstream since v2.5.0-rc1. + * d/patches, d/rules: Pass $(LDFLAGS) when building fake_token_path.so and + no longer silence blhc(1) for test files. + * Move SSH token plugin stuff into new binary package 'cryptsetup-ssh'. + That plugin is arguably not useful for everyone and we can save the + 'Depends: libssh-4' on cryptsetup-bin by moving cryptsetup-ssh(8) and + libcryptsetup-token-ssh.so to a separate package. Since LUKS2 SSH token + support was added after the Bullseye release, and since it is still in + experimental stage, we don't let cryptsetup-bin or cryptsetup depend on + the new binary package. Users who need that feature will need to install + it manually. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200 + +cryptsetup (2:2.5.0~rc1-2) experimental; urgency=medium + + * localtest: Treat skipped tests as failure for full coverage. + * d/watch: Add uversionmangle option for release candidates. + * unit-wipe-test: Skip DIO tests when the file system doesn't support + O_DIRECT. This is needed on the buildds where the source tree appears to + be on a tmpfs. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 20:49:13 +0200 + +cryptsetup (2:2.5.0~rc1-1) experimental; urgency=low + + * New upstream release candidate 2.5.0. Highlights include: + + Remove cryptsetup-reencrypt(8) executable, use `cryptsetup reencrypt` + instead (for both LUKS1 and LUKS2). + + Split manual pages into per-action pages, for instance cryptsetup-open.8 + which can be consulted with `man cryptsetup open`. + + Add LUKS2 encryption removal support with `cryptsetup reencrypt + --decrypt`. + + Preserve unknown metadata option (features implemented in more recent + cryptsetup releases) during reencryption. + * Salsa CI's deploy stage: Use a Bullseye image. + * Salsa CI's deploy stage: Use apt-get(8) not apt(8). + * Salsa CI's deploy stage: Replace `cp` with `install`. + * Salsa CI's reprotest job: Remove '--no-diffoscope' flag. + * Salsa CI's reprotest job: Update reason for running under 'nocheck' build + profile. + * d/README.source: Update text to reflect current practices. + * DEP-8: Run installed binaries and libraries through the full upstream test + suite (needs machine-level isolation). + * Retroactivately add NEWS.Debian for #949336. + * d/t/control: Add 'Depends: xxd' for 'Tests: cryptdisks' stanza. + * foreach_cryptdev(): Process each device *after* its slaves. + * do_stop(): Remove device holders beforehand. (Closes: #1006802) + * Fix space damage. + * d/u/metadata: Add FAQ URL. + * Refresh lintian overrides to accommodate lintian v2.115. + * d/control: New Build-Depends: asciidoctor (unless under 'nodoc' build + profile). + * d/cryptsetup.docs: Fix FAQ filename. + * Move usr/share/man/*/* glob to debian/*.manpages where it belongs. + * Update d/libcryptsetup12.symbols. + * Bump Standards-Version to 4.6.1 (no changes needed). + * Update d/copyright. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jul 2022 01:49:59 +0200 + +cryptsetup (2:2.4.3-1) unstable; urgency=high + + [ Guilhem Moulin ] + * New upstream security release 2.4.3, with fix for CVE-2021-4122: + decryption through LUKS2 reencryption crash recovery. (Closes: #1003685, + #1003686) + * Remove cryptsetup-initramfs.preinst. (Closes: #1001063) + + [ Christoph Anton Mitterer ] + * d/rules: don't expand here-document. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 13 Jan 2022 19:07:05 +0100 + +cryptsetup (2:2.4.2-1) unstable; urgency=high + + * New upstream bugfix release 2.4.2. + * d/control: Replace Build-Depends on removed package libsepol1-dev with + libsepol-dev. (Closes: #999815) + * blkid/un_blkid checks: Ignore large offsets when converting from sectors + to bytes. + * crypttab(5): Formatting fix. + * Refresh d/copyright. + * Refresh lintian overrides to accommodate lintian v2.112. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 18 Nov 2021 17:15:08 +0100 + +cryptsetup (2:2.4.1-1) unstable; urgency=medium + + [ Guilhem Moulin ] + * New upstream bugfix release 2.4.1. + * d/rules: + + Use execute_after_dh_* from Debhelper compatibility level 13 when + relevant. + + Skip documentation generation under nodoc profile. + + Add new target execute_before_dh_auto_test so blhc ignores compilations + of tests/*.c. + * d/cryptsetup-initramfs.lintian-overrides: Refresh for lintian 2.107.0. + * crypttab(5): + + Improve documentation about escape sequences. + + Document that keyscript= can also take an absolute path. + (Closes: #994219) + + Document that keyscript's exit status is ignored. + + Various typo fixes and manpages improvements. + * initramfs: Add new hook configuration option ASKPASS=[Yn] to opt out from + askpass inclusion. (Closes: #994486) + * d/cryptsetup-initramfs.post*: Replace `which` with `command -v`. + * Merge debian/experimental branch and bring cryptsetup-suspend to sid. + * d/bash_completion: s/mawk/awk/. We're only using the POSIX subset so any + implementation should work. (Closes: #993374) + * Add DEP-8 tests for cryptdisks_start and cryptdisks_stop covering most of + d/functions and d/cryptdisks-functions. The testbed requires + 'isolation-machine' restriction since we need to load kernel modules and + create loop devices. + * d/gbp.conf, d/watch: Explicitly use gzip compression. + + [ Christoph Anton Mitterer ] + * d/functions: Export _CRYPTTAB_* to the keyscript's environment. + + [ Lukas Schwaighofer ] + * initramfs: Honor activation/auto_activation_volume_list setting. + (Closes: #993725) + + [ Thorsten Glaser ] + * blkid/un_blkid checks: Honor offset= option. (Closes: #994056) + + -- Guilhem Moulin <guilhem@debian.org> Fri, 08 Oct 2021 14:27:03 +0200 + +cryptsetup (2:2.4.0-1+exp1) experimental; urgency=medium + + * Upload to experimental. + * d/rules: Prefix /lib/systemd/system-shutdown/cryptsetup-suspend.shutdown + with /usr to fix FTBS with debhelper 13.4; see #992469. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 22:55:02 +0200 + +cryptsetup (2:2.4.0-1) unstable; urgency=low + + [ Guilhem Moulin ] + * New upstream release. + * Salsa CI: Set SALSA_CI_BLHC_ARGS to avoid failing when *test* files are + built without the "right" LDFLAGS. + * Remove obsolete upstart configuration files on upgrade and purge. + (Closes: #990490) + * d/*.{pre,post}*: Explicitly exit with status code 0. + * d/copyright: Set field Upstream-Name. + * d/control: Bump Standards-Version to 4.6.0 (no changes necessary). + * d/control: Remove cryptsetup-run from cryptsetup's Recommends. + (Closes: #987769) + * d/control: Demote cryptsetup-initramfs from cryptsetup's Recommends to + Suggests. This concludes the package split started in 2:2.0.3-1 during + the Buster release cycle. + + [ Ayla Ounce ] + * Add support for --perf_* flags to initramfs. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 19 Aug 2021 03:11:11 +0200 + +cryptsetup (2:2.4.0~rc1-1+exp1) experimental; urgency=medium + + * New upstream release candidate. + * d/copyright: Update file. + * d/cryptsetup.docs: Add upstream's README.md. + * d/TODO.md: Remove implemented `luksSuspend` integration. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 30 Jul 2021 02:37:32 +0200 + +cryptsetup (2:2.4.0~rc0-1+exp1) experimental; urgency=medium + + * New upstream release candidate 2.4.0. Highlights include: + + Support for external libraries (plugins) for handling LUKS2 token + objects. + + Experimental SSH token handler and cryptsetup-ssh(8) utility (resp. + shipped in the 'cryptsetup' and 'cryptsetup-bin' binary packages) as a + demonstration of the external LUKS2 token interface. This adds + libssh-dev to build-depends. + + Change default LUKS2 PBKDF to Argon2id from Argon2i. + + Increase minimal memory cost for Argon2 benchmark to 64MiB (suggested + value in Argon2 RFC). + + Autodetect optimal encryption sector size on LUKS2 format. + + integritysetup: add integrity-recalculate-reset flag. + + cryptsetup: retains keyslot number in luksChangeKey for LUKS2. + + Add close --deferred and --cancel-deferred options. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 06 Jul 2021 10:18:17 +0200 + +cryptsetup (2:2.3.6-1+exp1) experimental; urgency=medium + + * New upstream bugfix release. (Closes: #949336) + + -- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200 + +cryptsetup (2:2.3.5-1+exp1) experimental; urgency=medium + + * Upload to experimental. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 11 Mar 2021 23:36:01 +0100 + +cryptsetup (2:2.3.5-1) unstable; urgency=medium + + * New upstream bugfix release. (Closes: #985581) + * d/watch: Monitor upstream tags rather than tarballs. + * d/gbp.conf: Set 'upstream-vcs-tag' to add upstream tag as additional + parent. + * Simplify d/README.source in accordance with the above. + * Rename d/upstream-signing-key.asc to d/upstream/signing-key.asc as uscan + is now able to verify git tags. + * encrypted-boot.md: Clarify how to solve double password prompt for the + device holding /boot. + * d/copyright: Update copyright year. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 02 Apr 2021 23:43:41 +0200 + +cryptsetup (2:2.3.4-2+exp1) experimental; urgency=medium + + * Upload to experimental. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:55:25 +0100 + +cryptsetup (2:2.3.4-2) unstable; urgency=medium + + [ Guilhem Moulin ] + * d/control: Remove Build-Depends: dh-exec. In compatibility level 13 + Debhelper supports variable expansion, which was why we used dh-exec in + the first place. + * libcryptsetup-dev: Install libcryptsetup.so to /lib/$DEB_HOST_MULTIARCH + not /usr/lib/$DEB_HOST_MULTIARCH (closes: #978585), and override + subsequent lintian warning per #843932. + * d/*.install: Replace wildcard with $DEB_HOST_MULTIARCH for consistency. + * d/cryptsetup.lintian-overrides: Rename "init.d-script-does-not-implement- + optional-option $FOO status" tags to "init.d-script-does-not-implement- + status-option $FOO". + * Bump Standards-Version to 4.5.1 (no changes necessary). + * d/cryptdisks-functions: Rename left-over loop_cryptdevs() to + foreach_cryptdev(). Regression from 2:2.3.0-1. (Closes: #974591) + * Initramfs boot script: Drop `lvm vgchange`'s --ignoreskippedcluster flag + which is now a no-op. + * Make d/cryptsetup-initramfs.preinst mangling idempotent. + * Rename Debian resp. upstream branch to debian/latest resp. upstream/latest + for DEP-14 compliance. + * Rename d/gitlab-ci.yml to d/salsa-ci.yml. + * Consolidate d/gbp.conf. + * cryptsetup-initramfs now requires initramfs-tools 0.137 or later and no + longer copies libgcc_s.so.1 to the initrd since recent initramfs-tools + take care of it. + * Add libcryptsetup.la to debian/not-installed. + + [ Guilherme G. Piccoli ] + * Initramfs boot script: Fix a deadlock when cryptroot would wait at + local-top stage for a device to appear, while the device would only be + created at local-block stage. This can be the case in dm-crypt-over-MD + scenario when booting the RAID array in degraded mode. (Closes: #933059) + + [ Felix C. Stegerman ] + * Fix typo in README.gnupg-sc + + -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 19:16:40 +0100 + +cryptsetup (2:2.3.4-1+exp1) experimental; urgency=medium + + * Upload to experimental. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:55:41 +0200 + +cryptsetup (2:2.3.4-1) unstable; urgency=high + + * New upstream bugfix release, including fix for CVE-2020-14382: + possible out-of-bounds memory write while validating LUKS2 data + segments metadata on 32-bits platforms. (Closes: #969471) + + -- Guilhem Moulin <guilhem@debian.org> Fri, 04 Sep 2020 00:30:40 +0200 + +cryptsetup (2:2.3.3-3+exp3) experimental; urgency=medium + + * d/control: Make cryptsetup-suspend explicitly depend on + initramfs-tools-core as we use unmkinitramfs(8) in the wrapper. + * systemd-suspend.service override: Set OOMScoreAdjust to -1000 to + disable OOM killing of processes of the unit. Thanks, ಚಿರಾಗ್. + (Closes: #968569) + * d/doc/cryptsetup-suspend.xml: Document that key material included in the + initramfs image will remain unencrypted (see #969286). + + -- Guilhem Moulin <guilhem@debian.org> Mon, 31 Aug 2020 00:09:10 +0200 + +cryptsetup (2:2.3.3-3+exp2) experimental; urgency=medium + + * d/control: Typofix in cryptsetup-suspend's long description. + (Closes: #968455) + * d/control: Make cryptsetup-suspend explicitly depend on kbd as we use + openvt(1) in the systemd-suspend.service override. (Closes: #969226) + * d/*: Run wrap-and-sort(1). + * d/scripts/suspend/cryptsetup-suspend-wrapper: + + Parse /proc/meminfo in a single pass using shell builtins rather than + calling awk(1). + + Use "/boot/initrd.img-$(uname -r)" as path to the initrd instead of + deriving it from the kernel command line. BOOT_IMAGE's value is + relative to the boot's loader viewpoint, which might differ from that of + the main system. + + run_dir(): Prefer find(1)'s -execdir option over -exec. + + Conditionally remove/copy firmware into the initramfs image. + (Closes: #969270) + * d/rules: Build our scripts with `-Wall -Werror`. + * d/cryptsetup-suspend.{postinst,postrm}: Call `systemctl daemon-reload`, + which appears to be needed on upgrades. (dh_installsystemd(1) doesn't + support overrides so we manually copy the snippet it would add.) + + -- Guilhem Moulin <guilhem@debian.org> Sun, 30 Aug 2020 18:01:49 +0200 + +cryptsetup (2:2.3.3-3+exp1) experimental; urgency=medium + + * Add new binary package 'crypsetup-suspend', which implements support + to luksSuspend LUKS devices before ACPI S3 system suspend. + + See the cryptsetup-suspend(7) manpage for further information. + + -- Jonas Meurer <jonas@freesources.org> Wed, 12 Aug 2020 21:29:31 +0200 + +cryptsetup (2:2.3.3-2) unstable; urgency=medium + + [ Helmut Grohne ] + * d/control: Annotate Build-Depends with <!nocheck>. (Closes: #964092) + + [ Guilhem Moulin ] + * d/rules: Build with `--with-tmpfilesdir` to force installing + usr/lib/tmpfiles.d/cryptsetup.conf instead of picking the source from + scripts/cryptsetup.conf. This fixes FTBS in environments containing + systemd. (Closes: #968250) + * Add 'bitlk' flag in crypttab(5) to force detection of Windows BitLocker + volumes. (Closes: #967853) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 12 Aug 2020 00:22:59 +0200 + +cryptsetup (2:2.3.3-1) unstable; urgency=medium + + [ Guilhem Moulin ] + * New upstream bugfix release. + * d/scripts/decrypt_derived: Remove useless call to `| tr -d '\n'`. + * d/control: Bump debhelper compatibility level to 13. Remove + debian/tmp/lib/$DEB_HOST_MULTIARCH/libcryptsetup.la as we don't install it + anywhere. + + [ Rob Pilling ] + * d/scripts/decrypt_derived: + + move an error message to standard error so it's not accidentally used as + a key + + exit with a success code when successful + + -- Guilhem Moulin <guilhem@debian.org> Thu, 04 Jun 2020 01:41:44 +0200 + +cryptsetup (2:2.3.2-1) unstable; urgency=medium + + * New upstream release. + * debian/control: Set 'Rules-Requires-Root: no'. + * d/initramfs/hooks/cryptroot: Unconditionally copy 'ecb' kernel module + when the host CPU lacks AES-NI support. On such systems XTS needs ECB. + This is a work around for #883595 on kernels 4.10 and later. + (Closes: #959423) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 06 May 2020 16:22:01 +0200 + +cryptsetup (2:2.3.1-1) unstable; urgency=medium + + * New upstream release. + * d/initramfs/hooks/cryptroot: Don't set unused variable LIBC_DIR. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 24 Mar 2020 02:07:07 +0100 + +cryptsetup (2:2.3.0-1) unstable; urgency=low + + * New upstream release, introducing support for BitLocker-compatible + devices (BITLK format) used in Windows systems. + WARNING: crypttab(5) support for these devices is currently *experimental* + and requires blkid from util-linux >=2.33 (i.e., Buster or later). These + devices currently have no keyword to use in the 4th field (unlike 'luks' + or 'plain'), the device type is inferred from the signature instead. + * crypttab(5): Make the 4th field (options) optional so we don't have to + introduce a new keyword for each new device type. (That field is also + optional in the systemd implementation.) Other fields (dm target name, + source device, and key file) remain required. + * Install cryptdisks_{start,stop} bash completion scripts to the right + path/name so they are loaded automatically. This was no longer the case + since 2:1.7.0-1. (Closes: #949623) + * d/*.install: Replace tabs with spaces. + * d/cryptdisks-functions: Fix broken $FORCE_START handling. Since + 2:2.0.3-2 the SysV init scripts' "force-start" option was no longer + overriding noauto/noearly. (Closes: #933142) + * Move some functions to d/function from the initramfs hook. + * SysV init scripts: skip devices holding the root FS and/or /usr during the + shutdown phase; these file systems are still mounted at this point so any + attempt to gracefully close the underlying device(s) is bound to fail. + (Closes: #916649, #918008) + * Bump Standards-Version to 4.5.0 (no changes necessary). + + -- Guilhem Moulin <guilhem@debian.org> Wed, 04 Mar 2020 00:48:19 +0100 + +cryptsetup (2:2.2.2-3) unstable; urgency=high + + * initramfs hook: Workaround fix for the libgcc_s's source location. + (Closes: #950628, #939766.) Fixing #950254 will provide a better + solution. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 04 Feb 2020 14:11:12 +0100 + +cryptsetup (2:2.2.2-2) unstable; urgency=medium + + [ Guilhem Moulin ] + * d/initramfs/hooks/cryptroot: On initramfs images built with MODULES=dep, + include the IV generator found in the cipher specification when there is a + matching kernel module. On 5.4 kernels ESSIV isn't implemented in + dm_crypt anymore, but by a dedicated 'essiv' module which thus needs to be + available in order to unlock dm-crypt target using 'aes-cbc-essiv:sha256'. + Closes: #948593. + + [ Debian Janitor ] + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, + Repository-Browse. + + -- Guilhem Moulin <guilhem@debian.org> Sat, 18 Jan 2020 20:53:19 +0100 + +cryptsetup (2:2.2.2-1) unstable; urgency=medium + + * New upstream bugfix release. + * debian/control: + + Add 'procps' to the Build-Depends since the upstream test suite uses + free(1). + + Bump Standards-Version to 4.4.1 (no changes necessary). + + -- Guilhem Moulin <guilhem@debian.org> Fri, 01 Nov 2019 19:32:36 +0100 + +cryptsetup (2:2.2.1-1) unstable; urgency=medium + + * New upstream bugfix release. + * Remove d/patches, applied upstream. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 06 Sep 2019 13:28:55 +0200 + +cryptsetup (2:2.2.0-3) unstable; urgency=medium + + * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on + 32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 26 Aug 2019 12:53:45 +0200 + +cryptsetup (2:2.2.0-2) unstable; urgency=medium + + * debian/control: Add 'Multi-Arch: foreign' tag to the transitional dummy + package 'crytsetup-run'. + * debian/control, debian/compat: Bump debhelper compatibility level to 12. + * debian/rules: Remove dh_makeshlibs(1) override; debhelper 12.3's auto + detection feature subsumes our use of --add-udeb=. This fixes FTBFS with + debhelper 12.5. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 21 Aug 2019 22:45:12 +0200 + +cryptsetup (2:2.2.0-1) unstable; urgency=medium + + * New upstream release 2.2.0. Highlights include: + + New LUKS2 online reencryption extension, allowing reencryption of + mounted LUKS2 devices. + + Optional global serialization lock for memory hard PBKDF, to workaround + situations when multiple devices are unlocked in parallel, possibly + exhausting memory and triggering the OOM killer. (Cf. #924560.) + + Add integritysetup support for bitmap mode (Linux >=5.2). + + Reduce keyslots area size in luksFormat when the header device is too + small. + * Remove d/patches, applied upstream. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 15 Aug 2019 09:31:55 +0200 + +cryptsetup (2:2.1.0-8) unstable; urgency=medium + + * encrypted-boot.md: + + Clarify partition layout. + + encrypted-boot.md: New section 'Using a custom keyboard layout'. + * d/gbp.conf: New section [export-orig] mirroring [buildpackage]. + * d/gitlab-ci.yml: Add 'publish' stage and make yamllint(1) happy. + * d/patches: Backport upstream commit c03e3fe8 so libcryptsetup's + crypt_keyslot_add_by_volume_key() also works a on LUKS2 header where all + bound key slots were deleted, like it does for LUKS1. (Closes: #934715) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 14 Aug 2019 16:34:23 +0200 + +cryptsetup (2:2.1.0-7) unstable; urgency=low + + * debian/cryptsetup.NEWS: Mention the 'cryptsetup' and 'cryptsetup-run' + package swap. + * debian/control: Add 'cryptsetup-initramfs' to 'cryptsetup's Recommends:, + so upgrading systems pull it automatically on upgrade. (cryptsetup + <2:2.1.0-6 was a dummy transitional package depending on cryptsetup-run + and cryptsetup-initramfs.) Closes: #932643. + * debian/control: Add 'cryptsetup-run' to 'cryptsetup's Recommends. This + avoids it being removed by `apt upgrade --autoremove` from <2:2.1.0-6, + thus avoids the old cryptsetup-run's prerm script showing a scary (but + moot) warning. After upgrading the prerm script is gone and the package + can be removed without troubles, so we can get rid of it after Bullseye. + (Closes: #932625.) + * cryptsetup-initramfs: Add loud warning upon "prerm remove" if there are + mapped crypt devices (like for cryptsetup.prerm). + * Thanks to David Prévot for helping with the upgrade path! + + -- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 21:21:10 -0300 + +cryptsetup (2:2.1.0-6) unstable; urgency=low + + * debian/control: + + Add 'Multi-Arch: foreign' tags to 'cryptsetup-bin' and 'crytsetup-run', + as binaries from these packages are architecture independent. + (Closes: #930115) + + Add 'Build-Depends: jq, xxd' as the jq(1) and xxd(1) executables are + required for some upstream tests (skipped if the executables are not + found in $PATH). + + Swap 'cryptsetup' and 'cryptsetup-run' packages: the former now contains + init scripts, libraries, keyscripts, etc. while the latter is now a + transitional dummy package. + + Remove obsolete cryptsetup.maintscript. + + Bump Standards-Version to 4.4.0 (no changes necessary). + * debian/*: + + Fix path names for /usr/share/doc/cryptsetup*/**. (Closes: #904916). + + Remove compatibility warnings regarding setting 'CRYPTSETUP' in + the initramfs hook configuration. The variable is no longer honored, + and cryptsetup is always integrated to the initramfs when the + 'cryptsetup-initramfs' package is installed. + * debian/doc/pandoc/encrypted-boot.md: Minor refactoring. + * debian/gitlab-ci.yml: Adapt pandoc flags to Debian 9 (pass '-S'). + * debian/initramfs/conf-hook: Clarify that KEYFILE_PATTERN isn't expanded + for crypttab(5) entries with a 'keyscript=' option. (Closes: #930696) + * debian/doc/crypttab.xml: Point to README.initramfs in the "See Also" + section. (Closes: #913233) + + -- Guilhem Moulin <guilhem@debian.org> Sat, 20 Jul 2019 22:15:04 -0300 + +cryptsetup (2:2.1.0-5) unstable; urgency=medium + + [ Jonas Meurer ] + * debian/README.*: Fix markdown formatting issues + * Copy https://wiki.debian.org/CryptsetupDebug to debian/README.debug + + [ Guilhem Moulin ] + * d/README.Debian: New section "Unlocking LUKS devices from GRUB" pointing + to https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html . + + -- Guilhem Moulin <guilhem@debian.org> Mon, 10 Jun 2019 14:51:15 +0200 + +cryptsetup (2:2.1.0-4) unstable; urgency=medium + + [Guilhem Moulin] + * d/initramfs/hooks/cryptroot: Always add userspace crypto module + ('algif_skcipher' kernel module) to the initramfs. This module is + required for required for opening LUKS2 devices, and since 2:2.0.2-2 it's + added to large initramfs (i.e., when the MODULES variable isn't set to + "dep"). It's now added regardless of the value of $MODULES, as 1/ LUKS2 + is the default LUKS header format version; and 2/ we can't check at + initramfs creation time whether there are LUKS2 devices to be opened at + early boot stage (detached headers might not be present then). + Closes: #929616. + + [Jonathan Dowland] + * Update package descriptions to reflect the move of luksformat from + cryptsetup-bin to cryptsetup-run. Closes: #928751. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 28 May 2019 17:04:16 +0200 + +cryptsetup (2:2.1.0-3) unstable; urgency=medium + + * d/scripts/decrypt_opensc: Fix standard output poisoning. Thanks to Nils + Mueller for the report and patch. (Closes: #926573.) + * d/initramfs/hooks/cryptopensc: Ensure that libpcsclite.so is copied to the + initramfs on non-usrmerge systems. (Closes: #928263.) + + -- Guilhem Moulin <guilhem@debian.org> Tue, 30 Apr 2019 21:20:47 +0200 + +cryptsetup (2:2.1.0-2) unstable; urgency=medium + + * debian/copyright: + + Update copyright years. + + Add OpenSSL linking exception, in accordance with upstream's "COPYING" + and "COPYING.LGPL" files. Since 2:2.1.0-1 the cryptsetup binaries and + library are linked against libssl, which is the new upstream default + backend for LUKS header processing. + * debian/askpass.c: in the console backend, clear stdin's end-of-file + indicator before calling getline() again. Thanks to Ken Milmore for the + detailed report and patch. (Closes: #921906.) + + -- Guilhem Moulin <guilhem@debian.org> Thu, 28 Feb 2019 22:32:43 +0100 + +cryptsetup (2:2.1.0-1) unstable; urgency=medium + + * New upstream release. Highlights include: + - The on-disk LUKS format version now defaults to LUKS2 (use `luksFormat + --type luks1` to use LUKS1 format). Closes: #919725. + - The cryptographic backend used for LUKS header processing is now libssl + instead of libgcrypt. + - LUKS' default key size is now 512 in XTS mode, half of which is used for + block encryption. XTS mode uses two internal keys, hence the previous + default key size (256) caused AES-128 to be used for block encryption, + while users were expecting AES-256. + + [ Guilhem Moulin ] + * Add docs/Keyring.txt and docs/LUKS2-locking.txt to + /usr/share/doc/cryptsetup-run. + * debian/README.Debian: Mention that for non-persistent encrypted swap one + should also disable the resume device. + * debian/README.initramfs: Mention that keyscript=decrypt_derived normally + won't work with LUKS2 sources. (The volume key of LUKS2 devices is by + default offloaded to the kernel keyring service, hence not readable by + userspace.) Since 2:2.0.3-5 the keyscript loudly fails on such sources. + * decrypt_keyctl keyscript: Always use our askpass binary for password + prompt (fail instead of falling back to using stty or `read -s` if askpass + is not available). askpass and decrypt_keyctl are both shipped in our + 'cryptsetup-run' and 'cryptsetup-udeb' binary packages, and the cryptsetup + and askpass binaries are added together to the initramfs image. + * decrypt_keyctl: Document the identifier used in the user keyring: + "cryptsetup:$CRYPTTAB_KEY", or merely "cryptsetup" if "$CRYPTTAB_KEY" is + empty or "none". The latter improves compatibility with gdm and + systemd-ask-password(1). + * debian/*: run wrap-and-sort(1). + * debian/doc/crypttab.xml: mention `cryptsetup refresh` and the `--persistent` + option flag. + * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary). + + [ Jonas Meurer ] + * Update docs about 'discard' option: Mention in manpage, that it's enabled + per default by Debian Installer. Give advice to add it to new devices in + /etc/crypttab and add it to crypttab example entries in the docs. + + -- Guilhem Moulin <guilhem@debian.org> Sat, 09 Feb 2019 00:40:17 +0100 + +cryptsetup (2:2.0.6-1) unstable; urgency=medium + + * New upstream bugfix release. Highlights include: + - Fix support of larger metadata areas in LUKS2 header. + - Fix checking of device size alignment and hash & AEAD algorithms to + avoid formatting devices that later cannot be activated. + - Fix cryptsetup-reencrypt interrupt handling. + - Allow Adiantum cipher construction (require Linux 4.21 or later). + + -- Guilhem Moulin <guilhem@debian.org> Mon, 03 Dec 2018 20:16:07 +0100 + +cryptsetup (2:2.0.5-2) unstable; urgency=medium + + * debian/initramfs/hooks/*: Skip call to copy_file() when the target already + exists (as the function return value 1 in the case). + * OpenPGP Smartcard support, based on work by Peter Lebbing and Erik + Nellessen. (Closes: #888916, #903163.) + * Move header presence check to crypttab_parse_options() from + unlock_mapping(). Having the presence checks in unlock_mapping() caused + dummy password prompts in interactive mode when the LUKS header file was + missing. Regression since 2:2.0.3-2. (Closes: #914458.) + + -- Guilhem Moulin <guilhem@debian.org> Sat, 24 Nov 2018 18:34:42 +0100 + +cryptsetup (2:2.0.5-1) unstable; urgency=medium + + * New upstream release. + * Remove d/patches/Disable-blockwise-compat-test-as-it-s-FS-dependent.patch + as the test suite no longer fails on misaligned I/O in O_DIRECT mode. + (Cf. upstream issue #403.) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 29 Oct 2018 12:21:00 +0100 + +cryptsetup (2:2.0.4-3) unstable; urgency=medium + + [ Guilhem Moulin ] + * debian/initramfs/hooks/cryptroot: + + Make _CRYPTTAB_* variables local to crypttab_find_and_print_entry(). + (Closes: #907243.) + + Silence the warning that honoring CRYPTSETUP="[y|n]" in the config is + deprecated when the variable is set to "y". (Keep the warning when it's + set to "n" though.) Closes: #908220. + * debian/functions: Make get_crypt_type() set variable CRYPTTAB_TYPE to the + type of crypt device ("luks" / "plain" / "tcrypt"). + * debian/initramfs/scripts/local-top/cryptroot: Don't complain that + (successful) unlocking of a LUKS device doesn't yield a known file system. + The check is preserved for plain dm-crypt devices and tcrypt devices. + (Closes: #906283.) + * debian/control: Bump Standards-Version to 4.2.1 (no changes necessary). + * debian/doc/crypttab.xml: Improve formatting. + * debian/cryptsetup-run.lintian-overrides: Remove unused override + init.d-script-possible-missing-stop (x2). + * debian/libcryptsetup12.symbols: Add "Build-Depends-Package: + libcryptsetup-dev" field. + + [ Helmut Grohne ] + * Fix FTCBFS: Supply $(CC) from dpkg's buildtools.mk. (Closes: #911042) + + [ Dimitri John Ledkov ] + * Implement support for `cryptsetup --sector-size` in crypttab(5). + LP: #1776626. + + -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Oct 2018 17:45:35 +0200 + +cryptsetup (2:2.0.4-2) unstable; urgency=medium + + * debian/cryptsetup-initramfs.preinst: Don't try to overwrite + /etc/cryptsetup-initramfs/conf-hook if that file doesn't exist. (The fix + for #905188 broke 2:2.0.4-1's instability on sid.) Closes: #905514. + * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary). + + -- Guilhem Moulin <guilhem@debian.org> Tue, 07 Aug 2018 17:25:30 +0200 + +cryptsetup (2:2.0.4-1) unstable; urgency=medium + + * New upstream release. Add 'libblkid-dev' to Build-Depends since + libcryptsetup and utilities are now linked to libblkid. + * debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer + from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3. + (Closes: #905188.) + + -- Guilhem Moulin <guilhem@debian.org> Sun, 05 Aug 2018 04:59:10 +0800 + +cryptsetup (2:2.0.3-7) unstable; urgency=medium + + * debian/scripts/gen-ssl-key: avoid storing temporary key file on disk. + * debian/initramfs/*, debian/scripts/*: improve quoting. + * debian/initramfs/cryptroot-unlock: Normalize paths before comparison. + This fixes usage on initramfs images with an usrmerge layout, such as + images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes: + #904926.) + * debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return + gracefully if $TABFILE doesn't exist. + + -- Guilhem Moulin <guilhem@debian.org> Mon, 30 Jul 2018 16:32:07 +0800 + +cryptsetup (2:2.0.3-6) unstable; urgency=medium + + * debian/TODO.md: Remove mention of parent device detection for mdadm + (#629236) as it's fixed since 2:2.0.3-2. + * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo + fixes. + * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to + add configure flag '--disable-internal-tests'. The internal test suite is + run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment + variable contains the string "nocheck". + * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot: + When the 2nd column of a crypttab entry denodes a block special device, + resolve the device but don't convert it to /dev/block/$major:$minor. + (Closes: #903246.) + * debian/initramfs/hooks/cryptroot: + + Treat null device numbers as invalid in resolve_device(), cf. + /Documentation/admin-guide/devices.txt in the kernel source tree. + + generate_initrd_crypttab(): add '\n' to the local IFS since + get_resume_devno() prints one major:minor pair per line. + * debian/initramfs/scripts/local-{top,bottom}/cryptopensc: + + Save process ID of the pcscd daemon at local-top stage, and kill it at + local-bottom stage. Thanks to Pascal Vibet for the patch. + (Closes: #903574.) + + Fix path to the pcscd executable (the fix for #880750 was incomplete). + * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone + since 2:2.0.3-2. + * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use + $CRYPTTAB_NAME not $crypttarget). + + -- Guilhem Moulin <guilhem@debian.org> Fri, 13 Jul 2018 22:10:43 +0200 + +cryptsetup (2:2.0.3-5) unstable; urgency=medium + + [ Jonas Meurer ] + * debian/askpass.c, debian/scripts/passdev.c, debian/rules: + + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE + + Drop c99 std, as the default is now higher than that + * debian/control: + + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from + libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically. + + [ Guilhem Moulin ] + * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the + disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf. + crypttab(5). + * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a + read-only mapping. Cf. `cryptsetup --readonly`. + * debian/initramfs/hooks/cryptroot: + + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for + key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified + in the crypttab options. Regression since 2:2.0.3-2. (Closes: #902733.) + + Avoid processing entries multiple times in get_crypttab_entry(), which + could happen with 'keyscript=decrypt_derived' for instance. + + Don't complain that the sysfs dir can't be found when the hook failed to + normalize the device (another warning is shown already). + + If source device is mapped (for instance if it's a logical volume), put + its dm name into the initrd crypttab. LVM2's local-block script doesn't + work with UUIDs, and giving it a VG+LV is better anyway as we avoid to + activate all volumes at initramfs stage. (Closes: #902943.) + * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or + unset then no key file is copied. + * debian/initramfs/*, debian/functions, debian/cryptdisks-functions: + + Use major:minor device IDs internally, as this facilitate discovery of + sysfs directories, and we don't have to take care of the udev mangling. + + Decode octal sequences when reading /etc/crypttab or /etc/fstab. This + means that key files and option values can contain blanks and special + characters encoded as octal sequences. + + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate + code. + * debian/functions: If the key file is a symlink, warn about insecure + permissions of the target, not the link itself. + * debian/scripts/decrypt_derived: For devices with keys in the kernel + keyring (e.g., LUKS2 by default), refuse to derive anything. + * debian/patches/disable-internal-tests.patch: Add configure option + '--disable-internal-tests' to disable the internal test suite. + * debian/rules: Don't run upstream's internal test suite if + $DEB_BUILD_OPTIONS contains the string "skip-internal-tests". (Tests are + still run by default.) + * debian/cryptdisks-functions: Restore support for crypttab(5) entries with + regular files as source device. Regression since 2:2.0.3-2. + (Closes: #902879.) + * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary). + + -- Guilhem Moulin <guilhem@debian.org> Sat, 07 Jul 2018 01:47:57 +0200 + +cryptsetup (2:2.0.3-4) unstable; urgency=low + + * debian/initramfs/hooks/cryptroot: + + Fix typo in warning message. (Closes: #901971.) + + sysfs_devdir(): don't croak when the normalized device pathname isn't of + the form /dev/$blk. This is the case in the Debian installer, where the + devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device + instead of a symlink to /dev/dm-$index. + + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the + sysfs directory corresponding to the device) rather than /sys/block/$blk. + While the latter is present for mapped devices, it's not present for + block devices corresponding to disk partitions. See sysfs(5) for + details. (Closes: #902183.) + + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to + get the UUID of a dm-crypt device's slave (it's normal with plain + dm-crypt devices). + + get_crypttab_entry(): don't warn that key file doesn't exist if it's + e.g., an existing character special device. + * debian/functions:unlock_mapping(): translate crypttab(5) option + 'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which + doesn't set the key size but the size of the device in number of 512 byte + sectors). Regression since 2:2.0.3-2. (Closes: #902245.) + * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions, + debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count. Some + keyscripts (such as decrypt_keyctl) don't work properly if on first try + the CRYPTTAB_TRIED environment variable isn't set to 0. Regression since + 2:2.0.3-2. (Closes: #902116.) + * debian/scripts/decrypt_keyctl: replace the source device path with the + mapped device name in messages, to match the new askpass behavior. + + -- Guilhem Moulin <guilhem@debian.org> Sun, 24 Jun 2018 22:48:41 +0200 + +cryptsetup (2:2.0.3-3) unstable; urgency=low + + [ Jonas Meurer ] + * debian/*: run wrap-and-sort(1) + * debian/control: + + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to + cryptsetup-run. Needed since we moved luksformat between the + packages. (Closes: #901773) + + Remove all traces of package 'cryptsetup-luks' from dependency + headers. This package has never been part of an official Debian + release and the time it existed is more than 12 years ago. + + Remove Conflicts/Breaks headers from the split of cryptsetup into + cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting + version is from Debian Wheezy, which means that there's three + releases in between. We don't support dist-upgrades with skipped + releases anyway. + + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run. + + Remove versioned depends of libcryptsetup12 on libgcrypt20 and + libgpg-error0. Both versions are satisfied since more than three + releases. + + Remove versioned build-depends on docbook-xsl, dpkg-dev, + libdevmapper-dev, libgcrypt20-dev and libtool. All versions are + satisfied since more than three releases. + * debian/*: Change maintainer contact address to @alioth-lists.debian.net. + + [ Guilhem Moulin ] + * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends + fields. (2:2.0.2-2 was never released, the version we released after the + package split was 2:2.0.3-1.) + * debian/initramfs/cryptroot-script: exit immediately when + /lib/cryptsetup/functions is not present. (Closes: #901830.) + * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid + manually excluding mapped devices using another subsystem. + * d/initramfs/hooks/cryptroot: + + Fix parser for cipher specifications in mapping table of crypt targets. + In particular, the cipher mode wasn't parsed properly, potentially + causing missing modules in initrd.img compiled with MODULES=dep. + Regression introduced in 2:2.0.3-2. (Closes: #901884.) + + Print a warning when the mapping table specifies the cipher in kernel + crypto API format ("capi:" prefix). We don't support these yet. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 20 Jun 2018 17:22:36 +0200 + +cryptsetup (2:2.0.3-2) unstable; urgency=medium + + The "nights are long in summer" cryptsetup sprint release :-) + + Guilhem and Jonas hacked together for three days (and nights), refactored + almost all of the cryptsetup packages, squashed (at least) 19 bugs and + started work on several new features. Yay! + + [ Guilhem Moulin ] + * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends: + (Closes: #901641.) + * debian/initramfs/*-hook: complete refactoring. Common functions are now in + /lib/cryptsetup/functions (source-able from shell scripts). + (Closes: #784881.) + * debian/initramfs/cryptroot-hook: + + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt + devices such as LVM2 on top of LUKS (resp. multiple device filesystems + such as btrfs). This approach is more robust than parsing the output of + `lvs` or `btrfs filesystem`. + + Export relevant crypttab(5) snippet (for devices that need to be + unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab. + + Print a warning inviting the user to uninstall 'cryptsetup-initramfs' + if 1/ the CRYPTSETUP configuration option is unset or null (the + default), and 2/ the hook didn't detect any device to be unlocked at + initramfs stage. The benefit is two-fold: it guides users through the + package split, and warns them that their system might not reboot if the + hook script didn't work properly. + * Remove the 'decrypt_openct' keyscript since openct was last seen in + oldoldstable, cf. #760258 (ROM). + * debian/initramfs/cryptroot-script: refactoring, using functions from + /lib/cryptsetup/functions. (Closes: #720952, #826124.) + + One can disable the cryptsetup initramfs scripts for a particular boot + by passing "cryptopts=" as kernel boot argument. (Closes: #873840.) + + No longer sleep for a full minute after exceeding the maximum number of + unlocking tries. (This was added in 2:1.7.3-2 as an attempt to mitigate + CVE-2016-4484.) Instead, the script sleeps for 1 second after each failed + attempt in order to defeat online brute-force attacks. (Closes: #898495.) + * debian/README.initramfs: Remove mention that the initramfs scripts and the + crypsetup binary are using a different hash algorithm for plain dm-crypt + volumes. This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317. + * debian/cryptdisks.functions: + + Refactoring, using functions from /lib/cryptsetup/functions. + (Closes: #859953, #891219.) + + Install to /lib/cryptsetup/cryptdisks-functions. + * crypttab(5): + + Remove support for the 'precheck' option. The precheck for LUKS devices + is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock + non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known + filesystem (other that swap). + + Don't ignore the 'plain' option: disable auto-detection and treat the + device as a plain dm-crypt device. (Closes: #886007.) + + Add support for some option aliases to unify with systemd's crypttab(5) + options. Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is + an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden', + and 'tcrypt-veracrypt' is an alias for 'veracrypt'. + + Add support for 'keyfile-size=' and 'keyfile-offset=' options. + (Closes: #849335.) + + Source devices can now be specified using their PARTUUID or PARTLABEL, + similar to fstab(5). + * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch + to setup readonly mappings. (Closes: #782843.) + * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at + once. (Closes: #783194.) + + [ Jonas Meurer ] + * debian/doc/crypttab.xml: + + Add a section about the different crypttab formats of our package and + the systemd cryptsetup wrapper. + + Document, which options are ignored by the initramfs scripts and which + are unsupported by the systemd implementation. (Closes: #714380) + + Clarify documentation of option 'tries'. It also applies when using + keyscripts, not only with interactive passphrases. (Closes: #826127) + + Make it obvious that in case a keyscript is configured, the third option + is passed as argument to the keyscript. Mention the optional requirement + to quote the value. (Closes: #826122) + + Some minor wording improvements. + * debian/control, debian/compat: Bump debhelper compatibility level to 11. + * debian/rules: + + Completely refactor the rules file, adapt to debhelper 11 style. + (Closes: #901713) + + Run the upstream build-time testsuite thanks to dh_auto_test. + + Move the luksformat script from cryptsetup-bin to cryptsetup-run. + + Install the bug-script into all packages. + + No longer install the sysvinit initscripts into cryptsetup-udeb. + + Remove many old build and compile flags, debhelper takes care of most of + them nowadays. + + -- Jonas Meurer <jonas@freesources.org> Mon, 18 Jun 2018 02:40:41 +0200 + +cryptsetup (2:2.0.3-1) unstable; urgency=medium + + [ Guilhem Moulin ] + * Split cryptsetup package into cryptsetup-run (init scripts and libraries) + and cryptsetup-initramfs (initramfs integration). The 'cryptsetup' + package is now a transitional dummy package. (Closes: #783297.) + * debian/cryptsetup-run.preinst: remove logic for rm_conffile + /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in + 2:1.0.6-5. + * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments + with crypttab(5) targets that already exist, and only complete + cryptdisks_start targets with crypttab(5) targets that don't exist yet. + (Closes: #827200.) + * debian/initramfs/cryptroot-hook: + + use copy_file() from hook-functions to copy key files to the initrd. + This ensures that relevant messages are printed in verbose mode. + (Closes: #898516.) + + remove backward compatibility support for setting CRYPTSETUP and + KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf. Since 2:1.7.2-1 + they should be set in /etc/cryptsetup-initramfs/conf-hook. + + add 'algif_skcipher' kernel module to large initramfs (if the MODULES + variable isn't "dep"). That module is required for unlocking LUKS2 + devices. + + [ Jonas Meurer ] + * New upstream release 2.0.3 + * debian/control: + - Bump standards-version to 4.1.4, no changes required + - Change my mail address to 'jonas@freesources.org' + - Change Vcs links to the new repository on salsa.debian.org + * debian/README.source: minor improvements + * debian/doc/crypttab.xml: Fix typo in manpage + + -- Jonas Meurer <jonas@freesources.org> Fri, 15 Jun 2018 15:32:16 +0200 + +cryptsetup (2:2.0.2-1) unstable; urgency=low + + * New upstream release 2.0.2 + * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as + libargon2 (used by LUKS2 devices) uses pthread_cancel. (Closes: #890798.) + * debian/initramfs/cryptroot-script: create locking directory at initramfs + stage, before running the cryptsetup binary, which would create it + automatically but also spew a warning. + * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch: + removed as it was cherry-picked from upstream and included in 2.0.2. + * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned() + API function. + + -- Guilhem Moulin <guilhem@debian.org> Sat, 17 Mar 2018 18:03:03 +0100 + +cryptsetup (2:2.0.1-1) unstable; urgency=low + + * New upstream release 2.0.1: + - Use /run/cryptsetup as default for cryptsetup locking dir. + - Add missing symbols for new functions to debian/libcryptsetup12.symbols. + * debian/copyright: update copyright years. + * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES + devices using --key-file=-. (Closes: #888162.) + * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add + `dh_autoreconf_clean` to the "clean:" target. This bumps the minimum + debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.) + + -- Guilhem Moulin <guilhem@debian.org> Sun, 11 Feb 2018 00:02:05 +0100 + +cryptsetup (2:2.0.0-1) unstable; urgency=low + + [ Guilhem Moulin ] + * cryptsetup-bin: Install /usr/lib/tmpfiles.d/cryptsetup.conf to create the + LUKS2 locking directory /run/lock/cryptsetup. For sysVinit, this is taken + care of by the cryptdisks-early init file. + * Remove debian/patches/Use-system-libargon2.patch (applied upstream). + * debian/README.{source,gbp.conf}: Upgrade to latest upstream conventions. + * debian/control: Bump Standards-Version to 4.1.3 (remove verbatim copy of + CC0-1.0 license from debian/copyright). + * debian/rules: Fix symlink target of libcryptsetup.so in libcryptsetup-dev + package. Thanks to Alan Fung for the report and patch. (Closes: #885435.) + * debian/initramfs/cryptroot-{hook,script}: Add support for 'skip' and + 'offset' crypttab(5) options in the initramfs script. Thanks to Pascal + Liehne for the report and patch. (Closes: #872342.) + + [ Jonas Meurer ] + * debian/initramfs/cryptopensc-*: Install required libs and config files for + pcscd and use correct path to pcscd. Thanks to Martijn van de Streek for + bugreport and patch. (Closes: #880750) + + -- Guilhem Moulin <guilhem@debian.org> Mon, 22 Jan 2018 00:25:52 +0100 + +cryptsetup (2:2.0.0~rc1-1) experimental; urgency=low + + * debian/rules: Compile with --enable-libargon2 to use system libargon2 + instead of bundled version. + * debian/control: Bump Standards-Version to 4.1.1 (no changes necessary). + * debian/copyright: Update licensing information. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 Nov 2017 17:37:15 +0100 + +cryptsetup (2:2.0.0~rc0-1) experimental; urgency=low + + * New upstream release 2.0.0 RC0 (closes: #877566). Highlights include: + - Support for new on-disk LUKS2 format, offering authenticated disk + encrption (EXPERIMENTAL), memory-hard PBKDF (argon2), kernel keyring for + storage of key material, and more. + - New CLI `integritysetup` which can setup standalone dm-integrity devices. + - soname bump of libcryptsetup library. + * Rename library package from libcryptsetup4 to libcryptsetup12. + * Also remove deprecated upstart configuration files on upgrade and purge. + (Closes: #883677) + * debian/control: Bump Standards-Version to 4.1.0 (no changes necessary). + * debian/*: Apply wrap-and-sort(1). + * debian/copyright: Update copyright years. + + -- Guilhem Moulin <guilhem@debian.org> Tue, 03 Oct 2017 03:37:36 +0200 + +cryptsetup (2:1.7.5-1) unstable; urgency=low + + * New upstream release 1.7.5. + * cryptroot-unlock: When the standard input is a TTY, keep prompting for + passphrases until there are no more devices to unlock. (Closes: #866786) + * cryptsetup.prerm: Don't try to call `dmsetup table` to list dm-crypt + devices when the dm_mod module isn't loaded. (Closes: #870673) + * Rename upstream signing key from debian/upstream/signing-key.asc to + debian/upstream-signing-key.asc in order to avoid lintian error + orig-tarball-missing-upstream-signature" (we use the key to verify + signature on upstrem's git tags). + * Remove deprecated upstart configuration files: /etc/init/cryptdisks.conf + and /etc/init/cryptdisks-udev.conf. Cf. `lintian-info --tags + package-installs-deprecated-upstart-configuration`. + * debian/cryptsetup.{postinst,postrm}: Don't hard-code path to + update-initramfs(1). + * debian/rules: Include /usr/share/dpkg/pkg-info.mk to avoid parsing + dpkg-parsechangelog(1) output. + * debian/control: Bump Standards-Version to 4.0.0 (no changes necessary). + + -- Guilhem Moulin <guilhem@debian.org> Thu, 14 Sep 2017 13:00:23 +0200 + +cryptsetup (2:1.7.3-4) unstable; urgency=high + + [ Guilhem Moulin ] + * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the + patch. (Closes: #847620) + * debian/copyright: Fix license mismatch (docs/examples/* + lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* python/* are + LGPL-2.1+ not GPL-2+). (Closes: #861802) + * debian/initramfs/cryptroot-hook: honor RESUME={none,auto} as documented in + initramfs.conf(5) by initramfs-tools >=0.129. (Closes: #861074) + + -- Jonas Meurer <mejo@debian.org> Tue, 09 May 2017 13:50:59 +0200 + +cryptsetup (2:1.7.3-3) unstable; urgency=medium + + [ Jonas Meurer ] + * debian/scripts/decrypt_ssl: fix script to actually output the decrypted + key. Apparently this script has been broken since June 2008. Doesn't seem + like anybody is using it. Thanks to g1 for spotting and reporting the + error. (Closes: #844050) + * debian/initramfs/cryptroot-script: + + limit the sleep after max passphrase attempts to devices for the rootfs. + This mitigates the negative impact in case of broken keyscripts etc. + + add $crypttarget to each message to provide more context. + * debian/initramfs/cryptroot-hook: fix sanity check for key files on root + fs in get_device_opts(): detect if processed device is a root (parent) + device even for LVM setups. (closes: #842951) + * debian/README.initramfs: minor fix to the decrypt_derived keyscript + section: now that systemd is standard, 'cryptdisks_start' should be used + instead of '/etc/init.d/cryptdisks start'. + * debian/manpages/crypttab.xml: add a warning to the 'keyscript' option + that systemd doesn't support the option (yet) and mention the possible + workaround to process the devices in question in the initramfs. + + [ Guilhem Moulin ] + * add debian/gbp.conf to set the upstream tag to "v%(version%.%_)s". As + this enables git-buildpackage >= 0.8.7 to automatically generate + orig.tar.gz, step nr. 5 is now removed from debian/README.source. + * debian/compat: bump debhelper compatibility version to 9. + * debian/initramfs/cryptroot-hook: + + fix tab damage for consistency with the rest of the code + + better warning for deprecated settings + + fix sanity check for key files in get_device_opts(): print a warning if + the key file isn't on the root FS, or if the root device is not + encrypted, even for LVM setups. + + fix sanity check for key files in get_device_opts(): print a warning if + the processed device is a resume device, even for LVM setups. + + fix runtime error in get_lvm_deps() if the first argument is either + missing or the empty string. + + reset IFS after processing $rootopts in get_device_opts(); the missing + linefeed in $IFS caused LVM logical volumes spaning over multiple PVs + not to have their parent devices detected correctly. + + -- Jonas Meurer <mejo@debian.org> Fri, 09 Dec 2016 01:18:17 +0100 + +cryptsetup (2:1.7.3-2) unstable; urgency=medium + + [ Guilhem Moulin ] + * debian/README.Debian: update authorized_keys(5) path, incorrect since + 2:1.7.2-1, for remote unlocking at initramfs stage using the dropbear SSH + server. + + [ Jonas Meurer ] + * debian/initramfs/cryptroot-script: sleep after max passphrase attempts. + This mitigates local brute-force attacks and addresses CVE-2016-4484. + Thanks to Ismael Ripoll and Hector Marco for discovery and report. + - decrease $count by one in tries loop if unlocking was successful. + - warn and sleep for 60 seconds if the maximum allowed attempts of + unlocking (configured with crypttab option tries, default=3) are + reached. + + -- Jonas Meurer <mejo@debian.org> Mon, 07 Nov 2016 11:34:41 +0100 + +cryptsetup (2:1.7.3-1) unstable; urgency=medium + + * New upstream release 1.7.3. + * debian/rules: run dh_strip_nondeterminism(1p) in binary-arch rules to + make the package build more reproducible. Introduces a new Build-Depends + on dh-strip-nondeterminism. Thanks to Reiner Herrmann for bugreport and + patch. (Closes: #842581) + + -- Jonas Meurer <mejo@debian.org> Mon, 31 Oct 2016 22:00:52 +0100 + +cryptsetup (2:1.7.2-5) unstable; urgency=high + + [ Guilhem Moulin ] + * debian/upstream/signing-key.asc: add upstream's armored OpenPGP key, + fingerprint 2A29 1824 3FDE 4664 8D06 86F9 D9B0 577B D93E 98FC. + * debian/watch: add "pgpsigurlmangle" option so uscan(1) can automatically + verify cryptographic signatures on release tarballs. + + [ Jonas Meurer ] + * debian/initramfs/cryptroot-hook: only source crypt-hook from + /etc/cryptsetup-initramfs/ when present. (Closes: #841503) + + -- Jonas Meurer <mejo@debian.org> Fri, 21 Oct 2016 18:10:56 +0200 + +cryptsetup (2:1.7.2-4) unstable; urgency=high + + [ Guilhem Moulin ] + * debian/initramfs/cryptroot-hook: + + Fix warning printed for lvm devices backed by multiple dm-crypt nodes. + Regression introduced in 2:1.7.2-1. Thanks Zoltan Hidvegi, for the + patch. (Closes: #840480) + + Don't escape all slash characters "/" in device paths of the form + /dev/by-label/..., only the label itself. Regression introduced in + 2:1.7.2-2 as a fix for #839888. + + -- Jonas Meurer <mejo@debian.org> Thu, 13 Oct 2016 23:11:45 +0200 + +cryptsetup (2:1.7.2-3) unstable; urgency=medium + + [ Guilhem Moulin ] + * debian/initramfs/cryptroot-conf: don't set CRYPTSETUP and KEYFILE_PATTERN, + so the (deprecated) values set in /etc/initramfs-tools aren't overridden + to the empty string by default. Regression introduced in 2:1.7.2-1. + (Closes: #839994.) + * debian/README.initramfs: fixed minor typo. + + -- Jonas Meurer <mejo@debian.org> Sat, 08 Oct 2016 00:01:25 +0200 + +cryptsetup (2:1.7.2-2) unstable; urgency=medium + + * debian/cryptdisks.functions: fix a nasty typo in do_start that rendered + systems with sysVinit unbootable. Thanks to Marc Haber for bugreport and + patch (Closes: #839888) + + -- Jonas Meurer <mejo@debian.org> Thu, 06 Oct 2016 10:47:05 +0200 + +cryptsetup (2:1.7.2-1) unstable; urgency=medium + + [ Jonas Meurer ] + * new upstream release 1.7.2. Highlights include: + - code now uses kernel crypto API backend according to new changes + introduced in mainline kernel. (in 1.7.1) + - cryptsetup now allows special "-" (standard input) keyfile handling + even for TCRYPT (TrueCrypt and VeraCrypt compatible) devices. (in 1.7.1) + - Support activation options for error handling modes in Linux kernel + dm-verity module. (in 1.7.2) + * debian/cryptdisks.functions: use '--key-file=-' again with the tcrypt + extension, now that upstream issue #269 is fixed. + * migrate the packaging repository from SVN to Git: + - debian/control: Update Vcs-* fields to point to the new git repository. + - debian/README.source: document new repository structure and release + handling. + * debian/README.Debian, debian/NEWS: minor typo fixes. + * debian/rules: run pod2man --release="$(DEB_VERSION). (Closes: #839352) + + [ Guilhem Moulin ] + * debian/control: add self to uploaders. + * debian/cryptdisks.functions: when iterating through the crypttab, don't + abort after the first disk that fails to be closed. Regression introduced + 2:1.7.0-1 when the filed is sourced under 'set -e'. + * debian/cryptdisks.functions: stop using `seq` since cryptsetup doesn't + depend on busybox. Instead, try again after 1, 2, 4, 8 and 16s when an + encrypted disk cannot be closed. (Closes: #811456) + * debian/cryptsetup.maintscript: add a "rm_conffile" directive to remove + conffile /etc/bash_completion.d/cryptdisks, obsolete since 2:1.7.0-1. + (Closes: #810227) + * debian/README.initramfs: fix typo s/initramfs-update/update-initramfs/. + Thanks, Stuart Prescott. (Closes: #827263) + * debian/rules: Add 'hardening=+pie' to DEB_BUILD_MAINT_OPTIONS to compile + ELF executables as PIEs. + * debian/control: Bump Standards-Version to 3.9.8 (no changes necessary). + * debian/cryptsetup.lintian-overrides: Remove unused lintian override + init.d-script-does-not-source-init-functions. + * Use /etc/crytsetup-initramfs/conf-hook for initramfs hook script + configuration. For backward compatibility setting CRYPTSETUP and + KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf is still supported + for now, but causes the hook to print a warning. + This is done following the initramfs-tools maintainers' request (see + #807527) that hook and boot script configuration files be stored outside + the /etc/initramfs-tools directory. (Closes: #783393) + * Print a warning when private key material is to be included in the + initramfs image (ie, if $KEYFILE_PATTERN is not empty), and the image is + created with a permissive mode. + * Add Indonesian debconf templates translation. Thanks, Izharul Haq for the + patch. (Closes: #835158) + * debian/initramfs/cryptroot-hook: Avoid leading space in $rootdevs, + $resumedevs, etc. + * Support unlocking devices at initramfs stage using a key file stored on + the encrypted root FS. Note however that resume devices won't be unlocked + this way since the resume boot script is currently run before mounting the + root FS. (Closes: #776409) + * debian/initramfs/cryptroot-hook: Avoid undesired effects for target or + device names containing non-alphanumeric characters such as "." or "-": + + replace `grep "^$x\b"` by `awk -vx="$x" '$1==x {print}'`; and + + replace `echo "$x"` by printf '%s' "$x" when the argument might start + with a dash. + * debian/initramfs/cryptroot-{hook,script}, debian/cryptdisks.functions: + ensure slash characters "/" from device labels are escaped when + constructing symlinks under /dev/disk/by-label. + * debian/scripts/decrypt_gnupg: + + Remove --no-mdc-warning to display a warning if the MDC integrity + protection is missing. + + Replace "GnuPG key" by "gpg-encrypted key" in messages and + documentation. + * debian/initramfs/cryptgnupg-hook: Add support for multiple devices + encrypted using a gpg-encrypted key. + * debian/README.gnupg: Indicate that not the only the gpg-encrypted key for + the root FS is copied onto the initramfs, but also the ones for all + devices that need to be unlocked at initramfs stage. + * debian/initramfs/cryptroot-hook: Fix bug for device label starting with + "UUID=". + + [ Helmut Grohne ] + * libcryptsetup-dev: move the .pc file to a multiarch location such that + cross-pkg-config can find it. (closes: #811545) + * Fix FTCBFS: Use host arch compiler for askpass as well. (closes: #811559) + + -- Jonas Meurer <mejo@debian.org> Wed, 05 Oct 2016 20:53:09 +0200 + +cryptsetup (2:1.7.0-2) unstable; urgency=medium + + [ Guilhem Moulin ] + * Fix cryptsetup shutdown procedure on sysvinit, broken since 2:1.7.0-1 for + systems without active crypttab entry at the time fo the shutdown. + (Closes: #792552, #810380) + + -- Jonas Meurer <mejo@debian.org> Sun, 10 Jan 2016 18:45:20 +0100 + +cryptsetup (2:1.7.0-1) unstable; urgency=medium + + [ Jonas Meurer ] + * new upstream release 1.7.0. Highlights include: + - cryptsetup TCRYPT mode now supports VeraCrypt devices (in 1.6.7) + - fix activation using (UNSECURE) ECB mode (in 1.6.7) (closes: #784129) + - properly support stdin "-" handling for luksAddKey for both new and old + keyfile parameters. (in 1.6.8) + - default hash function is now SHA256 (used in key derivation function + and anti-forensic splitter) (in 1.7.0) + * debian/cryptsetup.functions, debian/initramfs/cryptroot.{hook,script}: add + support for veracrypt option to cryptdisks initscript and cryptroot + initramfs script. (closes: #806290) + * debian/cryptdisks.functions: don't use '--key-file=-' with the tcrypt + extension. This fixes the tcrypt implementation in the initscript and + provides a workaround for upstream issue #269. + * debian/cryptsetup.bug-script: do not send potentially private information + without prior user confirmation in reportbug script. (Closes: #783298) + * debian/cryptsetup.apport: do not send potentially private information + without prior user confirmation in apport hook. + * debian/control, debian/NEWS: fix links to cryptsetup homepage/FAQ. Homepage + (and FAQ) moved from code.google.com to gitlab.com. (closes: #781674) + * debian/*: update hyperlinks to use https instead of http where appropriate. + * debian/rules, debian/post{inst,rm}: don't install cryptdisks_st{art,op} + symlinks to /usr/sbin if everything-in-usr directories scheme is used. + Thanks to Marco d'Itri for the patch. (closes: #767921) + * debian/scripts/luksformat: search for mkfs binaries in /usr/sbin, /usr/bin, + /sbin and /bin (default order in $PATH). This fixes luksformat for btrfs + filesystems. (closes: #805353) + * debian/dirs, debian/rules: install cryptdisks bash-completion script into + /usr/share/bash-completion/completions. + * debian/cryptdisks.functions: iterate over remaining open crypttab devices + in do_stop() in order to close dependent devices and don't freeze the + shutdown process. Thanks to Avatar for the patch. (closes: #792552) + * debian/rules: set V=1 in order to make build logs usable for blhc. + * debian/rules: set DEB_VERSION and DEB_DATE in a way to make cryptsetup + build reproducible. Thanks to Dhole and Valentin Lorentz for patches. + (closes: #780864, #794106) + * debian/cryptdisks.functions: bring the passphrase prompt in line with the + one from initramfs script in order to make the user experience more + consistent. (closes: #772943) + * debian/initramfs/cryptroot-script: move sanity checks of $cryptkeyscript + and potential expansion to '/lib/cryptsetup/askpass' to the beginning of + setup_mapping(). + + [ Guilhem Moulin ] + * debian/README.{Debian,remote}: remove dropbear-specific configuration and + point to dropbear-initramfs instead. Since version 2015.70-1, dropbear + ships dropbear-specific initramfs configuration and documentation in an + own binary package dropbear-initramfs. (closes: #801471) + * debian/initramfs/cryptroot-{hook,script}: add support for 'keyslot' option + to cryptroot initramfs script. (closes: #801479) + * debian/README.initramfs, debian/initramfs/cryptroot-hook: add support for + storing keyfiles directly in the initrd. (closes: #786578) + * debian/initramfs/cryptroot-hook: display a warning for invalid source + devices. (closes: #720515, #781955, #784435) + * debian/askpass.c: add plymouth support to the askpass helper command. + * debian/cryptdisks.functions, debian/initramfs/cryptroot-script: remove + special treatment of plymouth installations now that askpass supports + plymouth natively. + * debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script + to remotely unlock cryptroot devices. (closes: #782024, #697156) + + -- Jonas Meurer <mejo@debian.org> Thu, 07 Jan 2016 02:22:33 +0100 + +cryptsetup (2:1.6.6-5) unstable; urgency=high + + * debian/cryptdisks.functions: fix the precheck for ubuntu+upstart + before invoking 'status cryptdisks-udev'. (closes: #773456) + * debian/cryptdisks.functions: fix the insufficient grep regex for + detecting a running cryptdisks-udev (upstart) init script. + + -- Jonas Meurer <mejo@debian.org> Thu, 22 Jan 2015 21:22:08 +0100 + +cryptsetup (2:1.6.6-4) unstable; urgency=medium + + [ Simon McVittie ] + * debian/initramfs/cryptroot-script: decrypt /usr as well as / so that + split-/usr will work with initramfs-tools (>= 0.118). (closes: #767832) + + [ Jonas Meurer ] + * debian/cryptdisks.funcctions: check for cryptdisks-udev initscript before + actually invoking 'status' on it. It's only useful in ubuntu+upstart + environment anyway. (closes: #764564) + * debian/askpas.c: fix systemd_read() to really strip trailing newline from + input. Thanks to Quentin Lefebvre for report and patch. (closes: #768407) + + -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2014 14:24:41 +0100 + +cryptsetup (2:1.6.6-3) unstable; urgency=medium + + * debian/initramfs/cryptroot-script: fix environment variable $CRYPTTAB_TRIED + to hold the number of actual tries instead of the number of maximum tries. + Thanks to Luc Maisonobe for debugging and the patch. (closes: #758788) + + -- Jonas Meurer <mejo@debian.org> Tue, 07 Oct 2014 19:51:36 +0200 + +cryptsetup (2:1.6.6-2) unstable; urgency=medium + + * rename 'luksheader' option in crypttab to 'header', as it may be used for + different encryption modes later as well. + * add support for detached LUKS header to initramfs scripts. Thanks to Pablo + Santiago for the hint and DiagonalArg from Launchpad for patch suggestions. + (closes: #716652) + * fix support for truecrypt devices in initramfs scripts. Thanks to Lukas + Wunner for the patch. (closes: #748286) + * use blkid instead of fstype everywhere in cryptroot initramfs scripts. + Thanks to Pablo Santiago for the hint. + * debian/initramfs/cryptroot-hook: add support for 'initramfs' option to + crypttab. Thanks to Hugh Davenport for the patch. (closes: #697162) + * debian/initramfs/cryptroot-script: add support for multiple btrfs root + devices. This should fix the WARNING at mkinitramfs for unencrypted + btrfs root device(s) as well. Thanks to Jon Severinsson and Gerald Turner + for patches. (closes: #682751, #762268) + * debian/initramfs/cryptroot-script: skip missing device in initramfs after + dropping to the panic/emergency shell instead of looping in the panic + shell. Thanks to Cédric Barboiron for the patch. (closes: #762573) + * debian/initramfs/cryptroot-script: for LVM devices, don't set ROOT to + $NEWROOT in /etc/param.conf in case that /etc/param.conf already has ROOT + set. This is the case for flash-kernel devices. Thanks to Brandon Parker + for bugreport and patch. (closes: #759720) + * debian/initramfs/cryptroot-script: in slumber loop, retry vg_activate + every ten seconds. Fixes LVM on USB in cases that the USB device didn't + come up fast enough. (closes: #762032) + * fix package version number in debian/NEWS. + * bump standards-version to 3.9.6, no changes needed. + + -- Jonas Meurer <mejo@debian.org> Wed, 20 Aug 2014 19:59:03 +0200 + +cryptsetup (2:1.6.6-1) unstable; urgency=medium + + * new upsream version 1.6.6. + * add versioned dependency on cryptsetup-bin to cryptsetup. (closes: #747670) + * change versioned build-depends on automake to >= 1.12 to reflect upstream + requirements. Thanks to Joel Johnson. (closes: #740688) + * build and link against libgcrypt20 (>= 1.6.1). Add note about whirlpool + bug in older libgcrypt releases and how to deal with it to debian/NEWS. + * add systemd support to askpass. Thanks to David Härdeman for the patch. + (closes: #742600, #755074) + * fix initramfs cryptroot hook to not include modules unconditionally. Thanks + to Dmitrijs Ledkovs for bugreport and patch. (closes: #714104) + * fix decrypt_keyctl script to ask again in case of wrong passphrase. Thanks + to Dmitriy Matrosov for bugreport and patch. (closes: #748368) + * incorporate changes from ubuntu package: + - don't hardcode paths to udevadm and udevsettle. + - restore terminal settings in askpass.c. (closes: #714942) + - migrate upstart jobs to new names. + + -- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 20:14:07 +0100 + +cryptsetup (2:1.6.4-4) unstable; urgency=medium + + * really fix plain device opening in initramfs cryptroot script this time. + Thanks again to Dirk Griesbach for the patch. (closes: #740592) + + -- Jonas Meurer <mejo@debian.org> Mon, 03 Mar 2014 21:00:16 +0100 + +cryptsetup (2:1.6.4-3) unstable; urgency=medium + + * fix plain device opening, broken by switch to new unified open command + in 1.6.4-1. Thanks to Dirk Griesbach for the patch. (closes: #740592) + * update italian debconf translations, thanks to Italian l10n team and + Francesca Ciceri. (closes: #740557) + * remove trailing whitespaces from text files. + * some minor packaging fixes thanks to lintian checks: + - fix VCS-* fields in debian/control to use canoncial URIs. + - remove empty directory from libcryptsetup4 package. + - add lintian-override for init.d-script-not-included-in-package. + + -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 13:51:35 +0100 + +cryptsetup (2:1.6.4-2) unstable; urgency=medium + + * fix libcryptsetup.so symlink. Thanks to Michael Biebl. (closes: #740484) + + -- Jonas Meurer <mejo@debian.org> Sun, 02 Mar 2014 01:33:39 +0100 + +cryptsetup (2:1.6.4-1) unstable; urgency=low + + * new upstream version 1.6.4. + - minor fixes in cryptsetup manpage. (closes: #725131) + - by default verify new passphrase in luksChangeKey and luksAddKey + commands (closes: #728302) + - cryptsetup releases are released on kernel.org since 1.6.4. Change + debian/watch accordingly. + * use compiled defaults for cypher, keysize and hash in luksformat script + * improvements to docs (thanks to Christoph Anton Mitterer): + - small improvement to explanation for CRYPTTAB_TRIED environment variable + in crypttab manpage + - update cipher, size and hash settings in examples (closes: #714331) + - replace '/dev/hdX' devices with '/dev/sdX' in examples + - full path to keyscripts in /lib/cryptsetup/scripts not needed in examples + * update init and initramfs scripts to use new open syntax (closes: #714395) + * add scripts/local-block/cryptroot in order to support event based block + device handling. Thanks to Goswin von Brederlow (closes: #678692) + * add support for TCRYPT device handling to cryptdisks init and cryptroot + initramfs scripts. (closes: #722509) + * improve passphrase prompt in cryptroot initramfs script. Thanks to Joachim + Breitner. (closes: #728080) + * add support for detached luks header to cryptdisks init script. Thanks to + Ximin Luo. (closes: #716652) + * enhance docs about remote unlocking feature. Thanks to Karl O. Pinc. + (closes: #715487, #714952) + * update README.keyctl docs: since linux kernel 2.6.38, dm-crypt is not + single-threaded any longer. (closes: #714806) + * don't sleep between retries in cryptroot initramfs script. (closes: #715525) + * add multi-arch support. Thanks to Shawn Landden. (closes: #696008, #732099) + * suggest keyutils. Thanks to Nikolaus Rath. (closes: #734133, #735496) + * fix initramfs/cryptroot-hook to support more than one lvm source devices. + Thanks to Jens Reinsberger for the patch. (closes: #659688, #737686) + * bump standards-version to 3.9.5, no changes needed. + * override lintian false positives for init scripts: + - init.d-script-does-not-implement-optional-option status + - init.d-script-does-not-source-init-functions + + -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:14:55 +0200 + +cryptsetup (2:1.6.1-1) unstable; urgency=low + + [ Milan Broz ] + * new upstream version. (closes: #704827, 707997) + - default LUKS encryption mode is XTS (aes-xts-plain64) (closes: #714331) + - adds native support for Truecrypt and compatible on-disk format + - adds benchmark command + - adds cryptsetup-reencrypt, a tool to offline reencrypt LUKS device + - adds veritysetup, a tool for dm-verity block device verification module + * install docs/examples into docs at cryptsetup-dev package. + * fix compilation warnings in askpass.c. + + [ Steve Langasek ] + * fix upstart jobs to not cause boot hangs when actually used in + conjunction with startpar. (closes: #694499, #677712). + * in connection with the above, make the cryptdisks-early job explicitly + wait for 'umountfs' on shutdown just like cryptdisks does; otherwise, + the teardown of the cryptdisks upstart job may cause the cryptdisks-early + init script run before we're done unmounting filesystems. + + [ Jonas Meurer ] + * minor wording fixes to README.initramfs, suggested by intrigeri and Adam + D. Barrett. + * add bash-completion script for cryptdisks_{start,stop}. Thanks to Claudius + Hubig for providing a patch. (closes: #700777) + * support specifying key-slot in crypttab. Thanks to Kevin Locke for the + patch. (closes: #704470) + * remove evms support code from cryptroot initramfs script. (closes: #713918) + * fix location of keyscripts in initramfs documentation. (closes: #697446) + * fix a typo in decrypt_ssl script that prevented stdout from beeing + redirected to /dev/null. (closes: #700285) + * give full path to blkid in crytproot initramfs script. (closes: #697155) + * export number of previous tries from cryptroot and cryptdisks to + keyscript. Thanks to Laurens Blankers for the idea. Opens the possibility + to fallback after a given number of tries for keyscripts. (closes: #438481, + #471729, #697455) + * improve check for cpu hardware encryption support in initramfs cryptroot + hook. (closes: #714326) + + -- Jonas Meurer <mejo@debian.org> Fri, 28 Jun 2013 12:10:41 +0200 + +cryptsetup (2:1.4.3-4) unstable; urgency=medium + + * change recommends for busybox to busybox | busybox-static. Thanks to + Armin Haas for the bugreport. (closes: #692151) + + -- Jonas Meurer <mejo@debian.org> Wed, 07 Nov 2012 16:12:25 +0100 + +cryptsetup (2:1.4.3-3) unstable; urgency=medium + + * add recommends for 'kbd, console-setup' to cryptsetup package. Both are + necessary to support local keymap in initramfs. Thanks to Raphaël Hertzog + for the bugreport. (closes: #689722) + * move suggestion for 'initramfs-tools (>= 0.91) | linux-initramfs-tool, + busybox' to recommends. Both are required for encrypted root fs. + * remove suggestion for udev, most debian systems have it installed anyway. + * mention option to use UUID=<luks_uuid> for source device in crypttab(5). + Thanks to Felicitus for the bug report. (closes: #688786) + * add a paragraph in README.initramfs: Describe, why renaming the target + name is not supported for encrypted root devices. Thanks to Adam Lee for + bugreport and proposed workaround for this limitation. (closes: #671037) + * fix keyfile permission checks in cryptdisks init scripts to follow + symlinks. Thanks to intrigeri for the bugreport. (closes: #691517) + * fix owner group check for keyfile in cryptdisks init scripts to really + check owner group. + * update debconf translations: + - brasilian portuguese, thanks to Adriano Rafael Gomes. (closes: #685762) + - japanese, thanks to victory. (closes: #690784) + * fix typo in manpages: s/passphase/passphrase. Thanks to Milan Broz for + the bugreport. (closes: #684086) + + -- Jonas Meurer <mejo@debian.org> Thu, 01 Nov 2012 15:34:09 +0100 + +cryptsetup (2:1.4.3-2) unstable; urgency=medium + + * fix the shared library symbols magic: so far, the symbols file for + libcryptsetup4 included just a wildcard for all exported symbols, with + libcrypsetup4 (>= 2:1.4) as minimum version. This was wrong. Symbols + that were added later need adjusted minimum versions. Thanks for the + great help in #debian-mentors. (closes: #677127) + * remove emtpy directory /lib from cryptsetup-bin package. + * compile askpass and passdev with CFLAGS, CPPFLAGS and LDFLAGS. + + -- Jonas Meurer <mejo@debian.org> Tue, 12 Jun 2012 21:26:18 +0200 + +cryptsetup (2:1.4.3-1) unstable; urgency=low + + [ Jonas Meurer ] + * mention limitations for keyscripts in crypttab(5) manpage: keyscripts + must not depend on binaries/files which are part of the to-be-unlocked + device. (closes: #665494) + * bump versioned build-dependency on debhelper now that we install + upstart initscripts in debian as well. + * change versioned breaks/replaces for cryptsetup-bin on cryptsetup to + 1.4.3-1~, fixing upgrades in debian. + + [ Jean-Louis Dupond ] + * New upstream version. (closes: #670071) + - Fix keyslot removal (closes: #672299) + - Add -r to cryptsetup.8 (closes: #674027) + * Split up package in cryptsetup and cryptsetup-bin. + * I'm now co-maintainer (closes: #600777). + * Start cryptdisks-enable upstart job on 'or container', to let us + simplify the udevtrigger job. + * debian/cryptdisks.functions: handle the case where crypttab contains a + name for the source device that is not the kernel's preferred name for + it (as is the case for LVs). (Thanks Steve Langasek) + * debian/cryptdisks.functions: fix a race condition in some cases by + adding and udevadm settle before rename. + * debian/cryptdisks.functions: add UUID & LABEL support to do_start. + * debian/copyright: really fix lintian warning. + * debian/rules: also include upstart files in debian. + + -- Jonas Meurer <mejo@debian.org> Fri, 08 Jun 2012 13:42:51 +0200 + +cryptsetup (2:1.4.1-3) unstable; urgency=low + + [ Jonas Meurer ] + * finally add back support for configuration of custom rootfs-devices through + the boot parameter 'root' to initramfs cryptroot script. Thanks a lot to + August Martin for the bugreport as well as continuously debugging and + providing patches. (closes: #546610) + * use blkid instead of fstype to detect the content of devices in initramfs + cryptroot script. Unfortunately fstype doesn't recognize md-raid devices, + which leads to errors with encrypted devices on top of software raid. + * check whether $NEWROOT already exists before actually invoking cryptsetup + in initramfs cryptroot script. (closes: #653241) + * fix conditions for prechecks at do_noluks() in cryptdisks.functions. Should + prevent data loss with encrypted swap in most cases. (closes: #652497) + * change default value for tmpfs and examples from ext2 to ext4. + * minor code cleanup. + * update debconf translations: + - russian, thanks to Yuri Kozlov. (closes: #661303) + - spanish, thanks to Camaleón. (closes: #661316) + + [ Jean-Louis Dupond ] + * fix watch file. + * always add aesni module to initramfs if we have hardware aes support. + (closes: #639832). + * debian/copyright: fix lintain warning. + * add upstart scripts for ubuntu. + * silent warnings on kernels without kernel/{arch,crypto}. + * add crypttab_start_one_disk in function script to handle udev startup + in ubuntu. + * bump standards-version to 3.9.3, no changes needed. + + -- Jonas Meurer <mejo@debian.org> Wed, 11 Apr 2012 23:55:35 +0200 + +cryptsetup (2:1.4.1-2) unstable; urgency=low + + * acknowledge NMU. Thanks to Michael Biebl. (closes: #659182) + * don't print error for non-encrypted rootfs in initramfs cryptroot hook. + Thanks to Jamie Heilman and Christoph Anton Mitterer for bugreports. + (closes: #659087, #659106) + * use dmsetup splitname to extract VG name from $node in initramfs cryptroot + hook. Thanks to Kai Weber for the bugreport, Milan Broz and Claudio + Imbrenda for suggestions and patches. (closes: #659235) + + -- Jonas Meurer <mejo@debian.org> Sun, 12 Feb 2012 15:51:11 +0100 + +cryptsetup (2:1.4.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix dangling .so symlink. Don't hard code the library version but use + readlink instead to determine where the .so symlink should point at. + (closes: #659182) + + -- Michael Biebl <biebl@debian.org> Sat, 11 Feb 2012 04:32:01 +0100 + +cryptsetup (2:1.4.1-1) unstable; urgency=low + + * new upstream release (1.4.0 + 1.4.1) (closes: #647851) + - fixes typo in german translation. (closes: #645528) + - remove patches, all incorporated upstream. + - soname bump, rename library package to libcryptsetup4 + * check for busybox in initramfs cryptroot hook, and install the sed binary + in case it's either not installed or not activated. (closes: #591853) + * add checks for 'type $KEYSCRIPT' to initscripts cryptdisks.functions, and + to cryptroot initramfs script/hook. this adds support for keyscripts inside + $PATH. thanks to Ian Jackson for the suggestion. (closes: #597583) + * use argument '--sysinit' for vgchange in cryptroot initramfs script. Thanks + to Christoph Anton Mitterer for the suggestion. + * add option for discard/trim features to crypttab and initramfs scripts. + Thanks to intrigeri and Peter Colberg for patches. (closes: #648868) + * print $target on error in initramfs hook. Thanks to Daniel Hahler for the + bugreport. (closes: #648192) + * add a warning about using decrypt_derived keyscript for devices with + persistent data. Thanks to Arno Wagner for pointing this out. + * remove quotes from resume device candidates at get_resume_devs() in + initramfs hook script. Thanks to Johannes Rohr. (closes: #634017) + * support custom $TABFILE, thanks to Douglas Huff. (closes: #638317) + * fix get_lvm_deps() in initramfs cryptroot hook to add all physical volumes + of lvm volume group that contains the rootfs logical volume, even if the + rootfs is lv is not spread over all physical volumes. Thanks to Christian + Pernegger for bugreport and patch. (closes: #634109) + * debian/initramfs/cryptroot-script: Move check for maximum number of tries + behind the while loop, to make the warning appear in case that maximum + number of tries is reached. Thanks to Chistian Lamparter for bugreport and + patch. (closes: #646083) + * incorporate changes to package descriptions and debconf templates that + suggested by debian-l10n-english people. Special thanks go to Justin B Rye. + * acknowledge NMU, thanks a lot to Christian Perrier for his great work on + the i18n front. (closes: #633105, #641719, #641839, #641947, #642470, + #640056, #642540, #643633, #643962, #644853) + * add and update debconf translations: + - italian, thanks to Milo Casagrande, Francesca Ciceri. (closes: #656933) + - german, thanks to Erik Pfannenstein. (closes: #642147) + - spanish, thanks to Camaleón. (closes: #658360) + - russian, thanks to Yuri Kuzlov (closes: #654676) + * set architecture to linux-any, depends on linux kernel anyway. Thanks to + Christoph Egger. (closes: #638257) + * small updates to the copyright file. + * add targets build-indep and build-arch to debian/rules, thanks to lintian. + + -- Jonas Meurer <mejo@debian.org> Sun, 05 Feb 2012 03:17:59 +0100 + +cryptsetup (2:1.3.0-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - French (Julien Patriarca). Closes: #633105 + - Vietnamese (Hung Tran). Closes: #641719 + - Portuguese (Miguel Figueiredo). Closes: #641839 + - Russian (Yuri Kozlov). Closes: #641947 + - Swedish (Martin Bagge / brother). Closes: #642470,#640056 + - Czech (Michal Simunek). Closes: #642540 + - Dutch; (Jeroen Schot). Closes: #643633 + - Spanish; (Camaleón). Closes: #643962 + - Danish (Joe Hansen). Closes: #644853 + + -- Christian Perrier <bubulle@debian.org> Sun, 25 Dec 2011 19:00:24 +0100 + +cryptsetup (2:1.3.0-3) unstable; urgency=low + + * drop the loopback magick from cryptdisks scripts. Mario 'Bitkoenig' Holbe + pointed out, that auto-destruction support was added to the loopback driver + with kernel 2.6.25. Given, that even lenny has a more recent kernel, + support for kernels < 2.6.25 is not required any more. (closes: #626458) + * add debconf question 'prerm/active-mappings' with priority high to prerm + maintainer script. will warn about active dm-crypt mappings before the + package is removed/purged. (closes: #626641) + * add lintian-override for 'cryptsetup: no-debconf-config', as the debconf + question in prerm doesn't require a debconf config script. + * add debian/patches/03_create_fix_keyfile.patch. (closes: #626738) + + -- Jonas Meurer <mejo@debian.org> Thu, 19 May 2011 20:50:08 +0200 + +cryptsetup (2:1.3.0-2) unstable; urgency=low + + * fix changelog of 2:1.3.0-1 release, thanks to Thorsten Glaser for the hint + + -- Jonas Meurer <mejo@debian.org> Thu, 12 May 2011 03:06:46 +0200 + +cryptsetup (2:1.3.0-1) unstable; urgency=low + + * new upstream release + - automatically allocates loopback device for container files. update the + cryptdisks functions to only setup loopback device for kernel < 2.6.35. + otherwise, let cryptsetup do the magic itself. + - introduces maximum default keyfile size, see --help for value. manually + set the keyfile size with --keyfile-size in order to overwrite the limit. + - adds luksChangeKey command for changing passphrase/keyfile in one step + - adds loopAES compatibility command loopaesOpen + - remove d/patches/01_luksAddKey_return_code.patch, incorporated upstream + * add gettext support to luksformat script. Thanks to intrigeri for initial + patch, and adduser sources for implementation ideas. (closes: #558405) + * fix KEYSCRIPT checks in cryptdisks.functions for empty values. + * update REAMDE.gnupg and initramfs cryptgnupg hook script: + - warn about keys being copied to initramfs. + - fix the documentation to provide working examples. + * update README.Debian and related documentation: + - add a section about the 'special' keyscripts askpass and passdev + (closes: #601314) + - update several sections, remove reference to lenny + * add debian/patches/01_create_fix_size.patch, to fix a regression in 1.2.0 + where the size argument was ignored for create command (closes: #624828) + * add debian/patches/02_manpage.patch, escapes minus signs in manpage + * remove usplash support from cryptroot initramfs script, askpass and + keyscripts, add plymouth support to keyscripts. (closes: #620923) + * ignore options like cipher, hash, size, etc. for luks commands in + cryptdisks. mention this in the crypttab manpage. (closes: #619249) + * again check for existance of /lib/cryptsetup/cryptdisks.functions before + sourcing it in cryptdisks(-early).init. required if cryptsetup is removed + but not purged, where initscripts are still around. (closes: #625468) + * bump standards-version to 3.9.2, no changes needed. + * debian/libcryptsetup1.symbols: update, 1.3.0 adds new function symbols + + -- Jonas Meurer <mejo@debian.org> Wed, 11 May 2011 14:45:42 +0200 + +cryptsetup (2:1.2.0-2) unstable; urgency=low + + * upload to unstable. + * fixes a ftbfs due to updated libgpg-error and libgcrypt11 build- + dependencies. (closes: #614530) + * install cryptkeyctl initramfs hook, needed for keyctl keyscript in + initramfs, thanks to Maik Zumstrull (closes: #610750) + * use 'egrep -c' instead of wc in cryptdisks_st* scripts, wc might not be + available as it's located at /usr/bin. Thanks to Mario 'BitKoenig' Holbe + for bugreport and patch. (closes: #611747) + * add debian/patches/01_luksAddKey_return_code.patch, fixes the luksAddKey + return code when the master key is used. (closes: #610366) + * fix luksformat script to invoke usage() with --help. (closes: #612947) + * add a paragraph about known upgrade issues to the crypttab manpage. this + paragraph strongly suggests to configure cipher, hash and keysize for + plain dm-crypt devices. (closes: #612452) + * fix examples in crypttab manpage, cipher, hash and keysize should be + configured for plain dm-crypt devices. + * luksformat: invoke udevadm settle between mkfs.vfat and luksClose, to + prevent possible race conditions. This is a workaround. (closes: #601886) + * update lintian-overrides for new lintian from experimental. + * fix spelling mistake in README.Debian thanks to lintian. + * update short and long description for udebs to mention udeb and + debian-installer. This satisfies lintian. + * fix get_resume_device() in initramfs cryptroot hook script to add source + device for decrypt_derived keyscript in case it's not the root device. + Thanks to Robert Lange and mahashakti89 for bugreport. (closes: #592430) + + -- Jonas Meurer <mejo@debian.org> Mon, 07 Mar 2011 23:52:13 +0100 + +cryptsetup (2:1.2.0-1) experimental; urgency=low + + * new major upstream release (closes: #603804) + - adds text version of FAQ + - adds new options --use-random and --use-urandom for MK generation + - fixes luksRemoveKey to not ask for remaining keyslot passphrase + - no longer supports luksDelKey command (replaced by luksKillSlot) + - no longer supports reload command, dmsetup reload should be used instead + - adds support to change the UUID later (with --uuid cmd option) + - adds --dump-master-key option for luksDump command + - no luksOpen, luksFormat and create for open devices (closes: #600208) + - remove debian/patches/01_manpage.patch, incorporated upstream + - and many more changes, see upstream changelog for further information + - update debian/libcryptsetup1.symbols + * invoke update-initramfs at cryptsetup removal in order to not leave behind + a broken initramfs. thanks to ubuntu for the hint. + * link dynamically against libgcrypt11 and libgpg-error0 now that the + libraries have been moved to /lib. add versioned depends for libcryptsetup1 + on (libgcrypt >= 1.4.6-2) and libgpg-error0 (>= 1.10-0.1). + * debian/initramfs/cryptroot-script: prereq 'cryptroot-prepare' added in + order to support cryptroot to depend on custom initramfs scripts. thanks + to Marc Haber for the suggestion. (closes: #601311) + * debian/cryptdisks.functions: + + fix check for ownership and permissions of $key to work with slighly + different output of 'ls -l' with selinux enabled. (closes: #600522) + + fix $TRIES implementation to support TRIES=0 again. (closes: #602501) + * change 'echo -e' to 'printf' in debian/initramfs/cryptroot-script. thanks + to checkbashisms script devscripts for spotting that bashism. + * add a libcryptsetup1-udeb library package for debian-installer in order to + satisfy cryptsetup-udeb dependencies with dynamically linked binary. + Version the build-depends on libgcrypt11-dev to (>= 1.4.6-3), to satisfy + udeb library dependencies. + * change 'XC-Package-Type: udeb' to 'Package-Type: udeb' in debian/control + * add debian/cryptsetup.apport from Ubuntu, install only for dist=Ubuntu. + build-depends on dpkg-dev (>= 1.15.1) is required for this to work. + + -- Jonas Meurer <mejo@debian.org> Sun, 16 Jan 2011 01:01:03 +0100 + +cryptsetup (2:1.1.3-4) unstable; urgency=high + + * bump standards-version to 3.9.1, no changes required + * add patches/01_manpage_units: mention units (512b sectors) for -o option + in man page. (closes: #584174) + * move cryptdisks_st* scripts from /usr/sbin to /sbin, add symlinks for + compatibility reasons. thanks to Mario 'BitKoenig' Holbe. (closes: #589800) + * add decrypt_keyctl keyscript and initramfs hook from Michael Gebetsroither, + which supports to cache a passphrase for later use. (closes: #563961) + * invoke /sbin/lvm with full path in cryptroot initramfs script. thanks to + Bernd Zeimetz. (closes: #597648) + * print out a warning at initramfs cryptroot hook in case that detection of + canonical device failed. (closes: #594092) + * add manpage fixes, thanks to Stephen Gildea for patch. (closes: #598237) + * fix deprecated ext2 wrapper checkscript to succeed for ext2, ext3, ext4 + and ext4dev filesystems. (closes: #595331) + * again remove duplicates from debian/NEWS. + * truncate trailing spaces for some variables at initramfs cryptroot hook. + * remove volume group -guessing magic from initramfs scripts and hooks, + instead activate all available lvm volume groups. thanks to Christoph + Anton Mitterer for the suggestion. (closes: #554506, #591626) + * remove /etc/bash_completion.d from debian/cryptsetup.dirs + * set urgency=high as this upload fixes two release-critical bugs. + + -- Jonas Meurer <mejo@debian.org> Thu, 04 Nov 2010 20:36:45 +0100 + +cryptsetup (2:1.1.3-3) unstable; urgency=low + + * fix usage of new variable $DEFAULT_LOUD, and some cosmetical changes. + thanks to Mario 'BitKoenig' Holbe. (closes: #589029) + + -- Jonas Meurer <mejo@debian.org> Thu, 22 Jul 2010 12:56:01 +0200 + +cryptsetup (2:1.1.3-2) unstable; urgency=low + + * introduce new $INITSTATE 'manual' for cryptdisks_st* scripts. that way, + noauto devices are processed again by cryptdisks_st* scripts. + (closes: #588697, #588698, #589153, #589798) + * introduce new variable $DEFAULT_LOUD. now the 'loud' option in crypttab + affects only the device in question. thanks to Mario 'BitKoenig' Holbe. + * introduce new crypttab option 'quiet' which overwrites and unsets the + 'loud' option. thanks to Mario 'BitKoenig' Holbe. (closes: #589029) + + -- Jonas Meurer <mejo@debian.org> Wed, 21 Jul 2010 10:42:49 +0200 + +cryptsetup (2:1.1.3-1) unstable; urgency=low + + * new upstream release: + - fix device alignment ioctl calls parameters for archs like ppc64. + - fix activate_by_* API calls to handle NULL device name as documented + - fix udev support for old libdevmapper with not compatible definition + * fix rm_lo_setup() in cryptdisks.functions for failed device setup. thanks + to Roger Pettersson. (closes: #581712) + * add X-Stop-After headers to cryptdisks(-early) initscripts. this fixes + shutdown process for system without encrypted rootfs at least. thanks to + Alfredo Finelli. (closes: #575652) + * more merges from ubuntu, thanks to and Steve Langasek (closes: #575024): + - debian/cryptdisk.functions: initially create the device under a temporary + name and rename it only at the end using 'dmsetup rename', to ensure that + upstart/mountall doesn't see our device before it's ready to go. + LP: #475936. + - cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for + changing the permissions of the filesystem root, not directly on /tmp, + since mounting on /tmp a) is racy, b) confuses mountall something fierce. + LP: #475936. + * fix manpage checkscripts documentation. clarify that both cryptdisks and + cryptroot invoke checkscripts. thanks Christoph Anton Mitterer. + * remove quotes from $KEYSCRIPT invokation, thanks Alexandre Rossi. + (closes: #585099) + * fix support for commandline options to mkfs in luksformat. thanks to Eduard + Bloch again for bugreport and patch. (closes: #585787) + * remove duplicates from debian/NEWS, thanks Steve Langasek (closes: 586019) + * improve documentation on environment variables in cryptdisks.default and + crypttab manpage. thanks Christoph Anton Mitterer. (closes: #585664) + * several improvements to (pre)check scripts, inspired by scripts from + Christoph Anton Mitterer (closes: #585418, #585496) + - checkscripts exit with error 1 if executables aren't available. + - ext2, swap and xfs scripts are deprecated and invoke blkid script. + - drop filtering of minix filesystem in blkid, util-linux 2.17.2 in debian + - remove *vol_id check scripts, vol_id isn't available in debian any longer + - don't use sed in *blkid check scripts any longer + * fix initramfs/cryptroot-hook to canonicalize $device in get_resume_devices + function. this should really weed out all duplicates. (closes: #586122), + and catch all udev/device-mapper symlink setups as well (closes: #554506) + * bash-completion file now in pck bash-completion (closes: #586299, #586162) + * add a paragraph about the boot order of init scripts to README.Debian, + describing the current catch-22 situation. (closes: #576646) + * initscripts and cryptdisks_st* no longer silently quit in case that include + file /lib/cryptsetup/cryptdisks.functions is missing. (closes: #587220) + * fix cryptdisks-early LSB headers to restore legacy boot sequence order. + mdadm-raid was started before cryptdisks-early. (closes: #587224) + * cryptdisks initscript now raises a warning for failed started devices, and + cryptdisks-early initscript raises a warning for failed stopped devices. + this makes the initscript actions far more transparent to users. same holds + for cryptdisks_st*. thanks to Christoph Anton Mitterer. (closes: #587222) + * remove lintian overrides init.d-script-should-depend-on-virtual-facility + as lintian lintian 2.4.2 has fixed #580082. + * bump standards-version to 3.9.0, remove version information from replaces/ + provides/conflicts against cryptsetup-luks, change conflicts against + hashalot (<= 0.3-1) to breaks hashalot (<< 0.3-1) and add replaces. + * fix loads of typos, thanks to Christoph Anton Mitterer. (closes: #588068) + * update copyright years and list Milan Broz in debian/copyright + + -- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:32:40 +0200 + +cryptsetup (2:1.1.2-1) unstable; urgency=low + + * new upstream release, changes include: + - Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile. + (closes: #583397) + - Add verbose log level and move unlocking message there. + - Remove device even if underlying device disappeared (remove, luksClose). + (closes: #554600, #574126) + - Fix (deprecated) reload device command to accept new device argument. + * merged from ubuntu: + - if plymouth is present in the initramfs, use this directly, bypassing + the cryptsetup askpass script + - start usplash in initramfs, since we need it for fancy passphrase input + - Set FRAMEBUFFER=y in cryptroot-conf, to pull plymouth into the initramfs + - debian/initramfs/cryptroot-hook: Properly anchor our regexps when + grepping /etc/crypttab so that we don't incorrectly match device names + that are substrings of one another. + - debian/initramfs/cryptroot-script: Don't leak /conf/conf.d/cryptroot + file descriptor to subprocesses. + * sync list of supported filesystems in passdev.c and cryptpassdev-hook + * fix debian/watch file to work with updated code.google.com download page + * stop building and shipping static libs (closes: #583387, #583471) + * improve documentation on (pre)checks in manpage. (closes: #583568, #583567) + * remove xfs and ext2 check scripts documentation from crypttab manpage, + blkid script can be used. thanks Christoph Anton Mitterer (closes: #583570) + + -- Jonas Meurer <mejo@debian.org> Tue, 01 Jun 2010 15:37:50 +0200 + +cryptsetup (2:1.1.1-1) unstable; urgency=low + + * new upstream release, changes include: + - detects and uses device-mapper udev support if available + - fix luksOpen reading of passphrase on stdin if "-" keyfile specified + - fix isLuks to initialise crypto backend (closes: #578979) + - fix luksClose operation for stacked DM devices + * remove all patches, they have all been merged upstream + * redirect output of copy_exec in add_device() from initramfs cryptroot + hook to stderr. fixes verbose run of mkinitramfs. (closes: #574163) + * acknowledge NMU. thanks to maximilian attems. (closes: #576488) + * change default for random key from /dev/random to /dev/urandom in + README.Debian, extend explanation. (closes: #579932) + * add comment to crypttab manpage about how to disable (pre)checks. + (closes: #574948) + * fix cryptdisks.functions to print cryptsource and crypttarget again at + the passphrase prompt. (closes: #578428) + * reorder build-depends, add pkg-config, change automake1.9 to automake + * add new lintian overrides + * switch to new dpkg source format "3.0 (quilt)", use upstream bzip tarball + * add ${misc:Depends} to depends for libcryptsetup-dev + * remove UID checks from initscripts, as these aren't meant to be invoked by + users anyway, and the UID checks introduced dependency on /usr filesystem. + * use grep -s for /etc/fstab in initramfs/cryptroot-hook. (closes: #580756) + * note that fs modules fore passdev devices need to be added to initramfs + in README.initramfs (closes: #580898) + * merged from ubuntu: + - Fix grammar error in debian/initramfs/cryptroot-script (closes: #581973) + * add busybox to suggests, thanks to martin michlmayr. (closes: #582914) + + -- Jonas Meurer <mejo@debian.org> Wed, 26 May 2010 23:38:01 +0200 + +cryptsetup (2:1.1.0-2.1) unstable; urgency=low + + * Non-maintainer upload. + + [ Martin Pitt ] + * debian/initramfs/cryptroot-script: (closes: #576488) + - Source /scripts/functions after checking for prerequisites. + - prereqs(): Do not assume we are running within initramfs, and calculate + relative path correctly. + + -- maximilian attems <maks@debian.org> Thu, 08 Apr 2010 01:37:17 +0200 + +cryptsetup (2:1.1.0-2) unstable; urgency=low + + * fix version in NEWS.Debian: 2:1.1.0~rc2-1 instead of 2:1.0.7-3. + * remove 'NOT RELEASED YET' from 2:1.1.0-1 changelog + * capitalize names in changelog + * mention the old default plain mode in changelog and NEWS, add a note that + debian-installer setups can ignore the warning, and warn for plain dm-crypt + mappings in crypttab that don't have set cipher, hash and size. + (closes: #573103, #573261) + + -- Jonas Meurer <mejo@debian.org> Tue, 16 Mar 2010 13:44:50 +0100 + +cryptsetup (2:1.1.0-1) unstable; urgency=low + + * new upstream stable release (1.1.0), notable changes since rc2: + - default key size for LUKS changed from 128 to 256 bits + - default plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256 + - key slot and key diggest iteration minimum set to 1000 + - convert hash name to lower case in header + * update patch 02_manpage + * add more supported filesystems to passdev.c, isofs->iso9660. thanks to + Christoph Anton Mitterer. (closes: #557405) + * update to standards-version 3.8.4, no changes needed + * accept spaces in $opts at postinst script. (closes: #559184) + * set extended $PATH in cryptdisks.functions. thanks to Christoph Anton + Mitterer. (closes: #557329) + * fix huge initramfs for archs which don't have kernel/arch directory. + thanks to martin michlmayr for bugreport and patch. (closes: #559510) + * support commandline options to mkfs in luksformat. thanks to Eduard + Bloch for bugreport and patch. (closes: #563975) + * extend error messages for evms setup in cryptroot-script + * add 03_luksAddKey.patch, to not verify unlocking passphrase in luksAddKey + command. (closes: #570418) + * add 04_crypto_init.patch, to properly initialise crypto backend in header + backup/restore commands. + * change build-dependency on cvs to new autopoint package (closes: #572463) + * rename decrypt_gpg keyscript to decrypt_gnupg, improve it based on ideas + by Christoph Anton Mitterer, mention the keyscript rename in NEWS.Debian. + Also, provide a initramfs cryptgnupg hook script. Thanks to Christoph + Anton Mitterer for bugreport and ideas. (closes: #560034) + * check for root privileges with '/usr/bin/id -u' in init scripts and + cryptdisks_{start|stop}. (closes: #563162) + + -- Jonas Meurer <mejo@debian.org> Mon, 08 Mar 2010 14:15:35 +0100 + +cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low + + * new upstream release candidate (1.1.0-rc2), highlights include: + - new libcryptsetup API (documented in libcryptsetup.h) + - luksHeaderBackup and luksHeaderRestore commands (closes: #533643) + - use libgcrypt, enables all gcrypt hash algorithms for LUKS through + -h luksFormat option (closes: #387159, #537385) + - new --master-key-file option for luksFormat and luksAddKey + - use dm-uuid for all crypt devices, contains device type and name now + (closes: #548988, #549870) + - command successful messages moved to verbose level (closes: #541805) + - several code changes to improve speed of luksOpen (closes: #536415) + - luksSuspend and luksResume commands + * remove unneeded patches 03_read_rework and 04_no_stderr_success, update + 02_manpage for new upstream release candidate. + * update patch to comply with DEP-3 (http://dep.debian.net/deps/dep3/) + * fix initramfs/cryptroot-hook to support setups where /dev/mapper/ contains + symlinks to devices at /dev/dm-*. the lvm2/device-mapper packages had + defaults changed to this temporary. it has been fixed in a subsequent + upload of lvm2 in the meantime, but still it's not a bad idea to be + prepared for such setups in the future. that way cryproot now supports + /dev/dm-* devices as well. (closes: #532579, #544487, #544773) + * fix initscript dependencies both for cryptdisks and cryptdisks-early. + thanks to Petter Reinholdtsen for bugreport and patch. (closes: #548356) + * finally change default behaviour of initscripts/cryptroot-hook to include + all available crypto modules into the initramfs. this change should fix + any problems with cryto modules missing from the initramfs. announce the + change in NEWS.Debian. (closes: #547597) + * add error messages to lvm detecting code in initramfs/cryptroot-script + in order to make debugging easier. (closes: #541248) + * implement detection of devices which are required by decrypt_derived + keyscript in initscripts/cryptroot-hook. that way setups where encrypted + swap has the key derived from non-root partitions should support suspend/ + resume as well. (closes: #475838) + * remove outdated documentation from the source package: CryptoRoot.HowTo, + CheckSystem.Doc + * mention in README.initramfs that busybox is required for cryptroot to work + * stop creating /etc/keys in postinst maintainer script. + * update build system to include library files again: (closes: #480157) + - split into three packages: cryptsetup, libcryptsetup1, libcryptsetup-dev + - rename preinst to cryptsetup.preinst, copy code to create /etc/crypttab + skeleton into cryptsetup-udeb.preinst. + - build with --enable-shared and --enable-static for libcryptsetup.a + - create debian/libcryptsetup1.symbols with help of dpkg-gensymbols + * add debian/cryptsetup.lintian-override for two false positives + * raise build-depends on debhelper and debian/compat for that reason + * update README.remote to work with latest dropbear package. thanks to + debian@x.ray.net. + * make all crypttab fields available to keyscripts as environment variables. + thanks to ludwig nussel from suse for idea and implmentation. document + this in crypttab(5) manpage. impelement the same environment variables in + initramfs cryptroot script. + * fix formatting errors in crypttab(5) manpage. + + -- Jonas Meurer <mejo@debian.org> Thu, 15 Oct 2009 19:26:14 +0200 + +cryptsetup (2:1.0.7-2) unstable; urgency=low + + * add a paragraph to the cryptsetup manpage that mentions /proc/crypto as + source for available crypto ciphers, modes, hashs, keysizes, etc. + (closes: #518266) + * fix luksformat to check for mkfs.$fs both in /sbin and /usr/sbin. thanks + to Jon Dowland. (closes: #539734) + * mention era eriksson as author of the typo fixes for manpage (submitted as + bug #476624) in changelog of cryptsetup 2:1.0.6-3. (closes: #541344) + * bump standards-version to 3.8.3. no changes needed. + * add 04_no_stderr_success.patch, which adds an option to suppress success + messages to stderr. don't apply the patch as this already has been fixed + upstream in another way. next cryptsetup release will print the command + successful message to stdout only if opt_verbose is set. + * add checkscripts blkid and un_blkid for the reason that vol_id will be + removed from udev soon. advertise the new scripts at all places that + mentioned vol_id or un_vol_id before. + * add /usr/share/bug/cryptsetup which adds /proc/cmdline, /etc/crypttab, + /etc/fstab and output of 'lsmod' to bugs against cryptsetup. + * add debian/README.remote, which describes how to setup a cryptroot system + with support for remote unlocking via ssh login into the initramfs. Thanks + to debian@x.ray.net for writing it down. + * update debian/copyright for current format from dep.debian.net/deps/dep5 + * add chainiv, cryptomgr and krng to standard list of modules in initramfs + cryptroot hook. (closes: #541835) + * add a section describing LUKS header backups and related security + implications to README.Debian. a tool to automate this task should not be + distributed at all. (closes: #432150) + + -- Jonas Meurer <mejo@debian.org> Tue, 01 Sep 2009 12:38:02 +0200 + +cryptsetup (2:1.0.7-1) unstable; urgency=low + + * new upstream release, highlights include (diff from ~rc1): + - allow removal of last slot in luksRemoveKey and luksKillSlot + - eject unsupported --offset and --skip options for luksFormat + * make passdev accept a timeout option, thanks to Evgeni Golov for the patch. + (closes: #502598) + * finally add the cryptsource delay implementation from ubuntu, as it seems + to workaround some issues where appearance of the root device takes longer + than expected. (closes: #488271) + * execute udev_settle before $cryptremove if $cryptcreate fails at + setup_mapping() in the initramfs cryptroot script. it seems like a short + delay and/or udev_settly is needed in between of 'cryptsetup create' and + 'cryptsetup remove'. thanks to Gernot Schilling for the bugreport. + (closes: #529527) + * talk about /dev/urandom instead of /dev/random in crypttab manpage. + (closes: #537344) + * check for $IGNORE before check_key() in handle_crypttab_line_start() + * rewrite error code handling: + - return 1 for errors in handle_crypttab_line_{start|stop} + - handle_crypttab_line_... || true needed due to set -e in initscript + - check for exit code of handle_crypttab_line_{start<stop} in + cryptdisks_{start|stop}, exit with proper status code (closes: #524173) + * add a counter to the while loop in cryptdisks_{start|stop}, in order to + detect if $dst was not found in crypttab. (closes: #524485) + * check for keyscript in the new location in initramfs/cryptopensc-hook. + * add README.opensc to docs, thanks to Benjamin Kiessling for writing it. + (closes: #514538) + * add patches/03_rework_read.patch [rework write_blockwise() and + read_blockwise()], but don't apply it yet as it's still experimental. + applying it will increase the speed of luksOpen. + + -- Jonas Meurer <mejo@debian.org> Thu, 30 Jul 2009 17:41:16 +0200 + +cryptsetup (2:1.0.7~rc1-2) unstable; urgency=low + + * flag the root device with rootdev option at /conf/conf.d/cryptroot in + initramfs hook, check for that flag before adding ROOT=$NEWROOT to + /conf/param.conf in initramfs script. that should prevent the initramfs + script from adding ROOT=$NEWROOT for resume devices. (closes: #535801) + + -- Jonas Meurer <mejo@debian.org> Wed, 15 Jul 2009 11:44:45 +0200 + +cryptsetup (2:1.0.7~rc1-1) unstable; urgency=low + + * new upstream release candidate, highlights include: + - use better error messages if device doesn't exist or is already used by + other mapping (closes: #492926) + - check device size when loading LUKS header + - add some error hint if dm-crypt mapping failed (key size and kernel + version check for XTS and LRW mode for now) (closes: #494584) + - display device name when asking for password + - retain readahead of underlying device, if devmapper version supports it + - set UUID in device-mapper for LUKS devices + - define device-mapper crypt UUID maximal length and check for its size + - add some checks for error codes, fixes warning: ignoring return value... + - update LUKS homepage in manpage to code.google.com/p/cryptsetup + * patches/01_fix_make_distclean.patch: removed, incorporated upstream + * patches/02_manpage.patch: updated, mostly incorporated upstream + * remove invokation of ./setup-gettext.sh from debian/rules. + * set $PATH in checks/xfs. Required to make /usr/sbin/xfs_admin work at early + boot stage. Thanks to Stefan Bender. (closes: #525118) + * update path to docbook-xsl stylesheet in debian/rules to + /usr/share/xml/docbook/stylesheet/docbook-xsl/. Add versioned build-depends + to docbook-xsl (>= 1.74.3+dfsg) for that reason. + * fix bashisms in scripts/decrypt_opensc, thanks to Raphael Geissert. + (closes: #530060) + * fix UUID and LABEL handling for cryptroot, thanks to Kees Cook and ubuntu. + (closes: #522041) + * add ROOT=$NEWROOT to /conf/param.conf in cryptroot initramfs script. This + is required for lilo to find the correct root device. Thanks to Pyotr + Berezhkov and Christian Schaarschmidt. (closes: #511447, #511840) + * replace mini autogen.sh with autoreconf in debian/rules. Thanks to Bastian + Kleineidam. (closes: #522798) + * support escaped newlines in askpass.c, thanks to Kees Cook and ubuntu. + (closes: #528133) + * use the same passphrase prompt in init script and initramfs script + * mention the incoherent behaviour of cryptsetup create/luksOpen with invalid + passwords/keys in cryptsetup manpage. (closes: #529359) + * bump standards-version to 3.8.2, no changes required. + * add 'X-Interactive: true' LSB-header to initscripts. + * fix bash_completion script to use 'command ls'. that way it now works with + aliased ls as well. thanks to Daniel Dehennin. (closes: #535351) + + -- Jonas Meurer <mejo@debian.org> Sat, 04 Jul 2009 15:52:06 +0200 + +cryptsetup (2:1.0.6+20090405.svn49-1) unstable; urgency=low + + * New upstream svn snapshot. Highlights include: + - Uses remapping to error target instead of calling udevsettle for + temporary crypt device. (closes: #514729, #498964, #521547) + - Removes lots of autoconf stuff as it's generated by autogen.sh anyway. + - Uses autopoint in build process, thus needs to Build-Depend on cvs. + - Fixes signal handler to proper close device. + - Wipes start of device before LUKS-formatting. + - Allows deletion of key slot with it's own key. (closes: #513596) + - Checks device mapper communication and gives proper error message in + case the communication fails. (closes: #507727) + * Update debian patches accordingly: + - Remove obsolete patches 01_gettext_package and 03_check_for_root + - Update patch 02_manpage + * Add missing newlines to some error messages in passdev.c. Thanks to + Christoph Anton Mitterer for bugreport and patch. (closes: #509067) + * Move keyscripts in initramfs from /keyscripts to /lib/cryptsetup/scripts + for the sake of consistency between initramfs and normal system. Document + this change in NEWS.Debian. (closes: #509066) + * Fix $LOUD in cryptdisks.init and cryptdisks.functions to take effect. Add + LOUD="yes" to cryptdisks_start. (closes: #513149) + * cryptdisks_{start,stop}: print error message if no entry is found in + crypttab for the given name. + * Actually fix watchfile to work with code.google.com. + * Update Homepage field to code.google.com URL. (closes: #516236) + * Fix location of ltmain.sh, build-depend on versioned libtool. + (closes: #521673, #522338) + * Some minor changes to make lintian happy: + - use set -e instead of /bin/sh -e in preinst. + - link to GPL v2 in debian/copyright + * Bump standards-version to 3.8.1, no changes needed. + * Fix a typo in NEWS.Debian. (closes: #522387) + * Taken from ubuntu: + - debian/checks/un_vol_id: dynamically build the "unknown volume type" + string, to allow for encrypted swap, (closes: #521789, #521469). Fix + sed to replace '/' with '\/' instead of '\\/' in device names. + - disable error message 'failed to setup lvm device' (LP 151532). + + -- Jonas Meurer <mejo@debian.org> Mon, 06 Apr 2009 08:49:14 +0200 + +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + * Add patches/01_gettext_package.patch: Remove -luks from GETTEXT_PACKAGE + in configure.in. + * Support keyfiles option in bash completion. Thanks to Stefan Goebel for + the patch. (closes: #499936) + * Update patches/02_manpage.patch: Fix the documnetation of default cipher + for LUKS mappings. (closes: #495832) + * Update debian/watch file to reflect the move of project home to + code.google.com. + * Check for $CRYPTDISKS_ENABLE in cryptdisks initscripts instead of + cryptdisks.functions. This way, cryptdisks_start/stop work even with + $CRYPTDISKS_ENABLE != "yes". Thanks to Pietro Abate. (closes: #506643) + * Add force-start to cryptdisks(-early).init in order to support starting + noauto devices manually. Thanks to Niccolo Rigacci. (closes: #505779) + * Document how to enable remote device unlocking via dropbear ssh server + in the initramfs during boot process. Thanks to Chris <debian@x.ray.net> + for the great work. (closes: #465902) + * Completely remove support and documentation of the timeout option, + document this in NEWS.Debian. (closes: #495509, #474120) + * Use exit instead of return in decrypt_ssl keyscript. Thanks to Rene Wagner. + (closes: #499704) + * Fix initramfs/cryptpassdev-hook to check for passdev instead of mountdev. + Thanks to Christoph Anton Mitterer. + * cryptdisks.functions: + - Search for keyscript in /lib/cryptdisks/scripts. the cryptoroot initramfs + script already supports keyscripts without path as argument. Thanks to + Christoph Anton Mitterer. + * README.initramfs: + - Remove the mention of bug #398302 from the section about suspend/resume, + as this bug has been fixes for some time now. + - Remove step 6 (mkswap) from the section about decrypt_derived, as it was + superfluous. Thanks to Helmut Grohe. (closes: #491867) + * Fix initramfs/cryptroot-script to use the lvm binary instead of vgchange. + Thanks to Marc Haber. (closes: #506536) + * Make get_lvm_deps() recursive in initramfs/cryptroot-hook. This is required + to detect the dm-crypt device in setups with more than one level of device + mapper mappings. For example if LVM is used with snapshots on top of the + dm-crypt mapping. Thanks to Christian Jaeger for bugreport and patch, Ben + Hutchings and Yves-Alexis Perez for help with debugging. (closes: #507721) + * urgency=medium due to several important fixes. + + -- Jonas Meurer <mejo@debian.org> Wed, 17 Dec 2008 21:25:45 +0100 + +cryptsetup (2:1.0.6-6) unstable; urgency=high + + * Don't cat keyfile into pipe for do_noluks(). cryptsetup handles + --key-file=- different for luks and plain dm-crypt mappings. This time + really (closes: #493848). Thus again upload with urgency=high. + + -- Jonas Meurer <mejo@debian.org> Sat, 09 Aug 2008 13:36:31 +0200 + +cryptsetup (2:1.0.6-5) unstable; urgency=high + + * Fix watch file to not report -pre and -rc releases as superior. + * Remove the global var $SIZE from cryptdisks.functions again but keep the + extended value checks. + * Remove the udev rules file also in preinst, code taken from example at + http://wiki.debian.org/DpkgConffileHandling. Thanks Marco d'Itri. + (closes: #493151) + * Remove duplicated configuration of --key-file in $PARAMS at do_noluks(). + (closes: #493848). + * Invoke mount_fs() and umount_fs() in cryptdisks_start, add + log_action_begin_msg() and log_action_end_msg() to both cryptdisks_start + and cryptdisks_stop. + * Copy fd 3 code from do_start and do_stop to cryptdisks_start and + cryptdisks_stop to fix "keyscript | cryptsetup". (closes: #493622) + * This upload fixes two RC bugs, thus upload with severity=high. + + -- Jonas Meurer <mejo@debian.org> Wed, 06 Aug 2008 10:19:21 +0200 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + [ David Härdeman ] + * Make sure $IGNORE is reset as necessary, patch by Thomas Luzat + <thomas@luzat.com> (closes: #490199) + * Use askpass in init scripts as well (closes: #489033, #477203) + + [ Jonas Meurer ] + * Don't copy_exec libgcc1 in cryptopensc initramfs hook, as it's already + copied by copy_exec /usr/sbin/pcscd automaticly. Thanks to Evgeni Golov + <sargentd@die-welt.net>. (closes: #490300) + * Remove the udev rules file again as the relevant rules are now provided + by dmsetup package which cryptsetup depends on. + * Add splashy support to askpass, thanks to John Hughes <john@calva.com> + for the patch. (closes: #492451) The support is limited to cryptroot + though, as splashy freezes for passphrase input dialogs from initscripts. + Document that in README.Debian. + * Now that askpass is used as keyscript for interactive mode, it's not + necessary to set cryptsetup parameter '--tries=$TRIES' and TRIES=1 for + interactive mode anymore in cryptdisks.functions. + * Implement special treatment for random passphrases now that we use + "--key-file=-" for all situations. Only necessary in do_noluks. + * Fix the passphrase prompt string in initramfs/cryptroot.script to use + $cryptsource instead of $cryptsources. + * Major documentation cleanup for lenny: + - Rewrite CryptoSwap.HowTo in README.Debian, remove CryptoSwap.HowTo. + - Refer to README.initramfs instead of CryptoRoot.HowTo for encrypted root + filesystem in README.Debian. + - Remove outdated docs CryptoRoot.HowTo, usbcrypto.udev and gen-old-ssl-key + as well as the decrypt_old_ssl keyscript. + - Remove debian/TODO, didn't have any useful content anyway. + - Fix section ''9. The "decrypt_derived" keyscript'': Add swap option to + the example line for crypttab and other minor fixes. Thanks to + Helmut Grohne <helmut@subdivi.de>. (closes: #491867) + * urgency=medium since important (#492451) and security (#477203) bugs get + fixed by this upload. + + -- Jonas Meurer <mejo@debian.org> Mon, 28 Jul 2008 00:21:44 +0200 + +cryptsetup (2:1.0.6-3) unstable; urgency=low + + [ Jonas Meurer ] + * Fix cryptdisks.functions to actually recognize the noauto option. Thanks + to Christian Pernegger <pernegger@gmail.com> (closes: #483882) + * Update patches/02_manpage.patch: + - fixes two more typos, thanks to and Era Eriksson <era@iki.fi> for the + patch, and Bruno Barrera Yever <bbyever@gmail.com> for forwarding it + to the bts (closes: #476624) + - removes a duplicate sentence + * Rephrase "Enter password for $crypttarget" to "Enter password to unlock + the disk $cryptsource ($crypttarget)" in initramfs/cryptroot.script. + * Bump Standards-Version to 3.8.0: + - Add a README.source which references /usr/share/doc/quilt/README.source. + - Add support for debian build option parallel=n to debian/rules. + * Add a udev rules file to ignore temporary-cryptsetup-* devices, as + suggested in bug #467200. Thanks to Sam Morris <sam@robots.org.uk>. + * Transform debian/copyright into machine-readable code as proposed in + http://wiki.debian.org/Proposals/CopyrightFormat. Update and add several + copyright notices. + * Change reference to docbook xml v4.2 driver file from an online version + to a local one in the manpage files, as the build process should not + depend on internet access. Add docbook-xml to build-depends. Thanks to + Lucas Nussbaum <lucas@lucas-nussbaum.net>. (closes: #487056) + + [ David Härdeman ] + * Hopefully fix askpass to properly handle console and usplash input + (closes: #477203) + * Clarify crypttab manpage (closes: #487246) + * Make regex work if keyfile has extended attributes, + https://launchpad.net/bugs/231339 (closes: #488131) + * Support comments in options part of crypttab (closes: #488128) + + -- Jonas Meurer <mejo@debian.org> Mon, 07 Jul 2008 00:30:07 +0200 + +cryptsetup (2:1.0.6-2) unstable; urgency=low + + [ Jonas Meurer ] + * Taken from ubuntu: + - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508) + - debian/patches/02_manpage.patch: Clarify default key sizes (128 for + luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508) + * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a + key in gen-ssl-key example script. + + [ David Härdeman ] + * Misc bugfixes to askpass, make sure it is installed to the correct + location and is built using pedantic mode. + * Change the initramfs script to use askpass to prompt for + passphrases, this should hopefully fix #382375 and #465902 once it + is enabled in the init scripts as well. + * Add a keyscript called passdev which allows a keyfile to be + retrieved from a device which is first mounted, mainly useful to get + keyfiles off USB devices etc. + * Unbreak MODULES=dep booting (closes: #478268) + * Relax checks for suspend devices a bit (closes: #477658) + * Convert man pages to docbook. + + -- David Härdeman <david@hardeman.nu> Mon, 26 May 2008 08:12:32 +0200 + +cryptsetup (2:1.0.6-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release + - reload option is deprecated and a warning is printed. (closes: #428288) + * convert patch system from dpatch to quilt. + * enhance the information regarding the default hash setting in NEWS.Debian. + Thanks to Ross Boylan <ross@biostat.ucsf.edu>. + * change author of keyslot patch to Marc Merlin in changelog, thanks to + U. Kuehn for raising that issue. + * doing some debian/rules redesign and cleanup, speeds up the build process. + * ignore devices with the noauto option early enough to prevent any checks + on them. Thanks to Joachim Breitner <nomeata@debian.org> (closes: #464672) + * update debian/copyright to actually mention copyright, thanks lintian. + * change script=$(basename $req) to script=${req##*/} in initramfs cryptroot + script. Thanks to Adeodato Simó <dato@net.com.org.es>. (closes: #466240) + * change test ... -a ... to [ ... ] && [ ... ] in the check scripts. + * add support for tries option to initramfs scripts. Thanks to Helmut Grohne + <helmut@subdivi.de>. (closes: #430158, #469869) Use --tries=1 for + cryptsetup in the initramfs script. Document the difference between + initscript and initramfs for tries=0 in the crypttab manpage. + * add, build and install askpass.c, a helper program by David Härdeman. The + idea is to use it for passphrase prompt in the initramfs script. + + [ David Härdeman ] + * Work with LABEL=, UUID= and symlinks in /etc/fstab (closes: #466175) + * Improve module loading in initramfs hook so that the newer as well + as arch specific crypto drivers are taken into consideration + (closes: #464673) + * Depend on race-free version of libdevmapper, thus making udevsettle + call from cryptsetup binary unnecessary. Also change call to + udevsettle in initramfs script (which is still useful as it related + to the source device) to optionally use udevadm if present (closes: + #456326). + + -- Jonas Meurer <mejo@debian.org> Mon, 31 Mar 2008 15:58:35 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + * New upstream svn snapshot: + - Adds typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to cryptsetup.8 + manpage. + - Mentions luksKillSlot in the manpage. Thanks to Alexander Heinlein + <alexander.heinlein@web.de>. (closes: #459206) + - Adds the patch by Marc Merlin <marc_www@merlins.org> to support explicit + key slots for luksFormat and luksAddKey. Thanks to U. Kuehn, who figured + out that this patch wasn't applied even though changelog said so. + - Supports adding new keys to active devices again. Thanks to Tobias Frost + <tobi@coldtobi.de> for the bugreport. (closes: #460409) + * Add support for a custom filesystem for /tmp. Patch provided by + Hans-Peter Oeri <hp@oeri.ch>. + * Add X-Start-Before headers to cryptdisks and cryptdisks-early initscripts. + Thanks to Petter Reinholdtsen <pere@debian.org> for report and patch. + (closes: #458944) + * Add support for a noauto option to cryptdisks. Thanks to U Kuehn + <ukuehn@acm.org> for the idea. + * Add typo fixes by Justin Pryzby <jpryzby+d@quoininc.com> to crypttab.5 + manpage. (closes: #460994) + * Add a cryptdisks_stop script, corresponding to cryptdisks_start. Thanks to + Joachim Breitner <nomeata@debian.org> for the idea. (closes: #459832) + * Change log_progress_msg to log_action_msg in cryptdisks.functions. That + way a newline is printed after the start of every device. Thanks to Frans + Pop <elendil@planet.nl> for the bugreport. (closes: #461548) + * Add bash_completition script provided by Kevin Locke <kwl7@cornell.edu>. + (closes: #423591) + * Fix a spelling error in the package description: linux -> Linux. + * Fix bashisms in cryptdisks_{start,stop} found by Raphael Geissert + <atomo64+debian@gmail.com>. + * Change the default hash in initramfs scripts from sha256 to ripemd160 for + consistency with cryptsetup default. Add information about that to + NEWS.Debian. Thanks to martin f krafft <madduck@debian.org>. + (closes: #406317) + + -- Jonas Meurer <mejo@debian.org> Wed, 30 Jan 2008 09:01:52 +0100 + +cryptsetup (2:1.0.6~pre1-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream alpha release 1.0.6~pre1: + - [01_crypt_luksFormat_libcryptsetup.dpatch] removed, applied upstream + - [02_manpage.dpatch] likewise + - [04_fix_unused_or_unitialized_variables.dpatch] likewise + - [05_segfault_at_nonexisting_device.dpatch] likewise + - [06_run_udevsettle.dpatch] update for new upstream + * Disable 03_check_for_root.dpatch. As Ludwig Nussel mentioned on + dm-crypt@saout.de, cryptsetup 1.0.5 already prints out meaningfull errors + if expected permissions are not available. Therefore the check for uid == + 0 is superfluous. + * [06_run_udevsettle.dpatch] Run udevsettle after device-mapper device + creation. Fixes issues with temporary device files in /dev/mapper. Patch + by Reinhard Tartler from Ubuntu. (closes: #444914) + * Add support for offset and skip options to cryptdisks/crypttab. Thanks to + Marc-Jano Knopp. (closes: #446674) + * Update the long description in debian/control. Don't mention kernel 2.6.4 + any longer, remove references to /usr/share/doc/cryptsetup/CryptoRoot.HowTo + and mkinitrd. + * Add noearly option to cryptdisks/crypttab, which causes cryptdisks-early + to ignore the entry. Thanks to Joerg Jaspert (closes: #423102) + * Change log_progress_msg "$dst (started)" to device_msg "$dst" "started" in + cryptdisks.functions. Makes console output of cryptdisks more consistent. + * Add cryptdisks_start and patch to cryptdisks.functions by Jon Dowland. + Also add a manpage for cryptdisks_start(8). (closes: #447159) + * Add load_optimized_module() function to cryptdisks.functions. Initial idea + by Reinhard Tartler from Ubuntu, enhanced by David Härdeman. + (closes: #445186) + * Add support for UUID=.. device strings to initramfs cryptroot-hook. Thanks + to Reinhard Tartler from Ubuntu for the patch. (closes: #445189) + * Support UUID=... and LABEL=... device strings in /etc/crypttab. Thanks + to Martin Pitt from Ubuntu for the patch. (closes: #445189) + * Add Vcs-Browser and Vcs-Svn fields to debian/control. + * Fix debian/rules to not fail to build if autom4te.cache is left behind + from a previous incomplete build. Patch again taken from Ubuntu. + * Mention in the crypttab manpage that files are allowed as source. In that + case they are mounted as loopback device automatically. Thanks to + Michal Cihar (closes: #451909) + * At stopping dm-crypt devices really remove the corresponding loopback + device if one has been used. Thanks to Rene Pavlik for report and to David + Härdeman, who had the idea for the fix. (closes: #451916) + * Also remove loopback devices if the cryptsetup device setup fails. + * Document a possible deadlock if cryptsetup is invoked as a 'run programm' + in a udev role. This i related to the invokation of udevsettle in + cryptsetup. Thanks to Dick Middleton for reporting and debugging. + (closes: #444914) + * Move umount_fs() from handle_crypttab_line() to the end of do_start(). + * Bump Standards-Version to 3.7.3.0. No changes needed. + * Remove unused litian-override file + * Remove --build $(DEB_BUILD_GNU_TYPE) and --host $(DEB_HOST_GNU_TYPE) from + invocation of ./configure, as they are already included in $(confflags). + + -- Jonas Meurer <mejo@debian.org> Thu, 06 Dec 2007 15:56:05 +0100 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + [ Jonas Meurer ] + * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by + the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj + Srivastava for advice. + * Fix the watchfile + * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann + (closes: #436434) + * Remove outdated README.html and example usbcrypto.* scripts from + documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer + for the update. (closes: #409775) + * Document that stdin is read different with '--key-file=-' than without. + Thanks to Marc Haber. (closes: #418450) + * Document that --timeout is useless in conjunction with --key-file. Thanks + Alexander Zangerl. (closes: #421693) + * [03_check_for_root.dpatch] Check for UID == 0 before actually doing + something. Thanks to Benjamin Seidenberg. (closes: #401766) + * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings + about unused or unitialized variables. Thanks to Ludwig Nussel for the + patch. + * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to + open a non existing device. Thanks to Ludwig Nussel for the patch. + (closes: #438198) + * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules. + This way CFLAGS are passed to the configure script. Thanks to Gordon + Farquharson for the patch. (closes: #438450) + * Add a warning about missing hash option in crypttab to initramfs + cryptoroot hook. Thanks to Sebastian Leske for the patch. + (closes: #438169) + * Add support for openct using data objects on a smartcard as key. Thanks to + Daniel Baumann <baumann@swiss-it.ch> for patch and documentation. + (closes: #438473) + * Polish opensc_decrypt and openct_decrypt. + * Add initramfs patch by maximilian attems. Bump depends on initramfs-tools + to (>= 0.91). (closes: #441428) + * several cleanups to make lintian happy: + - remove #!/bin/sh from cryptsetup.functions as it is not executable. + - remove unused-override configure-generated-file-in-source config.log. + - add some hyphen fixes to patches/02_manpage.dpatch + * Filter out the detection of filesystem type 'minix' in checks vol_id and + un_vol_id if checking for any valid filesystem. The minix fs signature + seems short enough to be detected erroneously by /lib/udev/vol_id. + Thanks to Fredrik Olofsson and arno for the bugreport. (closes: #411784) + * Add Homepage field to debian/control. + + -- Jonas Meurer <mejo@debian.org> Mon, 24 Sep 2007 15:42:06 +0200 + +cryptsetup (2:1.0.5-1) unstable; urgency=low + + [ Jonas Meurer ] + * New upstream release, nearly identical to svn snapshot svn29. + * Fix watch file to use cryptsetup instead of cryptsetup-luks. + * Add 01_crypt_luksFormat_libcryptsetup.dpatch - rename luksInit to + luksFormat in libcryptsetup.h. + * Merge some ubuntu changes: + - make luksformat check if filesystem is already mounted to prevent a + strange error message. + - modprobe dm-mod in cryptsetup.functions. + - wait for udev to be settled in initramfs script. + + [ David Härdeman ] + * Allow other crypto devices to be setup even if one fails. + (closes: #423100) + * Remove an incorrect warning in postinst. + + -- Jonas Meurer <mejo@debian.org> Fri, 27 Jul 2007 04:59:33 +0200 + +cryptsetup (2:1.0.4+svn29-1) unstable; urgency=low + + * New upstream svn snapshot with several bugfixes + - remove 01_tries_fix.dpatch, added upstream + + -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 02:48:37 +0200 + +cryptsetup (2:1.0.4+svn26-3) unstable; urgency=low + + * Add cryptdevice name to prompt before actually starting it. Thanks + to Joerg Jaspert. (closes: #421803) + + -- Jonas Meurer <mejo@debian.org> Wed, 02 May 2007 01:05:22 +0200 + +cryptsetup (2:1.0.4+svn26-2) unstable; urgency=low + + [ David Härdeman ] + * Fix typo in crypttab(5), the ext checkscript is called ext2, not + ext3. (closes: #410390) + * Use the initramfs-tools keymap support instead of our own (requires + initramfs-tools >= 0.87) + * Add support for usplash password prompt (closes: #397981) + * Remove the "ssl" and "gpg" options which are supported by keyscripts + since October 2006 (see NEWS for details). + * Spring cleaning of cryptdisks.functions, now supports multiple tries + for keyscripts and uses lsb logging. (closes: #420105, #383808) + + [ Jonas Meurer ] + * Add 01_tries_fix.dpatch, makes the --tries commandline option work + again. (closes: #414326, #412064) + * Document the un_vol_id check script, remove the swap check script from + documentation. The swap check indeed is rather useless, thanks to Frank + Engler <bts.to.FrankEngler@spamgourmet.com>. The script itself is kept + for compability issues. (closes: #406837) + * Add smartcard keyscript and initramfs-tools hooks/scripts. This adds + support for disk encryption with smartcards, even for root disks. + Thanks a lot to Gerald Turner <gturner@unzane.com> for the patch and a + smartcard reader for testing this. (closes: #416528) + * update copyright file: change "program" to "package", and mention GPL + version 2. add a full disclaimer. + * Add "--showkeys" to the dmsetup invocation in decrypt_derived script. + (closes: #420399) + * Fixes in cryptdisks.functions: + - Don't suppress error messages at mount and unmount and don't break + if 'mount $point' fails. + - Fix handling of checks and prechecks, the vars somehow where mixed + - Really use $CHECKARGS if it's defined + - Rename "stopped" to "stopping" for devices which are shutdown at + 'cryptdisks stop' (show a difference to already stopped devices). + + -- Jonas Meurer <mejo@debian.org> Sat, 28 Apr 2007 20:45:50 +0200 + +cryptsetup (2:1.0.4+svn26-1) unstable; urgency=high + + [ Jonas Meurer ] + * New upstream svn snapshot 1.0.4+svn26 + - contains a slightly modified patch by Rob Walker + <rob@tenfoot.org.uk> to fix a sector size error. (closes: #403075) + - fixes a LUKS header corruption on arm, which downgrades bug + #403426 from critical to important. + - prevents password retrying with I/O errors. + * handle chainmode/essiv "plain" correctly in initramfs hook. + Thanks to Leonard Norrgard. (closes: #402417) + * remove 'rm -rf m4' from a clean target in debian/rules. + * urgency=high to get this into etch. + + [ David Härdeman ] + * Document the difference in default hash functions between the + initramfs scripts and the plain cryptsetup binary. (closes: #398429) + * Verify symlinks for source devices when initramfs is generated and + correct if necessary. (closes: #405301) + + -- Jonas Meurer <mejo@debian.org> Tue, 9 Jan 2007 21:53:06 +0100 + +cryptsetup (2:1.0.4+svn16-2) unstable; urgency=high + + [ David Härdeman ] + * Add cbc to standard list of modules. Thanks to Michael Olbrich + <michael.olbrich@gmx.net>. (closes: #401370) + * Fix support for crypto-on-evms. Thanks to Enrico Gatto + <cat@legnago.linux.it>. (closes: #402417) + + [ Jonas Meurer ] + * urgency=high to get this into etch. + + -- Jonas Meurer <mejo@debian.org> Thu, 14 Dec 2006 01:41:40 +0100 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=medium + + [ David Härdeman ] + * Support adding separate blockcipher modules to initramfs image + (necessary for kernels >= 2.6.19) + * Hashing was previously not done correctly when decrypt_derived was used + + [ Jonas Meurer ] + * Add new upstream patch 02_luks_var_keysize.dpatch. Cryptsetup no longer + segfaults with unsupported keysize. (closes: #381973) + * Urgency medium as we really want these fixes in etch. + + -- Jonas Meurer <mejo@debian.org> Tue, 28 Nov 2006 18:17:12 +0100 + +cryptsetup (2:1.0.4-8) unstable; urgency=high + + [ Jonas Meurer ] + * Add 'set -e' and 'if ...; then ... fi' to cryptdisks-early as well. + + [ David Härdeman ] + * Make sure that a failed modprobe does not break with 'set -e'. + (closes: #398799) + + -- Jonas Meurer <mejo@debian.org> Thu, 16 Nov 2006 16:59:35 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + [ David Härdeman ] + * Do not try to configure resume devices which we cant get the key for + and also try harder to find resume devices. + (closes: #397887, #397888) + * Kill some more bashisms. + * Only try three times per crypto device in initramfs scripts to avoid + unbootable systems if a swap partition can't be setup. + * Added decrypt_derived keyscript and improved documentation of latest + changes, see README.initramfs for details. + + -- Jonas Meurer <mejo@debian.org> Tue, 14 Nov 2006 16:27:51 +0100 + +cryptsetup (2:1.0.4-6) unstable; urgency=high + + [ David Härdeman ] + * Improve LVM dependency checks in initramfs hook. Thanks to Loïc + Minier <lool@dooz.org> for the patch. (closes: #397633, #397651) + + -- Jonas Meurer <mejo@debian.org> Thu, 9 Nov 2006 13:55:48 +0100 + +cryptsetup (2:1.0.4-5) unstable; urgency=high + + [ David Härdeman ] + * Make sure that duplicate entries in initramfs do not block the boot + (closes: #397454) + * Do not check for the presence of a key if the keyscript option is + set (closes: #397450) + + -- Jonas Meurer <mejo@debian.org> Tue, 7 Nov 2006 18:03:41 +0100 + +cryptsetup (2:1.0.4-4) unstable; urgency=high + + [ David Härdeman ] + * Readd and document the kernel boot argument "cryptopts" due to user + demand + * Implement support for multiple device setup in initramfs. + (closes: #394136, #382280) + * Remove bashisms. (closes: #396092) + * Fix FTBFS by altering dpatch so that it is applied to Makefile.in.in + before configure is executed. (closes: #396126) + + [ Jonas Meurer ] + * Only warn for insecure keyfile mode/owner. Add some information about + insecure keys in README.Debian. (closes: #395357, #394134) + + -- Jonas Meurer <mejo@debian.org> Fri, 3 Nov 2006 02:22:49 +0100 + +cryptsetup (2:1.0.4-3) unstable; urgency=medium + + [ Jonas Meurer ] + * Suggest dosfstools. Needed for the default settings in luksformat. Thanks + to Loïc Minier <lool@dooz.org>. (closes: #393473) + * Suggest initramfs-tools (>= 0.60) | linux-initramfs-tool as well. + * Still urgency=medium for the same reasons + + [ David Härdeman ] + * Change the previous fix for #388871 to use the original patch from + Loïc Minier <lool@dooz.org>. This also removes the bogus UTF8 char. + (closes: #393895) + + -- Jonas Meurer <mejo@debian.org> Wed, 18 Oct 2006 23:03:47 +0200 + +cryptsetup (2:1.0.4-2) unstable; urgency=medium + + [ Jonas Meurer ] + * Fix postinst, use 'elif [ -z $foo] || [ -z $bar ]; then ...' + * Fix a typo in cryptdisks.functions, change $opt to $opts for more + consistency with the postinst script. + * Fix mount_fs() in cryptdisks.functions to actually do what we want it to + do. Up to now, the initscript stopped if a mountpoint failed to mount. + * urgency=medium to get cryptsetup 1.0.4 into etch + + -- Jonas Meurer <mejo@debian.org> Tue, 17 Oct 2006 16:16:02 +0200 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + [ David Härdeman ] + * Always update the current initramfs when a new version is installed + * Move the double-ssl decryption into a keyscript and change the ssl + option to use that script instead + * Move the gpg key decryption into a keyscript and change the gpg + option to use that script instead + * Clean up cryptdisks.functions + * Let initramfs-tools know that we need busybox in the initramfs image + * Fix bogus error message from initramfs hook, based on patch by + Loïc Minier <lool@dooz.org>. (closes: #388871) + * Remove the undocumented kernel boot argument "cryptopts" + * Always add some crypto modules/tools to the initramfs image unless + MODULES=dep. (closes: #389835) + * Update README.initramfs. + * Add checks and warnings that the ssl and gpg options are going away + in favour of the keyscript option + * Fix the decrypt_ssl script (closes: #390514) + + [ Jonas Meurer ] + * New upstream release. + - [01_terminal_output.dpatch] removed, finally went upstream + - [02_docs_tries.dpatch] removed, went upstream + - [03_fix_build_error.dpatch] renamed to 01_fix_build_error.dpatch + * Fix SYNOPSIS in crypttab(5) manpage to show all arguments as mandatory. + Thanks to Michael Steinfurth. + * Check in postinst for entries with missing arguments in /etc/crypttab. + Warn is one is found. Thanks to Michael Steinfurth (closes: #388083) + * Fix pretest for encrypted swap. Allow unencrypted swap on the source + device. Thanks to Dennis Furey. (closes: #387158) + * Fix posttest for encrypted swap. Don't skip if a swap filesystem is found + on the target device. Thanks to Sam Couter. (closes: #385317) + * Use 'set -e' and 'if [ -r <file> ]; then ...; fi' in init script. Thanks + to Goswin Brederlow. (closes: #390354) + * change '... > &2' to ... >&2' in cryptdisks.functions + + -- Jonas Meurer <mejo@debian.org> Mon, 16 Oct 2006 19:22:41 +0200 + +cryptsetup (2:1.0.4~rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * Add some more german translations to de.po. + * Add a note to NEWS.Debian where the fix for #376393 is explained. thanks + to Robert Bihlmeyer for the report. (closes: #379719) + * Allow swap filesystems to be overwritten when the swap flag is set. thanks + to Raphaël Quinet for the report. (closes: #379771) + * Update to upstream 1.0.4-rc2. (closes: #378422, #379726, closes: #379723) + * removed patches 03-05, merged upstream. + * [01_terminal_output.dpatch] updated for new upstream. + * [02_docs_tries.dpatch] updated for new upstream, to fix luksDelKey + documentation and to give more information about the keysize. + (closes: #379084) + + [ David Härdeman ] + * Make sure that README.initramfs is included in the package (closes + #380048) + * Replace panic calls in cryptsetup script with exit 1 to match the + behaviour of other scripts. The regular initramfs script will panic + later when root isn't detected anyway + * Make all four fields in crypttab mandatory (closes: #370180, + #376941) + * Add UTF8 keyboard input support to initramfs image (closes: #379737) + * Add a keyscript option (closes: #370302, #375913) + * [03_fix_build_error.dpatch] patch po/Makefile with more recent + gettext implementation. + + + -- Jonas Meurer <mejo@debian.org> Mon, 4 Sep 2006 03:55:35 +0200 + +cryptsetup (2:1.0.3-3) unstable; urgency=low + + [ Jonas Meurer ] + * revert the change that for swap devices the vol_id check is run by + default. if the swap partition is encrypted with a random key, the check + will always fail. thanks to Mika Bostrom <bostik@bostik.iki.fi> + (closes: #371135, #371160, #377434) + * fix the vol_id checkscript to do what it's expected to do. + * add the un_vol_id checkscript, which does the reverse of vol_id. + * use 'check=un_vol_id, checkargs=swap' for swap devices per default. + * added do_close function to cryptdisks.functions, as do_swap needs to use + it. up to now, 'cryptsetup remove' was invoked regardless whether the + device contains a LUKS partition or not. this is fixed now too. + * allow custom check scripts. check only if $CHECK exists in + /lib/cryptsetup/checks/ and use the given value as full path otherwise. + * make precheck for no_luks mandatory, fail if any known filesystem is + found. + * update crypttab manpage to reflect the checksystem changes. added an own + section for check scripts. update the CheckSystem documentation. + * update and simplify the gen-ssl-key script, thanks to Markus Nass + <generalstone@gmx.net> + * move gen-ssl-key, decrypt_ssl and luksformat to debian/scripts in the + source. + * add new directory /lib/cryptsetup/scripts/ for key decryption scripts like + decrypt_ssl and decrypt_gpg. + * add 05_fix_pointer_and_int_comparison.dpatch, fixes compiler warnings on + 64bit architectures. Thanks to David Härdeman for the patch. + * revert the order of do_start and do_stop at 'cryptdisks restart'. thanks + to Hans Peter Wiedau <hpw@quelltext.com> for pointing out that silly typo. + (closes: #377591) + + [ David Härdeman ] + * Support root-on-crypto-on-lvm in the initramfs scripts without + having to change the root variable (closes: #371846) + * If possible, load correct keymap in the initramfs image before any + password prompts (closes: #376393) + + -- Jonas Meurer <mejo@debian.org> Mon, 10 Jul 2006 20:01:02 +0200 + +cryptsetup (2:1.0.3-2) unstable; urgency=low + + [ David Härdeman ] + * Add patch by Arjan Oosting <arjanoosting@home.nl) for lvm-on-cryptroot + in initramfs scripts (closes: #362564) + + [ Jonas Meurer ] + * install luksformat to /usr/sbin, as it depends on perl (closes: #369923) + * use essiv cipher in luksformat, debian 2.6.16 kernels have essiv support + compiled in (closes: #369878) + * fix cryptsetup output, patch by David Härdeman <david@2gen.com> + (closes: #369575) + * add new check 'vol_id', which uses /lib/udev/vol_id from udev and supports + checks for any known filesystem type. implement a new option checkargs in + cryptdisks for that. suggest udev. closes one half of #370302. thanks to + Markus Nass and Darvid Härdeman for the suggestion. + * always check for a swap partition before running mkswap + * updated README.Debian, Checksystem.Doc and crypttab.5.txt accordingly. + * drop usage of strings from swap check, as it is in /usr/bin. thanks to + Markus Nass. + + -- Jonas Meurer <mejo@debian.org> Mon, 5 Jun 2006 18:27:07 +0200 + +cryptsetup (2:1.0.3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release, 1.0.3 final + - Add alignPayload patch by Peter Palfrader (closes: #358388) + - meaningful exitcodes and password retrying by Johannes Weißl + (closes: #359277) + * add 01_terminal_timeout.dpatch from Andres Salomon <dilinger@debian.org>. + - gets rid of getpass(), which is obsolete according to manpage + - restores the terminal state before doing the timeout (closes: #364153) + * add 02_docs_tries.dpatch, to describe --tries in the cryptsetup manpage. + * add 03_stdin_input.dpatch from David Härdeman <david@2gen.com>, + fixes input from stdin, accepts input with more than 32 characters + (closes: #364529, #365333) + * add 04_status_exit_codes.dpatch from David Härdeman <david@2gen.com>, + fixes the exit codes of 'cryptsetup status' + * provide a cryptsetup-udeb package (closes: #358422) + * remove debian/luksformat.8 in clean target (closes: #358386) + * fix update-rc.d arguments to start cryptdisks in rc0 and rc6. + it is not really started [but stopped], but still the links need to be + named S48cryptdisks. otherwise it will be invoked before umountfs. + * add initramfs cryptroot functionality, thanks to David Härdeman + <david@2gen.com> for the patch (closes: #358452) + * rename /lib/cryptsetup/init_functions to cryptdisks.functions + * move most of /etc/init.d/cryptdisks to cryptdisks.functions. + /etc/init.d/cryptdisks now does not much more than importing + cryptdisks.functions. required for running two seperate cryptdisks + initscripts. + * split the cryptdisks initscript into cryptdisks-early and cryptdisks. + actually both scripts do the same except having slightly different output. + the early script is run before lvm/evms/... are started, and the other one + after they are started. (closes: #363007) + * add support for mount to cryptdisks. this makes it possible to use + keyfiles from removable media. see the crypttab.5 manpage for more + information. + * use upstream cryptsetup tries option instead of the shell code in + cryptdisks. rename cryptdisks 'retry' option to 'tries'. + * document the fact, that the default settings in /etc/default/cryptdisks + take only effect if the relevant option is set without a value in + crypttab. add the environment section to crypttab.5.txt (closes: #364203) + * update the TODO list. + * update crypdisks.default + * run do_swap and do_tmp. Thanks to Riku Voipio <riku.voipio@iki.fi> + (closes: #365633) + * bump Standards-Version to 3.7.2.0, no changes needed + + [ David Härdeman ] + * add lvm capabilities to initramfs scripts (closes: #362564) + * add cryptsetup.postinst which executes update-initramfs when + cryptsetup is first installed (not on upgrades) + + -- Jonas Meurer <mejo@debian.org> Sat, 13 May 2006 19:45:08 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc3-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream release candidate: + - fixes sector size of the temporary mapping (closes: #355156) + - more verbose error logging (closes: #353755, #356288, #258376) + - upstream accepted my patches to the manpage + * fixed spelling error in README.Debian + * removed debian/cryptsetup.sgml, outdated + * ran ispell against doc files in debian/, fixed many typos + * change /usr/share/cryptsetup to /lib/cryptsetup in crypttab.5.txt + (closes: #354910) + * add --build (and maybe even --host) to configure flags, for + cross-compiling + * remove debian/luksformat.8 in clean target + * fix bashism in cryptdisks. thanks to Michal Politowski + <mpol@charybda.icm.edu.pl> (closes: #356484) + * add support for openssl encrypted keys, based on a patch by General Stone + <generalstone@gmx.net> (closes: #350615) + * add some code to support gnupg encrypted keys, some parts are missing. + + -- Jonas Meurer <mejo@debian.org> Fri, 17 Mar 2006 00:42:41 +0100 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + [ Jonas Meurer ] + * new upstream version 1.0.3-rc2, fixing issues with devmapper + * new upstream version 1.0.3-rc1, doesn't use essiv per default + * new upstream version (1.0.2) released + - add --timeout option for interactive usage + - add --batch-mode option to suppress input verifications + * install local cryptsetup.8 copy instead of the upstream manpage + - mention --readonly as possible option to luksOpen (closes: #353753) + - mention --batch-mode, --timeout, --version + - transform remaining option hyphens from '-' to '\-' + * merged ubuntu patches: + - modify cryptdisks init script to use lsb functions + - add luksformat and a manpage + * removed postinst and postrm, empty scripts + * added a README.Debian and a TODO + * added a NEWS file for Debian, and explain both the upstream transition + from plain cryptsetup to cryptsetup-luks, and the check options for + crypttab. + * install manpages using dh_installman, not with install + * updated CryptoRoot.HowTo, mention /etc/mkinitrd/modules and different + linux-image versions. (closes: #344867) + * removed needless debian/hack + * added debian/watch + * bumped debhelper compat level to 5, add versioned depends on + debhelper (>> 5.0.0) + * update debian/cryptsetup.8 to mention batch-mode and timeout + * updated cryptdisks + - modify init script to use lsb functions, at least where possible + - updated comments for cryptdisks.default + - moved option parsing and setup of loopback devices to seperate functions. + added a new include file /lib/cryptsetup/init_functions with functions + parse_opts, lo_setup, check_key, do_luks, do_noluks, do_swap, do_tmp + - always check for the source device exists before running cryptsetup + - hardcode precheck for LUKS to use 'cryptsetup isLuks'. this is much safer + than allowing other random prechecks, as it manifests that the source + device actually is a LUKS partition. + - don't remove the LUKS device when postcheck fails, as the supplied + password/key is correct anyway. + - use the new 'timeout' commandline option of cryptsetup instead of an + external wrapper + - be silent for not existing devices per default. Implement the loud + option for crypttab to warn if a device does not exist. + - remerge postchecks and prechecks into checks. + - don't disable swap & luks combination, instead disable luks with + /dev/random, /dev/urandom or /dev/hwrandom as key. + - run parse_opts before check_key, to know whether we use luks or not + + [ Michael Gebetsroither ] + * converted crypttab.sgml to asciidoc + * added dependencies for asciidoc to manpage conversion + * added developer documentation for a robust checksystem into cryptdisks + + -- Jonas Meurer <mejo@debian.org> Sun, 26 Feb 2006 20:04:49 +0100 + +cryptsetup (2:1.0.1-16) unstable; urgency=low + + [ Jonas Meurer ] + * already fixed in 2:1.0.1-14: binaries xor and delay from + usbcrypto.mkinitrd don't exist in debian. replaces with a perl script + and /bin/sleep. thanks to wesley terpstra for the help. + (closes: #324353) + * clean cryptdisks from bashisms (closes: #350360) + * check for /usr/bin/timeout before using it in cryptdisks. First, it's + only available when /usr is mounted, and that is not definitive when + cryptdisks is run at boot time. Second, timeout is a non-essential + debian package, and not neccecarily installed. The usage of + /usr/bin/timeout in any case is only a temporary workaround. + * move /usr/share/cryptsetup to /lib/cryptsetup, as the checks need to be + available at boot time, before local filesystems (like i.e. /usr) are + mounted. + * replace RETRY=`expr $RETRY - 1` with RETRY=$(($RETRY-1)), as expr is in + /usr/bin. + * install init.d script and default file with dh_installinit + (closes: #350548) + * don't build-depend on cvs + + -- Jonas Meurer <mejo@debian.org> Mon, 30 Jan 2006 17:54:50 +0100 + +cryptsetup (2:1.0.1-15) unstable; urgency=low + + [ Jonas Meurer ] + * rebuilt with -sa, to include the sources into upload + + -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 18:18:46 +0100 + +cryptsetup (2:1.0.1-14) unstable; urgency=low + + [ Jonas Meurer ] + * added a configurable timeout option for interactive password + prompt. set the default timeout to 180 seconds in + /etc/default/cryptdisks, and documented the crypttab option in + the crypttab manpage. (closes: #328961) + * fixed the default "precheck" and "postcheck" options, currently + no useful precheck exists, so no default here. + * removed the dummy cryptsetup-luks package, ftpmaster complains + about it. + + [ Michael Gebetsroither ] + * make small fixes to CryptoSwap.HowTo + * added postcheck for swap (closes: #342079) + + -- Jonas Meurer <mejo@debian.org> Fri, 27 Jan 2006 12:59:10 +0100 + +cryptsetup (2:1.0.1-13) unstable; urgency=low + + * split the "check" in a "precheck" and a "postcheck" option + - adds the possibility to check the source device before creating the + decrypted target device, useful for things like swap. + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 21:24:06 +0100 + +cryptsetup (2:1.0.1-12) unstable; urgency=low + + * correctly parse options in cryptdisks (closes: #304399) + * remove the moduledir /usr/lib/cryptsetup from the deb, it's + empty anyway (closes: #334648) + * replace /usr/local/bin/delay with /bin/sleep in usbcrypto.mkinitrd + * cosmetical changes to /etc/crypttab + * add "check" and "retry" options to cryptdisks script, + thanks to A Mennucc <debdev@mennucci.sns.it>. (closes: #290626) + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 19:46:18 +0100 + +cryptsetup (2:1.0.1-11) unstable; urgency=low + + * include sources although the debian revision is not -1 + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 16:35:12 +0100 + +cryptsetup (2:1.0.1-10) unstable; urgency=low + + * introduce an epoch to make upgrade happen + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 09:02:47 +0100 + +cryptsetup (1.0.1-9) unstable; urgency=low + + * rename the package to cryptsetup, provide a dummy cryptsetup-luks package + * initial upload to debian + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 08:06:25 +0100 + +cryptsetup-luks (1.0.1-8) unstable; urgency=low + + * use upstream tarball as orig.tar.gz and keep debian changes in diff.gz + * change to use dpatch + * adjust build environment to work with upstream sources, and without + autogen.sh + * merge fixes for debian scripts from cryptsetup. + * keep cryptsetup manpage untouched, as merging cryptsetup and + cryptsetup-luks manpages is rather complex. + * set mandir to /usr/share/man for configure + * add a lintian-override file + + -- Jonas Meurer <mejo@debian.org> Sun, 22 Jan 2006 06:48:30 +0100 + +cryptsetup-luks (1.0.1-7) unstable; urgency=high + + * make cryptsetup create work again (patch for lib/libdevmapper.c) + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 21 Jan 2006 14:39:36 +0100 + +cryptsetup-luks (1.0.1-6) unstable; urgency=low + + * recompile for new libdevmapper + + -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 10 Jan 2006 15:10:17 +0100 + +cryptsetup-luks (1.0.1-5) unstable; urgency=low + + * improved documentation for /etc/crypttab + + -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 7 Nov 2005 17:05:20 +0100 + +cryptsetup-luks (1.0.1-4) unstable; urgency=low + + * added luks option for /etc/crypttab (thx to Fabian Thorns + <fabian@thorns.it> for the initial patch) + + -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 3 Nov 2005 19:22:59 +0100 + +cryptsetup-luks (1.0.1-3) unstable; urgency=low + + * completly switched to luks upstream + + -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 11 Aug 2005 22:14:16 +0200 + +cryptsetup-luks (1.0.1-2) unstable; urgency=low + + * fixed build dependencies + + -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 22:30:38 +0200 + +cryptsetup-luks (1.0.1-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither <michael.geb@gmx.at> Mon, 20 Jun 2005 16:22:53 +0200 + +cryptsetup-luks (1.0-5) unstable; urgency=low + + * fixed a small typo in the manpage + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 23 Apr 2005 11:06:31 +0200 + +cryptsetup-luks (1.0-4) unstable; urgency=low + + * cleand source-tree for submitting a wishlist report into debian BTS + + -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 18:44:13 +0200 + +cryptsetup-luks (1.0-3) unstable; urgency=low + + * updatet dependencies (libdevmapper1.00 => libdevmapper1.01) + + -- Michael Gebetsroither <michael.geb@gmx.at> Tue, 19 Apr 2005 13:51:10 +0200 + +cryptsetup-luks (1.0-2) unstable; urgency=low + + * replaced original debian cryptsetup manpage with manpage from + cryptsetup-luks + + -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 3 Apr 2005 13:33:55 +0200 + +cryptsetup-luks (1.0-1) unstable; urgency=low + + * new upstream release + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 2 Apr 2005 23:29:43 +0200 + +cryptsetup-luks (0.993-3) unstable; urgency=low + + * fixed dependencis + + -- Michael Gebetsroither <michael.geb@gmx.at> Sun, 13 Feb 2005 01:28:11 +0100 + +cryptsetup-luks (0.993-2) unstable; urgency=low + + * fixed a few source problems + * fixed post/pre install scripts + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 16:18:07 +0100 + +cryptsetup-luks (0.993-1) unstable; urgency=low + + * synced with luks upstream + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 15:50:21 +0100 + +cryptsetup-luks (0.992-5) unstable; urgency=low + + * fixed a few problems in den debian source package + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 04:22:30 +0100 + +cryptsetup-luks (0.992-4) unstable; urgency=low + + * debianized the package + * cleand up build system + + -- Michael Gebetsroither <michael.geb@gmx.at> Sat, 12 Feb 2005 00:12:43 +0100 + +cryptsetup-luks (0.992-3) unstable; urgency=low + + * Fixed typo + + -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:38:42 +0100 + +cryptsetup-luks (0.992-2) unstable; urgency=low + + * Added note within description + + -- Michael Gebetsroither <michael.geb@gmx.at> Fri, 11 Feb 2005 18:21:03 +0100 + +cryptsetup-luks (0.992-1) unstable; urgency=low + + * "integrated LUKS" support (very messy hack) + + -- Michael Gebetsroither <michael.geb@gmx.at> Thu, 10 Feb 2005 18:16:21 +0100 diff --git a/debian/checks/blkid b/debian/checks/blkid new file mode 100644 index 0000000..27615d3 --- /dev/null +++ b/debian/checks/blkid @@ -0,0 +1,32 @@ +#!/bin/sh +# this script depends on /sbin/blkid from the util-linux package + +# usage: blkid <device> <fs_type> [<offset>] +# <device> may be any device that should be checked. +# if no <fs_type> is given, the check fails if no valid filesystem is found. +# if <fs_type> is given, the check fails when no filesystem type <fs_type> +# is found on the device. if <fs_type> is 'none', the check fails if any +# know filesystem is found. + +if test ! -x "/sbin/blkid"; then + echo " - WARNING: blkid from util-linux is not available, impossible to run checks." + exit 1 +fi + +dev="$1" +fs="$2" +offset="${3-}" + +blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")" + +# blkid output is empty if $dev has an unknown filesystem +if [ -z "$blkid" ] && [ -z "$fs" ]; then + echo " - The device $dev does not contain a known filesystem${offset:+" at offset $offset"}." + exit 1 +elif [ -n "$blkid" ] && [ "$fs" = "none" ]; then + echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}." + exit 1 +elif [ -n "$fs" ] && [ "$blkid" != "$fs" ]; then + echo " - The device $dev does not contain a filesystem type $fs${offset:+" at offset $offset"}." + exit 1 +fi diff --git a/debian/checks/ext2 b/debian/checks/ext2 new file mode 100644 index 0000000..0776fce --- /dev/null +++ b/debian/checks/ext2 @@ -0,0 +1,12 @@ +#!/bin/sh + +echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 + +not_fs="" +for fs in ext2 ext3 ext4 ext4dev; do + /lib/cryptsetup/checks/blkid "$1" "$fs" >/dev/null || not_fs="$not_fs $fs" +done +if [ "$not_fs" = " ext2 ext3 ext4 ext4dev" ]; then + echo " - The device $1 does not contain a valid ext2, ext3, ext4 or ext4dev filesystem." + exit 1 +fi diff --git a/debian/checks/swap b/debian/checks/swap new file mode 100644 index 0000000..2891417 --- /dev/null +++ b/debian/checks/swap @@ -0,0 +1,5 @@ +#!/bin/sh + +echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 + +/lib/cryptsetup/checks/blkid "$1" "swap" diff --git a/debian/checks/un_blkid b/debian/checks/un_blkid new file mode 100644 index 0000000..572d937 --- /dev/null +++ b/debian/checks/un_blkid @@ -0,0 +1,28 @@ +#!/bin/sh +# this script depends on /sbin/blkid from the util-linux package + +# usage: un_blkid <device> <fs_type> [<offset>] +# <device> may be any device that should be checked. +# if no <fs_type> is given, the check fails for any valid filesystem +# if <fs_type> is given, the check fails when a filesystem type <fs_type> +# is found on the device. + +if test ! -x "/sbin/blkid"; then + echo " - WARNING: blkid from util-linux is not available, impossible to run checks." + exit 1 +fi + +dev="$1" +fs="$2" +offset="${3-}" + +blkid="$(/sbin/blkid -o value -s TYPE -p ${offset:+-O "$offset"} -- "$dev")" + +# blkid output is empty if $dev has an unknown filesystem +if [ -n "$blkid" ] && [ -z "$fs" ]; then + echo " - The device $dev contains a filesystem type $blkid${offset:+" at offset $offset"}." + exit 1 +elif [ -n "$fs" ] && [ "$blkid" = "$fs" ]; then + echo " - The device $dev contains a filesystem type $fs${offset:+" at offset $offset"}." + exit 1 +fi diff --git a/debian/checks/xfs b/debian/checks/xfs new file mode 100644 index 0000000..981cde8 --- /dev/null +++ b/debian/checks/xfs @@ -0,0 +1,5 @@ +#!/bin/sh + +echo "WARNING: The check script $0 is deprecated. Please use check script blkid instead." >&2 + +/lib/cryptsetup/checks/blkid "$1" "xfs" diff --git a/debian/clean b/debian/clean new file mode 100644 index 0000000..f1aea9d --- /dev/null +++ b/debian/clean @@ -0,0 +1,10 @@ +debian/askpass +debian/doc/*.[0-9] +debian/doc/variables.xml +debian/scripts/passdev +debian/scripts/suspend/cryptsetup-suspend +# `make clean` doesn't remove all gitignore(5)'d files, instead +# .gitlab/ci/debian.yml runs `git clean -xdf` +man/*.8 +po/*.gmo +po/stamp-po diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..b53fcda --- /dev/null +++ b/debian/control @@ -0,0 +1,206 @@ +Source: cryptsetup +Section: admin +Priority: optional +Maintainer: Debian Cryptsetup Team <pkg-cryptsetup-devel@alioth-lists.debian.net> +Uploaders: Jonas Meurer <jonas@freesources.org>, + Guilhem Moulin <guilhem@debian.org> +Rules-Requires-Root: no +Build-Depends: asciidoctor <!nodoc>, + autoconf, + automake (>= 1:1.12), + autopoint, + debhelper-compat (= 13), + dh-strip-nondeterminism, + docbook-xml <!nodoc>, + docbook-xsl <!nodoc>, + gettext, + jq <!nocheck>, + libargon2-dev, + libblkid-dev, + libdevmapper-dev, + libjson-c-dev, + libpopt-dev, + libselinux1-dev, + libsepol-dev, + libssh-dev, + libssl-dev, + libtool, + pkg-config, + po-debconf, + procps <!nocheck>, + uuid-dev, + xsltproc <!nodoc>, + xxd <!nocheck> +Standards-Version: 4.6.2 +Homepage: https://gitlab.com/cryptsetup/cryptsetup +Vcs-Browser: https://salsa.debian.org/cryptsetup-team/cryptsetup +Vcs-Git: https://salsa.debian.org/cryptsetup-team/cryptsetup.git -b debian/latest + +Package: cryptsetup +Architecture: linux-any +Multi-Arch: foreign +Depends: cryptsetup-bin (>= 2:1.6.0), + dmsetup, + ${misc:Depends}, + ${shlibs:Depends} +Suggests: cryptsetup-initramfs, dosfstools, keyutils, liblocale-gettext-perl +Replaces: cryptsetup-run (<< 2:2.1.0-6) +Breaks: cryptsetup-run (<< 2:2.1.0-6) +Description: disk encryption support - startup scripts + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + Cryptsetup is backwards compatible with the on-disk format of cryptoloop, + but also supports more secure formats. This package includes support for + automatically configuring encrypted devices at boot time via the config + file /etc/crypttab. Additional features are cryptoroot support through + initramfs-tools and several supported ways to read a passphrase or key. + . + This package provides the cryptdisks_start and _stop wrappers, as well as + luksformat. + +Package: cryptsetup-bin +Architecture: linux-any +Multi-Arch: foreign +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: disk encryption support - command line tools + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides the cryptsetup, integritysetup and veritysetup + utilities. + +Package: cryptsetup-ssh +Architecture: linux-any +Multi-Arch: foreign +Depends: ${misc:Depends}, ${shlibs:Depends} +Recommends: cryptsetup-bin (>= ${source:Version}) +Breaks: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3) +Replaces: cryptsetup (<< 2:2.5.0~rc1-3), cryptsetup-bin (<< 2:2.5.0~rc1-3) +Description: disk encryption support - experimental SSH token handler + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides the cryptsetup-ssh(8) utility and an SSH token plugin + which can be used to unlock LUKS2 devices using a remote keyfile hosted on a + system accessible through SSH. This is currently an *experimental* feature + and mostly serves as a demonstration of the plugin interface API. + +Package: cryptsetup-initramfs +Architecture: all +Depends: busybox | busybox-static, + cryptsetup (>= ${source:Version}), + initramfs-tools (>= 0.137) | linux-initramfs-tool, + ${misc:Depends} +Recommends: console-setup, kbd +Breaks: cryptsetup (<< 2:2.0.3-1) +Replaces: cryptsetup (<< 2:2.0.3-1) +Conflicts: lvm2 (<< 2.03.15-1) +Description: disk encryption support - initramfs integration + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides initramfs integration for cryptsetup. + +Package: cryptsetup-suspend +Architecture: linux-any +Multi-Arch: foreign +Depends: cryptsetup-initramfs (>= ${source:Version}), + initramfs-tools-core, + kbd, + systemd, + ${misc:Depends}, + ${shlibs:Depends} +Description: disk encryption support - suspend mode integration + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides suspend mode integration for cryptsetup. It takes + care of removing LUKS master key from memory before system suspend. + . + Please note that the suspend mode integration is limited to LUKS devices + and requires systemd. Moreover, this is an early implementation and may not + be as mature as the other cryptsetup-* packages yet. + +Package: cryptsetup-run +Section: oldlibs +Architecture: all +Multi-Arch: foreign +Depends: cryptsetup (>= 2:2.1.0-6), ${misc:Depends} +Description: transitional dummy package for cryptsetup + This is a transitional dummy package to get upgrading systems to install the + cryptsetup package. It can safely be removed once no other package depends on + it. + +Package: libcryptsetup12 +Section: libs +Architecture: linux-any +Multi-Arch: same +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: disk encryption support - shared library + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides the libcryptsetup shared library. + +Package: libcryptsetup-dev +Section: libdevel +Architecture: linux-any +Multi-Arch: same +# XXX [#1025065] ideal we would have "Depends: libcryptsetup12 +# (= ${binary:Version}), ${misc:Depends}, ${pkgconf:Depends}" +Depends: libargon2-dev, + libblkid-dev, + libcryptsetup12 (= ${binary:Version}), + libdevmapper-dev, + libjson-c-dev, + libssl-dev, + uuid-dev, + ${misc:Depends} +Description: disk encryption support - development files + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This package provides the libcryptsetup development files. + +Package: cryptsetup-udeb +Section: debian-installer +Package-Type: udeb +Build-Profiles: <!noudeb> +Architecture: linux-any +Depends: dmsetup-udeb, ${misc:Depends}, ${shlibs:Depends} +Description: disk encryption support - commandline tools (udeb) + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This udeb package provides cryptsetup for the Debian Installer. + +Package: libcryptsetup12-udeb +Section: debian-installer +Package-Type: udeb +Build-Profiles: <!noudeb> +Architecture: linux-any +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: disk encryption support - shared library (udeb) + Cryptsetup provides an interface for configuring encryption on block + devices (such as /home or swap partitions), using the Linux kernel + device mapper target dm-crypt. It features integrated Linux Unified Key + Setup (LUKS) support. + . + This udeb package provides libcryptsetup for the Debian Installer. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..5e9553d --- /dev/null +++ b/debian/copyright @@ -0,0 +1,280 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Contact: Milan Broz <mbroz@redhat.com> +Source: https://gitlab.com/cryptsetup/cryptsetup +Upstream-Name: cryptsetup + +Files: * +Copyright: © 2004 Christophe Saout <christophe@saout.de> + © 2004-2008 Clemens Fruhwirth <clemens@endorphin.org> + © 2008-2023 Red Hat, Inc. + © 2008-2023 Milan Broz <gmazyland@gmail.com> +License: GPL-2+ with OpenSSL exception + +Files: debian/* +Copyright: © 2004-2005 Wesley W. Terpstra <terpstra@debian.org> + © 2005-2006 Michael Gebetsroither <michael.geb@gmx.at> + © 2006-2008 David Härdeman <david@hardeman.nu> + © 2005-2015 Jonas Meurer <jonas@freesources.org> + © 2016-2023 Guilhem Moulin <guilhem@debian.org> +License: GPL-2+ + +Files: debian/scripts/suspend/cryptsetup-suspend.c +Copyright: © 2018 Guilhem Moulin <guilhem@debian.org> + © 2018-2020 Jonas Meurer <jonas@freesources.org> +License: GPL-3+ + +Files: debian/scripts/suspend/cryptsetup-suspend-wrapper +Copyright: © 2019-2020 Tim <tim@systemli.org> + © 2019-2020 Jonas Meurer <jonas@freesources.org> + © 2020-2022 Guilhem Moulin <guilhem@debian.org> +License: GPL-3+ + +Files: debian/askpass.c debian/scripts/passdev.c +Copyright: © 2008 David Härdeman <david@hardeman.nu> +License: GPL-2+ + +Files: debian/initramfs/cryptroot-unlock +Copyright: © 2015-2018 Guilhem Moulin <guilhem@debian.org> +License: GPL-3+ + +Files: debian/README.opensc +Copyright: © 2008 Benjamin Kiessling <benjaminkiessling@bttec.org> +License: GPL-2+ + +Files: debian/scripts/cryptdisks_start +Copyright: © 2007 Jon Dowland <jon@alcopop.org> +License: GPL-2+ + +Files: debian/scripts/luksformat +Copyright: © 2005 Canonical Ltd. +License: GPL-2+ + +Files: debian/scripts/decrypt_gnupg-sc debian/README.gnupg-sc debian/initramfs/hooks/cryptgnupg-sc debian/initramfs/scripts/local-bottom/cryptgnupg-sc +Copyright: © 2005-2015 Jonas Meurer <jonas@freesources.org> + © 2016-2018 Guilhem Moulin <guilhem@debian.org> + © 2009,2014 Peter Lebbing <peter@digitalbrains.com> + © 2018 Erik Nellessen +License: GPL-2+ + +Files: debian/tests/* +Copyright: © 2021-2022 Guilhem Moulin <guilhem@debian.org> +License: GPL-3+ + +Files: docs/examples/* tests/all-symbols-test.c +Copyright: © 2011-2023 Red Hat, Inc. +License: LGPL-2.1+ + +Files: lib/bitlk/* +Copyright: © 2019-2023 Red Hat, Inc. + © 2019-2023 Milan Broz <gmazyland@gmail.com> + © 2019-2023 Vojtech Trefny +License: LGPL-2.1+ + +Files: tokens/ssh/* +Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com> + © 2020-2023 Vojtech Trefny +License: LGPL-2.1+ + +Files: tokens/ssh/cryptsetup-ssh.c +Copyright: © 2016-2023 Milan Broz <gmazyland@gmail.com> + © 2021-2023 Vojtech Trefny +License: GPL-2+ + +Files: lib/crypto_backend/* lib/integrity/* lib/loopaes/* lib/tcrypt/* lib/verity/* +Copyright: © 2009-2023 Red Hat, Inc. + © 2010-2023 Milan Broz <gmazyland@gmail.com> +License: LGPL-2.1+ + +Files: lib/crypto_backend/base64.c +Copyright: © 2010 Lennart Poettering + © 2021-2023 Milan Broz <gmazyland@gmail.com> +License: LGPL-2.1+ + +Files: lib/crypto_backend/utf8.c +Copyright: © 2010 Lennart Poettering + © 2021-2023 Vojtech Trefny + © 1999 Tom Tromey + © 2000 Red Hat, Inc. +License: GPL-2+ + +Files: lib/crypto_backend/crypto_openssl.c +Copyright: © 2009-2023 Red Hat, Inc. + © 2010-2023 Milan Broz <gmazyland@gmail.com> +License: LGPL-2.1+ with OpenSSL exception + +Files: lib/fvault2/fvault2.c lib/fvault2/fvault2.h +Copyright: © 2021-2022 Pavel Tobias +License: LGPL-2.1+ with OpenSSL exception + +Files: lib/keyslot_context.c lib/keyslot_context.h +Copyright: © 2022-2023 Red Hat, Inc. + © 2022-2023 Ondrej Kozina <okozina@redhat.com> +License: GPL-2+ + +Files: lib/crypto_backend/argon2/* +Copyright: © 2015 Daniel Dinu + © 2015 Dmitry Khovratovich + © 2015 Jean-Philippe Aumasson + © 2015 Samuel Neves +License: CC0 or Apache-2.0 + +Files: lib/crypto_backend/argon2/encoding.c +Copyright: © 2015 Thomas Pornin <pornin@bolet.org> +License: CC0 or Apache-2.0 + +Files: lib/crypto_backend/crc32.c +Copyright: © 1986 Gary S. Brown +License: public-domain + Gary S. Brown's license is as follows: + . + You may use this program, or code or tables extracted from it, as + desired without restriction. + +Files: lib/bitops.h +Copyright: © Karel Zak <kzak@redhat.com> +License: public-domain + Karel Zak's license is as follows: + . + No copyright is claimed. This code is in the public domain; do with it + what you wish. + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA. + . + On Debian systems, the complete text of the GNU General Public + License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-2+ with OpenSSL exception + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA. + . + On Debian systems, the complete text of the GNU General Public + License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + . + In addition, as a special exception, the copyright holders give + permission to link the code of portions of this program with the + OpenSSL library under certain conditions as described in each + individual source file, and distribute linked combinations including + the two. You must obey the GNU General Public License in all respects + for all of the code used other than OpenSSL. If you modify file(s) + with this exception, you may extend this exception to your version of + the file(s), but you are not obligated to do so. If you do not wish to + do so, delete this exception statement from your version. If you + delete this exception statement from all source files in the program, + then also delete it here. + +License: GPL-3+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the complete text of the GNU General Public License + version 3 can be found in `/usr/share/common-licenses/GPL-3`. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published + by the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA. + . + On Debian systems, the complete text of the GNU Lesser General Public + License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'. + +License: LGPL-2.1+ with OpenSSL exception + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published + by the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + 02110-1301 USA. + . + On Debian systems, the complete text of the GNU Lesser General Public + License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'. + . + In addition, as a special exception, the copyright holders give + permission to link the code of portions of this program with the + OpenSSL library under certain conditions as described in each + individual source file, and distribute linked combinations including + the two. You must obey the GNU Lesser General Public License in all + respects for all of the code used other than OpenSSL. If you modify + file(s) with this exception, you may extend this exception to your + version of the file(s), but you are not obligated to do so. If you do + not wish to do so, delete this exception statement from your version. + If you delete this exception statement from all source files in the + program, then also delete it here. + +License: CC0 + You may use this work under the terms of a Creative Commons CC0 1.0 + License/Waiver. + . + On Debian systems, the complete text of the Creative Commons CC0 1.0 + Universal license can be found in `/usr/share/common-licenses/CC0-1.0'. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache version 2.0 license + can be found in "/usr/share/common-licenses/Apache-2.0". diff --git a/debian/cryptdisks-functions b/debian/cryptdisks-functions new file mode 100644 index 0000000..ce5e6f4 --- /dev/null +++ b/debian/cryptdisks-functions @@ -0,0 +1,286 @@ +# +# This file is for inclusion with +# . /lib/cryptsetup/cryptdisks-functions +# and should not be executed directly. + +PATH="/usr/sbin:/usr/bin:/sbin:/bin" +CRYPTDISKS_ENABLE="Yes" + +#set -x + +# Sanity check #1 +[ -x /sbin/cryptsetup ] || exit 0 + +. /lib/lsb/init-functions +. /lib/cryptsetup/functions + +if [ -r /etc/default/cryptdisks ]; then + . /etc/default/cryptdisks +fi + +MOUNT="$CRYPTDISKS_MOUNT" + + +# do_start() +# Unlock all devices in the crypttab(5) +do_start() { + [ -s "$TABFILE" ] || return 0 + + # Create locking directory before invoking cryptsetup(8) to avoid warnings + mkdir -pm0700 /run/cryptsetup + modprobe -qb dm-mod || true + modprobe -qb dm-crypt || true + dmsetup mknodes >/dev/null 2>&1 || true + + if [ "$INITSTATE" != "init" ]; then + log_action_begin_msg "Starting $INITSTATE crypto disks" + fi + mount_fs + + crypttab_foreach_entry _do_start_callback + + umount_fs + log_action_end_msg 0 +} +_do_start_callback() { + setup_mapping || log_action_end_msg $? +} + +# mount_fs() +# Premounts file systems +mount_fs() { + local point + MOUNTED="" + + for point in $MOUNT; do + if mount "$point" >/dev/null; then + MOUNTED="$MOUNTED $point" + fi + done +} + +# Postunmounts file systems +umount_fs() { + local point + + for point in $MOUNTED; do + umount "$point" >/dev/null + done +} + +# setup_mapping() +# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + device_msg "running" + return 0 + fi + + local loud="${DEFAULT_LOUD:-}" + crypttab_parse_options --export --missing-path=fail || return 1 + if [ -n "${CRYPTTAB_OPTION_quiet+x}" ]; then + loud="no" + elif [ -n "${CRYPTTAB_OPTION_loud+x}" ]; then + loud="yes" + fi + + if [ -z "${FORCE_START-}" ]; then + if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] || + [ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then + device_msg "ignored" + return 0 + fi + fi + + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + if ! crypttab_key_check; then + device_msg "invalid key" + return 1 + fi + CRYPTTAB_OPTION_tries=1 + fi + + if ! crypttab_resolve_source; then + if [ "$loud" = "yes" ]; then + device_msg "skipped, device $CRYPTTAB_SOURCE does not exist" + fi + return 1 + fi + device_msg "starting" + + local offset_bytes="" + if [ -n "${CRYPTTAB_OPTION_offset+x}" ] && [ ${#CRYPTTAB_OPTION_offset} -le 7 ] && [ $CRYPTTAB_OPTION_offset -lt 4194304 ]; then + # silently ignore large offset values which might cause the multiplication to overflow... + offset_bytes=$((CRYPTTAB_OPTION_offset * 512)) + fi + + local out tmpdev + if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then + # fail if the device has a filesystem and the disk encryption format doesn't + # verify the key digest (unlike LUKS); unless it's swap, otherwise people can't + # easily convert an existing plainttext swap partition to an encrypted one + if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" && + ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null; then + log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out" + return 1 + fi + fi + + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv + local target="$CRYPTTAB_NAME" + CRYPTTAB_NAME="${CRYPTTAB_NAME}_unformatted" # XXX potential conflict + while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + # unlock via keyfile + unlock_mapping "$CRYPTTAB_KEY" + else + # unlock interactively or via keyscript + CRYPTTAB_NAME="$target" run_keyscript "$count" | unlock_mapping + fi + rv=$? + count=$(( $count + 1 )) + + if [ $rv -ne 0 ] || ! tmpdev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + continue + fi + if [ -n "${CRYPTTAB_OPTION_check+x}" ] && \ + ! "$CRYPTTAB_OPTION_check" "$tmpdev" ${CRYPTTAB_OPTION_checkargs+"$CRYPTTAB_OPTION_checkargs"}; then + log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed" + cryptsetup remove -- "$CRYPTTAB_NAME" + continue + fi + if [ "${CRYPTTAB_OPTION_swap+x}" ]; then + if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" "" ${CRYPTTAB_OPTION_offset+"$offset_bytes"} 2>/dev/null)" || + /lib/cryptsetup/checks/blkid "$tmpdev" swap ${CRYPTTAB_OPTION_offset+"$offset_bytes"} >/dev/null 2>&1; then + mkswap "$tmpdev" >/dev/null 2>&1 + else + log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out" + cryptsetup remove -- "$CRYPTTAB_NAME" + return 1 + fi + elif [ "${CRYPTTAB_OPTION_tmp+x}" ]; then + local tmpdir="$(mktemp --tmpdir="/run/cryptsetup" --directory)" rv=0 + if ! mkfs -t "$CRYPTTAB_OPTION_tmp" -q "$tmpdev" >/dev/null 2>&1 || + ! mount -t "$CRYPTTAB_OPTION_tmp" "$tmpdev" "$tmpdir" || + ! chmod 1777 "$tmpdir"; then + rv=1 + fi + umount "$tmpdir" || true + rmdir "$tmpdir" || true + [ $rv -eq 0 ] || return $rv + fi + if command -v udevadm >/dev/null 2>&1; then + udevadm settle + fi + dmsetup rename -- "$CRYPTTAB_NAME" "$target" + device_msg "$target" "started" + return 0 + done + device_msg "$target" "failed" + return 1 +} + +# Removes all mappings in crypttab, except the ones holding the root +# file system or /usr +do_stop() { + local devno_rootfs devno_usr + dmsetup mknodes + log_action_begin_msg "Stopping $INITSTATE crypto disks" + + devno_rootfs="$(get_mnt_devno /)" || devno_rootfs="" + devno_usr="$(get_mnt_devno /usr)" || devno_usr="" + + crypttab_foreach_entry _do_stop_callback + log_action_end_msg 0 +} +_do_stop_callback() { + local skip="n" devno rv=0 + + # traverse the device tree for each crypttab(5) entry and mark / and + # /usr holders as skipped. that's suboptimal but we can't use + # mapped device names as they might contain any character other than + # NUL. shouldn't be much overhead anyway as the device tree is + # likely not that long + foreach_cryptdev _do_stop_skipped $devno_rootfs $devno_usr + [ "$skip" = "n" ] || return $rv + + if devno="$(dmsetup info -c --noheadings -o devno -- "$CRYPTTAB_NAME" 2>/dev/null)" && [ -n "$devno" ]; then + foreach_cryptdev --reverse _do_stop_remove "$devno" || rv=$? # try to remove slave devices first + fi + return $rv +} +_do_stop_skipped() { + if [ "$1" = "$CRYPTTAB_NAME" ]; then + skip="y" + fi +} +_do_stop_remove() { + local name="$1" i rv=0 + for i in 1 2 4 8 16 32; do + remove_mapping "$name" 3<&- && break || rv=$? + if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then + log_action_end_msg $rv + break + fi + log_action_cont_msg "$name busy..." + sleep $i + done +} + +# device_msg([$name], $message) +# Convenience function to handle $VERBOSE +device_msg() { + local name message + if [ $# -eq 1 ]; then + name="$CRYPTTAB_NAME" + message="$1" + else + name="$1" + message="$2" + fi + + if [ "$VERBOSE" != "no" ]; then + log_action_cont_msg "$name ($message)" + fi +} + +# remove_mapping($target) +# Remove mapping $target +remove_mapping() { + local CRYPTTAB_NAME="$1" + + if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + device_msg "stopped" + return 0 + fi + + if [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then + device_msg "error" + return 1 + fi + + local opencount="$(dmsetup info -c --noheadings -o open -- "$CRYPTTAB_NAME" 2>/dev/null || true)" + if [ -z "$opencount" ]; then + device_msg "error" + return 1 + elif [ "$opencount" != "0" ]; then + device_msg "busy" + if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then + return 1 + elif [ "$INITSTATE" = "remaining" ]; then + return 2 + fi + return 0 + fi + + if cryptsetup remove -- "$CRYPTTAB_NAME"; then + device_msg "stopping" + return 0 + else + device_msg "error" + return 1 + fi +} + +# vim: set filetype=sh : diff --git a/debian/cryptsetup-bin.NEWS b/debian/cryptsetup-bin.NEWS new file mode 100644 index 0000000..ec5bf13 --- /dev/null +++ b/debian/cryptsetup-bin.NEWS @@ -0,0 +1,215 @@ +cryptsetup (2:2.3.6-1+exp1) bullseye-security; urgency=high + + This release fixes a key truncation issue for standalone dm-integrity + devices using HMAC integrity protection. For existing such devices + with extra long HMAC keys (typically >106 bytes of length, see + https://bugs.debian.org/949336#78 for the various corner cases), one + might need to manually truncate the key using integritysetup(8)'s + `--integrity-key-size` option in order to properly map the device + under 2:2.3.6-1+exp1 and later. + + Only standalone dm-integrity devices are affected. dm-crypt devices, + including those using authenticated disk encryption, are unaffected. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 28 May 2021 22:54:20 +0200 + +cryptsetup (2:1.6.6-1) unstable; urgency=medium + + The whirlpool hash implementation has been broken in gcrypt until version + 1.5.3. This has been fixed in subsequent gcrypt releases. In particular, + the gcrypt version that is used by cryptsetup starting with this release, + has the bug fixed. Consequently, LUKS containers created with broken + whirlpool will fail to open from now on. + + In the case that you're affected by the whirlpool bug, please read section + '8.3 Gcrypt after 1.5.3 breaks Whirlpool' of the cryptsetup FAQ at + https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions + carefully. It explains how to open your LUKS container and reencrypt it + afterwards. + + -- Jonas Meurer <mejo@debian.org> Tue, 04 Mar 2014 23:17:37 +0100 + +cryptsetup (2:1.1.3-1) unstable; urgency=low + + Cryptdisks init scripts changed their behaviour for failures at starting and + stopping encrypted devices. Cryptdisks init script now raises a warning for + failures at starting encrypted devices, and cryptdisks-early warns about + failures at stopping encrypted devices. + + -- Jonas Meurer <mejo@debian.org> Sat, 10 Jul 2010 14:36:33 +0200 + +cryptsetup (2:1.1.0-1) unstable; urgency=low + + The default key size for LUKS was changed from 128 to 256 bits, and default + plain mode changed from aes-cbc-plain to aes-cbc-essiv:sha256. + In case that you use plain mode encryption and don't have set cipher and hash + in /etc/crypttab, you should do so now. The new defaults are not backwards + compatible. See the manpage for crypttab(5) for further information. If your + dm-crypt setup was done by debian-installer, you can ignore that warning. + + Additionally, the keyscript decrypt_gpg, which was disabled by default up to + now, has been rewritten and renamed to decrypt_gnupg. If you use a customized + version of the decrypt_gpg keyscript, please backup it before upgrading the + package. + + -- Jonas Meurer <mejo@debian.org> Thu, 04 Mar 2010 17:31:40 +0100 + +cryptsetup (2:1.1.0~rc2-1) unstable; urgency=low + + The cryptroot initramfs hook script has been changed to include all + available crypto kernel modules in case that initramfs-tools is configured + with MODULES=most (default). See /etc/initramfs-tools/initramfs.conf for + more information. + If initramfs-tools is configured with MODULES=dep, the cryptroot hook script + still tries to detect required modules, as it did by default in the past. + + -- Jonas Meurer <mejo@debian.org> Sun, 27 Sep 2009 16:49:20 +0200 + +cryptsetup (2:1.0.7-2) unstable; urgency=low + + Checkscripts vol_id and un_vol_id have been replaced by blkid and un_blkid. + In case that you explicitly set keyscript=vol_id or keyscript=un_vol_id in + /etc/crypttab, you will need to update your /etc/crypttab manually. + Replacing 'vol_id' with 'blkid' and 'un_vol_id' with 'un_blkid' should work. + The new *blkid keyscripts are fully compatible to the old *vol_id scripts. + + -- Jonas Meurer <mejo@debian.org> Sun, 23 Aug 2009 23:32:49 +0200 + +cryptsetup (2:1.0.6-8) unstable; urgency=low + + Keyscripts inside the initramfs have been moved from /keyscripts to + /lib/cryptsetup/scripts. This way they're now available at the same location + as on the normal system. + In most cases no manual action is required. Only if you reference a keyscript + by path in some script that is included in the initramfs, then you need to + update that reference by updating the path. + + -- Jonas Meurer <mejo@debian.org> Tue, 23 Dec 2008 00:43:10 +0100 + +cryptsetup (2:1.0.6-7) unstable; urgency=medium + + Support for the timeout option has been removed from cryptdisks initscripts + in order to support splash screens and remote shells in boot process. + The implementation had been unclean and problematic anyway. + If you used the timeout option on headless systems without physical access, + then it's a much cleaner solution anyway, to use the 'noauto' option in + /etc/crypttab, and start the encrypted devices manually with + '/etc/init.d/cryptdisks force-start'. + Another approach is to start a minimal ssh-server in the initramfs and unlock + the encrypted devices after connecting to it. This even supports encrypted + root filesystems for headless server systems. + For more information, please see /usr/share/docs/cryptsetup/README.Debian.gz + + -- Jonas Meurer <mejo@debian.org> Tue, 16 Dec 2008 18:37:16 +0100 + +cryptsetup (2:1.0.6-4) unstable; urgency=medium + + The obsolete keyscript decrypt_old_ssl and the corresponding example script + gen-old-ssl-key have been removed from the package. If you're still using + them, either save a local backup of /lib/cryptsetup/scripts/decrypt_old_ssl + and put it back after the upgrade finished, or migrate your setup to use + keyscripts that are still supported. + + -- Jonas Meurer <mejo@debian.org> Sun, 27 Jul 2008 16:22:57 +0200 + +cryptsetup (2:1.0.6~pre1+svn45-1) unstable; urgency=low + + The default hash used by the initramfs cryptroot scripts has been changed + from sha256 to ripemd160 for consistency with the cryptsetup default. If you + have followed the recommendation to configure the hash in /etc/crypttab this + change will have no effect on you. + + If you set up disk encryption on your system using the Debian installer + and/or if you use LUKS encryption, everything is already set up correctly + and you don't need to do anything. + If you did *not* use the Debian installer and if you have encrypted devices + which do *not* use LUKS, you must make sure that the relevant entries in + /etc/crypttab contain a hash=<hash> setting. + + -- Jonas Meurer <mejo@debian.org> Tue, 29 Jan 2008 11:46:57 +0100 + +cryptsetup (2:1.0.5-2) unstable; urgency=low + + The vol_id and un_vol_id check scripts no longer regard minix as a valid + filesystem, since random data can be mistakenly identified as a minix + filesystem due to an inadequate signature length. + + If you use minix filesystems, you should not rely on prechecks anymore. + + -- Jonas Meurer <mejo@debian.org> Mon, 10 Sep 2007 14:39:44 +0200 + +cryptsetup (2:1.0.4+svn16-1) unstable; urgency=high + + The --key-file=- argument has changed. If a --hash parameter is passed, it + will now be honoured. This means that the decrypt_derived keyscript will in + some situations create a different key than previously meaning that any swap + partitions that rely on the script will have to be recreated. To emulate the + old behaviour, make sure that you pass "--hash=plain" to cryptsetup. + + -- David Härdeman <david@hardeman.nu> Tue, 21 Nov 2006 21:29:50 +0100 + +cryptsetup (2:1.0.4-7) unstable; urgency=low + + The cryptsetup initramfs scripts now also tries to detect swap + partitions used for software suspend (swsusp/suspend2/uswsusp) and + to set them up during the initramfs stage. See README.initramfs for + more details. + + -- David Härdeman <david@hardeman.nu> Mon, 13 Nov 2006 19:27:02 +0100 + +cryptsetup (2:1.0.4-1) unstable; urgency=low + + The ssl and gpg options in /etc/crypttab have been deprecated in + favour of the keyscripts option. The options will still work, but + generate warnings. You should change any lines containing these + options to use keyscript=/lib/cryptsetup/scripts/decrypt_old_ssl or + keyscript=/lib/cryptsetup/scripts/decrypt_gpg instead as support + will be completely removed in the future. + + -- David Härdeman <david@hardeman.nu> Mon, 16 Oct 2006 00:00:12 +0200 + +cryptsetup (2:1.0.3-4) unstable; urgency=low + + Up to now, the us keymap was loaded at the passphrase prompt in the boot + process and ASCII characters were always used. With this upload this is + fixed, meaning that the correct keymap is loaded and the keyboard is + (optionally) set to UTF8 mode before the passphrase prompt. + + This may result in your password not working any more in the boot process. + In this case, you should add a new key with cryptsetup luksAddKey with your + correct keymap loaded. + + Additionally, all four fields are now mandatory in /etc/crypttab. An entry + which does not contain all fields will be ignored. It is recommended to + set cipher, size and hash anyway, as defaults may change in the future. + + If you didn't set any of these settings yet, then you should add + cipher=aes-cbc-plain,size=128,hash=ripemd160 + to the the options in /etc/crypttab. See man crypttab(5) for more details. + + -- David Härdeman <david@2gen.com> Sat, 19 Aug 2006 18:08:40 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-2) unstable; urgency=low + + The crypttab 'retry' has been renamed to 'tries' to reflect upstream's + functionality. Default is 3 tries now, even if the option is not given. + See the crypttab.5 manpage for more information. + + -- Jonas Meurer <mejo@debian.org> Fri, 28 Apr 2006 17:42:15 +0200 + +cryptsetup (2:1.0.2+1.0.3-rc2-1) unstable; urgency=low + + Since release 2:1.0.1-9, the cryptsetup package uses cryptsetup-luks as + upstream source. This is a enhanced version of plain cryptsetup which + includes support for the LUKS extension, a standard on-disk format for + hard disk encryption. Plain dm-crypt (as provided by the old cryptsetup + package) is still available, thus backwards compatibility is given. + Nevertheless it is recommended to update your encrypted partitions to + LUKS, as this implementation is more secure than the plain dm-crypt. + + Another major change is the check option for crypttab. It allows to + configure checks that are run after cryptsetup has been invoked, and + prechecks to be run against the source device before cryptsetup has been + invoked. See man crypttab(5) or README.Debian for more information. + + -- Jonas Meurer <mejo@debian.org> Fri, 3 Feb 2006 13:41:35 +0100 diff --git a/debian/cryptsetup-bin.install b/debian/cryptsetup-bin.install new file mode 100644 index 0000000..6c344e1 --- /dev/null +++ b/debian/cryptsetup-bin.install @@ -0,0 +1,5 @@ +sbin/cryptsetup +sbin/integritysetup +sbin/veritysetup +usr/lib/tmpfiles.d/cryptsetup.conf +usr/share/locale/*/*/* diff --git a/debian/cryptsetup-bin.manpages b/debian/cryptsetup-bin.manpages new file mode 100644 index 0000000..759911e --- /dev/null +++ b/debian/cryptsetup-bin.manpages @@ -0,0 +1,44 @@ +# We don't use a glob here since we want to exclude cryptsetup-ssh.8 +# which we ship in the 'cryptsetup-ssh' binary package. +# Explicitely listing all manual pages here isn't as brittle as it might +# sound since in compat >=13 dh_listing(1) fails if upstream installs +# files which aren't part of any binary package. +usr/share/man/man8/cryptsetup-benchmark.8 +usr/share/man/man8/cryptsetup-bitlkDump.8 +usr/share/man/man8/cryptsetup-bitlkOpen.8 +usr/share/man/man8/cryptsetup-close.8 +usr/share/man/man8/cryptsetup-config.8 +usr/share/man/man8/cryptsetup-convert.8 +usr/share/man/man8/cryptsetup-create.8 +usr/share/man/man8/cryptsetup-erase.8 +usr/share/man/man8/cryptsetup-fvault2Dump.8 +usr/share/man/man8/cryptsetup-fvault2Open.8 +usr/share/man/man8/cryptsetup-isLuks.8 +usr/share/man/man8/cryptsetup-loopaesOpen.8 +usr/share/man/man8/cryptsetup-luksAddKey.8 +usr/share/man/man8/cryptsetup-luksChangeKey.8 +usr/share/man/man8/cryptsetup-luksConvertKey.8 +usr/share/man/man8/cryptsetup-luksDump.8 +usr/share/man/man8/cryptsetup-luksErase.8 +usr/share/man/man8/cryptsetup-luksFormat.8 +usr/share/man/man8/cryptsetup-luksHeaderBackup.8 +usr/share/man/man8/cryptsetup-luksHeaderRestore.8 +usr/share/man/man8/cryptsetup-luksKillSlot.8 +usr/share/man/man8/cryptsetup-luksOpen.8 +usr/share/man/man8/cryptsetup-luksRemoveKey.8 +usr/share/man/man8/cryptsetup-luksResume.8 +usr/share/man/man8/cryptsetup-luksSuspend.8 +usr/share/man/man8/cryptsetup-luksUUID.8 +usr/share/man/man8/cryptsetup-open.8 +usr/share/man/man8/cryptsetup-plainOpen.8 +usr/share/man/man8/cryptsetup-reencrypt.8 +usr/share/man/man8/cryptsetup-refresh.8 +usr/share/man/man8/cryptsetup-repair.8 +usr/share/man/man8/cryptsetup-resize.8 +usr/share/man/man8/cryptsetup-status.8 +usr/share/man/man8/cryptsetup-tcryptDump.8 +usr/share/man/man8/cryptsetup-tcryptOpen.8 +usr/share/man/man8/cryptsetup-token.8 +usr/share/man/man8/cryptsetup.8 +usr/share/man/man8/integritysetup.8 +usr/share/man/man8/veritysetup.8 diff --git a/debian/cryptsetup-initramfs.NEWS b/debian/cryptsetup-initramfs.NEWS new file mode 100644 index 0000000..0f60251 --- /dev/null +++ b/debian/cryptsetup-initramfs.NEWS @@ -0,0 +1,15 @@ +cryptsetup (2:2.0.3-2) unstable; urgency=medium + + In order to defeat online brute-force attacks, the initramfs boot + script sleeps for 1 second after each failed try. On the other + hand, it no longer sleeps for a full minute after exceeding the + maximum number of unlocking tries. This behavior was added in + 2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping + to the debug shell after exceeding the maximum number of unlocking + tries, users need to use the 'panic' boot parameter and lock down + their boot loader & BIOS/UEFI. + + The initramfs hook nows uses /proc/mounts instead of /etc/fstab to + detect the root device that is to be unlocked at initramfs stage. + + -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:50:56 +0200 diff --git a/debian/cryptsetup-initramfs.docs b/debian/cryptsetup-initramfs.docs new file mode 100644 index 0000000..c1280ac --- /dev/null +++ b/debian/cryptsetup-initramfs.docs @@ -0,0 +1 @@ +debian/README.initramfs diff --git a/debian/cryptsetup-initramfs.install b/debian/cryptsetup-initramfs.install new file mode 100644 index 0000000..6780893 --- /dev/null +++ b/debian/cryptsetup-initramfs.install @@ -0,0 +1,10 @@ +debian/initramfs/conf-hook /etc/cryptsetup-initramfs/ +debian/initramfs/conf-hooks.d/cryptsetup /usr/share/initramfs-tools/conf-hooks.d/ +debian/initramfs/cryptroot-unlock /usr/share/cryptsetup/initramfs/bin/ +debian/initramfs/hooks/* /usr/share/initramfs-tools/hooks/ +debian/initramfs/scripts/local-block/cryptroot /usr/share/initramfs-tools/scripts/local-block/ +debian/initramfs/scripts/local-bottom/cryptgnupg-sc /usr/share/initramfs-tools/scripts/local-bottom/ +debian/initramfs/scripts/local-bottom/cryptopensc /usr/share/initramfs-tools/scripts/local-bottom/ +debian/initramfs/scripts/local-bottom/cryptroot /usr/share/initramfs-tools/scripts/local-bottom/ +debian/initramfs/scripts/local-top/cryptopensc /usr/share/initramfs-tools/scripts/local-top/ +debian/initramfs/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/ diff --git a/debian/cryptsetup-initramfs.lintian-overrides b/debian/cryptsetup-initramfs.lintian-overrides new file mode 100644 index 0000000..72e8077 --- /dev/null +++ b/debian/cryptsetup-initramfs.lintian-overrides @@ -0,0 +1,6 @@ +# `cryptroot-unlock` is meant to be run from the initramfs image, using busybox's /bin/ash +unusual-interpreter /bin/busybox [usr/share/cryptsetup/initramfs/bin/cryptroot-unlock] +no-debconf-config + +# valid use of Conflicts:, cf. section 7.4 of the Debian Policy +conflicts-with-version lvm2 (<< 2.03.15-1) diff --git a/debian/cryptsetup-initramfs.postinst b/debian/cryptsetup-initramfs.postinst new file mode 100644 index 0000000..acf6e1b --- /dev/null +++ b/debian/cryptsetup-initramfs.postinst @@ -0,0 +1,41 @@ +#! /bin/sh + +set -e + +# needed for debconf magic in prerm script +. /usr/share/debconf/confmodule + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> + +case "$1" in + configure) + + if command -v update-initramfs >/dev/null; then + update-initramfs -u + fi + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup-initramfs.postrm b/debian/cryptsetup-initramfs.postrm new file mode 100644 index 0000000..f42e20e --- /dev/null +++ b/debian/cryptsetup-initramfs.postrm @@ -0,0 +1,15 @@ +#! /bin/sh + +set -e + +case "$1" in + remove) + if command -v update-initramfs >/dev/null; then + update-initramfs -u + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup-initramfs.prerm b/debian/cryptsetup-initramfs.prerm new file mode 100644 index 0000000..48fa691 --- /dev/null +++ b/debian/cryptsetup-initramfs.prerm @@ -0,0 +1,29 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +case "$1" in + remove) + if grep -q '^dm_mod\s' /proc/modules; then + # XXX we overshoot here, only devices that need to be present at + # initramfs stage need to be checked here + cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')" + if [ -n "$cryptmap" ]; then + db_fset cryptsetup-initramfs/prerm_active_mappings seen false + db_subst cryptsetup-initramfs/prerm_active_mappings cryptmap "$cryptmap" + db_input high cryptsetup-initramfs/prerm_active_mappings || true + db_go || true + db_get cryptsetup-initramfs/prerm_active_mappings + if [ "$RET" = "false" ]; then + exit 1 + fi + fi + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup-initramfs.templates b/debian/cryptsetup-initramfs.templates new file mode 100644 index 0000000..2d87012 --- /dev/null +++ b/debian/cryptsetup-initramfs.templates @@ -0,0 +1,9 @@ +Template: cryptsetup-initramfs/prerm_active_mappings +Type: boolean +Default: true +_Description: Continue with cryptsetup-initramfs removal? + This system has unlocked dm-crypt devices: ${cryptmap} + . + If these devices are managed with cryptsetup and need to be present at + initramfs stage, then you might be unable to boot your system after the + package removal. diff --git a/debian/cryptsetup-run.NEWS b/debian/cryptsetup-run.NEWS new file mode 100644 index 0000000..9dfe5a4 --- /dev/null +++ b/debian/cryptsetup-run.NEWS @@ -0,0 +1,11 @@ +cryptsetup (2:2.0.3-2) unstable; urgency=medium + + The 'decrypt_openct' keyscript has been removed, since openct itself + is no longer developed and was removed from Debian since Jessie. + + The 'precheck' crypttab(5) option is no longer supported. The + precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`; + the script refuses to unlock non-LUKS devices (plain dm-crypt and + tcrypt devices) containing a known filesystem (other that swap). + + -- Guilhem Moulin <guilhem@debian.org> Fri, 15 Jun 2018 18:49:45 +0200 diff --git a/debian/cryptsetup-ssh.install b/debian/cryptsetup-ssh.install new file mode 100644 index 0000000..f41adb1 --- /dev/null +++ b/debian/cryptsetup-ssh.install @@ -0,0 +1,2 @@ +lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.so +sbin/cryptsetup-ssh diff --git a/debian/cryptsetup-ssh.manpages b/debian/cryptsetup-ssh.manpages new file mode 100644 index 0000000..f89b50f --- /dev/null +++ b/debian/cryptsetup-ssh.manpages @@ -0,0 +1 @@ +usr/share/man/man8/cryptsetup-ssh.8 diff --git a/debian/cryptsetup-suspend.install b/debian/cryptsetup-suspend.install new file mode 100644 index 0000000..371a98f --- /dev/null +++ b/debian/cryptsetup-suspend.install @@ -0,0 +1,5 @@ +debian/scripts/suspend/cryptsetup-suspend /lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend-wrapper /lib/cryptsetup/scripts/suspend/ +debian/scripts/suspend/cryptsetup-suspend.shutdown /lib/systemd/system-shutdown/ +debian/scripts/suspend/suspend.conf /etc/cryptsetup/ +debian/scripts/suspend/systemd/cryptsetup-suspend.conf /lib/systemd/system/systemd-suspend.service.d/ diff --git a/debian/cryptsetup-suspend.lintian-overrides b/debian/cryptsetup-suspend.lintian-overrides new file mode 100644 index 0000000..c5a34f6 --- /dev/null +++ b/debian/cryptsetup-suspend.lintian-overrides @@ -0,0 +1,2 @@ +# cryptsetup-suspend depends on systemd and doesn't work with sysvinit +cryptsetup-suspend: package-supports-alternative-init-but-no-init.d-script diff --git a/debian/cryptsetup-suspend.manpages b/debian/cryptsetup-suspend.manpages new file mode 100644 index 0000000..e338d98 --- /dev/null +++ b/debian/cryptsetup-suspend.manpages @@ -0,0 +1 @@ +debian/doc/cryptsetup-suspend.7 diff --git a/debian/cryptsetup-suspend.postinst b/debian/cryptsetup-suspend.postinst new file mode 100644 index 0000000..daabad5 --- /dev/null +++ b/debian/cryptsetup-suspend.postinst @@ -0,0 +1,14 @@ +#!/bin/sh + +set -e + +# dh_installsystemd(1) doesn't support overrides but we manually copy +# the snippet it would add. +if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then + if [ -d /run/systemd/system ]; then + systemctl --system daemon-reload >/dev/null || true + fi +fi + +#DEBHELPER# +exit 0 diff --git a/debian/cryptsetup-suspend.postrm b/debian/cryptsetup-suspend.postrm new file mode 100644 index 0000000..2505065 --- /dev/null +++ b/debian/cryptsetup-suspend.postrm @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +# dh_installsystemd(1) doesn't support overrides but we manually copy +# the snippet it would add. +if [ -d /run/systemd/system ]; then + systemctl --system daemon-reload >/dev/null || true +fi + +#DEBHELPER# +exit 0 diff --git a/debian/cryptsetup-udeb.install b/debian/cryptsetup-udeb.install new file mode 100644 index 0000000..b37fb69 --- /dev/null +++ b/debian/cryptsetup-udeb.install @@ -0,0 +1,7 @@ +debian/askpass /lib/cryptsetup/ +debian/checks/* /lib/cryptsetup/checks/ +debian/cryptdisks-functions /lib/cryptsetup/ +debian/functions /lib/cryptsetup/ +debian/scripts/decrypt_* /lib/cryptsetup/scripts/ +debian/scripts/passdev /lib/cryptsetup/scripts/ +sbin/cryptsetup diff --git a/debian/cryptsetup-udeb.preinst b/debian/cryptsetup-udeb.preinst new file mode 100644 index 0000000..483051e --- /dev/null +++ b/debian/cryptsetup-udeb.preinst @@ -0,0 +1,32 @@ +#! /bin/sh + +set -e + +create_crypttab() { + if [ ! -f "/etc/crypttab" ]; then + cat <<-EOC >/etc/crypttab + # <target name> <source device> <key file> <options> + EOC + fi +} + +case "$1" in + install) + create_crypttab + ;; + + upgrade) + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument '$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup.NEWS b/debian/cryptsetup.NEWS new file mode 100644 index 0000000..8bf645b --- /dev/null +++ b/debian/cryptsetup.NEWS @@ -0,0 +1,62 @@ +cryptsetup (2:2.5.0~rc1-3) experimental; urgency=medium + + The experimental SSH token handler and cryptsetup-ssh(8) utility are now + shipped in a separate binary package 'cryptsetup-ssh'. (They were first + included in cryptsetup 2:2.4.0~rc0-1+exp1 so have never been part of a + stable Debian release.) No pre-existing binary package in src:cryptsetup + declares any dependency on the new binary package so users who need + experimental SSH token support need to manually run `apt install + cryptsetup-ssh`. + + -- Guilhem Moulin <guilhem@debian.org> Thu, 21 Jul 2022 20:41:20 +0200 + +cryptsetup (2:2.1.0-7) unstable; urgency=low + + The 'cryptsetup' and 'cryptsetup-run' packages have been swapped: + 'cryptsetup' now contains init scripts, libraries, keyscripts, etc., + while 'cryptsetup-run' is a transitional dummy package depending on + 'cryptsetup'. + + On systems which do rely on the initramfs integration, one can mark + 'cryptsetup-initramfs' as being manually installed (so APT never + selects it for auto-removal) with the following command: + + apt-mark manual cryptsetup-initramfs + + On the other hand, the 'cryptsetup-initramfs' package can be safely + removed on systems not relying on initramfs integration. + + -- Guilhem Moulin <guilhem@debian.org> Sun, 21 Jul 2019 17:08:52 -0300 + +cryptsetup (2:2.0.3-2) unstable; urgency=medium + + The 'decrypt_openct' keyscript has been removed, since openct itself + is no longer developed and was removed from Debian since Jessie. + + In order to defeat online brute-force attacks, the initramfs boot + script sleeps for 1 second after each failed try. On the other + hand, it no longer sleeps for a full minute after exceeding the + maximum number of unlocking tries. This behavior was added in + 2:1.7.3-2 as an attempt to mitigate CVE-2016-4484; to avoid dropping + to the debug shell after exceeding the maximum number of unlocking + tries, users need to use the 'panic' boot parameter and lock down + their boot loader & BIOS/UEFI. + + The initramfs hook nows uses /proc/mounts instead of /etc/fstab to + detect the root device that is to be unlocked at initramfs stage. + + The 'precheck' crypttab(5) option is no longer supported. The + precheck for LUKS devices is still hardcoded to `cryptsetup isLuks`; + the script refuses to unlock non-LUKS devices (plain dm-crypt and + tcrypt devices) containing a known filesystem (other that swap). + + -- Guilhem Moulin <guilhem@debian.org> Tue, 22 May 2018 01:47:21 +0200 + +cryptsetup (2:2.0.3-1) unstable; urgency=medium + + With this version, cryptsetup has been split into cryptsetup-run + (init script) and cryptsetup-initramfs (initramfs integration). + 'cryptsetup' is now a transitional dummy package depending on + cryptsetup-run and cryptsetup-initramfs. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 16 May 2018 23:39:20 +0200 diff --git a/debian/cryptsetup.apport b/debian/cryptsetup.apport new file mode 100644 index 0000000..ad811ce --- /dev/null +++ b/debian/cryptsetup.apport @@ -0,0 +1,43 @@ +'''apport package hook for cryptsetup + +(c) 2009 Author: Reinhard Tartler <siretart@tauware.de> +(c) 2015 Author: Jonas Meurer <jonas@freesources.org> +''' + +from apport.hookutils import * + +msg = \ +""" + +Providing additional information can help diagnose problems with cryptsetup. +Specifically, this would include: +- kernel cmdline (copy of /proc/cmdline). +- crypttab configuration (copy of /etc/crypttab). +- fstab configuration (copy of /etc/fstab). +If this information is not relevant for your bug report or you have privacy +concerns, please choose no. + +Do you want to provide additional information? +(you will be able to review the data before it is sent) + +""" + +def add_info(report, ui): + attach_files = False + + if ui: + if ui.yesno(msg) == None: + # user decided to cancel + raise StopIteration + + # user is allowing files to be attached. + attach_files = True + + if attach_files == False: + # do not attach any files + return + + attach_file(report, '/proc/cmdline', 'cmdline') + attach_file(report, '/etc/fstab', 'fstab') + attach_file_if_exists(report, '/etc/crypttab', 'crypttab') + diff --git a/debian/cryptsetup.cryptdisks-early.init b/debian/cryptsetup.cryptdisks-early.init new file mode 100644 index 0000000..6498431 --- /dev/null +++ b/debian/cryptsetup.cryptdisks-early.init @@ -0,0 +1,53 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks-early +# Required-Start: checkroot +# Required-Stop: umountroot +# Should-Start: udev mdadm-raid +# Should-Stop: udev mdadm-raid +# X-Start-Before: lvm2 +# X-Stop-After: lvm2 umountfs +# X-Interactive: true +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Setup early encrypted block devices. +# Description: +### END INIT INFO + +set -e + +if [ -r /lib/cryptsetup/cryptdisks-functions ]; then + . /lib/cryptsetup/cryptdisks-functions +else + exit 0 +fi + +INITSTATE="early" +DEFAULT_LOUD="" + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + do_start + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks-early {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac diff --git a/debian/cryptsetup.cryptdisks.default b/debian/cryptsetup.cryptdisks.default new file mode 100644 index 0000000..c1f837c --- /dev/null +++ b/debian/cryptsetup.cryptdisks.default @@ -0,0 +1,12 @@ +# Run cryptdisks initscripts at startup? Default is Yes. +CRYPTDISKS_ENABLE=Yes + +# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes +# mountpoins which are configured in /etc/fstab as arguments. Separate +# mountpoints by space. +# This is useful for keyfiles on removable media. Default is unset. +CRYPTDISKS_MOUNT="" + +# Default check script. Takes effect, if the 'check' option is set in crypttab +# without a value. +CRYPTDISKS_CHECK=blkid diff --git a/debian/cryptsetup.cryptdisks.init b/debian/cryptsetup.cryptdisks.init new file mode 100644 index 0000000..0cd4a83 --- /dev/null +++ b/debian/cryptsetup.cryptdisks.init @@ -0,0 +1,53 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: cryptdisks +# Required-Start: checkroot cryptdisks-early +# Required-Stop: umountroot cryptdisks-early +# Should-Start: udev mdadm-raid lvm2 +# Should-Stop: udev mdadm-raid lvm2 +# X-Start-Before: checkfs +# X-Stop-After: umountfs +# X-Interactive: true +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Setup remaining encrypted block devices. +# Description: +### END INIT INFO + +set -e + +if [ -r /lib/cryptsetup/cryptdisks-functions ]; then + . /lib/cryptsetup/cryptdisks-functions +else + exit 0 +fi + +INITSTATE="remaining" +DEFAULT_LOUD="yes" + +case "$CRYPTDISKS_ENABLE" in +[Nn]*) + exit 0 + ;; +esac + +case "$1" in +start) + do_start + ;; +stop) + do_stop + ;; +restart|reload|force-reload) + do_stop + do_start + ;; +force-start) + FORCE_START="yes" + do_start + ;; +*) + echo "Usage: cryptdisks {start|stop|restart|reload|force-reload|force-start}" + exit 1 + ;; +esac diff --git a/debian/cryptsetup.docs b/debian/cryptsetup.docs new file mode 100644 index 0000000..7e2362a --- /dev/null +++ b/debian/cryptsetup.docs @@ -0,0 +1,10 @@ +AUTHORS +FAQ.md +README.md +debian/README.debug +debian/README.gnupg +debian/README.gnupg-sc +debian/README.keyctl +debian/README.opensc +docs/*.txt +docs/*ReleaseNotes diff --git a/debian/cryptsetup.examples b/debian/cryptsetup.examples new file mode 100644 index 0000000..3cf5ebb --- /dev/null +++ b/debian/cryptsetup.examples @@ -0,0 +1 @@ +debian/scripts/gen-ssl-key diff --git a/debian/cryptsetup.install b/debian/cryptsetup.install new file mode 100644 index 0000000..934801d --- /dev/null +++ b/debian/cryptsetup.install @@ -0,0 +1,9 @@ +debian/askpass /lib/cryptsetup/ +debian/bash_completion/cryptdisks_start /usr/share/bash-completion/completions/ +debian/checks/* /lib/cryptsetup/checks/ +debian/cryptdisks-functions /lib/cryptsetup/ +debian/functions /lib/cryptsetup/ +debian/scripts/cryptdisks_* /sbin/ +debian/scripts/decrypt_* /lib/cryptsetup/scripts/ +debian/scripts/luksformat /usr/sbin/ +debian/scripts/passdev /lib/cryptsetup/scripts/ diff --git a/debian/cryptsetup.links b/debian/cryptsetup.links new file mode 100644 index 0000000..1c8eea5 --- /dev/null +++ b/debian/cryptsetup.links @@ -0,0 +1 @@ +/usr/share/bash-completion/completions/cryptdisks_start /usr/share/bash-completion/completions/cryptdisks_stop diff --git a/debian/cryptsetup.lintian-overrides b/debian/cryptsetup.lintian-overrides new file mode 100644 index 0000000..393e3fe --- /dev/null +++ b/debian/cryptsetup.lintian-overrides @@ -0,0 +1,3 @@ +init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks] +init.d-script-does-not-implement-status-option [etc/init.d/cryptdisks-early] +no-debconf-config diff --git a/debian/cryptsetup.maintscript b/debian/cryptsetup.maintscript new file mode 100644 index 0000000..e29d3ed --- /dev/null +++ b/debian/cryptsetup.maintscript @@ -0,0 +1,2 @@ +rm_conffile /etc/init/cryptdisks-udev.conf 2:2.4.0-1 +rm_conffile /etc/init/cryptdisks.conf 2:2.4.0-1 diff --git a/debian/cryptsetup.manpages b/debian/cryptsetup.manpages new file mode 100644 index 0000000..efd2b80 --- /dev/null +++ b/debian/cryptsetup.manpages @@ -0,0 +1,2 @@ +debian/doc/*.5 +debian/doc/*.8 diff --git a/debian/cryptsetup.postinst b/debian/cryptsetup.postinst new file mode 100644 index 0000000..635324b --- /dev/null +++ b/debian/cryptsetup.postinst @@ -0,0 +1,53 @@ +#! /bin/sh + +set -e + +# needed for debconf magic in prerm script +. /usr/share/debconf/confmodule + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> + +case "$1" in + configure) + for file in cryptdisks_start cryptdisks_stop; do + if [ ! -e "/usr/sbin/$file" ]; then + ln -s "/sbin/$file" "/usr/sbin/$file" + fi + done + + # Do a number of checks on the currently installed crypttab + . /lib/cryptsetup/functions + crypttab_foreach_entry crypttab_parse_options || true + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +# try to remove /etc/init if it exists, it's empty and isn't owned +# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet +# which contains calls to `dpkg-maintscript-helper rm_conffile` +if [ "$1" = "configure" ] && [ -d /etc/init ] && dpkg --compare-versions -- "${2-}" lt "2:2.4.0-1" && \ + ! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then + rmdir --ignore-fail-on-non-empty /etc/init +fi + +exit 0 diff --git a/debian/cryptsetup.postrm b/debian/cryptsetup.postrm new file mode 100644 index 0000000..403f223 --- /dev/null +++ b/debian/cryptsetup.postrm @@ -0,0 +1,26 @@ +#! /bin/sh + +set -e + +case "$1" in + remove) + for file in cryptdisks_start cryptdisks_stop; do + if [ -L /usr/sbin/$file ]; then + rm /usr/sbin/$file + fi + done + ;; +esac + +#DEBHELPER# + +# try to remove /etc/init if it exists, it's empty and isn't owned +# NOTE: this needs to placed *after* the dh_installdeb-replaced snippet +# which contains calls to `dpkg-maintscript-helper rm_conffile` +if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then + if [ -d /etc/init ] && ! { dpkg-query -S /etc/init >/dev/null 2>&1 || [ $? -ne 1 ]; } then + rmdir --ignore-fail-on-non-empty /etc/init + fi +fi + +exit 0 diff --git a/debian/cryptsetup.preinst b/debian/cryptsetup.preinst new file mode 100644 index 0000000..7f1e1bc --- /dev/null +++ b/debian/cryptsetup.preinst @@ -0,0 +1,13 @@ +#!/bin/sh + +set -e + +if [ "$1" = install ] && [ ! -f "/etc/crypttab" ]; then + cat <<-EOC >/etc/crypttab + # <target name> <source device> <key file> <options> + EOC +fi + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup.prerm b/debian/cryptsetup.prerm new file mode 100644 index 0000000..f0cb4b2 --- /dev/null +++ b/debian/cryptsetup.prerm @@ -0,0 +1,27 @@ +#! /bin/sh + +set -e + +. /usr/share/debconf/confmodule + +case "$1" in + remove) + if grep -q '^dm_mod\s' /proc/modules; then + cryptmap="$(dmsetup table --target crypt | sed -n 's/:.*//p' | tr '\n' ' ')" + if [ -n "$cryptmap" ]; then + db_fset cryptsetup/prerm_active_mappings seen false + db_subst cryptsetup/prerm_active_mappings cryptmap "$cryptmap" + db_input high cryptsetup/prerm_active_mappings || true + db_go || true + db_get cryptsetup/prerm_active_mappings + if [ "$RET" = "false" ]; then + exit 1 + fi + fi + fi + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/cryptsetup.templates b/debian/cryptsetup.templates new file mode 100644 index 0000000..88540ca --- /dev/null +++ b/debian/cryptsetup.templates @@ -0,0 +1,13 @@ +Template: cryptsetup/prerm_active_mappings +Type: boolean +Default: true +_Description: Continue with cryptsetup removal? + This system has unlocked dm-crypt devices: ${cryptmap} + . + If these devices are managed with cryptsetup, you might be unable to + lock the devices after the package removal, though other tools can be + used for managing dm-crypt devices. Any system shutdown or reboot will + lock the devices. + . + Do not choose this option if you want to lock the dm-crypt devices + before package removal. diff --git a/debian/doc/cryptdisks_start.xml b/debian/doc/cryptdisks_start.xml new file mode 100644 index 0000000..fd8269d --- /dev/null +++ b/debian/doc/cryptdisks_start.xml @@ -0,0 +1,60 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<refentry id="command.cryptdisks_start"> + + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refentryinfo)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + + <refmeta> + <refentrytitle>cryptdisks_start</refentrytitle> + <manvolnum>8</manvolnum> + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refmeta/*)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + </refmeta> + + <refnamediv> + <refname>cryptdisks_start</refname> + <refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <simpara> + <emphasis role="strong">cryptdisks_start</emphasis> + <emphasis><name></emphasis> + </simpara> + </refsynopsisdiv> + + <refsect1 id="cryptdisks_start.description"> + <title>DESCRIPTION</title> + <simpara> + <emphasis role="strong">cryptdisks_start</emphasis> is a wrapper around + <emphasis role="strong">cryptsetup</emphasis> that parses + <emphasis role="strong">/etc/crypttab</emphasis> just like the initscript + /etc/init.d/cryptdisks does and starts the dm-crypt mapping that + corresponds to <emphasis><name></emphasis>. + </simpara> + <simpara> + Note that this wrapper passes <option>--key-file=-</option> to + <command moreinfo="refentry">cryptsetup</command>, so the passphrase + in any referenced key file must not be followed by a newline character. + </simpara> + </refsect1> + + <refsect1 id="cryptdisks_start.see_also"> + <title>SEE ALSO</title> + <simpara> + <emphasis>cryptdisks_stop</emphasis>(8), + <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5) + </simpara> + </refsect1> + + <refsect1 id="cryptdisks_start.author"> + <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer + <mejo@debian.org> in December 2007. + </simpara> + </refsect1> + +</refentry> diff --git a/debian/doc/cryptdisks_stop.xml b/debian/doc/cryptdisks_stop.xml new file mode 100644 index 0000000..b0ed32a --- /dev/null +++ b/debian/doc/cryptdisks_stop.xml @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<refentry id="command.cryptdisks_stop"> + + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refentryinfo)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + + <refmeta> + <refentrytitle>cryptdisks_stop</refentrytitle> + <manvolnum>8</manvolnum> + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refmeta/*)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + </refmeta> + + <refnamediv> + <refname>cryptdisks_stop</refname> + <refpurpose>wrapper around cryptsetup that parses /etc/crypttab.</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <simpara> + <emphasis role="strong">cryptdisks_stop</emphasis> + <emphasis><name></emphasis> + </simpara> + </refsynopsisdiv> + + <refsect1 id="cryptdisks_stop.description"> + <title>DESCRIPTION</title> + <simpara> + <emphasis role="strong">cryptdisks_stop</emphasis> is a wrapper around + <emphasis role="strong">cryptsetup</emphasis> that parses + <emphasis role="strong">/etc/crypttab</emphasis> just like the initscript + /etc/init.d/cryptdisks does and stops the dm-crypt mapping that corresponds + to <emphasis><name></emphasis>. + </simpara> + </refsect1> + + <refsect1 id="cryptdisks_stop.see_also"> + <title>SEE ALSO</title> + <simpara> + <emphasis>cryptdisks_start</emphasis>(8), + <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5) + </simpara> + </refsect1> + + <refsect1 id="cryptdisks_stop.author"> + <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer + <mejo@debian.org> in January 2008. + </simpara> + </refsect1> + +</refentry> diff --git a/debian/doc/cryptsetup-suspend.xml b/debian/doc/cryptsetup-suspend.xml new file mode 100644 index 0000000..c179a6c --- /dev/null +++ b/debian/doc/cryptsetup-suspend.xml @@ -0,0 +1,120 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<refentry id="overview.cryptsetup-suspend"> + + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refentryinfo)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + + <refmeta> + <refentrytitle>cryptsetup-suspend</refentrytitle> + <manvolnum>7</manvolnum> + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refmeta/*)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + </refmeta> + + <refnamediv> + <refname>cryptsetup-suspend</refname> + <refpurpose>automatically suspend LUKS devices on system suspend</refpurpose> + </refnamediv> + + <refsect1 id="cryptsetup-suspend.description"> + <title>DESCRIPTION</title> + <simpara> + <emphasis>cryptsetup-suspend</emphasis> brings support to automatically + suspend LUKS devices before entering system suspend mode. Devices will be + unlocked at system resume time, asking for passwords if required. + The feature is enabled automatically by installing the + <emphasis>cryptsetup-suspend</emphasis> package. No further configuration + is required. + </simpara> + <simpara> + <emphasis>cryptsetup-suspend</emphasis> supports all setups of LUKS + devices that are supported by the <emphasis>cryptsetup</emphasis> + packages. To do so, it depends on scripts from the Debian package + <emphasis>cryptsetup-initramfs</emphasis>. See the + <reference>INTERNALS</reference> section about details on how it works. + </simpara> + </refsect1> + + <refsect1 id="cryptsetup-suspend.security-aspects"> + <title>SECURITY ASPECTS</title> + <simpara> + Suspending LUKS devices basically means to remove the corresponding + encryption keys from system memory. This protects against all sort of + attacks that try to read out the memory from a suspended system, like + for example cold-boot attacks. + </simpara> + <simpara> + <emphasis>cryptsetup-suspend</emphasis> protects <emphasis>only</emphasis> + the encryption keys of your LUKS devices against being read from the + memory. Most likely there's more sensitive data in system memory, be + it other kinds of private keys (e.g. OpenPGP, OpenSSH) or any kind + of documents with sensitive content. + </simpara> + <simpara> + The initramfs image is extracted in memory and left unencrypted (see the + <reference>INTERNALS</reference> section) so all key material it might + include, for instance key files copied using the hooks' + <emphasis>KEYFILE_PATTERN=</emphasis> option, will remain unprotected. + </simpara> + </refsect1> + + + <refsect1 id="cryptsetup-suspend.limitations"> + <title>LIMITATIONS</title> + <simpara> + The <emphasis>cryptsetup-suspend</emphasis> feature is limited to LUKS + devices and doesn't work with <emphasis>plain dm-crypt</emphasis> or + <emphasis>tcrypt</emphasis> devices. + </simpara> + </refsect1> + + <refsect1 id="cryptsetup-suspend.internals"> + <title>INTERNALS</title> + <simpara> + <emphasis>cryptsetup-suspend</emphasis> consists of three parts: + <simplelist type="inline"> + <member> + <command>cryptsetup-suspend</command>: A c program that takes a list + of LUKS devices as arguments, suspends them via + <emphasis>luksSuspend</emphasis> and suspends the system afterwards. + </member> + <member> + <command>cryptsetup-suspend-wrapper</command>: A shell wrapper script + which works the following way: + <simplelist type="inline"> + <member>1. Disable swap and extract the initramfs into a tmpfs (the chroot)</member> + <member>2. Run (systemd) pre-suspend scripts, stop udev, freeze cgroups</member> + <member>3. run cryptsetup-suspend in chroot</member> + <member>4. resume initramfs devices inside chroot after resume</member> + <member>5. resume non-initramfs devices outside chroot</member> + <member>6. thaw groups, start udev, run (systemd) post-suspend scripts</member> + <member>7. Unmount the tmpfs and re-enable swap</member> + </simplelist> + </member> + <member> + A systemd unit drop-in file that overrides the Exec property of + <filename class="devicefile">systemd-suspend.service</filename> so that + it invokes the script <command>cryptsetup-suspend-wrapper</command>. + </member> + </simplelist> + </simpara> + </refsect1> + + <refsect1 id="cryptsetup-suspend.see_also"> + <title>SEE ALSO</title> + <simpara> + <emphasis>cryptsetup</emphasis>(8), <emphasis>crypttab</emphasis>(5) + </simpara> + </refsect1> + + <refsect1 id="cryptsetup-suspend.author"> + <title>AUTHOR</title><simpara>This manual page was written by Jonas Meurer + <jonas@freesources.org> in December 2019. + </simpara> + </refsect1> + +</refentry> diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml new file mode 100644 index 0000000..c6077a7 --- /dev/null +++ b/debian/doc/crypttab.xml @@ -0,0 +1,772 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<refentry id="file.crypttab"> + + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refentryinfo)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + + <refmeta> + <refentrytitle>crypttab</refentrytitle> + <manvolnum>5</manvolnum> + <xi:include href="variables.xml" + xpointer="xpointer(/refentry/refmeta/*)" + xmlns:xi="http://www.w3.org/2001/XInclude"/> + </refmeta> + + <refnamediv> + <refname>crypttab</refname> + <refpurpose>static information about encrypted filesystems</refpurpose> + </refnamediv> + + <refsect1 id="crypttab.description"> + <title>DESCRIPTION</title> + <simpara> + The file <filename>/etc/crypttab</filename> contains descriptive + information about encrypted devices. <filename>crypttab</filename> + is only read by programs (e.g. + <command moreinfo="refentry">cryptdisks_start</command> and + <command moreinfo="refentry">cryptdisks_stop</command>), + and not written; it is the duty of the system + administrator to properly create and maintain this file. + <filename>crypttab</filename> entries are treated sequentially, so their + order matters (dependencies need to listed first). + </simpara> + <simpara> + Each encrypted device is described on a separate line. Fields on each line + are separated by tabs or spaces. Lines starting with '#' are comments, and blank + lines are ignored. + Octal sequences <code>\0</code><emphasis>num</emphasis> within a field are + decoded, which can be used for values containing spaces or special characters. + A backslash which doesn't start an octal sequence yields undefined behavior. + </simpara> + <simpara> + The first field, <emphasis>target</emphasis>, describes the mapped + device name. It must be a plain filename without any directory components. + A mapped device which encrypts/decrypts data to/from the <emphasis>source + device</emphasis> will be created at + <filename class="devicefile">/dev/mapper/target</filename> by + <command moreinfo="refentry">cryptsetup</command>. + </simpara> + <simpara> + The second field, <emphasis>source device</emphasis>, describes either the + block special device or file that contains the encrypted data. Instead of + giving the <emphasis>source device</emphasis> explicitly, the UUID + (resp. LABEL, PARTUUID and PARTLABEL) is supported as well, using <quote>UUID=<uuid></quote> + (resp. <quote>LABEL=<label></quote>, <quote>PARTUUID=<partuuid></quote> + and <quote>PARTLABEL=<partlabel></quote>). + </simpara> + <simpara> + The third field, <emphasis>key file</emphasis>, describes the file to use + as a key for decrypting the data of the <emphasis>source device</emphasis>. + In case of a <emphasis>keyscript</emphasis>, the value of this field is + given as argument to the keyscript. + Note that the <emphasis>entire</emphasis> key file will be used as the + passphrase; the passphrase must <emphasis>not</emphasis> be followed by a + newline character. + </simpara> + <simpara> + It can also be a device name (e.g. + <filename class="devicefile">/dev/urandom</filename>), note however that + LUKS requires a persistent key and therefore does <emphasis>not</emphasis> + support random data keys. + </simpara> + <simpara> + If the <emphasis>key file</emphasis> is the string + <emphasis>none</emphasis>, a passphrase will be read interactively from the + console. In this case, the options check, checkargs and tries may be + useful. + </simpara> + <simpara> + The fourth field, <emphasis>options</emphasis>, is an optional comma-separated + list of options and/or flags describing the device type (<emphasis>luks</emphasis>, + <emphasis>tcrypt</emphasis>, <emphasis>bitlk</emphasis>, <emphasis>fvault2</emphasis>, + or <emphasis>plain</emphasis> which is also the default) and cryptsetup options + associated with the encryption process. + The supported options are described below. + For plain dm-crypt devices the <emphasis>cipher</emphasis>, <emphasis>hash</emphasis> + and <emphasis>size</emphasis> options are required. + Some options can be changed on active mappings using + <command>cryptsetup refresh [<options>] <name></command>. + Furthermore some options can be permanently written into metadata of LUKS2 + headers using cryptsetup's <emphasis>--persistent</emphasis> flag. + </simpara> + <simpara> + Note that the first three fields are required and that a missing field will lead + to unspecified behaviour. + </simpara> + </refsect1> + + <refsect1 id="crypttab.implementations"> + <title>ON DIFFERENT CRYPTTAB FORMATS</title> + <simpara> + Please note that there are several independent cryptsetup wrappers with + their own <emphasis>crypttab</emphasis> format. This manpage covers + Debian's implementation for <emphasis>initramfs</emphasis> scripts and + <emphasis>SysVinit</emphasis> init scripts. <emphasis>systemd</emphasis> + brings its own <emphasis>crypttab</emphasis> implementation. + We try to cover the differences between the <emphasis>systemd</emphasis> and + our implementation in this manpage, but if in doubt, better check the + <emphasis>systemd</emphasis> + <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry> + manpage, e.g. online at + <ulink url="https://www.freedesktop.org/software/systemd/man/crypttab.html"/>. + </simpara> + </refsect1> + + <refsect1 id="crypttab.options"> + <title>OPTIONS</title> + <variablelist> + + <varlistentry> + <term><emphasis>cipher</emphasis>=<cipher></term> + <listitem> + <simpara> + Encryption algorithm (ignored for LUKS and TCRYPT devices). See + <command>cryptsetup -c</command>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>size</emphasis>=<size></term> + <listitem> + <simpara> + Encryption key size (ignored for LUKS and TCRYPT devices). See + <command>cryptsetup -s</command>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>sector-size</emphasis>=<bytes></term> + <listitem> + <simpara> + Sector size. See + <citerefentry><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> + for possible values and the default value of this option. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>hash</emphasis>=<hash></term> + <listitem> + <simpara> + Hash algorithm (ignored for LUKS and TCRYPT devices). See + <command>cryptsetup -h</command>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>offset</emphasis>=<offset></term> + <listitem> + <simpara> + Start offset (ignored for LUKS and TCRYPT devices). Uses + <emphasis role="strong">cryptsetup -o</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>skip</emphasis>=<skip></term> + <listitem> + <simpara> + Skip sectors at the beginning (ignored for LUKS and TCRYPT devices). + Uses <emphasis role="strong">cryptsetup -p</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>keyfile-offset</emphasis>=<keyfile-offset></term> + <listitem> + <simpara> + Specifies the number of bytes to skip at the start of the key file. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>keyfile-size</emphasis>=<keyfile-size></term> + <listitem> + <simpara> + Specifies the maximum number of bytes to read from the key file. + The default is to read the whole file up to the compiled-in maximum, + that can be queried with <emphasis role="strong">cryptsetup --help</emphasis>. + This option is ignored for plain dm-crypt devices, as the key file + size is then given by the encryption key size (option + <emphasis>size</emphasis>). + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>keyslot</emphasis>=<slot>, <emphasis>key-slot</emphasis>=<slot></term> + <listitem> + <simpara> + Key slot (ignored for non-LUKS devices). See <command>cryptsetup + -S</command>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>header</emphasis>=<path></term> + <listitem> + <simpara> + Detached header file (ignored for plain dm-crypt devices). See + <command>cryptsetup --header</command>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>verify</emphasis></term> + <listitem> + <simpara> + Verify password. Uses <emphasis role="strong">cryptsetup -y</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>readonly</emphasis>, <emphasis>read-only</emphasis></term> + <listitem> + <simpara>Set up a read-only mapping.</simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>tries</emphasis>=<num></term> + <listitem> + <simpara>Try to unlock the device <num> before failing. It's + particularly useful when using a passphrase or a + <emphasis>keyscript</emphasis> that asks for interactive input. If you + want to disable retries, pass <quote>tries=1</quote>. Default is + <quote>3</quote>. Setting <quote>tries=0</quote> means infinitive + retries. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>discard</emphasis></term> + <listitem> + <simpara>Allow using of discards (TRIM) requests for device.</simpara> + <simpara>Starting with Debian 10 (Buster), this option is added per + default to new dm-crypt devices by the Debian Installer. If you + don't care about leaking access patterns (filesystem type, used + space) and don't have hidden truecrypt volumes inside this volume, + then it should be safe to enable this option. See the following + warning for further information.</simpara> + <simpara><emphasis role="strong">WARNING</emphasis>: Assess the + specific security risks carefully before enabling this option. + For example, allowing discards on encrypted devices may lead to + the leak of information about the ciphertext device (filesystem + type, used space etc.) if the discarded blocks can be located + easily on the device later.</simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>luks</emphasis></term> + <listitem> + <simpara>Force LUKS mode. When this mode is used, the following options + are ignored since they are provided by the LUKS header on the device: + <emphasis>cipher=</emphasis>, <emphasis>hash=</emphasis>, + <emphasis>size=</emphasis></simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>plain</emphasis></term> + <listitem> + <simpara>Force plain encryption mode.</simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>bitlk</emphasis></term> + <listitem> + <simpara> + Force BITLK (Windows BitLocker-compatible) mode. + WARNING: <emphasis>crypttab</emphasis> support is currently experimental. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>fvault2</emphasis></term> + <listitem> + <simpara> + Force Apple's FileVault2 mode. + Only the (legacy) FileVault2 format based on Core Storage and HFS+ + filesystem (introduced in MacOS X 10.7 Lion) is currently supported; + the new version of FileVault based on the APFS filesystem used in + recent macOS versions is not supported. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>tcrypt</emphasis></term> + <listitem> + <simpara>Use TrueCrypt encryption mode. When this mode is used, the + following options are ignored since they are provided by the TrueCrypt + header on the device or do not apply: <emphasis>cipher=</emphasis>, + <emphasis>hash=</emphasis>, <emphasis>keyfile-offset=</emphasis>, + <emphasis>keyfile-size=</emphasis>, <emphasis>size=</emphasis></simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>veracrypt</emphasis>, <emphasis>tcrypt-veracrypt</emphasis></term> + <listitem> + <simpara> + Use VeraCrypt extension to TrueCrypt device. Only useful in + conjunction with <emphasis>tcrypt</emphasis> option (ignored for + non-TrueCrypt devices). + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>tcrypthidden</emphasis>, <emphasis>tcrypt-hidden</emphasis></term> + <listitem> + <simpara> + Use hidden TCRYPT header (ignored for non-TCRYPT devices). + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>same-cpu-crypt</emphasis></term> + <listitem> + <simpara> + Perform encryption using the same cpu that IO was submitted on. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>submit-from-crypt-cpus</emphasis></term> + <listitem> + <simpara> + Disable offloading writes to a separate thread after encryption. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>no-read-workqueue</emphasis>, <emphasis>no-write-workqueue</emphasis></term> + <listitem> + <simpara> + Bypass dm-crypt internal workqueue and process read or write requests synchronously. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>swap</emphasis></term> + <listitem> + <simpara> + Run <command moreinfo="refentry">mkswap</command> on the created device. + </simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>tmp</emphasis>[=<tmpfs>]</term> + <listitem> + <simpara> + Run <command moreinfo="refentry">mkfs</command> with filesystem type + <tmpfs> (or ext4 if omitted) on the created device. + </simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>check</emphasis>[=<check>]</term> + <listitem> + <simpara>Check the content of the target device by a suitable program; if + the check fails, the device is closed immediately. The program is being + run with decrypted volume (target device) as first positional argument and, + if the <emphasis>checkargs</emphasis> option is used, its value as second + argument. See the CHECKSCRIPTS section for more information. + </simpara> + <simpara>The program is either specified by full path or relative to + <filename class="directory">/lib/cryptsetup/checks/</filename>. + If omitted, then the value of $CRYPTDISKS_CHECK set in + <filename>/etc/default/cryptdisks</filename> is used + (<filename>blkid</filename> by default). + </simpara> + <simpara> + This option is specific to the Debian <emphasis>crypttab</emphasis> + format. It's not supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>checkargs</emphasis>=<arguments></term> + <listitem> + <simpara>Give <arguments> as the second argument to the check + script. See the CHECKSCRIPTS section for more information. + </simpara> + </listitem> + <simpara> + This option is specific to the Debian <emphasis>crypttab</emphasis> + format. It's not supported by <emphasis>systemd</emphasis>. + </simpara> + </varlistentry> + + <varlistentry> + <term><emphasis>initramfs</emphasis></term> + <listitem> + <simpara>The initramfs hook processes the root device, any resume devices + and any devices with the <emphasis>initramfs</emphasis> option set. These + devices are processed within the initramfs stage of boot. As an example, + that allows the use of remote unlocking using dropbear. + </simpara> + <simpara> + This option is specific to the Debian <emphasis>crypttab</emphasis> + format. It's not supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>noearly</emphasis></term> + <listitem> + <simpara>The cryptsetup init scripts are invoked twice during the boot + process - once before lvm, raid, etc. are started and once again after + that. Sometimes you need to start your encrypted disks in a special + order. With this option the device is ignored during the first invocation + of the cryptsetup init scripts. + </simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices and + specific to the Debian <emphasis>crypttab</emphasis> format. It's not + supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>noauto</emphasis></term> + <listitem> + <simpara>Entirely ignore the device at the boot process. It's still + possible to map the device manually using cryptdisks_start. + </simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices and + specific to the Debian <emphasis>crypttab</emphasis> format. It's not + supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>loud</emphasis></term> + <listitem> + <simpara>Be loud. Print warnings if a device does not exist. + This option overrides the option <emphasis>quiet</emphasis>.</simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices and + specific to the Debian <emphasis>crypttab</emphasis> format. It's not + supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>quiet</emphasis></term> + <listitem> + <simpara>Be quiet. Don't print warnings if a device does not exist. + This option overrides the option <emphasis>loud</emphasis>.</simpara> + <simpara> + This option is ignored for <emphasis>initramfs</emphasis> devices and + specific to the Debian <emphasis>crypttab</emphasis> format. It's not + supported by <emphasis>systemd</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>keyscript</emphasis>=<path></term> + <listitem> + <simpara> + The executable at the indicated path is executed with the value of the + <emphasis>third field</emphasis> as only argument. The keyscript's standard + output is passed to cryptsetup as decyption key. Its exit status is currently + ignored, but no assumption should be made in that regard. + When used in initramfs, the executable either needs to be self-contained + (i.e. doesn't rely on any external program which is not present in the + initramfs environment) or the dependencies have to added to the initramfs + image by other means. + The program is either specified by full path or relative to + <filename class="directory">/lib/cryptsetup/scripts/</filename>. + </simpara> + <simpara> + LIMITATIONS: All binaries and files on which the keyscript depends must + be available at the time of execution. Special care needs to be taken for + encrypted filesystems like /usr or /var. As an example, unlocking + encrypted /usr must not depend on binaries from /usr/(s)bin. + </simpara> + <simpara> + This option is specific to the Debian <emphasis>crypttab</emphasis> + format. It's not supported by <emphasis>systemd</emphasis>. + </simpara> + <simpara> + WARNING: With systemd as init system, this option might be ignored. At + the time this is written (December 2016), the systemd cryptsetup helper + doesn't support the keyscript option to /etc/crypttab. For the time + being, the only option to use keyscripts along with systemd is to force + processing of the corresponding crypto devices in the initramfs. See the + 'initramfs' option for further information. + </simpara> + <para> + All fields of the appropriate crypttab entry are available to the + keyscript as exported environment variables: + <variablelist> + + <varlistentry> + <term>CRYPTTAB_NAME, _CRYPTTAB_NAME</term> + <listitem><para> + The target name (after resp. before octal sequence decoding). + </para></listitem> + </varlistentry> + <varlistentry> + <term>CRYPTTAB_SOURCE, _CRYPTTAB_SOURCE</term> + <listitem><para> + The source device (after resp. before octal sequence decoding and device resolution). + </para></listitem> + </varlistentry> + <varlistentry> + <term>CRYPTTAB_KEY, _CRYPTTAB_KEY</term> + <listitem><para> + The value of the third field (after resp. before octal sequence decoding). + </para></listitem> + </varlistentry> + <varlistentry> + <term>CRYPTTAB_OPTIONS, _CRYPTTAB_OPTIONS</term> + <listitem><para> + A list of exported crypttab options (after resp. before octal sequence decoding). + </para></listitem> + </varlistentry> + <varlistentry> + <term>CRYPTTAB_OPTION_<option></term> + <listitem><para> + The value of the appropriate crypttab option, with value set to 'yes' + in case the option is merely a flag. + For option aliases, such as 'readonly' and 'read-only', the + variable name refers to the first alternative listed (thus + 'CRYPTTAB_OPTION_readonly' in that case). + If the crypttab option name contains '-' characters, then they + are replaced with '_' in the exported variable name. For + instance, the value of the 'CRYPTTAB_OPTION_keyfile_offset' + environment variable is set to the value of the + 'keyfile-offset' crypttab option. + </para></listitem> + </varlistentry> + <varlistentry> + <term>CRYPTTAB_TRIED</term> + <listitem><para> + Number of previous tries since start of cryptdisks (counts until + maximum number of tries is reached). + </para></listitem> + </varlistentry> + + </variablelist> + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="crypttab.checkscripts"> + <title>CHECKSCRIPTS</title> + <variablelist> + + <varlistentry> + <term><emphasis>blkid</emphasis></term> + <listitem> + <simpara>Checks for any known filesystem. Supports a filesystem type as + argument via <checkargs>: + </simpara> + <itemizedlist> + <listitem><para> + no checkargs - succeeds if any valid filesystem is found on the device. + </para></listitem> + <listitem><para> + "none" - succeeds if no valid filesystem is found on the device. + </para></listitem> + <listitem><para> + "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - + succeeds if ext4 filesystem is found on the device. + </para></listitem> + </itemizedlist> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>un_blkid</emphasis></term> + <listitem> + <simpara>Checks for no known filesystem. Supports a filesystem type as + argument via <checkargs>: + </simpara> + <itemizedlist> + <listitem><para> + no checkargs - succeeds if no valid filesystem is found on the device. + </para></listitem> + <listitem><para> + "ext4" [or another filesystem type like xfs, swap, crypto_LUKS, ...] - + succeeds if no ext4 filesystem is found on the device. + </para></listitem> + </itemizedlist> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="crypttab.examples"> + <title>EXAMPLES</title> + <para> + <screen> +# Encrypted swap device +cswap /dev/sda6 /dev/urandom plain,cipher=aes-xts-plain64,size=256,hash=sha1,swap + +# Encrypted LUKS disk with interactive password, identified by its UUID, discard enabled +cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard + +# Encrypted TCRYPT disk with interactive password, discard enabled +tdisk0 /dev/sr0 none tcrypt,discard + +# Encrypted ext4 disk with interactive password, discard enabled +# - retry 5 times if the check fails +cdisk1 /dev/sda2 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check,checkargs=ext4,tries=5,discard + +# Encrypted disk with interactive password, discard enabled +# - use a nondefault check script +# - no retries +cdisk2 /dev/sdc1 none plain,cipher=aes-xts-plain64,size=256,hash=sha1,check=customscript,tries=1,discard + +# Encrypted disk with interactive password, discard enabled +# - Twofish as the cipher, RIPEMD-160 as the hash +cdisk3 /dev/sda3 none plain,cipher=twofish,size=256,hash=ripemd160,discard + </screen> + </para> + </refsect1> + + <refsect1 id="crypttab.environment"> + <title>ENVIRONMENT</title> + <variablelist> + + <varlistentry> + <term><emphasis>CRYPTDISKS_ENABLE</emphasis></term> + <listitem> + <simpara> + Set to <emphasis>yes</emphasis> to run cryptdisks initscripts at startup. + Set to <emphasis>no</emphasis> to disable cryptdisks initscripts. Default + is <emphasis>yes</emphasis>. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>CRYPTDISKS_MOUNT</emphasis></term> + <listitem> + <simpara>Specifies the mountpoints that are mounted before cryptdisks is + invoked. Takes mountpoints configured in /etc/fstab as arguments. Separate + mountpoints by space. + This is useful for keys on removable devices, such as cdrom, usbstick, + flashcard, etc. Default is unset. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>CRYPTDISKS_CHECK</emphasis></term> + <listitem> + <simpara>Specifies the default checkscript to be run against the target + device, after cryptdisks has been invoked. The target device is passed as + the first and only argument to the checkscript. Takes effect if the + <emphasis>check</emphasis> option is given in crypttab with no value. See + documentation for <emphasis>check</emphasis> option above for more + information. + </simpara> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="crypttab.known_upgrade_issues"> + <title>KNOWN UPGRADE ISSUES</title> + <simpara> + The upstream defaults for encryption cipher, hash and keysize have changed + several times in the past, and they're expected to change again in future, + for example if security issues arise. + + On LUKS devices, the used settings are stored in the LUKS header, and thus + don't need to be configured in <filename>/etc/crypttab</filename>. For plain + dm-crypt devices, no information about used cipher, hash and keysize are + available at all. + + Therefore we strongly suggest to configure the cipher, hash and keysize in + <filename>/etc/crypttab</filename> for plain dm-crypt devices, even if they + match the current default. + </simpara> + </refsect1> + + <refsect1 id="crypttab.see_also"> + <title>SEE ALSO</title> + <simplelist type="inline"> + <member><command moreinfo="refentry">cryptsetup</command>(8)</member> + <member><command moreinfo="refentry">cryptdisks_start</command>(8)</member> + <member><command moreinfo="refentry">cryptdisks_stop</command>(8)</member> + <member><filename>/usr/share/doc/cryptsetup-initramfs/README.initramfs.gz</filename></member> + </simplelist> + </refsect1> + + <refsect1 id="crypttab.author"> + <title>AUTHOR</title> + <simpara> + This manual page was originally written by + <author> + <firstname>Bastian</firstname> + <surname>Kleineidam</surname> + </author> + <email>calvin@debian.org</email> + for the Debian distribution of cryptsetup. It has been further improved by + <author> + <firstname>Michael</firstname> + <surname>Gebetsroither</surname> + </author> + <email>michael.geb@gmx.at</email>, + <author> + <firstname>David</firstname> + <surname>Härdeman</surname> + </author> + <email>david@hardeman.nu</email> + and + <author> + <firstname>Jonas</firstname> + <surname>Meurer</surname> + </author> + <email>jonas@freesources.org</email>. + </simpara> + </refsect1> + +</refentry> diff --git a/debian/doc/manpages.xml b/debian/doc/manpages.xml new file mode 100644 index 0000000..4bd59bc --- /dev/null +++ b/debian/doc/manpages.xml @@ -0,0 +1,10 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<reference> + <title>Manual Pages</title> + <xi:include href="cryptdisks_start.xml" xpointer="command.cryptdisks_start" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="cryptdisks_stop.xml" xpointer="command.cryptdisks_stop" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="cryptsetup-suspend.xml" xpointer="overview.cryptsetup-suspend" xmlns:xi="http://www.w3.org/2001/XInclude"/> + <xi:include href="crypttab.xml" xpointer="file.crypttab" xmlns:xi="http://www.w3.org/2001/XInclude"/> +</reference> diff --git a/debian/doc/pandoc/encrypted-boot.md b/debian/doc/pandoc/encrypted-boot.md new file mode 100644 index 0000000..27d331b --- /dev/null +++ b/debian/doc/pandoc/encrypted-boot.md @@ -0,0 +1,536 @@ +% Full disk encryption, including `/boot`: Unlocking LUKS devices from GRUB + +Introduction +============ + +So called “full disk encryption” is often a misnomer, because there is +typically a separate plaintext partition holding `/boot`. For instance +the Debian Installer does this in its “encrypted LVM” partitioning method. +Since not all bootloaders are able to unlock LUKS devices, a plaintext +`/boot` is the only solution that works for all of them. + +However, GRUB2 is (since Jessie) able to unlock LUKS devices with its +[`cryptomount`](https://www.gnu.org/software/grub/manual/grub/html_node/cryptomount.html) +command, which therefore enables encryption of the `/boot` partition as +well: using that feature reduces the amount of plaintext data written to +disk. It is especially interesting when GRUB is installed to a read-only +media, for instance as [coreboot payload](https://doc.coreboot.org/payloads.html#grub2) +flashed to a write-protected chip. On the other hand, it is *incompatible* +with some other features that only enabled later at initramfs stage, such +as splash screens or remote unlocking. + +Since enabling unlocking LUKS devices from GRUB [isn't exposed to the d-i +interface](https://bugs.debian.org/814798) (as of Buster), people have +come up with various custom workarounds. But as of Buster [`cryptsetup`(8)] +defaults to a new [LUKS header format version](https://gitlab.com/cryptsetup/LUKS2-docs), +which isn't supported by GRUB as of 2.04. **Hence the pre-Buster +workarounds won't work anymore**. Until LUKS *version 2* support is +[added to GRUB2](https://savannah.gnu.org/bugs/?55093), the device(s) +holding `/boot` needs to be in *LUKS format version 1* to be unlocked from +the boot loader. + +This document describes a generic way to unlock LUKS devices from GRUB +for Debian Buster. + + +Encrypting the device holding `/boot` +===================================== + +There are two alternatives here: + + * Either format an existing `/boot` partition to LUKS1; or + * Move `/boot` to the root file system. The root device(s) needs to + use LUKS version 1, but existing LUKS2 devices can be *converted* + (in-place) to LUKS1. + +These two alternatives are described in the two following sub-sections. + +We assume the system resides on a single drive `/dev/sda`, partitioned +with d-i's “encrypted LVM” scheme: + + root@debian:~# lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/sda + NAME FSTYPE MOUNTPOINT + sda + ├─sda1 ext2 /boot + ├─sda2 + └─sda5 crypto_LUKS + └─sda5_crypt LVM2_member + ├─debian--vg-root ext4 / + └─debian--vg-swap_1 swap [SWAP] + +*Note*: The partition layout of your system may differ. + + +Formatting the existing `/boot` partition to LUKS1 +-------------------------------------------------- + +Since the installer creates a separate (plaintext) `/boot` partition by +default in its “encrypted LVM” partitioning method, the simplest +solution is arguably to re-format it as LUKS1, especially if the root +device is in LUKS2 format. + +That way other partitions, including the one holding the root file +system, can remain in LUKS2 format and benefit from the *stronger +security guaranties* and *convenience features* of the newer version: +more secure (memory-hard) Key Derivation Function, backup header, +ability to offload the volume key to the kernel keyring (thus preventing +access from userspace), custom sector size, persistent flags, unattended +unlocking via kernel keyring tokens, etc. + +Furthermore every command in this sub-section can be run from the main +system: no need to reboot into a live CD or an initramfs shell. + + 1. Before copying content of the `/boot` directory, remount it read-only + to make sure data is not modified while it's being copied. + + root@debian:~# mount -oremount,ro /boot + + 2. Archive the directory elsewhere (on another device), and unmount it + afterwards. + + root@debian:~# install -m0600 /dev/null /tmp/boot.tar + <!-- --> + root@debian:~# tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar . + <!-- --> + root@debian:~# umount /boot + + (If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to + unmount them as well.) + + 3. Optionally, wipe out the underlying block device (assumed to be + `/dev/sda1` in the rest of this sub-section). + + root@debian:~# dd if=/dev/urandom of=/dev/sda1 bs=1M status=none + dd: error writing '/dev/sda1': No space left on device + + 4. Format the underlying block device to LUKS1. (Note the `--type luks1` + in the command below, as Buster's [`cryptsetup`(8)] defaults to LUKS + version 2 for `luksFormat`.) + + root@debian:~# cryptsetup luksFormat --type luks1 /dev/sda1 + + WARNING! + ======== + This will overwrite data on /dev/sda1 irrevocably. + + Are you sure? (Type uppercase yes): YES + Enter passphrase for /dev/sda1: + Verify passphrase: + + 5. Add a corresponding entry to [`crypttab`(5)] with mapped device name + `boot_crypt`, and open it afterwards. + + root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)" + <!-- --> + root@debian:~# echo "boot_crypt UUID=$uuid none luks" | tee -a /etc/crypttab + <!-- --> + root@debian:~# cryptdisks_start boot_crypt + Starting crypto disk...boot_crypt (starting)... + Please unlock disk boot_crypt: ******** + boot_crypt (started)...done. + + 6. Create a file system on the mapped device. Assuming source device for + `/boot` is specified by its UUID in the [`fstab`(5)] -- which the + Debian Installer does by default -- reusing the old UUID avoids + editing the file. + + root@debian:~# grep /boot /etc/fstab + # /boot was on /dev/sda1 during installation + UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2 + <!-- --> + root@debian:~# mkfs.ext2 -m0 -U c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /dev/mapper/boot_crypt + mke2fs 1.44.5 (15-Dec-2018) + Creating filesystem with 246784 1k blocks and 61752 inodes + Filesystem UUID: c104749f-a0fa-406c-9e9a-3fc01f8e2f78 + […] + + 7. Finally, mount `/boot` again from [`fstab`(5)], and copy the saved + tarball to the new (and now encrypted) file system. + + root@debian:~# mount -v /boot + mount: /dev/mapper/boot_crypt mounted on /boot. + <!-- --> + root@debian:~# tar -C /boot --acls --xattrs -xf /tmp/boot.tar + + (If `/boot` had sub-mountpoints, like `/boot/efi`, you'll need to + mount them back as well.) + +You can skip the next sub-section and go directly to [Enabling +`cryptomount` in GRUB2]. Note that `init`(1) needs to unlock the +`/boot` partition *again* during the boot process. See [Avoiding the +extra password prompt] for details and a proposed workaround. (You'll +need to substitute `/` resp. `sda5` with `/boot` resp. `sda1` in that +section, however only steps 1-3 are relevant here: no need to copy the +key file to the initramfs image since `/boot` can be unlocked and +mounted later during the boot process.) + + +Moving `/boot` to the root file system +-------------------------------------- + +The [previous sub-section][Formatting the existing `/boot` partition to LUKS1] +described how to to re-format the `/boot` partition as LUKS1. +Alternatively, it can be moved to the root file system, assuming the +latter is not held by any LUKS2 device. (As shown below, LUKS2 devices +created with default parameters can be “downgraded” to LUKS1.) + +The advantage of this method is that the original `/boot` partition can +be preserved and used in case of *disaster recovery* (if for some reason +the GRUB image is lacking the `cryptodisk` module and the original +plaintext `/boot` partition is lost, you'd need to reboot into a live CD +to recover). Moreover increasing the number of partitions *increases +usage pattern visibility*: a separate `/boot` partition, even encrypted, +will likely leak the fact that a kernel update took place to an attacker +with access to both pre- and post-update snapshots. + +On the other hand, the downside of that method is that the root file +system can't benefit from the nice LUKS2 improvements over LUKS1, some +of which were listed above. Another (minor) downside is that space +occupied by the former `/boot` partition (typically 256MiB) becomes +unused and can't easily be reclaimed by the root file system. + +### Downgrading LUKS2 to LUKS1 ### + +Check the LUKS format version on the root device (assumed to be +`/dev/sda5` in the rest of this sub-section): + + root@debian:~# cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS" + LUKS header information + Version: 2 + +Here the LUKS format version is 2, so the device needs to be *converted* +to LUKS *version 1* to be able to unlock from GRUB. Unlike the rest of +this document, conversion can't be done on an open device, so you'll +need reboot into a live CD or an [initramfs shell]. (The `(initramfs)` +prompt strings in this sub-section indicates commands that are executed +from an initramfs shell.) Also, if you have valuable data in the root +partition, then *make sure you have a backup* (at least of the LUKS +header)! + +[initramfs shell]: https://wiki.debian.org/InitramfsDebug#Rescue_shell_.28also_known_as_initramfs_shell.29 + +Run `cryptsetup convert --type luks1 DEVICE` to downgrade. However if +the device was created with the default parameters then in-place +conversion will fail: + + (initramfs) cryptsetup convert --type luks1 /dev/sda5 + + WARNING! + ======== + This operation will convert /dev/sda5 to LUKS1 format. + + + Are you sure? (Type uppercase yes): YES + Cannot convert to LUKS1 format - keyslot 0 is not LUKS1 compatible. + +This is because its first key slot uses Argon2 as Password-Based Key +Derivation Function (PBKDF) algorithm: + + (initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:" + PBKDF: argon2i + +Argon2 is a *memory-hard* function that was selected as the winner of +the Password-Hashing Competition; LUKS2 devices use it by default for +key slots, but LUKS1's only supported PBKDF algorithm is PBKDF2. Hence +the key slot has to be converted to PBKDF2 prior to LUKS format version +downgrade. + + (initramfs) cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/sda5 + Enter passphrase for keyslot to be converted: + +Now that all key slots use the PBKDF2 algorithm, the device shouldn't +have any LUKS2-only features left, and can be converted to LUKS1. + + (initramfs) cryptsetup luksDump /dev/sda5 | grep "PBKDF:" + PBKDF: pbkdf2 +<!-- --> + (initramfs) cryptsetup convert --type luks1 /dev/sda5 + + WARNING! + ======== + This operation will convert /dev/sda5 to LUKS1 format. + + + Are you sure? (Type uppercase yes): YES +<!-- --> + (initramfs) cryptsetup luksDump /dev/sda5 | grep -A1 "^LUKS" + LUKS header information + +### Moving `/boot` to the root file system ### + +(The moving operation can be done from the normal system. No need to +reboot into a live CD or an initramfs shell if the root file system +resides in a LUKS1 device.) + + 1. To ensure data is not modified while it's being copied, remount + `/boot` read-only. + + root@debian:~# mount -oremount,ro /boot + + 2. Recursively copy the directory to the root file system, and replace + the old `/boot` mountpoint with the new directory. + + <!-- --> + root@debian:~# cp -axT /boot /boot.tmp + <!-- --> + root@debian:~# umount /boot + <!-- --> + root@debian:~# rmdir /boot + <!-- --> + root@debian:~# mv -T /boot.tmp /boot + + (If `/boot` has sub-mountpoints, like `/boot/efi`, you'll need to + unmount them first, and then remount them once `/boot` has been + moved to the root file system.) + + 3. Comment out the [`fstab`(5)] entry for the `/boot` mountpoint. + Otherwise at reboot `init`(1) will mount it and therefore shadow data + in the new `/boot` directory with data from the old plaintext + partition. + + root@debian:~# grep /boot /etc/fstab + ## /boot was on /dev/sda1 during installation + #UUID=c104749f-a0fa-406c-9e9a-3fc01f8e2f78 /boot ext2 defaults 0 2 + + +Enabling `cryptomount` in GRUB2 +=============================== + +Enable the feature and update the GRUB image: + + root@debian:~# echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub +<!-- --> + root@debian:~# update-grub +<!-- --> + root@debian:~# grub-install /dev/sda + +If everything went well, `/boot/grub/grub.cfg` should contain `insmod +cryptodisk` (and also `insmod lvm` if `/boot` is on a Logical Volume). + +*Note*: The PBKDF parameters are determined via benchmark upon key slot +creation (or update). Thus they only makes sense if the environment in +which the LUKS device is open matches (same CPU, same RAM size, etc.) +the one in which it's been formatted. Unlocking from GRUB does count as +an environment mismatch, because GRUB operates under tighter memory +constraints and doesn't take advantage of all crypto-related CPU +instructions. Concretely, that means unlocking a LUKS device from GRUB +might take *a lot* longer than doing it from the normal system. Since +GRUB's LUKS implementation isn't able to benchmark, you'll need to do it +manually. It's easier for PBKDF2 as there is a single parameter to play +with (iteration count) — while Argon2 has two (iteration count and +memory) — and changing it affects the unlocking time linearly: for +instance halving the iteration count would speed up unlocking by a +factor of two. (And of course, making low entropy passphrases twice as +easy to brute-force. There is a trade-off to be made here. Balancing +convenience and security is the whole point of running PBKDF +benchmarks.) + + root@debian:~# cryptsetup luksDump /dev/sda1 | grep -B1 "Iterations:" + Key Slot 0: ENABLED + Iterations: 1000000 +<!-- --> + root@debian:~# cryptsetup luksChangeKey --pbkdf-force-iterations 500000 /dev/sda1 + Enter passphrase to be changed: + Enter new passphrase: + Verify passphrase: + +(You can reuse the existing passphrase in the above prompts. Replace +`/dev/sda1` with the LUKS1 volume holding `/boot`; in this document +that's `/dev/sda1` if `/boot` resides on a separated encrypted +partition, or `/dev/sda5` if `/boot` was moved to the root file system.) + +*Note*: `cryptomount` lacks an option to specify the key slot index to +open. All active key slots are tried sequentially until a match is +found. Running the PBKDF algorithm is a slow operation, so to speed up +things you'll want the key slot to unlock at GRUB stage to be the first +active one. Run the following command to discover its index. + + root@debian:~# cryptsetup luksOpen --test-passphrase --verbose /dev/sda5 + Enter passphrase for /dev/sda5: + Key slot 0 unlocked. + Command successful. + + +Avoiding the extra password prompt +================================== + +The device holding the kernel (and the initramfs image) is unlocked by +GRUB, but the root device needs to be *unlocked again* at initramfs +stage, regardless whether it's the same device or not. This is because +GRUB boots with the given `vmlinuz` and initramfs images, but there is +currently no way to securely pass cryptographic material (or Device +Mapper information) to the kernel. Hence the Device Mapper table is +initially empty at initramfs stage; in other words, all devices are +locked, and the root device needs to be unlocked again. + +To avoid extra passphrase prompts at initramfs stage, a workaround is +to *unlock via key files stored into the initramfs image*. Since the +initramfs image now resides on an encrypted device, this still provides +protection for data at rest. After all for LUK1 the volume key can +already be found by userspace in the Device Mapper table, so one could +argue that including key files to the initramfs image -- created with +restrictive permissions -- doesn't change the threat model for LUKS1 +devices. Please note however that for LUKS2 the volume key is normally +*offloaded to the kernel keyring* (hence no longer readable by +userspace), while key files lying on disk are of course readable by +userspace. + + 1. Generate the shared secret (here with 512 bits of entropy as it's also + the size of the volume key) inside a new file. + + root@debian:~# mkdir -m0700 /etc/keys + <!-- --> + root@debian:~# ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync ) + 64+0 records in + 64+0 records out + 64 bytes copied, 0.000698363 s, 91.6 kB/s + + 2. Create a new key slot with that key file. + + root@debian:~# cryptsetup luksAddKey /dev/sda5 /etc/keys/root.key + Enter any existing passphrase: + <!-- --> + root@debian:~# cryptsetup luksDump /dev/sda5 | grep "^Key Slot" + Key Slot 0: ENABLED + Key Slot 1: ENABLED + Key Slot 2: DISABLED + Key Slot 3: DISABLED + Key Slot 4: DISABLED + Key Slot 5: DISABLED + Key Slot 6: DISABLED + Key Slot 7: DISABLED + + 3. Edit the [`crypttab`(5)] and set the third column to the key file path + for the root device entry. + + root@debian:~# cat /etc/crypttab + root_crypt UUID=… /etc/keys/root.key luks,discard,key-slot=1 + + The unlock logic normally runs the PBKDF algorithm through each key + slot sequentially until a match is found. Since the key file is + explicitly targeting the second key slot, its index is specified with + `key-slot=1` in the [`crypttab`(5)] to save useless expensive PBKDF + computations and *reduce boot time*. + + 4. In `/etc/cryptsetup-initramfs/conf-hook`, set `KEYFILE_PATTERN` to a + `glob`(7) expanding to the key path names to include to the initramfs + image. + + root@debian:~# echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" >>/etc/cryptsetup-initramfs/conf-hook + + 5. In `/etc/initramfs-tools/initramfs.conf`, set `UMASK` to a restrictive + value to avoid leaking key material. See [`initramfs.conf`(5)] for + details. + + root@debian:~# echo UMASK=0077 >>/etc/initramfs-tools/initramfs.conf + + 6. Finally re-generate the initramfs image, and double-check that it + 1/ has restrictive permissions; and 2/ includes the key. + + root@debian:~# update-initramfs -u + update-initramfs: Generating /boot/initrd.img-4.19.0-4-amd64 + <!-- --> + root@debian:~# stat -L -c "%A %n" /initrd.img + -rw------- /initrd.img + <!-- --> + root@debian:~# lsinitramfs /initrd.img | grep "^cryptroot/keyfiles/" + cryptroot/keyfiles/root_crypt.key + + (`cryptsetup-initramfs` normalises and renames key files inside the + initramfs, hence the new file name.) + +Should be safe to reboot now :-) If all went well you should see a +single passphrase prompt. + + +Using a custom keyboard layout +============================== + +GRUB uses the US keyboard layout by default. Alternative layouts for +the LUKS passphrase prompts can't be loaded from `/boot` or the root +file system, as the underlying devices haven't been mapped yet at that +stage. If you require another layout to type in your passphrase, then +you'll need to manually generate the core image using +[`grub-mkimage`(1)]. A possible solution is to embed a memdisk +containing the keymap inside the core image. + + 1. Create a memdisk (in GNU tar format) with the desired keymap, for + instance dvorak's. (The XKB keyboard layout and variant passed to + `grub-kbdcomp`(1) are described in the [`setxkbmap`(1)] manual.) + + root@debian:~# memdisk="$(mktemp --tmpdir --directory)" + <!-- --> + root@debian:~# grub-kbdcomp -o "$memdisk/keymap.gkb" us dvorak + <!-- --> + root@debian:~# tar -C "$memdisk" -cf /boot/grub/memdisk.tar . + + 2. Generate an early configuration file to embed inside the image. + + root@debian:~# uuid="$(blkid -o value -s UUID /dev/sda1)" + <!-- --> + root@debian:~# cat >/etc/early-grub.cfg <<-EOF + terminal_input --append at_keyboard + keymap (memdisk)/keymap.gkb + cryptomount -u ${uuid//-/} + + set root=(cryptouuid/${uuid//-/}) + set prefix=/grub + configfile grub.cfg + EOF + + *Note*: This is for the case of a separate `/boot` partition. If + `/boot` resides on the root file system, then replace `/dev/sda1` + with `/dev/sda5` (the LUKS device holding the root file system) and + set `prefix=/boot/grub`; if it's in a logical volume you'll also + [need to set][GRUB device syntax] `root=(lvm/DMNAME)`. + + *Note*: You might need to remove the first line if you use a USB + keyboard, or tweak it if GRUB doesn't see any PC/AT keyboard among its + available terminal input devices. Start by specifing `terminal_input` + in an interactive GRUB shell in order to determine the suitable input + device. (Choosing an incorrect device might prevent unlocking if no + input can be be entered.) + + 3. Finally, manually create and install the GRUB image. Don't use + `grub-install`(1) here, as we need to pass an early configuration + and a ramdisk. Instead, use [`grub-mkimage`(1)] with suitable image + file name, format, and module list. + + root@debian:~# grub-mkimage \ + -c /etc/early-grub.cfg -m /boot/grub/memdisk.tar \ + -o "$IMAGE" -O "$FORMAT" \ + diskfilter cryptodisk luks gcry_rijndael gcry_sha256 \ + memdisk tar keylayouts configfile \ + at_keyboard usb_keyboard uhci ehci \ + ahci part_msdos part_gpt lvm ext2 + + (Replace with `ahci` with a suitable module if the drive holding + `/boot` isn't a SATA drive supporting AHCI. Also, replace `ext2` + with a file system driver suitable for `/boot` if the file system + isn't ext2, ext3 or ext4.) + + The value of `IMAGE` and `FORMAT` depend on whether GRUB is in EFI + or BIOS mode. + + a. For EFI mode: `IMAGE="/boot/efi/EFI/debian/grubx64.efi"` and + `FORMAT="x86_64-efi"`. + + b. For BIOS mode: `IMAGE="/boot/grub/i386-pc/core.img"`, + `FORMAT="i386-pc"` and set up the image as follows: + + root@debian:~# grub-bios-setup -d /boot/grub/i386-pc /dev/sda + + You can now delete the memdisk and the early GRUB configuration + file, but note that subquent runs of `grub-install`(1) will override + these changes. + + +[`cryptsetup`(8)]: https://manpages.debian.org/cryptsetup.8.en.html +[`crypttab`(5)]: https://manpages.debian.org/crypttab.5.en.html +[`fstab`(5)]: https://manpages.debian.org/fstab.5.en.html +[`initramfs.conf`(5)]: https://manpages.debian.org/initramfs.conf.5.en.html +[`grub-mkimage`(1)]: https://manpages.debian.org/grub-mkimage.1.en.html +[`setxkbmap`(1)]: https://manpages.debian.org/setxkbmap.1.en.html +[GRUB device syntax]: https://www.gnu.org/software/grub/manual/grub/grub.html#Device-syntax + + -- Guilhem Moulin <guilhem@debian.org>, Sun, 09 Jun 2019 16:35:20 +0200 diff --git a/debian/doc/pandoc/index.md b/debian/doc/pandoc/index.md new file mode 100644 index 0000000..bd750c4 --- /dev/null +++ b/debian/doc/pandoc/index.md @@ -0,0 +1,24 @@ +Cryptsetup for Debian +===================== + +The main documentation: + +* [Debian Cryptsetup README](README.Debian.html) +* [Debian Cryptsetup Debugging README](README.debug.html) +* [Cryptsetup Initramfs intregration README](README.initramfs.html) + +Detailed documentation of specific setups: + +* [Debian encrypted boot documentation](encrypted-boot.html) + +Documentation of some particular keyscripts: + +* [Cryptsetup GnuPG keyscript README](README.gnupg.html) +* [Cryptsetup GnuPG smartcard keyscript README](README.gnupg-sc.html) +* [Cryptsetup keyctl keyscript README](README.keyctl.html) +* [Cryptsetup smartcard keyscript README](README.opensc.html) + + +**Please note**: Some of the documentation might be outdated. We +recommend to look at the date of the page footer. It gives an idea +about when the docs last got written and/or updated. diff --git a/debian/doc/pandoc/pandoc.css b/debian/doc/pandoc/pandoc.css new file mode 100644 index 0000000..bb66ac5 --- /dev/null +++ b/debian/doc/pandoc/pandoc.css @@ -0,0 +1,77 @@ +body { + margin: auto; + padding-right: 1em; + padding-left: 1em; + margin-left: 2em; + border-left: 1px solid black; + color: black; + font-size: 100%; + line-height: 140%; + color: #333; +} + +pre { + border: 1px dotted gray; + background-color: #ececec; + color: #1111111; + padding: 0.5em; + line-height: 1.42857143; + tab-size: 4; + -moz-tab-size: 4; +} + +code { + font-family: monospace; +} + +h1 a, h2 a, h3 a, h4 a, h5 a { + text-decoration: none; + color: #7a5ada; +} +h1, h2, h3, h4, h5 { + font-family: sans-serif; + font-weight: bold; + text-decoration: underline; + color: #7a5ada; +} +h1 { + font-size: 130%; +} +h2 { + font-size: 110%; +} +h3 { + font-size: 95%; +} +h4 { + font-size: 90%; + font-style: italic; +} +h5 { + font-size: 90%; + font-style: italic; +} +h1.title { + font-size: 200%; + font-weight: bold; + padding-top: 0.2em; + padding-bottom: 0.2em; + text-align: left; + border: none; +} + +dt code { + font-weight: bold; +} +dd p { + margin-top: 0; +} + +#TOC { + float: right; + width: 40%; + background: #eee; + font-size: 0.8em; + padding: 1em 2em; + margin: 0.0 0.5em 0.5em; +} diff --git a/debian/doc/variables.xml.in b/debian/doc/variables.xml.in new file mode 100644 index 0000000..8ca89f2 --- /dev/null +++ b/debian/doc/variables.xml.in @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "/usr/share/xml/docbook/schema/dtd/4.2/docbookx.dtd"> + +<refentry> + + <refmeta> + <refmiscinfo class="version">VERSION</refmiscinfo> + <refmiscinfo class="source">cryptsetup</refmiscinfo> + <refmiscinfo class="manual">cryptsetup manual</refmiscinfo> + </refmeta> + + <refentryinfo> + <date>DATE</date> + </refentryinfo> + +</refentry> diff --git a/debian/functions b/debian/functions new file mode 100644 index 0000000..917abad --- /dev/null +++ b/debian/functions @@ -0,0 +1,686 @@ +if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] || + [ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then + # called from an initramfs-tools hook script + TABFILE="$DESTDIR/cryptroot/crypttab" +elif [ "${0#/scripts/}" != "$0" ]; then + # called at initramfs stage from a boot script + TABFILE="/cryptroot/crypttab" + CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt" +else + TABFILE="${TABFILE-/etc/crypttab}" +fi +export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8) + +# Logging helpers. Send the argument list to plymouth(1), or fold it +# and print it to the standard error. +cryptsetup_message() { + local IFS=' ' + if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then + plymouth message --text="cryptsetup: $*" + elif [ ${#*} -lt 70 ]; then + echo "cryptsetup: $*" >&2 + else + # use busybox's fold(1) and sed(1) at initramfs stage + echo "cryptsetup: $*" | fold -s | sed '1! s/^/ /' >&2 + fi + return 0 +} + +# crypttab_parse_options([--export], [--quiet], [--missing-path={ignore|warn|fail}]) +# Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the +# crypttab(5) 4th column, and sets corresponding variables +# CRYPTTAB_OPTION_<option>=<value> (which are added to the environment +# if --export is set). If --path-exists isn't set to "ignore" (the +# default), then options taking a file name, such as header=<path>, +# need to point to an existing path, otherwise a warning is printed; +# and an error is raised if the value is set to "fail". +# For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY) +# should be set to the (unmangled) mapped device name (resp. key +# file). +# Moreover CRYPTTAB_TYPE is set the device type. +# Return 1 on parsing error, 0 otherwise (incl. if unknown options +# were encountered). +crypttab_parse_options() { + local quiet="n" export="n" missing_path="ignore" + while [ $# -gt 0 ]; do + case "$1" in + --quiet) quiet="y";; + --export) export="y";; + --missing-path=*) missing_path="${1#--missing-path=}";; + *) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1" + esac + shift + done + + local IFS=',' x OPTION VALUE + CRYPTTAB_TYPE="" + unset -v CRYPTTAB_OPTION_cipher \ + CRYPTTAB_OPTION_size \ + CRYPTTAB_OPTION_sector_size \ + CRYPTTAB_OPTION_hash \ + CRYPTTAB_OPTION_offset \ + CRYPTTAB_OPTION_skip \ + CRYPTTAB_OPTION_verify \ + CRYPTTAB_OPTION_readonly \ + CRYPTTAB_OPTION_discard \ + CRYPTTAB_OPTION_plain \ + CRYPTTAB_OPTION_luks \ + CRYPTTAB_OPTION_tcrypt \ + CRYPTTAB_OPTION_veracrypt \ + CRYPTTAB_OPTION_bitlk \ + CRYPTTAB_OPTION_fvault2 \ + CRYPTTAB_OPTION_swap \ + CRYPTTAB_OPTION_tmp \ + CRYPTTAB_OPTION_check \ + CRYPTTAB_OPTION_checkargs \ + CRYPTTAB_OPTION_tries \ + CRYPTTAB_OPTION_initramfs \ + CRYPTTAB_OPTION_noearly \ + CRYPTTAB_OPTION_noauto \ + CRYPTTAB_OPTION_loud \ + CRYPTTAB_OPTION_quiet \ + CRYPTTAB_OPTION_keyscript \ + CRYPTTAB_OPTION_keyslot \ + CRYPTTAB_OPTION_header \ + CRYPTTAB_OPTION_tcrypthidden \ + CRYPTTAB_OPTION_same_cpu_crypt \ + CRYPTTAB_OPTION_submit_from_crypt_cpus \ + CRYPTTAB_OPTION_no_read_workqueue \ + CRYPTTAB_OPTION_no_write_workqueue + # use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may + # contain '\054' which is decoded to ',' in the latter + for x in $_CRYPTTAB_OPTIONS; do + OPTION="${x%%=*}" + VALUE="${x#*=}" + if [ "$x" = "$OPTION" ]; then + unset -v VALUE + else + VALUE="$(printf '%b' "$VALUE")" + fi + if ! crypttab_validate_option; then + if [ "$quiet" = "n" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=*}' option, skipping" + fi + return 1 + elif [ -z "${OPTION+x}" ]; then + continue + fi + if [ "$export" = "y" ]; then + export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}" + else + eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}' + fi + done + IFS=" " + + if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device + CRYPTTAB_TYPE="plain" + if [ "$quiet" = "n" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \ + "assuming default ($CRYPTTAB_TYPE)." + fi + fi + + if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices." + fi + if [ "$CRYPTTAB_TYPE" = "plain" ]; then + # the compiled-in default for these are subject to change + options='cipher size' + if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then + options="$options hash" # --hash is being ignored in plain mode with keyfile specified + fi + for o in $options; do + if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then + cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \ + "mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \ + "add the correct '$o' option to your crypttab(5)." + fi + done + fi +} + +# crypttab_validate_option() +# Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return +# 1 on error, unsets OPTION for unknown or useless options. +crypttab_validate_option() { + # option aliases + case "$OPTION" in + read-only) OPTION="readonly";; + key-slot) OPTION="keyslot";; + tcrypt-hidden) OPTION="tcrypthidden";; + tcrypt-veracrypt) OPTION="veracrypt";; + esac + + # sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name + local o="$OPTION" + case "$o" in + keyfile-offset) OPTION="keyfile_offset";; + keyfile-size) OPTION="keyfile_size";; + sector-size) OPTION="sector_size";; + same-cpu-crypt) OPTION="same_cpu_crypt";; + submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";; + no-read-workqueue) OPTION="no_read_workqueue";; + no-write-workqueue) OPTION="no_write_workqueue";; + esac + + case "$o" in + # value must be a non-empty string + cipher|hash) + [ -n "${VALUE:+x}" ] || return 1 + ;; + # value must be a non-empty string, and an existing path if --missing-path is set + header) + [ -n "${VALUE:+x}" ] || return 1 + if [ "$missing_path" != "ignore" ]; then + if [ ! -e "$VALUE" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist"; + [ "$missing_path" = "warn" ] || return 1 + fi + fi + ;; + # numeric options >0 + size|keyfile-size|sector-size) + if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then + return 1 + fi + ;; + # numeric options >=0 + offset|skip|tries|keyslot|keyfile-offset) + if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then + return 1 + fi + ;; + tmp) + if [ -z "${VALUE+x}" ]; then + VALUE="ext4" # 'tmp flag' + elif [ -z "$VALUE" ]; then + return 1 + fi + ;; + check) + if [ -z "${VALUE+x}" ]; then + if [ -n "${CRYPTDISKS_CHECK-}" ]; then + VALUE="$CRYPTDISKS_CHECK" + else + unset -v OPTION + return 0 + fi + fi + if [ "${VALUE#/}" = "$VALUE" ]; then + VALUE="/lib/cryptsetup/checks/$VALUE" + fi + if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then + return 1 + fi + ;; + checkargs) + [ -n "${VALUE+x}" ] || return 1 # must have a value (possibly empty) + ;; + keyscript) + [ -n "${VALUE:+x}" ] || return 1 # must have a value + if [ "${VALUE#/}" = "$VALUE" ]; then + VALUE="/lib/cryptsetup/scripts/$VALUE" + fi + if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then + return 1 + fi + ;; + # and now the flags + verify) ;; + loud) ;; + quiet) ;; + initramfs) ;; + noearly) ;; + noauto) ;; + readonly) ;; + discard) ;; + plain) ;; + luks) ;; + swap) ;; + tcrypt) ;; + veracrypt) ;; + tcrypthidden) ;; + bitlk) ;; + fvault2) ;; + same-cpu-crypt) ;; + submit-from-crypt-cpus) ;; + no-read-workqueue) ;; + no-write-workqueue) ;; + *) + if [ "${quiet:-n}" = "n" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'"; + fi + unset -v OPTION + ;; + esac +} + +# crypttab_resolve_source() +# Resolve the CRYPTTAB_SOURCE variable, containing value of the second +# field of a crypttab(5)-like file. +# On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1 +# is returned. +crypttab_resolve_source() { + # return immediately if source is a regular file + [ ! -f "$CRYPTTAB_SOURCE" ] || return 0 + # otherwise resolve the block device specification + local dev="$CRYPTTAB_SOURCE" + dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1 +} + +# run_keyscript($tried_count) +# exec()'ute `$CRYPTTAB_OPTION_keyscript "$CRYPTTAB_KEY"`. +# If $CRYPTTAB_OPTION_keyscript is unset or null and $CRYPTTAB_KEY is +# "none" (meaning the passphrase is to be read interactively from the +# console), then use `/lib/cryptsetup/askpass` as keyscript with a +# suitable prompt message instead. +# Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript +# program, run_keyscript() must be used on the left-hand side of a +# pipe, or similar. +run_keyscript() { + local keyscript keyscriptarg="$CRYPTTAB_KEY" + export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS + export _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_OPTIONS + export CRYPTTAB_TRIED="$1" + + if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \ + [ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then + # 'keyscript' option is present: export its argument as $CRYPTTAB_KEY + export CRYPTTAB_KEY _CRYPTTAB_KEY + keyscript="$CRYPTTAB_OPTION_keyscript" + elif [ "$keyscriptarg" = "none" ]; then + # don't export the prompt message as CRYPTTAB_KEY + keyscript="/lib/cryptsetup/askpass" + keyscriptarg="Please unlock disk $CRYPTTAB_NAME: " + fi + + exec "$keyscript" "$keyscriptarg" +} + +# _get_crypt_type() +# Set CRYPTTAB_TYPE to the mapping type, depending on its +# $CRYPTTAB_OPTION_<option> values +# Return a non-zero status if the mapping couldn't be determined +_get_crypt_type() { + local s="$CRYPTTAB_SOURCE" t="" blk_t + + if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then + t="luks" + elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then + t="tcrypt" + elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then + t="plain" + elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then + t="bitlk" + elif [ "${CRYPTTAB_OPTION_fvault2-}" = "yes" ]; then + t="fvault2" + elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then + # detached headers are only supported for LUKS devices + if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then + t="luks" + fi + elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then + if /sbin/cryptsetup isLuks -- "$s"; then + t="luks" + elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then + t="bitlk" + fi + fi + + [ -n "$t" ] || return 1 + CRYPTTAB_TYPE="$t" +} + +# unlock_mapping([$keyfile]) +# Run cryptsetup(8) with suitable options and arguments to unlock +# $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping +# $CRYPTTAB_NAME. +unlock_mapping() { + local keyfile="${1:--}" + + if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then + # ignored for LUKS and TCRYPT devices + unset -v CRYPTTAB_OPTION_cipher \ + CRYPTTAB_OPTION_size \ + CRYPTTAB_OPTION_hash \ + CRYPTTAB_OPTION_offset \ + CRYPTTAB_OPTION_skip + fi + if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then + unset -v CRYPTTAB_OPTION_keyfile_size + fi + if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then + # ignored for TCRYPT devices + unset -v CRYPTTAB_OPTION_keyfile_offset + else + # ignored for non-TCRYPT devices + unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden + fi + + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + # ignored for non-LUKS devices + unset -v CRYPTTAB_OPTION_keyslot + fi + + /sbin/cryptsetup -T1 \ + ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \ + ${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \ + ${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \ + ${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \ + ${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \ + ${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \ + ${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \ + ${CRYPTTAB_OPTION_verify:+--verify-passphrase} \ + ${CRYPTTAB_OPTION_readonly:+--readonly} \ + ${CRYPTTAB_OPTION_discard:+--allow-discards} \ + ${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \ + ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \ + ${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \ + ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \ + ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \ + ${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \ + ${CRYPTTAB_OPTION_submit_from_crypt_cpus:+--perf-submit_from_crypt_cpus} \ + ${CRYPTTAB_OPTION_no_read_workqueue:+--perf-no_read_workqueue} \ + ${CRYPTTAB_OPTION_no_write_workqueue:+--perf-no_write_workqueue} \ + --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \ + open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME" +} + +# resume_mapping([$keyfile]) +# Run cryptsetup(8) with suitable options and arguments to resume +# $CRYPTTAB_NAME. +resume_mapping() { + local keyfile="${1:--}" + + /sbin/cryptsetup -T1 \ + ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \ + ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \ + ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \ + ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \ + --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \ + luksResume "$CRYPTTAB_NAME" +} + +# resume_device($device) +# Resume $device with endless retries. Used by cryptsetup-suspend-wrapper. +resume_device() { + local device="$1" + # check if device is really suspended + if [ "$(dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null)" != "Suspended" ]; then + cryptsetup_message "ERROR: $device: device was not suspendend" + return 1 + fi + + if ! crypttab_find_entry "$device" || ! crypttab_parse_options --quiet; then + cryptsetup_message "ERROR: $device: not found in $TABFILE" + return 1 + fi + + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-LUKS device" + return 1 + fi + + # Loop endlessly until the resume command succeeded + while true; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + resume_mapping "$CRYPTTAB_KEY" && break || true + else + run_keyscript 1 | resume_mapping && break || true + fi + done +} + +# crypttab_key_check() +# Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and +# CRYPTTAB_OPTION_<option> must be set appropriately. +crypttab_key_check() { + if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found" + return 0 + fi + + if [ "$CRYPTTAB_KEY" = "/dev/random" ] || [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then + if [ -n "${CRYPTTAB_OPTION_luks+x}" ] || [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key" + return 1 + else + return 0 + fi + fi + + local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")" + if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] || [ "${mode%00}" = "$mode" ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \ + "insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz." + fi +} + +# _resolve_device_spec($spec) +# Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and +# PARTLABEL=<partlabel> to a block special device. If $spec is +# already a (link to a block special device) then it is echoed as is. +# Return 1 if $spec doesn't correspond to a block special device. +_resolve_device_spec() { + local spec="$1" + case "$spec" in + UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*) + # don't use /dev/disk/by-label/... to avoid gessing udev mangling + spec="$(blkid -l -t "$spec" -o device)" || spec= + ;; + esac + [ -b "$spec" ] && printf '%s\n' "$spec" || return 1 +} + +# dm_blkdevname($name) +# Print the mapped device name, or return 1 if the the device doesn't exist. +dm_blkdevname() { + local name="$1" dev + # /dev/mapper/$name isn't reliable due to udev mangling + if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" && + [ -n "$dev" ] && [ -b "/dev/$dev" ]; then + echo "/dev/$dev" + return 0 + else + return 1 + fi +} + +# crypttab_find_entry([--quiet], $target) +# Search in the crypttab(5) for the given $target, and sets the +# variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and +# CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME, +# _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the +# unmangled values before decoding the escape sequence.) If there are +# duplicates then only the first match is considered. +# Return 0 if a match is found, and 1 otherwise. +crypttab_find_entry() { + local target="$1" quiet="n" IFS + if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then + quiet="y" + target="$2" + fi + + if [ -f "$TABFILE" ]; then + while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do + if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then + # ignore comments and empty lines + continue + fi + + # unmangle names + CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")" + if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then + cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)" + continue + elif [ "$CRYPTTAB_NAME" = "$target" ]; then + CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )" + CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )" + CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")" + return 0 + fi + done <"$TABFILE" + fi + + if [ "$quiet" = "n" ]; then + cryptsetup_message "WARNING: target '$target' not found in $TABFILE" + fi + return 1 +} + +# crypttab_foreach_entry($callback) +# Iterate through the crypttab(5) and run the given $callback for each +# entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY +# and CRYPTTAB_OPTIONS are set accordingly and available to the +# $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE, +# _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values +# before decoding the escape sequence.) +# Return 0 if a match is found, and 1 otherwise. +crypttab_foreach_entry() { + local callback="$1" IFS + local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \ + CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS + + [ -f "$TABFILE" ] || return + while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do + if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then + # ignore comments and empty lines + continue + fi + + # unmangle names + CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")" + + if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then + cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)" + continue + fi + + CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )" + CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )" + CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")" + + "$callback" 9<&- + done 9<"$TABFILE" +} + +# _device_uuid($device) +# Print the UUID attribute of given block special $device. Return 0 +# on success, 1 on error. +_device_uuid() { + local device="$1" uuid + if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then + printf '%s\n' "$uuid" + else + return 1 + fi +} + +# _resolve_device({$device | $spec}) +# Take a path to (or spec for) a block special device, and set DEV to +# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID +# (resp. minor ID) decimal value. On error these variables are not +# changed and 1 is returned. +_resolve_device() { + local spec="$1" dev devno maj min + if dev="$(_resolve_device_spec "$spec")" && + devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" && + maj="${devno%:*}" && min="${devno#*:}" && + [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] && + maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then + DEV="$dev" + MAJ="$maj" + MIN="$min" + return 0 + else + cryptsetup_message "ERROR: Couldn't resolve device $spec" + fi + return 1 +} + +# get_mnt_devno($mountpoint) +# Print the major:minor device ID(s) holding the file system currently +# mounted currenty mounted on $mountpoint. +# Return 0 on success, 1 on error (if $mountpoint is not a mountpoint). +get_mnt_devno() { + local wantmount="$1" devnos="" uuid dev IFS + local spec mountpoint fstype _ DEV MAJ MIN + + while IFS=" " read -r spec mountpoint fstype _; do + # treat lines starting with '#' as comments; /proc/mounts + # doesn't seem to contain these but per procfs(5) the format of + # that file is analogous to fstab(5)'s + if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] && + [ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then + # take the last mountpoint if used several times (shadowed) + unset -v devnos + spec="$(printf '%b' "$spec")" + _resolve_device "$spec" || continue # _resolve_device() already warns on error + fstype="$(printf '%b' "$fstype")" + if [ "$fstype" = "btrfs" ]; then + # btrfs can span over multiple devices + if uuid="$(_device_uuid "$DEV")"; then + for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do + devnos="${devnos:+$devnos }$(cat "$dev")" + done + else + cryptsetup_message "ERROR: $spec: Couldn't determine UUID" + fi + elif [ -n "$fstype" ]; then + devnos="$MAJ:$MIN" + fi + fi + done </proc/mounts + + if [ -z "${devnos:+x}" ]; then + return 1 # not found + else + printf '%s' "$devnos" + fi +} + +# foreach_cryptdev([--reverse], $callback, $maj:$min, [$maj:$min ..]) +# Run $callback on the (unmangled) name of each dm-crypt device +# recursively holding $maj:$min (typically corresponding to an md, +# linear, or dm-crypt device). Slaves that aren't dm-crypt devices +# are ignored. +# By default each device is processed after its *slaves*. If +# --reverse is set then each device is processed after its *holders* +# instead. +foreach_cryptdev() { + local callback="$1" reverse="n" devno base + shift + if [ "$callback" = "--reverse" ]; then + reverse="y" + callback="$1" + shift + fi + for devno in "$@"; do + base="/sys/dev/block/$devno" + if [ ! -d "$base" ]; then + cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno" + return 1 + fi + _foreach_cryptdev "$base" + done +} +_foreach_cryptdev() { + local d="$1" devno maj min name t d2 + [ "$reverse" = "y" ] && t="holders" || t="slaves" + [ -d "$d/$t" ] || return 0 + for d2 in "$d/$t"/*; do + if [ -d "$d2" ] && d2="$(realpath -e -- "$d2")"; then + _foreach_cryptdev "$d2" + fi + done + if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" && + maj="${devno%:*}" && min="${devno#*:}" && + [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] && + [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] && + name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then + "$callback" "$name" + fi +} + +# vim: set filetype=sh : diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..e68d2c4 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,11 @@ +[DEFAULT] +debian-branch = debian/bookworm +upstream-branch = upstream/latest +compression = gzip +pristine-tar = False + +[import-orig] +upstream-vcs-tag = v%(version)s + +[pq] +patch-numbers = False diff --git a/debian/initramfs/conf-hook b/debian/initramfs/conf-hook new file mode 100644 index 0000000..0b4389f --- /dev/null +++ b/debian/initramfs/conf-hook @@ -0,0 +1,44 @@ +# +# Configuration file for the cryptroot initramfs hook. +# + +# +# KEYFILE_PATTERN: ... +# +# The value of this variable is interpreted as a shell pattern. +# Matching key files from the crypttab(5) are included in the initramfs +# image. The associated devices can then be unlocked without manual +# intervention. (For instance if /etc/crypttab lists two key files +# /etc/keys/{root,swap}.key, you can set KEYFILE_PATTERN="/etc/keys/*.key" +# to add them to the initrd.) +# +# If KEYFILE_PATTERN if null or unset (default) then no key file is +# copied to the initramfs image. +# +# Note that the glob(7) is not expanded for crypttab(5) entries with a +# 'keyscript=' option. In that case, the field is not treated as a file +# name but given as argument to the keyscript. +# +# WARNING: +# * If the initramfs image is to include private key material, you'll +# want to create it with a restrictive umask in order to keep +# non-privileged users at bay. For instance, set UMASK=0077 in +# /etc/initramfs-tools/initramfs.conf +# * If you use cryptsetup-suspend, private key material inside the +# initramfs will be in memory during suspend period, defeating the +# purpose of cryptsetup-suspend. +# + +#KEYFILE_PATTERN= + +# +# ASKPASS: [ y | n ] +# +# Whether to include the askpass binary to the initramfs image. askpass +# is required for interactive passphrase prompts, and ASKPASS=y (the +# default) is implied when the hook detects that same device needs to be +# unlocked interactively (i.e., not via keyfile nor keyscript) at +# initramfs stage. Setting ASKPASS=n also skips `cryptroot-unlock` +# inclusion as it requires the askpass executable. + +#ASKPASS=y diff --git a/debian/initramfs/conf-hooks.d/cryptsetup b/debian/initramfs/conf-hooks.d/cryptsetup new file mode 100644 index 0000000..883c1ba --- /dev/null +++ b/debian/initramfs/conf-hooks.d/cryptsetup @@ -0,0 +1,9 @@ +# This will setup non-us keyboards in early userspace, +# necessary for punching in passphrases. +KEYMAP=y + +# force busybox on initramfs +BUSYBOX=y + +# and for systems using plymouth instead, use the new option +FRAMEBUFFER=y diff --git a/debian/initramfs/cryptroot-unlock b/debian/initramfs/cryptroot-unlock new file mode 100644 index 0000000..dbc2ad0 --- /dev/null +++ b/debian/initramfs/cryptroot-unlock @@ -0,0 +1,196 @@ +#!/bin/busybox ash + +# Remotely unlock encrypted volumes. +# +# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -ue +PATH=/sbin:/bin + +TIMEOUT=10 +PASSFIFO=/lib/cryptsetup/passfifo +ASKPASS=/lib/cryptsetup/askpass +UNLOCK_ALL=n + +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions +TABFILE="/cryptroot/crypttab" +unset -v IFS + +if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then + # Too early, init-top/cryptroot hasn't finished yet + echo "Try again later" >&2 + exit 1 +fi + +# Print the list of PIDs the executed command of which is $exe. +pgrep_exe() { + local exe pid + exe="$(readlink -f -- "$1" 2>/dev/null)" && [ -f "$exe" ] || return 0 + ps -eo pid= | while read pid; do + [ "$(readlink -f "/proc/$pid/exe")" != "$exe" ] || printf '%d\n' "$pid" + done +} + +# Return 0 if $pid has a file descriptor pointing to $name, and 1 +# otherwise. +in_fds() { + local pid="$1" name fd + name="$(readlink -f -- "$2" 2>/dev/null)" && [ -e "$name" ] || return 1 + for fd in $(find "/proc/$pid/fd" -type l); do + [ "$(readlink -f "$fd")" != "$name" ] || return 0 + done + return 1 +} + +# Print the PID of the askpass process with a file descriptor opened to +# /lib/cryptsetup/passfifo. +get_askpass_pid() { + local pid + for pid in $(pgrep_exe "$ASKPASS"); do + if in_fds "$pid" "$PASSFIFO"; then + echo "$pid" + return 0 + fi + done + return 1 +} + +# Print the number of configured crypt devices that have not been unlocked yet. +count_locked_devices() { + local COUNT=0 + crypttab_foreach_entry count_locked_devices_callback + printf '%d\n' "$COUNT" +} +count_locked_devices_callback() { + dm_blkdevname "$CRYPTTAB_NAME" >/dev/null || COUNT=$(( $COUNT + 1 )) +} + +# Wait for askpass, then set $PID (resp. $BIRTH) to the PID (resp. +# birth date) of the cryptsetup process with same $CRYPTTAB_NAME. +wait_for_prompt() { + local pid timer num_locked_devices=-1 n + + # wait for the fifo + while :; do + n=$(count_locked_devices) + if [ $n -eq 0 ]; then + # all configured devices have been unlocked, we're done + exit 0 + elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then + # reset $timer if a device was unlocked (for instance using + # a keyscript) while we were waiting + timer=$(( 10 * $TIMEOUT )) + fi + num_locked_devices=$n + + if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then + break + fi + + usleep 100000 + timer=$(( $timer - 1 )) + if [ $timer -le 0 ]; then + echo "Error: Timeout reached while waiting for askpass." >&2 + exit 1 + fi + done + + # find the cryptsetup process with same $CRYPTTAB_NAME + local o v + for o in NAME TRIED OPTION_tries; do + if v="$(grep -z -m1 "^CRYPTTAB_$o=" "/proc/$pid/environ")"; then + eval "CRYPTTAB_$o"="\${v#CRYPTTAB_$o=}" + else + eval unset -v "CRYPTTAB_$o" + fi + done + if [ -z "${CRYPTTAB_NAME:+x}" ] || [ -z "${CRYPTTAB_TRIED:+x}" ]; then + return 1 + fi + if ( ! crypttab_find_entry --quiet "$CRYPTTAB_NAME" ); then + # use a subshell to avoid polluting our enironment + echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2 + exit 1 + fi + + for pid in $(pgrep_exe "/sbin/cryptsetup"); do + if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then + PID=$pid + BIRTH=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) || break + return 0 + fi + done + + PID= + BIRTH= + return 1 +} + +# Wait until $PID no longer exists or has a birth date greater that +# $BIRTH (ie was reallocated). Then return with exit value 0 if +# /dev/mapper/$CRYPTTAB_NAME exists, and with exit value 1 if the +# maximum number of tries exceeded. Otherwise (if the unlocking +# failed), return with value 1. +wait_for_answer() { + local timer=$(( 10 * $TIMEOUT )) b + while [ -d "/proc/$PID" ] && b=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) && [ $b -le $BIRTH ]; do + usleep 100000 + timer=$(( $timer - 1 )) + if [ $timer -le 0 ]; then + echo "Error: Timeout reached while waiting for PID $PID." >&2 + exit 1 + fi + done + + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2 + [ "$UNLOCK_ALL" = y ] && return 0 || exit 0 + elif [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ] && + [ ${CRYPTTAB_OPTION_tries:-3} -gt 0 ]; then + echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2 + exit 1 + else + echo "cryptsetup: cryptsetup failed, bad password or options?" >&2 + return 1 + fi +} + + +if [ -t 0 ] && [ -x "$ASKPASS" ]; then + # interactive mode on a TTY: keep trying until all configured devices have + # been unlocked or the maximum number of tries exceeded + UNLOCK_ALL=y + while :; do + # note: if the script is not killed before pivot_root it should + # exit on its own once $TIMEOUT is reached + if ! wait_for_prompt; then + usleep 100000 + continue + fi + read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo + printf '%s' "$REPLY" >"$PASSFIFO" + wait_for_answer || true + done +else + # non-interactive mode: slurp the passphrase from stdin and exit + wait_for_prompt || exit 1 + echo "Please unlock disk $CRYPTTAB_NAME" + cat >"$PASSFIFO" + wait_for_answer || exit 1 +fi + +# vim: set filetype=sh : diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg new file mode 100644 index 0000000..dcb5248 --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg @@ -0,0 +1,46 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and symmetrically encrypted key into +# the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +# install askpass and GnuPG +copy_exec /lib/cryptsetup/askpass +copy_exec /usr/bin/gpg +exit $RV diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc new file mode 100644 index 0000000..9e45000 --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg-sc @@ -0,0 +1,87 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and encrypted key into the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +PUBRING="/etc/cryptsetup-initramfs/pubring.gpg" +if [ ! -f "$PUBRING" ]; then + cryptsetup_message "WARNING: $PUBRING: No such file" +else + [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome" + # let gpg(1) create the keyring on the fly; we're not relying on its + # internals since it's the very same binary we're copying to the + # initramfs + /usr/bin/gpg --no-options --no-autostart --trust-model=always \ + --quiet --batch --no-tty --logger-file=/dev/null \ + --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING" + # make sure not to clutter the initramfs with backup keyrings + find "$DESTDIR/cryptroot" -name "*~" -type f -delete +fi + +copy_exec /usr/bin/gpg +copy_exec /usr/bin/gpg-agent +copy_exec /usr/lib/gnupg/scdaemon +copy_exec /usr/bin/gpgconf +copy_exec /usr/bin/gpg-connect-agent + +if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then + if [ -x "/usr/bin/pinentry-curses" ]; then + pinentry="/usr/bin/pinentry-curses" + elif [ -x "/usr/bin/pinentry-tty" ]; then + pinentry="/usr/bin/pinentry-tty" + else + cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty" + RV=1 + fi + copy_exec "$pinentry" + ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry" +fi + +# #1028202: ncurses-base: move terminfo files from /lib/terminfo to +# /usr/share/terminfo +for d in "/usr/share/terminfo" "/lib/terminfo"; do + if [ -f "$d/l/linux" ]; then + if [ ! -f "$DESTDIR$d/l/linux" ]; then + copy_file terminfo "$d/l/linux" || RV=$? + fi + break + fi +done + +exit $RV diff --git a/debian/initramfs/hooks/cryptkeyctl b/debian/initramfs/hooks/cryptkeyctl new file mode 100644 index 0000000..5ae6ae8 --- /dev/null +++ b/debian/initramfs/hooks/cryptkeyctl @@ -0,0 +1,30 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading keyctl software into the initramfs + +# Check whether cryptroot hook has installed decrypt_keyctl script +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_keyctl" ]; then + exit 0 +fi + +copy_exec /lib/cryptsetup/askpass +copy_exec /bin/keyctl +exit 0 diff --git a/debian/initramfs/hooks/cryptopensc b/debian/initramfs/hooks/cryptopensc new file mode 100644 index 0000000..e0c5167 --- /dev/null +++ b/debian/initramfs/hooks/cryptopensc @@ -0,0 +1,62 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading smartcard reading software into the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +# Install directories needed by smartcard reading daemon, command, and +# key-script +mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp" + +# Install pcscd daemon, drivers, conf file +copy_exec /usr/sbin/pcscd + +cp -rt "$DESTDIR/usr/lib" /usr/lib/pcsc +cp -t "$DESTDIR/etc" /etc/reader.conf || true +cp -t "$DESTDIR/etc" /etc/libccid_Info.plist + +for so in $(ldconfig -p | sed -nr 's/^\s*(libusb-[0-9.-]+|libpcsclite)\.so\.[0-9]+\s.*=>\s*//p'); do + copy_exec "$so" +done + +# Install opensc commands and conf file +copy_exec /usr/bin/opensc-tool +copy_exec /usr/bin/pkcs15-crypt +cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf + +exit $RV diff --git a/debian/initramfs/hooks/cryptpassdev b/debian/initramfs/hooks/cryptpassdev new file mode 100644 index 0000000..54492f0 --- /dev/null +++ b/debian/initramfs/hooks/cryptpassdev @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for adding filesystem modules to the initramfs when the passdev +# keyscript is used + +# Check whether the passdev script has been included +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/passdev" ]; then + exit 0 +fi + +# The filesystem type of the removable device is probed at boot-time, so +# we add a generous list of filesystems to include. This also helps with +# recovery situation as including e.g. the vfat module might help a user +# who needs to create a new cryptkey (using a backup of a keyfile) on +# a windows-machine for example. + +# This list needs to be kept in sync with the one defined in passdev.c +manual_add_modules ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf +exit 0 + diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot new file mode 100644 index 0000000..c16f7c2 --- /dev/null +++ b/debian/initramfs/hooks/cryptroot @@ -0,0 +1,406 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions +TABFILE="/etc/crypttab" + + +# crypttab_find_and_print_entry($target) +# Find the crypttab(5) entry for the given (unmangled) $target and +# print it - preserving the mangling - to FD nr. 3; but only if the +# target has not already been processed during an earlier function +# call. (Processed target names are stored in +# $DESTDIR/cryptroot/targets.) +# Return 0 on success, 1 on error. +crypttab_find_and_print_entry() { + local target="$1" + local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS + if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then + printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets" + crypttab_find_entry "$target" || return 1 + crypttab_parse_options --missing-path=warn || return 1 + crypttab_print_entry + fi +} + +# crypttab_print_entry() +# Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_* +# and _CRYPTTAB_* values. +# _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for +# LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/, +# or is already a device specification (such as LABEL= or PARTUUID=). +# If the entry uses the 'decrypt_derived' keyscript, the other +# crypttab(5) entries it depends on are (recursively) printed before +# hand. +# Various checks are performed on the key and crypttab options, but no +# parsing is done so it's the responsibility of the caller to call +# crypttab_parse_options(). +# Return 0 on success, 1 on error. +crypttab_print_entry() { + local DEV MAJ MIN uuid keyfile + if _resolve_device "$CRYPTTAB_SOURCE"; then + if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch" + elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \ + [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \ + [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \ + uuid="$(_device_uuid "$DEV")"; then + _CRYPTTAB_SOURCE="UUID=$uuid" + fi + # on failure _resolve_device() prints a warning and we try our + # luck with the unchanged _CRYPTTAB_SOURCE value + fi + + # if keyscript is set, the "key" is just an argument to the script + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + crypttab_key_check || return 1 + case "$CRYPTTAB_KEY" in + $KEYFILE_PATTERN) + mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles" + # $CRYPTTAB_NAME can't contain '/' (even after unmangling) + keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key" + if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then + cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY" + fi + _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name + ;; + *) + if [ "$usage" = rootfs ]; then + cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file" + return 1 + elif [ "$usage" = resume ]; then + cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file" + fi + if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" && + [ "${keyfile#/}" != "$keyfile" ]; then + cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target" + return 1 + elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then + cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS" + return 1 + fi + if [ ! -e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + else + _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name + fi + esac + fi + + if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then + copy_exec "$CRYPTTAB_OPTION_keyscript" + elif [ "$CRYPTTAB_KEY" = "none" ]; then + ASKPASS="y" + fi + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then + # (recursively) list first the device to derive the key from (so + # the boot scripts unlock it first); since _CRYPTTAB_* are local + # to crypttab_find_and_print_entry() the new value won't + # override the new ones + crypttab_find_and_print_entry "$CRYPTTAB_KEY" + fi + printf '%s %s %s %s\n' \ + "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3 +} + +# get_resume_devno() +# Return the device ID(s) used for system suspend/hibernate. +get_resume_devno() { + local dev filename + + # uswsusp + for filename in /etc/uswsusp.conf /etc/suspend.conf; do + [ -e "$filename" ] || continue + dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")" + if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then + # trim quotes + dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")" + _print_devno "$(printf '%b' "$dev")" # unmangle + fi + done + + # regular swsusp + dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)" + _print_devno "$(printf '%b' "$dev")" # unmangle + + # initramfs-tools >=0.129 + dev="${RESUME:-auto}" + if [ "$dev" != none ]; then + if [ "$dev" = auto ]; then + # next line from /usr/share/initramfs-tools/hooks/resume + dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)" + fi + _print_devno "$(printf '%b' "$dev")" # unmangle + fi +} +_print_devno() { + local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets + if [ -n "$1" ] && _resolve_device "$1"; then + printf '%d:%d\n' "$MAJ" "$MIN" + fi +} + +# crypttab_print_initramfs_entry() +# Print a crypttab(5) entry - unless it was already processed - if it +# has the 'initramfs' option set. +crypttab_print_initramfs_entry() { + local usage= + if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" && + crypttab_parse_options --quiet && + [ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then + printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets" + crypttab_print_entry + fi +} + +# generate_initrd_crypttab() +# Generate the crypttab(5) snippet that is relevant at initramfs +# stage. (Devices that aren't required at initramfs stage are +# ignored.) +generate_initrd_crypttab() { + local devnos usage IFS="$(printf '\t\n ')" + mkdir -- "$DESTDIR/cryptroot" + true >"$DESTDIR/cryptroot/targets" + + { + if devnos="$(get_mnt_devno /)"; then + usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos + else + cryptsetup_message "WARNING: Couldn't determine root device" + fi + + if devnos="$(get_resume_devno)"; then + usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos + fi + + if devnos="$(get_mnt_devno /usr)"; then + usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos + fi + + # add crypttab entries with the 'initramfs' option set + crypttab_foreach_entry crypttab_print_initramfs_entry + } 3>"$DESTDIR/cryptroot/crypttab" + rm -f "$DESTDIR/cryptroot/targets" +} + +# populate_CRYPTO_HASHES() +# Find out which crypto hashes are required for a crypttab(5) entry, +# and append them to the CRYPTO_HASHES variable. +populate_CRYPTO_HASHES() { + local hash source newline=" +" + + if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then + source="$CRYPTTAB_OPTION_header" + else + source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source="" + fi + + if [ ! -e "$source" ]; then + # missing source device or detached header, can't determine hashing function(s) + hash="@@UNKNOWN@@" + elif [ "$CRYPTTAB_TYPE" = "luks" ]; then + # using --dump-json-metadata would be more robust for LUKS2 but + # we also have to support LUKS1 hence have to parse luksDump output + hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')" + elif [ "$CRYPTTAB_TYPE" = "plain" ]; then + # --hash is being ignored when opening via key file + if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + hash="${CRYPTTAB_OPTION_hash-ripemd160}" # default password hashing as of cryptsetup 2.5 + fi + else + hash="" # or hash="@@UNKNOWN@@"? + fi + + if [ -n "$hash" ]; then + CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash" + fi +} + +# populate_CRYPTO_MODULES() +# Find out which crypto modules are required for a crypttab(5) entry, +# and append them to the CRYPTO_MODULES variable. +populate_CRYPTO_MODULES() { + local cipher iv + + # cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt + cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)" + if [ -z "$cipher" ]; then + cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" + elif [ "${cipher#capi:}" = "$cipher" ]; then + # direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher + cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode + iv="${cipher##*-}" # ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode + if [ "${iv#*:}" != "$iv" ]; then + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts + fi + else + # kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12 + cipher="${cipher#capi:}" + cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \ + "(kernel crypto API format isn't supported yet)" + fi +} + +# add_modules($glob, $moduledir, [$moduledir ..]) +# Add modules matching under the given $moduledir(s), the name of +# which matching $glob. +# Return 0 if any module was found found, 1 if not. +add_modules() { + local glob="$1" found=n + shift + for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do + manual_add_modules "${mod%%.*}" + found=y + done + [ "$found" = y ] && return 0 || return 1 +} + +# add_crypto_modules($name, [$name ..]) +# Determine kernel module name and add to initramfs. +add_crypto_modules() { + local mod + for mod in "$@"; do + # We have several potential sources of modules (in order of preference): + # + # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko + # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko + # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko + # + # and (currently ignored): + # + # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko + add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true + add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \ + || add_modules "$mod" "$MODULESDIR/kernel/crypto" \ + || true + done +} + +# copy_libssl_legacy_library() +# Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed. +# OpenSSL 3.0 moved support for some crypto hashes into legacy.so. +# See https://launchpad.net/bugs/1979159 +copy_libssl_legacy_library() { + local libcryptodir CRYPTO_HASHES="" + + libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')" + [ -d "$libcryptodir" ] || return + + crypttab_foreach_entry populate_CRYPTO_HASHES + # See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests + if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e ripemd160 -e whirlpool; then + # legacy hashes are used so legacy.so needs to be copied to the initramfs + # (assume ossl-modules/legacy.so is relative to the linked libcrypto.so) + copy_exec "$libcryptodir/ossl-modules/legacy.so" || true + fi +} + +# See #1032221: newer libargon2 are built with glibc ≥2.34 hence no +# longer links libpthread. This in turns means that initramfs-tool's +# copy_exec() is no longer able to detect pthread_*() need and thus +# doesn't copy libgcc_s.so anymore. So we need to do it manually +# instead. +copy_libgcc_argon2() { + local libdir rv=0 + libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libargon2\.so\..*/ {s//\1/p;q}')" + copy_libgcc "$libdir" || rv=$? + if [ $rv -ne 0 ]; then + # merged-/usr mismatch, see #1032518 + if [ "${libdir#/usr/}" != "$libdir" ]; then + libdir="${libdir#/usr}" + else + libdir="/usr/${libdir#/}" + fi + copy_libgcc "$libdir" && rv=0 || rv=$? + fi + return $rv +} + + +####################################################################### +# Begin real processing + +unset -v ASKPASS KEYFILE_PATTERN +ASKPASS="y" +KEYFILE_PATTERN= + +# Load the hook config +if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then + . /etc/cryptsetup-initramfs/conf-hook +fi + +if [ -n "$KEYFILE_PATTERN" ]; then + case "${UMASK:-$(umask)}" in + 0[0-7]77) ;; + *) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \ + "Private key material within the initrd might be left unprotected." + ;; + esac +fi + +CRYPTO_MODULES= +if [ -r "$TABFILE" ]; then + generate_initrd_crypttab + TABFILE="$DESTDIR/cryptroot/crypttab" + crypttab_foreach_entry populate_CRYPTO_MODULES + copy_libssl_legacy_library +fi + +# add required components +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /sbin/cryptsetup +copy_exec /sbin/dmsetup +copy_libgcc_argon2 + +[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass + +# We need sed. Either via busybox or as standalone binary. +if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then + copy_exec /bin/sed +fi + +# detect whether the host CPU has AES-NI support +if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni" +else + # workaround for #883595/#901884 (xts depends on ecb) + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb" +fi + +# add userspace crypto module (only required for opening LUKS2 devices +# we add the module unconditionally as it's the default format) +CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher" + +if [ "$MODULES" = most ]; then + for d in "$MODULESDIR"/kernel/arch/*/crypto; do + copy_modules_dir "${d#"$MODULESDIR/"}" + done + copy_modules_dir "kernel/crypto" +else + if [ "$MODULES" != "dep" ]; then + # with large initramfs, we always add a basic subset of modules + add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts + fi + add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u) +fi +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions diff --git a/debian/initramfs/hooks/cryptroot-unlock b/debian/initramfs/hooks/cryptroot-unlock new file mode 100644 index 0000000..06fe976 --- /dev/null +++ b/debian/initramfs/hooks/cryptroot-unlock @@ -0,0 +1,40 @@ +#!/bin/sh + +prereqs() +{ + # cryptroot-unlock needs to be run last among crypt* since other hooks might include askpass + local req script + for req in "${0%/*}"/crypt*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +if [ ! -f "$DESTDIR/lib/cryptsetup/askpass" ]; then + # cryptroot-unlock is useless without askpass + exit 0 +fi + +. /usr/share/initramfs-tools/hook-functions +if [ ! -f "$DESTDIR/bin/cryptroot-unlock" ] && + ! copy_file script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock /bin/cryptroot-unlock; then + echo "ERROR: Couldn't copy /bin/cryptroot-unlock" >&2 + exit 1 +fi + +if [ -f /etc/initramfs-tools/etc/motd ]; then + copy_file text /etc/initramfs-tools/etc/motd /etc/motd +else + cat >>"$DESTDIR/etc/motd" <<- EOF + To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`. + EOF +fi diff --git a/debian/initramfs/scripts/local-block/cryptroot b/debian/initramfs/scripts/local-block/cryptroot new file mode 100644 index 0000000..89c2b1c --- /dev/null +++ b/debian/initramfs/scripts/local-block/cryptroot @@ -0,0 +1,21 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo $PREREQ +} + +case $1 in +# get pre-requisites +prereqs) + prereqs + exit 0 + ;; +esac + +if [ -x /scripts/local-top/cryptroot ]; then + export CRYPTROOT_STAGE="local-block" + exec /scripts/local-top/cryptroot +fi diff --git a/debian/initramfs/scripts/local-bottom/cryptgnupg-sc b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc new file mode 100644 index 0000000..47be70b --- /dev/null +++ b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc @@ -0,0 +1,18 @@ +#!/bin/sh + +PREREQ="" + +prereqs() { + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +if [ -x /usr/bin/gpgconf ] && [ -d "/cryptroot/gnupghome" ]; then + gpgconf --homedir="/cryptroot/gnupghome" --kill all +fi diff --git a/debian/initramfs/scripts/local-bottom/cryptopensc b/debian/initramfs/scripts/local-bottom/cryptopensc new file mode 100644 index 0000000..4de8f48 --- /dev/null +++ b/debian/initramfs/scripts/local-bottom/cryptopensc @@ -0,0 +1,32 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +# Hook for stopping smartcard reading software + +if [ ! -x /usr/sbin/pcscd ]; then + exit 0 +fi + +. /scripts/functions + +if PID="$(cat /run/pcscd.pid)" 2>/dev/null && + [ "$(readlink -f "/proc/$PID/exe")" = "/usr/sbin/pcscd" ]; then + log_begin_msg "Stopping pcscd" + kill -TERM "$PID" + log_end_msg +fi diff --git a/debian/initramfs/scripts/local-bottom/cryptroot b/debian/initramfs/scripts/local-bottom/cryptroot new file mode 100644 index 0000000..945739f --- /dev/null +++ b/debian/initramfs/scripts/local-bottom/cryptroot @@ -0,0 +1,22 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +# If we reached this stage, we do have a rootfs mounted +# so let's clean-up cryptroot setup mess... +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + +rm -f -- "$CRYPTROOT_COUNT_FILE" diff --git a/debian/initramfs/scripts/local-top/cryptopensc b/debian/initramfs/scripts/local-top/cryptopensc new file mode 100644 index 0000000..344acc6 --- /dev/null +++ b/debian/initramfs/scripts/local-top/cryptopensc @@ -0,0 +1,37 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +# Hook for starting smartcard reading software + +if [ ! -x /usr/sbin/pcscd ]; then + exit 0 +fi + +. /scripts/functions + +# Start pcscd daemon normally: +# start-stop-daemon --start --quiet \ +# --pidfile /run/pcscd.pid \ +# --exec /usr/sbin/pcscd +# Alternatively, start pcscd daemon in foreground so that it's pretty colored +# output may be seen on the console, useful for watching error messages since +# pcscd uses syslog which is not available (use --error or --critical to filter +# out debug message clutter): +# /usr/sbin/pcscd --error --foreground & +/usr/sbin/pcscd --foreground & +echo $! >/run/pcscd.pid diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot new file mode 100644 index 0000000..90b521b --- /dev/null +++ b/debian/initramfs/scripts/local-top/cryptroot @@ -0,0 +1,239 @@ +#!/bin/sh + +PREREQ="cryptroot-prepare" + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + + +# wait_for_source() +# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE +# to its normalized device name when it shows up; +# return 1 if timeout. +wait_for_source() { + wait_for_udev 10 + + if crypttab_resolve_source; then + # the device is here already, no need to loop + return 0 + fi + + # If the source device hasn't shown up yet, give it a little while + # to allow for asynchronous device discovery (e.g. USB). + # + # We also need to take into account RAID or other devices that may + # only be available on local-block stage. So, wait 5 seconds upfront, + # in local-top; if that fails, end execution relying on local-block + # invocations. Allow $ROOTDELAY/4 invocations with 1s sleep times (with + # a minimum of 20 invocations), and if after that we still fail, then it's + # really time to give-up. Variable $initrd_cnt tracks the re-invocations. + # + # Part of the lines below has been taken from initramfs-tools + # scripts/local's local_device_setup(), as suggested per + # https://launchpad.net/bugs/164044 . + + local slumber=5 + if [ "${CRYPTROOT_STAGE-}" = "local-block" ]; then + slumber=1 + fi + + cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..." + + while [ $slumber -gt 0 ]; do + sleep 1 + + if crypttab_resolve_source; then + wait_for_udev 10 + return 0 + fi + + slumber=$(( $slumber - 1 )) + done + return 1 +} + +# setup_mapping() +# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + local dev initrd_cnt + + # We control here the number of re-invocations of this script from + # local-block - the heuristic is $ROOTDELAY/4, with a minimum of 20. + + if [ -f "$CRYPTROOT_COUNT_FILE" ]; then + initrd_cnt="$(cat <"$CRYPTROOT_COUNT_FILE")" + else + initrd_cnt="${ROOTDELAY:-180}" + initrd_cnt=$(( initrd_cnt/4 )) + if [ $initrd_cnt -lt 20 ]; then + initrd_cnt=20 + fi + echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE" + fi + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + return 0 + fi + + crypttab_parse_options --export --missing-path=fail || return 1 + + if ! wait_for_source; then + if [ $initrd_cnt -eq 0 ]; then + # we've given up + if [ -n "$panic" ]; then + panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + else + # let the user fix matters if they can + echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + echo " Check cryptopts=source= bootarg: cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules; ls /dev" + panic "Dropping to a shell." + fi + return 1 # can't continue because environment is lost + else + initrd_cnt=$(( initrd_cnt - 1 )) + echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE" + return 0 # allow some attempts on local-block stage + fi + fi + + # our `cryptroot-unlock` script searches for cryptsetup processes + # with a given CRYPTTAB_NAME it their environment + export CRYPTTAB_NAME + + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # no keyscript: interactive unlocking, or key file + + if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then + # skip the mapping for now if the root FS is not mounted yet + sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1 + # substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise + CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" + fi + + if [ "$CRYPTTAB_KEY" != "none" ]; then + if [ ! -e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY" + return 1 + fi + # try only once if we have a key file + CRYPTTAB_OPTION_tries=1 + fi + fi + + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv + while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + # unlock via keyfile + unlock_mapping "$CRYPTTAB_KEY" + else + # unlock interactively or via keyscript + run_keyscript "$count" | unlock_mapping + fi + rv=$? + count=$(( $count + 1 )) + + if [ $rv -ne 0 ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?" + sleep 1 + continue + elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping" + return 1 + fi + + if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + # bad password for plain dm-crypt device? or mkfs not run yet? + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?" + wait_for_udev 10 + /sbin/cryptsetup remove -- "$CRYPTTAB_NAME" + sleep 1 + continue + fi + fi + + cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + wait_for_udev 10 + return 0 + done + + cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded" + exit 1 +} + + +####################################################################### +# Begin real processing + +mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5) + +# Do we have any kernel boot arguments? +if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then + # ensure $TABFILE exists and has a mtime greater than the boot time + # (existing $TABFILE is preserved) + touch -- "$TABFILE" +else + # let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline + tr ' ' '\n' </proc/cmdline | sed -n 's/^cryptopts=//p' | while IFS= read cryptopts; do + # skip empty values (which can be used to disable the initramfs + # scripts for a particular boot, cf. #873840) + [ -n "$cryptopts" ] || continue + unset -v target source key options + + IFS="," + for x in $cryptopts; do + case "$x" in + target=*) target="${x#target=}";; + source=*) source="${x#source=}";; + key=*) key="${x#key=}";; + *) options="${options+$options,}$x";; + esac + done + + if [ -z "${source:+x}" ]; then + cryptsetup_message "ERROR: Missing source= value in kernel parameter cryptopts=$cryptopts" + else + # preserve mangling + printf '%s %s %s %s\n' "${target:-cryptroot}" "$source" "${key:-none}" "${options-}" + fi + done >"$TABFILE" +fi + +# Do we have any settings from the $TABFILE? +if [ -s "$TABFILE" ]; then + # Create locking directory before invoking cryptsetup(8) to avoid warnings + mkdir -pm0700 /run/cryptsetup + modprobe -q dm_crypt + + crypttab_foreach_entry setup_mapping +fi + +exit 0 diff --git a/debian/libcryptsetup-dev.docs b/debian/libcryptsetup-dev.docs new file mode 100644 index 0000000..8806d7b --- /dev/null +++ b/debian/libcryptsetup-dev.docs @@ -0,0 +1 @@ +docs/examples diff --git a/debian/libcryptsetup-dev.install b/debian/libcryptsetup-dev.install new file mode 100644 index 0000000..edf075c --- /dev/null +++ b/debian/libcryptsetup-dev.install @@ -0,0 +1,3 @@ +lib/${DEB_HOST_MULTIARCH}/*.so +lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc /usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/ +usr/include/*.h diff --git a/debian/libcryptsetup12-udeb.install b/debian/libcryptsetup12-udeb.install new file mode 100644 index 0000000..db6f744 --- /dev/null +++ b/debian/libcryptsetup12-udeb.install @@ -0,0 +1 @@ +lib/${DEB_HOST_MULTIARCH}/*.so.* diff --git a/debian/libcryptsetup12.install b/debian/libcryptsetup12.install new file mode 100644 index 0000000..db6f744 --- /dev/null +++ b/debian/libcryptsetup12.install @@ -0,0 +1 @@ +lib/${DEB_HOST_MULTIARCH}/*.so.* diff --git a/debian/libcryptsetup12.lintian-overrides b/debian/libcryptsetup12.lintian-overrides new file mode 100644 index 0000000..fc6d52e --- /dev/null +++ b/debian/libcryptsetup12.lintian-overrides @@ -0,0 +1,3 @@ +# See reasoning at #843932 ('dev-pkg-without-shlib-symlink' was renamed +# to 'lacks-unversioned-link-to-shared-library') +lacks-unversioned-link-to-shared-library example: usr/lib/x86_64-linux-gnu/libcryptsetup.so [lib/x86_64-linux-gnu/libcryptsetup.so.12.*] diff --git a/debian/libcryptsetup12.symbols b/debian/libcryptsetup12.symbols new file mode 100644 index 0000000..f124910 --- /dev/null +++ b/debian/libcryptsetup12.symbols @@ -0,0 +1,139 @@ +libcryptsetup.so.12 libcryptsetup12 #MINVER# +* Build-Depends-Package: libcryptsetup-dev + CRYPTSETUP_2.0@CRYPTSETUP_2.0 2:2.0 + CRYPTSETUP_2.4@CRYPTSETUP_2.4 2:2.4 + CRYPTSETUP_2.5@CRYPTSETUP_2.5 2:2.5 + CRYPTSETUP_2.6@CRYPTSETUP_2.6 2:2.6 + crypt_activate_by_keyfile@CRYPTSETUP_2.0 2:1.4 + crypt_activate_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3 + crypt_activate_by_keyring@CRYPTSETUP_2.0 2:2.0 + crypt_activate_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1 + crypt_activate_by_passphrase@CRYPTSETUP_2.0 2:1.4 + crypt_activate_by_signed_key@CRYPTSETUP_2.0 2:2.3 + crypt_activate_by_token@CRYPTSETUP_2.0 2:2.0 + crypt_activate_by_token_pin@CRYPTSETUP_2.4 2:2.4 + crypt_activate_by_volume_key@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_add_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1 + crypt_benchmark@CRYPTSETUP_2.0 2:1.6 + crypt_benchmark_pbkdf@CRYPTSETUP_2.0 2:2.0 + crypt_convert@CRYPTSETUP_2.0 2:2.0 + crypt_deactivate@CRYPTSETUP_2.0 2:1.4 + crypt_deactivate_by_name@CRYPTSETUP_2.0 2:2.0 + crypt_dump@CRYPTSETUP_2.0 2:1.4 + crypt_dump_json@CRYPTSETUP_2.4 2:2.4 + crypt_format@CRYPTSETUP_2.0 2:1.4 + crypt_format@CRYPTSETUP_2.4 2:2.4 + crypt_free@CRYPTSETUP_2.0 2:1.4 + crypt_get_active_device@CRYPTSETUP_2.0 2:1.4 + crypt_get_active_integrity_failures@CRYPTSETUP_2.0 2:2.0.3 + crypt_get_cipher@CRYPTSETUP_2.0 2:1.4 + crypt_get_cipher_mode@CRYPTSETUP_2.0 2:1.4 + crypt_get_compatibility@CRYPTSETUP_2.0 2:2.3 + crypt_get_data_offset@CRYPTSETUP_2.0 2:1.4 + crypt_get_default_type@CRYPTSETUP_2.0 2:2.1 + crypt_get_device_name@CRYPTSETUP_2.0 2:1.4 + crypt_get_dir@CRYPTSETUP_2.0 2:1.4 + crypt_get_integrity_info@CRYPTSETUP_2.0 2:2.0 + crypt_get_iv_offset@CRYPTSETUP_2.0 2:1.4 + crypt_get_label@CRYPTSETUP_2.5 2:2.5 + crypt_get_metadata_device_name@CRYPTSETUP_2.0 2:2.1 + crypt_get_metadata_size@CRYPTSETUP_2.0 2:2.1 + crypt_get_pbkdf_default@CRYPTSETUP_2.0 2:2.0.3 + crypt_get_pbkdf_type@CRYPTSETUP_2.0 2:2.0 + crypt_get_pbkdf_type_params@CRYPTSETUP_2.0 2:2.1 + crypt_get_rng_type@CRYPTSETUP_2.0 2:1.4 + crypt_get_sector_size@CRYPTSETUP_2.0 2:2.0 + crypt_get_subsystem@CRYPTSETUP_2.5 2:2.5 + crypt_get_type@CRYPTSETUP_2.0 2:1.4 + crypt_get_uuid@CRYPTSETUP_2.0 2:1.4 + crypt_get_verity_info@CRYPTSETUP_2.0 2:1.5 + crypt_get_volume_key_size@CRYPTSETUP_2.0 2:1.4 + crypt_header_backup@CRYPTSETUP_2.0 2:1.4 + crypt_header_is_detached@CRYPTSETUP_2.4 2:2.4 + crypt_header_restore@CRYPTSETUP_2.0 2:1.4 + crypt_init@CRYPTSETUP_2.0 2:1.4 + crypt_init_by_name@CRYPTSETUP_2.0 2:1.4 + crypt_init_by_name_and_header@CRYPTSETUP_2.0 2:1.4 + crypt_init_data_device@CRYPTSETUP_2.0 2:2.1 + crypt_keyfile_device_read@CRYPTSETUP_2.0 2:2.0.1 + crypt_keyfile_read@CRYPTSETUP_2.0 2:2.0 + crypt_keyslot_add_by_key@CRYPTSETUP_2.0 2:2.0 + crypt_keyslot_add_by_keyfile@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_add_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3 + crypt_keyslot_add_by_keyslot_context@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_add_by_passphrase@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_add_by_volume_key@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_area@CRYPTSETUP_2.0 2:1.6 + crypt_keyslot_change_by_passphrase@CRYPTSETUP_2.0 2:1.6 + crypt_keyslot_context_free@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_get_error@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_get_type@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_init_by_keyfile@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_init_by_passphrase@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_init_by_token@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_init_by_volume_key@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_context_set_pin@CRYPTSETUP_2.6 2:2.6 + crypt_keyslot_destroy@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_get_encryption@CRYPTSETUP_2.0 2:2.1 + crypt_keyslot_get_key_size@CRYPTSETUP_2.0 2:2.0.3 + crypt_keyslot_get_pbkdf@CRYPTSETUP_2.0 2:2.1 + crypt_keyslot_get_priority@CRYPTSETUP_2.0 2:2.0 + crypt_keyslot_max@CRYPTSETUP_2.0 2:1.4 + crypt_keyslot_set_encryption@CRYPTSETUP_2.0 2:2.1 + crypt_keyslot_set_priority@CRYPTSETUP_2.0 2:2.0 + crypt_keyslot_status@CRYPTSETUP_2.0 2:1.4 + crypt_load@CRYPTSETUP_2.0 2:1.4 + crypt_log@CRYPTSETUP_2.0 2:1.4 + crypt_logf@CRYPTSETUP_2.4 2:2.4 + crypt_memory_lock@CRYPTSETUP_2.0 2:1.4 + crypt_metadata_locking@CRYPTSETUP_2.0 2:2.0 + crypt_persistent_flags_get@CRYPTSETUP_2.0 2:2.0 + crypt_persistent_flags_set@CRYPTSETUP_2.0 2:2.0 + crypt_reencrypt@CRYPTSETUP_2.0 2:2.2 + crypt_reencrypt_init_by_keyring@CRYPTSETUP_2.0 2:2.2 + crypt_reencrypt_init_by_passphrase@CRYPTSETUP_2.0 2:2.2 + crypt_reencrypt_run@CRYPTSETUP_2.4 2:2.4 + crypt_reencrypt_status@CRYPTSETUP_2.0 2:2.2 + crypt_repair@CRYPTSETUP_2.0 2:1.4.3 + crypt_resize@CRYPTSETUP_2.0 2:1.4 + crypt_resume_by_keyfile@CRYPTSETUP_2.0 2:1.4 + crypt_resume_by_keyfile_device_offset@CRYPTSETUP_2.0 2:2.0.1 + crypt_resume_by_keyfile_offset@CRYPTSETUP_2.0 2:1.4.3 + crypt_resume_by_passphrase@CRYPTSETUP_2.0 2:1.4 + crypt_resume_by_token_pin@CRYPTSETUP_2.5 2:2.5 + crypt_resume_by_volume_key@CRYPTSETUP_2.0 2:2.3 + crypt_safe_alloc@CRYPTSETUP_2.0 2:2.3 + crypt_safe_free@CRYPTSETUP_2.0 2:2.3 + crypt_safe_memzero@CRYPTSETUP_2.0 2:2.3 + crypt_safe_realloc@CRYPTSETUP_2.0 2:2.3 + crypt_set_compatibility@CRYPTSETUP_2.0 2:2.3 + crypt_set_confirm_callback@CRYPTSETUP_2.0 2:1.4 + crypt_set_data_device@CRYPTSETUP_2.0 2:1.4 + crypt_set_data_offset@CRYPTSETUP_2.0 2:2.1 + crypt_set_debug_level@CRYPTSETUP_2.0 2:1.4 + crypt_set_iteration_time@CRYPTSETUP_2.0 2:1.4.1 + crypt_set_label@CRYPTSETUP_2.0 2:2.0 + crypt_set_log_callback@CRYPTSETUP_2.0 2:1.4 + crypt_set_metadata_size@CRYPTSETUP_2.0 2:2.1 + crypt_set_pbkdf_type@CRYPTSETUP_2.0 2:2.0 + crypt_set_rng_type@CRYPTSETUP_2.0 2:1.4 + crypt_set_uuid@CRYPTSETUP_2.0 2:1.4 + crypt_status@CRYPTSETUP_2.0 2:1.4 + crypt_suspend@CRYPTSETUP_2.0 2:1.4 + crypt_token_assign_keyslot@CRYPTSETUP_2.0 2:2.0 + crypt_token_external_disable@CRYPTSETUP_2.4 2:2.4 + crypt_token_external_path@CRYPTSETUP_2.4 2:2.4 + crypt_token_is_assigned@CRYPTSETUP_2.0 2:2.0.2 + crypt_token_json_get@CRYPTSETUP_2.0 2:2.0 + crypt_token_json_set@CRYPTSETUP_2.0 2:2.0 + crypt_token_luks2_keyring_get@CRYPTSETUP_2.0 2:2.0 + crypt_token_luks2_keyring_set@CRYPTSETUP_2.0 2:2.0 + crypt_token_max@CRYPTSETUP_2.4 2:2.4 + crypt_token_register@CRYPTSETUP_2.0 2:2.0 + crypt_token_status@CRYPTSETUP_2.0 2:2.0 + crypt_token_unassign_keyslot@CRYPTSETUP_2.0 2:2.0 + crypt_volume_key_get@CRYPTSETUP_2.0 2:1.4 + crypt_volume_key_get_by_keyslot_context@CRYPTSETUP_2.6 2:2.6 + crypt_volume_key_keyring@CRYPTSETUP_2.0 2:2.0 + crypt_volume_key_verify@CRYPTSETUP_2.0 2:1.4 + crypt_wipe@CRYPTSETUP_2.0 2:2.0 diff --git a/debian/not-installed b/debian/not-installed new file mode 100644 index 0000000..22b45e1 --- /dev/null +++ b/debian/not-installed @@ -0,0 +1,2 @@ +lib/${DEB_HOST_MULTIARCH}/libcryptsetup.la +lib/${DEB_HOST_MULTIARCH}/cryptsetup/libcryptsetup-token-ssh.la diff --git a/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch b/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch new file mode 100644 index 0000000..2032283 --- /dev/null +++ b/debian/patches/Check-for-physical-memory-available-also-in-PBKDF-benchma.patch @@ -0,0 +1,74 @@ +From: Milan Broz <gmazyland@gmail.com> +Date: Mon, 3 Apr 2023 13:31:16 +0200 +Subject: Check for physical memory available also in PBKDF benchmark. + +Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/7893c33d71cde09e240234c484c6c468f22c2fe7 +Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1328592911 +Bug-Debian: https://bugs.debian.org/1028250 +--- + lib/internal.h | 1 + + lib/utils_benchmark.c | 9 +++++++++ + lib/utils_pbkdf.c | 4 ++-- + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/lib/internal.h b/lib/internal.h +index 98095fa..f261cae 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -89,6 +89,7 @@ int crypt_benchmark_pbkdf_internal(struct crypt_device *cd, + struct crypt_pbkdf_type *pbkdf, + size_t volume_key_size); + const char *crypt_get_cipher_spec(struct crypt_device *cd); ++uint32_t pbkdf_adjusted_phys_memory_kb(void); + + /* Device backend */ + struct device; +diff --git a/lib/utils_benchmark.c b/lib/utils_benchmark.c +index 728e4df..a0326ce 100644 +--- a/lib/utils_benchmark.c ++++ b/lib/utils_benchmark.c +@@ -101,6 +101,7 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, + { + int r, priority; + const char *kdf_opt; ++ uint32_t memory_kb; + + if (!pbkdf || (!password && password_size)) + return -EINVAL; +@@ -113,6 +114,14 @@ int crypt_benchmark_pbkdf(struct crypt_device *cd, + + log_dbg(cd, "Running %s(%s) benchmark.", pbkdf->type, kdf_opt); + ++ memory_kb = pbkdf_adjusted_phys_memory_kb(); ++ if (memory_kb < pbkdf->max_memory_kb) { ++ log_dbg(cd, "Not enough physical memory detected, " ++ "PBKDF max memory decreased from %dkB to %dkB.", ++ pbkdf->max_memory_kb, memory_kb); ++ pbkdf->max_memory_kb = memory_kb; ++ } ++ + crypt_process_priority(cd, &priority, true); + r = crypt_pbkdf_perf(pbkdf->type, pbkdf->hash, password, password_size, + salt, salt_size, volume_key_size, pbkdf->time_ms, +diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c +index d8f41c7..b2d4fa0 100644 +--- a/lib/utils_pbkdf.c ++++ b/lib/utils_pbkdf.c +@@ -61,7 +61,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ + return NULL; + } + +-static uint32_t adjusted_phys_memory(void) ++uint32_t pbkdf_adjusted_phys_memory_kb(void) + { + uint64_t free_kb, memory_kb = crypt_getphysmemory_kb(); + +@@ -258,7 +258,7 @@ int init_pbkdf_type(struct crypt_device *cd, + } + + if (cd_pbkdf->max_memory_kb) { +- memory_kb = adjusted_phys_memory(); ++ memory_kb = pbkdf_adjusted_phys_memory_kb(); + if (cd_pbkdf->max_memory_kb > memory_kb) { + log_dbg(cd, "Not enough physical memory detected, " + "PBKDF max memory decreased from %dkB to %dkB.", diff --git a/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch b/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch new file mode 100644 index 0000000..91bab91 --- /dev/null +++ b/debian/patches/Print-warning-when-keyslot-requires-more-memory-than-avai.patch @@ -0,0 +1,49 @@ +From: Milan Broz <gmazyland@gmail.com> +Date: Tue, 28 Feb 2023 14:18:10 +0100 +Subject: Print warning when keyslot requires more memory than available + +This warning is displayed only if maximum memory was adjusted: +no swap, not enough memory, but is not printed if user set keyslot +memory cost above default limit intentionally. + +In the latter case we have to check all available memory and guess +if swap is enough - this is not job af cryptsetup and also +it should not excessively parse any /sys files during keyslot open. + +Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/27f8e5c08f0e0054225c9a2b1eda5b4200d4565b +Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1287298872 +Bug-Debian: https://bugs.debian.org/1032734 +--- + lib/luks2/luks2_keyslot_luks2.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c +index 491dcad..3be1135 100644 +--- a/lib/luks2/luks2_keyslot_luks2.c ++++ b/lib/luks2/luks2_keyslot_luks2.c +@@ -307,7 +307,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, + char *volume_key, size_t volume_key_len) + { + struct volume_key *derived_key = NULL; +- struct crypt_pbkdf_type pbkdf; ++ struct crypt_pbkdf_type pbkdf, *cd_pbkdf; + char *AfKey = NULL; + size_t AFEKSize; + const char *af_hash = NULL; +@@ -360,6 +360,16 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, + goto out; + } + ++ /* ++ * Print warning when keyslot requires more memory than available ++ * (if maximum memory was adjusted - no swap, not enough memory), ++ * but be silent if user set keyslot memory cost above default limit intentionally. ++ */ ++ cd_pbkdf = crypt_get_pbkdf(cd); ++ if (cd_pbkdf->max_memory_kb && pbkdf.max_memory_kb > cd_pbkdf->max_memory_kb && ++ pbkdf.max_memory_kb <= DEFAULT_LUKS2_MEMORY_KB) ++ log_std(cd, _("Warning: keyslot operation could fail as it requires more than available memory.\n")); ++ + /* + * If requested, serialize unlocking for memory-hard KDF. Usually NOOP. + */ diff --git a/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch b/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch new file mode 100644 index 0000000..b8f81b9 --- /dev/null +++ b/debian/patches/Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch @@ -0,0 +1,163 @@ +From: Milan Broz <gmazyland@gmail.com> +Date: Mon, 20 Feb 2023 16:45:36 +0100 +Subject: Try to avoid OOM killer on low-memory systems without swap. + +Benchmark for memory-hard KDF is tricky, seems that relying +on maximum half of physical memory is not enough. + +Let's allow only free physical available space if there is no swap. +This should not cause changes on normal systems, at least. + +Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/899bad8c06957a94a198d1eaa293ed8db205f1de +Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802 +Bug-Debian: https://bugs.debian.org/1028250 +--- + lib/internal.h | 2 ++ + lib/utils.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ + lib/utils_pbkdf.c | 11 ++++++++++- + tests/api-test-2.c | 12 ++++++++---- + 4 files changed, 67 insertions(+), 5 deletions(-) + +diff --git a/lib/internal.h b/lib/internal.h +index b5cb4e3..98095fa 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -168,6 +168,8 @@ int crypt_uuid_cmp(const char *dm_uuid, const char *hdr_uuid); + size_t crypt_getpagesize(void); + unsigned crypt_cpusonline(void); + uint64_t crypt_getphysmemory_kb(void); ++uint64_t crypt_getphysmemoryfree_kb(void); ++bool crypt_swapavailable(void); + + int init_crypto(struct crypt_device *ctx); + +diff --git a/lib/utils.c b/lib/utils.c +index bfcf60d..e9d5b5b 100644 +--- a/lib/utils.c ++++ b/lib/utils.c +@@ -59,6 +59,53 @@ uint64_t crypt_getphysmemory_kb(void) + return phys_memory_kb; + } + ++uint64_t crypt_getphysmemoryfree_kb(void) ++{ ++ long pagesize, phys_pages; ++ uint64_t phys_memoryfree_kb; ++ ++ pagesize = sysconf(_SC_PAGESIZE); ++ phys_pages = sysconf(_SC_AVPHYS_PAGES); ++ ++ if (pagesize < 0 || phys_pages < 0) ++ return 0; ++ ++ phys_memoryfree_kb = pagesize / 1024; ++ phys_memoryfree_kb *= phys_pages; ++ ++ return phys_memoryfree_kb; ++} ++ ++bool crypt_swapavailable(void) ++{ ++ int fd; ++ ssize_t size; ++ char buf[4096], *p; ++ uint64_t total; ++ ++ if ((fd = open("/proc/meminfo", O_RDONLY)) < 0) ++ return true; ++ ++ size = read(fd, buf, sizeof(buf)); ++ close(fd); ++ if (size < 1) ++ return true; ++ ++ if (size < (ssize_t)sizeof(buf)) ++ buf[size] = 0; ++ else ++ buf[sizeof(buf) - 1] = 0; ++ ++ p = strstr(buf, "SwapTotal:"); ++ if (!p) ++ return true; ++ ++ if (sscanf(p, "SwapTotal: %" PRIu64 " kB", &total) != 1) ++ return true; ++ ++ return total > 0; ++} ++ + void crypt_process_priority(struct crypt_device *cd, int *priority, bool raise) + { + int _priority, new_priority; +diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c +index 4d7e18d..d8f41c7 100644 +--- a/lib/utils_pbkdf.c ++++ b/lib/utils_pbkdf.c +@@ -63,7 +63,7 @@ const struct crypt_pbkdf_type *crypt_get_pbkdf_type_params(const char *pbkdf_typ + + static uint32_t adjusted_phys_memory(void) + { +- uint64_t memory_kb = crypt_getphysmemory_kb(); ++ uint64_t free_kb, memory_kb = crypt_getphysmemory_kb(); + + /* Ignore bogus value */ + if (memory_kb < (128 * 1024) || memory_kb > UINT32_MAX) +@@ -75,6 +75,15 @@ static uint32_t adjusted_phys_memory(void) + */ + memory_kb /= 2; + ++ /* ++ * Never use more that available free space on system without swap. ++ */ ++ if (!crypt_swapavailable()) { ++ free_kb = crypt_getphysmemoryfree_kb(); ++ if (free_kb > (64 * 1024) && free_kb < memory_kb) ++ return free_kb; ++ } ++ + return memory_kb; + } + +diff --git a/tests/api-test-2.c b/tests/api-test-2.c +index 824ae65..923165c 100644 +--- a/tests/api-test-2.c ++++ b/tests/api-test-2.c +@@ -2802,7 +2802,8 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + // set and verify argon2 type + OK_(crypt_set_pbkdf_type(cd, &argon2)); +@@ -2827,7 +2828,8 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + // try to pass illegal values + argon2.parallel_threads = 0; +@@ -2858,14 +2860,16 @@ static void Pbkdf(void) + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, default_luks2_iter_time); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + crypt_set_iteration_time(cd, 1); + OK_(crypt_load(cd, CRYPT_LUKS, NULL)); + OK_(strcmp(pbkdf->type, default_luks2_pbkdf)); + OK_(strcmp(pbkdf->hash, default_luks1_hash)); + EQ_(pbkdf->time_ms, 1); +- EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory()); ++ GE_(pbkdf->max_memory_kb, 64 * 1024); ++ GE_(adjusted_pbkdf_memory(), pbkdf->max_memory_kb); + EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads)); + CRYPT_FREE(cd); + diff --git a/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch b/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch new file mode 100644 index 0000000..caf47ce --- /dev/null +++ b/debian/patches/Use-only-half-of-detected-free-memory-on-systems-without-.patch @@ -0,0 +1,43 @@ +From: Milan Broz <gmazyland@gmail.com> +Date: Mon, 17 Apr 2023 13:41:17 +0200 +Subject: Use only half of detected free memory on systems without swap. + +As tests shows, limiting used Argon2 memory to free memory on +systems without swap is still not enough. +Use just half of it, this should bring needed margin while +still use Argon2. + +Note, for very-low memory constrained systems user should +avoid memory-hard PBKDF (IOW manually select PBKDF2), we +do not do this automatically. + +Origin: https://gitlab.com/cryptsetup/cryptsetup/-/commit/6721d3a8b29b13fe88aeeaefe09d457e99d1c6fa +Bug: https://gitlab.com/cryptsetup/cryptsetup/-/issues/802#note_1328592911 +Bug-Debian: https://bugs.debian.org/1028250 +--- + lib/utils_pbkdf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/utils_pbkdf.c b/lib/utils_pbkdf.c +index b2d4fa0..7399bd2 100644 +--- a/lib/utils_pbkdf.c ++++ b/lib/utils_pbkdf.c +@@ -76,10 +76,17 @@ uint32_t pbkdf_adjusted_phys_memory_kb(void) + memory_kb /= 2; + + /* +- * Never use more that available free space on system without swap. ++ * Never use more that half of available free memory on system without swap. + */ + if (!crypt_swapavailable()) { + free_kb = crypt_getphysmemoryfree_kb(); ++ ++ /* ++ * Using exactly free memory causes OOM too, use only half of the value. ++ * Ignore small values (< 64MB), user should use PBKDF2 in such environment. ++ */ ++ free_kb /= 2; ++ + if (free_kb > (64 * 1024) && free_kb < memory_kb) + return free_kb; + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..f64f6f7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,4 @@ +Try-to-avoid-OOM-killer-on-low-memory-systems-without-swa.patch +Print-warning-when-keyslot-requires-more-memory-than-avai.patch +Check-for-physical-memory-available-also-in-PBKDF-benchma.patch +Use-only-half-of-detected-free-memory-on-systems-without-.patch diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..1b3a296 --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] cryptsetup.templates diff --git a/debian/po/cs.po b/debian/po/cs.po new file mode 100644 index 0000000..2797fd8 --- /dev/null +++ b/debian/po/cs.po @@ -0,0 +1,53 @@ +# Czech PO debconf template translation of cryptsetup. +# Copyright (C) 2010 Michal Simunek <michal.simunek@gmail.com> +# This file is distributed under the same license as the cryptsetup package. +# Michal Simunek <michal.simunek@gmail.com>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.3.0-4\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-23 17:31+0200\n" +"Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n" +"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Pokračovat v odstraňování cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Tento systém má odemčená zařízení dm-crypt: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Jsou-li tato zařízení spravována s cryptsetup, nebudete je moci po " +"odstranění balíčku uzamknout i přes to, že ke správě zařízení dm-crypt lze " +"použít i jiné nástroje. Jakékoli vypnutí či restart systému tato zařízení " +"uzamkne." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Chcete-li před odstraněním balíčku zařízení dm-crypt uzamknout, tuto možnost " +"nevybírejte." diff --git a/debian/po/da.po b/debian/po/da.po new file mode 100644 index 0000000..aacbd8b --- /dev/null +++ b/debian/po/da.po @@ -0,0 +1,53 @@ +# Danish translation cryptsetup. +# Copyright (C) 2011 cryptsetup & nedenstående oversættere. +# This file is distributed under the same license as the cryptsetup package. +# Joe Hansen <joedalton2@yahoo.dk>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-10-09 17:30+01:00\n" +"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n" +"Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n" +"Language: da\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Fortsæt med fjernelsen af cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Dette system har frigjort dm-crypt-enheder: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Hvis disse enheder håndteres med cryptsetup, vil du måske ikke kunne låse " +"enhederne efter pakkefjernelsen, dog kan andre værktøjer bruges til at " +"håndtere dm-crypt-enheder. Alle systemnedlukninger eller genstarter vil låse " +"enhederne." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Vælg ikke denne indstilling hvis du ønsker at låse dm-crypt-enhederne før " +"pakkefjernelse." diff --git a/debian/po/de.po b/debian/po/de.po new file mode 100644 index 0000000..c5fefef --- /dev/null +++ b/debian/po/de.po @@ -0,0 +1,55 @@ +# GERMAN TRANSLATION OF CRYPTSETUP. +# Copyright (C) 2011 Erik Pfannenstein +# This file is distributed under the same license as the cryptsetup package. +# Erik Pfannenstein <debianignatz@gmx.de>, 2011. +msgid "" +msgstr "" +"Project-Id-Version: 1.3.0-4\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-15 22:10+0200\n" +"Last-Translator: Erik Pfannenstein <debianignatz@gmx.de>\n" +"Language-Team: debian-l10n-german@lists.debian.org\n" +"Language: de\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Virtaal 0.7.0\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Mit der Entfernung von Cryptsetup fortfahren?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Dieses System verfügt über entsperrte dm-crypt-Geräte: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Wenn diese Geräte über Cryptsetup verwaltet werden, werden Sie nach der " +"Entfernung des Pakets möglicherweise nicht mehr in der Lage sein, sie zu " +"sperren, obwohl für die Handhabung von dm-crypt-verschlüsselten Geräten auch " +"andere Werkzeuge bereit stehen. Jedes Herunterfahren oder Neustarten wird " +"die Geräte sperren." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Wählen Sie diese Option nicht, wenn Sie die dm-crypt-verschlüsselten Geräte " +"vor der Entfernung des Pakets sperren wollen." diff --git a/debian/po/es.po b/debian/po/es.po new file mode 100644 index 0000000..847c3f0 --- /dev/null +++ b/debian/po/es.po @@ -0,0 +1,88 @@ +# cryptsetup po-debconf translation to Spanish +# Copyright (C) 2010 Software in the Public Interest +# This file is distributed under the same license as the cryptsetup package. +# +# Changes: +# - Initial translation +# Camaleón <noelamac@gmail.com>, 2011 +# +# - Updates +# +# +# Traductores, si no conocen el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traducción de Debian al español +# https://www.debian.org/intl/spanish/ +# especialmente las notas y normas de traducción en +# http://www.debian.org/intl/spanish/notas +# +# - La guía de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o https://www.debian.org/intl/l10n/po-debconf/README-trans +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.4.1-2\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2012-02-22 15:11+0100\n" +"Last-Translator: Camaleón <noelamac@gmail.com>\n" +"Language-Team: Debian Spanish <debian-l10n-spanish@lists.debian.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "¿Desea continuar con la eliminación de cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "" +"Este sistema tiene los siguientes dispositivos dm-crypt desbloqueados: " +"${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Si estos dispositivos se administran con cryptsetup es posible que no pueda " +"bloquearlos si elimina el paquete, aunque puede usar otras herramientas para " +"administrar los dispositivos dm-crypt. Apagar o reiniciar el sistema " +"bloqueará los dispositivos." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"No seleccione esta opción si quiere bloquear los dispositivos dm-crypt antes " +"de eliminar el paquete." + +#~ msgid "" +#~ "In case you want to lock the dm-crypt devices before package removal, say " +#~ "no here, and continue with removal after all dm-crypt devices have been " +#~ "locked." +#~ msgstr "" +#~ "Si quiere bloquear los dispositivos dm-crypt antes de eliminar el " +#~ "paquete, seleccione «no» en este apartado y continúe con la eliminación " +#~ "después de que se hayan bloqueado todos los dispositivos dm-crypt." diff --git a/debian/po/fr.po b/debian/po/fr.po new file mode 100644 index 0000000..618f380 --- /dev/null +++ b/debian/po/fr.po @@ -0,0 +1,62 @@ +# Translation to French of cryptsetup debconf templates. +# Copyright (C) 2011 Debian French l10n team <debian-l10n-french@lists.debian.org> +# This file is distributed under the same license as the cryptsetup package. +# Julien Patriarca <patriarcaj@gmail.com>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup VERSION\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-15 15:04+0100\n" +"Last-Translator: Julien Patriarca <patriarcaj@gmail.com>\n" +"Language-Team: FRENCH <debian-l10n-french@lists.debian.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Poursuivre la suppression de cryptsetup ?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Ce système a déverrouillé des périphériques dm-crypt : ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Si ces périphériques sont gérés avec cryptsetup, il pourrait devenir " +"impossible de les verrouiller après la suppression du paquet. Cependant, " +"d'autres outils existent pour gérer des périphériques dm-crypt. Dans tous " +"les cas, un arrêt ou redémarrage du système verrouillera les périphériques." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Ne sélectionnez pas cette option si vous souhaitez verrouiller les " +"périphériques dm-crypt avant la suppression du paquet." + +#~ msgid "" +#~ "In case you want to lock the dm-crypt devices before package removal, say " +#~ "no here, and continue with removal after all dm-crypt devices have been " +#~ "locked." +#~ msgstr "" +#~ "Refusez la suppression du paquet si vous souhaitez préalablement " +#~ "verrouiller les périphériques dm-crypt et poursuivez-la après que tous " +#~ "les périphériques dm-crypt ont été déverrouillés." diff --git a/debian/po/id.po b/debian/po/id.po new file mode 100644 index 0000000..8aa9d71 --- /dev/null +++ b/debian/po/id.po @@ -0,0 +1,57 @@ +# Translation of cryptsetup debconf templates to Indonesian +# Copyright (C) 2016 L10N Debian Indonesian <debian-l10n-indonesian@lists.debian.org> +# This file is distributed under the same license as the cryptsetup package. +# Translator: +# Izharul Haq <atoz.chevara@yahoo.com>, 2016. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup VERSION\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2016-08-22 20:21+0700\n" +"Last-Translator: Izharul Haq <atoz.chevara@yahoo.com>\n" +"Language-Team: L10N Debian Indonesian <debian-l10n-indonesian@lists.debian." +"org>\n" +"Language: id\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Poedit 1.6.10\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Lanjutkan dengan penghapusan cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Sistem ini telah membuka perangkat dm-crypt: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Jika perangkat ini dikelola dengan cryptsetup, anda mungkin tidak dapat " +"mengunci perangkat setelah penghapusan paket, meskipun perkakas lainnya " +"dapat digunakan untuk mengelola perangkat dm-crypt. Setiap sistem dimatikan " +"atau dijalankan ulang akan mengunci perangkat." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Jangan memilih opsi ini jika anda ingin mengunci perangkat dm-crypt sebelum " +"penghapusan paket." diff --git a/debian/po/it.po b/debian/po/it.po new file mode 100644 index 0000000..ecd9ca2 --- /dev/null +++ b/debian/po/it.po @@ -0,0 +1,53 @@ +# Italian translation of debconf template for cryptsetup package. +# Copyright (C) 2011 Jonas meurer +# This file is distributed under the same license as the cryptsetup package. +# Francesca Ciceri <madamezou@zouish.org>, 2012-2014 +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2014-03-02 21:33+0100\n" +"Last-Translator: Francesca Ciceri <madamezou@zouish.org>\n" +"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n" +"Language: Italian\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Continuare con la rimozione di cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "I seguenti device dm-crypt sono sbloccati: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Se questi device erano gestiti con cryptsetup, si potrebbe essere " +"impossibilitati a bloccarli nuovamente dopo la rimozione del pacchetto. " +"Tuttavia, esistono altri strumenti per gestire i device dm-crypt. Lo " +"spegnimento o il riavvio del sistema bloccheranno i device." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Non scegliere questa opzione se si desidera bloccare i device dm-crypt prima " +"della rimozione del pacchetto." diff --git a/debian/po/ja.po b/debian/po/ja.po new file mode 100644 index 0000000..74f7d05 --- /dev/null +++ b/debian/po/ja.po @@ -0,0 +1,54 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# victory <victory.deb@gmail.com>, 2012. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2012-06-17 00:27+09:00\n" +"Last-Translator: victory <victory.deb@gmail.com>\n" +"Language-Team: Japanese <debian-japanese@lists.debian.org>\n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "cryptsetup の削除を続行しますか?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "" +"このシステムにはロックされていない dm-crypt デバイスがあります: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"cryptsetup により管理されているデバイスがある場合、パッケージ削除後にデバイス" +"をロックできなくなる可能性がありますが、他のツールを使って dm-crypt デバイス" +"を管理することができます。システムのシャットダウンや再起動が発生するとデバイ" +"スはロックされます。" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"パッケージ削除の前に dm-crypt デバイスをロックしたい場合はこのオプションを選" +"択しないでください。" diff --git a/debian/po/nl.po b/debian/po/nl.po new file mode 100644 index 0000000..5c5bf81 --- /dev/null +++ b/debian/po/nl.po @@ -0,0 +1,54 @@ +# Dutch translation of cryptsetup debconf templates. +# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# Jeroen Schot <schot@a-eskwadraat.nl>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.3.0-4\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-28 11:15+0200\n" +"Last-Translator: Jeroen Schot <schot@a-eskwadraat.nl>\n" +"Language-Team: Debian l10n Dutch <debian-l10n-dutch@lists.debian.org>\n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Doorgaan met het verwijderen van cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "" +"De volgende dm-crypt-apparaten op het systeem zijn ontgrendeld: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Als deze apparaten worden beheerd met cryptsetup kunt u ze mogelijk niet " +"meer vergrendelen na het verwijderen van het pakket, hoewel dm-crypt-" +"apparaten ook met andere hulpprogramma's kunnen worden beheerd. Het " +"uitzetten of herstarten van het systeem zal deze apparaten vergrendelen." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Kies niet voor deze optie indien u de dm-crypt-apparaten wilt vergrendelen " +"voor het verwijderen van het pakket." diff --git a/debian/po/pt.po b/debian/po/pt.po new file mode 100644 index 0000000..33d2e8e --- /dev/null +++ b/debian/po/pt.po @@ -0,0 +1,53 @@ +# Portuguese translation for cryptsetup's package +# Copyright (C) 2011 cryptsetup's copyright holder +# This file is distributed under the same license as the cryptsetup package. +# Miguel Figueiredo <elmig@debianpt.org>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-16 18:48+0100\n" +"Last-Translator: Miguel Figueiredo <elmig@debianpt.org>\n" +"Language-Team: Portuguese <traduz@debianpt.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Continuar com a remoção do cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Este sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Se estes dispositivos forem geridos com o cryptsetup, poderá não ser capaz " +"de bloquear os dispositivos após a remoção do pacote, apesar de poderem ser " +"utilizadas outras ferramentas para gerir os dispositivos dm-crypt. Desligar " +"ou reiniciar o sistema irá bloquear os dispositivos." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Não escolha esta opção se deseja bloquear os dispositivos dm-crypt antes da " +"remoção do pacote." diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po new file mode 100644 index 0000000..c9ba28a --- /dev/null +++ b/debian/po/pt_BR.po @@ -0,0 +1,55 @@ +# Debconf translations for cryptsetup. +# Copyright (C) 2011 THE cryptsetup'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# Adriano Rafael Gomes <adrianorg@gmail.com>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-10-09 17:56-0300\n" +"Last-Translator: Adriano Rafael Gomes <adrianorg@gmail.com>\n" +"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." +"org>\n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Continuar com a remoção do cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Esse sistema tem dispositivos dm-crypt desbloqueados: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Se esses dispositivos são gerenciados com o cryptsetup, você pode não " +"conseguir bloquear os dispositivos depois da remoção do pacote, embora " +"outras ferramentas possam ser usadas para gerenciar dispositivos dm-crypt. " +"Qualquer desligamento ou reinicialização do sistema bloqueará os " +"dispositivos." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Não escolha essa opção se você quiser bloquear os dispositivos dm-crypt " +"antes da remoção do pacote." diff --git a/debian/po/ro.po b/debian/po/ro.po new file mode 100644 index 0000000..59f4616 --- /dev/null +++ b/debian/po/ro.po @@ -0,0 +1,62 @@ +# Mesajele în limba română pentru pachetul cryptsetup. +# Romanian translation of cryptsetup. +# Copyright © 2023 THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# +# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023. +# +# Cronologia traducerii fișierului „cryptsetup”: +# Traducerea inițială, făcută de R-GC, pentru versiunea cryptsetup 2:2.6.1-1. +# Actualizare a traducerii pentru versiunea Y, făcută de X, Y(anul). +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:2.6.1-1\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2023-02-13 10:03+0100\n" +"Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n" +"Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n" +"Language: ro\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n==0 || (n!=1 && n%100>=1 && " +"n%100<=19) ? 1 : 2);\n" +"X-Bugs: Report translation errors to the Language-Team address.\n" +"X-Generator: Poedit 3.2.2\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Continuați cu eliminarea programului «cryptsetup»?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Acest sistem are dispozitive dm-crypt deblocate: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock the " +"devices after the package removal, though other tools can be used for managing " +"dm-crypt devices. Any system shutdown or reboot will lock the devices." +msgstr "" +"Dacă aceste dispozitive sunt gestionate cu «cryptsetup», este posibil să nu " +"puteți bloca dispozitivele după eliminarea pachetului, deși alte instrumente " +"pot fi utilizate pentru gestionarea dispozitivelor dm-crypt. Orice oprire sau " +"repornire a sistemului va bloca dispozitivele." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Nu alegeți această opțiune dacă doriți să blocați dispozitivele dm-crypt " +"înainte de a elimina pachetul." diff --git a/debian/po/ru.po b/debian/po/ru.po new file mode 100644 index 0000000..a24c4a6 --- /dev/null +++ b/debian/po/ru.po @@ -0,0 +1,64 @@ +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# +# Yuri Kozlov <yuray@komyakino.ru>, 2011, 2012. +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.4.1-2\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2012-02-26 11:02+0400\n" +"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n" +"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Lokalize 1.0\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Продолжить удаление cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "В системе имеются незаблокированные устройства dm-crypt: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Если эти устройства управляются с помощью cryptsetup, то вы не сможете " +"заблокировать эти устройства после удаления пакета, хотя для управления " +"устройствами dm-crypt можно использовать другие инструменты. При следующем " +"выключении или перезагрузке машины устройства будут заблокированы." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Ответьте отрицательно, если хотите заблокировать устройства dm-crypt до " +"удаления пакета." + +#~ msgid "" +#~ "In case you want to lock the dm-crypt devices before package removal, say " +#~ "no here, and continue with removal after all dm-crypt devices have been " +#~ "locked." +#~ msgstr "" +#~ "Если вы хотите заблокировать устройства dm-crypt до удаления пакета, то " +#~ "ответьте отрицательно и повторите удаление после того, как все устройства " +#~ "dm-crypt будут заблокированы." diff --git a/debian/po/sv.po b/debian/po/sv.po new file mode 100644 index 0000000..1b73dbd --- /dev/null +++ b/debian/po/sv.po @@ -0,0 +1,63 @@ +# Translation of cryptsetup debconf template to Swedish +# Copyright (C) 2011 Martin Bagge <brother@bsnet.se> +# This file is distributed under the same license as the cryptsetup package. +# +# Martin Bagge <brother@bsnet.se>, 2011 +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup VERSION\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-22 21:28+0100\n" +"Last-Translator: Martin Bagge / brother <brother@bsnet.se>\n" +"Language-Team: Swedish <debian-l10n-swedish@lists.debian.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Swedish\n" +"X-Poedit-Country: Sweden\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Ska cryptsetup tas bort?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Detta system har olåsta dm-crypt-enheter: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Om dessa enheter hanteras av cryptsetup kan det innebära att dessa enheter " +"inte kan låsas upp efter paketet tagits bort. Det finns dock andra verktyg " +"för att hantera dm-crypt-enheter. Hur som helst så kommer enheterna att " +"låsas när systemet stängs av eller startas om." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Välj inte detta alternativ om du vill låsa dm-crypt-enheter innan paketet " +"tas bort." + +#~ msgid "" +#~ "In case you want to lock the dm-crypt devices before package removal, say " +#~ "no here, and continue with removal after all dm-crypt devices have been " +#~ "locked." +#~ msgstr "" +#~ "Vill du låsa dm-crypt-enheterna innan paketet tas bort svara nej här och " +#~ "fortsätt när alla dm-crypt-enheter har låsts." diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..77fa52f --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,48 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" diff --git a/debian/po/vi.po b/debian/po/vi.po new file mode 100644 index 0000000..abf3557 --- /dev/null +++ b/debian/po/vi.po @@ -0,0 +1,56 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.3.0-4\n" +"Report-Msgid-Bugs-To: cryptsetup@packages.debian.org\n" +"POT-Creation-Date: 2018-06-18 01:42+0200\n" +"PO-Revision-Date: 2011-09-15 19:27+0700\n" +"Last-Translator: Hung Tran <nguyentieuhau@gmail.com>\n" +"Language-Team: debian-l10n-vietnamese <debian-l10n-vietnamese@lists.debian." +"org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Vietnamese\n" +"X-Poedit-Country: Vietnam\n" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "Continue with cryptsetup removal?" +msgstr "Tiếp tục việc gỡ bỏ cryptsetup?" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "This system has unlocked dm-crypt devices: ${cryptmap}" +msgstr "Hệ thống này đã mở khóa những thiết bị dm-crypt: ${cryptmap}" + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"If these devices are managed with cryptsetup, you might be unable to lock " +"the devices after the package removal, though other tools can be used for " +"managing dm-crypt devices. Any system shutdown or reboot will lock the " +"devices." +msgstr "" +"Nếu các thiết bị này được quản lý với cryptsetup, có thể bạn sẽ không thể " +"khóa các thiết bị sau khi gỡ bỏ gói ứng dụng, mặc dù các công cụ khác có thể " +"được sử dụng để quản lý các thiết bị dm-crypt. Tắt hay khởi động lại hệ " +"thống sẽ khóa các thiết bị." + +#. Type: boolean +#. Description +#: ../cryptsetup.templates:1001 +msgid "" +"Do not choose this option if you want to lock the dm-crypt devices before " +"package removal." +msgstr "" +"Đừng chọn tùy chọn này nếu bạn muốn khóa các thiết bị dm-crypt trước khi gỡ " +"bỏ gói ứng dụng." diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..757085c --- /dev/null +++ b/debian/rules @@ -0,0 +1,100 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on debhelper verbose mode. +#export DH_VERBOSE=1 + +# Set some custom build flags +export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie +DEB_CFLAGS_MAINT_APPEND = -Wall +include /usr/share/dpkg/architecture.mk +-include /usr/share/dpkg/buildtools.mk + +CONFFLAGS = + +# Used e.g. for manpages (to build them in a reprodicible way) +include /usr/share/dpkg/pkg-info.mk +DEB_DATE := $(strip $(shell LC_ALL=C date -u +%F -d@$(SOURCE_DATE_EPOCH))) + +%: + dh $@ + +ifneq (,$(filter nodoc, $(DEB_BUILD_OPTIONS))) +CONFFLAGS += --disable-asciidoc +endif + +override_dh_auto_configure: + dh_auto_configure -- $(CONFFLAGS) \ + --libdir=/lib/$(DEB_HOST_MULTIARCH) \ + --sbindir=/sbin \ + --with-tmpfilesdir=/usr/lib/tmpfiles.d \ + --enable-libargon2 \ + --enable-shared \ + --enable-cryptsetup-reencrypt + +execute_after_dh_auto_build: + # build askpass and passdev keyscripts + $(CC) -o debian/askpass debian/askpass.c -Wall -Werror $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic + $(CC) -o debian/scripts/passdev debian/scripts/passdev.c -Wall -Werror $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -pedantic + + # build suspend binary + $(CC) -o debian/scripts/suspend/cryptsetup-suspend debian/scripts/suspend/cryptsetup-suspend.c \ + -Wall -Werror $(CFLAGS) $(CPPFLAGS) -I$(CURDIR)/lib $(LDFLAGS) -L$(CURDIR)/.libs -lcryptsetup -pedantic + +ifeq (,$(filter nodoc, $(DEB_BUILD_OPTIONS))) + # generate manpages + sed 's/VERSION/$(DEB_VERSION)/;s/DATE/$(DEB_DATE)/' \ + debian/doc/variables.xml.in >debian/doc/variables.xml + xsltproc --nonet --xinclude -o debian/doc/ \ + /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl \ + debian/doc/manpages.xml + pod2man --section=8 --center="Administrative commands" \ + --release="$(DEB_VERSION)" debian/scripts/luksformat \ + debian/doc/luksformat.8 +endif + + # generate gettext po files (for luksformat) + $(MAKE) -C debian/scripts/po all luksformat.pot + +execute_before_dh_auto_test: + # tests/fake_token_path.so is built without global $(CFLAGS) + @echo "blhc: ignore-line-regexp: gcc\\s.*\\s\\.\\./tests/[0-9A-Za-z_-]+\\.c\\s.*" + +execute_after_dh_auto_install: + # install gettext po files (for luksformat) + $(MAKE) -C debian/scripts/po DESTDIR=$(CURDIR)/debian/cryptsetup-bin install + +execute_after_dh_install: + # install apport files when building on Ubuntu +ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes),yes) + mkdir -p $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks + install -m 0644 debian/cryptsetup.apport \ + $(CURDIR)/debian/cryptsetup/usr/share/apport/package-hooks/cryptsetup.py +endif + +override_dh_installinit: + dh_installinit -pcryptsetup --no-start --name=cryptdisks + dh_installinit -pcryptsetup --no-start --name=cryptdisks-early + +execute_after_dh_auto_clean: + $(MAKE) -C debian/scripts/po update clean + if [ -f $(CURDIR)/debian/cryptsetup-initramfs.preinst.in ]; then \ + mv -fT $(CURDIR)/debian/cryptsetup-initramfs.preinst.in $(CURDIR)/debian/cryptsetup-initramfs.preinst; \ + fi + +override_dh_bugfiles: + dh_bugfiles -A + +execute_after_dh_fixperms-arch: + chmod 0755 debian/cryptsetup/lib/cryptsetup/checks/* + chmod 0755 debian/cryptsetup/lib/cryptsetup/scripts/decrypt_* + chmod 0755 debian/cryptsetup-suspend/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper + chmod 0755 debian/cryptsetup-suspend/lib/systemd/system-shutdown/cryptsetup-suspend.shutdown +ifeq (,$(filter noudeb, $(DEB_BUILD_PROFILES))) + chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/checks/* + chmod 0755 debian/cryptsetup-udeb/lib/cryptsetup/scripts/decrypt_* +endif + +execute_after_dh_fixperms-indep: + chmod 0755 debian/cryptsetup-initramfs/usr/share/cryptsetup/initramfs/bin/* + chmod 0755 debian/cryptsetup-initramfs/usr/share/initramfs-tools/hooks/* + chmod 0755 debian/cryptsetup-initramfs/usr/share/initramfs-tools/scripts/*/* diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 0000000..bb189bb --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,64 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'bookworm' + # Skip all DEP-8 tests except 'cryptroot-lvm': each 'cryptroot-*' test + # takes 20-30min on Salsa CI runners as they don't support KVM acceleration + # cf. https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/266 , + # and other tests are skipped anyway since they require machine-level + # isolation which the runners currently don't provide. + # Running 'cryptroot-lvm' and 'cryptroot-legacy' only is significantly + # better than disabling the autopkgtest job altogether. + SALSA_CI_AUTOPKGTEST_ARGS: '--test-name=cryptroot-lvm --test-name=cryptroot-legacy' + +# Run reprotest job under 'nocheck' build profile. The job runs with +# root privileges, which trigger extra tests within the upstream test +# suite. Some of these extra tests want to interact with the kernel, +# load modules, and create/remove loop devices, which is beyond the +# scope of the reprotest job. +reprotest: + extends: .test-reprotest + variables: + DEB_BUILD_OPTIONS: nocheck + +# Add a deploy stage for pages +stages: + - provisioning + - build + - publish + - test + # would be better if we could extend the list rather than override it + - deploy + +pages: + image: debian:11 + script: + - apt-get update + - apt-get -y install pandoc + - mkdir public + # install CSS file + - install -m0644 debian/doc/pandoc/pandoc.css public/pandoc.css + # install index.html + - ${PANDOC} -T "Debian Cryptsetup docs" -o public/index.html + debian/doc/pandoc/index.md + # install README.*.html files + - for readme in Debian debug gnupg gnupg-sc initramfs keyctl opensc; do + ${PANDOC} --toc -T "Debian Cryptsetup docs" + -o public/README.$readme.html debian/README.$readme; done + - ${PANDOC} -pNo public/encrypted-boot.html + debian/doc/pandoc/encrypted-boot.md + stage: deploy + artifacts: + paths: + - public + only: + # only run on debian/latest branch + refs: + - debian/latest + # only run when commit is tagged (to install docs on package releases only) + #variables: + # - $CI_COMMIT_TAG + variables: + PANDOC: 'pandoc -s -c pandoc.css -f markdown+smart -t html' diff --git a/debian/scripts/cryptdisks_start b/debian/scripts/cryptdisks_start new file mode 100644 index 0000000..623423f --- /dev/null +++ b/debian/scripts/cryptdisks_start @@ -0,0 +1,63 @@ +#!/bin/sh + +# cryptdisks_start - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code and (c) 2007 Jon Dowland <jon@alcopop.org> +# License: GNU General Public License, v2 or any later +# (https://www.gnu.org/copyleft/gpl.html) + +set -e + +. /lib/cryptsetup/cryptdisks-functions + +INITSTATE="manual" +DEFAULT_LOUD="yes" +FORCE_START="yes" + +usage() { + local rv="${1:-1}" + echo "Usage: $0 [-r|--readonly] <name> [.. <name>]" >&2 + echo >&2 + echo "reads $TABFILE and starts the mapping corresponding to <name>" >&2 + exit $rv +} + +CRYPTTAB_EXTRA_OPTIONS= +while [ $# -gt 0 ]; do + case "$1" in + -r|--readonly) CRYPTTAB_EXTRA_OPTIONS="${CRYPTTAB_EXTRA_OPTIONS:+$CRYPTTAB_EXTRA_OPTIONS,}readonly";; + -h|--help|-\?) usage 0;; + --) shift; break;; + -*) echo "Error: unknown option '$1'" >&2; usage 1;; + *) break;; + esac + shift +done +[ $# -gt 0 ] || usage 1 + +if [ $(id -u) -ne 0 ]; then + log_warning_msg "$0 needs root privileges" + exit 1 +fi + +log_action_begin_msg "Starting crypto disk" +mount_fs + +rv=0 +for name in "$@"; do + if ! crypttab_find_entry --quiet "$name"; then + device_msg "$name" "failed, not found in crypttab" + rv=1 + else + if [ -n "$CRYPTTAB_EXTRA_OPTIONS" ]; then + CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS" + _CRYPTTAB_OPTIONS="$_CRYPTTAB_OPTIONS,$CRYPTTAB_EXTRA_OPTIONS" + fi + setup_mapping || rv=$? + fi +done +umount_fs + +log_action_end_msg $rv +exit $rv diff --git a/debian/scripts/cryptdisks_stop b/debian/scripts/cryptdisks_stop new file mode 100644 index 0000000..ea0faaf --- /dev/null +++ b/debian/scripts/cryptdisks_stop @@ -0,0 +1,38 @@ +#!/bin/sh + +# cryptdisks_stop - wrapper around cryptsetup which parses +# /etc/crypttab, just like mount parses /etc/fstab. + +# Initial code stolen from cryptdisks_start by Jon Dowland <jon@alcopop.org> +# Copyright (C) 2008 by Jonas Meurer <jonas@freesources.org> +# License: GNU General Public License, v2 or any later +# (https://www.gnu.org/copyleft/gpl.html) + +set -e + +if [ $# -lt 1 ]; then + echo "usage: $0 <name>" >&2 + echo >&2 + echo "reads /etc/crypttab and stops the mapping corresponding to <name>" >&2 + exit 1 +fi + +. /lib/cryptsetup/cryptdisks-functions + +INITSTATE="manual" +DEFAULT_LOUD="yes" + +if [ $(id -u) -ne 0 ]; then + log_warning_msg "$0 needs root privileges" + exit 1 +fi + +log_action_begin_msg "Stopping crypto disk" + +rv=0 +for name in "$@"; do + remove_mapping "$name" || rv=$? +done + +log_action_end_msg $rv +exit $rv diff --git a/debian/scripts/decrypt_derived b/debian/scripts/decrypt_derived new file mode 100644 index 0000000..0e1e418 --- /dev/null +++ b/debian/scripts/decrypt_derived @@ -0,0 +1,32 @@ +#!/bin/sh + +# WARNING: If you use the decrypt_derived keyscript for devices with +# persistent data (i.e. not swap or temp devices), then you will lose +# access to that data permanently if something damages the LUKS header +# of the LUKS device you derive from. The same applies if you luksFormat +# the device, even if you use the same passphrase(s). A LUKS header +# backup, or better a backup of the data on the derived device may be +# a good idea. See the Cryptsetup FAQ on how to do this right. + +if [ -z "$1" ]; then + echo "$0: must be executed with a crypto device as argument" >&2 + exit 1 +fi + +unset -v keys count +keys="$(dmsetup table --target crypt --showkeys -- "$1" 2>/dev/null | cut -s -d' ' -f5)" +count="$(printf '%s' "$keys" | wc -l)" + +if [ -n "$keys" ] && [ $count -le 1 ]; then + if [ "${keys#:}" = "$keys" ]; then + printf '%s' "$keys" + exit 0 + else + echo "$0: device $1 uses the kernel keyring" >&2 + fi +elif [ $count -eq 0 ]; then + echo "$0: device $1 doesn't exist or isn't a crypto device" >&2 +else + echo "$0: more than one device match" >&2 +fi +exit 1 diff --git a/debian/scripts/decrypt_gnupg b/debian/scripts/decrypt_gnupg new file mode 100644 index 0000000..18ab575 --- /dev/null +++ b/debian/scripts/decrypt_gnupg @@ -0,0 +1,26 @@ +#!/bin/sh + +decrypt_gpg () { + echo "Performing GPG symmetric decryption ..." >&2 + if ! /lib/cryptsetup/askpass "Enter passphrase for key $1: " | \ + /usr/bin/gpg -q --batch --no-options \ + --no-random-seed-file --no-default-keyring \ + --keyring /dev/null --secret-keyring /dev/null \ + --trustdb-name /dev/null --passphrase-fd 0 --decrypt -- "$1"; then + return 1 + fi + return 0 +} + +if [ ! -x /usr/bin/gpg ]; then + echo "$0: /usr/bin/gpg is not available" >&2 + exit 1 +fi + +if [ -z "$1" ]; then + echo "$0: missing key as argument" >&2 + exit 1 +fi + +decrypt_gpg "$1" +exit $? diff --git a/debian/scripts/decrypt_gnupg-sc b/debian/scripts/decrypt_gnupg-sc new file mode 100644 index 0000000..84eb62c --- /dev/null +++ b/debian/scripts/decrypt_gnupg-sc @@ -0,0 +1,44 @@ +#!/bin/sh + +if [ -d "/cryptroot/gnupghome" ]; then + export GNUPGHOME="/cryptroot/gnupghome" +fi + +run_gpg() { + gpg --no-options --trust-model=always "$@" +} +decrypt_gpg () { + local console _ + if ! GPG_TTY="$(tty)"; then + read console _ </proc/consoles + GPG_TTY="/dev/$console" + fi + export GPG_TTY + + if ! run_gpg --decrypt -- "$1"; then + return 1 + fi + return 0 +} + +# `gpg-connect-agent LEARN /bye` is another (lighter) way, but it's +# harder to retrieve the return code +if ! run_gpg --batch --quiet --no-tty --card-status >/dev/null; then + echo "Please insert OpenPGP SmartCard..." >&2 + until run_gpg --batch --quiet --no-tty --card-status; do + sleep 1 + done >/dev/null 2>&1 +fi + +if [ ! -x /usr/bin/gpg ]; then + echo "$0: /usr/bin/gpg is not available" >&2 + exit 1 +fi + +if [ -z "$1" ] || [ ! -f "$1" ]; then + echo "$0: missing key as argument" >&2 + exit 1 +fi + +decrypt_gpg "$1" +exit $? diff --git a/debian/scripts/decrypt_keyctl b/debian/scripts/decrypt_keyctl new file mode 100644 index 0000000..6032db0 --- /dev/null +++ b/debian/scripts/decrypt_keyctl @@ -0,0 +1,55 @@ +#!/bin/sh +# decrypt_keyctl - to use in /etc/crypttab as keyscript +# Allows to cache passwords for cryptdevices for 60s +# The same password is used for for cryptdevices with the same identifier. +# The keyfile parameter, which is the third field from /etc/crypttab, is +# used as identifier in this keyscript. +# +# sample crypttab entries: +# test1 /dev/sda1 test_pw luks,keyscript=decrypt_keyctl +# test2 /dev/sda2 test_pw luks,keyscript=decrypt_keyctl +# test3 /dev/sda3 test_other_pw luks,keyscript=decrypt_keyctl +# +# test1 and test2 have the same identifier thus test2 does not need a password +# typed in manually + +die() +{ + echo "$@" >&2 + exit 1 +} + +if [ -z "${CRYPTTAB_KEY:-}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then + # store the passphrase in the key name used by systemd-ask-password + ID_="cryptsetup" +else + # the keyfile given from crypttab is used as identifier in the keyring + # including the prefix "cryptsetup:" + ID_="cryptsetup:$CRYPTTAB_KEY" +fi +TIMEOUT_='60' +ASKPASS_='/lib/cryptsetup/askpass' +PROMPT_="Caching passphrase for ${CRYPTTAB_NAME}: " + + +if ! KID_="$(keyctl search @u user "$ID_" 2>/dev/null)" || \ + [ -z "$KID_" ] || [ "$CRYPTTAB_TRIED" -gt 0 ]; then + # key not found or wrong, ask the user + KEY_="$($ASKPASS_ "$PROMPT_")" || die "Error executing $ASKPASS_" + if [ -n "$KID_" ]; then + # I have cached wrong password and now i may use either `keyctl update` + # to update $KID_ or just unlink old key, and add new. With `update` i + # may hit "Key has expired", though. So i'll go "unlink and add" way. + keyctl unlink "$KID_" @u + KID_="" + fi + KID_="$(printf "%s" "$KEY_" | keyctl padd user "$ID_" @u)" + [ -n "$KID_" ] || die "Error adding passphrase to kernel keyring" + if ! keyctl timeout "$KID_" "$TIMEOUT_"; then + keyctl unlink "$KID_" @u + die "Error setting timeout on key ($KID_), removing" + fi +else + echo "Using cached passphrase for ${CRYPTTAB_NAME}." >&2 +fi +keyctl pipe "$KID_" diff --git a/debian/scripts/decrypt_opensc b/debian/scripts/decrypt_opensc new file mode 100644 index 0000000..b06fc98 --- /dev/null +++ b/debian/scripts/decrypt_opensc @@ -0,0 +1,46 @@ +#!/bin/sh + +# Why not use "openct-tool rwait" instead of polling opensc-tool exit status? +# Well openct daemon has to be running which interferes with pcscd since both +# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't +# work with the CCID driver in openct, however it does work with pcscd. + +# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status? +# Although opensc-tool --help reports that there is a --wait option, it doesn't +# seem to be implemented. + +check_card() { + cardfound=0 + + if /usr/bin/opensc-tool -n >/dev/null 2>&1; then + cardfound=1 + fi +} + +wait_card() { + check_card + if [ $cardfound = 0 ] ; then + echo "Waiting for Smart Card..." >&2 + tries=0 + while [ $cardfound = 0 ] && [ $tries -lt 60 ] ; do + sleep 1 + check_card + tries=$(($tries + 1)) + done + if [ $cardfound = 0 ] ; then + echo 'Failed to find Smart Card card!' >&2 + exit 1 + fi + fi +} + +wait_card +if [ -x /bin/plymouth ] && plymouth --ping; then + # Get pin number from plymouth + /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \ + --pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")" +else + # Get pin number from console + /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console +fi +exit $? diff --git a/debian/scripts/decrypt_ssl b/debian/scripts/decrypt_ssl new file mode 100644 index 0000000..6664001 --- /dev/null +++ b/debian/scripts/decrypt_ssl @@ -0,0 +1,17 @@ +#!/bin/sh +# +# Script to decrypt the key which is encrypted with openssl. +# See /usr/share/doc/cryptsetup/examples/gen-ssl-key to create such a key. +# + +decrypt_ssl () { + echo "" >&2 + echo "Decrypting ssl key $1..." >&2 + if ! /usr/bin/openssl enc -aes-256-cbc -d -salt -in "$1" 2>/dev/null; then + return 1 + fi + return 0 +} + +decrypt_ssl "$1" +exit $? diff --git a/debian/scripts/gen-ssl-key b/debian/scripts/gen-ssl-key new file mode 100644 index 0000000..70a6fb3 --- /dev/null +++ b/debian/scripts/gen-ssl-key @@ -0,0 +1,22 @@ +#!/bin/sh +# +# script to generate a keyfile that is encrypted with openssl +# +# Written 2005 by Markus Nass <generalstone@gmx.net> +# Improved 2006 by Jonas Meurer <jonas@freesources.org> +# Further improved 2006 by Markus Nass <generalstone@gmx.net> + +usage() { + echo "Usage: $0 <key>" + exit 1 +} + +if [ -z "${1-}" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + usage +fi + +if [ -x /usr/bin/openssl ]; then + dd if=/dev/random bs=1c count=256 | openssl enc -aes-256-cbc -e -salt >"$1" +else + echo "/usr/bin/openssl is not available" && exit 1 +fi diff --git a/debian/scripts/luksformat b/debian/scripts/luksformat new file mode 100644 index 0000000..ae17f79 --- /dev/null +++ b/debian/scripts/luksformat @@ -0,0 +1,133 @@ +#!/usr/bin/perl -w + +# luksformat - wrapper around LUKS-capable cryptsetup and mkfs for easy +# creation of an encrypted device. +# +# (C) 2005 Canonical Ltd. +# Author: Martin Pitt <martin.pitt@ubuntu.com> +# License: GNU General Public License, v2 or any later +# (https://www.gnu.org/copyleft/gpl.html) + +use Getopt::Long qw(:config pass_through); + +BEGIN { + eval 'use Locale::gettext'; + if ($@) { + *gettext = sub { shift }; + *textdomain = sub { "" }; + *LC_MESSAGES = sub { 5 }; + } + eval { + require POSIX; + import POSIX qw(setlocale); + }; + if ($@) { + *setlocale = sub { return 1 }; + } +} + +setlocale(LC_MESSAGES, ""); +textdomain("luksformat"); + +if ($> != 0) { + print STDERR gettext("This program needs to be started as root\n"); + exit 1; +} + +sub usage() { + print gettext("luksformat - Create and format an encrypted LUKS device +Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n\n"); + exit 1; +} + +# default file system +$fs = 'vfat'; +exit 1 unless GetOptions ('t|type=s' => \$fs); + +GetOptions ('help', \$help); +if (($#ARGV < 0) || ($help)) { + usage(); +} + +$device = shift(@ARGV); + +open(MOUNTS, "/proc/mounts"); +while (<MOUNTS>) { + die sprintf(gettext("Error: device mounted: %s\n"), $device) if (/\Q$device\E/) +} + +if (-x "/usr/sbin/mkfs.$fs") { + $mkfs = "/usr/sbin/mkfs.$fs"; +} +elsif (-x "/usr/bin/mkfs.$fs") { + $mkfs = "/usr/bin/mkfs.$fs"; +} +elsif (-x "/sbin/mkfs.$fs") { + $mkfs = "/sbin/mkfs.$fs"; +} +elsif (-x "/bin/mkfs.$fs") { + $mkfs = "/bin/mkfs.$fs"; +} +else { + printf STDERR (gettext("Error: invalid file system: %s\n"), $fs); + exit 1; +} + +# generate temporary mapped device name which is not yet used +$name = ""; +for ($i = 1; $i < 100; $i++) { + if (! -e "/dev/mapper/luksformat$i") { + $name = "luksformat$i"; + last; + } +} + +$name or die sprintf(gettext("Error: could not generate temporary mapped device name")); + +# we do not need to be overly concerned with race conditions here, cryptsetup +# will just fail if the name already exists now. +printf (gettext("Creating encrypted device on %s...\n"), $device); +if ((system 'cryptsetup', 'luksFormat', $device)) { + die sprintf(gettext("Could not create LUKS device %s"), $device); +} + +print gettext("Please enter your passphrase again to verify it\n"); +if ((system 'cryptsetup', 'open', '--type', 'luks', $device, $name) != 0) { + print STDERR gettext("The passphrases you entered were not identical\n"); + exit 1; +} + +$result = system $mkfs, "/dev/mapper/$name", @ARGV; +print "\n"; +system 'udevadm', 'settle', '--timeout=30'; +system 'cryptsetup', 'luksClose', $name; + +die sprintf(gettext("Could not format device with file system %s"), $fs) if $result; + +__END__ + +=head1 NAME + +luksformat - Create and format an encrypted LUKS device + +=head1 SYNOPSIS + +B<luksformat> [B<-t> I<fstype>] I<device> [ mkfs options ] + +=head1 DESCRIPTION + +B<luksformat> is a wrapper around B<cryptsetup> and B<mkfs> which provides an +easy interface for creating an encrypted device that follows the LUKS standard +and for putting a file system onto the encrypted device. + +The default file system is B<vfat> since that is most commonly used on +removable devices. However, you can specify any available file system with the +B<-t> option. + +=head1 SEE ALSO + +L<cryptsetup(8)>, L<mkfs(8)> + +=head1 AUTHOR + +This program was written by Martin Pitt <martin.pitt@ubuntu.com>. diff --git a/debian/scripts/passdev.c b/debian/scripts/passdev.c new file mode 100644 index 0000000..845ccae --- /dev/null +++ b/debian/scripts/passdev.c @@ -0,0 +1,286 @@ +/* + * passdev.c - waits for a given device to appear, mounts it and reads a + * key from it which is piped to stdout. + * + * Copyright (C) 2008 David Härdeman <david@hardeman.nu> + * + * This package is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This package is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this package; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + + +#define _DEFAULT_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <stdarg.h> +#include <stdbool.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <string.h> +#include <fcntl.h> +#include <sys/mount.h> + +static bool do_debug = false; + +static void +debug(const char *fmt, ...) +{ + va_list ap; + + if (!do_debug) + return; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); +} + +static bool +do_mount(const char *device, const char *dir) +{ + pid_t pid; + int status; + char *fstypes[] = { "ext4", "ext3", "ext2", "vfat", "btrfs", "reiserfs", "xfs", "jfs", "ntfs", "iso9660", "udf" }; + int fsindex; + + if (!device || !dir) + return false; + + for (fsindex = 0; + fsindex < (sizeof(fstypes) / sizeof(fstypes[0])); + fsindex++) + { + pid = fork(); + if (pid < 0) { + /* Error */ + return false; + } else if (pid > 0) { + /* We're in the parent process */ + do { + waitpid(pid, &status, 0); + } while (!WIFEXITED(status) && !WIFSIGNALED(status)); + if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS) + return true; + + /* Let's try another fstype */ + continue; + } else { + /* We're in the child process */ + debug("Mounting %s at %s\n", device, dir); + close(STDIN_FILENO); + close(STDOUT_FILENO); + close(STDERR_FILENO); + open("/dev/null", O_RDONLY, 0); + open("/dev/null", O_WRONLY, 0); + open("/dev/null", O_WRONLY, 0); + execl("/bin/mount", "/bin/mount", "-n", "-t", + fstypes[fsindex], + /*"ext4,ext3,ext2,vfat,btrfs,reiserfs,xfs,jfs,ntfs,iso9660,udf",*/ + "-o", "noatime,nodiratime,nodev,noexec,nosuid,ro", + device, dir, (char *)NULL); + + /* If execl works, we won't end up here */ + exit(EXIT_FAILURE); + } + } + + /* We've tried all fstypes with no luck */ + return false; +} + +int +main(int argc, char **argv, char **envp) +{ + char *debugval; + char *devpath; + char *filepath; + struct stat st; + char *tmppath; + char tpath[] = "/tmp/passdev.XXXXXX"; + char *keypath; + int fd; + size_t toread; + size_t bytesread; + char *keybuffer; + size_t towrite; + size_t byteswritten; + ssize_t bytes; + char *to; + int timeout = 0; + bool do_timeout = false; + + /* We only take one argument */ + if (argc != 2) { + fprintf(stderr, "Incorrect number of arguments\n"); + goto error; + } + + /* If DEBUG=1 is in the environment, enable debug messages */ + debugval = getenv("DEBUG"); + if (debugval && atoi(debugval) > 0) + do_debug = true; + + /* Split string into device and path (and timeout) */ + devpath = argv[1]; + filepath = strchr(devpath, ':'); + if (!filepath || !(*filepath) || !(*(filepath + 1))) { + fprintf(stderr, "Invalid key path\n"); + goto error; + } + *filepath = '\0'; + filepath++; + to = strchr(filepath, ':'); + if (to && (*to) && (*(to + 1))) { + *to = '\0'; + to++; + timeout = atoi(to); + if (timeout > 0) + do_timeout = true; + } + debug("Path is %p and filepath is %p\n", devpath, filepath); + if (do_timeout) + debug("Timeout is %i\n",timeout); + + /* Wait until device is available */ + if (access(devpath, F_OK)) { + debug("Waiting for %s\n", devpath); + while(access(devpath, F_OK)) { + sleep(1); + if (do_timeout) { + if (timeout <= 0) + break; + timeout--; + } + } + } + + /* Make sure device is a blockdev */ + if (stat(devpath, &st)) { + fprintf(stderr, "Unable to stat %s\n", devpath); + goto error; + } else if (!S_ISBLK(st.st_mode)) { + fprintf(stderr, "%s is no block device\n", devpath); + goto error; + } + + /* Create a tmp dir where we mount the device */ + tmppath = mkdtemp(tpath); + if (!tmppath) { + fprintf(stderr, "Failed to create temporary directory\n"); + goto error; + } + + /* Ok, mount it */ + if (!do_mount(devpath, tmppath)) { + fprintf(stderr, "Failed to mount %s\n", devpath); + goto error_rmdir; + } + + /* Generate the full path to the keyfile */ + keypath = malloc(strlen(tmppath) + 1 + strlen(filepath) + 1); + if (!keypath) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_umount; + } + sprintf(keypath, "%s/%s", tmppath, filepath); + + /* Check that the keyfile exists */ + if (access(keypath, F_OK)) { + fprintf(stderr, "Keyfile doesn't exist\n"); + goto error_free; + } + + /* Get the size of the keyfile */ + if (stat(keypath, &st)) { + fprintf(stderr, "Unable to stat keyfile\n"); + goto error_free; + } + + /* Check the size of the keyfile */ + if (st.st_size < 0) { + fprintf(stderr, "Invalid keyfile size\n"); + goto error_free; + } + toread = (size_t)st.st_size; + + /* Open the keyfile */ + if ((fd = open(keypath, O_RDONLY)) < 0) { + fprintf(stderr, "Failed to open keyfile\n"); + goto error_free; + } + + /* Allocate a buffer for the keyfile contents */ + keybuffer = malloc(toread); + if (!keybuffer) { + fprintf(stderr, "Failed to allocate memory\n"); + goto error_close; + exit(EXIT_FAILURE); + } + + /* Read the keyfile */ + bytesread = 0; + while (bytesread < toread) { + bytes = read(fd, keybuffer + bytesread, toread - bytesread); + if (bytes <= 0) { + fprintf(stderr, "Failed to read entire key\n"); + goto error_keybuffer; + } + bytesread += bytes; + } + + /* Clean up */ + close(fd); + free(keypath); + umount(tmppath); + rmdir(tmppath); + + /* Write result */ + byteswritten = 0; + towrite = toread; + while (byteswritten < towrite) { + bytes = write(STDOUT_FILENO, keybuffer + byteswritten, + towrite - byteswritten); + if (bytes <= 0) { + fprintf(stderr, "Failed to write entire key\n"); + memset(keybuffer, 0, toread); + free(keybuffer); + goto error; + } + byteswritten += bytes; + } + + /* Clean up */ + memset(keybuffer, 0, toread); + free(keybuffer); + + /* Done */ + exit(EXIT_SUCCESS); + + /* Error handling */ +error_keybuffer: + memset(keybuffer, 0, toread); + free(keybuffer); +error_close: + close(fd); +error_free: + free(keypath); +error_umount: + umount(tmppath); +error_rmdir: + rmdir(tmppath); +error: + exit(EXIT_FAILURE); +} + diff --git a/debian/scripts/po/Makefile b/debian/scripts/po/Makefile new file mode 100644 index 0000000..9eb8acf --- /dev/null +++ b/debian/scripts/po/Makefile @@ -0,0 +1,39 @@ +XGETTEXT = xgettext +MSGFMT = msgfmt +MSGMERGE = msgmerge + +LOCALEDIR = /usr/share/locale + +.SUFFIXES: .po .mo .pot + +%.mo: %.po + $(MSGFMT) -o $@ $< + +PO = $(wildcard *.po) +LANG = $(basename $(PO)) +MO = $(addsuffix .mo,$(LANG)) +SOURCES = ../luksformat + +all: update $(MO) +update: luksformat.pot + -@for po in $(PO); do \ + echo -n "Updating $$po"; \ + $(MSGMERGE) -U $$po luksformat.pot; \ + done; + +luksformat.pot: $(SOURCES) + $(XGETTEXT) -c -L Perl -kgtx \ + --msgid-bugs-address=pkg-cryptsetup-devel@alioth-lists.debian.net \ + -o $@ $(SOURCES) + +install: all + for i in $(MO) ; do \ + t=$(DESTDIR)/$(LOCALEDIR)/`basename $$i .mo`/LC_MESSAGES ;\ + install -d $$t ;\ + install -m 644 $$i $$t/luksformat.mo ;\ + done + +clean: + $(RM) $(MO) *~ + +.PHONY: update diff --git a/debian/scripts/po/de.po b/debian/scripts/po/de.po new file mode 100644 index 0000000..76c7f2f --- /dev/null +++ b/debian/scripts/po/de.po @@ -0,0 +1,76 @@ +# German translations for cryptsetup package +# German messages for luksformat in cryptsetup. +# Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the cryptsetup package. +# Jonas Meurer <jonas@freesources.org>, 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: cryptsetup 2:1.3.0-1\n" +"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n" +"POT-Creation-Date: 2015-12-09 13:09+0100\n" +"PO-Revision-Date: 2011-03-08 19:40+0100\n" +"Last-Translator: Jonas Meurer <jonas@freesources.org>\n" +"Language-Team: German\n" +"Language: de\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#: ../luksformat:33 +msgid "This program needs to be started as root\n" +msgstr "Dieses Programm muss als Benutzer root gestartet werden\n" + +#: ../luksformat:38 +msgid "" +"luksformat - Create and format an encrypted LUKS device\n" +"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n" +"\n" +msgstr "" +"luksformat - LUKS-verschlüsselte Partition erstellen und formatieren\n" +"Verwendung: luksformat [-t <Dateisystem>] <Partition> [ mkfs Optionen ]\n" +"\n" + +#: ../luksformat:56 +#, perl-format +msgid "Error: device mounted: %s\n" +msgstr "Fehler: Partition ist eingebunden: %s\n" + +#: ../luksformat:72 +#, perl-format +msgid "Error: invalid file system: %s\n" +msgstr "Fehler: Ungültiges Dateisystem: %s\n" + +#: ../luksformat:85 +#, perl-format +msgid "Error: could not generate temporary mapped device name" +msgstr "Fehler: Erstellen einer temporären Partition schlug fehl" + +#. we do not need to be overly concerned with race conditions here, cryptsetup +#. will just fail if the name already exists now. +#: ../luksformat:89 +#, perl-format +msgid "Creating encrypted device on %s...\n" +msgstr "Erstelle verschlüsselte Partition auf %s...\n" + +#: ../luksformat:91 +#, perl-format +msgid "Could not create LUKS device %s" +msgstr "Erstellen der LUKS-Partition %s schlug fehl" + +#: ../luksformat:94 +msgid "Please enter your passphrase again to verify it\n" +msgstr "Bitte zum verifizieren das Passwort erneut eingeben\n" + +#: ../luksformat:96 +msgid "The passphrases you entered were not identical\n" +msgstr "Die eingegebenen Passwörter waren nicht identisch\n" + +#: ../luksformat:105 +#, perl-format +msgid "Could not format device with file system %s" +msgstr "Formatieren der Partition mit dem Dateisystem %s schlug fehl" + +#~ msgid "%s: %s" +#~ msgstr "%s: %s" diff --git a/debian/scripts/po/luksformat.pot b/debian/scripts/po/luksformat.pot new file mode 100644 index 0000000..f6c1e56 --- /dev/null +++ b/debian/scripts/po/luksformat.pot @@ -0,0 +1,69 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: pkg-cryptsetup-devel@alioth-lists.debian.net\n" +"POT-Creation-Date: 2015-12-09 13:09+0100\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../luksformat:33 +msgid "This program needs to be started as root\n" +msgstr "" + +#: ../luksformat:38 +msgid "" +"luksformat - Create and format an encrypted LUKS device\n" +"Usage: luksformat [-t <file system>] <device> [ mkfs options ]\n" +"\n" +msgstr "" + +#: ../luksformat:56 +#, perl-format +msgid "Error: device mounted: %s\n" +msgstr "" + +#: ../luksformat:72 +#, perl-format +msgid "Error: invalid file system: %s\n" +msgstr "" + +#: ../luksformat:85 +#, perl-format +msgid "Error: could not generate temporary mapped device name" +msgstr "" + +#. we do not need to be overly concerned with race conditions here, cryptsetup +#. will just fail if the name already exists now. +#: ../luksformat:89 +#, perl-format +msgid "Creating encrypted device on %s...\n" +msgstr "" + +#: ../luksformat:91 +#, perl-format +msgid "Could not create LUKS device %s" +msgstr "" + +#: ../luksformat:94 +msgid "Please enter your passphrase again to verify it\n" +msgstr "" + +#: ../luksformat:96 +msgid "The passphrases you entered were not identical\n" +msgstr "" + +#: ../luksformat:105 +#, perl-format +msgid "Could not format device with file system %s" +msgstr "" diff --git a/debian/scripts/suspend/cryptsetup-suspend-wrapper b/debian/scripts/suspend/cryptsetup-suspend-wrapper new file mode 100644 index 0000000..953196c --- /dev/null +++ b/debian/scripts/suspend/cryptsetup-suspend-wrapper @@ -0,0 +1,320 @@ +#!/bin/sh + +# Wrapper for cryptsetup-suspend(7) +# +# Copyright © 2019-2020 Tim <tim@systemli.org> +# © 2019-2020 Jonas Meurer <jonas@freesources.org> +# © 2020-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -ue +PATH="/usr/sbin:/usr/bin:/sbin:/bin" +export PATH + +# import cryptsetup shell functions +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + +INITRAMFS_MNT="/run/cryptsetup/cryptsetup-suspend-initramfs" +SYSTEM_SLEEP_PATH="/lib/systemd/system-sleep" +CONFIG_FILE="/etc/cryptsetup/suspend.conf" +unset -v INITRAMFS_DIR + +read_config() { + # define defaults + export UNLOCK_SESSIONS="false" + export KEEP_INITRAMFS="false" + + # read config file if it exists + # shellcheck source=/etc/cryptsetup/suspend.conf + [ -f "$CONFIG_FILE" ] && . "$CONFIG_FILE" || true +} + +# run_dir ARGS... +# Run all executable scripts in directory SYSTEM_SLEEP_PATH with arguments ARGS +# mimic systemd behavior +run_dir() { + [ -d "$SYSTEM_SLEEP_PATH" ] || return 0 + find "$SYSTEM_SLEEP_PATH" -type f -executable -execdir {} "$@" \; +} + +log_error() { + # arg1 should be message + echo "Error: $1" | systemd-cat -t cryptsetup-suspend -p err + echo "Error: $1" >&2 +} + +mount_initramfs() { + local k v u IFS MemAvailable=0 SwapFree=0 new="n" + # update-initramfs(8) hardcodes /boot also: there is a `-b bootdir` + # option but no config file to put it to + local INITRAMFS="/boot/initrd.img-$(uname -r)" p + if [ ! -f "$INITRAMFS" ]; then + log_error "No initramfs found at $INITRAMFS" + exit 1 + fi + + if [ -d "$INITRAMFS_MNT" ] && [ ! "$INITRAMFS" -ot "$INITRAMFS_MNT" ]; then + # need to unpack again: initramfs is newer than what we unpacked earlier + if mountpoint -q "$INITRAMFS_MNT"; then + umount "$INITRAMFS_MNT" + fi + rmdir "$INITRAMFS_MNT" || exit 1 + fi + + if [ ! -d "$INITRAMFS_MNT" ]; then + # we need at about 300 MiB on ubuntu, 200 on debian + # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773 + while IFS=" " read -r k v u; do + # /proc/meminfo format is documented in proc(5) + case "$u" in + MB) u=1048576;; + kB) u=1024;; + *) u=1;; + esac + case "$k" in + "MemAvailable:") MemAvailable=$((v*u));; + "SwapFree:") SwapFree=$((v*u));; + esac + done </proc/meminfo + if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then + log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully." + exit 1 + fi + + mkdir -m0700 "$INITRAMFS_MNT" + mount -t ramfs -o nodev,mode=0700 ramfs "$INITRAMFS_MNT" + + # extract initrd.img to initramfs dir + unmkinitramfs "$INITRAMFS" "$INITRAMFS_MNT" + new="y" + fi + + # unmkinitramfs(8) extracts microcode into folders "early*" and the actual initramfs into "main" + if [ -f "$INITRAMFS_MNT/sbin/cryptsetup" ]; then + INITRAMFS_DIR="$INITRAMFS_MNT" + elif [ -f "$INITRAMFS_MNT/main/sbin/cryptsetup" ]; then + INITRAMFS_DIR="$INITRAMFS_MNT/main" + else + log_error "Directory $INITRAMFS_MNT has unpected content" >&2 + exit 1 + fi + + if [ "$new" = "y" ]; then + for p in /dev /proc /run /sys; do + if [ ! -d "$INITRAMFS_DIR$p" ]; then + mkdir -m0755 "$INITRAMFS_DIR$p" + fi + done + + # copy our binary to ramdisk + install -m0755 -t "$INITRAMFS_DIR/bin" /lib/cryptsetup/scripts/suspend/cryptsetup-suspend + + # copy all firmware files to ramdisk to prevent dead-lock + # see https://salsa.debian.org/mejo/cryptsetup-suspend/issues/38) + # TODO we should try to identify which firmwares need to be loaded + # and only copy those + if [ -d /lib/firmware ] && [ ! -d "$INITRAMFS_DIR/lib/firmware" ]; then + cp -dR -T -- /lib/firmware "$INITRAMFS_DIR/lib/firmware" + fi + fi + + # from initramfs-tools-core's /usr/share/initramfs-tools/init + mount -t devtmpfs -o noexec,nosuid,mode=0755 udev "$INITRAMFS_DIR/dev" + mount -t proc -o nodev,noexec,nosuid proc "$INITRAMFS_DIR/proc" + mount -t ramfs -o nodev,noexec,nosuid,mode=0755 ramfs "$INITRAMFS_DIR/run" + mount -t sysfs -o nodev,noexec,nosuid sysfs "$INITRAMFS_DIR/sys" + + [ -d "$INITRAMFS_DIR/dev/pts" ] || mkdir -m0755 "$INITRAMFS_DIR/dev/pts" + mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts "$INITRAMFS_DIR/dev/pts" || true + + # remount read-only, private and unbindable + mount -oremount,ro --make-rprivate --make-runbindable "$INITRAMFS_MNT" +} + +umount_initramfs() { + if [ -d "${INITRAMFS_DIR-}" ]; then + umount -- "$INITRAMFS_DIR/dev/pts" + umount -- "$INITRAMFS_DIR/dev" + umount -- "$INITRAMFS_DIR/proc" + umount -- "$INITRAMFS_DIR/run" + umount -- "$INITRAMFS_DIR/sys" + fi + if [ "$KEEP_INITRAMFS" != "true" ] || [ -z "${INITRAMFS_DIR+x}" ]; then + # always unmount if we error out before setting INITRAMFS_DIR + umount -- "$INITRAMFS_MNT" + rmdir -- "$INITRAMFS_MNT" + fi +} + +CGROUP_FREEZER= +freeze_cgroup() { + local c="$1" v + # freeze cgroup if non-frozen + if [ -f "$c" ] && v="$(cat <"$c")" && [ $v -eq 0 ]; then + echo 1 >"$c" + CGROUP_FREEZER="$c${CGROUP_FREEZER:+" $CGROUP_FREEZER"}" + fi +} +freeze_cgroups() { + local mycgroup c + + # freeze all machines/containers and user cgroups + freeze_cgroup "$hierarchy/machine.slice/cgroup.freeze" + freeze_cgroup "$hierarchy/user.slice/cgroup.freeze" + + # get my second level cgroup + mycgroup="$(grep -m1 "^0::" /proc/self/cgroup | cut -sd/ -f3)" + + # freeze all system cgroups except ours and systemd-suspend + for c in "$hierarchy"/system.slice/*/cgroup.freeze; do + if [ "$c" != "$hierarchy/system.slice/$mycgroup/cgroup.freeze" ] && \ + [ "${c#"$hierarchy/system.slice/systemd-suspend."}" = "$c" ]; then + freeze_cgroup "$c" + fi + done + + # freeze systemd itself + freeze_cgroup "$hierarchy/init.scope/cgroup.freeze" +} + +thaw_cgroups() { + local c + for c in $CGROUP_FREEZER; do + echo 0 >"$c" + done +} + +populate_ACTIVE_DEVICES() { + local DEV MAJ MIN + if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + # silently ignore unmapped devices + return 0 + elif [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Subsystem mismatch" + return 1 + elif ! _resolve_device "$CRYPTTAB_SOURCE"; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Missing source $CRYPTTAB_SOURCE" + return 1 + elif [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch" + return 1 + fi + + if ! crypttab_parse_options --quiet; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Unable to parse options field" + return 1 + elif [ "$CRYPTTAB_TYPE" != "luks" ]; then + # XXX does it even work with detached headers? + cryptsetup_message "WARNING: $CRYPTTAB_NAME: unable to suspend non-LUKS device" + return 0 + fi + + # XXX that's not robust since $CRYPTTAB_NAME might contain spaces or + # special characters; we need to create a NUL-delimited list in a + # file instead + ACTIVE_DEVICES="${ACTIVE_DEVICES:+"$ACTIVE_DEVICES "}$CRYPTTAB_NAME" +} + +clean_up() { + # we always want to run through the whole cleanup + set +e + + # thaw all frozen cgroups + thaw_cgroups + + # Run post-suspend scripts + run_dir post suspend + + umount_initramfs + + # unlock sessions + if [ "$UNLOCK_SESSIONS" = "true" ]; then + loginctl unlock-sessions + fi +} + +## Main script + +# check unified cgroups hierarchy +# https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md +if [ -d /sys/fs/cgroup/system.slice ]; then + hierarchy="/sys/fs/cgroup" +elif [ -d /sys/fs/cgroup/unified/system.slice ]; then + # hybrid cgroup hierarchy + hierarchy="/sys/fs/cgroup/unified" +else + log_error "No unified cgroups hierarchy" + exit 1 +fi + +# check that not run as user +# XXX: We should catch also cases where libpam-systemd is not installed +if grep -Eq '^[0-9]+:[^:]*:/user\.slice/' /proc/self/cgroup; then + log_error "Don't run this script as user" + exit 1 +fi + +# always thaw cgroups, re-mount filesystems and remove initramfs at the end of the script +trap clean_up EXIT + +read_config + +# extract temporary filesystem to switch to +mount_initramfs + +# Run pre-suspend scripts +run_dir pre suspend + +# populate list of active crypt devices +ACTIVE_DEVICES="" +crypttab_foreach_entry populate_ACTIVE_DEVICES + +# freeze all cgroups but us +freeze_cgroups + +# No longer fail in case of errors +set +e + +# change into ramdisk +devices_remaining="$(chroot "$INITRAMFS_DIR" /bin/sh -c " + # suspend active luks devices (in reverse order) and system + /bin/cryptsetup-suspend --reverse $ACTIVE_DEVICES + + TABFILE=\"/cryptroot/crypttab\" + . /lib/cryptsetup/functions + + # resume active luks devices (only initramfs devices) + for dev in $ACTIVE_DEVICES; do + if crypttab_find_entry --quiet \"\$dev\"; then + DM_DISABLE_UDEV=y resume_device \"\$dev\" || sleep 5 + else + # write remaining devices to FD3 + printf \"%s \" \"\$dev\" >&3 + fi + done +" 3>&- 3>&1 >&2)" + +# resume remaining active luks devices (non-initramfs devices) +for dev in $devices_remaining; do + if crypttab_find_entry --quiet "$dev"; then + # explicitely disable udev support, cf. #1020553 + # XXX this is not ideal since udev might be required in some situations + # (detached header or key material on removable device comes to mind) + DM_DISABLE_UDEV=y resume_device "$dev" || true + else + log_error "'$dev' not found in /etc/crypttab" + fi +done diff --git a/debian/scripts/suspend/cryptsetup-suspend.c b/debian/scripts/suspend/cryptsetup-suspend.c new file mode 100644 index 0000000..af1b6f6 --- /dev/null +++ b/debian/scripts/suspend/cryptsetup-suspend.c @@ -0,0 +1,225 @@ +/* + * Small program to LUKS suspend devices before system suspend + * + * Copyright: (c) 2018 Guilhem Moulin <guilhem@debian.org> + * (c) 2018-2020 Jonas Meurer <jonas@freesources.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include <stdlib.h> +#include <stdio.h> +#include <stdbool.h> +#include <err.h> +#include <errno.h> +#include <unistd.h> +#include <string.h> +#include <sys/mman.h> +#include <sys/time.h> +#include <sys/resource.h> + +#include <libcryptsetup.h> + +#define SYSFS_POWER_SYNC_ON_SUSPEND "/sys/power/sync_on_suspend" +#define SYSFS_POWER_STATE "/sys/power/state" + +void usage() { + printf("Usage: cryptsetup-suspend [-r|--reverse] <blkdev> [<blkdev> ...]\n" + " -r, --reverse process luks devices in reverse order\n\n"); + exit(1); +} + +/* Calculate free memory (MemAvailable + SwapFree) from /proc/meminfo */ +uint32_t get_mem_swap_avail_kb() { + FILE *meminfo = fopen("/proc/meminfo", "r"); + if (meminfo == NULL) + err(EXIT_FAILURE, "couldn't open /proc/meminfo"); + + int mem_avail_kb, swap_free_kb = 0; + char line[256]; + while (fgets(line, sizeof(line), meminfo)) { + if (strncmp(line, "MemAvailable", strlen("MemAvailable")) == 0) { + if (sscanf(line, "MemAvailable: %d kB", &mem_avail_kb) != 1) + errx(EXIT_FAILURE, "couldn't read MemAvailable from /proc/meminfo"); + } else if (strncmp(line, "SwapFree", strlen("SwapFree")) == 0) { + if (sscanf(line, "SwapFree: %d kB", &swap_free_kb) != 1) + errx(EXIT_FAILURE, "couldn't read SwapFree from /proc/meminfo"); + } + } + fclose(meminfo); + + uint32_t mem_swap_avail_kb = mem_avail_kb + swap_free_kb; + if (mem_swap_avail_kb == 0) + errx(EXIT_FAILURE, "error reading available memory and swap from /proc/meminfo"); + + return mem_swap_avail_kb; +} + +int main(int argc, char *argv[]) { + int rv = 0; + bool reverse = 0; + int d_size; + bool sync_on_suspend_reset = 0; + FILE *sos = NULL; + + /* Process commandline arguments */ + if (argc < 2) { + usage(); + } else if ((strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--reverse") == 0)) { + if (argc < 3) + usage(); + + reverse = 1; + d_size = argc-2; + } else { + d_size = argc-1; + } + + /* Read in devices */ + const char *devices[d_size]; + if (!reverse) { + for (int i = 0; i < d_size; i++) { + devices[i] = argv[i+1]; + } + } else { + for (int i = 0; i < d_size; i++) { + devices[i] = argv[argc-i-1]; + } + } + + /* Disable sync_on_suspend in Linux kernel + * + * Only available in Linux kernel >= 5.6 */ + if (access(SYSFS_POWER_SYNC_ON_SUSPEND, W_OK) < 0) { + if (errno == ENOENT) + warnx("kernel too old, can't disable sync on suspend"); + } else { + sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "r+"); + if (!sos) + err(EXIT_FAILURE, "couldn't open sysfs file"); + + int sos_c = fgetc(sos); + if (fgetc(sos) == EOF) + err(EXIT_FAILURE, "couldn't read from file"); + + if (sos_c == '0') { + /* Already disabled */ + } else if (sos_c == '1') { + sync_on_suspend_reset = 1; + if (fputc('0', sos) <= 0) + err(EXIT_FAILURE, "couldn't write to file"); + } else { + errx(EXIT_FAILURE, "unexpected value from %s", SYSFS_POWER_SYNC_ON_SUSPEND); + } + + fclose(sos); + } + + /* Change process priority to -20 (highest) to avoid races between + * the LUKS suspend(s) and the suspend-on-ram. */ + if (setpriority(PRIO_PROCESS, 0, -20) == -1) + warn("can't lower process priority to -20"); + + /* Get memory settings of keyslots from processed LUKS2 devices */ + uint32_t argon2i_max_memory_kb = 0; + for (int i = 0; i < d_size; i++) { + struct crypt_device *cd = NULL; + if (crypt_init_by_name(&cd, devices[i])) { + warnx("couldn't init LUKS device %s", devices[i]); + rv = EXIT_FAILURE; + } else { + /* Only LUKS2 devices may use argon2i PBKDF */ + if (strcmp(crypt_get_type(cd), CRYPT_LUKS2) != 0) + continue; + int ks_max = crypt_keyslot_max(crypt_get_type(cd)); + for (int j = 0; j < ks_max; j++) { + crypt_keyslot_info ki = crypt_keyslot_status(cd, j); + /* Only look at active keyslots */ + if (ki != CRYPT_SLOT_ACTIVE && ki != CRYPT_SLOT_ACTIVE_LAST) + continue; + struct crypt_pbkdf_type pbkdf_ki; + if (crypt_keyslot_get_pbkdf(cd, j, &pbkdf_ki) < 0) { + warn("couldn't get PBKDF for keyslot %d of device %s", j, devices[i]); + rv = EXIT_FAILURE; + } else { + if (pbkdf_ki.max_memory_kb > argon2i_max_memory_kb) + argon2i_max_memory_kb = pbkdf_ki.max_memory_kb; + } + } + } + crypt_free(cd); + } + + /* Add some more memory to be on the safe side + * TODO: find a reasonable value */ + argon2i_max_memory_kb += 2 * 1024; // 2MB + + /* Check if we have enough memory available to prevent mlock() from + * triggering the OOM killer. */ + uint32_t mem_swap_avail_kb = get_mem_swap_avail_kb(); + if (argon2i_max_memory_kb > mem_swap_avail_kb) { + errx(EXIT_FAILURE, "Error: Available memory (%d kb) less than required (%d kb)", + mem_swap_avail_kb, argon2i_max_memory_kb); + } + + /* Allocate and lock memory for later usage by LUKS resume in order to + * prevent swapping out after LUKS devices (which might include swap + * storage) have been suspended. */ + fprintf(stderr, "Allocating and mlocking memory: %d kb\n", argon2i_max_memory_kb); + char *mem; + if (!(mem = malloc(argon2i_max_memory_kb))) + err(EXIT_FAILURE, "couldn't allocate enough memory"); + if (mlock(mem, argon2i_max_memory_kb) == -1) + err(EXIT_FAILURE, "couldn't lock enough memory"); + /* Fill the allocated memory to make sure it's really reserved even if + * memory pages are copy-on-write. */ + size_t i; + size_t page_size = getpagesize(); + for (i = 0; i < argon2i_max_memory_kb; i += page_size) + mem[i] = 0; + + /* Do the final filesystem sync since we disabled sync_on_suspend in + * Linux kernel. */ + sync(); + + for (int i = 0; i < d_size; i++) { + struct crypt_device *cd = NULL; + if (crypt_init_by_name(&cd, devices[i]) || crypt_suspend(cd, devices[i])) { + warnx("couldn't suspend LUKS device %s", devices[i]); + rv = EXIT_FAILURE; + } + crypt_free(cd); + } + + fprintf(stderr, "Sleeping...\n"); + FILE *s = fopen(SYSFS_POWER_STATE, "w"); + if (!s) + err(EXIT_FAILURE, "failed to open %s", SYSFS_POWER_STATE); + if (fputs("mem", s) <= 0) + err(EXIT_FAILURE, "couldn't write to %s", SYSFS_POWER_STATE); + fclose(s); + fprintf(stderr, "Resuming...\n"); + + /* Restore original sync_on_suspend value */ + if (sync_on_suspend_reset) { + sos = fopen(SYSFS_POWER_SYNC_ON_SUSPEND, "w"); + if (!sos) + err(EXIT_FAILURE, "couldn't open sysfs file"); + if (fputc('1', sos) <= 0) + err(EXIT_FAILURE, "couldn't write to file"); + fclose(sos); + } + + return rv; +} diff --git a/debian/scripts/suspend/cryptsetup-suspend.shutdown b/debian/scripts/suspend/cryptsetup-suspend.shutdown new file mode 100644 index 0000000..f7d9f5d --- /dev/null +++ b/debian/scripts/suspend/cryptsetup-suspend.shutdown @@ -0,0 +1,3 @@ +#!/bin/sh +umount -R /run/cryptsetup/cryptsetup-suspend-initramfs +rmdir /run/cryptsetup/cryptsetup-suspend-initramfs diff --git a/debian/scripts/suspend/suspend.conf b/debian/scripts/suspend/suspend.conf new file mode 100644 index 0000000..79b2287 --- /dev/null +++ b/debian/scripts/suspend/suspend.conf @@ -0,0 +1,10 @@ +# Caution: This file will be sourced by another script. +# For security reasons, it should only be writable by root. + +# Automatically unlock user sessions after resume +# UNLOCK_SESSIONS="false" + +# Keep unpacked initramfs in RAM to accelerate suspension (this setting +# is ignored when the default initramfs image is newer than the +# cached/unpacked image) +# KEEP_INITRAMFS="false" diff --git a/debian/scripts/suspend/systemd/cryptsetup-suspend.conf b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf new file mode 100644 index 0000000..10664cf --- /dev/null +++ b/debian/scripts/suspend/systemd/cryptsetup-suspend.conf @@ -0,0 +1,12 @@ +[Service] +# Protect against OOM killer. luksResume with Argon2 needs a lot of memory +OOMScoreAdjust=-1000 +# Give us higher priority +Nice=-10 +# override ExecStart of systemd-suspend.service +ExecStart= +# use VT 8 as workaround for https://gitlab.gnome.org/GNOME/gdm/issues/527 +# XXX on systems specifying the console= kernel parameter (such as a serial +# port) we should probably honor it +ExecStart=/bin/openvt -ws -c8 \ + /lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 0000000..6c7d309 --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1 @@ +very-long-line-length-in-source-file 1464 > 512 [lib/crypto_backend/argon2/LICENSE:23] diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..52752a3 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,133 @@ +# Run the installed binaries and libraries through the full upstream test suite. +Features: test-name=upstream-testsuite +Test-Command: make -C ./tests -f Makefile.localtest -j tests CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y +Depends: cryptsetup-bin, +# to compile tests/*.c + gcc, + libcryptsetup-dev, + libdevmapper-dev, +# +# for hexdump(1) + bsdextrautils, +# for dmsetup(8) + dmsetup, +# for expect(1) + expect, +# for jq(1) + jq, +# for keyctl(1) + keyutils, +# for modprobe(8) and rmmod(8) + kmod, +# for free(1) + procps, +# for uuencode(1) + sharutils, +# for xxd(1) + xxd +# +# Use machine-level isolation since some extra tests want to interact +# with the kernel, load modules, and create/remove loop devices +Restrictions: allow-stderr, needs-root, isolation-machine, rw-build-tree + +# Run ./tests/ssh-test-plugin on its own since it has its own dependency set. +Features: test-name=ssh-test-plugin +Test-Command: cd ./tests && CRYPTSETUP_PATH=/sbin TESTSUITE_NOSKIP=y RUN_SSH_PLUGIN_TEST=y ./ssh-test-plugin +Depends: cryptsetup-bin, + cryptsetup-ssh, + netcat-openbsd, + openssh-client, + openssh-server, + openssl, + sshpass +Restrictions: needs-root, isolation-machine + + +Tests: cryptdisks, cryptdisks.init +Depends: cryptsetup, xxd +Restrictions: allow-stderr, needs-root, isolation-machine + +# This test doesn't replace the cryptroot-* tests below which mock a +# complete system incl. unlocking at initramfs stage, but it's also +# significantly faster so we use it for crude checks of our initramfs +# hook and the initramfs image itself. +Tests: initramfs-hook +Depends: cryptsetup-initramfs, e2fsprogs, zstd +Restrictions: allow-stderr, needs-root, isolation-machine + +Tests: cryptroot-lvm, cryptroot-legacy +# Only dependencies required to set the VM here are listed here; +# cryptsetup is not listed since we only install it in the VM. +Depends: cryptsetup-bin, + dosfstools [arm64 armhf], + fdisk, + genext2fs, + initramfs-tools-core, + libjson-perl, + lvm2, + qemu-efi-aarch64 [arm64], + qemu-efi-arm [armhf], + qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system, + udev +# We only need root to create /dev/kvm, really. And while it works +# locally and on debci, it doesn't work on salsa CI.. +Restrictions: allow-stderr, needs-root +Architecture: amd64 i386 + +Tests: cryptroot-md +Depends: cryptsetup-bin, + dosfstools [arm64 armhf], + fdisk, + genext2fs, + initramfs-tools-core, + libjson-perl, + lvm2, + mdadm, + qemu-efi-aarch64 [arm64], + qemu-efi-arm [armhf], + qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system, + udev +Restrictions: allow-stderr, needs-root +Architecture: amd64 i386 + +Tests: cryptroot-nested +Depends: btrfs-progs, + cryptsetup-bin, + dosfstools [arm64 armhf], + fdisk, + genext2fs, + initramfs-tools-core, + libjson-perl, + lvm2, + mdadm, + qemu-efi-aarch64 [arm64], + qemu-efi-arm [armhf], + qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system, + udev +Restrictions: allow-stderr, needs-root +Architecture: amd64 i386 + +Tests: cryptroot-sysvinit +Depends: cryptsetup-bin, + dosfstools [arm64 armhf], + fdisk, + genext2fs, + initramfs-tools-core, + libjson-perl, + qemu-efi-aarch64 [arm64], + qemu-efi-arm [armhf], + qemu-system-arm [arm64 armhf] | qemu-system-x86 [amd64 i386] | qemu-system, + udev +Restrictions: allow-stderr, needs-root +Architecture: amd64 i386 + +# Dummy test so that kernel updates trigger our other autopkgtests on debci +Features: test-name=hint-testsuite-triggers +Test-Command: false +Depends: linux-image-generic, + linux-image-amd64 [amd64], + linux-image-arm64 [arm64], + linux-image-armmp-lpae [armhf], + linux-image-686-pae [i386] +Restrictions: hint-testsuite-triggers +Architecture: amd64 i386 diff --git a/debian/tests/cryptdisks b/debian/tests/cryptdisks new file mode 100755 index 0000000..3d3223b --- /dev/null +++ b/debian/tests/cryptdisks @@ -0,0 +1,764 @@ +#!/bin/bash + +set -eux +PATH="/usr/bin:/bin:/usr/sbin:/sbin" +export PATH + +TMPDIR="$AUTOPKGTEST_TMP" + +# wrappers +luks1Format() { + cryptsetup luksFormat --batch-mode --type=luks1 \ + --pbkdf-force-iterations=1000 \ + "$@" +} +luks2Format() { + cryptsetup luksFormat --batch-mode --type=luks2 \ + --pbkdf=argon2id --pbkdf-force-iterations=4 --pbkdf-memory=32 \ + "$@" +} +diff() { command diff --color=auto --text "$@"; } + +# create disk image +CRYPT_IMG="$TMPDIR/disk.img" +CRYPT_DEV="" +install -m0600 /dev/null "$TMPDIR/keyfile" +disk_setup() { + local lo + for lo in $(losetup -j "$CRYPT_IMG" | cut -sd: -f1); do + losetup -d "$lo" + done + dd if="/dev/zero" of="$CRYPT_IMG" bs=1M count=64 + CRYPT_DEV="$(losetup --find --show -- "$CRYPT_IMG")" +} + + +####################################################################### +# make sure empty passphrases are NEVER accepted + +disk_setup +! cryptsetup luksFormat "$CRYPT_DEV" </dev/null || exit 1 +! blkid -p "$CRYPT_DEV" || exit 1 + +! echo -n "" | cryptsetup luksFormat "$CRYPT_DEV" - || exit 1 +! blkid -p "$CRYPT_DEV" || exit 1 + +! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" /dev/null || exit 1 +! blkid -p "$CRYPT_DEV" || exit 1 + +! cryptsetup luksFormat --batch-mode "$CRYPT_DEV" </dev/null || exit 1 +! blkid -p "$CRYPT_DEV" || exit 1 + +! echo -n "" | luks2Format "$CRYPT_DEV" - || exit 1 +! blkid -p "$CRYPT_DEV" || exit 1 + + +####################################################################### +# LUKS + +# interactive +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")" +test "$t" = "crypto_LUKS" + +cat >/etc/crypttab <<-EOF + test0_crypt $CRYPT_DEV none +EOF +cryptdisks_start test0_crypt </dev/tty & pid=$! + +# check command line and environment +until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done +pid2="$(find /proc/[0-9]* -mindepth 1 -maxdepth 1 -name "exe" \ + -execdir sh -euc 'diff -q -- "$0" /usr/lib/cryptsetup/askpass >/dev/null' {} \; \ + -print 2>/dev/null | cut -sd/ -f3)" +test -n "$pid2" +printf '%s\0Please unlock disk %s: \0' /lib/cryptsetup/askpass test0_crypt >"$TMPDIR/cmdline" +diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline" "/proc/$pid2/cmdline" +tr '\n' '\0' >"$TMPDIR/environ" <<-EOF + CRYPTTAB_NAME=test0_crypt + CRYPTTAB_OPTIONS= + CRYPTTAB_SOURCE=$CRYPT_DEV + CRYPTTAB_TRIED=0 + _CRYPTTAB_NAME=test0_crypt + _CRYPTTAB_OPTIONS= + _CRYPTTAB_SOURCE=$CRYPT_DEV +EOF +grep -Ez "^_?CRYPTTAB_" <"/proc/$pid2/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ" - + +# unlock device +tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline +wait $pid +stty sane || true +test -b /dev/mapper/test0_crypt + +# check default cipher (if it changes we probably want to update the doc and revise some scripts) +cipher="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f4)" +test "$cipher" = "aes-xts-plain64" + +# make sure the kernel keyring is used by default for the encryption key +key="$(dmsetup table --target=crypt test0_crypt | cut -d" " -f5)" +test "${key:0:21}" = ":64:logon:cryptsetup:" + +cryptdisks_stop test0_crypt + +# remove trailing newline and unlock via key file +tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile" +cat >/etc/crypttab <<-EOF + test0_crypt $CRYPT_DEV $TMPDIR/keyfile +EOF +cryptdisks_start test0_crypt +test -b /dev/mapper/test0_crypt +cryptdisks_stop test0_crypt + +# special characters +ln -sT -- keyfile "$TMPDIR/key fi:le" +cat >/etc/crypttab <<-EOF + test0\\0045crypt $CRYPT_DEV $TMPDIR/key\\0040fi\\0072le +EOF +cryptdisks_start "test0%crypt" +dmsetup table --target=crypt "test0%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled +cryptdisks_stop "test0%crypt" + + +####################################################################### +# cipher=, size= (plain) + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +cat >/etc/crypttab <<-EOF + plain_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=twofish-cbc-essiv:sha256,size=256 +EOF + +cryptdisks_start plain_crypt +test -b /dev/mapper/plain_crypt + +# check cipher +cipher="$(dmsetup table --target=crypt plain_crypt | cut -d" " -f4)" +test "$cipher" = "twofish-cbc-essiv:sha256" + +# check encryption key +xxd -ps -c256 "$TMPDIR/keyfile" >"$TMPDIR/keyfile-hex" +dmsetup table --target=crypt --showkeys plain_crypt | cut -d" " -f5 | \ + diff --label=a/key --label=b/key "$TMPDIR/keyfile-hex" - + +cryptdisks_stop plain_crypt + + +####################################################################### +# sector-size= + +disk_setup +cat >/etc/crypttab <<-EOF + sector_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,sector-size=4096 +EOF + +cryptdisks_start sector_crypt +test -b /dev/mapper/sector_crypt + +dmsetup table --target=crypt sector_crypt | cut -d" " -f10- | grep -Fw "sector_size:4096" + +cryptdisks_stop sector_crypt + + +####################################################################### +# hash= (interactive, ignored with keyfile) + +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +cat >/etc/crypttab <<-EOF + hash_crypt $CRYPT_DEV none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256 +EOF + +cryptdisks_start hash_crypt </dev/tty & pid=$! +until [ -p /lib/cryptsetup/passfifo ]; do sleep 1; done +tr -d '\n' <"$TMPDIR/passphrase" >/lib/cryptsetup/passfifo # remove trailing newline +wait $pid +stty sane || true +test -b /dev/mapper/hash_crypt + +# check encryption key +tr -d '\n' <"$TMPDIR/passphrase" | sha256sum | cut -d" " -f1 >"$TMPDIR/passphrase-hash" +dmsetup table --target=crypt --showkeys hash_crypt | cut -d" " -f5 | \ + diff --label=a/key --label=b/key "$TMPDIR/passphrase-hash" - +cryptdisks_stop hash_crypt + + +####################################################################### +# offset=, skip= + +offset=2048 # in 512 byte sectors +skip=256 # in 512 byte sectors +disk_setup +cat >/etc/crypttab <<-EOF + offset_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-cbc-essiv:sha256,size=256,offset=$offset,skip=$skip +EOF + +# having an existing file system before the offset has no effect (cf. #994056) +dmsetup create hidden --table "0 $offset linear $CRYPT_DEV 0" +mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden +u="$(blkid -p -s UUID -o value /dev/mapper/hidden)" +dd if=/dev/mapper/hidden of="$TMPDIR/hidden.img" bs=512 +dmsetup remove hidden +u2="$(blkid -p -s UUID -o value -- "$CRYPT_DEV")" +test "$u" = "$u2" + +cryptdisks_start offset_crypt +test -b /dev/mapper/offset_crypt + +# check offset and skip values +offset2="$(dmsetup table --target=crypt offset_crypt | cut -d" " -f8)" && test $offset -eq $offset2 +skip2="$( dmsetup table --target=crypt offset_crypt | cut -d" " -f6)" && test $skip -eq $skip2 + +# ensure that the first 2048 sectors (only) are left zeroed out +dd if=/dev/zero of=/dev/mapper/offset_crypt bs=1M || true +cryptdisks_stop offset_crypt + +dd if="$CRYPT_DEV" of="$TMPDIR/hidden2.img" bs=512 count="$offset" +command diff -q -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img" || exit 1 +! xxd -l32 -s$((offset*512)) -ps -c32 <"$CRYPT_DEV" | grep -Fxq 0000000000000000000000000000000000000000000000000000000000000000 +rm -f -- "$TMPDIR/hidden.img" "$TMPDIR/hidden2.img" + + +####################################################################### +# keyfile-offset=, keyfile-size= + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" +install -m0600 /dev/null "$TMPDIR/keyfile2" + +# keyfile-offset= +head -c1024 </dev/urandom >"$TMPDIR/keyfile2" +cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2" +cat >/etc/crypttab <<-EOF + keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=1024 +EOF +cryptdisks_start keyfile_crypt +test -b /dev/mapper/keyfile_crypt +cryptdisks_stop keyfile_crypt + +# keyfile-size= +cat "$TMPDIR/keyfile" >"$TMPDIR/keyfile2" +head -c1024 </dev/urandom >>"$TMPDIR/keyfile2" +cat >/etc/crypttab <<-EOF + keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-size=32 +EOF +cryptdisks_start keyfile_crypt +test -b /dev/mapper/keyfile_crypt +cryptdisks_stop keyfile_crypt + +# keyfile-offset= + keyfile-size= +head -c32 </dev/urandom >"$TMPDIR/keyfile2" +cat "$TMPDIR/keyfile" >>"$TMPDIR/keyfile2" +head -c32 </dev/urandom >>"$TMPDIR/keyfile2" +cat >/etc/crypttab <<-EOF + keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 keyfile-offset=32,keyfile-size=32 +EOF +cryptdisks_start keyfile_crypt +test -b /dev/mapper/keyfile_crypt +cryptdisks_stop keyfile_crypt + +# make sure the key isn't valid without offset and size +cat >/etc/crypttab <<-EOF + keyfile_crypt $CRYPT_DEV $TMPDIR/keyfile2 +EOF +! cryptdisks_start keyfile_crypt +test ! -b /dev/mapper/keyfile_crypt +rm -vf -- "$TMPDIR/keyfile2" + + +####################################################################### +# key-slot= + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format --key-slot=0 -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +install -m0600 /dev/null "$TMPDIR/keyfile2" +head -c32 </dev/urandom >"$TMPDIR/keyfile2" +cryptsetup luksAddKey --key-file="$TMPDIR/keyfile" \ + --pbkdf=pbkdf2 --pbkdf-force-iterations=1000 \ + --key-slot=1 -- "$CRYPT_DEV" "$TMPDIR/keyfile2" + +cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile" --key-slot=0 -- "$CRYPT_DEV" +cryptsetup luksOpen --test-passphrase --key-file="$TMPDIR/keyfile2" --key-slot=1 -- "$CRYPT_DEV" + +# use slot #1 after trying #0 +cat >/etc/crypttab <<-EOF + keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 +EOF +cryptdisks_start keyslot_crypt +test -b /dev/mapper/keyslot_crypt +cryptdisks_stop keyslot_crypt + +# use wrong slot #0 +cat >/etc/crypttab <<-EOF + keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=0 +EOF +! cryptdisks_start keyslot_crypt +test ! -b /dev/mapper/keyslot_crypt + +# use right slot #1 +cat >/etc/crypttab <<-EOF + keyslot_crypt $CRYPT_DEV $TMPDIR/keyfile2 key-slot=1 +EOF +cryptdisks_start keyslot_crypt +test -b /dev/mapper/keyslot_crypt +cryptdisks_stop keyslot_crypt +rm -f -- "$TMPDIR/keyfile2" + + +####################################################################### +# header= + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format --header="$TMPDIR/crypt_img.hdr" -- "$CRYPT_DEV" "$TMPDIR/keyfile" +test -f "$TMPDIR/crypt_img.hdr" + +# make sure the signature is on the header only +t="$(blkid -s TYPE -o value -- "$TMPDIR/crypt_img.hdr")" +test "$t" = "crypto_LUKS" +! blkid -p -- "$CRYPT_DEV" + +# make sure we can't unlock without the header +cat >/etc/crypttab <<-EOF + header_crypt $CRYPT_DEV $TMPDIR/keyfile luks +EOF +! cryptdisks_start header_crypt +test ! -b /dev/mapper/header_crypt + +# unlock using the header +cat >/etc/crypttab <<-EOF + header_crypt $CRYPT_DEV $TMPDIR/keyfile header=$TMPDIR/crypt_img.hdr +EOF +cryptdisks_start header_crypt +test -b /dev/mapper/header_crypt +cryptdisks_stop header_crypt +rm -f -- "$TMPDIR/crypt_img.hdr" + + +####################################################################### +# readonly + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +# unlock readonly from crypttab(5) +cat >/etc/crypttab <<-EOF + readonly_crypt $CRYPT_DEV $TMPDIR/keyfile readonly +EOF +cryptdisks_start readonly_crypt +test -b /dev/mapper/readonly_crypt +dm="$(readlink -e "/dev/mapper/readonly_crypt")" +ro="$(< "/sys/block/${dm##*/}/ro")" +test "$ro" -eq 1 +cryptdisks_stop readonly_crypt + +# unlock readonly with --readonly +cat >/etc/crypttab <<-EOF + readonly_crypt $CRYPT_DEV $TMPDIR/keyfile +EOF +cryptdisks_start --readonly readonly_crypt +test -b /dev/mapper/readonly_crypt +dm="$(readlink -e "/dev/mapper/readonly_crypt")" +ro="$(< "/sys/block/${dm##*/}/ro")" +test "$ro" -eq 1 +cryptdisks_stop readonly_crypt + +# double check that default is read-write +cryptdisks_start readonly_crypt +test -b /dev/mapper/readonly_crypt +dm="$(readlink -e "/dev/mapper/readonly_crypt")" +ro="$(< "/sys/block/${dm##*/}/ro")" +test "$ro" -eq 0 +cryptdisks_stop readonly_crypt + + +####################################################################### +# tries= + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +# fail after 3 tries default +cat >/etc/crypttab <<-EOF + tries_crypt $CRYPT_DEV none +EOF + +cryptdisks_start tries_crypt </dev/tty & pid=$! +echo -n bad1 >/lib/cryptsetup/passfifo +sleep 1 +echo -n bad2 >/lib/cryptsetup/passfifo +sleep 1 +echo -n bad3 >/lib/cryptsetup/passfifo +! wait $pid +stty sane || true +test ! -b /dev/mapper/tries_crypt + +# success on the 3rd try +cryptdisks_start tries_crypt </dev/tty & pid=$! +echo -n bad1 >/lib/cryptsetup/passfifo +sleep 1 +echo -n bad2 >/lib/cryptsetup/passfifo +sleep 1 +cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo +wait $pid +stty sane || true +test -b /dev/mapper/tries_crypt +cryptdisks_stop tries_crypt + +# force single try +cat >/etc/crypttab <<-EOF + tries_crypt $CRYPT_DEV none tries=1 +EOF + +cryptdisks_start tries_crypt </dev/tty & pid=$! +echo -n bad1 >/lib/cryptsetup/passfifo +! wait $pid +stty sane || true +test ! -b /dev/mapper/tries_crypt + +cryptdisks_start tries_crypt </dev/tty & pid=$! +cat <"$TMPDIR/keyfile" >/lib/cryptsetup/passfifo +wait $pid +stty sane || true +test -b /dev/mapper/tries_crypt +cryptdisks_stop tries_crypt + + +####################################################################### +# discard + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +cat >/etc/crypttab <<-EOF + flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile discard +EOF + +cryptdisks_start flagopt_crypt +dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "allow_discards" +cryptdisks_stop flagopt_crypt + + +####################################################################### +# same-cpu-crypt + +cat >/etc/crypttab <<-EOF + flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile same-cpu-crypt +EOF + +cryptdisks_start flagopt_crypt +dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "same_cpu_crypt" +cryptdisks_stop flagopt_crypt + + +####################################################################### +# submit-from-crypt-cpus + +cat >/etc/crypttab <<-EOF + flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile submit-from-crypt-cpus +EOF + +cryptdisks_start flagopt_crypt +dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "submit_from_crypt_cpus" +cryptdisks_stop flagopt_crypt + + +####################################################################### +# no-read-workqueue + +cat >/etc/crypttab <<-EOF + flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-read-workqueue +EOF + +cryptdisks_start flagopt_crypt +dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_read_workqueue" +cryptdisks_stop flagopt_crypt + + +####################################################################### +# no-write-workqueue + +cat >/etc/crypttab <<-EOF + flagopt_crypt $CRYPT_DEV $TMPDIR/keyfile no-write-workqueue +EOF + +cryptdisks_start flagopt_crypt +dmsetup table --target=crypt flagopt_crypt | cut -d" " -f10- | grep -Fw "no_write_workqueue" +cryptdisks_stop flagopt_crypt + + +####################################################################### +# swap + +disk_setup +cat >/etc/crypttab <<-EOF + swap_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,swap +EOF + +cryptdisks_start swap_crypt +test -b /dev/mapper/swap_crypt + +t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)" +test "$t" = "swap" +cryptdisks_stop swap_crypt + +# refuse to proceed if the target contains a file system... +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +cat >/etc/crypttab <<-EOF + swap_crypt $CRYPT_DEV $TMPDIR/keyfile swap + swap_crypt2 $CRYPT_DEV $TMPDIR/keyfile +EOF +cryptdisks_start swap_crypt2 +mke2fs -t ext4 -m0 -Fq /dev/mapper/swap_crypt2 +t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)" +test "$t" = "ext4" +cryptdisks_stop swap_crypt2 + +! cryptdisks_start swap_crypt +test ! -b /dev/mapper/swap_crypt + +# ... unless that's already a swap device +cryptdisks_start swap_crypt2 +mkswap -f /dev/mapper/swap_crypt2 +t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt2)" +test "$t" = "swap" +u="$(blkid -s UUID -o value /dev/mapper/swap_crypt2)" +cryptdisks_stop swap_crypt2 + +cryptdisks_start swap_crypt +test -b /dev/mapper/swap_crypt +t="$(blkid -s TYPE -o value /dev/mapper/swap_crypt)" +test "$t" = "swap" +u2="$(blkid -s UUID -o value /dev/mapper/swap_crypt)" +test "$u" != "$u2" +cryptdisks_stop swap_crypt + + +####################################################################### +# tmp= + +disk_setup +cat >/etc/crypttab <<-EOF + tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp=ext2 +EOF + +# run mkfs.ext2 +cryptdisks_start tmp_crypt +test -b /dev/mapper/tmp_crypt + +t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)" +test "$t" = "ext2" +cryptdisks_stop tmp_crypt + +# default type is ext4 +cat >/etc/crypttab <<-EOF + tmp_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,tmp +EOF +cryptdisks_start tmp_crypt +t="$(blkid -s TYPE -o value /dev/mapper/tmp_crypt)" +test "$t" = "ext4" +cryptdisks_stop tmp_crypt + + +####################################################################### +# check= + +disk_setup +cat >/etc/crypttab <<-EOF + check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256 +EOF + +# precheck failed: $CRYPT_DEV contains a filesystem +mke2fs -t ext4 -m0 -Fq -- "$CRYPT_DEV" +t="$(blkid -s TYPE -o value -- "$CRYPT_DEV")" +test "$t" = "ext4" +! cryptdisks_start check_crypt +test ! -b /dev/mapper/check_crypt + +# precheck failed: $CRYPT_DEV contains a filesystem at the given offset (cf. #994056) +offset=2048 +disk_setup +cat >/etc/crypttab <<-EOF + check_crypt $CRYPT_DEV /dev/urandom plain,cipher=aes-xts-plain64,size=256,offset=$offset +EOF + +dmsetup create hidden --table "0 4096 linear $CRYPT_DEV $offset" +mke2fs -t ext2 -m0 -Fq /dev/mapper/hidden +u="$(blkid -p -s UUID -o value /dev/mapper/hidden)" +dmsetup remove hidden +u2="$(blkid -p -O$((offset*512)) -s UUID -o value -- "$CRYPT_DEV")" +test "$u" = "$u2" +t="$(blkid -p -O$((offset*512)) -s TYPE -o value -- "$CRYPT_DEV")" +test "$t" = "ext2" + +! cryptdisks_start check_crypt +test ! -b /dev/mapper/check_crypt + +# check failed: mapped device does not contain a known file system +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +cat >/etc/crypttab <<-EOF + check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check + check_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256 +EOF + +! cryptdisks_start check_crypt +test ! -b /dev/mapper/check_crypt + +# success +cryptdisks_start check_crypt2 +mke2fs -t ext4 -m0 -Fq /dev/mapper/check_crypt2 +u="$(blkid -s UUID -o value /dev/mapper/check_crypt2)" +cryptdisks_stop check_crypt2 +cryptdisks_start check_crypt +test -b /dev/mapper/check_crypt +u2="$(blkid -s UUID -o value /dev/mapper/check_crypt)" +test "$u" = "$u2" +cryptdisks_stop check_crypt + +# custom check +install -m0755 -- /dev/null "$TMPDIR/check" +cat >"$TMPDIR/check" <<-EOF + #!/bin/bash + printf '%s\\0' "\$0" >"$TMPDIR/cmdline" + while [ \$# -gt 0 ]; do + printf '%s\\0' "\$1" + shift + done >>"$TMPDIR/cmdline" + exit 0 +EOF + +cat >/etc/crypttab <<-EOF + check_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check +EOF +cryptdisks_start check_crypt +dm="$(readlink -e "/dev/mapper/check_crypt")" +cryptdisks_stop check_crypt +printf '%s\0%s\0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2" +diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline" + + +####################################################################### +# checkargs= + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +cat >/etc/crypttab <<-EOF + checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check,checkargs=ext4 + checkargs_crypt2 $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256 +EOF + +# check failed: mapped device does not contain a known file system +! cryptdisks_start checkargs_crypt +test ! -b /dev/mapper/checkargs_crypt + +# check failed: mapped device is not ext4 +cryptdisks_start checkargs_crypt2 +mke2fs -t ext2 -m0 -Fq /dev/mapper/checkargs_crypt2 +cryptdisks_stop checkargs_crypt2 +! cryptdisks_start checkargs_crypt +test ! -b /dev/mapper/checkargs_crypt + +# success +cryptdisks_start checkargs_crypt2 +mke2fs -t ext4 -m0 -Fq /dev/mapper/checkargs_crypt2 +u="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt2)" +cryptdisks_stop checkargs_crypt2 +cryptdisks_start checkargs_crypt +u2="$(blkid -s UUID -o value /dev/mapper/checkargs_crypt)" +test "$u" = "$u2" +test -b /dev/mapper/checkargs_crypt +cryptdisks_stop checkargs_crypt + +# check failed: mapped device is not ext2 +sed -i "s/checkargs=ext4/checkargs=ext2/" /etc/crypttab +! cryptdisks_start checkargs_crypt +test ! -b /dev/mapper/checkargs_crypt + +# custom check +cat >/etc/crypttab <<-EOF + checkargs_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=aes-xts-plain64,size=256,check=$TMPDIR/check,checkargs=foo\\0012b\\0011a\\0054r\\0040 +EOF +cryptdisks_start checkargs_crypt +dm="$(readlink -e "/dev/mapper/checkargs_crypt")" +cryptdisks_stop checkargs_crypt +printf '%s\0%s\0foo\nb\ta,r \0' "$TMPDIR/check" "$dm" >"$TMPDIR/cmdline2" +diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline" + + +####################################################################### +# noauto + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +cat >/etc/crypttab <<-EOF + noauto_crypt $CRYPT_DEV $TMPDIR/keyfile noauto +EOF +cryptdisks_start noauto_crypt +test -b /dev/mapper/noauto_crypt +cryptdisks_stop noauto_crypt + + +####################################################################### +# (custom) keyscript + +disk_setup +head -c32 </dev/urandom >"$TMPDIR/keyfile" +luks2Format -- "$CRYPT_DEV" "$TMPDIR/keyfile" + +KEYSCRIPT="$TMPDIR/decrypt_foo,bar +b a z" + +# make sure we export CRYPTTAB_* as documented +install -m0755 -- /dev/null "$KEYSCRIPT" +cat >"$KEYSCRIPT" <<-EOF + #!/bin/bash + printf '%s\\0' "\$0" >"$TMPDIR/cmdline" + while [ \$# -gt 0 ]; do + printf '%s\\0' "\$1" + shift + done >>"$TMPDIR/cmdline" + install -m0600 "/proc/\$\$/environ" "$TMPDIR/environ" + cat <"$TMPDIR/keyfile" +EOF + +# add extra unknown option (visible in $CRYPTTAB_OPTIONS but there is no $CRYPTTAB_OPTION_*) +cat >/etc/crypttab <<-EOF + keyscript\\0045crypt $CRYPT_IMG foo\\0011bar\\0040baz nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks +EOF + +cryptdisks_start "keyscript%crypt" +dmsetup table --target=crypt "keyscript%crypt" | cut -d" " -f5 | grep -F ":64:logon:cryptsetup:" # name in /dev/mapper is probably mangled +cryptdisks_stop "keyscript%crypt" + +# compare command line +printf '%s\0foo\tbar baz\0' "$KEYSCRIPT" >"$TMPDIR/cmdline2" +diff -u --label=a/cmdline --label=b/cmdline -- "$TMPDIR/cmdline2" "$TMPDIR/cmdline" + +# compare environment +tr '\n' '\0' <<-EOF | sed -rz "s|@@DECRYPT_FOOBAR@@|${KEYSCRIPT//$'\n'/"\\n"}|" >"$TMPDIR/environ2" + CRYPTTAB_KEY=foo bar baz + CRYPTTAB_NAME=keyscript%crypt + CRYPTTAB_OPTIONS=nonexistent,keyscript=@@DECRYPT_FOOBAR@@,luks + CRYPTTAB_OPTION_keyscript=@@DECRYPT_FOOBAR@@ + CRYPTTAB_OPTION_luks=yes + CRYPTTAB_SOURCE=$CRYPT_IMG + CRYPTTAB_TRIED=0 + _CRYPTTAB_KEY=foo\\0011bar\\0040baz + _CRYPTTAB_NAME=keyscript\\0045crypt + _CRYPTTAB_OPTIONS=nonexistent,keyscript=$TMPDIR/decrypt_foo\\0054bar\\0012b\\0040a\\0040z,luks + _CRYPTTAB_SOURCE=$CRYPT_IMG +EOF +grep -Ez "^_?CRYPTTAB_" <"$TMPDIR/environ" | sort -z | diff -u --label=a/environ --label=b/environ -- "$TMPDIR/environ2" - diff --git a/debian/tests/cryptdisks.init b/debian/tests/cryptdisks.init new file mode 100755 index 0000000..408c325 --- /dev/null +++ b/debian/tests/cryptdisks.init @@ -0,0 +1,84 @@ +#!/bin/bash + +set -eu +PATH="/usr/bin:/bin:/usr/sbin:/sbin" +export PATH + +if [ -d /run/systemd/system ]; then + export SYSTEMCTL_SKIP_REDIRECT="y" + # systemd masks cryptdisks.service and we can't unmask it because /etc/init.d is the only source + rm -f -- $(systemctl show -p FragmentPath --value cryptdisks.service) + systemctl daemon-reload +fi + +# create 64M zero devices +dmsetup create disk0 --table "0 $(( 64 * 2*1024)) zero" +dmsetup create disk1 --table "0 $(( 64 * 2*1024)) zero" +dmsetup create disk2 --table "0 $(( 64 * 2*1024)) zero" +dmsetup create disk3 --table "0 $((128 * 2*1024)) zero" + +# join disk #1 and #2 +dmsetup create disk12 <<-EOF + 0 $((64 * 2*1024)) linear /dev/mapper/disk1 0 + $((64 * 2*1024)) $((64 * 2*1024)) linear /dev/mapper/disk2 0 +EOF + +cipher="aes-cbc-essiv:sha256" +size=32 # bytes +cat >/etc/crypttab <<-EOF + crypt_disk0 /dev/mapper/disk0 /dev/urandom plain,cipher=$cipher,size=$((8*size)) + crypt_disk0a /dev/mapper/crypt_disk0 /dev/urandom plain,cipher=$cipher,size=$((8*size)) + crypt_disk12 /dev/mapper/disk12 /dev/urandom plain,cipher=$cipher,size=$((8*size)) + crypt_disk3 /dev/mapper/disk3 /dev/urandom plain,cipher=$cipher,size=$((8*size)) + crypt_disk3b /dev/mapper/crypt_disk3 /dev/urandom plain,cipher=$cipher,size=$((8*size)),offset=$(( 64 * 2*1024)) + crypt_disk3b0 /dev/mapper/crypt_disk3b /dev/urandom plain,cipher=$cipher,size=$((8*size)) +EOF + +/etc/init.d/cryptdisks start + +# now add crypt_disk3a (preceeding crypt_disk3b) with a size limit (can't do that via crypttab but dmsetup allows it) +dmsetup create crypt_disk3a --uuid "CRYPT-PLAIN-crypt_disk3a" --addnodeoncreate <<-EOF + 0 $((64 * 2*1024)) crypt $cipher $(xxd -l$size -ps -c256 </dev/urandom) 0 /dev/mapper/crypt_disk3 0 +EOF + +lsblk +# disk0 253:0 0 64M 0 dm +# └─crypt_disk0 253:5 0 64M 0 crypt +# └─crypt_disk0a 253:6 0 64M 0 crypt +# disk1 253:1 0 64M 0 dm +# └─disk12 253:4 0 128M 0 dm +# └─crypt_disk12 253:7 0 128M 0 crypt +# disk2 253:2 0 64M 0 dm +# └─disk12 253:4 0 128M 0 dm +# └─crypt_disk12 253:7 0 128M 0 crypt +#disk3 253:3 0 128M 0 dm +#└─crypt_disk3 253:8 0 128M 0 crypt +# ├─crypt_disk3b 253:9 0 64M 0 crypt +# │ └─crypt_disk3b0 253:10 0 64M 0 crypt +# └─crypt_disk3a 253:11 0 64M 0 dm + +# check device-mapper table (crypt target only) +# https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt +# <start_sector> <size> "crypt" <target mapping table> <cipher> <key> <iv_offset> <device path> <offset> [<#opt_params> <opt_params>] +dmsetup table --target="crypt" >"$AUTOPKGTEST_TMP/table" +sed -ri "s/\\s+0{$((2*size))}(\\s+[0-9]+)\\s+[0-9]+:[0-9]+(\s|$)/\\1\\2/" -- "$AUTOPKGTEST_TMP/table" +LC_ALL=C sort -t: -k1,1 <"$AUTOPKGTEST_TMP/table" >"$AUTOPKGTEST_TMP/table2" + +diff -u --color=auto --label="a/table" --label="b/table" -- - "$AUTOPKGTEST_TMP/table2" <<-EOF + crypt_disk0: 0 $((64 * 2*1024)) crypt $cipher 0 0 + crypt_disk0a: 0 $((64 * 2*1024)) crypt $cipher 0 0 + crypt_disk12: 0 $((2*64 * 2*1024)) crypt $cipher 0 0 + crypt_disk3: 0 $((128 * 2*1024)) crypt $cipher 0 0 + crypt_disk3a: 0 $((64 * 2*1024)) crypt $cipher 0 0 + crypt_disk3b: 0 $((64 * 2*1024)) crypt $cipher 0 $((64 * 2*1024)) + crypt_disk3b0: 0 $((64 * 2*1024)) crypt $cipher 0 0 +EOF + +# close disks and ensure there no leftover devices +/etc/init.d/cryptdisks stop +dmsetup table --target="crypt" >"$AUTOPKGTEST_TMP/table" +if [ -s "$AUTOPKGTEST_TMP/table" ]; then + echo "ERROR: leftover crypt devices" >&2 + cat <"$AUTOPKGTEST_TMP/table" + exit 1 +fi diff --git a/debian/tests/cryptroot-legacy b/debian/tests/cryptroot-legacy new file mode 120000 index 0000000..2e34c2d --- /dev/null +++ b/debian/tests/cryptroot-legacy @@ -0,0 +1 @@ +utils/cryptroot-common
\ No newline at end of file diff --git a/debian/tests/cryptroot-legacy.d/bottom b/debian/tests/cryptroot-legacy.d/bottom new file mode 100644 index 0000000..8bf492f --- /dev/null +++ b/debian/tests/cryptroot-legacy.d/bottom @@ -0,0 +1,9 @@ +umount "$ROOT/boot" +umount "$ROOT" + +swapoff /dev/cryptvg/swap +lvm vgchange -an "cryptvg" + +cryptsetup close "vda3_crypt" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-legacy.d/config b/debian/tests/cryptroot-legacy.d/config new file mode 100644 index 0000000..cff461c --- /dev/null +++ b/debian/tests/cryptroot-legacy.d/config @@ -0,0 +1,14 @@ +PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4 +PKGS_EXTRA+=( lvm2 ) +PKGS_EXTRA+=( cryptsetup-initramfs ) + +# disable AES and SHA instructions +if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+aes(,.*)?$ ]]; then + QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}" +fi +if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+sha-ni(,.*)?$ ]]; then + QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}" +fi +QEMU_CPU_MODEL="$QEMU_CPU_MODEL,-aes,-sha-ni" + +# vim: set filetype=bash : diff --git a/debian/tests/cryptroot-legacy.d/mock b/debian/tests/cryptroot-legacy.d/mock new file mode 100755 index 0000000..b3b7d26 --- /dev/null +++ b/debian/tests/cryptroot-legacy.d/mock @@ -0,0 +1,32 @@ +#!/usr/bin/perl -T + +BEGIN { + require "./debian/tests/utils/mock.pm"; + CryptrootTest::Mock::->import(); +} + +unlock_disk("topsecret"); +login("root"); + +# make sure the root FS and swap are help by dm-crypt devices +shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0); +my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3}); +die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m; +die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m; +die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m; + +# assume MODULES=dep won't add too many modules +# XXX lsinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954 +$out = shell(q{lsinitramfs /boot/initrd.img-`uname -r` | grep -Ec "^(usr/)?lib/modules/.*\.ko(\.[a-z]+)?$"}); +die "$out == 0 or $out > 50" unless $out =~ s/\r?\n\z// and $out =~ /\A([0-9]+)\z/ and $out > 0 and $out <= 50; + +# check cipher and key size +$out = shell(q{dmsetup table --target crypt --showkeys vda3_crypt}); +die unless $out =~ m#\A0\s+\d+\s+crypt\s+aes-cbc-essiv:sha256\s+[0-9a-f]{64}\s#; + +# make sure hardware acceleration for AES isn't available +$out = shell(q{cat /proc/crypto}); +die unless $out =~ m#^name\s*:.*\baes\b#mi; +die if $out =~ m#^(?:name|driver)\s*:.*\b__(?:.*\b)?aes\b#mi; + +QMP::quit(); diff --git a/debian/tests/cryptroot-legacy.d/preinst b/debian/tests/cryptroot-legacy.d/preinst new file mode 100644 index 0000000..ee76481 --- /dev/null +++ b/debian/tests/cryptroot-legacy.d/preinst @@ -0,0 +1,14 @@ +cat >/etc/crypttab <<-EOF + vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none luks,discard +EOF + +cat >/etc/fstab <<-EOF + /dev/cryptvg/root / auto errors=remount-ro 0 1 + /dev/cryptvg/swap none swap sw 0 0 + UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2 +EOF + +# explicitely set MODULES=dep (yes it's the default, but doesn't hurt) +echo "MODULES=dep" >/etc/initramfs-tools/conf.d/modules + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-legacy.d/setup b/debian/tests/cryptroot-legacy.d/setup new file mode 100644 index 0000000..c7ab31f --- /dev/null +++ b/debian/tests/cryptroot-legacy.d/setup @@ -0,0 +1,46 @@ +# LVM-on-LUKS2 layout from an old system: pre-2013 cryptsetup defaults, +# no AES hardware acceleration (and MODULES=dep) + +sfdisk --append /dev/vda <<-EOF + unit: sectors + + start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS} + start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS} +EOF +udevadm settle + +# Use pre-2013 (<1.6.0) defaults: LUKS1, aes-cbc-essiv:sha256 cipher, 256bits key +# <1.6.0 default hash was sha1 but we use legacy hash ripemd160 here to test OpenSSL's +# legacy.so +echo -n "topsecret" >/rootfs.key +cryptsetup luksFormat --batch-mode \ + --key-file=/rootfs.key \ + --type=luks1 \ + --pbkdf-force-iterations=1000 \ + --cipher="aes-cbc-essiv:sha256" \ + --hash="ripemd160" \ + --key-size=256 \ + -- /dev/vda3 +cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \ + -- /dev/vda3 "vda3_crypt" +udevadm settle + +lvm pvcreate /dev/mapper/vda3_crypt +lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt +lvm lvcreate -Zn --size 64m --name "swap" "cryptvg" +lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg" +lvm vgchange -ay "cryptvg" +lvm vgmknodes +udevadm settle + +mke2fs -Ft ext4 /dev/cryptvg/root +mount -t ext4 /dev/cryptvg/root "$ROOT" + +mkdir "$ROOT/boot" +mke2fs -Ft ext2 -m0 /dev/vda2 +mount -t ext2 /dev/vda2 "$ROOT/boot" + +mkswap /dev/cryptvg/swap +swapon /dev/cryptvg/swap + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-lvm b/debian/tests/cryptroot-lvm new file mode 120000 index 0000000..2e34c2d --- /dev/null +++ b/debian/tests/cryptroot-lvm @@ -0,0 +1 @@ +utils/cryptroot-common
\ No newline at end of file diff --git a/debian/tests/cryptroot-lvm.d/bottom b/debian/tests/cryptroot-lvm.d/bottom new file mode 100644 index 0000000..8bf492f --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/bottom @@ -0,0 +1,9 @@ +umount "$ROOT/boot" +umount "$ROOT" + +swapoff /dev/cryptvg/swap +lvm vgchange -an "cryptvg" + +cryptsetup close "vda3_crypt" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-lvm.d/config b/debian/tests/cryptroot-lvm.d/config new file mode 100644 index 0000000..ac595b0 --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/config @@ -0,0 +1,10 @@ +PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4 +PKGS_EXTRA+=( dbus ) # for systemctl(1) +PKGS_EXTRA+=( lvm2 ) +PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup-suspend ) + +QEMU_MEMORY="size=512M" +GUEST_POWERCYCLE=1 # boot again after hibernation +DRIVE_SIZES=( "3G" ) # need a big enough swap to accomodate the memory + +# vim: set filetype=bash : diff --git a/debian/tests/cryptroot-lvm.d/mock b/debian/tests/cryptroot-lvm.d/mock new file mode 100755 index 0000000..f57e42f --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/mock @@ -0,0 +1,49 @@ +#!/usr/bin/perl -T + +BEGIN { + require "./debian/tests/utils/mock.pm"; + CryptrootTest::Mock::->import(); +} + +my $POWERCYCLE_COUNT = $ARGV[0]; + +unlock_disk("topsecret"); + +if ($POWERCYCLE_COUNT == 0) { + login("root"); + + # make sure the root FS and swap are help by dm-crypt devices + shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0); + my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3}); + die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m; + die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m; + die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m; + + # create a stamp in memory, hibernate (suspend on disk) and thaw + shell(q{echo hello >/dev/shm/foo.stamp}); + hibernate(); +} +else { + expect($SERIAL => qr/(?:^|\s)?PM: (?:hibernation: )?hibernation exit\r\n/m); + # no need to relogin, we get the shell as we left it + shell(q{grep -Fx hello </dev/shm/foo.stamp}, rv => 0); + + # briefly suspend + suspend(); + + # make sure wakeup yields a cryptsetup prompt + wakeup(); + expect($SERIAL => qr/(?:^|\s)?PM: suspend exit\r\n/m); + unlock_disk("topsecret"); + + # consume PS1 to make sure we're at a shell prompt + expect($CONSOLE => qr/\A $PS1 \z/aamsx); + my $out = shell(q{dmsetup info -c --noheadings -omangled_name,suspended --separator ' '}); + die if grep !/[:[:blank:]]Active$/i, split(/\r?\n/, $out); + + # test I/O on the root file system + shell(q{cp -vT /dev/shm/foo.stamp /cryptroot.stamp}); + shell(q{grep -Fx hello </cryptroot.stamp}, rv => 0); + + QMP::quit(); +} diff --git a/debian/tests/cryptroot-lvm.d/postinst b/debian/tests/cryptroot-lvm.d/postinst new file mode 100644 index 0000000..b9ffe35 --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/postinst @@ -0,0 +1,17 @@ +mkdir /etc/systemd/system/systemd-suspend.service.d +cat >/etc/systemd/system/systemd-suspend.service.d/zz-cryptsetup-suspend-mock.conf <<-EOF + # override the command and don't call openvt(1) here since VT8 isn't + # available from the mocking logic -- we use /dev/console instead + + [Service] + StandardInput=tty + StandardOutput=inherit + StandardError=inherit + TTYPath=/dev/console + TTYReset=yes + + ExecStart= + ExecStart=/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper +EOF + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-lvm.d/preinst b/debian/tests/cryptroot-lvm.d/preinst new file mode 100644 index 0000000..650b9b6 --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/preinst @@ -0,0 +1,14 @@ +cat >/etc/crypttab <<-EOF + vda3_crypt PARTUUID=$(blkid -s PARTUUID -o value /dev/vda3) none luks,discard +EOF + +cat >/etc/fstab <<-EOF + /dev/cryptvg/root / auto errors=remount-ro 0 1 + /dev/cryptvg/swap none swap sw 0 0 + UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2 +EOF + +mkdir -p /etc/initramfs-tools/conf.d +echo "RESUME=/dev/cryptvg/swap" >/etc/initramfs-tools/conf.d/resume + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-lvm.d/setup b/debian/tests/cryptroot-lvm.d/setup new file mode 100644 index 0000000..890bbb6 --- /dev/null +++ b/debian/tests/cryptroot-lvm.d/setup @@ -0,0 +1,45 @@ +# Simple LVM-on-LUKS2 layout -- more or less emulates what one gets out +# of d-i with the "encrypted LVM" partioning method. + +# create two new partitions for /boot and LUKS respectively (the first +# one is always used for BIOS/EFI and never exceeds sector 64*1024*2) +sfdisk --append /dev/vda <<-EOF + unit: sectors + + start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS} + start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS} +EOF +udevadm settle + +# initialize a new LUKS partition and open it +echo -n "topsecret" >/rootfs.key +cryptsetup luksFormat --batch-mode \ + --key-file=/rootfs.key \ + --type=luks2 \ + --pbkdf=argon2id \ + --pbkdf-force-iterations=4 \ + --pbkdf-memory=32 \ + -- /dev/vda3 +cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \ + -- /dev/vda3 "vda3_crypt" +udevadm settle + +lvm pvcreate /dev/mapper/vda3_crypt +lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt +lvm lvcreate -Zn --size 1024m --name "swap" "cryptvg" +lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg" +lvm vgchange -ay "cryptvg" +lvm vgmknodes +udevadm settle + +mke2fs -Ft ext4 /dev/cryptvg/root +mount -t ext4 /dev/cryptvg/root "$ROOT" + +mkdir "$ROOT/boot" +mke2fs -Ft ext2 -m0 /dev/vda2 +mount -t ext2 /dev/vda2 "$ROOT/boot" + +mkswap /dev/cryptvg/swap +swapon /dev/cryptvg/swap + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-md b/debian/tests/cryptroot-md new file mode 120000 index 0000000..2e34c2d --- /dev/null +++ b/debian/tests/cryptroot-md @@ -0,0 +1 @@ +utils/cryptroot-common
\ No newline at end of file diff --git a/debian/tests/cryptroot-md.d/bottom b/debian/tests/cryptroot-md.d/bottom new file mode 100644 index 0000000..a771c91 --- /dev/null +++ b/debian/tests/cryptroot-md.d/bottom @@ -0,0 +1,15 @@ +umount "$ROOT/boot" +umount "$ROOT" + +swapoff /dev/md1 +mdadm --stop /dev/md1 +cryptsetup close "vda3_crypt" +cryptsetup close "vdb3_crypt" + +swapoff /dev/cryptvg/swap +lvm vgchange -an "cryptvg" +mdadm --stop /dev/md2 +cryptsetup close "vda4_crypt" +cryptsetup close "vdb4_crypt" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-md.d/config b/debian/tests/cryptroot-md.d/config new file mode 100644 index 0000000..0c9e5ff --- /dev/null +++ b/debian/tests/cryptroot-md.d/config @@ -0,0 +1,7 @@ +PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4 +PKGS_EXTRA+=( lvm2 mdadm ) +PKGS_EXTRA+=( cryptsetup-initramfs ) + +DRIVE_SIZES=( "1536M" "1536M" ) + +# vim: set filetype=bash : diff --git a/debian/tests/cryptroot-md.d/mock b/debian/tests/cryptroot-md.d/mock new file mode 100755 index 0000000..51f8c9c --- /dev/null +++ b/debian/tests/cryptroot-md.d/mock @@ -0,0 +1,41 @@ +#!/usr/bin/perl -T + +BEGIN { + require "./debian/tests/utils/mock.pm"; + CryptrootTest::Mock::->import(); +} + +my %passphrases; +$passphrases{$_} = $_ foreach qw/vda3_crypt vda4_crypt vdb3_crypt vdb4_crypt/; +unlock_disk(\%passphrases) for 1 .. scalar(%passphrases); + +# check that the above was done at initramfs stage +expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #); + +login("root"); + +# make sure the root FS and swap are help by dm-crypt devices +shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<vda3_crypt}, rv => 0); +shell(q{cryptsetup luksOpen --test-passphrase /dev/vda4 <<<vda4_crypt}, rv => 0); +shell(q{cryptsetup luksOpen --test-passphrase /dev/vdb3 <<<vdb3_crypt}, rv => 0); +shell(q{cryptsetup luksOpen --test-passphrase /dev/vdb4 <<<vdb4_crypt}, rv => 0); + +my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3}); +die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m; +die unless $out =~ m#^ `-md1\s+raid0\s+\[SWAP\]\s*$#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb3}); +die unless $out =~ m#^`-vdb3_crypt\s+crypt\s*$#m; +die unless $out =~ m#^ `-md1\s+raid0\s+\[SWAP\]\s*$#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda4}); +die unless $out =~ m#^`-vda4_crypt\s+crypt\s*$#m; +die unless $out =~ m#^ [`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m; +die unless $out =~ m#^ [`|]-cryptvg-root\s+lvm\s+/\s*$#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb4}); +die unless $out =~ m#^`-vdb4_crypt\s+crypt\s*$#m; +die unless $out =~ m#^ [`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m; +die unless $out =~ m#^ [`|]-cryptvg-root\s+lvm\s+/\s*$#m; + +QMP::quit(); diff --git a/debian/tests/cryptroot-md.d/preinst b/debian/tests/cryptroot-md.d/preinst new file mode 100644 index 0000000..84bfa7a --- /dev/null +++ b/debian/tests/cryptroot-md.d/preinst @@ -0,0 +1,20 @@ +# intentionally mix UUID= and /dev +cat >/etc/crypttab <<-EOF + vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none discard + vda4_crypt UUID=$(blkid -s UUID -o value /dev/vda4) none discard + vdb3_crypt /dev/vdb3 none discard + vdb4_crypt /dev/vdb4 none discard +EOF + +cat >/etc/fstab <<-EOF + /dev/cryptvg/root / auto errors=remount-ro 0 1 + /dev/cryptvg/swap none swap sw 0 0 + /dev/md1 none swap sw 0 0 + UUID=$(blkid -s UUID -o value /dev/md0) /boot auto defaults 0 2 +EOF + +# force unlocking /dev/md1 holders (/dev/vd[ab]3) at initramfs stage +mkdir -p /etc/initramfs-tools/conf.d +echo "RESUME=/dev/md1" >/etc/initramfs-tools/conf.d/resume + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-md.d/setup b/debian/tests/cryptroot-md.d/setup new file mode 100644 index 0000000..a8f49ed --- /dev/null +++ b/debian/tests/cryptroot-md.d/setup @@ -0,0 +1,84 @@ +# Rather convoluted LVM-on-MD-on-LUKS2 layout with 2 swap areas, /boot +# on RAID1, SWAP0 on RAID0, LVM on RAID1 and 4 independently encrypted +# partitions decrypt at early boot stage: + +# NAME TYPE MOUNTPOINTS +# vda disk +# ├─vda1 part +# ├─vda2 part +# │ └─md0 raid1 /boot +# ├─vda3 part +# │ └─vda3_crypt crypt +# │ └─md1 raid0 [SWAP] +# └─vda4 part +# └─vda4_crypt crypt +# └─md2 raid1 +# ├─cryptvg-swap lvm [SWAP] +# └─cryptvg-root lvm / +# vdb disk +# ├─vdb1 part +# ├─vdb2 part +# │ └─md0 raid1 /boot +# ├─vdb3 part +# │ └─vdb3_crypt crypt +# │ └─md1 raid0 [SWAP] +# └─vdb4 part +# └─vdb4_crypt crypt +# └─md2 raid1 +# ├─cryptvg-swap lvm [SWAP] +# └─cryptvg-root lvm / + +sfdisk --append /dev/vda <<-EOF + unit: sectors + + start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS} + start=$(((64+128)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_LUKS} + start=$(((64+128+64)*1024*2)), type=${GUID_TYPE_LUKS} +EOF +udevadm settle + +# copy vda's partition table onto vdb +sfdisk -d /dev/vda | sfdisk /dev/vdb +udevadm settle + +for d in vda3 vda4 vdb3 vdb4; do + echo -n "${d}_crypt" >/keyfile + cryptsetup luksFormat --batch-mode \ + --key-file=/keyfile \ + --type=luks2 \ + --pbkdf=argon2id \ + --pbkdf-force-iterations=4 \ + --pbkdf-memory=32 \ + -- "/dev/$d" + cryptsetup luksOpen --key-file=/keyfile --allow-discards \ + -- "/dev/$d" "${d}_crypt" + udevadm settle +done + +mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 /dev/vda2 /dev/vdb2 +mdadm --create /dev/md1 --metadata=default --level=0 --raid-devices=2 /dev/mapper/vda3_crypt /dev/mapper/vdb3_crypt +mdadm --create /dev/md2 --metadata=default --level=1 --raid-devices=2 /dev/mapper/vda4_crypt /dev/mapper/vdb4_crypt +udevadm settle + +lvm pvcreate /dev/md2 +lvm vgcreate "cryptvg" /dev/md2 +lvm lvcreate -Zn --size 64m --name "swap" "cryptvg" +lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg" +lvm vgchange -ay "cryptvg" +lvm vgmknodes +udevadm settle + + +mke2fs -Ft ext4 /dev/cryptvg/root +mount -t ext4 /dev/cryptvg/root "$ROOT" + +mkdir "$ROOT/boot" +mke2fs -Ft ext2 -m0 /dev/md0 +mount -t ext2 /dev/md0 "$ROOT/boot" + +mkswap /dev/cryptvg/swap +swapon /dev/cryptvg/swap +mkswap /dev/md1 +swapon /dev/md1 + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-nested b/debian/tests/cryptroot-nested new file mode 120000 index 0000000..2e34c2d --- /dev/null +++ b/debian/tests/cryptroot-nested @@ -0,0 +1 @@ +utils/cryptroot-common
\ No newline at end of file diff --git a/debian/tests/cryptroot-nested.d/bottom b/debian/tests/cryptroot-nested.d/bottom new file mode 100644 index 0000000..9c2e07a --- /dev/null +++ b/debian/tests/cryptroot-nested.d/bottom @@ -0,0 +1,17 @@ +umount "$ROOT/boot" +umount "$ROOT/home" +umount "$ROOT/usr" +umount "$ROOT/var" +umount "$ROOT" + +swapoff /dev/mapper/testvg-lv0_crypt +cryptsetup close "testvg-lv0_crypt" +cryptsetup close "vdd_crypt" + +cryptsetup close "md0_crypt" +mdadm --stop /dev/md0 + +cryptsetup close "testvg-lv1_crypt" +lvm vgchange -an "testvg" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-nested.d/config b/debian/tests/cryptroot-nested.d/config new file mode 100644 index 0000000..995200c --- /dev/null +++ b/debian/tests/cryptroot-nested.d/config @@ -0,0 +1,7 @@ +PKGS_EXTRA+=( btrfs-progs lvm2 mdadm ) +PKGS_EXTRA+=( cryptsetup-initramfs ) + +# /dev/mapper/testvg-lv1_crypt and /dev/vdc are both 1G and used in RAID1 mode +DRIVE_SIZES=( "1G" "264M" "1G" "512M" ) + +# vim: set filetype=bash : diff --git a/debian/tests/cryptroot-nested.d/mock b/debian/tests/cryptroot-nested.d/mock new file mode 100755 index 0000000..cccb35f --- /dev/null +++ b/debian/tests/cryptroot-nested.d/mock @@ -0,0 +1,44 @@ +#!/usr/bin/perl -T + +BEGIN { + require "./debian/tests/utils/mock.pm"; + CryptrootTest::Mock::->import(); +} + +my %passphrases; +$passphrases{$_} = $_ foreach qw/testvg-lv0_crypt testvg-lv1_crypt md0_crypt vdd_crypt/; +unlock_disk(\%passphrases) for 1 .. scalar(%passphrases); + +# check that the above was done at initramfs stage +expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #); + +login("root"); + +# make sure the root FS and swap are help by dm-crypt devices +shell(q{cryptsetup luksOpen --test-passphrase /dev/md0 <<<md0_crypt}, rv => 0); +shell(q{cryptsetup luksOpen --test-passphrase /dev/vdd <<<vdd_crypt}, rv => 0); +shell(q{cryptsetup luksOpen --test-passphrase /dev/testvg/lv1 <<<testvg-lv1_crypt}, rv => 0); + +my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3}); +die unless $out =~ m#^[`|]-testvg-lv0\s+lvm\s*$#m; +die unless $out =~ m#^[| ] `-testvg-lv0_crypt\s+crypt\s+\[SWAP\]\s*$#m; +die unless $out =~ m#^[`|]-testvg-lv1\s+lvm\s*$#m; +die unless $out =~ m#^[| ] `-testvg-lv1_crypt\s+crypt\s*$#m; +die unless $out =~ m#^[| ] `-md0\s+raid1\s*$#m; +die unless $out =~ m#^[| ] `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb}); +die unless $out =~ m#^`-testvg-lv1\s+lvm\s*$#m; +die unless $out =~ m#^ `-testvg-lv1_crypt\s+crypt\s*$#m; +die unless $out =~ m#^ `-md0\s+raid1\s*$#m; +die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdc}); +die unless $out =~ m#^`-md0\s+raid1\s*$#m; +die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m; + +$out = shell(q{btrfs filesystem show /}); +die unless $out =~ m#^\s*devid\s+1\s.*\s/dev/mapper/vdd_crypt\s*$#m; +die unless $out =~ m#^\s*devid\s+2\s.*\s/dev/mapper/md0_crypt\s*$#m; + +QMP::quit(); diff --git a/debian/tests/cryptroot-nested.d/preinst b/debian/tests/cryptroot-nested.d/preinst new file mode 100644 index 0000000..c5f576b --- /dev/null +++ b/debian/tests/cryptroot-nested.d/preinst @@ -0,0 +1,21 @@ +# check both UUID= and /dev/mapper/NAME sources for testvg-*_crypt to test for regressions a la #902943 +cat >/etc/crypttab <<-EOF + md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none + vdd_crypt UUID=$(blkid -s UUID -o value /dev/vdd) none + testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160 + testvg-lv1_crypt UUID=$(blkid -s UUID -o value /dev/testvg/lv1) none +EOF + +cat >/etc/fstab <<-EOF + /dev/mapper/vdd_crypt / btrfs compress=lzo,subvol=@ 0 1 + /dev/mapper/vdd_crypt /home btrfs compress=lzo,subvol=@home 0 2 + /dev/mapper/vdd_crypt /usr btrfs compress=lzo,subvol=@usr 0 2 + /dev/mapper/vdd_crypt /var btrfs compress=lzo,subvol=@var 0 2 + UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext2 defaults 0 2 + /dev/mapper/testvg-lv0_crypt none swap sw 0 0 +EOF + +mkdir -p /etc/initramfs-tools/conf.d +echo "RESUME=/dev/mapper/testvg-lv0_crypt" >/etc/initramfs-tools/conf.d/resume + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup new file mode 100644 index 0000000..6fb6ccd --- /dev/null +++ b/debian/tests/cryptroot-nested.d/setup @@ -0,0 +1,107 @@ +# Unrealistic (and frankly stupid) layout with a complex block device +# stack involving multi-device btrfs and btrfs subvolumes, LUKS-on-MD, +# MD-on-LUKS and LUKS-on-LVM incl. nested dm-crypt volumes: + +# NAME TYPE MOUNTPOINTS +# vda disk +# ├─vda1 part +# ├─vda2 part /boot +# └─vda3 part +# ├─testvg-lv0 lvm +# │ └─testvg-lv0_crypt crypt [SWAP] +# └─testvg-lv1 lvm +# └─testvg-lv1_crypt crypt +# └─md0 raid1 +# └─md0_crypt crypt /, /home, /usr, /var +# vdb disk +# └─testvg-lv1 lvm +# └─testvg-lv1_crypt crypt +# └─md0 raid1 +# └─md0_crypt crypt /, /home, /usr, /var +# vdc disk +# └─md0 raid1 +# └─md0_crypt crypt /, /home, /usr, /var +# vdd disk +# └─vdd_crypt crypt /, /home, /usr, /var + +sfdisk --append /dev/vda <<-EOF + unit: sectors + + start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS} + start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS} +EOF +udevadm settle + +lvm pvcreate /dev/vda3 +lvm pvcreate /dev/vdb +lvm vgcreate "testvg" /dev/vda3 /dev/vdb +lvm lvcreate -Zn --size 64m --name "lv0" "testvg" +lvm lvcreate -Zn --size 1024m --name "lv1" "testvg" +lvm vgchange -ay "testvg" +lvm vgmknodes +udevadm settle + +echo -n "testvg-lv0_crypt" >/keyfile +cryptsetup open --batch-mode \ + --type=plain \ + --cipher="aes-cbc-essiv:sha256" \ + --key-size=256 \ + --hash="ripemd160" \ + -- "/dev/testvg/lv0" "testvg-lv0_crypt" </keyfile +udevadm settle + +echo -n "testvg-lv1_crypt" >/keyfile +cryptsetup luksFormat --batch-mode \ + --key-file=/keyfile \ + --type=luks1 \ + --pbkdf-force-iterations=1000 \ + -- "/dev/testvg/lv1" +cryptsetup luksOpen --key-file=/keyfile --allow-discards \ + -- "/dev/testvg/lv1" "testvg-lv1_crypt" +udevadm settle + +mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 \ + /dev/mapper/testvg-lv1_crypt /dev/vdc +udevadm settle + +for d in md0 vdd; do + echo -n "${d}_crypt" >/keyfile + cryptsetup luksFormat --batch-mode \ + --key-file=/keyfile \ + --type=luks2 \ + --pbkdf=argon2id \ + --pbkdf-force-iterations=4 \ + --pbkdf-memory=32 \ + -- "/dev/$d" + cryptsetup luksOpen --key-file=/keyfile --allow-discards \ + -- "/dev/${d}" "${d}_crypt" + udevadm settle +done + +# create multi-device btrfs filesystem for the root FS; we list /dev/mapper/vdd_crypt +# first since it's smaller and we want data to span across both devices +mkfs.btrfs -d single /dev/mapper/vdd_crypt /dev/mapper/md0_crypt + +# create subvolumes +mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt /dev/mapper/vdd_crypt "$ROOT" +btrfs subvol create "$ROOT/@" +btrfs subvol create "$ROOT/@usr" +btrfs subvol create "$ROOT/@var" +btrfs subvol create "$ROOT/@home" +umount "$ROOT" + +# now mount the subvolumes +mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@" /dev/mapper/vdd_crypt "$ROOT" +for s in home usr var; do + mkdir -m0755 "$ROOT/$s" + mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@$s" /dev/mapper/vdd_crypt "$ROOT/$s" +done + +mkdir "$ROOT/boot" +mke2fs -Ft ext2 -m0 /dev/vda2 +mount -t ext2 /dev/vda2 "$ROOT/boot" + +mkswap /dev/mapper/testvg-lv0_crypt +swapon /dev/mapper/testvg-lv0_crypt + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-run b/debian/tests/cryptroot-run new file mode 100755 index 0000000..6656bca --- /dev/null +++ b/debian/tests/cryptroot-run @@ -0,0 +1,135 @@ +#!/bin/bash + +# Wrapper for cryptroot-* DEP-8 tests (outside autopkgtest harness) +# This is mostly useful for local tests on the maintainers' machine, +# such as expensive tests we don't want to overload debci with. +# +# Usage: d/t/cryptroot-run [TESTNAME ..] +# +# Copyright © 2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -ue +PATH="/usr/bin:/bin" +export PATH + +if [ -n "${AUTOPKGTEST_TMP+x}" ]; then + echo "ERROR: This script is a test wrapper not an autopkgtest" >&2 + exit 1 +fi + +# git-buildpackages's 'export-dir' option (XXX hardcoding this is not ideal) +EXPORT_DIR="${XDG_CACHE_HOME:-"$HOME/.cache"}/build-area" + +RV=0 +TESTDIR="$(dirname -- "$0")" +declare -a TESTNAMES=() TIME=() CODE=() + +# determine path to the .changes file and extract .deb file list from it +DEB_VERSION="$(dpkg-parsechangelog -SVersion)" +DEB_SOURCE="$(dpkg-parsechangelog -SSource)" +DEB_BUILD_ARCHITECTURE="$(dpkg-architecture -qDEB_BUILD_ARCH)" +if [[ "$DEB_VERSION" =~ ^[0-9]+:(.+)$ ]]; then + DEB_VERSION_NOEPOCH="${BASH_REMATCH[1]}" +else + DEB_VERSION_NOEPOCH="$DEB_VERSION" +fi + +CHANGES_FILE="${DEB_SOURCE}_${DEB_VERSION_NOEPOCH}_${DEB_BUILD_ARCHITECTURE}.changes" +PKG_DIR="$(mktemp --tmpdir --directory "$DEB_SOURCE.XXXXXXXXXX")" +trap "rm -rf -- \"$PKG_DIR\"" EXIT INT TERM + +if [ ! -f "$EXPORT_DIR/$CHANGES_FILE" ]; then + echo "ERROR: $EXPORT_DIR/$CHANGES_FILE: No such file" >&2 + exit 1 +elif grep -qFxe "-----BEGIN PGP SIGNED MESSAGE-----" <"$EXPORT_DIR/$CHANGES_FILE"; then + gpgv --keyring=/dev/null --output="$PKG_DIR/$CHANGES_FILE" <"$EXPORT_DIR/$CHANGES_FILE" 2>/dev/null || true +else + cp -T -- "$EXPORT_DIR/$CHANGES_FILE" "$PKG_DIR/$CHANGES_FILE" +fi + +declare -a EXTRA_PKGS +EXTRA_PKGS=( $(sed -nr '/^Files:/I {:l;n; /^\S/q; s/^\s.*\s(\S+\.deb)$/\1/p; b l }' "$PKG_DIR/$CHANGES_FILE") ) +if [ ${#EXTRA_PKGS[@]} -eq 0 ]; then + echo "ERROR: Couldn't extract .deb list from $CHANGES_FILE" >&2 + exit 1 +fi + +# create temporary repository to expose locally-built .deb to cryptroot-* tests +for deb in "${EXTRA_PKGS[@]}"; do + ln -st "$PKG_DIR" -- "$EXPORT_DIR/$deb" || exit 1 +done + +( cd "$PKG_DIR" && apt-ftparchive packages . >./Packages && apt-ftparchive release . >./Release ) +EXTRA_REPO="deb file:$PKG_DIR /" + +runtest() { + local rv=0 ts_start ts_stop + if [ -f "$t" ] && [ -d "$t.d" ]; then + t="${t#"$TESTDIR/"}" + echo ">>> Running $t..." + ts_start="$(printf "%(%s)T")" + "$TESTDIR/$t" "$EXTRA_REPO" </dev/null || rv=$? + ts_stop="$(printf "%(%s)T")" + + if [ $rv -ne 0 ] && [ $RV -eq 0 -o $rv -lt $RV ]; then + RV=$rv + fi + + TESTNAMES+=( "$t" ) + TIME+=( $((ts_stop - ts_start)) ) + CODE+=( $rv ) + fi +} + + +if [ $# -eq 0 ]; then + for t in "$TESTDIR"/cryptroot-*; do + runtest "$t" + done +else + for t in "$@"; do + if [ "${t#*/}" = "$t" ]; then + t="$TESTDIR/cryptroot-${t#cryptroot-}" + fi + runtest "$t" + done +fi + +# show summary with test exit codes and elapsed time +echo ============================================================================== +print_sgr() { + local n="$1" msg="$2" fmt + [ -t 1 ] && fmt="\\x1B[${n}m%s\\x1B[0m" || fmt="%s" + printf " $fmt" "$msg" +} +for (( i = 0; i < ${#TESTNAMES[@]}; i++ )); do + printf "%s" "${TESTNAMES[i]}" + if [ ${CODE[i]} -eq 0 ]; then + print_sgr "1;32" "PASSED" + elif [ ${CODE[i]} -eq 77 ]; then + print_sgr "1;36" "SKIPPED" + elif [ ${CODE[i]} -eq 124 ]; then + print_sgr "1;31" "FAILED" + printf " (timeout)" + else + print_sgr "1;31" "FAILED" + printf " (with status %d)" ${CODE[i]} + fi + printf " after %d seconds\\n" ${TIME[i]} +done +echo ============================================================================== + +exit $RV diff --git a/debian/tests/cryptroot-sysvinit b/debian/tests/cryptroot-sysvinit new file mode 120000 index 0000000..2e34c2d --- /dev/null +++ b/debian/tests/cryptroot-sysvinit @@ -0,0 +1 @@ +utils/cryptroot-common
\ No newline at end of file diff --git a/debian/tests/cryptroot-sysvinit.d/bottom b/debian/tests/cryptroot-sysvinit.d/bottom new file mode 100644 index 0000000..13d5190 --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/bottom @@ -0,0 +1,9 @@ +umount "$ROOT/boot" +umount "$ROOT" + +swapoff /dev/mapper/vda4_crypt + +cryptsetup close "vda4_crypt" +cryptsetup close "vda5_crypt" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-sysvinit.d/config b/debian/tests/cryptroot-sysvinit.d/config new file mode 100644 index 0000000..f6b7392 --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/config @@ -0,0 +1,5 @@ +PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4 +PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup ) +PKG_INIT="sysvinit-core" + +# vim: set filetype=bash : diff --git a/debian/tests/cryptroot-sysvinit.d/mock b/debian/tests/cryptroot-sysvinit.d/mock new file mode 100755 index 0000000..b729022 --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/mock @@ -0,0 +1,31 @@ +#!/usr/bin/perl -T + +BEGIN { + require "./debian/tests/utils/mock.pm"; + CryptrootTest::Mock::->import(); +} + +unlock_disk("topsecret"); +login("root"); + +# make sure the root FS, swap, and /home are help by dm-crypt devices +shell(q{cryptsetup luksOpen --test-passphrase /dev/vda5 <<<topsecret}, rv => 0); +my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3}); +die unless $out =~ m#\Avda3\s.*\r?\n^`-vda3_crypt\s+crypt\s+/home\s*\r?\n\z#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda4}); +die unless $out =~ m#\Avda4\s.*\r?\n^`-vda4_crypt\s+crypt\s+\[SWAP\]\s*\r?\n\z#m; + +$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda5}); +die unless $out =~ m#\Avda5\s.*\r?\n^`-vda5_crypt\s+crypt\s+/\s*\r?\n\z#m; + +# make sure only vda5 is processed at initramfs stage +# XXX unmkinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954 +shell(q{unmkinitramfs /boot/initrd.img-`uname -r` /tmp/initramfs}); +shell(q{grep -E '^vd\S+_crypt\s' </tmp/initramfs/cryptroot/crypttab >/tmp/out}); +shell(q{grep -E '^vda5_crypt\s' </tmp/out}, rv => 0); +shell(q{grep -Ev '^vda5_crypt\s' </tmp/out}, rv => 1); + +# don't use QMP::quit() here since we want to run our init scripts in +# shutdown phase +poweroff(); diff --git a/debian/tests/cryptroot-sysvinit.d/postinst b/debian/tests/cryptroot-sysvinit.d/postinst new file mode 100644 index 0000000..d65e21d --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/postinst @@ -0,0 +1,15 @@ +install -m0600 /dev/null /etc/homefs.key +head -c512 /dev/urandom >/etc/homefs.key +cryptsetup luksFormat --batch-mode \ + --key-file=/etc/homefs.key \ + --type=luks2 \ + --pbkdf=argon2id \ + --pbkdf-force-iterations=4 \ + --pbkdf-memory=32 \ + -- /dev/vda3 +cryptsetup luksOpen --key-file=/etc/homefs.key --allow-discards \ + -- /dev/vda3 "vda3_crypt" +mke2fs -Ft ext4 /dev/mapper/vda3_crypt +cryptsetup close "vda3_crypt" + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-sysvinit.d/preinst b/debian/tests/cryptroot-sysvinit.d/preinst new file mode 100644 index 0000000..05157ca --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/preinst @@ -0,0 +1,16 @@ +cat >/etc/crypttab <<-EOF + vda3_crypt /dev/vda3 /etc/homefs.key luks,discard + vda4_crypt /dev/vda4 /dev/urandom plain,cipher=aes-xts-plain64,size=256,discard,swap + vda5_crypt UUID=$(blkid -s UUID -o value /dev/vda5) none luks,discard +EOF + +cat >/etc/fstab <<-EOF + /dev/mapper/vda3_crypt /home auto defaults 0 2 + /dev/mapper/vda4_crypt none swap sw 0 0 + /dev/mapper/vda5_crypt / auto errors=remount-ro 0 1 + UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2 +EOF + +echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume + +# vim: set filetype=sh : diff --git a/debian/tests/cryptroot-sysvinit.d/setup b/debian/tests/cryptroot-sysvinit.d/setup new file mode 100644 index 0000000..f8598a6 --- /dev/null +++ b/debian/tests/cryptroot-sysvinit.d/setup @@ -0,0 +1,43 @@ +# Separate encrypted root FS and /home partitions, and transient swap -- +# the latter two are not unlocked at initramfs stage but later in the +# boot process. This environment also uses sysvinit as PID1 so we can +# test our init scripts. + +sfdisk --append /dev/vda <<-EOF + unit: sectors + + start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS} + start=$(((64+128)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_LUKS} + start=$(((64+128+64)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_DMCRYPT} + start=$(((64+128+64+64)*1024*2)), type=${GUID_TYPE_LUKS} +EOF +udevadm settle + +# initialize a new LUKS partition and open it +echo -n "topsecret" >/rootfs.key +cryptsetup luksFormat --batch-mode \ + --key-file=/rootfs.key \ + --type=luks2 \ + --pbkdf=argon2id \ + --pbkdf-force-iterations=4 \ + --pbkdf-memory=32 \ + -- /dev/vda5 +cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \ + -- /dev/vda5 "vda5_crypt" +udevadm settle + +cryptsetup open --type=plain --key-file=/dev/urandom --allow-discards \ + -- /dev/vda4 "vda4_crypt" +udevadm settle + +mke2fs -Ft ext4 /dev/mapper/vda5_crypt +mount -t ext4 /dev/mapper/vda5_crypt "$ROOT" + +mkdir "$ROOT/boot" +mke2fs -Ft ext2 -m0 /dev/vda2 +mount -t ext2 /dev/vda2 "$ROOT/boot" + +mkswap /dev/mapper/vda4_crypt +swapon /dev/mapper/vda4_crypt + +# vim: set filetype=sh : diff --git a/debian/tests/initramfs-hook b/debian/tests/initramfs-hook new file mode 100755 index 0000000..4171102 --- /dev/null +++ b/debian/tests/initramfs-hook @@ -0,0 +1,267 @@ +#!/bin/bash + +set -eux +PATH="/usr/bin:/bin:/usr/sbin:/sbin" +export PATH + +TMPDIR="$AUTOPKGTEST_TMP" + +# wrappers +luks1Format() { + cryptsetup luksFormat --batch-mode --type=luks1 \ + --pbkdf-force-iterations=1000 \ + "$@" +} +luks2Format() { + cryptsetup luksFormat --batch-mode --type=luks2 \ + --pbkdf=argon2id --pbkdf-force-iterations=4 --pbkdf-memory=32 \ + "$@" +} +diff() { command diff --color=auto --text "$@"; } + +# create disk image +CRYPT_IMG="$TMPDIR/disk.img" +CRYPT_DEV="" +install -m0600 /dev/null "$TMPDIR/keyfile" +disk_setup() { + local lo + for lo in $(losetup -j "$CRYPT_IMG" | cut -sd: -f1); do + losetup -d "$lo" + done + dd if="/dev/zero" of="$CRYPT_IMG" bs=1M count=64 + CRYPT_DEV="$(losetup --find --show -- "$CRYPT_IMG")" +} + +# custom initramfs-tools configuration (to speed things up -- we use +# COMPRESS=zstd since it's reasonably fast and COMPRESS=none is not +# supported) +mkdir "$TMPDIR/initramfs-tools" +mkdir "$TMPDIR/initramfs-tools/conf.d" \ + "$TMPDIR/initramfs-tools/scripts" \ + "$TMPDIR/initramfs-tools/hooks" +cat >"$TMPDIR/initramfs-tools/initramfs.conf" <<-EOF + COMPRESS=zstd + MODULES=list + RESUME=none + UMASK=0077 +EOF + +INITRD_IMG="$TMPDIR/initrd.img" +INITRD_DIR="$TMPDIR/initrd" +cleanup_initrd_dir() { + local d + for d in dev proc sys; do + mountpoint -q "$INITRD_DIR/$d" && umount "$INITRD_DIR/$d" || true + done + rm -rf --one-file-system -- "$INITRD_DIR" +} +trap cleanup_initrd_dir EXIT INT TERM + +mkinitramfs() { + local d + command mkinitramfs -d "$TMPDIR/initramfs-tools" -o "$INITRD_IMG" + # `mkinitramfs -k` would be better but we can't set $DESTDIR in advance + cleanup_initrd_dir + command unmkinitramfs "$INITRD_IMG" "$INITRD_DIR" + for d in dev proc sys; do + mkdir -p "$INITRD_DIR/$d" + mount --bind "/$d" "$INITRD_DIR/$d" + done +} +check_initrd_crypttab() { + local rv=0 err="${1+": $1"}" + diff --label=a/cryptroot/crypttab --label=b/cryptroot/crypttab \ + --unified --ignore-space-change \ + -- - "$INITRD_DIR/cryptroot/crypttab" || rv=$? + if [ $rv -ne 0 ]; then + printf "ERROR$err in file %s line %d\\n" "${BASH_SOURCE[0]}" ${BASH_LINENO[0]} >&2 + exit 1 + fi +} + + +####################################################################### +# make sure /cryptroot/crypttab is empty when nothing needs to be unclocked early + +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test0_crypt <"$TMPDIR/passphrase" +cat >/etc/crypttab <<-EOF + test0_crypt $CRYPT_DEV none +EOF + +mkinitramfs +# make sure cryptsetup exists and doesn't crash (for instance due to missing libraries) in initrd +chroot "$INITRD_DIR" cryptsetup --version +test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1 +check_initrd_crypttab </dev/null + + +####################################################################### +# 'initramfs' crypttab option + +cat >/etc/crypttab <<-EOF + test0_crypt $CRYPT_DEV none initramfs +EOF + +mkinitramfs +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test0_crypt +check_initrd_crypttab <<-EOF + test0_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") none initramfs +EOF + + +####################################################################### +# KEYFILE_PATTERN + +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test1_crypt <"$TMPDIR/passphrase" +cat >/etc/crypttab <<-EOF + test1_crypt $CRYPT_DEV $TMPDIR/keyfile initramfs +EOF + +echo KEYFILE_PATTERN="$TMPDIR/keyfile" >>/etc/cryptsetup-initramfs/conf-hook +tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile" +mkinitramfs +check_initrd_crypttab <<-EOF + test1_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") /cryptroot/keyfiles/test1_crypt.key initramfs +EOF +test -f "$INITRD_DIR/cryptroot/keyfiles/test1_crypt.key" || exit 1 +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase --key-file="/cryptroot/keyfiles/test1_crypt.key" "$CRYPT_DEV" +cryptsetup close test1_crypt + + +####################################################################### +# ASKPASS + +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test2_crypt <"$TMPDIR/passphrase" +cat >/etc/crypttab <<-EOF + test2_crypt $CRYPT_DEV none initramfs +EOF + +# interactive unlocking forces ASKPASS=y +echo ASKPASS=n >/etc/cryptsetup-initramfs/conf-hook +mkinitramfs +test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1 + +# check that unlocking via keyscript doesn't copy askpass +cat >/etc/crypttab <<-EOF + test2_crypt $CRYPT_DEV foobar initramfs,keyscript=passdev +EOF +mkinitramfs +! test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1 +test -f "$INITRD_DIR/lib/cryptsetup/scripts/passdev" || exit 1 + +# check that unlocking via keyfile doesn't copy askpass +echo KEYFILE_PATTERN="$TMPDIR/keyfile" >>/etc/cryptsetup-initramfs/conf-hook +tr -d '\n' <"$TMPDIR/passphrase" >"$TMPDIR/keyfile" +cat >/etc/crypttab <<-EOF + test2_crypt $CRYPT_DEV $TMPDIR/keyfile initramfs +EOF +mkinitramfs +! test -f "$INITRD_DIR/lib/cryptsetup/askpass" || exit 1 +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase --key-file="/cryptroot/keyfiles/test2_crypt.key" "$CRYPT_DEV" +cryptsetup close test2_crypt + + +####################################################################### +# legacy ciphers and hashes +# see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/merge_requests/31 + +# LUKS2, blowfish +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format --cipher="blowfish" -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt UUID=$(blkid -s UUID -o value "$CRYPT_DEV") none initramfs" >/etc/crypttab +mkinitramfs +legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")" +test -z "$legacy_so" || exit 1 # legacy ciphers don't need legacy.so +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test3_crypt + +# plain, blowfish + ripemd160 (ignored due to keyfile) +disk_setup +head -c32 /dev/urandom >"$TMPDIR/keyfile" +cryptsetup open --type=plain --cipher="blowfish" --key-file="$TMPDIR/keyfile" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt +mkfs.ext2 -m0 /dev/mapper/test3_crypt +echo "test3_crypt $CRYPT_DEV $TMPDIR/keyfile plain,cipher=blowfish,hash=ripemd160,size=256,initramfs" >/etc/crypttab +mkinitramfs +legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")" +test -z "$legacy_so" || exit 1 # don't need legacy.so here +volume_key="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)" +test -n "$volume_key" || exit 1 +cryptsetup close test3_crypt +chroot "$INITRD_DIR" /scripts/local-top/cryptroot +test -b /dev/mapper/test3_crypt || exit 1 +volume_key2="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)" +test "$volume_key" = "$volume_key2" || exit 1 +cryptsetup close test3_crypt + +# plain, ripemd160 +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +cryptsetup open --type=plain --cipher="aes-cbc-essiv:sha256" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt $CRYPT_DEV none plain,cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,initramfs" >/etc/crypttab +mkinitramfs +legacy_so="$(find "$INITRD_DIR" -xdev -type f -path "*/ossl-modules/legacy.so")" +test -n "$legacy_so" || exit 1 # checks that we have legacy.so (positive check for the above) +volume_key="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)" +test -n "$volume_key" || exit 1 +cryptsetup close test3_crypt +chroot "$INITRD_DIR" cryptsetup open --type=plain --cipher="aes-cbc-essiv:sha256" --size=256 --hash="ripemd160" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +test -b /dev/mapper/test3_crypt || exit 1 +volume_key2="$(dmsetup table --target crypt --showkeys -- test3_crypt | cut -s -d' ' -f5)" +test "$volume_key" = "$volume_key2" || exit 1 +cryptsetup close test3_crypt + +# LUKS1, whirlpool +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks1Format --hash="whirlpool" -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt $CRYPT_DEV none initramfs" >/etc/crypttab +mkinitramfs +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test3_crypt + +# LUKS2, ripemd160 +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format --hash="ripemd160" -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt $CRYPT_DEV none initramfs" >/etc/crypttab +mkinitramfs +chroot "$INITRD_DIR" cryptsetup luksOpen --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test3_crypt + +# LUKS2 (detached header), ripemd160 +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format --hash="ripemd160" --header="$TMPDIR/header.img" -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen --header="$TMPDIR/header.img" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt $CRYPT_DEV none header=$TMPDIR/header.img,initramfs" >/etc/crypttab +mkinitramfs +cp -T "$TMPDIR/header.img" "$INITRD_DIR/cryptroot/header.img" +chroot "$INITRD_DIR" cryptsetup luksOpen --header="/cryptroot/header.img" --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test3_crypt +rm -f "$TMPDIR/header.img" + +# LUKS2 (detached header, missing), ripemd160 +disk_setup +cat /proc/sys/kernel/random/uuid >"$TMPDIR/passphrase" +luks2Format --hash="ripemd160" --header="$TMPDIR/header.img" -- "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup luksOpen --header="$TMPDIR/header.img" "$CRYPT_DEV" test3_crypt <"$TMPDIR/passphrase" +echo "test3_crypt $CRYPT_DEV none header=/nonexistent,initramfs" >/etc/crypttab +mkinitramfs +cp -T "$TMPDIR/header.img" "$INITRD_DIR/cryptroot/header.img" +chroot "$INITRD_DIR" cryptsetup luksOpen --header="/cryptroot/header.img" --test-passphrase "$CRYPT_DEV" <"$TMPDIR/passphrase" +cryptsetup close test3_crypt +rm -f "$TMPDIR/header.img" diff --git a/debian/tests/utils/cryptroot-common b/debian/tests/utils/cryptroot-common new file mode 100755 index 0000000..a7df37f --- /dev/null +++ b/debian/tests/utils/cryptroot-common @@ -0,0 +1,537 @@ +#!/bin/bash + +# Base test file for cryptroot testing in KVM guests +# +# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -eu + +TESTNAME="$(basename -- "$0")" +TESTDIR="$(dirname -- "$0")" +INTERACTIVE="n" # set to "y" to interact with the guest instead of mocking the session +export TESTNAME TESTDIR + +declare -a EXTRA_REPOS=( "$@" ) # blindly append any extra arguments to sources.list +START_TIME="$(printf "%(%s)T")" + +# Try to create /dev/kvm if missing, for instance in a chroot where /dev isn't managed by udev. +# Then we can drop root privileges and run the rest of the script as a normal user +if uid="$(id -u)" && [ $uid -eq 0 ]; then + if [ ! -c /dev/kvm ] && mknod -m0600 /dev/kvm c 10 232; then + echo "INFO: Created character special file /dev/kvm" >&2 + fi + if [ -z "${AUTOPKGTEST_NORMAL_USER-}" ]; then + echo "WARN: \$AUTOPKGTEST_NORMAL_USER is empty or unset, preserving root privileges!" >&2 + else + chown --from="root" -- "$AUTOPKGTEST_NORMAL_USER:" "$AUTOPKGTEST_TMP" + if [ -c /dev/kvm ]; then + if getent group kvm >/dev/null && chgrp -c kvm /dev/kvm; then + # kvm group is created by udev.postinst + chmod -c 0660 /dev/kvm + usermod -a -G kvm -- "$AUTOPKGTEST_NORMAL_USER" + else + chown -c -- "$AUTOPKGTEST_NORMAL_USER" "/dev/kvm" + fi + fi + echo "INFO: Dropping root privileges: re-executing as user '$AUTOPKGTEST_NORMAL_USER'" >&2 + exec runuser -u "$AUTOPKGTEST_NORMAL_USER" -- "$0" "$@" + exit 1 + fi +fi + +set -x +PATH="/usr/bin:/bin" +export PATH + +if [ -t 1 ]; then + # set VT100 autowrap mode (DECAWM) + printf '\033[?7h' +fi + +# get src:cryptsetup current version and distribution +DEB_VERSION="$(dpkg-parsechangelog -SVERSION)" +DEB_DISTRIBUTION="$(dpkg-parsechangelog -SDistribution)" +DEB_BUILD_ARCHITECTURE="$(dpkg-architecture -qDEB_BUILD_ARCH)" +DEB_BUILD_ARCH_BITS="$(dpkg-architecture -qDEB_BUILD_ARCH_BITS)" +if [ "$DEB_DISTRIBUTION" = "UNRELEASED" ]; then + # take Distribution from the previous entry instead + DEB_DISTRIBUTION="$(dpkg-parsechangelog -o1 -c1 -SDistribution)" || DEB_DISTRIBUTION="unstable" + echo "WARN: Using Distribution: $DEB_DISTRIBUTION instead of UNRELEASED" >&2 +fi + +# determine suitable values for the APT repository Origin (for +# autopkgtests) and URI (used outside autopkgtests) fields +load_os_release() { + local os_release # see os-release(5) + [ -e "/etc/os-release" ] && os_release="/etc/os-release" || os_release="/usr/lib/os-release" + . "$os_release" +} +case "${DISTRIBUTOR_ID:="$(load_os_release && printf "%s" "${ID,,[A-Z]}")"}" in + debian) APT_REPO_ORIGIN="Debian"; APT_REPO_URI="http://deb.debian.org/debian";; + # suitable values for derivative can be added here + *) echo "ERROR: Unknown distributor ID '$DISTRIBUTOR_ID', can't extract APT origin" >&2; + exit 1;; +esac + +# QEMU command and default options +unset QEMU_MACHINE_TYPE QEMU_ACCEL QEMU_CPU_MODEL QEMU_SMP QEMU_MEMORY BOOT +if [ -c /dev/kvm ] && dd if=/dev/kvm count=0 status=none; then + QEMU_ACCEL="kvm" +else + echo "WARN: KVM is not available, guests will be slow!" >&2 +fi +case "$DEB_BUILD_ARCHITECTURE" in + # see `kvm -machine help` and `kvm -cpu help` + amd64|i386) + BOOT="bios" + if [ "$DEB_BUILD_ARCHITECTURE" = "amd64" ]; then + QEMU_SYSTEM_CMD="qemu-system-x86_64" + else + QEMU_SYSTEM_CMD="qemu-system-$DEB_BUILD_ARCHITECTURE" + fi + QEMU_MACHINE_TYPE="q35" + if [ "${QEMU_ACCEL-}" = "kvm" ]; then + QEMU_CPU_MODEL="kvm$DEB_BUILD_ARCH_BITS,+aes,+sha-ni" + else + QEMU_CPU_MODEL="qemu$DEB_BUILD_ARCH_BITS,-svm,-vmx" + fi + ;; + arm64) + BOOT="efi" + QEMU_SYSTEM_CMD="qemu-system-aarch64" + QEMU_MACHINE_TYPE="virt" + QEMU_CPU_MODEL="cortex-a72" + ;; + armhf) + BOOT="efi" + QEMU_SYSTEM_CMD="qemu-system-arm" + QEMU_MACHINE_TYPE="virt" + QEMU_CPU_MODEL="cortex-a15" + ;; + *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE" >&2; exit 1;; +esac + +if ! command -v "$QEMU_SYSTEM_CMD" >/dev/null; then + echo "ERROR: Couldn't find $QEMU_SYSTEM_CMD in PATH" >&2 + exit 1 +fi + +CPU_COUNT="$(getconf _NPROCESSORS_ONLN)" && [ -n "$CPU_COUNT" ] || CPU_COUNT=0 +if [ $CPU_COUNT -ge 8 ]; then + QEMU_SMP="cpus=4" +elif [ $CPU_COUNT -ge 4 ]; then + QEMU_SMP="cpus=2" +else + QEMU_SMP="cpus=1" +fi + +MEM_AVAIL="$(awk '/MemAvailable/ { printf "%.0f \n", $2/1024^2 }' </proc/meminfo)" && [ -n "$MEM_AVAIL" ] || MEM_AVAIL=0 +if [ $MEM_AVAIL -gt 2 ] && [ $DEB_BUILD_ARCH_BITS -gt 32 ]; then + QEMU_MEMORY="size=2G" +else + QEMU_MEMORY="size=1G" +fi + +# number of times to powercycle the guest +GUEST_POWERCYCLE=0 + +# kernel flavor +case "$DEB_BUILD_ARCHITECTURE" in + # see `ssh $porterbox.debian.org uname -r` + amd64) KERNEL_ARCH="amd64";; + arm64) KERNEL_ARCH="arm64";; + armhf) KERNEL_ARCH="armmp-lpae";; + i386) KERNEL_ARCH="686-pae";; + *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE" >&2; exit 1;; +esac + +# at the very least we need a boot loader, a kernel, and an init system +case "$BOOT" in + bios) PKG_BOOTLOADER="grub-pc";; + efi) PKG_BOOTLOADER="grub-efi";; + *) echo "ERROR unknown boot method '$BOOT'" >&2; exit 1;; +esac +PKG_KERNEL="linux-image-$KERNEL_ARCH" +PKG_INIT="systemd-sysv" # default pid1 +MERGED_USR="" # use default layout for the target version +declare -a PKGS_EXTRA=() DRIVE_SIZES=( "2G" ) +PKGS_EXTRA+=( "zstd" ) # default initrd compression, see #976054 + +if [ -f "$TESTDIR/$TESTNAME.d/config" ]; then + . "$TESTDIR/$TESTNAME.d/config" || exit 1 +fi + +if [ -n "${AUTOPKGTEST_TMP+x}" ] || [ ! -t 0 ] || [ ! -t 1 ]; then + INTERACTIVE="n" +fi + +unset EFI_CODE EFI_VARS +if [ "$BOOT" = "efi" ]; then + case "$DEB_BUILD_ARCHITECTURE" in + amd64|i386) + efi_fw_pkg="ovmf" + EFI_CODE="/usr/share/OVMF/OVMF_CODE.fd" + EFI_VARS="/usr/share/OVMF/OVMF_VARS.fd" + ;; + arm64) + efi_fw_pkg="qemu-efi-aarch64" + EFI_CODE="/usr/share/AAVMF/AAVMF_CODE.fd" + EFI_VARS="/usr/share/AAVMF/AAVMF_VARS.fd" + ;; + armhf) + efi_fw_pkg="qemu-efi-arm" + EFI_CODE="/usr/share/AAVMF/AAVMF32_CODE.fd" + EFI_VARS="/usr/share/AAVMF/AAVMF32_VARS.fd" + ;; + *) echo "ERROR: Unknown architecture $DEB_BUILD_ARCHITECTURE for EFI boot" >&2; exit 1;; + esac + for p in "$EFI_CODE" "$EFI_VARS"; do + if [ ! -f "$p" ]; then + echo "Couldn't find $p, is the '$efi_fw_pkg' package installed?" >&2 + exit 1 + fi + done +fi + +case "${DEB_DISTRIBUTION%%-*}" in + etch|lenny|squeeze|wheezy|jessie|stretch|buster|bullseye) + if [ -z "$MERGED_USR" ]; then + MERGED_USR="no" + fi + ;; + *) if [ -z "$MERGED_USR" ]; then + MERGED_USR="yes" + elif [ "$MERGED_USR" = "no" ]; then + # #978636: Debian 12 (codename Bookworm) should only support merged-/usr layout + echo "WARN: this system is not supported! (unmerged-/usr)" >&2 + fi + ;; +esac + +# pin versions for all packages in PKGS_EXTRA that are part of this source package +declare -a MYPKGS +MYPKGS=( $(sed -nr 's/^Package:\s*//Ip' debian/control) ) +for i in "${!PKGS_EXTRA[@]}"; do + [ "${PKGS_EXTRA[i]%[=/]*}" = "${PKGS_EXTRA[i]}" ] || continue + for mypkg in "${MYPKGS[@]}"; do + if [ "${PKGS_EXTRA[i]}" = "$mypkg" ]; then + PKGS_EXTRA[i]="${PKGS_EXTRA[i]}=$DEB_VERSION" + fi + done +done + +unset QEMU_PID +TEMPDIR="$(mktemp --tmpdir="${AUTOPKGTEST_TMP:-"${TMPDIR:-/tmp}"}" --directory "$TESTNAME.XXXXXXXXXX")" +teardown() { + local rv=$? ts + if [ -n "${QEMU_PID+x}" ]; then + kill $QEMU_PID || true + fi + rm -rf -- "$TEMPDIR" + trap - EXIT + + # try to fix terminal + [ ! -t 1 ] || printf '\033[?7h' + + ts="$(printf "%(%s)T")" + rv=${1-$rv} + printf "Result for test '%s': exit status %s, runtime %d seconds\\n" "$TESTNAME" $rv $((ts - START_TIME)) + + exit $rv +} +trap "teardown" EXIT +trap "teardown 1" INT TERM + +# set up APT for the testbed +setup_apt() { + # we need a new cache to reliably determine essential and extra packages + APT_CACHE="$TEMPDIR/apt/cache" + APT_LISTS="$TEMPDIR/apt/lists" + mkdir -- "$TEMPDIR/apt" "$APT_CACHE" "$APT_LISTS" + ln -s "cache/archives" "$TEMPDIR/apt/pool" + touch "$TEMPDIR/apt/status" + + if [ -n "${AUTOPKGTEST_TMP-}" ]; then + # reuse existing sources.list + apt-get indextargets \ + --format "\$(TARGET_OF) \$(REPO_URI) \$(RELEASE) \$(COMPONENT)" \ + "Target-Of: deb" "Identifier: Packages" "Origin: $APT_REPO_ORIGIN" \ + >"$TEMPDIR/apt/sources.list" + # local autopkgtest repo has Repo-URI: file:/tmp/autopkgtest.XXXXXX/binaries/ , + # Release: (empty) and no Component: + apt-get indextargets \ + --format "\$(TARGET_OF) \$(REPO_URI) /" \ + "Target-Of: deb" "Identifier: Packages" "Trusted: Yes" "Release: " \ + >>"$TEMPDIR/apt/sources.list" + else + # generate new sources.list + case "$DEB_DISTRIBUTION" in + experimental) cat <<-EOF + deb $APT_REPO_URI unstable main + deb $APT_REPO_URI experimental main + EOF + ;; + *-security) cat <<-EOF + deb $APT_REPO_URI ${DEB_DISTRIBUTION%-security} main + deb $APT_REPO_URI-security $DEB_DISTRIBUTION main + EOF + ;; + *-*) cat <<-EOF + deb $APT_REPO_URI ${DEB_DISTRIBUTION%%-*} main + deb $APT_REPO_URI $DEB_DISTRIBUTION main + EOF + ;; + *) cat <<-EOF + deb $APT_REPO_URI $DEB_DISTRIBUTION main + EOF + ;; + esac >"$TEMPDIR/apt/sources.list" + fi + + local apt_repo + for apt_repo in "${EXTRA_REPOS[@]}"; do + printf "%s\\n" "$apt_repo" >>"$TEMPDIR/apt/sources.list" + done + + # replace file: URIs with copy: as we rely on --download-only copying .deb files to APT's cache + sed -ri 's/^(deb\S*)\s+\[([^]]+)\]\s+file:/\1 [\2,trusted=yes] copy:/; + s/^(deb\S*)\s+file:/\1 [trusted=yes] copy:/' \ + -- "$TEMPDIR/apt/sources.list" + + apt-update +} + +# wrapper arround `apt-get install --download-only` +# (we don't use `--print-uris` since it doesn't include what's been +# included already) +apt-download() { + _apt get install --download-only "$@" +} +apt-update() { + _apt get -o Acquire::Languages="none" update +} +apt-show() { + _apt cache show "$@" +} +_apt() { + local cmd="$1" + shift + env -i DEBIAN_FRONTEND="noninteractive" \ + "apt-$cmd" \ + -o APT::Architecture="$DEB_BUILD_ARCHITECTURE" \ + -o APT::Architectures="$DEB_BUILD_ARCHITECTURE" \ + -o APT::Get::Assume-Yes=true \ + -o APT::Install-Recommends=false \ + -o Dir::Cache="$APT_CACHE" \ + -o Dir::Etc::SourceList="$TEMPDIR/apt/sources.list" \ + -o Dir::Etc::SourceParts="" \ + -o Dir::State::Lists="$APT_LISTS" \ + -o Dir::State::Status="$TEMPDIR/apt/status" \ + ${AUTOPKGTEST_TMP+-o Dir::Etc::Preferences="/etc/apt/preferences" -o Dir::Etc::PreferencesParts="/etc/apt/preferences.d/"} \ + "$@" +} + + +# create a disk image with essential and extra packages +create_debian_img() { + local img="$1" dir size deb usr_is_merged + + dir="$(mktemp --tmpdir="$TEMPDIR" --directory debian.XXXXXXXXXX)" + mkdir -- "$dir/dists" "$dir/pool" + + # TODO remove this once Bookworm is released, assuming + # init-system-helpers no longer has "Depends: usrmerge | usr-is-merged" + [ "$MERGED_USR" = "yes" ] && usr_is_merged="usr-is-merged" || usr_is_merged="" + + # apt considers itself essential so we explicitely exclude it for stage1 + mkdir -- "$dir/__stage1__" + apt-download -- "?and(?essential, ?not(?exact-name(apt)))" ${usr_is_merged:+"$usr_is_merged"} + for deb in "$APT_CACHE"/archives/*.deb; do + ln -sT "../pool/${deb##*/}" "$dir/__stage1__/${deb##*/}" + done + + # useless for stage1 + rm -f "$dir"/__stage1__/usr-is-merged_*.deb "$dir"/__stage1__/usrmerge_*.deb + + mkdir -- "$dir/__essential__" + apt-download -- "?essential" "apt" ${usr_is_merged:+"$usr_is_merged"} + for deb in "$APT_CACHE"/archives/*.deb; do + ln -sT "../pool/${deb##*/}" "$dir/__essential__/${deb##*/}" + done + + makedist "$dir" + extract_kernel "$TEMPDIR/linux-image" + + # for `dpkg --update-avail` + ( cd "$dir/__essential__" && dpkg-scanpackages . >./Packages ) + + size="$(du -sb -- "$dir")" + size=$(( ${size%%[!0-9]*} / 1000 )) # approx 97% (1000/1024) full + genext2fs -qm0 -B 1024 -b "$size" -d "$dir" -L "debian_dist" "$img" + rm -rf -- "$dir" +} +makedist() { + local basedir="$1" + local distdir="$basedir/dists" + apt-download -- "?essential" "apt" ${usr_is_merged:+"$usr_is_merged"} \ + "$PKG_BOOTLOADER" "$PKG_KERNEL" "$PKG_INIT" \ + "${PKGS_EXTRA[@]}" + rm -f -- "$APT_CACHE/archives/$PKG_KERNEL"_*.deb # remove the generic .deb (only keep its dependency with versioned ABI) + for deb in "$APT_CACHE"/archives/*.deb; do + # assume no file conflicts and override existing .debs + ln -ft "$basedir/pool" -- "$deb" + done + ( cd "$APT_CACHE" && dpkg-scanpackages ../pool >"$distdir/Packages" ) +} + +# extract kernel to $TEMPDIR/linux-image and sets KERNEL_VERSION +extract_kernel() { + local destdir="$1" deb_version_regex kernel_deb_regex + deb_version_regex="[0-9][A-Za-z0-9.+:~-]*" # per deb-version(7) + # we use may a kernel version other than what we're running, however the arch much be the same + kernel_deb_regex="linux-image-[0-9][a-z0-9.+-]*-${KERNEL_ARCH}_${deb_version_regex}_${DEB_BUILD_ARCHITECTURE}.deb" + KERNEL_DEB="$(find -P "$APT_CACHE/archives" -mindepth 1 -maxdepth 1 \ + -regextype egrep -regex ".*/$kernel_deb_regex" -type f -printf "%P\\n" | \ + sort -Vt_ -k2 | tail -n1)" + KERNEL_VERSION="${KERNEL_DEB#linux-image-*}" + KERNEL_VERSION="${KERNEL_VERSION%%_*}" + + # extract the kernel of the .deb we downloaded + if [ ! -f "$APT_CACHE/archives/$KERNEL_DEB" ]; then + echo "ERROR: Couldn't find .deb for target kernel $KERNEL_VERSION" >&2 + exit 1 + fi + + mkdir "$destdir" + dpkg-deb --fsys-tarfile "$APT_CACHE/archives/$KERNEL_DEB" | tar -C "$destdir" -xf- \ + "./boot/vmlinuz-$KERNEL_VERSION" \ + "./lib/modules/$KERNEL_VERSION" + ln -T -- "$destdir/boot/vmlinuz-$KERNEL_VERSION" "$TEMPDIR/vmlinuz-$KERNEL_VERSION" +} + +# make sure the desired version of the package is available in the testbed +setup_apt +if ! apt-show "cryptsetup-bin=$DEB_VERSION" >"$TEMPDIR/out" || [ ! -s "$TEMPDIR/out" ]; then + apt-show -a "cryptsetup-bin" || true + echo "ERROR: Cannot find version $DEB_VERSION of package cryptsetup-bin" >&2 + exit 1 +fi + +DEBIAN_IMG="$TEMPDIR/$DEB_DISTRIBUTION-$DEB_BUILD_ARCHITECTURE.img" +create_debian_img "$DEBIAN_IMG" + +case "$DEB_BUILD_ARCHITECTURE" in + arm64|armhf) CONSOLE="ttyAMA0";; + *) CONSOLE="ttyS0";; +esac + +env PACKAGES="$PKG_BOOTLOADER linux-image-$KERNEL_VERSION $PKG_INIT ${PKGS_EXTRA[*]}" \ + BOOT="$BOOT" \ + CONSOLE="$CONSOLE" \ + ARCH="$DEB_BUILD_ARCHITECTURE" \ + MERGED_USR="$MERGED_USR" \ + "$TESTDIR/utils/mkinitramfs" "$TEMPDIR/linux-image" "$KERNEL_VERSION" "$TEMPDIR/initrd.img-$KERNEL_VERSION" +rm -rf -- "$TEMPDIR/apt" "$TEMPDIR/linux-image" # don't need that anymore + +declare -a QEMU_COMMON_ARGS=( + -no-user-config + -nodefaults + -name "autopkgtest-cryptsetup-$TESTNAME" + -machine "${QEMU_MACHINE_TYPE:+"type=$QEMU_MACHINE_TYPE,"}${QEMU_ACCEL:+"accel=$QEMU_ACCEL,"}graphics=off" + ${QEMU_CPU_MODEL:+-cpu "$QEMU_CPU_MODEL"} + ${QEMU_SMP:+-smp "$QEMU_SMP"} + ${QEMU_MEMORY:+-m "$QEMU_MEMORY"} + -vga none + -display none + -object "rng-random,id=rng0,filename=/dev/urandom" -device "virtio-rng-pci,rng=rng0" + -boot "order=c,strict=on" +) + +for ((i=0; i < ${#DRIVE_SIZES[@]}; i++)); do + drive_img="$TEMPDIR/drive$i.img" + fallocate -l "${DRIVE_SIZES[i]}" "$drive_img" + QEMU_COMMON_ARGS+=( + -drive "file=$drive_img,format=raw,cache=unsafe,if=virtio,index=$i,media=disk" + ) +done + +if [ "$BOOT" = "efi" ]; then + # $EFI_VARS needs to be writable so guests can update their variables + install -Tm0644 -- "$EFI_VARS" "$TEMPDIR/efivars.fd" + QEMU_COMMON_ARGS+=( + -drive "file=$EFI_CODE,format=raw,if=pflash,unit=0,read-only=on" + -drive "file=$TEMPDIR/efivars.fd,format=raw,if=pflash,unit=1" + ) +fi + +LOGDIR="$TEMPDIR" +SOCKETDIR="$TEMPDIR" +if [ "$INTERACTIVE" != "y" ]; then + QEMU_COMMON_ARGS+=( + -device "virtio-serial" + -chardev "socket,id=hvc0,path=$SOCKETDIR/hvc0,server=on,wait=off,logfile=$LOGDIR/hvc0.log,logappend=on" + -device "virtconsole,chardev=hvc0" + ) +fi + +declare QEMU_STDIO_ARGS=( + # setup is always fully unattended + -chardev "stdio,id=char0,mux=on,logfile=$LOGDIR/qemu.log,logappend=on" + -serial "chardev:char0" + -mon "chardev=char0,mode=readline" +) +if [ "$INTERACTIVE" != "y" ] || [ -n "${AUTOPKGTEST_TMP+x}" ]; then + # XXX if KVM is detected we could reduce the timeout to 300s or so + QEMU_TIMEOUT="y" + exec </dev/null +else + QEMU_TIMEOUT="" +fi + +QEMU_DEBIANIMG_DRIVE="file=$DEBIAN_IMG,format=raw,if=virtio,readonly=on,media=cdrom" +${QEMU_TIMEOUT:+timeout 3600s} "$QEMU_SYSTEM_CMD" \ + "${QEMU_COMMON_ARGS[@]}" "${QEMU_STDIO_ARGS[@]}" \ + -drive "$QEMU_DEBIANIMG_DRIVE" \ + -kernel "$TEMPDIR/vmlinuz-$KERNEL_VERSION" \ + -append "console=$CONSOLE,115200n8" \ + -initrd "$TEMPDIR/initrd.img-$KERNEL_VERSION" \ + || exit $? + +if [ "$INTERACTIVE" = "y" ]; then + for ((i=0; i <= GUEST_POWERCYCLE; i++)); do + "$QEMU_SYSTEM_CMD" \ + "${QEMU_COMMON_ARGS[@]}" "${QEMU_STDIO_ARGS[@]}" \ + -netdev "user,id=net0" -device "virtio-net-pci,netdev=net0" + done +else + for ((i=0; i <= GUEST_POWERCYCLE; i++)); do + ${QEMU_TIMEOUT:+timeout 900s} "$QEMU_SYSTEM_CMD" \ + "${QEMU_COMMON_ARGS[@]}" \ + -chardev "socket,id=mon0,path=$SOCKETDIR/mon0,server=on,wait=off,logfile=$LOGDIR/mon0.log,logappend=on" \ + -mon "chardev=mon0,mode=control" \ + -chardev "socket,id=ttyS0,path=$SOCKETDIR/ttyS0,server=on,wait=on,logfile=$LOGDIR/ttyS0.log,logappend=on" \ + -serial "chardev:ttyS0" \ + & + QEMU_PID=$! + "$TESTDIR/$TESTNAME.d/mock" "$i" "$SOCKETDIR" || exit 1 + wait $QEMU_PID && rv=0 || rv=$? + unset QEMU_PID + [ $rv -eq 0 ] || exit $rv + done +fi + +echo "PASSED" +exit 0 diff --git a/debian/tests/utils/debootstrap b/debian/tests/utils/debootstrap new file mode 100755 index 0000000..258be5a --- /dev/null +++ b/debian/tests/utils/debootstrap @@ -0,0 +1,125 @@ +#!/bin/sh + +# Debootstrap a target system +# +# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -eu +PATH="/usr/sbin:/usr/bin:/sbin:/bin" +export PATH + +ESSENTIAL="/media/__essential__" +TEMPDIR="$(mktemp --tmpdir --directory "debootstrap.XXXXXXXXXX")" +trap "rm -rf -- \"$TEMPDIR\"" EXIT INT TERM + +sed -rn "/^Package:\\s*/I {s///;s/$/ install/p}" "$ESSENTIAL/Packages" >"$TEMPDIR/Packages.sel" + +install -m0644 /dev/null "/var/lib/dpkg/status" +dpkg --update-avail "$ESSENTIAL/Packages" +dpkg --set-selections <"$TEMPDIR/Packages.sel" + +mkdir -- "$TEMPDIR/dpkg" +mkdir -- "$TEMPDIR/dpkg/files" "$TEMPDIR/dpkg/depends" "$TEMPDIR/dpkg/pre-depends" + +# extract metadata (package names, file names, Depends and Pre-Depends +# for easier processing) +for deb in "$ESSENTIAL"/*.deb; do + pkg=$(dpkg-deb --show --showformat="\${Package}" "$deb") + case "$pkg" in + # special case: base-files Pre-Depends on awk but we only have mawk (or gawk) + mawk|gawk) pkg="awk";; + esac + printf "%s\\n" "$pkg" >>"$TEMPDIR/dpkg/avail" + printf "%s\\n" "$deb" >"$TEMPDIR/dpkg/files/$pkg" + dpkg-deb --show --showformat="\${Pre-Depends}\\n" "$deb" >"$TEMPDIR/predeps" + dpkg-deb --show --showformat="\${Depends}\\n" "$deb" >"$TEMPDIR/deps" + sed -ri "s/,\\s*/\\n/g" -- "$TEMPDIR/predeps" "$TEMPDIR/deps" + sed -i "s/[[:blank:]:].*//; /^[[:blank:]]*$/d" -- "$TEMPDIR/predeps" "$TEMPDIR/deps" + mv -T -- "$TEMPDIR/predeps" "$TEMPDIR/dpkg/pre-depends/$pkg" + mv -T -- "$TEMPDIR/deps" "$TEMPDIR/dpkg/depends/$pkg" +done + +if [ -L /bin ] && [ -L /sbin ] && [ -L /lib ]; then + # TODO remove this once Bookworm is released, assuming + # init-system-helpers no longer has "Depends: usrmerge | usr-is-merged" + sed -i "s/^usrmerge$/usr-is-merged/" -- "$TEMPDIR/dpkg/depends/init-system-helpers" +fi + +# recursively append dependencies to $OUT; abort and return 1 if one of +# the (recursive) dependency has an unsatisfied Pre-Depends +resolve_deps() { + local pkg="$1" dep + while read -r dep; do + if grep -Fxq -e "$dep" <"$TEMPDIR/dpkg/avail"; then + # $pkg has an unsatisfied Pre-Depends, can't proceed further + return 1 + fi + done <"$TEMPDIR/dpkg/pre-depends/$pkg" + while read -r dep; do + if grep -Fxq -e "$dep" <"$TEMPDIR/dpkg/avail" && ! grep -Fxq -e "$dep" <"$OUT"; then # break cycles + printf "%s\\n" "$dep" >>"$OUT" + resolve_deps "$dep" || return $? + fi + done <"$TEMPDIR/dpkg/depends/$pkg" + return 0 +} + +# dump to $OUT a list of packages that can be installed (only packages +# without unsatisfied pre-dependencies, and typically packages that are +# pre-dependencies of other packages) -- using `dpkg --predep-package` +# would be convenient but it doesn't work with recursive dependencies, +# cf. #539133 +can_install_next() { + local pkg + while read -r pkg; do + printf "%s\\n" "$pkg" >"$OUT" + if resolve_deps "$pkg"; then + return 0 + fi + done <"$TEMPDIR/dpkg/avail" + + echo "PANIC: No remaining dependencies are satisfiable!" >&2 + cat <"$TEMPDIR/dpkg/avail" >&2 + exit 1 +} + +# keep going until all available packages are installed +OUT="$TEMPDIR/pkg.list" +XARGS_IN="$TEMPDIR/deb.list" +while [ -s "$TEMPDIR/dpkg/avail" ]; do + can_install_next || exit 1 + + echo -n ">>> Installing: " >&2 + paste -sd" " <"$OUT" >&2 + + while read -r pkg; do + cat "$TEMPDIR/dpkg/files/$pkg" + done <"$OUT" >"$XARGS_IN" + xargs -a"$XARGS_IN" -d"\\n" dpkg -i + + grep -Fx -vf "$OUT" <"$TEMPDIR/dpkg/avail" >"$TEMPDIR/dpkg/avail.new" || true + mv -T -- "$TEMPDIR/dpkg/avail.new" "$TEMPDIR/dpkg/avail" +done + +echo apt apt >/var/lib/dpkg/cmethopt +echo "deb [trusted=yes] file:/media/dists /" >/etc/apt/sources.list +cat >/etc/apt/apt.conf.d/99debootstrap <<-EOF + Acquire::Languages "none"; + APT::Install-Recommends "false"; + APT::Install-Suggests "false"; +EOF + +apt-get -oAcquire::Languages="none" -oAPT::Sandbox::User="root" -qq update diff --git a/debian/tests/utils/init b/debian/tests/utils/init new file mode 100755 index 0000000..331cd6f --- /dev/null +++ b/debian/tests/utils/init @@ -0,0 +1,273 @@ +#!/bin/sh + +# PID1 at initramfs stage +# +# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -eux +PATH="/usr/sbin:/usr/bin:/sbin:/bin" +export PATH + +trap "echo \"ALERT! Couldn't setup system, dropping to a shell.\" >&2; sh -i" 0 + +# set VT100 autowrap mode again (QEMU might mess the terminal up) +printf '\033[?7h' + +mount -t devtmpfs -o noexec,nosuid,mode=0755 udev /dev + +mkdir /dev/pts /proc /run /sys +mount -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts +mount -t proc -o nodev,noexec,nosuid proc /proc +mount -t tmpfs -o nodev,noexec,nosuid,size=5%,mode=0755 tmpfs /run +mount -t sysfs -o nodev,noexec,nosuid sysfs /sys + +modprobe virtio_rng # /dev/hwrng (avoid entropy starvation) +modprobe virtio_pci +modprobe virtio_blk # /dev/vd[a-z] +modprobe virtio_console # /dev/hvc[0-7] + +# start udevd +/lib/systemd/systemd-udevd --daemon +udevadm trigger --type=subsystems --action=add +udevadm trigger --type=devices --action=add +udevadm settle + +. /init.conf + +# https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs +GUID_TYPE_MBR="024DEE41-33E7-11D3-9D69-0008C781F39F" # MBR partition scheme +GUID_TYPE_EFI="C12A7328-F81F-11D2-BA4B-00A0C93EC93B" # EFI boot partition +GUID_TYPE_BIOS_boot="21686148-6449-6E6F-744E-656564454649" # BIOS boot partition +GUID_TYPE_Linux_FS="0FC63DAF-8483-4772-8E79-3D69D8477DE4" # Linux filesystem data +GUID_TYPE_LUKS="CA7D7CCB-63ED-4C53-861C-1742536059CC" # LUKS partition +GUID_TYPE_DMCRYPT="7FFEC5C9-2D00-49B7-8941-3EA10A5586B7" # Plain dm-crypt partition +GUID_TYPE_LVM="E6D6D379-F507-44C2-A23C-238F2A3DF928" # Logical Volume Manager partition +GUID_TYPE_RAID="A19D880F-05FC-4D3B-A006-743F0F84911E" # RAID partition + +if [ "$BOOT" = "bios" ]; then + BOOT_PARTITION_SIZE=2 + BOOT_PARTITION_TYPE="$GUID_TYPE_BIOS_boot" +elif [ "$BOOT" = "efi" ]; then + BOOT_PARTITION_SIZE=63 + BOOT_PARTITION_TYPE="$GUID_TYPE_EFI" +else + echo "ERROR unknown boot method '$BOOT'" >&2 + exit 1 +fi + +# format the target disk and create a BIOS/EFI partition +sfdisk /dev/vda <<-EOF + label: gpt + unit: sectors + + start=$((1024*2)), size=$((BOOT_PARTITION_SIZE*1024*2)), type=$BOOT_PARTITION_TYPE +EOF +udevadm settle + +ROOT="/target" +mkdir -m0755 "$ROOT" +# /init.setup is expected to create the root filesystem of the target +# system and mount it (alongside other filesystems) on $ROOT +. /init.setup +udevadm settle + +# inspired by debootstrap's /usr/share/debootstrap/functions +if [ "$MERGED_USR" = "yes" ]; then + case "$ARCH" in + amd64) libdir="lib32 lib64 libx32";; + i386) libdir="lib64 libx32";; + mips|mipsel) libdir="lib32 lib64";; + mips64*|mipsn32*) libdir="lib32 lib64 libo32";; + loongarch64*) libdir="lib32 lib64";; + powerpc) libdir="lib64";; + ppc64) libdir="lib32 lib64";; + ppc64el) libdir="lib64";; + s390x) libdir="lib32";; + sparc) libdir="lib64";; + sparc64) libdir="lib32 lib64";; + x32) libdir="lib32 lib64 libx32";; + *) libdir="";; + esac + for dir in bin sbin lib $libdir; do + ln -s "usr/$dir" "$ROOT/$dir" + mkdir -p "$ROOT/usr/$dir" + done +fi + +mkdir /media +DEBIAN_DIST="$(blkid -l -t LABEL="debian_dist" -o device)" +mount -t ext2 -o ro "$DEBIAN_DIST" /media +for pkg in /media/__stage1__/*.deb; do + dpkg-deb --fsys-tarfile "$pkg" | tar -C "$ROOT" -xf - --keep-directory-symlink +done + +# setup hosts(5) and hostname(5) +echo "$HOSTNAME" >"$ROOT/etc/hostname" +echo "127.0.0.1 localhost $HOSTNAME" >"$ROOT/etc/hosts" + +# EFI +if [ "$BOOT" = "efi" ]; then + modprobe efivarfs + mount -t efivarfs efivarfs /sys/firmware/efi/efivars + + mkfs.vfat -F 32 /dev/vda1 + mkdir "$ROOT/boot/efi" + mount -t vfat /dev/vda1 "$ROOT/boot/efi" + + cat >>"$ROOT/etc/fstab" <<-EOF + UUID=$(blkid -s UUID -o value /dev/vda1) /boot/efi auto defaults 0 2 + EOF +fi + +# bind mount pseudo and temporary filesystems to "$ROOT" +mount -no bind /dev "$ROOT/dev" +mount -no bind /proc "$ROOT/proc" +mount -no bind /sys "$ROOT/sys" +mount -t tmpfs -o nodev,noexec,nosuid,size=5%,mode=0755 tmpfs "$ROOT/run" + +# prevent any services from starting during package installation, taken +# from debootstrap(8) +cat >"$ROOT/usr/sbin/policy-rc.d" <<-EOF + #!/bin/sh + exit 101 +EOF +chmod +x "$ROOT/usr/sbin/policy-rc.d" + +mv "$ROOT/sbin/start-stop-daemon" "$ROOT/sbin/start-stop-daemon.REAL" +cat >"$ROOT/sbin/start-stop-daemon" <<-EOF + #!/bin/sh + echo + echo "Warning: Fake start-stop-daemon called, doing nothing" +EOF +chmod +x "$ROOT/usr/sbin/policy-rc.d" "$ROOT/sbin/start-stop-daemon" + +DEBIAN_FRONTEND="noninteractive" +DEBCONF_NONINTERACTIVE_SEEN="true" +export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN + +# debootstrap the target system +mkdir "$ROOT/media" +mount -no move /media "$ROOT/media" +cp -p /debootstrap "$ROOT/debootstrap" +chroot "$ROOT" /debootstrap +rm -f "$ROOT/debootstrap" + +# use MODULES=dep (if it works with fewer modules then it also works +# with the default MODULES=most) +mkdir -p "$ROOT/etc/initramfs-tools/conf.d" +echo "MODULES=dep" >"$ROOT/etc/initramfs-tools/conf.d/modules" + +cp /init.preinst "$ROOT/init.preinst" +chroot "$ROOT" /bin/sh -eux /init.preinst +rm -f "$ROOT/init.preinst" +udevadm settle + +# install extra packages +chroot "$ROOT" apt-get -oAPT::Sandbox::User="root" install --yes $PACKAGES +rm -f "$ROOT/etc/apt/sources.list" + +# configure and install GRUB +cat >"$ROOT/etc/default/grub" <<-EOF + GRUB_DEFAULT=0 + GRUB_TIMEOUT=0 + GRUB_CMDLINE_LINUX_DEFAULT="" + GRUB_CMDLINE_LINUX="console=$CONSOLE,115200n8" + GRUB_DISABLE_RECOVERY=true + GRUB_TERMINAL="console serial" + GRUB_SERIAL_COMMAND="serial --speed=115200" +EOF +chroot "$ROOT" grub-install --no-floppy --modules=part_gpt /dev/vda +chroot "$ROOT" update-grub + +chroot "$ROOT" passwd --delete root # make root account passwordless + +# show some system info right after login to ease troubleshooting +cat >"$ROOT/root/.profile" <<-EOF + run_verbose() { + printf "\\\`%s\\\` output:\\\\n" "\$*" + "\$@" + } + stty cols 150 + run_verbose dmsetup table + run_verbose lsblk + run_verbose df -h +EOF + +cat >"$ROOT/root/.inputrc" <<-EOF + # disabled bracketed paste mode + set enable-bracketed-paste off +EOF + +if [ -d "$ROOT/etc/systemd/system" ]; then + # systemd + if [ -c "$ROOT/dev/hvc0" ]; then + # serial-getty@ttyS0.service is automatically enabled due to the console= kernel parameter + ln -s "/dev/null" "$ROOT/etc/systemd/system/serial-getty@ttyS0.service" + ln -s "/lib/systemd/system/serial-getty@.service" \ + "$ROOT/etc/systemd/system/getty.target.wants/serial-getty@hvc0.service" + fi + + # mask all timer units + for t in "$ROOT"/lib/systemd/system/*.timer; do + test -f "$t" || continue + ln -s "/dev/null" "$ROOT/etc/systemd/system/${t##*/}" + done + + # mask systemd-firstboot.service + ln -s "/dev/null" "/root/etc/systemd/system/systemd-firstboot.service" +fi + +if [ -f "$ROOT/etc/inittab" ]; then + # sysvinit + if [ -c "$ROOT/dev/hvc0" ]; then + echo "h0:2345:respawn:/sbin/agetty -8 -L 115200 hvc0 linux" + else + echo "S0:23:respawn:/sbin/getty -8 -L 115200 $CONSOLE linux" + fi >>"$ROOT/etc/inittab" +fi + +if [ -f /init.postinst ]; then + cp /init.postinst "$ROOT/init.postinst" + chroot "$ROOT" /bin/sh -eux /init.postinst + rm -f "$ROOT/init.postinst" +fi + +# allow service startup again +mv "$ROOT/sbin/start-stop-daemon.REAL" "$ROOT/sbin/start-stop-daemon" +rm "$ROOT/usr/sbin/policy-rc.d" + +# unmount pseudo filesystems from the target system +umount "$ROOT/dev" +umount "$ROOT/proc" +umount "$ROOT/sys" + +if [ "$BOOT" = "efi" ]; then + umount "$ROOT/boot/efi" +fi +umount "$ROOT/media" +umount "$ROOT/run" + +# /init.bottom is expected to umount $ROOT and its submounts +ROOT="$ROOT" sh -eux /init.bottom + +# stop udevd +udevadm control --exit + +# exiting this script yields "Kernel panic - not syncing: Attempted to +# kill init!", so give the asyncronous SysRq trigger a chance to power +# off (sending a racy C-d would still trigger a panic but we don't care) +echo o >/proc/sysrq-trigger +exec cat >/dev/null diff --git a/debian/tests/utils/mkinitramfs b/debian/tests/utils/mkinitramfs new file mode 100755 index 0000000..6bc70f4 --- /dev/null +++ b/debian/tests/utils/mkinitramfs @@ -0,0 +1,159 @@ +#!/bin/sh + +# Generate an initramfs image, much like mkinitramfs(8) but simpler +# +# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +set -eu +PATH="/usr/sbin:/usr/bin:/sbin:/bin" +export PATH + +unset DEBUG +EXTRACT_DIR="$1" +KERNEL_VERSION="$2" +INITRD="$3" + +UTILS="$(dirname -- "$0")" +DESTDIR="$(mktemp --directory -- "$INITRD.XXXXXXXXXX")" +trap "rm -r${DEBUG:+v}f -- \"$DESTDIR\"" EXIT INT TERM + +# from /usr/sbin/mkinitramfs: create usr-merged filesystem layout, to +# avoid duplicates if the host filesystem is usr-merged +for d in /bin /lib* /sbin; do + [ -d "$d" ] || continue + mkdir -p "$DESTDIR/usr$d" + ln -sT "usr$d" "$DESTDIR$d" +done + +install -m0755 "$UTILS/init" "$DESTDIR/init" +install -m0755 "$UTILS/debootstrap" "$DESTDIR/debootstrap" +cat >"$DESTDIR/init.conf" <<- EOF + HOSTNAME="$TESTNAME" + export HOSTNAME + PACKAGES="$PACKAGES" + BOOT="$BOOT" + CONSOLE="$CONSOLE" + ARCH="$ARCH" + MERGED_USR="$MERGED_USR" +EOF + +for p in setup preinst postinst bottom; do + # setup: sourced after creating the BIOS or EFI boot partition + # preinst: run in chroot after debootstrap, but before installing extra packages + # postinst: optionally run in chroot after installing extra packages + # bottom: last thing to run before shutdown + if [ -f "$TESTDIR/$TESTNAME.d/$p" ]; then + install -m0755 "$TESTDIR/$TESTNAME.d/$p" "$DESTDIR/init.$p" + fi +done + +MODULES="dm_crypt ext4 btrfs raid0 raid1" +if [ "$BOOT" = "efi" ]; then + MODULES="$MODULES efivarfs nls_ascii nls_cp437 vfat" +fi + +depmod -ab "$EXTRACT_DIR" "$KERNEL_VERSION" +for kmod in virtio_console virtio_blk virtio_pci virtio_rng \ + "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION"/kernel/arch/*/crypto/*.ko* \ + "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION"/kernel/crypto/*.ko* \ + $MODULES; do + kmod="${kmod##*/}" + modprobe -aid "$EXTRACT_DIR" -S "$KERNEL_VERSION" --show-depends "${kmod%%.*}" +done | while read -r insmod kmod _; do + [ "$insmod" = "insmod" ] || continue + kmod_rel="${kmod#"$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/"}" + if [ ! -f "$kmod" ] || [ "${kmod_rel#kernel/}" = "$kmod_rel" ]; then + echo "Error: Unexpected modprobe output: $insmod $kmod" >&2 + exit 1 + fi + mkdir -p "$DESTDIR/lib/modules/$KERNEL_VERSION/${kmod_rel%/*}" + ln -f${DEBUG:+v}T -- "$kmod" "$DESTDIR/lib/modules/$KERNEL_VERSION/$kmod_rel" +done + +ln -t "$DESTDIR/lib/modules/$KERNEL_VERSION" -- \ + "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/modules.order" \ + "$EXTRACT_DIR/lib/modules/$KERNEL_VERSION/modules.builtin" +depmod -wab "$DESTDIR" "$KERNEL_VERSION" + +verbose="${DEBUG-}" +. /usr/share/initramfs-tools/hook-functions # for copy_exec() +if [ -f "$TESTDIR/$TESTNAME.d/mkinitramfs" ]; then + . "$TESTDIR/$TESTNAME.d/mkinitramfs" +fi + +copy_exec /bin/cp +copy_exec /bin/rm +copy_exec /bin/chmod + +copy_exec /sbin/modprobe +copy_exec /sbin/blkid +copy_exec /sbin/sfdisk +copy_exec /sbin/mkswap +copy_exec /sbin/swapon +copy_exec /sbin/swapoff +copy_exec /sbin/cryptsetup +copy_exec /sbin/dmsetup +copy_exec /usr/bin/dpkg-deb +copy_exec /bin/tar + +# assume ossl-modules/legacy.so and libgcc_s.so are relative to the linked libcryptsetup.so +libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcryptsetup\.so\..*/ {s//\1/p;q}')" +copy_exec "$libdir/ossl-modules/legacy.so" || true +copy_libgcc "$libdir" + +for p in /sbin/cryptsetup /sbin/lvm /sbin/mdadm /sbin/mke2fs /sbin/mkfs.btrfs /bin/btrfs; do + if [ -x "$p" ]; then + copy_exec "$p" + fi +done + +if [ "$BOOT" = "efi" ]; then + if [ ! -x "/sbin/mkfs.vfat" ]; then + echo "Couldn't find mkfs.vfat, is the 'dosfstools' package installed?" >&2 + exit 1 + fi + copy_exec /sbin/mkfs.vfat +fi + +cp -pLt "$DESTDIR/lib" /lib/klibc-*.so +for cmd in cat chroot ln ls mkdir mount mv sh umount uname; do + exe="/usr/lib/klibc/bin/$cmd" + if [ ! -f "$exe" ] || [ ! -x "$exe" ]; then + echo "No such executable: $exe" >&2 + exit 1 + fi + copy_exec "$exe" /bin +done + +# copy udevd and (some of) its rules +copy_exec /lib/systemd/systemd-udevd +copy_exec /bin/udevadm + +mkdir -p -- "$DESTDIR/etc/udev" "$DESTDIR/lib/udev/rules.d" +cat >"$DESTDIR/etc/udev/udev.conf" <<-EOF + udev_log=info + resolve_names=never +EOF +for rules in 50-udev-default.rules 55-dm.rules 60-block.rules \ + 60-persistent-storage.rules 60-persistent-storage-dm.rules \ + 63-md-raid-arrays.rules 95-dm-notify.rules; do + if [ -e "/lib/udev/rules.d/$rules" ]; then + cp -T "/lib/udev/rules.d/$rules" "$DESTDIR/lib/udev/rules.d/$rules" + fi +done + +cd "$DESTDIR" +find . -print0 | cpio -o0 -R 0:0 -H newc --quiet ${DEBUG:+--verbose} >"$INITRD" diff --git a/debian/tests/utils/mock.pm b/debian/tests/utils/mock.pm new file mode 100644 index 0000000..10db3e6 --- /dev/null +++ b/debian/tests/utils/mock.pm @@ -0,0 +1,347 @@ +# Mock terminal interaction on a guest system +# +# Copyright © 2021-2022 Guilhem Moulin <guilhem@debian.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +use v5.14.2; +use warnings; +use strict; + +our ($SERIAL, $CONSOLE, $MONITOR); +our $PS1 = qr/root\@[\-\.0-9A-Z_a-z]+ : [~\/][\-\.\/0-9A-Z_a-z]* [\#\$]\ /aax; + +package CryptrootTest::Utils; + +use Socket qw/PF_UNIX SOCK_STREAM SOCK_CLOEXEC SOCK_NONBLOCK SHUT_RD SHUT_WR/; +use Errno qw/EINTR ENOENT ECONNREFUSED/; +use Time::HiRes (); + +my (%SOCKET, %BUFFER, $WBITS, $RBITS); + +BEGIN { + ($SERIAL, $CONSOLE, $MONITOR) = qw/ttyS0 hvc0 mon0/; + my $dir = $ARGV[1] =~ m#\A(/\p{Print}+)\z# ? $1 : die "Invalid base directory\n"; # untaint + my $epoch = Time::HiRes::time(); + foreach my $id ($SERIAL, $CONSOLE, $MONITOR) { + my $path = $dir . "/" . $id; + my $sockaddr = Socket::pack_sockaddr_un($path) // die; + socket(my $socket, PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) or die "socket: $!"; + + until (connect($socket, $sockaddr)) { + if ($! == EINTR) { + # try again immediatly if connect(2) was interrupted by a signal + } elsif (($! == ENOENT or $! == ECONNREFUSED) and Time::HiRes::time() - $epoch < 30) { + # wait a bit to give QEMU time to create the socket and mark it at listening + Time::HiRes::usleep(100_000); + } else { + die "connect($path): $!"; + } + } + + my $fd = fileno($socket) // die; + vec($WBITS, $fd, 1) = 1; + vec($RBITS, $fd, 1) = 1; + $SOCKET{$id} = $socket; + $BUFFER{$id} = ""; + } +} + +sub read_data($) { + my $bits = shift; + while (my ($chan, $fh) = each %SOCKET) { + next unless vec($bits, fileno($fh), 1); # nothing to read here + my $n = sysread($fh, my $buf, 4096) // die "read: $!"; + if ($n > 0) { + STDOUT->printflush($buf); + $BUFFER{$chan} .= $buf; + } else { + #print STDERR "INFO done reading from $chan\n"; + shutdown($fh, SHUT_RD) or die "shutdown: $!"; + vec($RBITS, fileno($fh), 1) = 0; + } + } +} + +sub expect(;$$) { + my ($chan, $prompt) = @_; + + my $buffer = defined $chan ? \$BUFFER{$chan} : undef; + if (defined $buffer and $$buffer =~ $prompt) { + $$buffer = $' // die; + return %+; + } + + while(unpack("b*", $RBITS) != 0) { + my $rout = $RBITS; + while (select($rout, undef, undef, undef) == -1) { + die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted + } + read_data($rout); + if (defined $buffer and $$buffer =~ $prompt) { + $$buffer = $' // die; + return %+; + } + } + #print STDERR "INFO done reading\n"; +} + +sub write_data($$%) { + my $chan = shift; + my $data = shift; + + my %options = @_; + $options{echo} //= 1; + $options{eol} //= "\r"; + $options{reol} //= "\r\n"; + my $wdata = $data . $options{eol}; + + my $wfh = $SOCKET{$chan} // die; + my $wfd = fileno($wfh) // die; + vec(my $win, $wfd, 1) = 1; + + for (my $offset = 0, my $length = length($wdata); $offset < $length;) { + my $wout = $win; + while (select(undef, $wout, undef, undef) == -1) { + die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted + } + if (vec($wout, $wfd, 1)) { + my $n = syswrite($wfh, $wdata, $length - $offset, $offset) // die "write: $!"; + $offset += $n; + } + } + + my $rdata = $options{echo} ? $data : ""; + $rdata .= $options{reol}; + + if ($rdata ne "") { + my $buf = \$BUFFER{$chan}; + my $rfh = $SOCKET{$chan} // die; + my $rfd = fileno($rfh) // die; + vec(my $rin, $rfd, 1) = 1; + + my $rlen = length($rdata); + while($rlen > 0) { + my $rout = $rin; + while (select($rout, undef, undef, undef) == -1) { + die "select: $!" unless $! == EINTR; # try again immediately if select(2) was interrupted + } + read_data($rout); + + my $got = substr($$buf, 0, $rlen); + my $n = length($got); + if ($got eq substr($rdata, -$rlen, $n)) { + $$buf = substr($$buf, $n); # consume the command + $rlen -= $n; + } else { + my $a = substr($rdata, 0, -$rlen) . substr($rdata, -$rlen, $n); + my $b = substr($rdata, 0, -$rlen) . $got; + s/[^\p{Graph} ]/"\\x".unpack("H*",$&)/ge foreach ($a, $b); + die "Wanted \"$a\", got \"$b\""; + } + } + } +} + +package CryptrootTest::Mock; + +use Exporter qw/import/; +BEGIN { + our @EXPORT = qw/ + unlock_disk + login + shell + suspend + wakeup + hibernate + poweroff + expect + /; +} + +*expect = \&CryptrootTest::Utils::expect; +*write_data = \&CryptrootTest::Utils::write_data; + +sub unlock_disk($) { + my $passphrase = shift; + my %r = expect($SERIAL => qr/\A(?:.*(?:\r\n|\.\.\. ))?Please unlock disk (?<name>\p{Graph}+): \z/aams); + if ((my $ref = ref($passphrase)) ne "") { + my $name = $r{name}; + unless (defined $name) { + undef $passphrase; + } elsif ($ref eq "CODE") { + $passphrase = $passphrase->($name); + } elsif ($ref eq "HASH") { + $passphrase = $passphrase->{$name}; + } else { + die "Unsupported reference $ref"; + } + } + die "Unable to unlock, aborting.\n" unless defined $passphrase; + write_data($SERIAL => $passphrase, echo => 0, reol => "\r"); +} + +sub login($;$) { + my ($username, $password) = @_; + expect($CONSOLE => qr/\r\ncryptroot-[[:alnum:]._-]+ login: \z/aams); + write_data($CONSOLE => $username, reol => "\r"); + + if (defined $password) { + expect($CONSOLE => qr/\A[\r\n]*Password: \z/aams); + write_data($CONSOLE => $username, echo => 0, reol => "\r"); + } + + # consume motd(5) or similar + expect($CONSOLE => qr/\r\n $PS1 \z/aamsx); +} + +sub shell($%); +sub shell($%) { + my $command = shift; + my %options = @_; + + write_data($CONSOLE => $command); + my %r = expect($CONSOLE => qr/\A (?<out>.*) $PS1 \z/aamsx); + my $out = $r{out}; + + if (exists $options{rv}) { + my $rv = shell(q{echo $?}); + unless ($rv =~ s/\r?\n\z// and $rv =~ /\A[0-9]+\z/ and $rv == $options{rv}) { + my @loc = caller; + die "ERROR: Command \`$command\` exited with status $rv != $options{rv}", + " at line $loc[2] in $loc[1]\n"; + } + } + return $out; +} + +# enter S3 sleep state (suspend to ram aka standby) +sub suspend() { + write_data($CONSOLE => q{systemctl suspend}); + # while the command is asynchronous the system might suspend before + # we have a chance to read the next $PS1 + + # wait for the SUSPEND event + QMP::wait_for_event("SUSPEND"); + + # double check that the guest is indeed suspended + my $resp = QMP::command(q{query-status}); + die unless defined $resp->{status} and $resp->{status} eq "suspended" and + defined $resp->{running} and $resp->{running} == JSON::false(); +} + +sub wakeup() { + my $r = QMP::command(q{system_wakeup}); + die if %$r; + + # wait for the WAKEUP event + QMP::wait_for_event("WAKEUP"); + + # double check that the guest is indeed running + my $resp = QMP::command(q{query-status}); + die unless defined $resp->{status} and $resp->{status} eq "running" and + defined $resp->{running} and $resp->{running} == JSON::true(); +} + +# enter S4 sleep state (suspend to disk aka hibernate) +sub hibernate() { + # an alternative is to send {"execute":"guest-suspend-disk"} on the + # guest agent socket, but we don't want to require qemu-guest-agent + # on the guest so this will have to do + write_data($CONSOLE => q{systemctl hibernate}); + # while the command is asynchronous the system might hibernate + # before we have a chance to read the next $PS1 + QMP::wait_for_event("SUSPEND_DISK"); + expect();# wait for QEMU to terminate +} + +sub poweroff() { + # XXX would be nice to use the QEMU monitor here but the guest + # doesn't seem to respond to system_powerdown QMP commands + write_data($CONSOLE => q{poweroff}); + # while the command is asynchronous the system might shutdown + # before we have a chance to read the next $PS1 + QMP::wait_for_event("SHUTDOWN"); + expect(); # wait for QEMU to terminate +} + + +package QMP; + +# QMP protocol +# https://qemu.readthedocs.io/en/latest/interop/qemu-qmp-ref.html + +use JSON (); + +# read and decode a QMP server line +sub getline() { + my %r = CryptrootTest::Utils::expect($MONITOR => qr/\A(?<str>.+?)\r\n/m); + my $str = $r{str} // die; + return JSON::->new->decode($str); +} + +# send a QMP command and optional arguments +sub command($;$) { + my ($command, $arguments) = @_; + my $cmd = { execute => $command }; + $cmd->{arguments} = $arguments if defined $arguments; + + $cmd = JSON::->new->encode($cmd); + STDOUT->printflush($cmd . "\n"); + CryptrootTest::Utils::write_data($MONITOR => $cmd, eol => "\r\n", echo => 0, reol => ""); + + while(1) { + my $resp = QMP::getline() // next; + # ignore unsolicited server responses (such as events) + return $resp->{return} if exists $resp->{return}; + } +} + +# wait for the QMP greeting line +my @CAPABILITIES; +sub greeting() { + my $greeting = QMP::getline() // die; + $greeting = $greeting->{QMP} // die; + @CAPABILITIES = @{$greeting->{capabilities}} if defined $greeting->{capabilities}; +} + +# negotiate QMP capabilities +sub capabilities(@) { + my $r = QMP::command(qmp_capabilities => {enable => \@_}); + die if %$r; +} + +BEGIN { + # https://gitlab.com/qemu-project/qemu/-/blob/master/docs/interop/qmp-spec.txt sec 4 + QMP::greeting(); + QMP::capabilities(); +} + +sub wait_for_event($) { + my $event_name = shift; + while(1) { + my $resp = QMP::getline() // next; + return if exists $resp->{event} and $resp->{event} eq $event_name; + } +} + +sub quit() { + # don't use QMP::command() here since we might never receive a response + my $cmd = JSON::->new->encode({ execute => "quit" }); + STDOUT->printflush($cmd . "\n"); + CryptrootTest::Utils::write_data($MONITOR => $cmd, eol => "\r\n", echo => 0, reol => ""); + CryptrootTest::Utils::expect(); # wait for QEMU to terminate +} + +1; diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..abb325c --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,6 @@ +Bug-Database: https://gitlab.com/cryptsetup/cryptsetup/-/issues +Bug-Submit: https://gitlab.com/cryptsetup/cryptsetup/-/issues/new +Repository: https://gitlab.com/cryptsetup/cryptsetup.git +Repository-Browse: https://gitlab.com/cryptsetup/cryptsetup +FAQ: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions +Security-Contact: https://gitlab.com/cryptsetup/cryptsetup/-/blob/HEAD/SECURITY.md diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..a3b5a8f --- /dev/null +++ b/debian/upstream/signing-key.asc @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE94p38BEADZRET8y1gVxlfDk44/XwBbFjC7eM6EanyCuivUPMmPwYDo9qRe +y0JdOGhWhAZeutGGxsKliozmeTL25Z6wWICu2oeY+ZfbgJQYHFeQ01NVwoYy57hh +ytZw/6IMLFRcIaWSHd7oNdneQg6mVJcGdA/BOX68uo3RKSHj6Q8GoQ54F/NpCotz +VcP1ORpVJ5ptyG0x6OZm5Esn61pKE979wcHsz7EzcDYl+3MS63gZm+O3D1u80bUM +mBUlxyEiC5jo5ksTFheA8m/5CAPQtxzYvgezYlLLS3nkxaq2ERK5DhvMv0NktXSu +tfWQsOI5WLjG7UWStwAnO2W+CVZLcnZV0K6OKDaFbCj4ovg5HV0FyQZknN2O5Qbx +esNlNWkMOJAnnX6c/zowO7jq8GCpa3oJl3xxmwFbCZtH4z3fEVw0wAFc2JlnufR4 +dhaax9fhNoUJ4OSVTi9zqstxhEyywkazakEvAYwOlC5+1FKoc9UIvApAGvgcTJGT +Op7MuHptHGwWvGZEaJqcsqoy7rsYPxtDQ7bJuJJblzGIUxWAl8qsUsF8M4ISxBkf +fcUYiR0wh1luUhXFo2rRTKT+Ic/nJDE66Ee4Ecn9+BPlNODhlEG1vk62rhiYSnyz +y5MAUhUlstDxuEjYK+NGd2aYH0VANZalqlUZFTEdOdA6NYROxkYZVsVtXQARAQAB +tCBNaWxhbiBCcm96IDxnbWF6eWxhbmRAZ21haWwuY29tPokCPgQTAQIAKAUCT3in +fwIbAwUJEswDAAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ2bBXe9k+mPxp +bg//ZWDcQVNAKOWCviNnNvT315WbDrjsJ6FApF83hB52qQO9tvjb5ZY54794uwof +idOqi0XFoLkoLyiJkkvc3Q9SnM89hyhzrxnh2ym4rUr4cL6F9e99uC656er4telM +bg9OSPR2iNuqsAzyMhOGMEnnm97YQ2QWOnvbC8QgoQB5VvF3nZMgqTPTxctlUfc7 +t4BlGcIBLG0oINUNDf441KAXgMP05kVK0CDQd02CTPok2Qshbg6aw56eSSUTB4aq +ZM8St1ySJ2ccMDRC9mCqcNFtuuPyAAJAJFmEvlxahd0BA0mwV3ce38JBbTqs5k0X +2JVljHObgnfp3WDtuY8Lj0u8KvN0CAYJhRuhY40fARh8EPfkNvIx/740ueexsUBW +3N1/lCeABaOKtu11kVUxvDxaFRQc2I5vl/sZMunSjJQQiwrWNbrwZgidwkHzvizm +LjdgHgCJeEC+tu1qifTCOllufvXagjYmrH4hm/Qz6+91lLksrHooxp3nAcN78d5/ +E4reamx0+DleOJ2yD1UeP2wUDdB23OQU3ipVDYwIuIvDWiZSIVwXyDLhuc64ti4t +ScUGfucEKMER1eLTJ+zILHZ9R4K7C2BhEGSAyxkeeX/Z8pLNOJ1RdU+B+ZFNXuIH +LJbgrAiOOqr07WPbvRT1LvO/w/4m31D9Kalc4Jyqn9+pjtm5Ag0ET3infwEQAN6E +dXyfw9xr56CJ1asnQ1PSxpzEGlUsEHvn4wcufyC8KN6VGUlR3WinlaGvOICzvYOi +S06E6PqKDEgbbApBh2//6Ihk1OynS0y4hYepJi+pstdXoiud6NQSNQlcFjCfI8Wz +AT3rensVLmwc3HgRW5qqt5Vc+EWdg9cylZ48QdPyo3WyOd2pyL+yqNZPjMGijE8z +vzurwZiO9aBkJCjulqXMs1YyyIqfTxKQ1GCUQq4SoIQXjD8HvgJ7T/TpuDf9wFhe +onGqxiJpxb02LMEdkPgugKIgG6iOFplzrsySyoiJsGa0mJ0n0O6rXQxl1mK/zdfg +vm4CPDujbgINnIxRxPescCVYcmjM8kTlGYJuKp4GgbwbwkCISs4retaAXiP3a2f3 +eSaJc5SnWWa3JqH5ogkEWvuezjNxW5fMpBWszdQEsgnsdlK37V+aB5oWnnkZRlWk +1YhGwL1ODz+EZzSsGlkIr7BYakK3xRYbxVfQkUr7EeqruXohSOnPAowePYAXCigC +fWvIJMlrPLIOD2GOy9eV3UZ/JDn/7YPfFAjNb0gVdpqBCQNH/fP2ePC0FzW+3YL1 +UbR+qMAEbKbFepycg75LbC08jFuQVvauDQta4EAvBkF460PoskCzcMuREntjMxip +B6IMSoOD74tcGYfUp6/kcgdEaqyK8214couO/u8HABEBAAGJAiUEGAECAA8FAk94 +p38CGwwFCRLMAwAACgkQ2bBXe9k+mPzIRA//bAf0Ng8dJ+IgydRtdT9X2xYKyukk +A3HlrOImOoA4Thrv/HVe7U28AkiQt2DxOmNZYIV0BqvL+dWAD1HYCdQgsgVWVLpr +sFfqOYHnAWKsdqyNZHtPC9J6drnwv0vcER0dtDJjMDP4MJMTa4JNjNJYb29WfbIm +viDRtIcVujYFoZK2ZBa1Ec7yPfk4CsyE+Y3Qh9Gy8Z08NrrxIn+MVATBbocKs7j1 +JAvkFk+o1grGnw3NTXnB8gEygAKHHyUgzr5Nyn5qJ28EZr7Vc1FP2lUiKv0JBcHT +/9vVXJ1Grd+VF2cwYftMWRKR66lTaUS2BX0ta6IQQSj8nSRsoKapRniCfTm1D4I1 +6j9bOoEfFdVsMkcrYFtfhq97qgR8gZtVCJkrX2CARZ+a1J+NP/erASd6M1A3n3aM +F3xBFfFsotzPplmhzExCYwuOCWIBfPerUQh1MughvG/oT8ZapR6x/EVE+K90J10X +pPi8VMi/3QRC5DpCin3Kc14WAE4uEbyUWLKb3PmfmZaS6qFaJNtf2TyZodT0ACgu +v9Xs4el0j8FRaCqLvEZS4rKLNxb8EY3Z4LC61QfyAbg5P114muVZ4ro8dzhZ0zwk +ZLGeEsYPsQpLo6XPT/32PP8aHn/KKX+KM7ouCEhVeWszR20BMK6sxTBR+4aNqSKC +dgr42jrtvzRmJp4= +=E79s +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..dabcd8b --- /dev/null +++ b/debian/watch @@ -0,0 +1,6 @@ +version=4 +options="mode=git,pgpmode=gittag, \ + uversionmangle=s/-(alpha|beta|rc)(\d*)$/~$1$2/, \ + compression=gzip" \ + https://gitlab.com/cryptsetup/cryptsetup.git \ + refs/tags/v?@ANY_VERSION@ |