FS#66498 - [cryptsetup] 2.3.2-1: Show warning about changed "allow-discards" behaviour on package upgrade
Attached to Project: Arch Linux

Opened by Pascal Ernster (hardfalcon) - Friday, 01 May 2020, 19:06 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 15:20 GMT
Details

Cryptsetup 2.3.2-1 refuses to open a LUKS2 device with hmac(sha512) for integrity and the "allow-discards" flag set in the LUKS2 header with the error message "Discard/TRIM is not supported.", which breaks the boot process if that flag is set (which older versions allowed users to do). Cryptsetup 2.3.1-3 opens the very same devices without any complaint whatsoever - not even a warning is shown.

This is obviously an especially grave issue for people using full disk encryption on remote systems with cryptsetup unlock over SSH on reboot. Also, at least when using the "sd-encrypt" mkinitcpio hook, users won't even see cryptsetup's error message, making debugging the issue needlessly cumbersome.

The new behaviour is loosely documented in upstream's changelog [1], but since this can break the boot process for people, there should be a warning message displayed when the cryptsetup package is upgraded to the new version.

[1] https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.2-ReleaseNotes

Closed by freswa (frederik)
Sunday, 13 September 2020, 15:20 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.com/cryptsetup/cryptsetup/-/issues/558
          
 
                      
https://gitlab.com/cryptsetup/cryptsetup/-/issues/558
https://gitlab.com/cryptsetup/cryptsetup/-/issues/558#note_335279806
"cryptsetup refresh $luksname --persistent" works only with opened/unlocked LUKS devices though, so it required a temporary downgrade to cryptsetup 2.3.1.
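
A pre-upgrade check for the combination described in this report, as an added example that is not part of the ticket or of cryptsetup: it reads `cryptsetup luksDump` text on stdin and reports whether a LUKS2 header carries both an integrity segment and the persistent "allow-discards" flag. The function names and the sample dump are constructed, and the parser assumes the `Flags:` / `Data segments:` text layout shown in the sample.

```shell
#!/bin/sh
# Added example, not from the ticket: detect LUKS2 headers that combine an
# integrity-protected data segment with the persistent "allow-discards" flag,
# the combination this report says cryptsetup 2.3.2 refuses to open.

# Reads `cryptsetup luksDump <device>` text on stdin.
# Exit status: 0 = combination present, 1 = not present.
luks2_discard_integrity_conflict() {
    awk '
        /^Version:/       { version = $2 }
        # Persistent flags are whitespace-separated on the "Flags:" line.
        /^Flags:/         { for (i = 2; i <= NF; i++)
                                if ($i == "allow-discards") discard = 1 }
        # Only look for "integrity:" inside the indented segment section,
        # which ends at the next unindented header line.
        /^Data segments:/ { in_seg = 1; next }
        /^[^ \t]/         { in_seg = 0 }
        in_seg && $1 == "integrity:" { integrity = 1 }
        END { exit !(version == 2 && discard && integrity) }
    '
}

# Constructed, abridged luksDump text (assumed layout).
# $1 = content of the Flags: line, $2 = optional integrity type.
sample_dump() {
    printf 'LUKS header information\nVersion:\t2\nFlags:\t%s\n\n' "$1"
    printf 'Data segments:\n  0: crypt\n\tcipher: aes-xts-plain64\n'
    [ -z "$2" ] || printf '\tintegrity: %s\n' "$2"
    printf '\nKeyslots:\n  0: luks2\n'
}

# Demo on constructed input. On a real system, pipe the output of
# `cryptsetup luksDump <device>` into the function instead.
if sample_dump "allow-discards" "hmac(sha512)" | luks2_discard_integrity_conflict; then
    echo "affected: integrity + persistent allow-discards"
fi
```

Running the check for every LUKS2 device while it is still unlocked under the old version matters here, because the comment above notes that `cryptsetup refresh $luksname --persistent` only works on opened devices.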