For testing, we can create a LUKS device that uses cipher mode cbc-essiv:sha256 and/or hash spec sha1. Then we should be able to reproduce the issue.
Suggested solution: Let openssl ship an initramfs-tools hook that does the following:
1. Get the list of encrypted disks:
dmsetup ls --target crypt
2. Map the disk name (e.g. system_crypt) to a dm-X name:
readlink -f /dev/mapper/$name
3. Get slave device (i.e. the underlying disk):
ls -1 /sys/block/dm-X/slaves/
4. For each underlying disk check the cipher mode / hash spec:
cryptsetup luksDump /dev/$disk | grep -E "^Hash spec:[[:space:]]*$legacy"
5. If the cipher mode / hash spec is legacy, include /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so
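The five steps above written out as one initramfs-tools hook, as an added example that is not part of this bug report or of the openssl package. It assumes the hook is installed under /etc/initramfs-tools/hooks/, that mkinitramfs exports DESTDIR and provides copy_exec through hook-functions, that `cryptsetup luksDump` prints LUKS1-style "Cipher mode:" / "Hash spec:" lines, and that the provider path is the one quoted above. The header check is kept in plain functions that take the dump as a string, so it can be exercised against constructed sample output without a block device.

```shell
#!/bin/sh
# Added example (not the report's code): initramfs-tools hook that copies the
# OpenSSL legacy provider into the initramfs only when an active dm-crypt
# device sits on a LUKS header with a legacy cipher mode or hash spec.
# Assumed path for the hook: /etc/initramfs-tools/hooks/ossl-legacy

PREREQ="cryptroot"
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# Provider path as quoted in the report.
LEGACY_SO=/usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so
# Values the report lists for Ubuntu 10.04 headers; extend if others turn up.
LEGACY_CIPHER_MODES="cbc-essiv:sha256"
LEGACY_HASH_SPECS="sha1"

# Constructed sample of a LUKS1 luksDump (not captured from a real disk).
SAMPLE_DUMP_1004="LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1"

# Print the "Cipher mode:" and "Hash spec:" values of a luksDump text ($1),
# one per line. Done on a string so the logic is testable offline.
dump_fields() {
    printf '%s\n' "$1" | awk '
        /^(Cipher mode|Hash spec):/ { sub(/^[^:]*:[ \t]*/, ""); print $1 }'
}

# Exit status 0 when any field value is one of the legacy values above.
luks_needs_legacy() {
    for value in $(dump_fields "$1"); do
        for legacy in $LEGACY_CIPHER_MODES $LEGACY_HASH_SPECS; do
            [ "$value" = "$legacy" ] && return 0
        done
    done
    return 1
}

# Steps 1-3 of the report: active crypt targets -> dm-X -> underlying disks.
crypt_slave_disks() {
    dmsetup ls --target crypt 2>/dev/null | awk '{ print $1 }' |
    while read -r name; do
        [ -e "/dev/mapper/$name" ] || continue      # skips "No devices found"
        dm=$(basename "$(readlink -f "/dev/mapper/$name")")
        [ -n "$dm" ] || continue
        for slave in /sys/block/"$dm"/slaves/*; do
            [ -e "$slave" ] && echo "/dev/$(basename "$slave")"
        done
    done
}

# Steps 4-5. Runs only inside mkinitramfs (which exports DESTDIR), so the file
# can also be sourced for testing without touching the system.
if [ -n "$DESTDIR" ] && [ -r /usr/share/initramfs-tools/hook-functions ]; then
    . /usr/share/initramfs-tools/hook-functions
    for disk in $(crypt_slave_disks); do
        # Slaves may be LVM or other non-LUKS devices; skip those.
        cryptsetup isLuks "$disk" 2>/dev/null || continue
        if luks_needs_legacy "$(cryptsetup luksDump "$disk" 2>/dev/null)"; then
            copy_exec "$LEGACY_SO"   # copies the .so and its ldd dependencies
            break
        fi
    done
fi
```

Only the first legacy header found triggers the copy, since one legacy.so serves every device; if the provider path differs per architecture, derive it from `dpkg-architecture -qDEB_HOST_MULTIARCH` instead of hard-coding it.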
Thanks Steve.
| Key | Ubuntu 10.04 | Ubuntu >= 16.04 |
|---|---|---|
| Cipher mode | cbc-essiv:sha256 | xts-plain64 |
| Hash spec | sha1 | sha256 |