LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.
05-28-2021, 11:15 AM   #1
libCognition

initramfs creates empty /cryptroot/crypttab file -- is it a bug in Bullseye?


What am I doing wrong? I have a /etc/crypttab file with one line, and update-initramfs is creating an empty /cryptroot/crypttab file inside the initrd image. These are all the steps I took:

Code:
$ sgdisk --clear\
         -a 1    --new=1:34:2047 -c 1:"BIOS boot" --typecode=1:$(sgdisk --list-types | sed -ne 's/.*\(....\).bios.*/\1/gip')\
         -a 2048 --new=2:0:0     -c 2:"mygroup"   --typecode=2:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.LUKS.*/\1/gip')\
         /dev/sdb

$ cryptsetup luksFormat --type luks1 /dev/sdb2; # GRUB supports luks1 not luks2
$ cryptsetup open /dev/sdb2 cryptlvm
$ aptitude install lvm2
$ pvcreate /dev/mapper/cryptlvm
$ vgcreate mygroup /dev/mapper/cryptlvm
$ lvcreate -L       6G mygroup -n swap
$ lvcreate -L     106G mygroup -n root
$ lvcreate -L     140G mygroup -n home
$ lvcreate -l 100%FREE mygroup -n var
$ mkswap --label swap /dev/mygroup/swap
$ mkfs.ext4 -L root /dev/mygroup/root
$ mkfs.ext4 -L home /dev/mygroup/home
$ mkfs.ext4 -L var /dev/mygroup/var
$ sync
$ swapon /dev/mygroup/swap
$ mkdir /mnt/debian_target
$ mount /dev/mygroup/root !$
$ for mp in /home /var; do mkdir /mnt/debian_target$mp; done
$ mount /dev/mygroup/home /mnt/debian_target/home
$ mount /dev/mygroup/var /mnt/debian_target/var
$ rsync -va --progress /images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/images/
$ mkdir -p /mnt/debian_target/media/debian_install_bd
$ mount -o loop /mnt/debian_target/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/media/debian_install_bd
$ torsocks /usr/sbin/debootstrap --no-check-gpg --arch amd64 --include linux-image-amd64,grub-pc,locales,lvm2,cryptsetup,bash-completion,gdisk\
  bullseye /mnt/debian_target file:///mnt/debian_target/media/debian_install_bd
$ mount --rbind /dev /mnt/debian_target/dev
$ cp /old_drive/etc/fstab /mnt/debian_target/etc/
$ blkid -l -t PARTLABEL=mygroup | awk '{gsub(/"/,""); print "cryptlvm " $2 " none luks,discard"}' > /mnt/debian_target/etc/crypttab

Indeed, running "cat /mnt/debian_target/etc/crypttab" shows the correct line there in etc/.

Code:
$ blkid
$ emacs /mnt/debian_target/etc/*tab; # replace the blkids with the correct ones
$ cp /old_drive/etc/adjtime /mnt/debian_target/etc/
$ cat /etc/network/interfaces >> /mnt/debian_target/etc/network/interfaces
$ emacs /mnt/debian_target/etc/network/interfaces; # make sure it's proper
$ cp /etc/hosts /mnt/debian_target/etc/
$ cp /etc/modules /mnt/debian_target/etc/
$ emacs /mnt/debian_target/etc/modules; # comment out modules for not-yet-installed pkgs
$ sed -e 's/^deb/#uncomment-me-later#deb/;s/stretch/bullseye/gi' /etc/apt/sources.list > /mnt/debian_target/etc/apt/sources.list
$ find /etc/apt/sources.list.d -type f ! -iname \*~ -exec bash -c 'for fn; do sed -e "s/^deb/#uncomment-me-later#deb/;s/stretch/bullseye/gi" "$fn" > /mnt/debian_target"$fn"; done' _ {} +
$ printf '\n\n%s\n' '/repository/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /media/debian_install_bd udf,iso9660 loop,ro,user,noauto 0 0' >> /mnt/debian_target/etc/fstab
$ chroot /mnt/debian_target apt-cdrom --no-auto-detect --no-mount -d=/media/debian_install_bd add

Side issue: normally `apt update` should work at this point, but it failed. Not sure where apt-cdrom goes wrong, but it's a red herring. I mention it here in case anyone knows more, but my workaround is to comment out "deb cdrom:..." from sources.list and treat it like local files as follows:

Code:
$ printf '\n\n%s\n' 'deb [trusted=yes check-valid-until=no] file:/media/debian_install_bd/ bullseye main contrib' >> /mnt/debian_target/etc/apt/sources.list
$ chroot /mnt/debian_target apt update

This will overwrite lines that set GRUB_ENABLE_CRYPTODISK to ensure that it gets enabled. If that setting is not present, it will be added to the end. Also add the rd.luks.name=<UUID>=cryptlvm kernel option.

Code:
$ buuid=$(blkid -l -t PARTLABEL=mygroup | awk '{gsub(/"/,""); print "rd.luks.name=" $2 "=cryptlvm"}')
$ sed -i -e '1{p;s/.*/GRUB_ENABLE_CRYPTODISK=y/;h;d};/^[[:blank:]]*GRUB_ENABLE_CRYPTODISK[[:blank:]]*=/I{s/.*//;x};/GRUB_CMDLINE_LINUX=/s/"/"'"$buuid"'/;$G' /mnt/debian_target/etc/default/grub; # "-i -e", not "-ie": GNU sed reads "-ie" as -i with backup suffix "e" and leaves a stray "grube" file behind

That results in these relevant lines in /mnt/debian_target/etc/default/grub:

Code:
GRUB_CMDLINE_LINUX="rd.luks.name=UUID=(proper UUID redacted)=cryptlvm"
GRUB_ENABLE_CRYPTODISK=y

Code:
$ chroot /mnt/debian_target grub-install --recheck /dev/sdb
$ chroot /mnt/debian_target update-grub; # side issue: this searches for boot loaders on all drives even though os-prober is not installed. So all other drives must be unplugged -- is there a better way?
$ chroot /mnt/debian_target dpkg-reconfigure locales
$ chroot /mnt/debian_target update-initramfs -u -t -k all
$ chroot /mnt/debian_target adduser me
$ chroot /mnt/debian_target usermod -aG sudo me

Rebooting at this point fails because (initrd):cryptroot/crypttab is an empty file. The fix is to replace the empty crypttab in the initrd with the one in /etc/, like this:

Code:
$ mkdir /tmp/initrd-hack
$ cd /tmp/initrd-hack
$ gunzip -c /mnt/debian_target/boot/initrd.img-5.10.0-6-amd64 | cpio -i
$ cp /mnt/debian_target/etc/crypttab cryptroot/crypttab
$ find . | cpio -H newc -o | gzip -9 > /mnt/debian_target/boot/initrd.img-5.10.0-6-amd64

That hack should not be necessary. I believe this is a bug in Bullseye's update-initramfs. The workaround is to create a key for the encrypted volume, which is the current practice for avoiding redundant password entry. Most people will want to do this anyway, but note that the most diligent people won't be keen, because it means the key which can decrypt the /boot partition is potentially subject to compromise in the event that an attacker penetrates the system while it's running. That key can later be used to open everything. So it's a security bug in Bullseye.

Anyway, these are the steps:

Code:
$ mkdir -m 0700 /mnt/debian_target/etc/security/keys
$ (umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/mnt/debian_target/etc/security/keys/cryptlvm.key conv=excl,fsync)
$ cryptsetup luksAddKey /dev/sdb2 /mnt/debian_target/etc/security/keys/cryptlvm.key
$ cryptsetup luksDump /dev/sdb2
$ sed -i -e '1{p;s@.*@KEYFILE_PATTERN="/etc/security/keys/*.key"@;h;d};/^[[:blank:]#]*KEYFILE_PATTERN[[:blank:]]*=/I{s/.*//;x};$G' /mnt/debian_target/etc/cryptsetup-initramfs/conf-hook; # "-i -e" rather than "-ie" (see the GRUB step above)
$ sed -i -e '1{p;s@.*@UMASK=0077@;h;d};/^[[:blank:]#]*UMASK[[:blank:]]*=/I{s/.*//;x};$G' /mnt/debian_target/etc/initramfs-tools/initramfs.conf
$ chroot /mnt/debian_target update-initramfs -u -t -k all

By specifying a key file in /etc/cryptsetup-initramfs/conf-hook, the update-initramfs script is forced to populate the crypttab file inside the initrd.img. The bug is that when etc/cryptsetup-initramfs/conf-hook is untouched, update-initramfs should still populate crypttab and the key file should be "none".

Last edited by libCognition; 05-28-2021 at 04:50 PM. Reason: solved for me but not for all
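The post only discovers the empty cryptroot/crypttab after a failed reboot, and its repair hack (`gunzip -c ... | cpio -i`) assumes the initrd is a single gzip stream. A Bullseye initrd is often several archives glued together: an uncompressed "early" cpio (CPU microcode) followed by the compressed main archive, and `gunzip` refuses a file that does not start with gzip magic. Debian's own `lsinitramfs` and `unmkinitramfs` understand that layout. The script below is an added example, not code from the post or from initramfs-tools: it parses the newc cpio format directly, walks every segment (NUL padding, uncompressed cpio, gzip or xz main archive), and reports whether cryptroot/crypttab is missing, empty, or populated, so the check can run inside the chroot before rebooting. The sample initrd at the bottom is constructed in memory and its UUID is a placeholder; run the file with a real initrd path as its argument to inspect that instead.

```python
"""Inspect a Debian initrd.img without unpacking it to disk and report what
cryptroot/crypttab inside it contains. Added example; the sample initrd below
is constructed, and its UUID is a made-up placeholder."""
import lzma
import sys
import zlib

NEWC_MAGIC = b"070701"   # SVR4 "newc" cpio header, as written by mkinitramfs
GZIP_MAGIC = b"\x1f\x8b"
XZ_MAGIC = b"\xfd7zXZ\x00"


def _pad4(n):
    return (n + 3) & ~3


def parse_newc(data, offset=0):
    """Parse one newc cpio archive starting at `offset` (which must be 4-aligned).
    Returns ([(name, content), ...], offset just past the TRAILER!!! entry)."""
    members = []
    while True:
        hdr = data[offset:offset + 110]          # 6-byte magic + 13 fields of 8 hex chars
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio header at offset {offset}")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = offset + 110
        name = data[name_start:name_start + namesize - 1].decode()   # drop trailing NUL
        data_start = _pad4(name_start + namesize)                     # name padded to 4
        content = data[data_start:data_start + filesize]
        offset = _pad4(data_start + filesize)                          # data padded to 4
        if name == "TRAILER!!!":
            return members, offset
        members.append((name, content))


def initrd_members(data):
    """Walk every segment of an initrd image and return {path: content}."""
    found = {}
    offset = 0
    while offset < len(data):
        if data[offset] == 0:              # the kernel allows NUL padding between segments
            offset += 1
        elif data.startswith(NEWC_MAGIC, offset):
            members, offset = parse_newc(data, offset)        # uncompressed early cpio
            found.update(members)
        elif data.startswith(GZIP_MAGIC, offset):
            raw = zlib.decompressobj(wbits=31).decompress(data[offset:])  # one gzip member
            found.update(parse_newc(raw)[0])
            offset = len(data)             # the compressed main archive is the last segment
        elif data.startswith(XZ_MAGIC, offset):
            raw = lzma.LZMADecompressor(format=lzma.FORMAT_XZ).decompress(data[offset:])
            found.update(parse_newc(raw)[0])
            offset = len(data)
        else:
            raise ValueError(f"unknown segment at offset {offset}")
    return found


def parse_crypttab(text):
    """Return the non-comment crypttab rows as (target, source, keyfile, options)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3] if len(fields) > 3 else ""
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def cryptroot_status(data):
    """Return (state, entries); state is 'missing', 'empty' or 'ok'."""
    members = initrd_members(data)
    if "cryptroot/crypttab" not in members:
        return "missing", []
    entries = parse_crypttab(members["cryptroot/crypttab"].decode())
    return ("ok" if entries else "empty"), entries


def build_newc(members):
    """Build a newc cpio archive from {path: bytes}; used here only to construct samples."""
    out = bytearray()
    for ino, (name, content) in enumerate(list(members.items()) + [("TRAILER!!!", b"")], 1):
        nameb = name.encode() + b"\0"
        mode = 0 if name == "TRAILER!!!" else 0o100644
        out += NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in
                                     (ino, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(nameb), 0))
        out += nameb + b"\0" * (_pad4(len(out) + len(nameb)) - len(out) - len(nameb))
        out += content + b"\0" * (_pad4(len(out) + len(content)) - len(out) - len(content))
    return bytes(out)


# Constructed samples: an uncompressed microcode segment, NUL padding, then the
# gzip-compressed main archive. The UUID is a placeholder, not a real device.
import gzip
SAMPLE_CRYPTTAB = b"cryptlvm UUID=00000000-1111-2222-3333-444444444444 none luks,discard\n"
EARLY = build_newc({"kernel/x86/microcode/GenuineIntel.bin": b"\0" * 16})
EARLY += b"\0" * (512 - len(EARLY) % 512)
GOOD_INITRD = EARLY + gzip.compress(build_newc({"init": b"#!/bin/sh\n", "cryptroot/crypttab": SAMPLE_CRYPTTAB}))
EMPTY_INITRD = EARLY + gzip.compress(build_newc({"init": b"#!/bin/sh\n", "cryptroot/crypttab": b""}))
NO_CRYPTTAB_INITRD = gzip.compress(build_newc({"init": b"#!/bin/sh\n"}))

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_INITRD
    state, entries = cryptroot_status(image)
    print(f"cryptroot/crypttab: {state}")
    for entry in entries:
        print("  ", *entry)
```

Running this against `/mnt/debian_target/boot/initrd.img-5.10.0-6-amd64` right after the `update-initramfs -u -t -k all` step turns the reboot failure described above into an "empty" verdict you can act on while still in the chroot; the same walk also shows whether an early microcode segment is present, which is the case where the post's gunzip-based hack would not even unpack the image.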
Tags
cryptsetup, debian, debootstrap, initramfs