FS#76440 - [cryptsetup] unable to unlock LUKS encrypted devices using Whirlpool during boot

Attached to Project: Arch Linux
Opened by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 02:12 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 07 November 2022, 21:29 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Evangelos Foutras (foutrelis)
Christian Hesse (eworm)
Architecture x86_64
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description: After upgrading to openssl3, unable to boot, due to systemd-cryptsetup failure

Hello, if it fits here, my LUKS-encrypted arch failed to boot after latest upgrade.
Stuck at early boot, the root partition, managed with sd-encrypt hook, is not yet available.
No logs.
No emergency shell.
Recovered using liveiso chrooting into the broken system, and rolling back packages.

A likely suspect is the upgrade of openssl from 1 to 3, whereas systemd-cryptsetup still refers to libcrypto.so.1.1 after upgrade.


Additional info:
* package version(s)
systemd-251.7-4-x86_64.pkg.tar.zst


Steps to reproduce:

No, you don't want to reproduce.
Stuck at early boot, the root partition is not yet available.
No logs.
No emergency shell.

Downloaded the latest available version of systemd.

% tar xf systemd-251.7-4-x86_64.pkg.tar.zst usr/lib/systemd/systemd-cryptsetup

% ldd usr/lib/systemd/systemd-cryptsetup
linux-vdso.so.1 (0x00007ffdc89e4000)
libsystemd-shared-251.7-4.so => not found
libcryptsetup.so.12 => /usr/lib/libcryptsetup.so.12 (0x00007f91fcb47000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f91fcb27000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f91fc940000)
libuuid.so.1 => /usr/lib/libuuid.so.1 (0x00007f91fc937000)
libdevmapper.so.1.02 => /usr/lib/libdevmapper.so.1.02 (0x00007f91fc8da000)
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f91fc400000) <------- libcrypto.so.1.1 might be gone if upgraded to openssl3, right?
libargon2.so.1 => /usr/lib/libargon2.so.1 (0x00007f91fc8d0000)
libjson-c.so.5 => /usr/lib/libjson-c.so.5 (0x00007f91fc8bd000)
libblkid.so.1 => /usr/lib/libblkid.so.1 (0x00007f91fc884000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f91fcc02000)
libudev.so.1 => /usr/lib/libudev.so.1 (0x00007f91fc857000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f91fc76d000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f91fc768000)

Closed by  Evangelos Foutras (foutrelis)
Monday, 07 November 2022, 21:29 GMT
Reason for closing:  Fixed
Additional comments about closing:  cryptsetup 2.5.0-4
Comment by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 02:18 GMT
Attached the boot log.
Comment by Doug Newgard (Scimmia) - Sunday, 06 November 2022, 02:23 GMT
No, it doesn't. Use lddtree from the pax-utils package instead of ldd.
Comment by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 02:28 GMT
Hello, lddtree also shows that. Any hints?

% lddtree usr/lib/systemd/systemd-cryptsetup
usr/lib/systemd/systemd-cryptsetup (interpreter => /lib64/ld-linux-x86-64.so.2)
libsystemd-shared-251.7-4.so => None
libcryptsetup.so.12 => /usr/lib/libcryptsetup.so.12
libuuid.so.1 => /usr/lib/libuuid.so.1
libdevmapper.so.1.02 => /usr/lib/libdevmapper.so.1.02
libudev.so.1 => /usr/lib/libudev.so.1
libm.so.6 => /usr/lib/libm.so.6
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 <---------------
libargon2.so.1 => /usr/lib/libargon2.so.1
libpthread.so.0 => /usr/lib/libpthread.so.0
libjson-c.so.5 => /usr/lib/libjson-c.so.5
libblkid.so.1 => /usr/lib/libblkid.so.1
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
libc.so.6 => /usr/lib/libc.so.6
Comment by Doug Newgard (Scimmia) - Sunday, 06 November 2022, 02:30 GMT
Flyspray's formatting sucks, luckily the notification email came through normally. Look at the tree, you can clearly see that libcrypto.so.1.1 is under libcryptsetup.so.12, so your problem is an out of date cryptsetup package.
Comment by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 02:45 GMT
Got it. Let me try upgrading cryptsetup before upgrading the kernel.
The pacman log corresponding to that troubling upgrade looks normal, though.

[2022-11-03T08:12:51-0400] [PACMAN] Running 'pacman -Sc --noconfirm'
[2022-11-05T01:55:10-0400] [PACMAN] Running 'pacman -Syyu'
[2022-11-05T01:55:10-0400] [PACMAN] synchronizing package lists
[2022-11-05T01:55:11-0400] [PACMAN] starting full system upgrade
[2022-11-05T03:03:39-0400] [PACMAN] Running 'pacman -Sc --noconfirm'
[2022-11-05T03:04:00-0400] [PACMAN] Running 'pacman -Syyu'
[2022-11-05T03:04:00-0400] [PACMAN] synchronizing package lists
[2022-11-05T03:04:01-0400] [PACMAN] starting full system upgrade
[2022-11-05T03:04:35-0400] [ALPM] running '60-mkinitcpio-remove.hook'...
[2022-11-05T03:04:35-0400] [ALPM] running '71-dkms-remove.hook'...
[2022-11-05T03:04:35-0400] [ALPM] transaction started
[2022-11-05T03:04:35-0400] [ALPM] upgraded alsa-card-profiles (1:0.3.59-3 -> 1:0.3.59-5)
[2022-11-05T03:04:35-0400] [ALPM] upgraded libxcrypt (4.4.28-2 -> 4.4.30-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded openssl (1.1.1.q-1 -> 3.0.7-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libsasl (2.1.28-1 -> 2.1.28-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libldap (2.6.3-1 -> 2.6.3-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libevent (2.1.12-2 -> 2.1.12-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded krb5 (1.20-1 -> 1.20-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded systemd-libs (251.7-1 -> 251.7-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded coreutils (9.1-1 -> 9.1-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libdrm (2.4.113-3 -> 2.4.114-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libssh2 (1.10.0-1 -> 1.10.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded curl (7.86.0-1 -> 7.86.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded kmod (30-1 -> 30-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cryptsetup (2.5.0-1 -> 2.5.0-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded systemd (251.7-1 -> 251.7-4)
[2022-11-05T03:04:36-0400] [ALPM] upgraded qt5-base (5.15.7+kde+r167-1 -> 5.15.7+kde+r168-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded android-file-transfer (4.2-2 -> 4.2-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded apr-util (1.6.1-9 -> 1.6.1-10)
[2022-11-05T03:04:36-0400] [ALPM] upgraded apache (2.4.54-2 -> 2.4.54-3)
[2022-11-05T03:04:36-0400] [ALPM] upgraded libarchive (3.6.1-2 -> 3.6.1-5)
[2022-11-05T03:04:36-0400] [ALPM] upgraded linux (6.0.6.arch1-1 -> 6.0.7.arch1-1)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bbswitch (0.8-550 -> 0.8-551)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bootconfig (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded bpf (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cgroup_event_listener (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded cpupower (6.0-1 -> 6.0-2)
[2022-11-05T03:04:36-0400] [ALPM] upgraded fakeroot (1.29-1 -> 1.30.1-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libasyncns (1:0.8+r3+g68cd5af-1 -> 1:0.8+r3+g68cd5af-2)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libpulse (16.1-1 -> 16.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded srt (1.5.1-1 -> 1.5.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded libssh (0.10.4-1 -> 0.10.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded sdl2 (2.24.1-1 -> 2.24.2-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded lcms2 (2.13.1-1 -> 2.14-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded firefox (106.0.3-1 -> 106.0.4-1)
[2022-11-05T03:04:37-0400] [ALPM] upgraded gstreamer (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded gst-plugins-base-libs (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded python (3.10.8-2 -> 3.10.8-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded freerdp (2:2.8.1-2 -> 2:2.8.1-3)
[2022-11-05T03:04:37-0400] [ALPM] upgraded git (2.38.1-1 -> 2.38.1-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded go-ethereum (1.10.25-1 -> 1.10.26-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gsoap (2.8.123-1 -> 2.8.123-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-bad-libs (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded neon (0.32.4-1 -> 0.32.4-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded pipewire (1:0.3.59-3 -> 1:0.3.59-5)
[2022-11-05T03:04:38-0400] [ALPM] upgraded raptor (2.0.15-20 -> 2.0.15-21)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-bad (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-base (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libshout (1:2.4.6-1 -> 1:2.4.6-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-good (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded gst-plugins-ugly (1.20.4-1 -> 1.20.4-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded hostapd (2.10-1 -> 2.10-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded hyperv (6.0-1 -> 6.0-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded john (1.9.0.jumbo1-7 -> 1.9.0.jumbo1-8)
[2022-11-05T03:04:38-0400] [ALPM] upgraded qca-qt5 (2.3.5-1 -> 2.3.5-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded tpm2-tss (3.2.0-1 -> 3.2.0-3)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libcanberra (1:0.30+r2+gc0620e4-1 -> 1:0.30+r2+gc0620e4-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded signon-kwallet-extension (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded kaccounts-integration (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded kamoso (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libktorrent (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded ktorrent (22.08.2-1 -> 22.08.3-1)
[2022-11-05T03:04:38-0400] [ALPM] upgraded ldns (1.8.3-1 -> 1.8.3-2)
[2022-11-05T03:04:38-0400] [ALPM] upgraded libtpms (0.9.5-1 -> 0.9.5-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded linux-headers (6.0.6.arch1-1 -> 6.0.7.arch1-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded perf (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded tmon (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded turbostat (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded usbip (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded x86_energy_perf_policy (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded linux-tools-meta (6.0-1 -> 6.0-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded mariadb-libs (10.9.3-1 -> 10.9.3-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded net-snmp (5.9.1-4 -> 5.9.1-5)
[2022-11-05T03:04:39-0400] [ALPM] upgraded nmap (7.92-1 -> 7.92-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded nodejs (19.0.0-2 -> 19.0.1-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded openssh (9.1p1-1 -> 9.1p1-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded opusfile (0.12-2 -> 0.12-3)
[2022-11-05T03:04:39-0400] [ALPM] upgraded pacman (6.0.1-8 -> 6.0.2-5)
[2022-11-05T03:04:39-0400] [ALPM] upgraded poppler (22.10.0-1 -> 22.11.0-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded poppler-glib (22.10.0-1 -> 22.11.0-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-cryptography (38.0.2-1 -> 38.0.2-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-matplotlib (3.6.1-2 -> 3.6.2-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded python-websocket-client (1.4.1-1 -> 1.4.2-1)
[2022-11-05T03:04:39-0400] [ALPM] upgraded qpdf (11.1.1-1 -> 11.1.1-2)
[2022-11-05T03:04:39-0400] [ALPM] upgraded qt6-base (6.4.0-2 -> 6.4.0-3)
[2022-11-05T03:04:40-0400] [ALPM] upgraded rsync (3.2.7-1 -> 3.2.7-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded rust (1:1.64.0-1 -> 1:1.65.0-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded shairplay (20180824.096b61a-3 -> 20180824.096b61a-4)
[2022-11-05T03:04:40-0400] [ALPM] upgraded socat (1.7.4.3-1 -> 1.7.4.3-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded spice-gtk (0.41-4 -> 0.41-5)
[2022-11-05T03:04:40-0400] [ALPM] upgraded sqlcipher (4.5.2-1 -> 4.5.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded squid (5.7-1 -> 5.7-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded sudo (1.9.12-1 -> 1.9.12-5)
[2022-11-05T03:04:40-0400] [ALPM] upgraded systemd-sysvcompat (251.7-1 -> 251.7-4)
[2022-11-05T03:04:40-0400] [ALPM] upgraded transmission-cli (3.00-4 -> 3.00-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded v2ray-domain-list-community (20221102023148-1 -> 20221103024626-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded v2ray-geoip (202210270100-1 -> 202211030059-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox-host-modules-arch (7.0.2-5 -> 7.0.2-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox (7.0.2-1 -> 7.0.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded virtualbox-sdk (7.0.2-1 -> 7.0.2-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded vlc (3.0.17.4-10 -> 3.0.17.4-11)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wimlib (1.13.6-1 -> 1.13.6-2)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wolfssl (5.5.2-1 -> 5.5.3-1)
[2022-11-05T03:04:40-0400] [ALPM] upgraded wpa_supplicant (2:2.10-5 -> 2:2.10-6)
[2022-11-05T03:04:40-0400] [ALPM] upgraded xmlsec (1.2.36-1 -> 1.2.36-2)
[2022-11-05T03:04:41-0400] [ALPM] transaction completed
[2022-11-05T03:04:41-0400] [ALPM] running '20-systemd-sysusers.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-catalog.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-daemon-reload.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-hwdb.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-sysctl.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-tmpfiles.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-udev-reload.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-systemd-update.hook'...
[2022-11-05T03:04:41-0400] [ALPM] running '30-update-mime-database.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '60-depmod.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '70-dkms-install.hook'...
[2022-11-05T03:04:42-0400] [ALPM] running '90-mkinitcpio-install.hook'...
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] ==> Starting build: 6.0.7-arch1-1
[2022-11-05T03:04:42-0400] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2022-11-05T03:04:43-0400] [ALPM-SCRIPTLET] -> Running build hook: [systemd]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [autodetect]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: xhci_pci
[2022-11-05T03:04:45-0400] [ALPM-SCRIPTLET] -> Running build hook: [sd-encrypt]
[2022-11-05T03:04:46-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qat_4xxx
[2022-11-05T03:04:47-0400] [ALPM-SCRIPTLET] -> Running build hook: [lvm2]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2022-11-05T03:04:48-0400] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: /boot/initramfs-linux.img
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Image generation successful
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] ==> Starting build: 6.0.7-arch1-1
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2022-11-05T03:04:49-0400] [ALPM-SCRIPTLET] -> Running build hook: [systemd]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2022-11-05T03:04:51-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qed
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: wd719x
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: bfa
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: aic94xx
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qla2xxx
[2022-11-05T03:04:52-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qla1280
[2022-11-05T03:04:53-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: xhci_pci
[2022-11-05T03:04:55-0400] [ALPM-SCRIPTLET] -> Running build hook: [sd-encrypt]
[2022-11-05T03:04:56-0400] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: qat_4xxx
[2022-11-05T03:04:57-0400] [ALPM-SCRIPTLET] -> Running build hook: [lvm2]
[2022-11-05T03:04:58-0400] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2022-11-05T03:04:59-0400] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2022-11-05T03:05:00-0400] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: /boot/initramfs-linux-fallback.img
[2022-11-05T03:05:01-0400] [ALPM-SCRIPTLET] ==> Image generation successful
[2022-11-05T03:05:01-0400] [ALPM] running 'dbus-reload.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'detect-old-perl-modules.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'gtk-update-icon-cache.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'texinfo-install.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'update-desktop-database.hook'...
[2022-11-05T03:05:01-0400] [ALPM] running 'update-vlc-plugin-cache.hook'...
Comment by Doug Newgard (Scimmia) - Sunday, 06 November 2022, 05:02 GMT
That update includes cryptsetup 2.5.0-3, which doesn't have this problem. You've done some downgrading or something. You have to update again to check things out.
Comment by Toolybird (Toolybird) - Sunday, 06 November 2022, 05:29 GMT
As you are using sd-encrypt hook, is it possible your initrd wasn't regenerated properly? Coz that might explain it. You can check which lib is used:

$ lsinitcpio /boot/initramfs-linux.img | grep libcrypto.so
Comment by Ron OHara (ronohara) - Sunday, 06 November 2022, 05:50 GMT
Looks like the upgrade to openssl3 breaks anything that depends on libcrypto.so.1.1 or libssl.so.1.1

BOTH libraries disappear from the system. This broke postfix and courier-imapd-ssl for me.

uk2 postfix/cleanup[31703]: fatal: load_library_symbols: dlopen failure loading /usr/lib/postfix/postfix-pgsql.so: libcrypto.so.1.1: cannot open shared object file: No such file or directory
uk2 postfix/cleanup[31461]: fatal: load_library_symbols: dlopen failure loading /usr/lib/postfix/postfix-pgsql.so: libssl.so.1.1: cannot open shared object file: No such file or directory





As a very temporary workaround until this is fixed in the packages I located old versions of these libraries in the Tor bundle and manually installed them ... and now need to remember to remove them later.

# temp fix for missing libssl.so.1.1 and libcrypto.so.1.1 .... copy static version from Tor bundle ... while waiting for Arch fix
cp /home/user/.tor-browser/app/Browser/TorBrowser/Tor/libssl.so.1.1 /usr/lib/
cp /home/user/.tor-browser/app/Browser/TorBrowser/Tor/libcrypto.so.1.1 /usr/lib/
chmod 755 /usr/lib/libssl.so.1.1
chmod 755 /usr/lib/libcrypto.so.1.1

Comment by Toolybird (Toolybird) - Sunday, 06 November 2022, 06:10 GMT
@ronohara, please do *not* hijack this ticket...you've completely missed the late news, so please take your issue to the proper support channels (forum/IRC/etc).
Comment by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 08:46 GMT
@Scimmia, did an upgrade on my recovered system, and booting fails again, stuck at the same scene.
All packages are updated to the latest version available. The problem persists.

@Toolybird, initramfs that cannot boot reports libcrypto.so.3, while the recovered old initramfs reports libcrypto.so.1.1.

Just tried to get more info with kernel cmdline `break=mount`, but it didn't give me a shell.
Is there a way to get into the initramfs shell, so as to manually test decryption process?
Comment by GuZhengxiong (GuZhengxiong) - Sunday, 06 November 2022, 09:26 GMT
Tried `init=/bin/sh`, `-b`, `-s`, still no shell available when boot fails.
Comment by K B (krzysztof1222) - Sunday, 06 November 2022, 12:38 GMT
I have had an issue with the current version of cryptsetup too.
After a system update I was unable to decrypt my root partition, while using the ISO from both 1.11.2022 and from spring 2022 I was able to successfully mount it.

Only after downgrading OS to 1.11.2022 it booted ( only tried this date )

After submitting password on boot I got following message ( only that was printed to stdout, no more errors )
Keyslot open failed

Also after removing root partition from kernel arguments in grub I was able to start emergency shell

cryptsetup luksDump /dev/sda2 worked fine, but cryptsetup luksOpen ... failed with the same error
Comment by iio7 (iio7) - Sunday, 06 November 2022, 20:39 GMT
Facing the same problem with zfs-dkms requiring libcrypto.so.1.1, which is no longer available on the system since the upgrade of OpenSSL.
Comment by alexander (pavard) - Sunday, 06 November 2022, 21:18 GMT
@Toolybird encrypt hook doesn't work either (for me).

$ lsinitcpio /boot/initramfs-linux.img | grep libcrypto.so
usr/lib/libcrypto.so.3

/bin/cryptsetup links to libcrypto.so.1.1

please, fix it asap.
Comment by Doug Newgard (Scimmia) - Monday, 07 November 2022, 01:11 GMT
iio7, completely different issue, and completely on you for not rebuilding your foreign packages.

pavard, no, it doesn't. You have something wrong with your system if it does.

The original report here is bogus, that's well established. So far, the only seemingly valid error we've seen is "Keyslot open failed"
Comment by alexander (pavard) - Monday, 07 November 2022, 01:22 GMT
@Scimmia please help me understand the reason why the password-encrypted root partition cannot be opened. As described above, I updated with about the same list of packages, and since then when I start the computer it says "Keyslot open failed" when trying to decrypt the root partition. When booting from a live USB flash drive, everything is decrypted. All the same symptoms.
Comment by Doug Newgard (Scimmia) - Monday, 07 November 2022, 01:26 GMT
I don't know why it would say that, but if your /bin/cryptsetup is linked to libcrypto.so.1.1, something is seriously wrong with your system. First off, /bin/cryptsetup on Arch isn't linked directly to libcrypto.so.1.1 at all. It is linked to libcryptsetup.so.12, which is then linked to libcrypto.so.3
Comment by alexander (pavard) - Monday, 07 November 2022, 01:28 GMT
My mistake. It's linked right.
Comment by Toolybird (Toolybird) - Monday, 07 November 2022, 05:55 GMT
Well, despite lots of mis-information in this ticket, after some VM testing all I can say is that "sd-encrypt" definitely works when set up from scratch with up-to-date pkgs linked against openssl3. IOW, works for me.

It seems quite difficult to debug the early stages of a "systemd" based initramfs. If anyone has any tips, please pipe up.
Comment by alexander (pavard) - Monday, 07 November 2022, 07:23 GMT
@Toolybird could you please check using the whirlpool hash? It seems the problem is with it, and I use it.
Comment by Martin (mampir) - Monday, 07 November 2022, 10:16 GMT
I'm using a fork of Arch and have the same problem - unable to boot from a LUKS partition, with an error "Failed to start Cryptography Setup for crypt". I installed openssl-1.1 and rebuilt the initramfs images, and there were no errors, but the issue remained.

I managed to get the boot logs, by specifying an unencrypted root partition, instead of my real encrypted root partition, just to get the logs. Here's what I got:

Nov 07 07:33:43 parabola systemd[1]: Starting Cryptography Setup for crypt...
Nov 07 07:33:43 parabola kernel: device-mapper: uevent: version 1.0.3
Nov 07 07:33:43 parabola kernel: device-mapper: ioctl: 4.46.0-ioctl (2022-02-22) initialised: dm-devel@redhat.com
Nov 07 07:33:43 parabola systemd-cryptsetup[167]: Requested LUKS hash whirlpool is not supported.
Nov 07 07:33:43 parabola systemd-cryptsetup[167]: Failed to load LUKS superblock on device /dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx: Invalid argument
Nov 07 07:33:43 parabola systemd[1]: systemd-cryptsetup@crypt.service: Main process exited, code=exited, status=1/FAILURE
Nov 07 07:33:43 parabola systemd[1]: systemd-cryptsetup@crypt.service: Failed with result 'exit-code'.
Nov 07 07:33:43 parabola systemd[1]: Failed to start Cryptography Setup for crypt.
Nov 07 07:33:43 parabola systemd[1]: Dependency failed for Local Encrypted Volumes.
Nov 07 07:33:43 parabola systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Nov 07 07:33:43 parabola audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-cryptsetup@crypt comm="systemd" exe="/init" hostname=? addr=? terminal=? res=failed'

The issue is probably related to the whirlpool hash. My LUKS disk was formatted with me using the whirlpool hash. It seems like OpenSSL 1.1 has whirlpool, but OpenSSL 3 removed it, so this creates a backwards compatibility issue. I tried to change my LUKS hash, but by doing that now I also managed to break my encrypted drive too, so until I fix that, I'm unable to test if it works with some hash other than whirlpool.
Comment by Morten Linderud (Foxboron) - Monday, 07 November 2022, 10:26 GMT
whirlpool has been deprecated in openssl and needs to be explicitly enabled again.

https://github.com/openssl/openssl/pull/10779

Full news section here:

https://github.com/openssl/openssl/commit/83c51006759437b8643264c5fb748030fd6aaef5
Comment by GuZhengxiong (GuZhengxiong) - Monday, 07 November 2022, 12:05 GMT
@Toolybird,

I'm also using whirlpool, the same with pavard and mampir, for my encrypted root.
So vote for whirlpool being the crux that offends, but have to break my system again to really confirm this.

Sorry for filling the title poorly, should have used the fact described in `Description:` line as the title of this ticket,
rather than a false, and naive, diagnosis, blaming wrong parties.

Given that the upstream of openssl is planning removal of whirlpool[1], it's happily accepted that I should use another popular algo.

[1]: Removal of Whirlpool hash algorithm · Issue #5118 · openssl/openssl · GitHub https://github.com/openssl/openssl/issues/5118
Comment by alexander (pavard) - Monday, 07 November 2022, 12:58 GMT
Comment by GuZhengxiong (GuZhengxiong) - Monday, 07 November 2022, 14:51 GMT
Confirmed that it's whirlpool that is causing my boot failure, and after migrating to another common hash algo, my system boots fine with openssl3.
cryptsetup made it really convenient to change hash algos these days, requiring merely a `cryptsetup reencrypt --hash sha512 --keep-key`.

Am I supposed to click the `Request closure` button, or the status can just be changed by a mod?
It's not a bug.
Comment by Evangelos Foutras (foutrelis) - Monday, 07 November 2022, 15:25 GMT
Try adding /usr/lib/ossl-modules/legacy.so to FILES in /etc/mkinitcpio.conf and then run 'mkinitcpio -P' to regenerate the initramfs. Use lsinitcpio to confirm that legacy.so is included in the initramfs.

While whirlpool is still supported in OpenSSL 3.0, it's in the legacy provider which cryptsetup tries to load but it's unfortunately missing from the initramfs.

Edit: We'll be looking into implementing the inclusion of the legacy provider in the initramfs by mkinitcpio.
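The check described in the comment above, as an added example that is not part of the original thread or of the Arch hooks: it decides from `cryptsetup luksDump` and `lsinitcpio` output whether a volume needs the OpenSSL legacy provider and whether the initramfs carries it. The function names and the sample texts are constructed for illustration, and only whirlpool is listed as a legacy hash because that is the one this ticket establishes.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-reboot check for the failure in this ticket.

# Hashes that this ticket shows are only available via OpenSSL 3's legacy provider.
# Assumption: extend the list if other legacy-only hashes are in use.
LEGACY_HASHES="whirlpool"
LEGACY_MODULE="usr/lib/ossl-modules/legacy.so"

# Print the distinct hash names found in `cryptsetup luksDump` output read from stdin.
# Covers the LUKS1 "Hash spec:" field and the LUKS2 "Hash:" / "AF hash:" fields.
luks_hashes() {
    sed -n -E 's/^[[:space:]]*(Hash spec|AF hash|Hash):[[:space:]]*([^[:space:]]+).*$/\2/p' \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# Succeed if an `lsinitcpio` file listing read from stdin contains the legacy provider.
initramfs_has_legacy() {
    sed -e 's|^\./||' -e 's|^/||' | grep -Fxq "$LEGACY_MODULE"
}

# Verdict for one device: $1 = luksDump text, $2 = lsinitcpio listing.
boot_unlock_verdict() {
    needed=""
    for h in $(printf '%s\n' "$1" | luks_hashes); do
        case " $LEGACY_HASHES " in
            *" $h "*) needed="${needed:+$needed,}$h" ;;
        esac
    done
    if [ -z "$needed" ]; then
        echo "ok"
    elif printf '%s\n' "$2" | initramfs_has_legacy; then
        echo "ok-legacy-provider-present:$needed"
    else
        echo "will-fail:$needed"
    fi
}

# Constructed sample inputs, modelled on luksDump / lsinitcpio output (not captured).
SAMPLE_LUKS1_WHIRLPOOL='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      whirlpool
MK bits:        512'

SAMPLE_LUKS2_SHA='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        AF stripes: 4000
        AF hash:    sha256
Digests:
  0: pbkdf2
        Hash:       sha512'

SAMPLE_INITRAMFS_BROKEN='usr/lib/libcrypto.so.3
usr/lib/libcryptsetup.so.12
usr/lib/systemd/systemd-cryptsetup'

SAMPLE_INITRAMFS_FIXED="$SAMPLE_INITRAMFS_BROKEN
$LEGACY_MODULE"

# Demo on the constructed samples.
boot_unlock_verdict "$SAMPLE_LUKS1_WHIRLPOOL" "$SAMPLE_INITRAMFS_BROKEN"
boot_unlock_verdict "$SAMPLE_LUKS1_WHIRLPOOL" "$SAMPLE_INITRAMFS_FIXED"
boot_unlock_verdict "$SAMPLE_LUKS2_SHA" "$SAMPLE_INITRAMFS_BROKEN"

# On a real system (as root), before rebooting after the upgrade:
#   boot_unlock_verdict "$(cryptsetup luksDump /dev/sda2)" \
#                       "$(lsinitcpio /boot/initramfs-linux.img)"
```

A `will-fail` verdict means the initramfs must be regenerated with the legacy provider included, or the volume moved to another hash, before the next reboot.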
Comment by Christian Hesse (eworm) - Monday, 07 November 2022, 16:12 GMT
I would like to avoid adding the file in initcpio by default. But not breaking people's setup would be great. :)

How about having something like this in install script for `sd-encrypt` hook?

for DISK in $(lsblk -o NAME,FSTYPE --raw | grep 'crypto_LUKS$' | cut -f1 -d ' '); do
    if cryptsetup luksDump "/dev/${DISK}" | grep 'Hash:' | grep -iq 'whirlpool'; then
        warning "Looks like your disk /dev/${DISK} uses a legacy hashing algorithm. Please fix!"
        add_file '/usr/lib/ossl-modules/legacy.so'
    fi
done
Comment by Evangelos Foutras (foutrelis) - Monday, 07 November 2022, 17:10 GMT
cryptsetup 2.5.0-4 updates the encrypt and sd-encrypt hooks to include the legacy provider in the initramfs.

Confirmation that it works (from people who haven't migrated to another hash function yet) would be great.
Comment by CodingCellist (CodingCellist) - Monday, 07 November 2022, 20:01 GMT
@foutrelis cryptsetup 2.5.0-4 works on my machine! I have two partitions which use whirlpool as the hash algorithm, and they now successfully unlock and mount on boot as opposed to this morning when I had just updated.

Just to double-check: despite 2.5.0-4 fixing things, it is still recommended to change to a different hashing algorithm; whirlpool is deprecated, correct?
Comment by Evangelos Foutras (foutrelis) - Monday, 07 November 2022, 20:46 GMT
Thanks for the confirmation. Ideally you'd move to a more commonly used hash, yes. According to the OSSL_PROVIDER-legacy man page:

"Such algorithms have commonly fallen out of use, have been deemed insecure by the cryptography community, or something similar."

"We can consider this the retirement home of cryptographic algorithms."

And from https://www.openssl.org/blog/blog/2022/10/18/rmd160-and-the-legacy-provider/ :

"Our main criteria for moving an algorithm to the legacy provider were that the algorithm was too weak and not recommended for use in security applications, or that the algorithm had commonly fallen out of favour in preference to newer and potentially better algorithms."
