Bug 448665
Summary: | mkinitrd overrides /dev/urandom encrypted swap | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jason Farrell <farrellj> |
Component: | mkinitrd | Assignee: | Peter Jones <pjones> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 9 | CC: | dcantrell, mike.cloaked, redhat-bugzilla, redhat-bugzilla, wtogami |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-11-27 23:55:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jason Farrell
2008-05-28 05:40:39 UTC
Confirmed in F9 using a keyfile (held in encrypted root) for unlocking swap. In my case I allowed the F9 install to create an encrypted swap and encrypted root partition. Once the install was complete, in the early boot phase the LUKS passphrase for root is requested, followed immediately by the request for the LUKS passphrase for the swap partition. Creating a keyfile that is stored in /root, adding it (luksAddKey) to the swap partition, and then adding the 3rd field to /etc/crypttab with the path to the keyfile does not allow the swap partition to be opened without a passphrase prompt at boot. Manually executing mkinitrd to create a new initial ramdisk file still gives a passphrase prompt for the swap partition during boot. Presumably a modified mkinitrd would bypass this in a newly created initrd?

So there would need to be an additional search on /etc/crypttab

    # where field #3 is /dev/urandom and #4 is "swap" (or blank?)

and then exclude the swap partition when running mkinitrd?

In comment #2

    # where field #3 is /dev/urandom and #4 is "swap" (or blank?)

should perhaps be

    # where field #3 is /dev/urandom OR !NONE and #4 is "swap" (or blank?)

Any filename replacing /dev/urandom, within the /root area or another place in the root partition, would make sense provided the root partition is also encrypted.

I've just been bitten by this bug. The only encrypted partition I have is for swap. The entry in /etc/crypttab is

    swap1 /dev/sda6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

so I was somewhat perplexed that after rebooting to a new kernel, I was prompted for the LUKS passphrase! The /etc/fstab entry corresponding to this is:

    /dev/mapper/swap1 swap swap defaults 0 0

The mkinitrd version is mkinitrd-6.0.52-2.fc9.x86_64.

Is this still an issue with mkinitrd in rawhide?

(In reply to comment #5)
> Is this still an issue with mkinitrd in rawhide?

I wasn't able to reproduce with mkinitrd.6.0.62-1 in rawhide, no. I don't see /etc/crypttab being parsed for exclusions, but neither did I see dm-crypt added or the new emit plymouth cryptsetup added to the initrd this time. When "Looking for driver for device mapper/luks-VolGroup00-LogVol01", it's no longer found. A quick look at the old vs new diff doesn't tell me if that's a fix, or a happy coincidence.

Fixed in F10.

I've converted my swap as above, re-ran mkinitrd, and am not prompted for a password, as expected.
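The exclusion rule proposed in the thread (key field is /dev/urandom or a key file rather than blank or "none", and the options contain "swap") written out as a small crypttab filter; this is an added example for this page, not mkinitrd's own code or anything posted by the bug's participants, and the sample crypttab lines are constructed with a placeholder UUID.

```shell
#!/bin/sh
# Added example (not mkinitrd's code): apply the exclusion rule from the bug
# thread to /etc/crypttab and list the mappings an initrd still has to prompt for.
# crypttab fields: name  device  [key]  [options]
# Rule: skip an entry when its key field is /dev/urandom or any key file (not
# blank and not "none") AND its options contain "swap". Such a swap volume is
# re-keyed with random data at every boot or unlocked from a file, so asking for
# a passphrase is pointless. Every other entry must still be prompted for.

# crypttab_prompt_list [FILE]  -- reads FILE, or stdin when no FILE is given
crypttab_prompt_list() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            name = $1; key = $3; opts = $4; is_swap = 0
            n = split(opts, o, ",")             # options are comma-separated
            for (i = 1; i <= n; i++) if (o[i] == "swap") is_swap = 1
            # random key or key file on a swap volume: no prompt needed
            if (key != "" && key != "none" && is_swap) next
            print name
        }' "$@"
}

# Constructed sample crypttab for demonstration (not from the bug report);
# the root UUID is a placeholder.
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
luks-root UUID=PLACEHOLDER-ROOT none
swap1 /dev/sda6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
swap2 /dev/sda7 /root/swap.key swap
data /dev/sda8 /root/data.key
EOF
}

# Prints luks-root and data; swap1 and swap2 are excluded by the rule.
sample_crypttab | crypttab_prompt_list
```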