| 2022-06-20 01:54:06 |
fedorowp |
bug |
|
|
added bug |
| 2022-06-20 02:23:38 |
fedorowp |
description |
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Regenerating the initramfs. ie. update-initramfs -k all -u |
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
|
| 2022-06-24 23:01:03 |
Steve Langasek |
cryptsetup (Ubuntu): importance |
Undecided |
Critical |
|
| 2022-06-24 23:01:07 |
Steve Langasek |
tags |
|
rls-jj-incoming rls-kk-incoming |
|
| 2022-06-27 15:58:55 |
Simon Chopin |
tags |
rls-jj-incoming rls-kk-incoming |
rls-jj-incoming rls-kk-incoming transition-openssl3-jj |
|
| 2022-06-27 15:59:46 |
Matthieu Clemenceau |
tags |
rls-jj-incoming rls-kk-incoming transition-openssl3-jj |
fr-2498 rls-jj-incoming rls-kk-incoming transition-openssl3-jj |
|
| 2022-06-27 16:00:08 |
Lukas Märdian |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-06-27 16:00:08 |
Lukas Märdian |
bug task added |
|
cryptsetup (Ubuntu Kinetic) |
|
| 2022-06-27 16:00:08 |
Lukas Märdian |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-06-27 16:00:08 |
Lukas Märdian |
bug task added |
|
cryptsetup (Ubuntu Jammy) |
|
| 2022-06-27 16:00:24 |
Steve Langasek |
cryptsetup (Ubuntu Jammy): importance |
Undecided |
Critical |
|
| 2022-06-27 16:00:41 |
Lukas Märdian |
tags |
fr-2498 rls-jj-incoming rls-kk-incoming transition-openssl3-jj |
fr-2498 transition-openssl3-jj |
|
| 2022-07-05 02:01:54 |
Launchpad Janitor |
cryptsetup (Ubuntu): status |
New |
Confirmed |
|
| 2022-07-05 02:01:54 |
Launchpad Janitor |
cryptsetup (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2022-07-08 08:54:30 |
Sébastien S |
bug |
|
|
added subscriber Sébastien S |
| 2022-07-12 11:30:33 |
Łukasz Zemczak |
cryptsetup (Ubuntu Jammy): milestone |
|
ubuntu-22.04.1 |
|
| 2022-07-25 21:36:19 |
Chris Jones |
bug |
|
|
added subscriber Chris Jones |
| 2022-07-26 01:47:59 |
Jesse Johnson |
bug |
|
|
added subscriber Jesse Johnson |
| 2022-07-28 19:14:10 |
Brian Murray |
bug |
|
|
added subscriber Brian Murray |
| 2022-07-29 21:24:21 |
Benjamin Drung |
bug |
|
|
added subscriber Benjamin Drung |
| 2022-08-02 12:50:30 |
Benjamin Drung |
attachment added |
|
0001-Include-ossl-modules-legacy.so-for-MODULES-most.patch https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+attachment/5606458/+files/0001-Include-ossl-modules-legacy.so-for-MODULES-most.patch |
|
| 2022-08-02 16:21:19 |
Ubuntu Foundations Team Bug Bot |
tags |
fr-2498 transition-openssl3-jj |
fr-2498 patch transition-openssl3-jj |
|
| 2022-08-03 10:49:28 |
Ben Stanley |
bug |
|
|
added subscriber Ben Stanley |
| 2022-08-03 14:09:07 |
Benjamin Drung |
attachment added |
|
0001-Include-OpenSSL-legacy.so-for-ripemd160-and-whirlpoo.patch https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+attachment/5606727/+files/0001-Include-OpenSSL-legacy.so-for-ripemd160-and-whirlpoo.patch |
|
| 2022-08-03 16:36:58 |
Benjamin Drung |
attachment added |
|
cryptsetup_2.4.3-1ubuntu1.1.debdiff https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+attachment/5606761/+files/cryptsetup_2.4.3-1ubuntu1.1.debdiff |
|
| 2022-08-04 12:18:01 |
Benjamin Drung |
attachment added |
|
cryptsetup_2.4.3-1ubuntu1.1_v2.patch https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+attachment/5607015/+files/cryptsetup_2.4.3-1ubuntu1.1_v2.patch |
|
| 2022-08-04 12:18:09 |
Benjamin Drung |
cryptsetup (Ubuntu Jammy): status |
Confirmed |
Fix Committed |
|
| 2022-08-04 12:18:12 |
Benjamin Drung |
cryptsetup (Ubuntu Kinetic): status |
Confirmed |
Fix Committed |
|
| 2022-08-04 12:22:35 |
Benjamin Drung |
description |
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/vda2_crypt
```
* Continue and complete installation
* Ensure that /target/etc/crypttab exists (if not, create it and run "update-initramfs -u" in "chroot /target")
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
|
| 2022-08-05 09:38:20 |
Benjamin Drung |
attachment added |
|
cryptsetup_2.4.3-1ubuntu1.1_v3.patch https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1979159/+attachment/5607130/+files/cryptsetup_2.4.3-1ubuntu1.1_v3.patch |
|
| 2022-08-08 09:24:17 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-08-08 09:24:18 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2022-08-08 09:24:22 |
Łukasz Zemczak |
tags |
fr-2498 patch transition-openssl3-jj |
fr-2498 patch transition-openssl3-jj verification-needed verification-needed-jammy |
|
| 2022-08-08 10:28:57 |
Benjamin Drung |
description |
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/vda2_crypt
```
* Continue and complete installation
* Ensure that /target/etc/crypttab exists (if not, create it and run "update-initramfs -u" in "chroot /target")
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/vda2_crypt
```
* Continue and complete installation
* Ensure that /target/etc/crypttab exists (if not, create it and run "update-initramfs -u" in "chroot /target")
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Regression potential]
The changed code is called when running "update-initramfs". Therefore generating a new initramfs could fail (and the user would stay on an old one). Upgrading the package will trigger "update-initramfs". So bugs in initramfs (or it scripts) can be triggered at that time.
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
|
| 2022-08-08 10:29:26 |
Benjamin Drung |
description |
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/vda2_crypt
```
* Continue and complete installation
* Ensure that /target/etc/crypttab exists (if not, create it and run "update-initramfs -u" in "chroot /target")
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Regression potential]
The changed code is called when running "update-initramfs". Therefore generating a new initramfs could fail (and the user would stay on an old one). Upgrading the package will trigger "update-initramfs". So bugs in initramfs (or it scripts) can be triggered at that time.
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
[Impact]
After upgrading to Ubuntu 22.04 with an encrypted root filesystem, the root drive can no longer be unlocked at the "Please unlock disk <diskname>" prompt on boot.
The encrypted root disk can be unlocked fine from the liveCD, but not from the initramfs environment on boot.
The issue is caused by support for various luks encryption protocols now being missing from the initramfs environment due to changes introduced in OpenSSL 3.0 and Ubuntu pre-release testing not including a test-case of upgrading older Ubuntu versions with an encrypted root to the new version.
[Test Plan]
Test a fresh installation:
* Use Ubuntu 22.04 installer
* Prepare encrypted disk layout (first partition /boot, second for /) and go one step back
* Then change hash in terminal
```
sudo cryptsetup close vda2_crypt
sudo cryptsetup luksFormat --hash=whirlpool /dev/vda2
sudo cryptsetup luksOpen /dev/vda2 vda2_crypt
sudo mkfs.ext4 /dev/mapper/vda2_crypt
```
* Continue and complete installation
* Ensure that /target/etc/crypttab exists (if not, create it and run "update-initramfs -u" in "chroot /target")
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
Test an upgrade:
* Install Ubuntu 20.04 (similar to above)
* Upgrade to Ubuntu 22.04
* Reboot
* The system should ask for the password during boot and successfully boot into the desktop
[Where problems could occur]
The changed code is called when running "update-initramfs". Therefore generating a new initramfs could fail (and the user would stay on an old one). Upgrading the package will trigger "update-initramfs". So bugs in initramfs (or it scripts) can be triggered at that time.
[Workaround]
The issue can be worked-around by:
1. Booting from the 22.04 liveCD.
2. chrooting into the target system's root.
See https://help.ubuntu.com/community/ManualFullSystemEncryption/Troubleshooting
3. Creating a file /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf containing:
---
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so /usr/lib/x86_64-linux-gnu/ossl-modules/
---
4. Mark the file as executable: chmod +x /etc/initramfs-tools/hooks/custom-add-openssl-compat.conf
5. Regenerating the initramfs. ie. update-initramfs -k all -u |
|
| 2022-08-09 11:34:39 |
Benjamin Drung |
tags |
fr-2498 patch transition-openssl3-jj verification-needed verification-needed-jammy |
fr-2498 patch transition-openssl3-jj verification-done verification-done-jammy |
|
| 2022-08-10 18:13:01 |
Åka Sikrom |
bug |
|
|
added subscriber Åka Sikrom |
| 2022-08-11 16:21:09 |
Launchpad Janitor |
cryptsetup (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
| 2022-08-11 21:10:17 |
Launchpad Janitor |
cryptsetup (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2022-08-11 21:10:39 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2022-08-13 10:06:23 |
Åka Sikrom |
removed subscriber Åka Sikrom |
|
|
|
| 2022-08-17 22:38:35 |
Steve Langasek |
summary |
Cannot unlock encrypted root after upgrading to 22.04 |
Cannot unlock encrypted root after upgrading to 22.04 due to use of non-standard ciphers |
|
| 2023-07-04 07:14:26 |
Sébastien S |
removed subscriber Sébastien S |
|
|
|
| 2023-12-28 02:18:45 |
Alexander Geier |
bug |
|
|
added subscriber Alexander Geier |
