[Bug 915849] New: rd.luks.key kernel command not work.
http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Bug ID: 915849
Summary: rd.luks.key kernel command not work.
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: mingzhan@microsoft.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Detail:

1. add the rd.luks.key into /etc/default/grub

    GRUB_CMDLINE_LINUX="rd.luks.key=/keyfile:LABEL=KEYDISK"

2. add the drivers into the initramfs by editing the /etc/Dracut.conf

    Add_drivers+=" vfat nls_cp437 nls_iso8859-1"

3. put the file into the KEYDISK with label, a text file with the passphrase.

Then reboot, The Plymouth passphrase also prompted.

Also I try to turn on the debug shell by adding rd.shell=1 into the GRUB_CMDLINE_LINUX... Also I could not get the shell command.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Bernhard Wiedemann <bwiedemann@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |bwiedemann@suse.com,
     |        |lnussel@suse.com,
     |        |trenn@suse.com

--- Comment #1 from Bernhard Wiedemann <bwiedemann@suse.com> ---

http://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator... talks about the option taking a UUID and I am not sure, if our initrd supports those options.

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Scott Zhang <mingzhan@microsoft.com> changed:

What              |Removed    |Added
----------------------------------------------------------------------------
Priority          |P5 - None  |P1 - Urgent
Services Priority |           |2
Found By          |---        |Customer

--- Comment #2 from Scott Zhang <mingzhan@microsoft.com> ---

This is the issue customer met when trying to encrypt a disk. We tried Ubuntu, and not this issue.

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

--- Comment #3 from Ludwig Nussel <lnussel@suse.com> ---

did you regenerate your grub config and rebuild the initrd?

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Björn Voigt <bjoernv@arcor.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |bjoernv@arcor.de

--- Comment #4 from Björn Voigt <bjoernv@arcor.de> ---

I am also unsuccessful with the rd.luks.key option. I tried different formats:

    rd.luks.key=/usbstick.key:UUID=...
    rd.luks.key=/usbstick.key:/dev/disk/by-id/...
    rd.luks.key=/usbstick.key:/dev/disk/by-uuid/...
    rd.luks.key=/usbstick.key:/dev/sd1

/dev/sda1 is a USB stick with ext4. usbstick.key is a file on the root of the filesystem.

I always get the LUKS password prompt instead of automatic unlocking with the USB stick file.

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Andrei Borzenkov <arvidjaar@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |arvidjaar@gmail.com

--- Comment #5 from Andrei Borzenkov <arvidjaar@gmail.com> ---

This cannot work in systemd mode (that openSUSE uses); here is what dracut puts into /etc/crypttab

    echo "$luks $dev - timeout=0,$allowdiscards" >> /etc/crypttab

To actually make it work as is /supposed/ to work in systemd mode 90crypt/crypt-run-generator.sh would need

a) put keyfile in crypttab. Not sure when support appeared in systemd.

b) generate mount units to mount USB stick. And somehow unmount them before switching root! Current systemd already add RequiresMountsFor to crypto unit if keyfile is specified, so it should be enough to ensure proper ordering.

This is actually upstream problem, upstream lacks proper support.

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

Bruno Friedmann <bruno@ioda-net.ch> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |bruno@ioda-net.ch

--- Comment #6 from Bruno Friedmann <bruno@ioda-net.ch> ---

I'm surprised if don't work. On my 13.1 (and previous version since age) I've manually added

    cr_sdb1 /dev/disk/by-id/ata-Corsair_Force_GT_114882050000098800C7-part1 /root/cr_hdd1.key noearly,luks,allow-discards

sda1 the first root system is always asking my passphrase for obvious reason. but sdb is unlocked magically.

Did editing manually the crypttab adding the path to where the keyfile is and then recreating initrd work?

http://bugzilla.opensuse.org/show_bug.cgi?id=915849

--- Comment #7 from Björn Voigt <bjoernv@arcor.de> ---

After some debugging with rd.shell=1 kernel command line, I agree to comment #c5.

An example: I specified "rd.luks.key=/stick.key:/dev/sda1" on kernel command line. (I used /dev/sda1 because I don't want to use long /dev/disk filenames here.)

The file /tmp/luks.keys is generated correctly in Initrd:

    *:/dev/sda1:/stick.key

/etc/crypttab in Initrd:

    cr_md0 /dev/md0 none none

systemd-cryptsetup-generator had generated a file /run/systemd/generator/systemd-cryptsetup@cr_md0.service. It contains

    [...]
    ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'cr_md0' '/dev/md0' 'none' 'none'

If I run the "ExecStart" command manually, I get a password prompt. This is a problem.

    dracut:/# /usr/lib/systemd/systemd-cryptsetup attach 'cr_md0' '/dev/md0' 'none' 'none'
    Please enter passphrase for disk cr_md0!

The correct steps should look like this:

    dracut:/# mkdir -m 0755 /mnt/testdev1
    dracut:/# mount /dev/sda1 /mnt/testdev1
    dracut:/# /usr/lib/systemd/systemd-cryptsetup attach 'cr_md0' '/dev/md0' '/mnt/testdev1/stick.key' 'none'

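The check done by hand in comment #7, as an added shell example (not part of the bug report and not dracut's own code): it derives the /tmp/luks.keys line from a kernel command line and lists crypttab volumes whose key-file field is unset, which is the mismatch that leads to the passphrase prompt. The function names are hypothetical, the `rd.luks.key=<keypath>[:<keydev>[:<luksdev>]]` form is assumed, and the sample inputs are constructed from the values quoted in comments #5 and #7.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# Print one "luksdev:keydev:keypath" line per rd.luks.key= argument, the layout
# comment #7 found in /tmp/luks.keys. Assumed argument form:
# rd.luks.key=<keypath>[:<keydev>[:<luksdev>]]; "*" means "any LUKS device".
luks_keys_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | while read -r arg; do
        case "$arg" in rd.luks.key=*) ;; *) continue ;; esac
        val=${arg#rd.luks.key=}
        keypath=${val%%:*}
        rest=''; luksdev=''
        if [ "$val" != "$keypath" ]; then rest=${val#*:}; fi
        keydev=${rest%%:*}
        if [ "$rest" != "$keydev" ]; then luksdev=${rest#*:}; fi
        printf '%s:%s:%s\n' "${luksdev:-*}" "$keydev" "$keypath"
    done
}

# Print the name of every crypttab volume whose third field (key file) is
# empty, "none" or "-"; systemd-cryptsetup asks for a passphrase for these.
crypttab_volumes_without_keyfile() {
    printf '%s\n' "$1" | while read -r name dev keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in ''|none|-) printf '%s\n' "$name" ;; esac
    done
}

# Compare both views: a key requested on the command line but no key file in
# the initrd crypttab is the situation described in comments #5 and #7.
diagnose() {
    keys=$(luks_keys_from_cmdline "$1")
    prompting=$(crypttab_volumes_without_keyfile "$2")
    if [ -n "$keys" ] && [ -n "$prompting" ]; then
        printf 'MISMATCH key=%s prompting=%s\n' "$keys" "$prompting"
    else
        printf 'OK\n'
    fi
}

# Constructed sample matching comment #7.
CMDLINE='root=/dev/mapper/cr_md0 rd.luks.key=/stick.key:/dev/sda1 rd.shell=1'
CRYPTTAB='cr_md0 /dev/md0 none none'
diagnose "$CMDLINE" "$CRYPTTAB"
```

In a dracut emergency shell the same functions can be fed `"$(cat /proc/cmdline)"` and `"$(cat /etc/crypttab)"` instead of the constructed strings.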
http://bugzilla.opensuse.org/show_bug.cgi?id=915849
http://bugzilla.opensuse.org/show_bug.cgi?id=915849#c21

Dominique Leuenberger <dimstar@opensuse.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
CC         |         |dimstar@opensuse.org
Resolution |FIXED    |---

--- Comment #21 from Dominique Leuenberger <dimstar@opensuse.org> ---

The patch added to dracut removed all capabilities for luks from initrd.

as main missing piece, systemd-tty-ask-password is no longer added to initrd, resulting in openQA Failures like:

https://openqa.opensuse.org/tests/86382/modules/first_boot/steps/3

http://bugzilla.opensuse.org/show_bug.cgi?id=915849
http://bugzilla.opensuse.org/show_bug.cgi?id=915849#c22

--- Comment #22 from Dominique Leuenberger <dimstar@opensuse.org> ---

request: #335159
submit: home:dimstar:Factory/dracut@2(cleanup) -> Base:System
Message:
- Disable 0181-no_systemd_cryptsetup.patch: it breaks existing installations of encrypted / on LVM.
State: new 2015-10-01T10:10:20 dimstar
Comment: <no comment>