fix(crypt): Encrypted root FS handling with generic initrd #2520

Open
wants to merge 2 commits into
base: master

@DanWin commented Sep 16, 2023

This pull request adds missing modules potentially required for disk decryption to a generic initrd. Additionally it changes the default for unlocking LUKS encrypted devices at boot from previously only doing so when rd.auto=1 was specified.

Checklist

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

Fixes #2437

@github-actions bot added the modules and crypt labels Sep 16, 2023
@LaszloGombos added the bug label Oct 30, 2023

@paulmenzel left a comment

Thank you for these patches. No idea how the dracut development process is.

@adrelanos

Tested. Works for me. Bug fixed. Please review.

@LaszloGombos (Collaborator) commented Apr 28, 2024

This PR would make dracut --no-hostonly -a crypt fail if the host does not have e.g. libfido2.so.* installed (because now fido2 is a mandatory dependency for crypt in no-hostonly mode).

I think this would be undesirable, especially where for this issue there is an obvious workaround just to manually add the missing modules.

Also https://bugzilla.redhat.com/show_bug.cgi?id=1018930

@DanWin (Author) commented May 5, 2024

Hi @LaszloGombos, actually there are no checks for these modules that require any files to be present. The modules can currently be included as a dependency, without copying any files, because their module-setup.sh only copies the library files with inst_libdir_file, which in turn has a check on whether the files exist, and otherwise silently ignores them.
So the way I see it, there should be nothing against adding them as a dependency, unless there are plans on adding checks whether all libraries exist? If so, we might make them optional dependencies like with the tpm2-tss module.

@LaszloGombos (Collaborator) commented May 6, 2024

> Hi @LaszloGombos , actually there are no checks for these modules that require any files to be present.

I have not had a chance to check, just saw that in some other places (e.g. https://github.com/dracutdevs/dracut/blob/master/modules.d/99squash/module-setup.sh#L46), there is -o, so I just assumed that without -o it would fail.

> the library files with inst_libdir_file which in turn has a check on whether the files exist, and otherwise silently ignores them.

Ok, I see. Thanks!

Perhaps you can upload an improved version of dracut-ng/dracut-ng#280 to https://github.com/dracut-ng/dracut-ng/ (without the rd.auto=1 change).

Successfully merging this pull request may close these issues.

Generic initrd does not work with encrypted root FS without further configuration