Debian Bug report logs -
#815480
Linux kernel crypto 'no key' patches break cryptsetup if not carefully backported
Reported by: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sun, 21 Feb 2016 20:45:01 UTC
Severity: important
Tags: fixed-upstream, upstream
Done: Ben Hutchings <ben@decadent.org.uk>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#815480; Package src:cryptsetup.
(Sun, 21 Feb 2016 20:45:05 GMT).
Acknowledgement sent
to Henrique de Moraes Holschuh <hmh@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
(Sun, 21 Feb 2016 20:45:05 GMT).
Message #5 received at submit@bugs.debian.org:
Source: cryptsetup
Severity: important
Tags: upstream fixed-upstream
This bug is actually severity grave as it renders systems unbootable and
data unaccessible, but since it can only trigger on non-Debian kernels ATM,
I am reporting it at severity important.
https://gitlab.com/cryptsetup/cryptsetup/issues/284
https://bugzilla.kernel.org/show_bug.cgi?id=112631
cryptsetup is rendered useless by the latest batch of upstream stable
kernels, as well as by Linux mainline.
On systems with encrypted root, this renders the system unbootable.
Otherwise, it renders any encrypted partitions and media unaccessible.
Reproduced in Debian stable with a custom 3.18.27 kernel.
The issue has been fixed upstream in the cryptsetup master branch, and in
the cryptsetup v1_7_x branch. The fix will land in the 1.7.1 release, I
think.
The kernel people did not reply yet due to the weekend, but I expect the
change will be made optional or reverted... for a while (and I hope for the
"optional").
Regardless, it would be nice to have updated cryptsetup uploaded to unstable
ASAP, and an eventual Debian stable backport...
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#815480; Package src:cryptsetup.
(Sun, 21 Feb 2016 21:00:04 GMT).
Acknowledgement sent
to Milan Broz <gmazyland@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
(Sun, 21 Feb 2016 21:00:04 GMT).
Message #10 received at 815480@bugs.debian.org:
On 02/21/2016 09:40 PM, Henrique de Moraes Holschuh wrote:
> Source: cryptsetup
> Severity: important
> Tags: upstream fixed-upstream
>
> This bug is actually severity grave as it renders systems unbootable and
> data unaccessible, but since it can only trigger on non-Debian kernels ATM,
> I am reporting it at severity important.
>
> https://gitlab.com/cryptsetup/cryptsetup/issues/284
> https://bugzilla.kernel.org/show_bug.cgi?id=112631
>
> cryptsetup is rendered useless by the latest batch of upstream stable
> kernels, as well as by Linux mainline.
Only some of the stable kernels are problematic, because of an incompletely
backported patch series.
See http://www.mail-archive.com/linux-crypto@vger.kernel.org/msg17926.html
(I tried to backport the missing part there.)
There is no problem in the mainline kernel, and 4.4.2 and 4.3.6 stable work.
...
> Regardless, it would be nice to have updated cryptsetup uploaded to unstable
> ASAP, and an eventual Debian stable backport...
The Debian kernel should be fixed in the first place.
Milan
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#815480; Package src:cryptsetup.
(Sun, 21 Feb 2016 21:36:09 GMT).
Acknowledgement sent
to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
(Sun, 21 Feb 2016 21:36:09 GMT).
Message #15 received at 815480@bugs.debian.org:
On Sun, 21 Feb 2016, Milan Broz wrote:
> On 02/21/2016 09:40 PM, Henrique de Moraes Holschuh wrote:
> Only some of the stable kernels are problematic, because of an incompletely
> backported patch series.
>
> See http://www.mail-archive.com/linux-crypto@vger.kernel.org/msg17926.html
> (I tried to backport the missing part there.)
>
> There is no problem in the mainline kernel, and 4.4.2 and 4.3.6 stable work.
Thanks for the updated information, and for working on the fix, both
kernel-side and in cryptsetup!
Updating kernel bugzilla #112631 with that information.
> > Regardless, it would be nice to have updated cryptsetup uploaded to unstable
> > ASAP, and an eventual Debian stable backport...
>
> The Debian kernel should be fixed in the first place.
No Debian kernels are affected yet, only Debian users that compile their own
kernels could hit this issue at the moment.
Anyway, if the whole deal can be fixed kernel-side, there's less reason for
a backport of the cryptsetup-side changes to Debian stable.
That said, in the long run it might be better if Debian stable's cryptsetup
does not depend on a compatibility path in the kernel that is not used by
newer code, so it might still make sense to backport the changes in
cryptsetup 1.7 to 1.6.6. It all depends on the complexity of such a
backport...
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>:
Bug#815480; Package src:cryptsetup.
(Sun, 06 Mar 2016 21:30:06 GMT).
Acknowledgement sent
to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Cryptsetup Team <pkg-cryptsetup-devel@lists.alioth.debian.org>.
(Sun, 06 Mar 2016 21:30:06 GMT).
Message #20 received at 815480@bugs.debian.org:
Control: reassign -1 src:linux
Control: affects -1 cryptsetup
On Sun, 21 Feb 2016 17:40:27 -0300 Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> Source: cryptsetup
> Severity: important
> Tags: upstream fixed-upstream
>
> This bug is actually severity grave as it renders systems unbootable and
> data unaccessible, but since it can only trigger on non-Debian kernels ATM,
> I am reporting it at severity important.
As already explained, this is a kernel bug and must be fixed there.
Thankfully, no Debian kernel versions have this bug - yet. I'm
currently working to fix the broken backports for 3.2.y and 3.16.y so
that this bug is not introduced in the next uploads to wheezy-pu and
jessie-pu.
Ben.
--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
Bug reassigned from package 'src:cryptsetup' to 'src:linux'.
Request was from Ben Hutchings <ben@decadent.org.uk>
to 815480-submit@bugs.debian.org.
(Sun, 06 Mar 2016 21:30:06 GMT).
Added indication that 815480 affects cryptsetup
Request was from Ben Hutchings <ben@decadent.org.uk>
to 815480-submit@bugs.debian.org.
(Sun, 06 Mar 2016 21:30:07 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#815480; Package src:linux.
(Mon, 07 Mar 2016 03:48:04 GMT).
Acknowledgement sent
to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(Mon, 07 Mar 2016 03:48:04 GMT).
Message #29 received at 815480@bugs.debian.org:
Control: retitle -1 Linux kernel crypto 'no key' patches break cryptsetup if not carefully backported
Linux 3.2.78 and 3.16.7-ckt25 have this problem, but I have fixed it
(at least, the result works on my machine!) before uploading stable
updates based on those versions.
If you use any other stable kernel branch, you'll need to either
upgrade to 4.4 or request the appropriate stable maintainer fixes their
backport of the 'no key' patches.
Ben.
--
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg
Changed Bug title to 'Linux kernel crypto 'no key' patches break cryptsetup if not carefully backported' from 'cryptsetup: versions before 1.7.1 incompatible with latest batch of Linux kernels (mainline and stable)'
Request was from Ben Hutchings <ben@decadent.org.uk>
to 815480-submit@bugs.debian.org.
(Mon, 07 Mar 2016 03:48:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#815480; Package src:linux.
(Wed, 07 Dec 2016 11:51:02 GMT).
Acknowledgement sent
to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
(Wed, 07 Dec 2016 11:51:02 GMT).
Message #36 received at 815480@bugs.debian.org:
Hi Ben,
On Mon, 07 Mar 2016 03:45:17 +0000 Ben Hutchings <ben@decadent.org.uk>
wrote:
> Control: retitle -1 Linux kernel crypto 'no key' patches break cryptsetup if not carefully backported
>
> Linux 3.2.78 and 3.16.7-ckt25 have this problem, but I have fixed it
> (at least, the result works on my machine!) before uploading stable
> updates based on those versions.
>
> If you use any other stable kernel branch, you'll need to either
> upgrade to 4.4 or request the appropriate stable maintainer fixes their
> backport of the 'no key' patches.
Probably this bugreport should be closed, no? To my understanding, the
Linux kernels in Debian are all patched to fix this problem and besides,
cryptsetup packages in Unstable and Stretch are fixed to work with the
backwards-incompatible changes anyway since quite some time.
Cheers,
jonas
Reply sent
to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility.
(Thu, 08 Dec 2016 01:12:07 GMT).
Notification sent
to Henrique de Moraes Holschuh <hmh@debian.org>:
Bug acknowledged by developer.
(Thu, 08 Dec 2016 01:12:07 GMT).
Message #41 received at 815480-done@bugs.debian.org:
On Wed, 2016-12-07 at 12:49 +0100, Jonas Meurer wrote:
> Hi Ben,
>
> On Mon, 07 Mar 2016 03:45:17 +0000 Ben Hutchings <ben@decadent.org.uk>
> wrote:
> > Control: retitle -1 Linux kernel crypto 'no key' patches break cryptsetup if not carefully backported
> >
> > Linux 3.2.78 and 3.16.7-ckt25 have this problem, but I have fixed it
> > (at least, the result works on my machine!) before uploading stable
> > updates based on those versions.
> >
> > If you use any other stable kernel branch, you'll need to either
> > upgrade to 4.4 or request the appropriate stable maintainer fixes their
> > backport of the 'no key' patches.
>
> Probably this bugreport should be closed, no? To my understanding, the
> Linux kernels in Debian are all patched to fix this problem and besides,
> cryptsetup packages in Unstable and Stretch are fixed to work with the
> backwards-incompatible changes anyway since quite some time.
Right, I don't think this ever really affected the Debian package.
Ben.
--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 05 Jan 2017 07:27:20 GMT).
Last modified: Sat Jan 6 11:15:49 2018