dracutdevs / dracut

dracut the event driven initramfs infrastructure
https://github.com/dracutdevs/dracut/wiki
GNU General Public License v2.0
598 stars 397 forks

Dracut skips adding keys in initramfs, for luks encrypted volume containing the swap partition, if it matches the condition described below. #2424

Closed octal-illumination closed 1 year ago

octal-illumination commented 1 year ago

Describe the bug

Dracut skips adding keys in the initramfs for LUKS encrypted volumes containing the swap partition, if the identifier in the device mapping line in the /etc/crypttab file matches the identifier the volume is currently mapped to and mounted/enabled as swap.

I have /dev/sda2 - LUKS encrypted swap partition and /dev/sda3 - LUKS encrypted root/system partition. I want them to be opened by initramfs, with a keyfile already added to the respective LUKS key slots. The relevant lines with the options and the path to the respective keyfiles are added, both in /etc/dracut.conf.d/10-fde-lean.conf, and in /etc/crypttab as shown in the example below.

/etc/crypttab:

 system                 UUID=eb5ecac5-5e07-4d82-ac7a-86ec34099f26       /keys/luks-system.key   luks
 swap                   UUID=bd6056f3-d96d-40e4-9b97-35ccb87b3945       /keys/luks-swap.key     luks

/etc/dracut.conf.d/10-fde-lean.conf:

hostonly=yes
install_items+=" /keys/luks-system.key /keys/luks-swap.key /etc/crypttab "
add_dracutmodules+=" crypt btrfs resume "

/etc/default/grub:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Void"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=7 rd.luks.uuid=eb5ecac5-5e07-4d82-ac7a-86ec34099f26 rd.luks.uuid=bd6056f3-d96d-40e4-9b97-35ccb87b3945 resume=UUID=4d9a3d2b-79d6-4fbd-a391-d1e9ab6c205c ipv6.disable=1"
GRUB_ENABLE_CRYPTODISK=y

blkid:

/dev/mapper/swap: LABEL="swap" UUID="4d9a3d2b-79d6-4fbd-a391-d1e9ab6c205c" TYPE="swap"
/dev/mapper/system: LABEL="rootbase" UUID="e0cd0d14-2237-46e6-a9af-682411a004fd" UUID_SUB="01927f70-cfa0-4322-84bf-f7b5fd6e4a67" BLOCK_SIZE="4096" TYPE="btrfs"
/dev/sda1: LABEL_FATBOOT="ESP" LABEL="ESP" UUID="519C-2BB8" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="e5138efd-eaee-7948-b01e-342ad54d5ae9"
/dev/sda2: UUID="bd6056f3-d96d-40e4-9b97-35ccb87b3945" TYPE="crypto_LUKS" PARTUUID="6036920f-b9d2-b84e-b035-59f204d1805d"
/dev/sda3: UUID="eb5ecac5-5e07-4d82-ac7a-86ec34099f26" TYPE="crypto_LUKS" PARTUUID="a1c0d611-7939-754a-9bac-3821cd0895fa"

lsblk: - I have mapped the LUKS encrypted swap to 'cryptswap' to avoid facing the issue.

NAME       MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda          8:0    0 465.8G  0 disk
├─sda1       8:1    0     1G  0 part  /boot/efi
├─sda2       8:2    0    15G  0 part
│ └─swap   254:0    0    15G  0 crypt [SWAP]
└─sda3       8:3    0 449.8G  0 part
  └─system 254:1    0 449.8G  0 crypt /.snapshots
                                      /var/tmp
                                      /var/log
                                      /var/cache
                                      /opt
                                      /home
                                      /

Distribution used

voidlinux

Dracut version

dracut 059

Init system

runit 2.1.2_15

To Reproduce

  1. Add $identifier UUID=$UUID /path/keyfile.key luks to /etc/crypttab, where the $identifier used for mapping the LUKS volume can be anything, e.g. swap or randomname, and the $UUID is the UUID of the LUKS volume containing the swap partition.

     $identifier                   UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx       /path/keyfile.key     luks
  2. Generate the initramfs with dracut --force --hostonly --kver ##### or the kernel upgrade/downgrade hooks of your distribution.

  3. Reboot, and run dracut --force --hostonly --kver ##### again, or let the kernel upgrade/downgrade and use the hooks of your distribution.

Alternate way to reproduce:

  1. Add $identifier UUID=$UUID /path/keyfile.key luks to /etc/crypttab, where the $identifier used for mapping the LUKS volume can be anything, e.g. swap or randomname, and the $UUID is the UUID of the LUKS volume containing the swap partition.

     $identifier                   UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx       /path/keyfile.key     luks
  2. swapoff the swap partition, if already enabled, and luksClose the volume if it is already opened/unlocked. Reopen using the same $identifier used in the /etc/crypttab file for the LUKS volume, then swapon /dev/mapper/$identifier.

  3. Generate the initramfs with dracut --force --hostonly --kver ##### or the kernel upgrade/downgrade hooks of your distribution.

Expected behavior

Dracut should not skip LUKS volumes containing swap partitions. In a Full Disk Encryption setup, one of the ways to have an encrypted swap without the use of LVM is to have a separate LUKS encrypted swap partition. I have a similar setup, where I have a separate LUKS encrypted swap partition, and I want the initramfs to unlock all the LUKS encrypted partitions, including the ones with swap.

Additional context

Removing the following line from `/bin/dracut` solves the issue.

[[ "$_p" == /* ]] && [[ -f $_p ]] && continue 2

This was added through an old commit, found through the comment for a related but different issue, #2128.

Please let me know if more information is needed.
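The one-line check the reporter removed is the whole decision: an entry whose third column is an absolute path to an existing regular file makes dracut skip that swap device. The script below is an added example, not dracut's code and not part of the issue: it models that single test over a constructed crypttab (the UUIDs are the ones shown in the issue; the key file and crypttab live in a temporary directory) so the skip condition can be exercised without rebuilding an initramfs. dracut matches the crypttab line to the swap device with `-ef`; matching by mapper name here is an assumption made to keep the example runnable offline. It is written as POSIX sh, so it behaves the same under sh or bash. The second function lists the key files crypttab references that exist on disk, which is what a practitioner should look at before listing them in `install_items`: those files sit in cleartext inside the image, so anyone who can read the image can unlock the volume.

```shell
#!/bin/sh
# Added example; not dracut's code and not part of the issue. It models the
# single crypttab test quoted in the issue,
#     [[ "$_p" == /* ]] && [[ -f $_p ]] && continue 2
# over a constructed /etc/crypttab. dracut matches the entry to the swap
# device with -ef; matching by mapper name here is an assumption.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/keys"
printf 'not-a-real-key' > "$WORK/keys/luks-swap.key"   # exists on disk
# "$WORK/keys/missing.key" is deliberately never created.

# Constructed crypttab (not copied from any system); the UUIDs are the ones
# shown in the issue. Columns: <name> <device> <keyfile|none> <options>
CRYPTTAB="$WORK/crypttab"
cat > "$CRYPTTAB" <<EOF
# name        device                                      keyfile                   options
swap          UUID=bd6056f3-d96d-40e4-9b97-35ccb87b3945   $WORK/keys/luks-swap.key  luks
swapnokey     UUID=bd6056f3-d96d-40e4-9b97-35ccb87b3945   none                      luks
swapmissing   UUID=bd6056f3-d96d-40e4-9b97-35ccb87b3945   $WORK/keys/missing.key    luks
randswap      /dev/sda9                                   /dev/urandom              swap
EOF

# swap_disposition NAME CRYPTTAB
# Prints "skipped" when NAME's entry has an absolute path to an existing
# regular file in the keyfile column (the quoted test fires), "included" when
# it does not, and "absent" when no entry for NAME exists.
swap_disposition() {
    while read -r _mapper _a _p _o || [ -n "$_mapper" ]; do
        case $_mapper in ''|'#'*) continue ;; esac
        [ "$_mapper" = "$1" ] || continue
        # Same two conditions as the quoted line: leading "/" and -f.
        # Note -f is false for "none", for a path that does not exist, and
        # for a device node such as /dev/urandom.
        case $_p in
            /*) if [ -f "$_p" ]; then echo skipped; else echo included; fi ;;
            *)  echo included ;;
        esac
        return 0
    done < "$2"
    echo absent
}

# cleartext_keyfiles CRYPTTAB
# Prints every key file crypttab points at that exists on disk. These are the
# files that would sit in cleartext inside the image if named in
# install_items; whoever can read the image can then unlock the volume.
cleartext_keyfiles() {
    while read -r _mapper _a _p _o || [ -n "$_mapper" ]; do
        case $_mapper in ''|'#'*) continue ;; esac
        case $_p in
            /*) if [ -f "$_p" ]; then echo "$_p"; fi ;;
        esac
    done < "$1"
    return 0
}

for n in swap swapnokey swapmissing randswap nosuch; do
    printf '%-12s %s\n' "$n" "$(swap_disposition "$n" "$CRYPTTAB")"
done
cleartext_keyfiles "$CRYPTTAB"
```

Only the `swap` entry is reported as skipped; `none`, a path that does not exist, and `/dev/urandom` all fall through because `-f` requires an existing regular file. On a real system, `lsinitrd` lists the contents of an image, so grepping its output for the key path and for `etc/crypttab` confirms whether `install_items` actually placed them, independent of whether the swap device itself was picked up.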

octal-illumination commented 1 year ago

Closed due to too many edits, hence moved it to a new issue for readability. https://github.com/dracutdevs/dracut/issues/2425