ecryptfs-setup-swap leaves swap unencrypted with GPT partitioning + NVMe/MMC drives
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| System76 | Fix Released | Critical | Jason Gerard DeRose | |
| eCryptfs | Fix Committed | Critical | Jason Gerard DeRose | |
| ecryptfs-utils (Ubuntu) | Fix Released | Critical | Tyler Hicks | |
Bug Description
CVE Request: http://
When GPT swap partitions are located on NVMe or MMC drives, ecryptfs-setup-swap fails to mark these swap partitions as "no-auto".
As a consequence, when using encrypted home directory with an NVMe or MMC drive, the swap is left unencrypted. There's also a usability issue in that users are erroneously prompted to enter a pass-phrase to unlock their swap partition at boot.
I have a patch that I'll propose for merging shortly.
==
Aside:
Although not necessarily related, there's another issue System76 encountered when investigating this for a customer using encrypted home directory with an NVMe drive and the proprietary NVIDIA driver.
After doing a fresh install of 16.04.1 (choosing "Encrypt my home directory") and then installing the proprietary NVIDIA driver with:
sudo apt-get install nvidia-361
During the package installs, we were twice prompted to enter a pass-phrase to unlock the encrypted swap partition. This seemed to happen when installing dkms modules. We know this doesn't happen when the swap partition is correctly marked as "no-auto", but it's still very curious behavior.
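The bug description above turns on two details: the GPT "no-auto" attribute (GPT attribute bit 63, which sgdisk labels "do not automount" and systemd honours as no-auto) and the fact that NVMe and MMC partition device names carry a "p" separator (/dev/nvme0n1p3, /dev/mmcblk0p2) that the classic /dev/sda3 scheme lacks. The following POSIX shell helpers are an added example, not code from ecryptfs-utils or from the bug's patches: they split a partition path into disk and partition number for both naming schemes, read the "Attribute flags:" line of `sgdisk -i` output to tell whether a swap partition is marked no-auto, and print (rather than run) the `sgdisk -A <n>:set:63` command that would mark it. The sample `sgdisk -i` output embedded in the block is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from ecryptfs-utils: helpers for auditing whether a
# GPT swap partition carries the "no-auto" attribute (GPT attribute bit 63,
# "do not automount" in sgdisk) on drives whose partition device names use a
# "p" separator (NVMe: /dev/nvme0n1p3, MMC: /dev/mmcblk0p2) instead of the
# classic /dev/sda3 scheme. An unmarked swap partition is activated by the
# system as plain swap, so memory contents end up on disk unencrypted.

# Split a partition device path into "<disk> <partition-number>".
# Returns 1 if the path does not look like a partition.
split_partition() {
    case "$1" in
        /dev/nvme*n*p[0-9]*|/dev/mmcblk*p[0-9]*)
            # NVMe/MMC style: strip the trailing "p<number>" to get the disk
            disk=${1%p[0-9]*}
            ;;
        /dev/[sv]d[a-z]*[0-9]*)
            # SCSI/SATA/virtio style: the number is appended directly
            disk=$(printf '%s' "$1" | sed 's/[0-9]*$//')
            ;;
        *)
            return 1
            ;;
    esac
    num=${1#"$disk"}      # whatever followed the disk name
    num=${num#p}          # drop the NVMe/MMC separator, if any
    [ -n "$num" ] || return 1
    printf '%s %s\n' "$disk" "$num"
}

# Return 0 when a GPT attribute word, as printed on the "Attribute flags:"
# line of `sgdisk -i <partnum> <disk>`, has bit 63 set (no-auto).
has_noauto_flag() {
    flags=$(printf '%16s' "$1" | tr ' ' 0)   # left-pad to 16 hex digits
    case "$flags" in
        [89A-Fa-f]*) return 0 ;;              # top nibble carries bit 63
        *) return 1 ;;
    esac
}

# Given the text of `sgdisk -i` output for one partition, report whether it
# is marked no-auto. Returns 2 when no attribute line is present.
partition_is_noauto() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^Attribute flags: *//p')
    [ -n "$flags" ] || return 2
    has_noauto_flag "$flags"
}

# Print the sgdisk invocation that sets no-auto on a swap partition (printed
# rather than executed so this example runs without root or a real disk).
noauto_command() {
    parts=$(split_partition "$1") || return 1
    set -- $parts
    printf 'sgdisk -A %s:set:63 %s\n' "$2" "$1"
}

# Constructed sample outputs in the shape `sgdisk -i` produces (not captured
# from a real machine): one swap partition correctly marked, one left as auto.
SAMPLE_NOAUTO="Partition GUID code: 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F (Linux swap)
Partition unique GUID: 00000000-0000-0000-0000-000000000001
First sector: 2048 (at 1024.0 KiB)
Last sector: 8390655 (at 4.0 GiB)
Partition size: 8388608 sectors (4.0 GiB)
Attribute flags: 8000000000000000
Partition name: 'swap'"
SAMPLE_AUTO=$(printf '%s\n' "$SAMPLE_NOAUTO" | sed 's/^Attribute flags: .*/Attribute flags: 0000000000000000/')

# Stand-alone usage: audit the first swap partition listed in /proc/swaps when
# sgdisk is installed (reading the GPT needs root); silent otherwise.
if [ -r /proc/swaps ] && command -v sgdisk >/dev/null 2>&1; then
    swapdev=$(awk 'NR==2 && $2=="partition" {print $1}' /proc/swaps)
    if [ -n "$swapdev" ] && parts=$(split_partition "$swapdev"); then
        set -- $parts
        if partition_is_noauto "$(sgdisk -i "$2" "$1" 2>/dev/null)"; then
            echo "$swapdev: no-auto set"
        else
            echo "$swapdev: NOT marked no-auto; fix with: $(noauto_command "$swapdev")"
        fi
    fi
fi
```

The point of the `split_partition` helper is that deriving the disk and partition number by stripping trailing digits works for /dev/sda3 but yields the wrong disk for /dev/nvme0n1p3 (the "p" is left on the name), which is exactly the kind of mismatch that leaves a swap partition without the attribute. On a system that uses encrypted swap via cryptsetup, the expected state is that the underlying partition reports bit 63 set so nothing activates it as plain swap before the cryptoswap mapping exists.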
Related branches
- Tyler Hicks: Approve
- Jason Gerard DeRose (community): Needs Resubmitting
- Diff: 20 lines (+8/-2), 1 file modified: src/utils/ecryptfs-setup-swap (+8/-2)
- Martin Pitt (community): Approve
- Jason Gerard DeRose (community): Approve
- eCryptfs: Pending requested
- Diff: 84 lines (+52/-0), 3 files modified: debian/changelog (+6/-0), debian/ecryptfs-utils.postinst (+42/-0), src/utils/ecryptfs-setup-swap (+4/-0)
Changed in ecryptfs:
  assignee: nobody → Jason Gerard DeRose (jderose)
Changed in system76:
  status: New → In Progress
  importance: Undecided → Critical
  assignee: nobody → Jason Gerard DeRose (jderose)
  description: updated
Changed in ecryptfs:
  status: New → Triaged
  importance: Undecided → Critical
  description: updated
  summary:
    - ecryptfs-setup-swap fails with GPT partitioning + NVMe/MMC drives
    + ecryptfs-setup-swap leaves swap unencrypted with GPT partitioning + NVMe/MMC drives
Changed in ecryptfs:
  status: Triaged → Fix Committed
Changed in system76:
  status: In Progress → Fix Committed
  description: updated
Changed in system76:
  status: Fix Committed → Fix Released
Re the curious "Aside" I mentioned in the bug description, we've narrowed it down a bit: in this scenario, it seems installing/upgrading/reinstalling any packages that have systemd services will result in the user getting prompted for a passphrase to unlock their cryptoswap partition. I filed a bug against systemd for this:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1597876