clevis doesn't support -e when installed with correct cryptsetup version
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
clevis (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
clevis version 19 added support for the -e parameter. This parameter allows using an existing token slot in LUKS2 to provide the existing passphrase to add a clevis binding to the LUKS2 volume without the user having to enter it.
In the lunar Ubuntu release, clevis 19 is available as well as cryptsetup 2.6.1. However, when I install clevis and attempt to use the -e parameter, clevis claims the version of cryptsetup is not high enough to support this.
clevis determines the version of cryptsetup *at build time* so my guess as to what happened is that I know clevis version 19 was released upstream before cryptsetup version 2.6.0 which added the necessary support in cryptsetup. My guess is the build system for Ubuntu didn't yet have cryptsetup 2.6.0 available when clevis 19 was built, resulting in a clevis package that believes it can't support the -e parameter even though cryptsetup 2.6.1 is now in the lunar repos.
We bumped into this in Fedora too and a rebuild of the clevis package on a system that has the 2.6.1 version of cryptsetup installed should resolve the issue.
Here's the amd64 build log for lunar: /launchpadlibra rian.net/ 649772129/ buildlog_ ubuntu- lunar-amd64. clevis_ 19-2_BUILDING. txt.gz
https:/
In there I see: luks/meson. build:23: WARNING: cryptsetup version does not support existing token id
Run-time dependency libcryptsetup found: YES 2.5.0
Dependency libcryptsetup found: NO found 2.5.0 but need: '>=2.6.0' (cached)
../src/
Here's the mantic build log: /launchpadlibra rian.net/ 678645100/ buildlog_ ubuntu- mantic- amd64.clevis_ 19-3_BUILDING. txt.gz
https:/
There I see:
Run-time dependency libcryptsetup found: YES 2.6.1
Dependency libcryptsetup found: YES 2.6.1 (cached)
Message: cryptsetup version supports existing token id
clevis built on 05-Feb, and cryptsetup 2.6.1 wasn't uploaded until 19-Feb, so it does seem like your theory is plausible.
I think the right way to fix this is to add a versioned build-dep on whatever cryptsetup package it is testing so that it will refuse to build with a version that does not have this feature. We inherit this package from Debian, so we'd want to make a pull request there. Are you comfortable proposing that? There's already a build-dep on cryptsetup-bin, but this version dependency might be on libcryptsetup-dev? We'd have to look to see what exactly clevis is testing during build.
Once accepted, we can merge that into the dev release (mantic), and then look into a lunar backport. For the lunar backport, we'll need to reformat the description of this bug using the SRU template:
https:/ /wiki.ubuntu. com/StableRelea seUpdates
That will communicate to our stable release team why we want to do this, and why we believe it is safe to do so. Could you make an attempt at drafting that?