FS#76440 - [cryptsetup] unable to unlock LUKS encrypted devices using Whirlpool during boot
Attached to Project:
Arch Linux
Opened by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 02:12 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 07 November 2022, 21:29 GMT
Details
Description: After upgrading to openssl3, unable to boot,
due to systemd-cryptsetup failure
Hello, if it fits here, my LUKS-encrypted arch failed to boot after latest upgrade. Stuck at early boot, the root partition, managed with sd-encrypt hook, is not yet available. No logs. No emergency shell. Recovered using liveiso chrooting into the broken system, and rolling back packages.
A likely suspect is the upgrade of openssl from 1 to 3, whereas systemd-cryptsetup still refers to libcrypto.so.1.1 after upgrade.
Additional info:
* package version(s)
systemd-251.7-4-x86_64.pkg.tar.zst
Steps to reproduce:
No, you don't want to reproduce. Stuck at early boot, the root partition is not yet available. No logs. No emergency shell.
Downloaded the latest available version of systemd.
% tar xf systemd-251.7-4-x86_64.pkg.tar.zst usr/lib/systemd/systemd-cryptsetup
% ldd usr/lib/systemd/systemd-cryptsetup
linux-vdso.so.1 (0x00007ffdc89e4000)
libsystemd-shared-251.7-4.so => not found
libcryptsetup.so.12 => /usr/lib/libcryptsetup.so.12 (0x00007f91fcb47000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f91fcb27000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f91fc940000)
libuuid.so.1 => /usr/lib/libuuid.so.1 (0x00007f91fc937000)
libdevmapper.so.1.02 => /usr/lib/libdevmapper.so.1.02 (0x00007f91fc8da000)
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f91fc400000) <------- libcrypto.so.1.1 might be gone if upgraded to openssl3, right?
libargon2.so.1 => /usr/lib/libargon2.so.1 (0x00007f91fc8d0000)
libjson-c.so.5 => /usr/lib/libjson-c.so.5 (0x00007f91fc8bd000)
libblkid.so.1 => /usr/lib/libblkid.so.1 (0x00007f91fc884000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f91fcc02000)
libudev.so.1 => /usr/lib/libudev.so.1 (0x00007f91fc857000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f91fc76d000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f91fc768000)
Closed by Evangelos Foutras (foutrelis)
Monday, 07 November 2022, 21:29 GMT
Reason for closing: Fixed
Additional comments about closing: cryptsetup 2.5.0-4
% lddtree usr/lib/systemd/systemd-cryptsetup
usr/lib/systemd/systemd-cryptsetup (interpreter => /lib64/ld-linux-x86-64.so.2)
libsystemd-shared-251.7-4.so => None
libcryptsetup.so.12 => /usr/lib/libcryptsetup.so.12
libuuid.so.1 => /usr/lib/libuuid.so.1
libdevmapper.so.1.02 => /usr/lib/libdevmapper.so.1.02
libudev.so.1 => /usr/lib/libudev.so.1
libm.so.6 => /usr/lib/libm.so.6
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 <---------------
libargon2.so.1 => /usr/lib/libargon2.so.1
libpthread.so.0 => /usr/lib/libpthread.so.0
libjson-c.so.5 => /usr/lib/libjson-c.so.5
libblkid.so.1 => /usr/lib/libblkid.so.1
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
libc.so.6 => /usr/lib/libc.so.6
The pacman log corresponding to that troubling upgrade looks normal, though.
[2022-11-03T08:12:51-0400] [PACMAN] Running 'pacman -Sc --noconfirm'
[2022-11-05T01:55:10-0400] [PACMAN] Running 'pacman -Syyu'
[2022-11-05T01:55:10-0400] [PACMAN] synchronizing package lists
[2022-11-05T01:55:11-0400] [PACMAN] starting full system upgrade
[2022-11-05T03:03:39-0400] [PACMAN] Running 'pacman -Sc --noconfirm'
[2022-11-05T03:04:00-0400] [PACMAN] Running 'pacman -Syyu'
[2022-11-05T03:04:00-0400] [PACMAN] synchronizing package lists
[2022-11-05T03:04:01-0400] [PACMAN] starting full system upgrade
[2022-11-05T03:04:35-0400] [ALPM] running '60-mkinitcpio-remove.hook'...
[2022-11-05T03:04:35-0400] [ALPM] running '71-dkms-remove.hook'...
[2022-11-05T03:04:35-0400] [ALPM] transaction started
[2022-11-05T03:04:35-0400] [ALPM] upgraded alsa-card-profiles (1:0.3.59-3 -> 1:0.3.59-5)
[2022-11-05T03:04:35-0400] [ALPM] upgraded libxcrypt (4.4.28-2 -> 4.4.30-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded openssl (1.1.1.q-1 -> 3.0.7-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libsasl (2.1.28-1 -> 2.1.28-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libldap (2.6.3-1 -> 2.6.3-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libevent (2.1.12-2 -> 2.1.12-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded krb5 (1.20-1 -> 1.20-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded systemd-libs (251.7-1 -> 251.7-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded coreutils (9.1-1 -> 9.1-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libdrm (2.4.113-3 -> 2.4.114-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libssh2 (1.10.0-1 -> 1.10.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded curl (7.86.0-1 -> 7.86.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded kmod (30-1 -> 30-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cryptsetup (2.5.0-1 -> 2.5.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded systemd (251.7-1 -> 251.7-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded qt5-base (5.15.7+kde+r167-1 -> 5.15.7+kde+r168-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded android-file-transfer (4.2-2 -> 4.2-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded apr-util (1.6.1-9 -> 1.6.1-10)
[2022-11-05T03:04:36-0400] [ALPM] upgraded apache (2.4.54-2 -> 2.4.54-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libarchive (3.6.1-2 -> 3.6.1-5)
[2022-11-05T03:04:36-0400] [ALPM] upgraded linux (6.0.6.arch1-1 -> 6.0.7.arch1-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bbswitch (0.8-550 -> 0.8-551)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bootconfig (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bpf (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cgroup_event_listener (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cpupower (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded fakeroot (1.29-1 -> 1.30.1-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libasyncns (1:0.8+r3+g68cd5af-1 -> 1:0.8+r3+g68cd5af-2)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libpulse (16.1-1 -> 16.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded srt (1.5.1-1 -> 1.5.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libssh (0.10.4-1 -> 0.10.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded sdl2 (2.24.1-1 -> 2.24.2-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded lcms2 (2.13.1-1 -> 2.14-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded firefox (106.0.3-1 -> 106.0.4-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded gstreamer (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded gst-plugins-base-libs (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded python (3.10.8-2 -> 3.10.8-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded freerdp (2:2.8.1-2 -> 2:2.8.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded git (2.38.1-1 -> 2.38.1-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded go-ethereum (1.10.25-1 -> 1.10.26-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gsoap (2.8.123-1 -> 2.8.123-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-bad-libs (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded neon (0.32.4-1 -> 0.32.4-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded pipewire (1:0.3.59-3 -> 1:0.3.59-5)
[2022-11-05T03:04:38-0400] [ALPM] upgraded raptor (2.0.15-20 -> 2.0.15-21)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-bad (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-base (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libshout (1:2.4.6-1 -> 1:2.4.6-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-good (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-ugly (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded hostapd (2.10-1 -> 2.10-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded hyperv (6.0-1 -> 6.0-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded john (1.9.0.jumbo1-7 -> 1.9.0.jumbo1-8)
[2022-11-05T03:04:38-0400] [ALPM] upgraded qca-qt5 (2.3.5-1 -> 2.3.5-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded tpm2-tss (3.2.0-1 -> 3.2.0-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libcanberra (1:0.30+r2+gc0620e4-1 -> 1:0.30+r2+gc0620e4-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded signon-kwallet-extension (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded kaccounts-integration (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded kamoso (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libktorrent (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded ktorrent (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded ldns (1.8.3-1 -> 1.8.3-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libtpms (0.9.5-1 -> 0.9.5-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded linux-headers (6.0.6.arch1-1 -> 6.0.7.arch1-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded perf (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded tmon (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded turbostat (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded usbip (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded x86_energy_perf_policy (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded linux-tools-meta (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded mariadb-libs (10.9.3-1 -> 10.9.3-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded net-snmp (5.9.1-4 -> 5.9.1-5)
[2022-11-05T03:04:39-0400] [ALPM] upgraded nmap (7.92-1 -> 7.92-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded nodejs (19.0.0-2 -> 19.0.1-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded openssh (9.1p1-1 -> 9.1p1-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded opusfile (0.12-2 -> 0.12-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded pacman (6.0.1-8 -> 6.0.2-5)
[2022-11-05T03:04:39-0400] [ALPM] upgraded poppler (22.10.0-1 -> 22.11.0-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded poppler-glib (22.10.0-1 -> 22.11.0-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-cryptography (38.0.2-1 -> 38.0.2-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-matplotlib (3.6.1-2 -> 3.6.2-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-websocket-client (1.4.1-1 -> 1.4.2-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded qpdf (11.1.1-1 -> 11.1.1-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded qt6-base (6.4.0-2 -> 6.4.0-3)
[2022-11-05T03:04:40-0400] [ALPM] upgraded rsync (3.2.7-1 -> 3.2.7-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded rust (1:1.64.0-1 -> 1:1.65.0-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded shairplay (20180824.096b61a-3 -> 20180824.096b61a-4)
[2022-11-05T03:04:40-0400] [ALPM] upgraded socat (1.7.4.3-1 -> 1.7.4.3-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded spice-gtk (0.41-4 -> 0.41-5)
[2022-11-05T03:04:40-0400] [ALPM] upgraded sqlcipher (4.5.2-1 -> 4.5.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded squid (5.7-1 -> 5.7-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded sudo (1.9.12-1 -> 1.9.12-5)
[2022-11-05T03:04:40-0400] [ALPM] upgraded systemd-sysvcompat (251.7-1 -> 251.7-4)
[2022-11-05T03:04:40-0400] [ALPM] upgraded transmission-cli (3.00-4 -> 3.00-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded v2ray-domain-list-community (20221102023148-1 -> 20221103024626-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded v2ray-geoip (202210270100-1 -> 202211030059-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox-host-modules-arch (7.0.2-5 -> 7.0.2-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox (7.0.2-1 -> 7.0.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox-sdk (7.0.2-1 -> 7.0.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded vlc (3.0.17.4-10 -> 3.0.17.4-11)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wimlib (1.13.6-1 -> 1.13.6-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wolfssl (5.5.2-1 -> 5.5.3-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wpa_supplicant (2:2.10-5 -> 2:2.10-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded xmlsec (1.2.36-1 -> 1.2.36-2)
[2022-11-05T03:04:41-0400] [ALPM] transaction completed
[2022-11-05T03:04:41-0400] [ALPM] running '20-systemd-sysusers.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-catalog.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-daemon-reload.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-hwdb.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-sysctl.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-tmpfiles.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-udev-reload.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-update.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-update-mime-database.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '60-depmod.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '70-dkms-install.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '90-mkinitcpio-install.hook'...
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] ==> Starting build: 6.0.7-arch1-1
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2022-11-05T03:04:43-0400] [ALPM-SCRIPTLET] -> Running build hook: [systemd]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [autodetect]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: xhci_pci
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [sd-encrypt]
[2022-11-05T03:04:46-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qat_4xxx
[2022-11-05T03:04:47-0400] [ALPM-SCRIPTLET] -> Running build hook: [lvm2]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: /boot/initramfs-linux.img
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Image generation successful
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Starting build: 6.0.7-arch1-1
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> Running build hook: [systemd]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qed
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: wd719x
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: bfa
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: aic94xx
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qla2xxx
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qla1280
[2022-11-05T03:04:53-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: xhci_pci
[2022-11-05T03:04:55-0400] [ALPM-SCRIPTLET] -> Running build hook: [sd-encrypt]
[2022-11-05T03:04:56-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qat_4xxx
[2022-11-05T03:04:57-0400] [ALPM-SCRIPTLET] -> Running build hook: [lvm2]
[2022-11-05T03:04:58-0400] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2022-11-05T03:04:59-0400] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2022-11-05T03:05:00-0400] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: /boot/initramfs-linux-fallback.img
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Image generation successful
[2022-11-05T03:05:01-0400] [ALPM] running 'dbus-reload.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'detect-old-perl-modules.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'gtk-update-icon-cache.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'texinfo-install.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'update-desktop-database.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'update-vlc-plugin-cache.hook'...
$ lsinitcpio /boot/initramfs-linux.img | grep libcrypto.so
BOTH libraries disappear from the system. This broke postfix and courier-imapd-ssl for me.
uk2 postfix/cleanup[31703]: fatal: load_library_symbols: dlopen failure loading /usr/lib/postfix/postfix-pgsql.so: libcrypto.so.1.1: cannot open shared object file: No such file or directory
uk2 postfix/cleanup[31461]: fatal: load_library_symbols: dlopen failure loading /usr/lib/postfix/postfix-pgsql.so: libssl.so.1.1: cannot open shared object file: No such file or directory
As a very temporary workaround until this is fixed in the packages I located old versions of these libraries in the Tor bundle and manually installed them ... and now need to remember to remove them later.
# temp fix for missing libssl.so.1.1 and libcrypto.so.1.1 .... copy static version from Tor bundle ... while waiting for Arch fix
cp /home/user/.tor-browser/app/Browser/TorBrowser/Tor/libssl.so.1.1 /usr/lib/
cp /home/user/.tor-browser/app/Browser/TorBrowser/Tor/libcrypto.so.1.1 /usr/lib/
chmod 755 /usr/lib/libssl.so.1.1
chmod 755 /usr/lib/libcrypto.so.1.1
All packages are updated to the latest version available. The problem persists.
@Toolybird, initramfs that cannot boot reports libcrypto.so.3, while the recovered old initramfs reports libcrypto.so.1.1.
Just tried to get more info with kernel cmdline `break=mount`, but it didn't give me a shell.
Is there a way to get into the initramfs shell, so as to manually test decryption process?
After the system update I was unable to decrypt my root partition, while using the ISO from both 1.11.2022 and from spring 2022 I was able to successfully mount it.
Only after downgrading the OS to 1.11.2022 it booted (only tried this date).
After submitting the password on boot I got the following message (only that was printed to stdout, no more errors):
Keyslot open failed
Also after removing root partition from kernel arguments in grub I was able to start emergency shell
cryptsetup luksDump /dev/sda2 worked fine, but cryptsetup luksOpen ... failed with the same error
$ lsinitcpio /boot/initramfs-linux.img | grep libcrypto.so
usr/lib/libcrypto.so.3
/bin/cryptsetup links to libcrypto.so.1.1
Please fix it ASAP.
pavard, no, it doesn't. You have something wrong with your system if it does.
The original report here is bogus, that's well established. So far, the only seemingly valid error we've seen is "Keyslot open failed"
It seems quite difficult to debug the early stages of a "systemd" based initramfs. If anyone has any tips, please pipe up.
I managed to get the boot logs, by specifying an unencrypted root partition, instead of my real encrypted root partition, just to get the logs. Here's what I got:
Nov 07 07:33:43 parabola systemd[1]: Starting Cryptography Setup for crypt...
Nov 07 07:33:43 parabola kernel: device-mapper: uevent: version 1.0.3
Nov 07 07:33:43 parabola kernel: device-mapper: ioctl: 4.46.0-ioctl (2022-02-22) initialised: dm-devel@redhat.com
Nov 07 07:33:43 parabola systemd-cryptsetup[167]: Requested LUKS hash whirlpool is not supported.
Nov 07 07:33:43 parabola systemd-cryptsetup[167]: Failed to load LUKS superblock on device /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: Invalid argument
Nov 07 07:33:43 parabola systemd[1]: systemd-cryptsetup@crypt.service: Main process exited, code=exited, status=1/FAILURE
Nov 07 07:33:43 parabola systemd[1]: systemd-cryptsetup@crypt.service: Failed with result 'exit-code'.
Nov 07 07:33:43 parabola systemd[1]: Failed to start Cryptography Setup for crypt.
Nov 07 07:33:43 parabola systemd[1]: Dependency failed for Local Encrypted Volumes.
Nov 07 07:33:43 parabola systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Nov 07 07:33:43 parabola audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@crypt comm="systemd" exe="/init" hostname=? addr=? terminal=? res=failed'
The issue is probably related to the whirlpool hash. My LUKS disk was formatted with me using the whirlpool hash. It seems like OpenSSL 1.1 has whirlpool, but OpenSSL 3 removed it, so this creates a backwards compatibility issue. I tried to change my LUKS hash, but by doing that now I also managed to break my encrypted drive too, so until I fix that, I'm unable to test if it works with some hash other than whirlpool.
https://github.com/openssl/openssl/pull/10779
Full news section here:
https://github.com/openssl/openssl/commit/83c51006759437b8643264c5fb748030fd6aaef5
I'm also using whirlpool, the same with pavard and mampir, for my encrypted root.
So vote for whirlpool being the crux that offends, but have to break my system again to really confirm this.
Sorry for filling the title poorly, should have used the fact described in `Description:` line as the title of this ticket,
rather than a false, and naive, diagnosis, blaming wrong parties.
Given that the upstream of openssl is planning removal of whirlpool[1], it's happily accepted that I should use another popular algo.
[1]: Removal of Whirlpool hash algorithm · Issue #5118 · openssl/openssl · GitHub https://github.com/openssl/openssl/issues/5118
I didn't try yet...
cryptsetup made it really convenient to change hash algos these days, requiring merely a `cryptsetup reencrypt --hash sha512 --keep-key`.
Am I supposed to click the `Request closure` button, or the status can just be changed by a mod?
It's not a bug.
While whirlpool is still supported in OpenSSL 3.0, it's in the legacy provider, which cryptsetup tries to load, but it's unfortunately missing from the initramfs.
Edit: We'll be looking into implementing the inclusion of the legacy provider in the initramfs by mkinitcpio.
How about having something like this in install script for `sd-encrypt` hook?
for DISK in $(lsblk -o NAME,FSTYPE --raw | grep 'crypto_LUKS$' | cut -f1 -d ' '); do
    if cryptsetup luksDump "/dev/${DISK}" | grep 'Hash:' | grep -iq 'whirlpool'; then
        warning "Looks like your disk /dev/${DISK} uses a legacy hashing algorithm. Please fix!"
        add_file '/usr/lib/ossl-modules/legacy.so'
    fi
done
Confirmation that it works (from people who haven't migrated to another hash function yet) would be great.
Just to double-check: despite 2.5.0-4 fixing things, it is still recommended to change to a different hashing algorithm; whirlpool is deprecated, correct?
"Such algorithms have commonly fallen out of use, have been deemed insecure by the cryptography community, or something similar."
"We can consider this the retirement home of cryptographic algorithms."
And from https://www.openssl.org/blog/blog/2022/10/18/rmd160-and-the-legacy-provider/ :
"Our main criteria for moving an algorithm to the legacy provider were that the algorithm was too weak and not recommended for use in security applications, or that the algorithm had commonly fallen out of favour in preference to newer and potentially better algorithms."
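A pre-reboot check for the failure diagnosed in this thread, added here as an example and not code from any commenter or from the Arch packages: it reads `cryptsetup luksDump` text and an `lsinitcpio` file listing and reports whether the header names a legacy-provider hash while the image ships `libcrypto.so.3` without `ossl-modules/legacy.so`. The function names, the verdict strings, the `LEGACY_HASHES` list (only whirlpool is confirmed by the thread) and the sample inputs are assumptions constructed for illustration.

```sh
# Offline pre-reboot check: does this initramfs have what the LUKS header needs?
# Real use: check_boot "$(cryptsetup luksDump /dev/sdXN)" "$(lsinitcpio /boot/initramfs-linux.img)"

# Hashes assumed to be available only through OpenSSL 3's legacy provider.
# The thread confirms whirlpool; extend the list if you rely on others.
LEGACY_HASHES="${LEGACY_HASHES:-whirlpool}"

# Print every hash named in a luksDump (stdin), lowercased and de-duplicated.
# Covers "Hash spec:" (LUKS1) and "Hash:" / "AF hash:" (LUKS2 keyslots, digests).
luks_hashes() {
    sed -n -E 's/^[[:space:]]*(Hash spec|AF hash|Hash):[[:space:]]*([A-Za-z0-9_-]+).*$/\2/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# Print the comma-joined subset of those hashes that appears in LEGACY_HASHES.
legacy_hashes_used() {
    luks_hashes | while read -r h; do
        for l in $LEGACY_HASHES; do
            if [ "$h" = "$l" ]; then printf '%s\n' "$h"; fi
        done
    done | paste -sd, -
}

# $1 = luksDump text, $2 = lsinitcpio file listing. Prints one verdict:
#   ok            no legacy hash in the header
#   migrate:<h>   legacy hash, but this image can still load it
#   fail:<h>      legacy hash, OpenSSL 3 in the image, legacy.so absent
check_boot() {
    legacy=$(printf '%s\n' "$1" | legacy_hashes_used)
    if [ -z "$legacy" ]; then
        echo ok
    elif printf '%s\n' "$2" | grep -q 'libcrypto\.so\.3$' &&
         ! printf '%s\n' "$2" | grep -q 'ossl-modules/legacy\.so$'; then
        echo "fail:$legacy"
    else
        echo "migrate:$legacy"
    fi
}

# --- constructed sample inputs (not taken from any reporter's machine) ---
DUMP_LUKS1_WHIRLPOOL='LUKS header information for /dev/sdXN
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      whirlpool'

DUMP_LUKS2_SHA512='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha512
        AF hash:    sha512
Digests:
  0: pbkdf2
        Hash:       sha512'

IMG_OPENSSL3='usr/lib/libcryptsetup.so.12
usr/lib/libcrypto.so.3'
IMG_OPENSSL3_LEGACY='usr/lib/libcrypto.so.3
usr/lib/ossl-modules/legacy.so'
IMG_OPENSSL11='usr/lib/libcrypto.so.1.1'

# Demo: prints fail:whirlpool, migrate:whirlpool, migrate:whirlpool, ok
for img in "$IMG_OPENSSL3" "$IMG_OPENSSL3_LEGACY" "$IMG_OPENSSL11"; do
    check_boot "$DUMP_LUKS1_WHIRLPOOL" "$img"
done
check_boot "$DUMP_LUKS2_SHA512" "$IMG_OPENSSL3"
```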