clevis-initramfs: Possible LUKS2 passphrase lockout if clevis token is not bound to a keyslot #524
Description
Greetings,
forwarded from Debian bug report #1109055 https://bugs.debian.org/1109055, credits to the bug submitter:
I discovered, that clevis LUKS2 decrypt will block the possibility to enter a passphrase
if a clevis token is not bound to a LUKS2 keyslot.After several decryption retries it will end up at the initramfs prompt.
The root cause is that in the initrd script scripts/local-top/clevis in function
luks2_decrypt existing unbound clevis tokens are not filtered but then decrypted
and passed to PASSFIFO.
The suggested fix (formatting updated):
--- a/src/initramfs-tools/scripts/local-top/clevis.in
+++ b/src/initramfs-tools/scripts/local-top/clevis.in
@@ -78,7 +78,8 @@ luks1_decrypt() {
luks2_decrypt() {
local CRYPTTAB_SOURCE=$1
local PASSFIFO=$2
- cryptsetup luksDump "$CRYPTTAB_SOURCE" | sed -rn 's|^\s+([0-9]+): clevis|\1|p' | while read -r id; do
+ # Just utilise keyslot assigned token
+ cryptsetup luksDump "$CRYPTTAB_SOURCE" | awk '{ if( $1 == "Keyslot:" && token == "clevis" && id >= 0 && $
2 >= 0 ) {printf( "%d\n", id);}; id = $1; token = $2 ;}' | while read -r id ; do
# jose jwe fmt -c outputs extra \n, so clean it up
cte=$(cryptsetup token export --token-id "$id" "$CRYPTTAB_SOURCE")
I did some tests and it looks sound, with all the three awk variants provided in Debian (gawk, mawk, original-awk), and just in case: awk is already used in clevis' initramfs support so it will be available.
Unless I'm mistake, this was introduced by fabf693 ("initramfs: add support for LUKS2").