Change logs for cryptsetup source package in Cosmic

  • cryptsetup (2:2.0.4-2ubuntu2) cosmic; urgency=medium
    
      * Implement support for --sector-size cryptsetup plain mode option in
        crypttab. Matching support is also proposed to systemd-cryptsetup as
        well. LP: #1776626
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 31 Aug 2018 17:00:07 +0100
  • cryptsetup (2:2.0.4-2ubuntu1) cosmic; urgency=low
    
      * Merge from Debian unstable.  LP: #1785610.
      * Remaining changes:
        - debian/control:
          + Recommend plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
        - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
          compatibility. LP: #1651818
    
    cryptsetup (2:2.0.4-2) unstable; urgency=medium
    
      * debian/cryptsetup-initramfs.preinst: Don't try to overwrite
        /etc/cryptsetup-initramfs/conf-hook if that file doesn't exist.  (The fix
        for #905188 broke 2:2.0.4-1's instability on sid.)  Closes: #905514.
      * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
    
    cryptsetup (2:2.0.4-1) unstable; urgency=medium
    
      * New upstream release.  Add 'libblkid-dev' to Build-Depends since
        libcryptsetup and utilities are now linked to libblkid.
      * debian/cryptsetup-initramfs.preinst: Improve conffile ownership transfer
        from 'cryptsetup' to 'cryptsetup-initramfs' to comply with Policy §10.7.3.
        (Closes: #905188.)
    
    cryptsetup (2:2.0.3-7) unstable; urgency=medium
    
      * debian/scripts/gen-ssl-key: avoid storing temporary key file on disk.
      * debian/initramfs/*, debian/scripts/*: improve quoting.
      * debian/initramfs/cryptroot-unlock: Normalize paths before comparison.
        This fixes usage on initramfs images with a usrmerge layout, such as
        images made by mkinitramfs(8) from initramfs-tools-core 0.132. (Closes:
        #904926.)
      * debian/functions: crypttab_find_entry(), crypttab_foreach_entry(): return
        gracefully if $TABFILE doesn't exist.
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 22 Aug 2018 22:51:47 +0100
  • cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low
    
      * Merge from Debian unstable.  LP: #1781912.
      * Remaining changes:
        - debian/control:
          + Recommend plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
        - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
          compatibility. LP: #1651818
      * Dropped changes, included in Debian:
        - Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop the CRYPTSETUP variable warning from the initramfs hook, as
          overlayroot package ships a dropin in conf-hooks.d triggering false
          warnings.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
      * Dropped changes, no longer needed:
        - Add maintscript to drop removed upstart system jobs.
    
    cryptsetup (2:2.0.3-6) unstable; urgency=medium
    
      * debian/TODO.md: Remove mention of parent device detection for mdadm
        (#629236) as it's fixed since 2:2.0.3-2.
      * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
        fixes.
      * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
        add configure flag '--disable-internal-tests'.  The internal test suite is
        run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
        variable contains the string "nocheck".
      * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
        When the 2nd column of a crypttab entry denotes a block special device,
        resolve the device but don't convert it to /dev/block/$major:$minor.
        (Closes: #903246.)
      * debian/initramfs/hooks/cryptroot:
        + Treat null device numbers as invalid in resolve_device(), cf.
          /Documentation/admin-guide/devices.txt in the kernel source tree.
        + generate_initrd_crypttab(): add '\n' to the local IFS since
          get_resume_devno() prints one major:minor pair per line.
      * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
        + Save process ID of the pcscd daemon at local-top stage, and kill it at
          local-bottom stage.  Thanks to Pascal Vibet for the patch.
          (Closes: #903574.)
        + Fix path to the pcscd executable (the fix for #880750 was incomplete).
      * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
        since 2:2.0.3-2.
      * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
        $CRYPTTAB_NAME not $crypttarget).
    
    cryptsetup (2:2.0.3-5) unstable; urgency=medium
    
      [ Jonas Meurer ]
      * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
        + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        + Drop c99 std, as the default is now higher than that
      * debian/control:
        + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
          libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.
    
      [ Guilhem Moulin ]
      * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
        disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
        crypttab(5).
      * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
        read-only mapping.  Cf. `cryptsetup --readonly`.
      * debian/initramfs/hooks/cryptroot:
        + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
          key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
          in the crypttab options.  Regression since 2:2.0.3-2. (Closes: #902733.)
        + Avoid processing entries multiple times in get_crypttab_entry(), which
          could happen with 'keyscript=decrypt_derived' for instance.
        + Don't complain that the sysfs dir can't be found when the hook failed to
          normalize the device (another warning is shown already).
        + If source device is mapped (for instance if it's a logical volume), put
          its dm name into the initrd crypttab.  LVM2's local-block script doesn't
          work with UUIDs, and giving it a VG+LV is better anyway as we avoid
          activating all volumes at initramfs stage. (Closes: #902943.)
      * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN is null or
        unset then no key file is copied.
      * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
        + Use major:minor device IDs internally, as this facilitates discovery of
          sysfs directories, and we don't have to take care of the udev mangling.
        + Decode octal sequences when reading /etc/crypttab or /etc/fstab.  This
          means that key files and option values can contain blanks and special
          characters encoded as octal sequences.
        + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
          code.
      * debian/functions: If the key file is a symlink, warn about insecure
        permissions of the target, not the link itself.
      * debian/scripts/decrypt_derived: For devices with keys in the kernel
        keyring (e.g., LUKS2 by default), refuse to derive anything.
      * debian/patches/disable-internal-tests.patch: Add configure option
        '--disable-internal-tests' to disable the internal test suite.
      * debian/rules: Don't run upstream's internal test suite if
        $DEB_BUILD_OPTIONS contains the string "skip-internal-tests".  (Tests are
        still run by default.)
      * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
        regular files as source device.  Regression since 2:2.0.3-2.
        (Closes: #902879.)
      * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
    
    cryptsetup (2:2.0.3-4) unstable; urgency=low
    
      * debian/initramfs/hooks/cryptroot:
        + Fix typo in warning message. (Closes: #901971.)
        + sysfs_devdir(): don't croak when the normalized device pathname isn't of
          the form /dev/$blk.  This is the case in the Debian installer, where the
          devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
          instead of a symlink to /dev/dm-$index.
        + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
          sysfs directory corresponding to the device) rather than /sys/block/$blk.
          While the latter is present for mapped devices, it's not present for
          block devices corresponding to disk partitions.  See sysfs(5) for
          details. (Closes: #902183.)
        + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
          get the UUID of a dm-crypt device's slave (it's normal with plain
          dm-crypt devices).
        + get_crypttab_entry(): don't warn that key file doesn't exist if it's
          e.g., an existing character special device.
      * debian/functions:unlock_mapping(): translate crypttab(5) option
        'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
        doesn't set the key size but the size of the device in number of 512 byte
        sectors).  Regression since 2:2.0.3-2. (Closes: #902245.)
      * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
        debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count.  Some
        keyscripts (such as decrypt_keyctl) don't work properly if on first try
        the CRYPTTAB_TRIED environment variable isn't set to 0.  Regression since
        2:2.0.3-2. (Closes: #902116.)
      * debian/scripts/decrypt_keyctl: replace the source device path with the
        mapped device name in messages, to match the new askpass behavior.
    
    cryptsetup (2:2.0.3-3) unstable; urgency=low
    
      [ Jonas Meurer ]
      * debian/*: run wrap-and-sort(1)
      * debian/control:
        + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
          cryptsetup-run. Needed since we moved luksformat between the
          packages. (Closes: #901773)
        + Remove all traces of package 'cryptsetup-luks' from dependency
          headers. This package has never been part of an official Debian
          release and the time it existed is more than 12 years ago.
        + Remove Conflicts/Breaks headers from the split of cryptsetup into
          cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
          version is from Debian Wheezy, which means that there's three
          releases in between. We don't support dist-upgrades with skipped
          releases anyway.
        + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
        + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
          libgpg-error0. Both versions are satisfied since more than three
          releases.
        + Remove versioned build-depends on docbook-xsl, dpkg-dev,
          libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
          satisfied since more than three releases.
      * debian/*: Change maintainer contact address to @alioth-lists.debian.net.
    
      [ Guilhem Moulin ]
      * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
        fields.  (2:2.0.2-2 was never released, the version we released after the
        package split was 2:2.0.3-1.)
      * debian/initramfs/cryptroot-script: exit immediately when
        /lib/cryptsetup/functions is not present. (Closes: #901830.)
      * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
        manually excluding mapped devices using another subsystem.
      * d/initramfs/hooks/cryptroot:
        + Fix parser for cipher specifications in mapping table of crypt targets.
          In particular, the cipher mode wasn't parsed properly, potentially
          causing missing modules in initrd.img compiled with MODULES=dep.
          Regression introduced in 2:2.0.3-2.  (Closes: #901884.)
        + Print a warning when the mapping table specifies the cipher in kernel
          crypto API format ("capi:" prefix).  We don't support these yet.
    
    cryptsetup (2:2.0.3-2) unstable; urgency=medium
    
      The "nights are long in summer" cryptsetup sprint release :-)
    
      Guilhem and Jonas hacked together for three days (and nights), refactored
      almost all of the cryptsetup packages, squashed (at least) 19 bugs and
      started work on several new features. Yay!
    
      [ Guilhem Moulin ]
      * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
        (Closes: #901641.)
      * debian/initramfs/*-hook: complete refactoring. Common functions are now in
        /lib/cryptsetup/functions (source-able from shell scripts).
        (Closes: #784881.)
      * debian/initramfs/cryptroot-hook:
        + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
          devices such as LVM2 on top of LUKS (resp. multiple device filesystems
          such as btrfs).  This approach is more robust than parsing the output of
          `lvs` or `btrfs filesystem`.
        + Export relevant crypttab(5) snippet (for devices that need to be
          unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
        + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
          if 1/ the CRYPTSETUP configuration option is unset or null (the
          default), and 2/ the hook didn't detect any device to be unlocked at
          initramfs stage.  The benefit is two-fold: it guides users through the
          package split, and warns them that their system might not reboot if the
          hook script didn't work properly.
      * Remove the 'decrypt_openct' keyscript since openct was last seen in
        oldoldstable, cf. #760258 (ROM).
      * debian/initramfs/cryptroot-script: refactoring, using functions from
        /lib/cryptsetup/functions. (Closes: #720952, #826124.)
        + One can disable the cryptsetup initramfs scripts for a particular boot
          by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
        + No longer sleep for a full minute after exceeding the maximum number of
          unlocking tries.  (This was added in 2:1.7.3-2 as an attempt to mitigate
          CVE-2016-4484.)  Instead, the script sleeps for 1 second after each failed
          attempt in order to defeat online brute-force attacks. (Closes: #898495.)
      * debian/README.initramfs: Remove mention that the initramfs scripts and the
        cryptsetup binary are using a different hash algorithm for plain dm-crypt
        volumes.  This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
      * debian/cryptdisks.functions:
        + Refactoring, using functions from /lib/cryptsetup/functions.
          (Closes: #859953, #891219.)
        + Install to /lib/cryptsetup/cryptdisks-functions.
      * crypttab(5):
        + Remove support for the 'precheck' option.  The precheck for LUKS devices
          is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
          non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
          filesystem (other than swap).
        + Don't ignore the 'plain' option: disable auto-detection and treat the
          device as a plain dm-crypt device. (Closes: #886007.)
        + Add support for some option aliases to unify with systemd's crypttab(5)
          options.  Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
          an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
          and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
        + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
          (Closes: #849335.)
        + Source devices can now be specified using their PARTUUID or PARTLABEL,
          similar to fstab(5).
      * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
        to setup readonly mappings. (Closes: #782843.)
      * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
        once.  (Closes: #783194.)
    
      [ Jonas Meurer ]
      * debian/doc/crypttab.xml:
        + Add a section about the different crypttab formats of our package and
          the systemd cryptsetup wrapper.
        + Document, which options are ignored by the initramfs scripts and which
          are unsupported by the systemd implementation. (Closes: #714380)
        + Clarify documentation of option 'tries'. It also applies when using
          keyscripts, not only with interactive passphrases. (Closes: #826127)
        + Make it obvious that in case a keyscript is configured, the third option
          is passed as argument to the keyscript. Mention the optional requirement
          to quote the value. (Closes: #826122)
        + Some minor wording improvements.
      * debian/control, debian/combat: Bump debhelper compatibility level to 11.
      * debian/rules:
        + Completely refactor the rules file, adapt to debhelper 11 style.
          (Closes: #901713)
        + Run the upstream build-time testsuite thanks to dh_auto_test.
        + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
        + Install the bug-script into all packages.
        + No longer install the sysvinit initscripts into cryptsetup-udeb.
        + Remove many old build and compile flags, debhelper takes care of most of
          them nowadays.
    
    cryptsetup (2:2.0.3-1) unstable; urgency=medium
    
      [ Guilhem Moulin ]
      * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
        and cryptsetup-initramfs (initramfs integration).  The 'cryptsetup'
        package is now a transitional dummy package.  (Closes: #783297.)
      * debian/cryptsetup-run.preinst: remove logic for rm_conffile
        /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
        2:1.0.6-5.
      * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
        with crypttab(5) targets that already exist, and only complete
        cryptdisks_start targets with crypttab(5) targets that don't exist yet.
        (Closes: #827200.)
      * debian/initramfs/cryptroot-hook:
        + use copy_file() from hook-functions to copy key files to the initrd.
          This ensures that relevant messages are printed in verbose mode.
          (Closes: #898516.)
        + remove backward compatibility support for setting CRYPTSETUP and
          KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf.  Since 2:1.7.2-1
          they should be set in /etc/cryptsetup-initramfs/conf-hook.
        + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
          variable isn't "dep").  That module is required for unlocking LUKS2
          devices.
    
      [ Jonas Meurer ]
      * New upstream release 2.0.3
      * debian/control:
        - Bump standards-version to 4.1.4, no changes required
        - Change my mail address to '<email address hidden>'
        - Change Vcs links to the new repository on salsa.debian.org
      * debian/README.source: minor improvements
      * debian/doc/crypttab.xml: Fix typo in manpage
    
     -- Steve Langasek <email address hidden>  Mon, 16 Jul 2018 08:27:58 -0400
  • cryptsetup (2:2.0.2-1ubuntu3) cosmic; urgency=medium
    
      * No-change rebuild against libargon2-1
    
     -- Steve Langasek <email address hidden>  Tue, 10 Jul 2018 17:01:23 +0000
  • cryptsetup (2:2.0.2-1ubuntu2) cosmic; urgency=medium
    
      * Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
        compatibility. LP: #1651818
    
     -- Dimitri John Ledkov 🌈 <email address hidden>  Thu, 21 Jun 2018 16:38:31 +0100
  • cryptsetup (2:2.0.2-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.
        - bugfix upstream release, which solves problems with luks2 format
          disks not unlocking.  LP: #1755322.
      * Remaining changes:
        - debian/control:
          + Depend on plymouth.
          + Invert the "busybox | busybox-static" Recommends, as the latter
            is the one we ship in main as part of the ubuntu-standard task.
          + Drop explicit libgcrypt20 dependency from libcryptsetup4.
        - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
        - Drop c99 std, as the default is now higher than that
        - Drop upstart system jobs.
        - Add maintscript to drop removed upstart system jobs.
          - debian has its own now, but we have different version numbers.
            this delta can be dropped after 18.04 release.
        - Drop the CRYPTSETUP variable warning from the initramfs hook, as
          overlayroot package ships a dropin in conf-hooks.d triggering false
          warnings.
      * Dropped changes:
        - debian/cryptdisks{,-udev}.maintscript: drop, there is no package named
          'cryptdisks' or 'cryptdisks-udev'.
    
    cryptsetup (2:2.0.2-1) unstable; urgency=low
    
      * New upstream release 2.0.2
      * debian/initramfs/cryptroot-hook: copy libgcc_s.so.1 to the initrd, as
        libargon2 (used by LUKS2 devices) uses pthread_cancel.  (Closes: #890798.)
      * debian/initramfs/cryptroot-script: create locking directory at initramfs
        stage, before running the cryptsetup binary, which would create it
        automatically but also spew a warning.
      * debian/patches/Fix-loopaesOpen-for-keyfile-on-standard-input.patch:
        removed as it was cherry-picked from upstream and included in 2.0.2.
      * debian/libcryptsetup12.symbols: update with new crypt_token_is_assigned()
        API function.
    
    cryptsetup (2:2.0.1-1) unstable; urgency=low
    
      * New upstream release 2.0.1:
        - Use /run/cryptsetup as default for cryptsetup locking dir.
        - Add missing symbols for new functions to debian/libcryptsetup12.symbols.
      * debian/copyright: update copyright years.
      * debian/patches: backport upstream's 8728ba08 to fix opening of loop-AES
        devices using --key-file=-.  (Closes: #888162.)
      * debian/rules: replace `autoreconf -f -i` with `dh_autoreconf` and add
        `dh_autoreconf_clean` to the "clean:" target.  This bumps the minimum
        debhelper version to 9.20160403~ in Build-Depends. (Closes: #888742.)
    
     -- Steve Langasek <email address hidden>  Fri, 06 Apr 2018 10:23:53 -0700