Bug ID | 1197635 |
---|---|
Summary | Dracut from Leap 15.4 beta breaks rd.luks.key initrd option to unlock luks devices with encryption keys on USB keys |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.4 |
Hardware | x86-64 |
OS | openSUSE Leap 15.4 |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Basesystem |
Assignee | screening-team-bugs@suse.de |
Reporter | georg.jansing@web.de |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
The crypto keyfile is not read from USB key device, even though the corresponding kernel command line parameter is set (rd.luks.key=/keyfile.bin). More detailed scenario described below.

I tracked this down to the following broken call found in /run/initramfs/init.log (with rd.debug set on kernel command line):

```
+ cryptsetup -d - ' ' luksOpen /dev/sdb2 vg
```

Note the one-space string parameter (' ') between "-" and "luksOpen". On a boot on a 15.3 system, this ' ' parameter is not present.

It seems to be introduced by quoting around $cryptsetupopts in /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh, lines 142 or 168:

`cryptsetup -d - "$cryptsetupopts" [...]`

In commit https://github.com/dracutdevs/dracut/commit/e0abf88a15d23fbf793cf872397016ad86aeaaa8 this quoting is removed (maybe due to this breakage). This fix seems not to be included in the dracut version contained in the current Leap 15.4 package.

Is there a way to include this fix in the 15.4 package?

Scenario: root fs on LVM on crypto-luks on ssd

/etc/crypttab

```
vg /dev/disk/by-uuid/<some uuid> none luks,x-initrd.attach,discard
```

/etc/dracut.conf.d/50-crypt-key.conf

```
add_drivers+=" nls_cp437 nls_iso8859_1 "
add_filesystems+=" vfat "
filesystems+=" vfat "
omit_dracutmodules+=" systemd "
```

Note: rd.luks.key functionality is known to be broken in combination with systemd in dracut initrd, see https://bugzilla.redhat.com/show_bug.cgi?id=905683, also referred to in `man dracut.cmdline` in the 15.4 version of dracut.

/etc/default/grub

```
GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.key=/keysfile.bin [...]"
```

Update grub2 & initrd with

```
# grub2-mkconfig -o /boot/grub2/grub.cfg
# mkinitrd
```

On Leap 15.3 systems this works. Dracut is shipped in an older version though: 055+suse.238.gacab0df5-150400.1.6 (Leap 15.4 beta) vs. 049.1+suse.228.g07676562-3.54.1 (Leap 15.3 with current updates)
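
The argument-count difference described in the report can be reproduced outside the initrd. This is an added example, not part of the original report and not dracut's code: `show_argv` is a hypothetical stand-in for `cryptsetup`, and the sample values assigned to `cryptsetupopts` are constructed.

```shell
#!/bin/sh
# Added illustration: show_argv, quoted_argv and unquoted_argv are
# hypothetical helpers, not functions from dracut.

# Stand-in for cryptsetup: print the argument count, then each
# argument wrapped in brackets so whitespace-only arguments are visible.
show_argv() {
    printf '%d:' "$#"
    for a in "$@"; do
        printf '[%s]' "$a"
    done
    printf '\n'
}

# Quoted expansion, as in the cryptroot-ask.sh line quoted in the report:
# the variable always becomes exactly one argument, even when it holds
# only a space.
quoted_argv() {
    cryptsetupopts=$1
    show_argv -d - "$cryptsetupopts" luksOpen /dev/sdb2 vg
}

# Unquoted expansion: field splitting (default IFS) drops a
# whitespace-only value entirely and strips padding around real options.
unquoted_argv() {
    cryptsetupopts=$1
    # shellcheck disable=SC2086  # word splitting is intended here
    show_argv -d - $cryptsetupopts luksOpen /dev/sdb2 vg
}

# Constructed sample values: a lone space (matching the ' ' seen in
# init.log) and a space-padded option string.
quoted_argv ' '
unquoted_argv ' '
quoted_argv ' --allow-discards'
unquoted_argv ' --allow-discards'
```

With the lone-space value, the quoted form passes six arguments, including the stray `[ ]` that appears in the rd.debug trace, while the unquoted form passes five.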