clevis fails to unlock root drive on Ubuntu 20.10

[dpantel]

I have a luks2 encrypted partition that contains /. I have added clevis with a tang pin to the partition.

During the boot process, I see the following:

Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... Please unlock disk crypt_root:
/bin/clevis-luks-common-functions: line 121: /dev/fd/62: No such file or directory
/bin/clevis-luks-common-functions: line 121: /dev/fd/62: No such file or directory
/bin/clevis-luks-common-functions: line 121: /dev/fd/62: No such file or directory
(repeats)

I can't break the error loop to enter the password manually, so I can't boot the system.

[dpantel]

Some more data points... (all of changes to the setup were performed by booting a live CD, followed by unlocking, mounting, and chrooting into the broken system).

I tried to remove the clevis tang pin from the involved drives/partitions and running update-initramfs. The error message persisted and the system was not bootable.

Then I tried adding back the clevis tang pin and using dracut instead of update-initramfs. This led to some interesting changes. I got the password prompt to unlock the drive, but I also saw a hit on the Tang server. Unfortunately, the Tang server started getting hammered with looped requests and the client spammed this error:

[...] dracut-initqueue[...]: /usr/lib/x86_64-linux-gnu/clevis-luks-askpass: line 62: ... done     echo -n "+$pt"
[...] dracut-initqueue[...]:     ... Segmentation fault     | ncat -U -u --send-only "$s"
(repeats)

Then I tried physically disconnecting from the network to see if I got a password prompt. I did and entered the password, which seemed to unlock the drives/partitions. Unfortunately the boot process then stopped with the following error:

[...] dracut-initqueue[...]: Warning: No carrier detected on interface enp2s0

Finally, I re-attached the network cable to see if I could enter the password and unlock the drives before the Tang request error loop. I got the first (of several) password entered before the whole thing dissolved into an error loop. The error was slightly different this time:

[...] dracut-initqueue[...]: Error communicating with the server!
[...] dracut-initqueue[...]: /usr/lib/x86_64-linux-gnu/clevis-luks-askpass: line 62: ... done     echo -n "+$pt"
[...] dracut-initqueue[...]:     ... Segmentation fault     | ncat -U -u --send-only "$s"
(repeats)

Just as last time, the Tang server actually saw a lot of traffic.

Surprisingly, I realized that I could keep typing the password through the errors and cryptsetup unlocked the drives. So I was able to boot the system, but obviously something is not working.

Is it Clevis/Tang, or is my whole setup FUBAR?

[dpantel]

after some more searching, it appears this is a duplicate of #262

applying the fix mentioned in https://bugs.debian.org/968518#10 bug report fixed the issue.

[cbiedl]

@dpantel: I'd like to fix clevis-luks-common-functions as you suggested in #275 - however I cannot see what triggered your error message. Mind to share what's in your line 121?

[dpantel]

Actually it looks like all of those bash process redirects have been removed in the current code. My distribution still ships v12.