GNU bug report logs - #53005
cryptsetup-static aborts opening LUKS2 volume with Argon2i PBKDF


Package: guix

Reported by: Simon South <simon <at> simonsouth.net>

Date: Tue, 4 Jan 2022 14:38:02 UTC

Severity: serious

Tags: patch

Done: Simon South <simon <at> simonsouth.net>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Simon South <simon <at> simonsouth.net>
Subject: bug#53005: closed (Re: bug#53005: cryptsetup-static aborts
 opening LUKS2 volume with Argon2i PBKDF)
Date: Wed, 07 Feb 2024 20:00:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#53005: cryptsetup-static aborts opening LUKS2 volume with Argon2i PBKDF

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 53005 <at> debbugs.gnu.org.

-- 
53005: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=53005
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Simon South <simon <at> simonsouth.net>
To: 53005-done <at> debbugs.gnu.org
Subject: Re: bug#53005: cryptsetup-static aborts opening LUKS2 volume with
 Argon2i PBKDF
Date: Wed, 07 Feb 2024 14:59:05 -0500
This issue was fixed with commit 6b6fb7872486, "gnu: glibc: Build with
'--strip-debug' instead of '--strip-all'."

-- 
Simon South
simon <at> simonsouth.net

[Message part 3 (message/rfc822, inline)]
From: Simon South <simon <at> simonsouth.net>
To: bug-guix <at> gnu.org
Subject: cryptsetup-static aborts opening LUKS2 volume with Argon2i PBKDF
Date: Tue, 04 Jan 2022 09:36:57 -0500
Currently cryptsetup from the "cryptsetup-static" package is unable to
open LUKS2 encrypted volumes that use the Argon2i key-derivation
algorithm, the default for LUKS2.  It catches SIGABRT and exits without
opening the volume.

This appears to be a regression following the merge of the
core-updates-frozen branch and because of it, I'm unable to boot into an
up-to-date system as there is no way to get past the "Enter passphrase"
prompt at startup.

I've verified this on both AArch64 and x86-64.  To reproduce:

1. Ensure the "cryptsetup" package is installed in your profile and that
   "cryptsetup-static", the statically-linked equivalent added to the
   initrd and used during startup, is available on your system:

     guix install cryptsetup
     guix build --verbosity=2 cryptsetup-static

2. Create a file containing a dummy LUKS2 volume:

     truncate -s 32M ./dummy-luks-volume
     cryptsetup luksFormat --type luks2 ./dummy-luks-volume

   Make sure the Argon2i PBKDF algorithm was selected during formatting:

     cryptsetup luksDump ./dummy-luks-volume | grep argon

   This should output "PBKDF: argon2i".

3. Verify the volume can be opened using the regular cryptsetup tool:

     sudo cryptsetup open --type luks ./dummy-luks-volume dummy-volume
     ls /dev/mapper/dummy-volume
     sudo cryptsetup close /dev/mapper/dummy-volume

4. Now try opening the volume using the statically-linked cryptsetup:

     sudo `guix build cryptsetup-static`/sbin/cryptsetup open \
       --type luks ./dummy-luks-volume dummy-volume
     ls /dev/mapper/dummy-volume

You should find (on most runs, at least) after you enter the passphrase
the tool exits with "Aborted" and with no entry added beneath
/dev/mapper.

-- 
Simon South
simon <at> simonsouth.net
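
The reproduction steps in the original report above, turned into a non-interactive check that repeats the open with both binaries and reports an abort explicitly. This is an added example, not part of the report or of Guix. The key file, the forced `--pbkdf argon2i`, the mapping name `dummy-volume-test`, the five attempts and the `--run` argument are assumptions made here; exit status 134 is how a shell reports a process killed by SIGABRT (128 + 6).

```shell
#!/bin/sh
# Added example: non-interactive form of the report's reproduction steps.
# Assumptions (not from the report): a key file replaces the typed passphrase,
# the mapping is named dummy-volume-test, and each binary is tried five times.

# Print the PBKDF of each keyslot from `cryptsetup luksDump` output on stdin.
pbkdf_of_dump() {
    awk '$1 == "PBKDF:" { print $2 }'
}

# Map an exit status to a verdict; 134 = 128 + 6, i.e. killed by SIGABRT.
classify_status() {
    case "$1" in
        0)   echo opened ;;
        134) echo aborted ;;
        *)   echo "failed($1)" ;;
    esac
}

# Open (and, on success, close) VOLUME with BINARY; print the verdict.
try_open() {   # usage: try_open BINARY VOLUME KEYFILE
    status=0
    "$1" open --type luks --key-file "$3" "$2" dummy-volume-test || status=$?
    [ "$status" -eq 0 ] && "$1" close dummy-volume-test
    classify_status "$status"
}

# Steps 2 to 4 of the report; must run as root, like the sudo commands there.
main() {
    vol=./dummy-luks-volume key=./dummy-luks-key
    static=$(guix build cryptsetup-static)/sbin/cryptsetup
    truncate -s 32M "$vol"
    head -c 32 /dev/urandom > "$key"
    cryptsetup luksFormat --batch-mode --type luks2 --pbkdf argon2i \
        --key-file "$key" "$vol"
    [ "$(cryptsetup luksDump "$vol" | pbkdf_of_dump)" = argon2i ] || return 2
    for bin in cryptsetup "$static"; do
        for n in 1 2 3 4 5; do
            echo "$bin attempt $n: $(try_open "$bin" "$vol" "$key")"
        done
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

On an affected system the regular binary should report "opened" on every attempt while the static one reports "aborted" on most of them.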



This bug report was last modified 1 year and 200 days ago.
