On Wed, 14 Aug 2019 at 14:54:08 +0200, Johannes 'josch' Schauer wrote:
> when I upgraded my Squeeze box to Jessie, remote unlocking via dropbear
> in my initramfs stopped working. This is a remote host in a datacenter,
> so I cannot directly investigate the issue.

Interesting, once you manage to boot I'd be interested to know the
reason. Also FWIW I also use remote unlocking via dropbear on production
systems, and my setups have survived all upgrade paths, incl. Squeeze →
Jessie. And AFAICT you're the first to report a breakage at dist-upgrade
stage, so I'm not entirely convinced this would have been caught by a
simple autopkgtest :-P

> If you like the script, then I could prepare a patch against
> src:dropbear which implements an autopkgtest that runs the script.

Can't hurt indeed, thanks! A few comments inlined below.

> pkgs="linux-image-amd64,openssh-server,systemd-sysv,libpam-systemd,policykit-1"
> pkgs="$pkgs,iproute2,util-linux,e2fsprogs,ifupdown,net-tools,netbase"
> pkgs="$pkgs,iputils-ping,isc-dhcp-client,lvm2,parted,cryptsetup"
> pkgs="$pkgs,dropbear-initramfs,busybox,fdisk,mmdebstrap,udev"

If you include ‘dropbear-initramfs’ I guess you want ‘cryptsetup-initramfs’
not ‘cryptsetup’. Also AFAICT ‘iputils-ping’, ‘parted’ and ‘busybox’ are
not needed (the latter will be pulled by ‘cryptsetup-initramfs’ and
‘dropbear-initramfs’).

> auto ens3

Is the interface name reliable? I was under the impression it wasn't
because it depends on how QEMU arranges its devices, unlike the use of
‘eth0’ after adding ‘net.ifnames=0’ to the kernel cmdline.

> qemu-img convert -O qcow2 debian-unstable.img debian-unstable.qcow2

The conversion from raw to qcow2 format is not needed, is it?

> qemu-system-x86_64 -enable-kvm -m 4G -net user,hostfwd=tcp::10022-:22 \

4GiB sounds really overkill here, surely 1GiB is enough? This is what I
use for testing the various device stacks before src:cryptsetup uploads.
I'd also bind to INADDR_LOOPBACK, change the NIC and drive model from the
default (resp. e1000 and ide) to virtio, and pass `-no-user-config
-nodefaults`. Maybe also set the CPU model to host. Might also help to
create a virtio-rng device, given that key material is generated on the
guest.
> printf myinsecurepassphrase | cryptsetup luksFormat /dev/sdb3 -

To speed up things I suggest to skip the PBKDF benchmark by passing
`--pbkdf-force-iterations 4 --pbkdf-memory 32` (for Argon2), or
`--pbkdf-force-iterations 1000` (for PBKDF2). cryptsetup <2.0 (up to
Stretch) are only able to format and open LUKSv1 volumes, which only
supports PBKDF2 as PBKDF algorithm; since cryptsetup 2.0 a new LUKS
version format is available (and is the default as for Buster) with
support for both Argon2i/d (default) and PBKDF2.

> cat > "/mnt/etc/initramfs-tools/conf.d/dropbear" << END
> IP=":::::ens3:dhcp"
> END

AFAICT it's redundant since you have the same thing as boot parameter.

> chroot "/mnt" apt-get -y install lvm2 grub2 linux-image-amd64 openssl
> cryptsetup dropbear-initramfs busybox udev mount systemd-sysv util-linux
> e2fsprogs initramfs-tools cryptsetup-initramfs cryptsetup-run console-setup
> openssh-server ifupdown net-tools netbase iproute2 libpam-systemd policykit-1
> iputils-ping isc-dhcp-client

Some of these are redundant, and might not be marked as manually
installed on a normal installation. ‘cryptsetup-run’, ‘busybox’,
‘initramfs-tools’ at least.

Thanks!
--
Guilhem.
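The review comments on the QEMU invocation and the luksFormat step, turned into concrete shell helpers as an added example (not code from the thread, nor the autopkgtest script under discussion); the image name and forwarded port come from the quoted script, the device and option names are my assumptions about a current QEMU and cryptsetup 2.x:

```shell
#!/bin/sh
# Added example, not code from the thread: the QEMU invocation and the
# luksFormat options of the test script with the review comments applied.
# Assumes the raw image debian-unstable.img, a KVM host, cryptsetup >= 2.0
# and a guest console on ttyS0.
set -eu

# Fast PBKDF settings so luksFormat skips its benchmark. Argon2 (LUKS2
# default) needs at least 4 iterations; PBKDF2 (LUKS1) takes a plain count.
# e.g.: printf pass | cryptsetup luksFormat $(fast_pbkdf_args argon2id) /dev/sdb3 -
fast_pbkdf_args() {
    case "$1" in
        pbkdf2)           echo "--pbkdf pbkdf2 --pbkdf-force-iterations 1000" ;;
        argon2i|argon2id) echo "--pbkdf $1 --pbkdf-force-iterations 4 --pbkdf-memory 32" ;;
        *) echo "unknown PBKDF: $1" >&2; return 1 ;;
    esac
}

# QEMU command line: 1 GiB RAM instead of 4, no default or user-config
# devices, host CPU model, virtio disk and NIC, the SSH forward bound to
# the loopback address only, and a virtio-rng device fed from the host so
# the guest has entropy when dropbear generates its host keys.
qemu_cmdline() {
    img="$1"; port="$2"
    printf '%s' "qemu-system-x86_64 -enable-kvm -no-user-config -nodefaults \
-cpu host -m 1G -display none -serial mon:stdio \
-drive file=$img,format=raw,if=virtio \
-netdev user,id=net0,hostfwd=tcp:127.0.0.1:$port-:22 \
-device virtio-net-pci,netdev=net0 \
-object rng-random,id=rng0,filename=/dev/urandom \
-device virtio-rng-pci,rng=rng0"
}
```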