2024-02-27 16:38:17 |
Luca Boccassi |
description |
When libcryptsetup tries to activate a signed dm-verity volume, and the key is not in the kernel keyring, libdevicemapper does not return the appropriate ENOKEY, so the failure cannot be distinguished from other generic issues.
This is a problem when software like systemd, via libcryptsetup, tries to open a volume and gets an unrecognizable error out of it. With the fix in libdm and libcryptsetup, there is a clear ENOKEY returned when a key is missing and activation fails for that reason. This allows systemd (and other applications) to make the right decision depending on the failure case. Without this, the same generic error is returned in any case.
For more details, see:
https://gitlab.com/cryptsetup/cryptsetup/-/issues/841
libcryptsetup 2.7.0, now available in Debian stable, and systemd v255, shipped in Noble, make use of this error code.
This is fixed in the lvm2 version 2.03.23 upstream release.
Please consider backporting this patch for Noble.
Upstream PR: https://gitlab.com/lvmteam/lvm2/-/merge_requests/3
Upstream commit: 25ef7a7b1a876f491bd361369423d7309358f6c1 |