Can't unlock multiple devices in initramfs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
clevis (Ubuntu) | Fix Released | Low | Unassigned |
Bionic | Triaged | Undecided | Unassigned |
Focal | Fix Released | Low | dann frazier |
Hirsute | Fix Released | Low | dann frazier |
Impish | Fix Released | Low | Unassigned |
Jammy | Fix Released | Low | Unassigned |
Bug Description
[Impact]
clevis can be used to automatically unlock LUKS-encrypted devices during boot by asking a remote server for the key (sort of). It does so by finding the PID of the process that sends up the interactive prompt "Please unlock disk xxx:" and then sending the key to that process through a fifo that the process has opened.
The bug that existed in clevis versions prior to version 17 forgot to clear the saved PID variable, so once the PID of the first process has been found it won't find any more processes of this type. This means it can only unlock the first device. If you have, for example, some sort of RAID root filesystem with multiple disks (or a ZFS mirror, as in my case), then clevis does not work at all.
[Test Plan]
- Set up a tang server on a different host:
# sudo apt install tang
# sudo systemctl enable tangd.socket --now
# reboot
- Set up two LUKS disks that shall be decrypted during early boot (append the option initramfs to their entries in /etc/crypttab)
- Set up clevis:
# sudo apt install clevis
# sudo apt install clevis-luks
# sudo apt install clevis-initramfs
- Bind the encrypted disks to the tang server:
# sudo clevis luks bind -d /dev/<disk1> tang '{"url": "http://<tang-server>"}'
# sudo clevis luks bind -d /dev/<disk2> tang '{"url": "http://<tang-server>"}'
- Regenerate the initramfs
# sudo update-initramfs -u -k 'all'
- Reboot
# reboot
After the reboot you will be stuck at "Please unlock disk xxx:" until you enter the passphrase manually.
If you perform all the steps using only one disk it will work.
[Where problems could occur]
If something is wrong with the patch it will show up when clevis unlocks a LUKS-encrypted disk from the initramfs.
[Other Info]
This has been fixed upstream (https:/
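The unlock loop from the [Impact] section, modelled as an added example (this is not clevis's own code): a constructed process listing stands in for the initramfs process table, the fifo write is replaced by recording the served device, and the same loop is run with and without clearing the saved PID variable.

```shell
#!/bin/sh
# Constructed process listing that stands in for scanning the initramfs process
# table (not real output): one "Please unlock disk" prompt per crypttab device,
# plus an unrelated process.
PS_SAMPLE='101 plymouth ask-for-password --prompt Please unlock disk sda3_crypt:
102 plymouth ask-for-password --prompt Please unlock disk sdb3_crypt:
103 /bin/sh /scripts/local-top/cryptroot'

# Print "<pid> <device>" for the first prompt whose device is not yet in $served.
next_prompt() {
    printf '%s\n' "$PS_SAMPLE" | awk -v seen=" $served " '
        /Please unlock disk/ {
            dev = $NF; sub(/:$/, "", dev)
            if (index(seen, " " dev " ") == 0) { print $1, dev; exit }
        }'
}

# Stand-in for writing the key into the prompting process's fifo: only records
# which device was served so the result can be checked.
send_key() { served="${served:+$served }$2"; }

# The unlock loop. The process scan runs only while $pid is empty, as the bug
# report describes; $reset says whether $pid is cleared after a key has been
# sent (the fix) or left holding the first PID (the bug).
run_unlock_loop() {
    reset=$1; pid=""; served=""
    while [ -z "$pid" ]; do
        found=$(next_prompt)
        [ -n "$found" ] || break        # no unserved prompt left
        pid=${found%% *}
        send_key "$pid" "${found#* }"
        if [ "$reset" = yes ]; then pid=""; fi
    done
    printf '%s\n' "$served"             # devices that actually got a key
}

unlock_buggy() { run_unlock_loop no; }   # stops after sda3_crypt
unlock_fixed() { run_unlock_loop yes; }  # serves sda3_crypt and sdb3_crypt

printf 'buggy: %s\nfixed: %s\n' "$(unlock_buggy)" "$(unlock_fixed)"
```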
description: updated
Changed in clevis (Ubuntu Focal): importance: Undecided → Low
Changed in clevis (Ubuntu Hirsute): importance: Undecided → Low
Changed in clevis (Ubuntu Impish): importance: Undecided → Low
Changed in clevis (Ubuntu Jammy): importance: Undecided → Low
Changed in clevis (Ubuntu Impish): status: New → Fix Released
tags: added: verification-done; removed: verification-needed
Changed in clevis (Ubuntu Jammy): status: Fix Committed → Fix Released
Changed in clevis (Ubuntu Bionic): status: New → Triaged
Marking Fix-Committed because version 18 is in jammy-proposed.