Ubuntu 20.10 unlock multiple drives at boot time

[dpantel]

My setup is to have 2 encrypted partitions (on different drives) in a btrfs RAID1 setup for /.

My issue is that clevis only unlocks one of the two partitions during boot. The second one halts with a passphrase prompt.

Any thoughts on why clevis is not used for the second drive?

[dpantel]

Same issue with Ubuntu 20.04.1

[dpantel]

Found the problem...

In the clevisloop() function of the initramfs local-top script, you never rediscover the PID of the askpass process. I assume that the process changes with each encrypted device, but clevisloop() is forever stuck trying to use the PID of the old askpass.

A quick fix involves resetting the askpass PID with each loop.

Just add

pid=""

before

clevis/src/initramfs-tools/scripts/local-top/clevis.in

Line 133 in 1c320cb

until [ "$pid" ] && [ -p "$PASSFIFO" ]; do

Also, of note, I don't know bash very well, but I think the script never knows when it succeeds. The if statement is

if luks2_decrypt "${CRYPTTAB_SOURCE}" "${PASSFIFO}"; then
                echo "Unlocked ${CRYPTTAB_SOURCE} with clevis"

but the function returns 0 on success. Same with the luks1_decrypt() function.
(After looking it up, a return of 0 signifies success in this case)

This will probably also solve #272, and any other multi-device setups.

[sergio-correia]

Could you explain better your setup, so that I can try to reproduce here?

[dpantel]

2 HDDs partitioned identically to have an unencrypted /boot partition and a LUKS2- encrypted / partition.

The 2 root partitions are in a btrfs RAID1 setup.

/etc/crypttab has the UUIDs of the 2 encrypted partitions.

/etc/fstab has the UUID of the unified RAID1 “device” created by btrfs for the root mount.

Let me know if you need other info.

Edit: BIOS system, if that makes a difference.

[Z3120]

Adding pid="" above 133 solves the issue of unlocking multiple encrypted drives at boot with Debian 10 using clevis_15-5, clevis-luks_15-5 & clevis-initramfs_15-5

clevis/src/initramfs-tools/scripts/local-top/clevis.in

Line 133 in 1c320cb

until [ "$pid" ] && [ -p "$PASSFIFO" ]; do

[dpantel]

I think a valid fix would be to reset $pid on success of luks[x]_unlock functions. But as I said above, I don’t know enough bash to know if there is a reason why they don’t seem to ever succeed, even if a volume is unlocked.

[apalacheno]

I can confirm that the suggestion above fixes this issue in Ubuntu 20.04.2 LTS with clevis-initramfs version 12-1ubuntu2.2.

[sergio-correia]

@dpantel: would you submit a pull request with the fix, please?

[apalacheno]

Btw, in the past few days I have tested this fix on a variety of machines with both BIOS and UEFI (if that matters) in Ubuntu 20.04.2 LTS, and so far there were no regressions.

[dpantel]

Well. The edit I posted is more of a hack than a fix. I’ll try to look into a proper fix this weekend.

[dpantel]

After looking at it for a while, my original hack seems to be the most straightforward fix after fall. Pull #293

[sarroutbi]

@dpantel , @sergio-correia : as this was merged ... can this issue be closed?

[arggh]

@dpantel , @sergio-correia : as this was merged ... can this issue be closed?

Using clevis 12-1ubuntu2.3 on Ubuntu 20.04, which I presume should contain the fix implemented in #293 according to changelog, but I still can't unlock multiple LUKS devices during boot - instead, a password prompt is presented for the second (non-root) device.

If I apply the changes described in Bug 1784084 - Automatic unlocking using Clevis + TPM2 doesn't happen for non-root volumes to clevis-luks-askpass.path and clevis-luks-askpass.service services, all drives unlock during boot normally.

For whatever reason the clevis-luks-askpass.path and clevi-luks-askpass.service service files that gets installed on my system contain the old version, that should have gotten changed in this PR #211 years ago.

systemd service files installed on Ubuntu 20.04

/lib/systemd/system/clevis-luks-askpass.path

[Unit]
Description=Clevis systemd-ask-password Watcher
Before=remote-fs-pre.target
Wants=remote-fs-pre.target

[Path]
PathChanged=/run/systemd/ask-password

[Install]
WantedBy=remote-fs.target

/lib/systemd/system/clevis-luks-askpass.service

[Unit]
Description=Clevis LUKS systemd-ask-password Responder
Requires=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/lib/x86_64-linux-gnu/clevis-luks-askpass -l

I wonder what aspect of this multi-faceted "can't unlock multiple devices during boot" issue is #326 trying to fix, @ngtech?

[ngtech]

I unfortunatelly no longer have access to the server that needed the changes in #326 done to boot, If I remember correctly though the changes were to ulock both volumes early during initramfs initial stages without using the services you mention - in any case we weren't using TPM2 only a local LAN Tang server.