[pkg-cryptsetup-devel] Bug#839994: Bug#839994: Newest version prevent boot of full encrypted disk

Klaus Ethgen Klaus at Ethgen.de
Fri Oct 7 12:56:27 UTC 2016


Hello Guilhem,

On Fri, 7 Oct 2016 at 13:04, Guilhem Moulin wrote:
> I see.  Indeed, we've unfortunately been too fast at releasing a fix for
> #786578.  That is, we documented setting KEYFILE_PATTERN in
> /etc/initramfs-tools/initramfs.conf (or alternatively, under
> /etc/initramfs-tools/conf.d) while the initramfs-tools maintainers later
> (#807527) objected to using /etc/initramfs-tools for hook configuration:
> 
>     "If a hook script requires configuration beyond the exported
>     variables listed below, it should read a private configuration file
>     that is separate from the /etc/initramfs-tools directory.  It must
>     not read initramfs-tools configuration files directly."
>     -- initramfs-tools(8)
> 
> Can you confirm your system boots as expected once you delete
> /etc/initramfs-tools/conf.d/diskkey and use
> /etc/cryptsetup-initramfs/conf-hook instead?

Partly. It will boot but the rights of the resulting initrd are 0644, so
world-readable with credentials in it.

> I'll push a proper fix
> later today, to make the latter config file take precedence over
> mkinitramfs(8) settings; but *not override them* as it's incorrectly
> done now.

Well, just keep 'em commented out, I would say that will fix it?

> (Just to be clear, we *will* drop backward compatibility at
> some point, but after at least one stable release cycle, and with a
> loud warning printed at each update-initramfs run meanwhile.)

Sure... But that should be done via debconf probably.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
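
A check for the condition reported in this message (an initrd left at mode 0644 while it carries key material), as an added example that is not part of the original mail or of the cryptsetup package. It assumes GNU find and stat, images named `initrd.img*` in the boot directory, and that an uncommented `KEYFILE_PATTERN=` line in the hook configuration means key files are embedded; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag initramfs images readable by group/others while the
# cryptsetup hook is configured to copy key files into them.
# Usage: sh audit-initrd.sh /boot /etc/cryptsetup-initramfs/conf-hook

# Succeed if CONF has an uncommented, non-empty KEYFILE_PATTERN assignment.
keyfile_pattern_set() {
    [ -r "$1" ] &&
        grep -Eq "^[[:space:]]*KEYFILE_PATTERN=[\"']?[^\"'[:space:]#]" "$1"
}

# Print every initrd image directly under DIR whose mode grants any
# permission bit to group or others (GNU find: -perm /077).
exposed_images() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img*' -perm /077 | sort
}

# audit BOOT_DIR CONF_FILE
# Returns 1 (and lists the images) when key files are configured and at
# least one image is accessible to non-root users; returns 0 otherwise.
audit() {
    boot=$1
    conf=$2
    if ! keyfile_pattern_set "$conf"; then
        echo "ok: no KEYFILE_PATTERN set in $conf"
        return 0
    fi
    exposed=$(exposed_images "$boot")
    if [ -z "$exposed" ]; then
        echo "ok: all images under $boot are restricted to the owner"
        return 0
    fi
    echo "$exposed" | while read -r img; do
        echo "EXPOSED: $img (mode $(stat -c %a "$img"))"
    done
    return 1
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```
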
