Bug 31206 - Luks does not mount encrypted partitions. openssl fails due to missing /etc/crypto-policies/backends/opensslcnf.config
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Installer
Version: Cauldron
Hardware: All Linux
Priority: release_blocker critical
Target Milestone: ---
Assignee: Mageia tools maintainers
QA Contact:
Depends on:
Reported: 2022-11-30 15:38 CET by Gilberto Silva
Modified: 2022-12-24 16:26 CET

See Also:
Source RPM:
Status comment:


Description Gilberto Silva 2022-11-30 15:38:45 CET
Description of problem:

Partitions using luks are not enabled. During the boot the password is requested but the process is never completed. The partitions were ready and are used by other distributions.

Version-Release number of selected component (if applicable):

   Mageia 9 Alpha 1

How reproducible:

Steps to Reproduce:
1. Have an encrypted partition with luks.

2. Edit the /etc/crypttab file. Here is the crypttab file of the computer where the problem is occurring.

grandaj3 UUID=f38b3c67-8271-47de-b68f-66013b7ac89f none luks,check=ext4
home4b   UUID=bb4504aa-f000-4066-9a94-66fd0c585957 none luks,check=ext4
comum4b  UUID=6d51d1ae-197a-463a-8eba-749f453e4e0c none luks,check=ext4

openSUSE Tumbleweed automatically creates a /etc/crypttab file with a slightly different format, but it doesn't work either.

cr-auto-1  UUID=f38b3c67-8271-47de-b68f-66013b7ac89f
cr-auto-3  UUID=6d51d1ae-197a-463a-8eba-749f453e4e0c
cr-auto-2  UUID=bb4504aa-f000-4066-9a94-66fd0c585957

3. Reboot the computer. It asks for the password but never concludes the boot.

David Walser 2022-11-30 16:25:03 CET

QA Contact: security => (none)
Component: Security => RPM Packages

David Walser 2022-11-30 16:25:40 CET

Component: RPM Packages => Installer

Comment 1 Lewis Smith 2022-11-30 20:22:52 CET
Thank you Gilberto for the report, and DavidW for his admin corrections.
Pity our encryption guru is presently off-line.

Assigning to the Mageia Tools people re the Installer.

Assignee: bugsquad => mageiatools

Comment 2 Dave Hodgins 2022-11-30 21:02:45 CET
I just tested creating and adding an encrypted file system to an existing
m9 vb install using diskdrake.
# cat /etc/crypttab
crypt_sdb1 UUID=26e4e697-c875-4749-920c-699b1ef4a965

It's working, but with one problem. The boot appeared to freeze. The prompt
to enter the passphrase didn't appear until I pressed a key.

Once it did appear, after entering the passphrase it worked properly and
the data in the partition is accessible.
[root@x9v ~]# grep sdb /proc/mounts
/dev/mapper/crypt_sdb1 /data ext4 rw,noatime 0 0
[root@x9v ~]# cryptsetup status crypt_sdb1
/dev/mapper/crypt_sdb1 is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-benbi
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    33508904 sectors
  mode:    read/write

Note this was before sddm started, the passphrase prompt was in text mode,
not using a gui dialog such as pinentry-qt

I'll test creating the encrypted file system during install, but expect it
will have the same problem.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2022-11-30 21:04:29 CET
As usual, I'd removed "splash quiet" from the boot options to see what was
going on.

Comment 4 Dave Hodgins 2022-11-30 21:41:03 CET
Tested a new plasma install using defaults for almost everything and
cryptsetup is working as expected. It included properly using a gui
for entering the passphrase.

Comment 5 Dave Hodgins 2022-11-30 21:46:53 CET
I didn't add the online repos for the test in comment 4, just the
Mageia-9-alpha1-x86_64.iso. The following crypt related packages were
installed ...
# rpm -q -a|grep -e pine -e crypt|sort

Comment 6 Dave Hodgins 2022-11-30 21:55:33 CET
[root@x9v ~]# systemctl status systemd-cryptsetup@crypt_sdb1.service
systemd-cryptsetup@crypt_sdb1.service - Cryptography Setup for crypt_sdb1
     Loaded: loaded (/etc/crypttab; generated)
     Active: active (exited) since Wed 2022-11-30 15:42:35 EST; 8min ago
       Docs: man:crypttab(5)
    Process: 579 ExecStart=/usr/lib/systemd/systemd-cryptsetup attach crypt_sdb1 /dev/disk/by-uuid/5bfe3a21-ff91-4604-85cf-0ac690f77548   (code=exited, status=0/SUCCESS)
   Main PID: 579 (code=exited, status=0/SUCCESS)
        CPU: 4.029s

Nov 30 15:42:25 x9v.hodgins.homeip.net systemd[1]: Starting systemd-cryptsetup@crypt_sdb1.service...
Nov 30 15:42:33 x9v.hodgins.homeip.net systemd-cryptsetup[579]: Set cipher aes, mode xts-benbi, key size 512 bits for device /dev/disk/by-uuid/5bfe3a21-ff91-4604-85cf-0ac690f77548.
Nov 30 15:42:35 x9v.hodgins.homeip.net systemd[1]: Finished systemd-cryptsetup@crypt_sdb1.service.

Comment 7 Dave Hodgins 2022-12-24 16:26:48 CET
See https://bugzilla.redhat.com/show_bug.cgi?id=2133884

Summary: Luks does not mount encrypted partitions. => Luks does not mount encrypted partitions. openssl fails due to missing /etc/crypto-policies/backends/opensslcnf.config
Severity: normal => critical
Priority: Normal => release_blocker
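
The two crypttab layouts quoted in the description and the file named in the bug summary can be checked with a short script; this is an added example, not part of the bug report or of Mageia's tooling. It parses crypttab lines, prints the by-uuid device path and the systemd-cryptsetup unit name to query (systemd escapes "-" in the mapping name as \x2d), and tests for the OpenSSL policy file. The function names, the third sample line and the assumption that mapping names contain only letters, digits, "_" and "-" are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: triage helper for crypttab entries.

# Constructed sample: both crypttab forms quoted in the report, plus one bad line.
SAMPLE_CRYPTTAB='# four-field form
grandaj3 UUID=f38b3c67-8271-47de-b68f-66013b7ac89f none luks,check=ext4

# two-field form
cr-auto-1  UUID=f38b3c67-8271-47de-b68f-66013b7ac89f
broken-line-without-device'

# systemd escapes "-" in the instance part of a unit name as \x2d.
# Assumption: mapping names use only letters, digits, "_" and "-".
escape_instance() {
    esc=''; left=$1
    while :; do
        case "$left" in
            *-*) esc="$esc${left%%-*}\\x2d"; left=${left#*-} ;;
            *)   esc="$esc$left"; break ;;
        esac
    done
    printf '%s' "$esc"
}

# Read crypttab text on stdin; print name|device|keyfile|options|unit per entry.
parse_crypttab() {
    while read -r name dev key opts extra; do
        case "$name" in ''|\#*) continue ;; esac   # blank line or comment
        if [ -z "$dev" ]; then printf 'INVALID|%s\n' "$name"; continue; fi
        case "$dev" in                             # UUID= maps to the udev symlink
            UUID=*) dev="/dev/disk/by-uuid/${dev#UUID=}" ;;
        esac
        # crypttab(5): fields 3 and 4 are optional, so a two-field line is valid.
        printf '%s|%s|%s|%s|systemd-cryptsetup@%s.service\n' \
            "$name" "$dev" "${key:-none}" "${opts:-unset}" "$(escape_instance "$name")"
    done
    return 0
}

# True if the OpenSSL crypto-policies backend file from the bug summary exists
# under the root given as $1 ("/" for the running system, or a mounted image).
openssl_policy_present() {
    [ -f "${1%/}/etc/crypto-policies/backends/opensslcnf.config" ]
}

printf '%s\n' "$SAMPLE_CRYPTTAB" | parse_crypttab
openssl_policy_present / || echo "missing: /etc/crypto-policies/backends/opensslcnf.config"
```

The unit name in the last column is the one to pass to systemctl status or journalctl -u when a mapping hangs at boot.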
