libdm returns wrong error code when dm-verity key cannot be found

Bug #2054620 reported by Luca Boccassi
Affects         Status         Importance   Assigned to   Milestone
lvm2 (Ubuntu)   Fix Released   Undecided    Unassigned
Noble           Fix Released   Undecided    Unassigned

Bug Description

When libcryptsetup tries to activate a signed dm-verity volume, and the key is not in the kernel keyring, libdevicemapper does not return the appropriate ENOKEY, so the failure cannot be distinguished from other generic issues.

This is a problem when software like systemd, via libcryptsetup, tries to open a volume and gets an unrecognizable error out of it. With the fix in libdm and libcryptsetup, there is a clear ENOKEY returned when a key is missing and activation fails for that reason. This allows systemd (and other applications) to make the right decision depending on the failure case. Without this, the same generic error is returned in any case.

For more details, see:

https://gitlab.com/cryptsetup/cryptsetup/-/issues/841

libcryptsetup 2.7.0, now available in Debian stable, and systemd v255, shipped in Noble, make use of this error code.

This is fixed in the lvm2 version 2.03.23 upstream release.

Please consider backporting this patch for Noble.

Upstream PR: https://gitlab.com/lvmteam/lvm2/-/merge_requests/3
Upstream commit: 25ef7a7b1a876f491bd361369423d7309358f6c1
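To make the failure mode in the report concrete, here is an added illustration (not code from lvm2, libcryptsetup or the linked patch): a constructed stand-in for the device-mapper ioctl fails with ENOKEY when the verity signing key is absent, and the two wrapper functions contrast an activation path that collapses every failure into a boolean with one that hands the errno back to the caller, which is the property the report asks for. All function names are hypothetical.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-in for the device-mapper table-load ioctl.
 * Real dm-verity activation fails with ENOKEY when the signature's
 * key is not in the kernel keyring; a malformed table gives EINVAL. */
enum { KEY_ABSENT = 0, KEY_PRESENT = 1 };

static int fake_dm_ioctl(int key_state, int table_ok)
{
    if (!table_ok) { errno = EINVAL; return -1; }
    if (key_state == KEY_ABSENT) { errno = ENOKEY; return -1; }
    return 0;
}

/* Pre-fix shape of the problem: the library reports success/failure
 * only, and its own cleanup clobbers errno, so ENOKEY and EINVAL look
 * identical to the caller (both yield 0). */
int activate_verity_before(int key_state, int table_ok)
{
    int ok = fake_dm_ioctl(key_state, table_ok) == 0;
    errno = 0;          /* models cleanup work discarding the ioctl errno */
    return ok;
}

/* Post-fix shape: capture errno at the ioctl call site and return it
 * as a negative error code, before anything else can overwrite it. */
int activate_verity_after(int key_state, int table_ok)
{
    if (fake_dm_ioctl(key_state, table_ok) < 0)
        return -errno;  /* -ENOKEY, -EINVAL, ... */
    return 0;
}

/* What a systemd-like consumer does with a propagated code: only a
 * distinct ENOKEY lets it report "missing key" instead of a generic
 * activation error. */
const char *classify_activation(int rc)
{
    if (rc == 0)        return "activated";
    if (rc == -ENOKEY)  return "signing key missing from kernel keyring";
    return "generic activation failure";
}
```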

Luca Boccassi (bluca) wrote :
tags: added: patch patch-accepted-upstream
Luca Boccassi (bluca)
Changed in lvm2 (Ubuntu Noble):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Note that currently in noble lvm2 fails to build due to https://bugs.launchpad.net/ubuntu/+source/lvm2/+bug/2054683, which is unrelated to the MR linked here.

Paride Legovini (paride) wrote :

I just sponsored lvm2 2.03.16-3ubuntu1 which should fix the FTBFS.

On including libdm-propagate-ioctl-errors-back-to-caller.patch: I am not sure this bug is important enough to grant that. The patch may apply cleanly to 2.03.16, but still it comes from 2.03.23, which is not a trivial change in the upstream codebase.

I can see that better error messages on ENOKEY will result in an overall better UX, however most commits in an upstream devel repo will somehow improve something, still we try to rely on releases as cut by upstream when possible, for the many reasons I certainly don't have to tell you about. :-)

However: I may have missed the point here, and maybe the current UX is both (1) terrible, or at least quite bad, and (2) affecting many users, and not only users with a niche disk encryption configuration. If you think this is the case, can you please update the bug and elaborate a bit more on it?

Thanks!

Luca Boccassi (bluca)
description: updated
Dan Bungert (dbungert) wrote :

With the updated context, I think the proposal looks reasonable and would be comfortable sponsoring the upload. I suggest first waiting for the lvm2 merge to migrate, just to rule out issues on that front.

Luca Boccassi (bluca) wrote :

The previous lvm2 upload has now migrated from proposed to noble. cryptsetup 2.7.0 is also now available in noble, which also can make use of this bug fix.

Gianfranco Costamagna (costamagnagianfranco) wrote :

dput ubuntu ../lvm2_2.03.16-3ubuntu2_source.changes
Uploading lvm2 using ftp to ubuntu (host: upload.ubuntu.com; directory: /ubuntu)
running supported-distribution: check whether the target distribution is currently supported (using distro-info)
{'allowed': ['release', 'proposed', 'backports', 'security'], 'known': ['release', 'proposed', 'updates', 'backports', 'security']}
running required-fields: check whether a field is present and non-empty in the changes file
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running check-debs: makes sure the upload contains a binary package
running gpg: check GnuPG signatures before the upload
Uploading lvm2_2.03.16-3ubuntu2.dsc
Uploading lvm2_2.03.16-3ubuntu2.debian.tar.xz
Uploading lvm2_2.03.16-3ubuntu2_source.buildinfo
Uploading lvm2_2.03.16-3ubuntu2_source.changes

unsubscribing sponsors!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lvm2 - 2.03.16-3ubuntu2

---------------
lvm2 (2.03.16-3ubuntu2) noble; urgency=medium

  [ Luca Boccassi ]
  * Cherry-pick upstream change for libdm returning wrong error code when
    dm-verity key cannot be found (LP: #2054620)

 -- Gianfranco Costamagna <email address hidden> Wed, 06 Mar 2024 19:53:11 +0100

Changed in lvm2 (Ubuntu Noble):
status: Confirmed → Fix Released