Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Boot with crypt-gpg stuck at password prompt #2004

Closed
lapseofreason opened this issue Oct 16, 2022 · 8 comments · Fixed by #2154
Closed

Boot with crypt-gpg stuck at password prompt #2004

lapseofreason opened this issue Oct 16, 2022 · 8 comments · Fixed by #2154
Labels
bug Our bugs crypt-gpg Issues related to the crypt-gpg module

Comments

@lapseofreason
Copy link
Contributor

lapseofreason commented Oct 16, 2022
edited
Loading

Describe the bug
I am using crypt-gpg to decrypt a luks partition that contains a volume group with the root partition. However, the boot is stuck at the command prompt, as entering the correct password just displays the password prompt again.

Distribution used
I am using Fedora 36.

Dracut version
dracut-057-3.fc36
dracut-056-1.fc36 (tested by downgrading & running dracut -f --kver ...)
linux-5.19.15-201.fc36.x86_64

Dracut config

add_dracutmodules+=" resume crypt-gpg "
filesystems+=" fat msdos vfat "
# https://bugzilla.redhat.com/show_bug.cgi?id=1754055
omit_dracutmodules+=" systemd systemd-initrd dracut-systemd ifcfg network "

Init system
systemd, but it is excluded in dracut (see config above) for crypt-gpg to work

To Reproduce

  1. When the system boots up, a password prompt is presented: Password (XXX on /dev/sdYY for /dev/sdZZ)
  2. After entering the (correct) password, the prompt appears again without any error message.
    1. This is subjective, but I think it appears too quicky to have tried to decrypt the partition.
  3. After repeating for 3 times, the prompt disappears, but the boot does not continue.
    1. A couple of messages are displayed (No key available with this passphrase (multiple times)), but nothing that stood out to me as being specific enough for debugging.

Expected behavior
After entering the correct password, the partition is decrypted and boot continues normally.

Additional context
I just tried a fresh install of fedora server and ran into the same issues there:
dracut-056-1.fc36
linux-5.17.5-300.fc36.x86_64
@lapseofreason lapseofreason added the bug Our bugs label Oct 16, 2022
@lapseofreason
Copy link
Contributor Author

After trying out different things, I found out that the following change resolves the issue:

diff -c crypt-gpg-lib.sh.orig crypt-gpg-lib.sh.fixed 
*** crypt-gpg-lib.sh.orig	2022-10-16 15:18:28.978321618 +0200
--- crypt-gpg-lib.sh.fixed	2022-10-16 15:17:37.442958543 +0200
***************
*** 51,57 ****
      fi
  
      ask_for_password \
!         --cmd "GNUPGHOME=$gpghome gpg --card-status --no-tty > /dev/null 2>&1; gpg $opts --decrypt $mntp/$keypath" \
          --prompt "${inputPrompt:-Password ($keypath on $keydev for $device)}" \
          --tries 3 --tty-echo-off
  
--- 51,57 ----
      fi
  
      ask_for_password \
!         --cmd "gpg $opts --decrypt $mntp/$keypath" \
          --prompt "${inputPrompt:-Password ($keypath on $keydev for $device)}" \
          --tries 3 --tty-echo-off

I'd be happy to create a pull request, but I am not sure what gpg --card-status is supposed to accomplish and what I need to do to preserve that functionality. Can anyone help me out with that?

@LaszloGombos LaszloGombos added the crypt-gpg Issues related to the crypt-gpg module label Nov 29, 2022
@LaszloGombos
Copy link
Collaborator

Likely a regression from #1544 ?
CC @LinkTed

@LinkTed
Copy link
Contributor

LinkTed commented Nov 30, 2022

@lapseofreason Hi, are you using a GPG smartcard?

It is interesting, I do not know why gpg --card-status could cause this. Even if the command fails, the return value is determined by the last command gpg $opts --decrypt $mntp/$keypath.

Could you could try this:

    ask_for_password \
        --cmd "[ \"${useSmartcard}\" = \"1\" ] && GNUPGHOME=$gpghome gpg --card-status --no-tty > /dev/null 2>&1; gpg $opts --decrypt $mntp/$keypath" \
        --prompt "${inputPrompt:-Password ($keypath on $keydev for $device)}" \
        --tries 3 --tty-echo-off

@lapseofreason
Copy link
Contributor Author

lapseofreason commented Dec 10, 2022
edited
Loading

@LinkTed Thank you very much for your reply!

No, I am not using a GPG smartcard. I use a gpg key file + passphrase that is entered by hand.

I tried the command that you proposed, regenerated the initrd and it worked.

Sorry, I made a mistake when saving the file, this is why I initially thought it worked.

In fact, I tried the command you proposed and it did not work: It asks for the passphrase 3 times and then it fails with claiming the passphrase is invalid. Exactly as it was with the current version provided by dracut.

@LinkTed
Copy link
Contributor

LinkTed commented Dec 23, 2022

@LaszloGombos I will try to make a bug fix for that. Could you also try if it works for you then? Because, I test with a gpg card.

@LinkTed
Copy link
Contributor

LinkTed commented Dec 23, 2022

@LaszloGombos I will try to make a bug fix for that. Could you also try if it works for you then? Because, I test with a gpg card.

Here is the commit: f65cffa

@lapseofreason
Copy link
Contributor Author

@LinkTed Thank you very much for the patch!

I tested it with a key file without a gpg card and it works.

@LinkTed
Copy link
Contributor

LinkTed commented Dec 28, 2022

@lapseofreason Thanks for testing. I would do a PR then.

@LinkTed LinkTed mentioned this issue Dec 28, 2022
Merged
3 tasks
LaszloGombos pushed a commit that referenced this issue Jan 6, 2023
@LinkTed @LaszloGombos
fix(crypt-gpg): do not use always --card-status
e3e8108 
If no GPG smart card is used then the card-status breaks the decryption
of the keyfile. Therefore, use the card-status only if a smart card is
used to decrypt the keyfie.

Fixes issue #2004
aafeijoo-suse pushed a commit to aafeijoo-suse/dracut that referenced this issue Jun 15, 2023
@LinkTed @aafeijoo-suse
fix(crypt-gpg): do not use always --card-status
7ebc383 
If no GPG smart card is used then the card-status breaks the decryption
of the keyfile. Therefore, use the card-status only if a smart card is
used to decrypt the keyfie.

Fixes issue dracutdevs#2004

(cherry picked from commit e3e8108)
pvalena pushed a commit to pvalena/dracut that referenced this issue Jul 23, 2023
@LinkTed @pvalena
fix(crypt-gpg): do not use always --card-status
c9a7715 
If no GPG smart card is used then the card-status breaks the decryption
of the keyfile. Therefore, use the card-status only if a smart card is
used to decrypt the keyfie.

Fixes issue dracutdevs#2004
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Our bugs crypt-gpg Issues related to the crypt-gpg module
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(crypt-gpg): Do not use always --card-status
3 participants
@LaszloGombos @lapseofreason @LinkTed