[Bug 1948598] Re: Can't unlock multiple devices in initramfs

Robie Basak 1948598 at bugs.launchpad.net
Wed Oct 27 17:22:30 UTC 2021


Hello Niclas, or anyone else affected,

Accepted clevis into hirsute-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/clevis/16-1ubuntu0.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-hirsute to verification-done-hirsute. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-hirsute. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: clevis (Ubuntu Hirsute)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1948598

Title:
  Can't unlock multiple devices in initramfs

Status in clevis package in Ubuntu:
  Fix Committed
Status in clevis source package in Focal:
  Fix Committed
Status in clevis source package in Hirsute:
  Fix Committed
Status in clevis source package in Impish:
  Fix Released
Status in clevis source package in Jammy:
  Fix Committed

Bug description:
  [Impact]
  clevis can be used to automatically unlock LUKS-encrypted devices during boot by asking a remote server for the key (sort of). It does so by finding the PID of the process that sends up the interactive prompt "Please unlock disk xxx:" and then sends a key to that process through a fifo that the process has opened.
  The bug that existed in clevis versions prior to version 17 forgot to clear the saved PID-variable, so when the PID of the first process has been found it won't find any more processes of this type. This means it can only unlock the first device. If you have for example some sort of RAID root filesystem with multiple disks (or a ZFS mirror like me) then clevis does not work at all.

  [Test Plan]
  - Set up a tang server on a different host:
  # sudo apt install tang
  # sudo systemctl enable tangd.socket --now
  # reboot

  - Set up two LUKS-disks that shall be decrypted during early boot
  (append option initramfs to them in /etc/crypttab)

  - Set up clevis:
  # sudo apt install clevis
  # sudo apt install clevis-luks
  # sudo apt install clevis-initramfs

  - Bind the encrypted disks to the tang server:
  # sudo clevis luks bind -d /dev/<disk1> tang '{"url": "http://<tang-server>"}'
  # sudo clevis luks bind -d /dev/<disk2> tang '{"url": "http://<tang-server>"}'

  - Regenerate initramfs
  # sudo update-initramfs -u -k 'all'

  - Reboot
  # reboot

  After the reboot you will be stuck at "Please unlock disk xxx:" until
  you enter the passphrase manually.

  If you perform all the steps using only one disk it will work.

  [Where problems could occur]
  If something is wrong with the patch it will show up when clevis is unlocking a LUKS-encrypted disk during initramfs.

  [Other Info]
  This has been fixed in upstream (https://github.com/latchset/clevis, version 17, commit 0abdfbc7812c8ef588ee22fd35941b5e831fdce7 on Feb 24, 2021)
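
The failure mode described under [Impact], as an added example that is not part of the bug report and is not clevis source: a simplified shell model of an unlock loop that keeps a saved prompt PID, with and without clearing it between devices. The function names, PIDs and process listings are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the unlock loop described in the bug report; not clevis
# source. Each LISTING argument is one moment during boot: a constructed
# "PID COMMAND" process listing in which one prompt waits for a device's key.

# Print the PID of the waiting prompt process in listing $1 (empty if none).
find_prompt_pid() {
    printf '%s\n' "$1" | awk '$2 == "askpass" { print $1; exit }'
}

# unlock_all MODE LISTING...
#   buggy: the saved PID is never cleared after a key has been sent
#   fixed: the saved PID is cleared, so the next prompt is searched for
# Prints how many prompts actually received a key.
unlock_all() {
    mode=$1; shift
    saved_pid=""
    unlocked=0
    for listing in "$@"; do
        # Ground truth for the model: the prompt that is really waiting now.
        live_pid=$(find_prompt_pid "$listing")
        # The loop only adopts a newly found PID while none is saved.
        if [ -z "$saved_pid" ]; then
            saved_pid=$live_pid
        fi
        # A key sent to a PID that is no longer prompting unlocks nothing.
        if [ -n "$live_pid" ] && [ "$saved_pid" = "$live_pid" ]; then
            unlocked=$((unlocked + 1))
        fi
        if [ "$mode" = "fixed" ]; then
            saved_pid=""
        fi
    done
    echo "$unlocked"
}

# Constructed sample: two encrypted devices, so two prompts with different PIDs.
DISK1_PROMPT='1 init
311 askpass'
DISK2_PROMPT='1 init
342 askpass'

echo "buggy, two disks: $(unlock_all buggy "$DISK1_PROMPT" "$DISK2_PROMPT") unlocked"
echo "fixed, two disks: $(unlock_all fixed "$DISK1_PROMPT" "$DISK2_PROMPT") unlocked"
echo "buggy, one disk:  $(unlock_all buggy "$DISK1_PROMPT") unlocked"
```

The one-disk case succeeds in both modes, which matches the test plan's observation that the problem only appears with a second device.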
