Bug 31206

Summary: Luks does not mount encrypted partitions. openssl fails due to missing /etc/crypto-policies/backends/opensslcnf.config
Product: Mageia Reporter: Gilberto Silva <gfs1989>
Component: InstallerAssignee: Mageia tools maintainers <mageiatools>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: release_blocker CC: davidwhodgins, mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Gilberto Silva 2022-11-30 15:38:45 CET 
Description of problem:

Partitions using luks are not enabled. During the boot the password is requested but the process is never completed. The partitions were ready and are used by other distributions.


Version-Release number of selected component (if applicable):

   Mageia 9 Alpha 1



How reproducible:


Steps to Reproduce:
1. Have an encrypted partition with luks.

2. Edit the /etc/crypttab file Here is the Crypttab file of the computer where    the problem is occurring.

grandaj3 UUID=f38b3c67-8271-47de-b68f-66013b7ac89f none luks,check=ext4
home4b   UUID=bb4504aa-f000-4066-9a94-66fd0c585957 none luks,check=ext4
comum4b  UUID=6d51d1ae-197a-463a-8eba-749f453e4e0c none luks,check=ext4

OpenSuse Tumbleweed automatically creates a /etc /crypttab file with a slightly different format but it doesn't work either.

cr-auto-1  UUID=f38b3c67-8271-47de-b68f-66013b7ac89f
cr-auto-3  UUID=6d51d1ae-197a-463a-8eba-749f453e4e0c
cr-auto-2  UUID=bb4504aa-f000-4066-9a94-66fd0c585957


3. Reboot the computer. It asks for the password but never concludes the boot.
David Walser 2022-11-30 16:25:03 CET

QA Contact: security => (none)
Component: Security => RPM Packages

David Walser 2022-11-30 16:25:40 CET

Component: RPM Packages => Installer

Comment 1 Lewis Smith 2022-11-30 20:22:52 CET 
Thank you Gilberto for the report, and DavidW for his admin corrections.
Pity our encryptation guru is presently off-line.

Assigning to the Mageia Tools people re the Installer.

Assignee: bugsquad => mageiatools

Comment 2 Dave Hodgins 2022-11-30 21:02:45 CET 
I just tested creating adding an encrypted file system to an existing
m9 vb install using diskdrake.
# cat /etc/crypttab
crypt_sdb1 UUID=26e4e697-c875-4749-920c-699b1ef4a965

It's working, but with one problem. The boot appeared to freeze. The prompt
to enter the passphrase didn't appear until I pressed a key.

Once it did appear, after entering the passphrase it worked properly and
the data in the partition is accessible.
[root@x9v ~]# grep sdb /proc/mounts
/dev/mapper/crypt_sdb1 /data ext4 rw,noatime 0 0
[root@x9v ~]# cryptsetup status crypt_sdb1
/dev/mapper/crypt_sdb1 is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-benbi
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    33508904 sectors
  mode:    read/write

Note this was before sddm started, the passphrase prompt was in text mode,
not using a gui dialog such as pinentry-qt

I'll test creating the encrypted file system during install, but expect it
will have the same problem.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2022-11-30 21:04:29 CET 
As usual, I'd removed "splash quiet" from the boot options to see what was
going on.
Comment 4 Dave Hodgins 2022-11-30 21:41:03 CET 
Tested a new plasma install using defaults for almost everything and
cryptsetup is working as expected. It included properly using a gui
for entering the passphrase.
Comment 5 Dave Hodgins 2022-11-30 21:46:53 CET 
I didn't add the online repos for the test in comment 4, just the
Mageia-9-alpha1-x86_64.iso. The following crypt related packages were
installed ...
# rpm -q -a|grep -e pine -e crypt|sort
crypto-policies-20210917-1.mga9
cryptsetup-2.5.0-1.mga9
lib64bd_crypto2-2.28-1.mga9
lib64cryptopp8-8.6.0-1.mga9
lib64cryptsetup12-2.5.0-1.mga9
lib64gcrypt20-1.10.1-1.mga9
lib64xcrypt1-4.4.30-1.mga9
pinentry-1.2.1-1.mga9
pinentry-qt5-1.2.1-1.mga9
Comment 6 Dave Hodgins 2022-11-30 21:55:33 CET 
[root@x9v ~]# systemctl status systemd-cryptsetup@crypt_sdb1.servicesystemd-cryptsetup@crypt_sdb1.service - Cryptography Setup for crypt_sdb1
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Wed 2022-11-30 15:42:35 EST; 8min ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
    Process: 579 ExecStart=/usr/lib/systemd/systemd-cryptsetup attach crypt_sdb1 /dev/disk/by-uuid/5bfe3a21-ff91-4604-85cf-0ac690f77548   (code=exited, status=0/SUCCESS)
   Main PID: 579 (code=exited, status=0/SUCCESS)
        CPU: 4.029s

Nov 30 15:42:25 x9v.hodgins.homeip.net systemd[1]: Starting systemd-cryptsetup@crypt_sdb1.service...
Nov 30 15:42:33 x9v.hodgins.homeip.net systemd-cryptsetup[579]: Set cipher aes, mode xts-benbi, key size 512 bits for device /dev/disk/by-uuid/5bfe3a21-ff91-4604-85cf-0ac690f77548.
Nov 30 15:42:35 x9v.hodgins.homeip.net systemd[1]: Finished systemd-cryptsetup@crypt_sdb1.service.
Comment 7 Dave Hodgins 2022-12-24 16:26:48 CET 
See https://bugzilla.redhat.com/show_bug.cgi?id=2133884

Severity: normal => critical
Summary: Luks does not mount encrypted partitions. => Luks does not mount encrypted partitions. openssl fails due to missing /etc/crypto-policies/backends/opensslcnf.config
Priority: Normal => release_blocker

Comment 8 Marc Krämer 2023-06-06 10:48:16 CEST 
can U still reproduce this? Just did a install with exactly this setup.

CC: (none) => mageia

Comment 9 Dave Hodgins 2023-06-06 22:01:28 CEST 
In an m9 x86_64 vb guest, added a second hard drive and created an encrypted
partition on it using diskdrake.
[root@x9v ~]# cat /etc/crypttab 
crypt_sdb1 UUID=652e11e1-33d4-4c77-a7bd-f55094d9e320
[root@x9v ~]# grep crypt /etc/fstab
/dev/mapper/crypt_sdb1 /encrypted ext4 noatime 0 0

On reboot, it asks for the password and mounts it.
[dave@x9v ~]$ mount|grep  crypt
/dev/mapper/crypt_sdb1 on /encrypted type ext4 (rw,noatime)
[dave@x9v ~]$ ll /encrypted/
total 16
drwx------ 2 root root 16384 Jun  6 15:43 lost+found/

Virtually inserted the m9 x86_64 beta2 iso image to the cd drive and booted
to the installer. Selected install, custom partitioning. Selected the existing
root partition (none-encrypted) as /. Selected the encrypted partition on
the second drive and selected the Use button. Then selected the partition
and gave it a mount point.

Stopped the install at the point where it's asking for which partitions to
format.

The /etc/crypto-policies/backends/opensslcnf.config file is present in the
installer and in the m9 x86_64 vb guest.

Closing as fixed.

Regarding the message asking for the passphrase not showing in a text boot,
it does show, but there are messages shown after it that make it hard to notice.

Status: NEW => RESOLVED
Resolution: (none) => FIXED