sts-sponsors team mailing list archive

[Bug 1898129] Re: Cannot configure 'cryptsetup luksFormat' at install time

 

Verification done for focal-proposed
---

All good, the package from -proposed works correctly in both scenarios
-- without the option (i.e., default behavior) and with the option (i.e.,
opt-in behavior.)

Note: tested on VM with UEFI OVMF firmware with secure boot enabled (OVMF_CODE_4M.ms.fd), as shim-signed is also updated in the upload.
All good -- both scenarios install/boot to login screen w/ secboot.


Steps:
=====

On install, select Try Ubuntu, and launch Terminal.

$ sudo add-apt-repository 'deb http://archive.ubuntu.com/ubuntu focal-proposed main' && sudo apt install -y ubiquity && apt policy ubiquity
...
ubiquity:
  Installed: 20.04.15.3
  Candidate: 20.04.15.3
  Version table:
 *** 20.04.15.3 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
...

$ grep -c luksopts /lib/partman/lib/crypto-base.sh 
4

$ dmesg | grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.008398] secureboot: Secure boot enabled

Move on with installer, select install to LVM/Encrypt.

Check on Terminal:

$ lsblk --ascii | grep -B1 crypt
`-vda3                252:3    0   8.8G  0 part  
  `-vda3_crypt        253:0    0   8.8G  0 crypt


Without option (default)
---
        
$ sudo debconf-get partman-crypto/luksformat_options

$

$ sudo cryptsetup luksDump /dev/vda3 | head -n2
LUKS header information
Version:       	2


With option (opt-in)
---

$ sudo debconf-get partman-crypto/luksformat_options
--type luks1
$

$ sudo cryptsetup luksDump /dev/vda3 | head -n3
LUKS header information for /dev/vda3

Version:        1

$ grep luks /var/log/partman 
/usr/bin/autopartition-crypto: Additional options for luksFormat: '--type luks1'


** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1898129

Title:
  Cannot configure 'cryptsetup luksFormat' at install time

Status in partman-crypto package in Ubuntu:
  Invalid
Status in ubiquity package in Ubuntu:
  Fix Released
Status in partman-crypto source package in Focal:
  Fix Committed
Status in ubiquity source package in Focal:
  Fix Committed
Status in partman-crypto source package in Groovy:
  Invalid
Status in ubiquity source package in Groovy:
  Won't Fix
Status in partman-crypto source package in Hirsute:
  Invalid
Status in ubiquity source package in Hirsute:
  Fix Released
Status in partman-crypto package in Debian:
  Unknown

Bug description:
  [Impact]

   * Users cannot specify options for 'cryptsetup luksFormat'
     that is used by the installer.

   * Some deployments need the installed disks in LUKS1 format
     for backward compatibility with older releases that don't
     support LUKS2, for backup/audit/management purposes.

   * However, on Focal and later, cryptsetup defaults to LUKS2,
     which broke that functionality.
     
   * Currently it's not possible to request the LUKS format in
     the installer, so this patch allows for that w/ a preseed
     option ('partman-crypto/luksformat_options') for the user.

  [Test Case]

   * Default behavior: LUKS2
   
     - Install Ubuntu (Focal/later); check LUKS header version:
     
       $ sudo cryptsetup luksDump /dev/vda4
       LUKS header information
       Version: 2
       ...
       
   * Opt-in behavior: LUKS1 (for example; can use other options)
   
     - Install Ubuntu (Focal/later) with preseed file/option:

       ubiquity partman-crypto/luksformat_options string \
         --type luks1

     - Check LUKS header version:
     
       $ sudo cryptsetup luksDump /dev/vda4
       LUKS header information for /dev/vda4
       Version: 1
       ...

     - Check install logs for confirmation:
     
       $ grep luksFormat /var/log/partman
       /usr/bin/autopartition-crypto: Additional options for luksFormat: '--type luks1'
     
  [Where problems could occur]

   * The changes are contained within the partman-crypto functionality,
     so only install with encrypted disks should be affected by issues.

   * Any additional options specified to 'cryptsetup luksFormat' are
     opt-in _and_ specified by the user via the preseed option, thus
     errors are probably tied to particular options (mis) used.

   * If the preseed option is not specified, original behavior remains.

  [Other Info]
   
   * This patch is applied in Hirsute.
   * This patch is not needed in Groovy (rationale in comment #15.)
   * This patch is targeted at Focal (cryptsetup defaulted to LUKS2.)
   * This patch is not needed in Bionic/earlier (^defaults to LUKS1.)

  [Original Description]
  Most users should be fine with the options to
  'cryptsetup luksFormat' used by the installer.

  However, some users may have reasons to use
  other options, and that is not possible now.

  Let's provide a new preseed option for that:
  'partman-crypto/luksformat_options'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/partman-crypto/+bug/1898129/+subscriptions
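
The manual check in the verification steps above (compare the preseeded 'partman-crypto/luksformat_options' value with the 'Version:' line of 'cryptsetup luksDump') can be scripted for repeated installs. This is an added example, not part of the original message or of the ubiquity/partman-crypto code; the function names are hypothetical and the sample dumps are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample dumps are constructed.

# Print the header version ("1" or "2") found in luksDump text on stdin.
luks_version() {
    awk '/^Version:/ { print $2; exit }'
}

# Print the header version implied by a luksformat_options string.
# No --type given: LUKS2, the Focal cryptsetup default per the bug description.
expected_version() {
    want=2
    prev=
    for word in $1; do              # unquoted on purpose: split into words
        case $word in
            --type=*) fmt=${word#--type=} ;;
            *) if [ "$prev" = "--type" ]; then fmt=$word; else fmt=; fi ;;
        esac
        case $fmt in
            luks1) want=1 ;;
            luks2) want=2 ;;
            '') ;;                  # not a --type argument, nothing to do
            *) want=unknown ;;      # a type this check does not model
        esac
        prev=$word
    done
    echo "$want"
}

# $1 = luksformat_options value, $2 = luksDump output. Returns 0 on a match.
check_luks_header() {
    want=$(expected_version "$1")
    got=$(printf '%s\n' "$2" | luks_version)
    if [ -n "$got" ] && [ "$want" = "$got" ]; then
        echo "OK: LUKS$got"
        return 0
    fi
    echo "MISMATCH: expected LUKS$want, header is LUKS${got:-?}"
    return 1
}

DUMP_DEFAULT='LUKS header information
Version:        2'
DUMP_LUKS1='LUKS header information for /dev/vda3

Version:        1'

check_luks_header '' "$DUMP_DEFAULT"                       # default install
check_luks_header '--type luks1' "$DUMP_LUKS1"             # opt-in install
check_luks_header '--type luks1' "$DUMP_DEFAULT" || true   # option not honored
```

On an installed system the two arguments would come from the commands used in the steps above: "$(sudo debconf-get partman-crypto/luksformat_options)" and "$(sudo cryptsetup luksDump /dev/vda3)".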