cornelinux / yubikey-luks

Two factor authentication for harddisk encryption

Can not extract initramfs image properly (Ubuntu 18.04.1 LTS (Bionic Beaver)) #45

Open erolg opened 5 years ago

erolg commented 5 years ago

System startup usually works very well with Yubikey-luks, but when I try to suspend I get the following errors.

The first one is:

$ sudo  /usr/lib/yubikey-luks-suspend/yubikey-luks-suspend 

gzip: stdin: not in gzip format
cpio: premature end of archive
Press ENTER to continue.

Because my initramfs is not a gunzip file.

$ file /boot/initrd.img-4.15.0-43-generic 
/boot/initrd.img-4.15.0-43-generic: ASCII cpio archive (SVR4 with no CRC)

It's OK. Then I changed the line to this: (cpio --quiet -id) < "${INITRAMFS}"

Then my laptop starts to suspend normally (it could wake up without yubikey) because of the line. When I comment out the line, the suspend process starts with the following error:

chroot: failed to run command ‘/suspend’: No such file or directory

I figured out that my initramfs doesn't have the suspend script (which is copied by the initramfs hook).

Here is the update-initramfs log: https://gist.github.com/erolg/17d52e92195f8a3d251895ff54ab23b5

And here is my crypttab:

cryptedlvm UUID=83feeca9-f770-4883-96fc-3d15d98190bd none luks,discard

update-initramfs seems to be OK. But there is no suspend script in the image.


erol@kfir:/tmp$ cat initrd.img-4.15.0-43-generic | cpio -idmv

.
kernel
kernel/x86
kernel/x86/microcode
kernel/x86/microcode/AuthenticAMD.bin
56 blocks

I can't figure out why there is no suspend script in the image? Do you have any opinion?

Btw thank you for this great project!

Vincent43 commented 5 years ago

Are the other files like sbin/ykluks-keyscript and etc/ykluks.cfg correctly copied?

What yubikey-luks version do you use? The newest one needs slight modifications of /etc/crypttab to work (however, it may not be directly related to your issues).

erolg commented 5 years ago

@Vincent43 The problem is about the multi-segmented initramfs image.

We need to use unmkinitramfs instead of cpio.

Can you test it with your setup?

Vincent43 commented 5 years ago

> Because my initramfs is not a gunzip file.
>
> $ file /boot/initrd.img-4.15.0-43-generic
> /boot/initrd.img-4.15.0-43-generic: ASCII cpio archive (SVR4 with no CRC)

This is ok. I have the same.

> gzip: stdin: not in gzip format

Did you change the initramfs compression method in /etc/initramfs-tools/update-initramfs.conf? The default should be gzip.

> erol@kfir:/tmp$ cat initrd.img-4.15.0-43-generic | cpio -idmv
>
> .
> kernel
> kernel/x86
> kernel/x86/microcode
> kernel/x86/microcode/AuthenticAMD.bin
> 56 blocks

I have similar output with that command so it shouldn't matter.

I can't reproduce your problem. What files are extracted when you run (cpio --quiet -id; zcat | cpio --quiet -id) < /boot/initrd.img-4.15.0-43-generic command in terminal?

In my testing it correctly deals with multi-segmented initramfs image, extracting all files under the same directory including microcode. On the other hand unmkinitramfs creates two directories, one for microcode under early dir and one for the actual initramfs under main dir. In fact its manpage states that "unmkinitramfs cannot deal with multiple-segmented initramfs images, except where an early (uncompressed) initramfs with system firmware is prepended to the regular compressed initramfs.".

So I think the problem is somewhere else.

erolg commented 5 years ago

Here are the outputs:

$ cat /etc/initramfs-tools/initramfs.conf  | grep COMPRESS
# COMPRESS: [ gzip | bzip2 | lzma | lzop | xz ]
COMPRESS=gzip
$ (cpio --quiet -id; zcat | cpio --quiet -id) < /boot/initrd.img-4.15.0-43-generic

gzip: stdin: not in gzip format
cpio: premature end of archive
$ tree .
.
└── kernel
    └── x86
        └── microcode
            └── AuthenticAMD.bin

3 directories, 1 file

Cpio extracts only the early part of initramfs image, it can't extract "actual initramfs" in my setup.

Vincent43 commented 5 years ago

The only difference from my setup is that I use microcode for Intel. Maybe AMD is screwing something.

cornelinux commented 3 years ago

I have the same issue on Intel.

It happens on Ubuntu 18.04 with kernel 4.15 and 5.3.


What is this line (https://github.com/cornelinux/yubikey-luks/blob/master/yubikey-luks-suspend#L92) actually supposed to do? I think the unpacking and piping is a bit broken here.

metalsp0rk commented 2 years ago

I wanted to pick this up because I'm running into the same problem on 21.10.

Ubuntu started using a strange process for their initrd, sometime around 18.04. The recommended initramfs decompression method is with the unmkinitramfs tool. This, however, leaves me with a few directories: early, early2, main. We're interested only in main.

I'll work on this for a couple days and see if I can get a working suspend. If I get anywhere, I'll make a PR.

> What is this line (https://github.com/cornelinux/yubikey-luks/blob/master/yubikey-luks-suspend#L92) actually supposed to do? I think the unpacking and piping is a bit broken here.

I'm not entirely clear on what that line is supposed to do, but the correct process for unpacking a traditional CPIO archive is to pipe the contents into cpio with the -idmv flags. This is obviously not viable on Ubuntu, so there will likely need to be some logic to handle this. It may be beneficial to readability to rewrite the CPIO extraction into a switch statement that checks for the existence of compression, even if this one-line magic works on some distributions.
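
The segment layout discussed in this thread (early, early2, main), as an added example that is not part of the issue or of the yubikey-luks code: Python that walks an initramfs image segment by segment, skips the uncompressed cpio archives and their zero padding, identifies the compression of the main segment by its magic bytes, and lists the main segment's members so the presence of the suspend script can be checked. The function names, the sample image and its file contents are constructed for illustration; in this constructed image the bytes following the first cpio archive are a second cpio archive, not gzip data.

```python
import bz2, gzip, lzma
CPIO = (b"070701", b"070702")  # newc magic, without / with CRC
MAGICS = [(b"\x1f\x8b", "gzip"), (b"\xfd7zXZ\x00", "xz"), (b"BZh", "bzip2"),
          (b"\x02\x21\x4c\x18", "lz4"), (b"\x28\xb5\x2f\xfd", "zstd"), (b"\x89LZO", "lzop")]
DECOMP = {"cpio": bytes, "gzip": gzip.decompress, "xz": lzma.decompress, "bzip2": bz2.decompress}

def cpio_names(buf, start=0):
    """Walk one newc archive at `start`; return (member names, end offset)."""
    off, names = start, []
    while True:
        hdr = buf[off:off + 110]
        if len(hdr) < 110 or hdr[:6] not in CPIO:
            raise ValueError(f"bad cpio header at offset {off}")
        filesize, namesize = int(hdr[54:62], 16), int(hdr[94:102], 16)
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        off += ((110 + namesize + 3) & ~3) + ((filesize + 3) & ~3)  # each padded to 4
        if name == "TRAILER!!!":
            return names, off
        names.append(name)

def segments(buf):
    """Return [(offset, kind)] for every segment of an initramfs image."""
    off, found = 0, []
    while off < len(buf):
        if buf[off] == 0:                    # zero padding between segments
            off += 1
        elif buf[off:off + 6] in CPIO:       # uncompressed (early) segment
            found.append((off, "cpio"))
            off = cpio_names(buf, off)[1]
        else:                                # compressed main segment runs to EOF
            kind = next((k for m, k in MAGICS if buf.startswith(m, off)), "unknown")
            return found + [(off, kind)]
    return found

def main_names(buf):
    """Member names of the last (main) segment, decoded by its detected kind."""
    off, kind = segments(buf)[-1]
    return cpio_names(DECOMP[kind](buf[off:]))[0]  # KeyError: no stdlib decoder

def newc(files):  # sample-input builder: one newc archive padded to 512 bytes
    out = b""
    for name, data in [*files.items(), ("TRAILER!!!", b"")]:
        n = name.encode() + b"\0"
        fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + n
        out += b"\0" * (-len(out) % 4) + data + b"\0" * (-len(data) % 4)
    return out + b"\0" * (-len(out) % 512)

EARLY = [newc({f"kernel/x86/microcode/{v}.bin": b"ucode"}) for v in ("AuthenticAMD", "GenuineIntel")]
IMAGE = b"".join(EARLY) + gzip.compress(newc({"suspend": b"#!/bin/sh\n"}))  # constructed
```

To inspect a real image, pass the bytes of the file to `segments()` and `main_names()`; lz4, zstd and lzop main segments are detected but need an external decoder.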