• Bug#1109055: clevis-initramfs: Possible LUKS2 passphrase lockout if cle

    From Wolfgang Zarre@21:1/5 to All on Thu Jul 10 16:10:01 2025
    Package: clevis-initramfs
    Version: 19-2
    Severity: important

    Dear Maintainer,

    I discovered that clevis LUKS2 decrypt will block the possibility to enter a passphrase
    if a clevis token is not bound to a LUKS2 keyslot.

    After several decryption retries it will end up at the initramfs prompt.

    The root cause is that in the initrd script scripts/local-top/clevis, in function
    luks2_decrypt, existing unbound clevis tokens are not filtered out but decrypted
    and passed to PASSFIFO.

    It is reproducible with clevis luks bind, e.g.:
    clevis luks bind -f -y -k <our-keyfile> -d <root_device> tpm2 <PCR_bind>

    Then removing the keyslot of a token/keyslot pair with:
    cryptsetup luksKillSlot <root_device> <keyslot number>

    With cryptsetup luksDump <root_device> you would see then e.g.:
    ...
    Tokens:
    0: clevis
    Digests:
    ...

    After a reboot, obviously clevis cannot decrypt, but furthermore it is impossible
    to enter the passphrase.


    Suggestion to fix:
    ---------------------------------------------------------------
    --- /usr/share/initramfs-tools/scripts/local-top/clevis
    +++ /usr/share/initramfs-tools/scripts/local-top/clevis
    @@ -78,7 +78,8 @@ luks1_decrypt() {
    luks2_decrypt() {
    local CRYPTTAB_SOURCE=$1
    local PASSFIFO=$2
    - cryptsetup luksDump "$CRYPTTAB_SOURCE" | sed -rn 's|^\s+([0-9]+): clevis|\1|p' | while read -r
    id; do
    + # Just utilise keyslot assigned token
    + cryptsetup luksDump "$CRYPTTAB_SOURCE" | awk '{ if( $1 == "Keyslot:" && token == "clevis" && id
    = 0 && $2 >= 0 ) {printf( "%d\n", id);}; id = $1; token = $2 ;}' | while read -r id ; do
    # jose jwe fmt -c outputs extra \n, so clean it up
    cte=$(cryptsetup token export --token-id "$id" "$CRYPTTAB_SOURCE")
    [ $? -eq 0 ] || continue ---------------------------------------------------------------
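    Review bot: `id = 0` in the awk condition of the added `luks2_decrypt` pipeline is an assignment, not the comparison `==`, so the `if` branch can never be taken (the assigned value 0 is false) and the pipeline prints no token id at all; every clevis token, bound or not, is then skipped and automatic unlock silently stops working even for healthy bindings. The preceding `N: clevis` line is already carried over in `id`/`token`, so the `id = 0 &&` term should simply be dropped, and `$2 >= 0` is always true for a numeric `Keyslot:` field and can go too. A comment should also say that `printf("%d\n", id)` relies on awk coercing the string `0:` to the number 0. Since the whole approach still scrapes human-readable luksDump text, it would be more robust to read the token's `keyslots` list from `cryptsetup luksDump --dump-json-metadata` where cryptsetup >= 2.4.0 can be assumed.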

    This could also be fixed with a bash loop, without awk or sed, if newer bash syntax would be ok.


    Cheers,
    Wolf



    -- System Information:
    Debian Release: 12.11
    APT prefers stable-security
  • From Christoph Biedl@21:1/5 to All on Thu Jul 10 22:50:01 2025
    Control: tag 1109055 upstream confirmed
    Control: forwarded 1109055 https://github.com/latchset/clevis/issues/524

    Wolfgang Zarre wrote...

    I discovered that clevis LUKS2 decrypt will block the possibility to enter a passphrase
    if a clevis token is not bound to a LUKS2 keyslot.

    Thanks for catching this, I brought the issue to upstream.

    Christoph

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEWXMI+726A12MfJXdxCxY61kUkv0FAmhwJWQACgkQxCxY61kU kv3jZhAAosGbVAQVBqIxfTUVopXMlr20UkPdBeZLMdNNXrMrKTlc0IPoWXvuttrM 5mIwF8qVnpdYkLdd/ivDEPA6I1FvqcCEf+Mg2erFKcV5efYXeq83NqKaWlEQj7YF xmF1NuwmBaUV/tN36wh2t4hGjhm7XflZAbr78ggj66n3SSERSmx71pg7X0FCaVqM Dx9c/i8OiVJ4QiG8KmX8aynPi341iQqvfs8EkNjCfS8qEjk8mGb2xtnZhhGTiT/e JI23YXhmmqKzFzV1wUKkyqbL7FgoIQL2ZKrQbKOPvI6OGJsX5/FZxCjzzZGuZXn4 6iYT01x7p1OlVXeiybDFZsaTY4RR3ySV/dlVXINQASUKwmWF42UFUGf/YayOwuVv PF3XYKIGhJyW1atLE6sjf+gU0HoFN6qpZ4BZfFbmKtIr5eBOzQRgBXU8WTBFyDHX c12uHPfpUysYLspMR18uKIpYOaRIN2goZR0waOWkJQax9ObdaOygT0j6NwInNZ22 Mqi2Yv4kVqlwqP3P1tlyUVg8Nw0y7JrUsLnaljFf+ey3llhvezoA/Fuao5ynUolH UXTrfv5whGI1wT/2cDbqFRoP/hFqVrXpmQVjcFEmNRWincBYe3gPX0GY4pfanyAI qlKupHRK3kFIg1iC/VgUhXnQxQcB/kxLeLP8Nu4evGreeHsMJqQ=
    =L8sw
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guilhem Moulin@21:1/5 to All on Fri Jul 11 14:30:01 2025
    Hi,

    [src:cryptsetup co-maintainer here, thanks Christoph for bringing this
    issue to my attention.]

    `cryptsetup luksDump` output has been rather stable in practice, but
    AFAIK upstream provides no guarantee about stability and machine-readable
    output. If support for cryptsetup <2.4.0 (released Aug 2021) is not
    needed I'd suggest to use the `--dump-json-metadata` flag to dump the
    header JSON metadata area, and massage the JSON output instead. (Note
    that the command fails on LUKS1 devices though.)

    Schema for the LUKS2 header JSON metadata area is documented in §2.2 of
    the LUKS2 specification: https://gitlab.com/cryptsetup/LUKS2-docs .

    --
    Guilhem.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmhxArEACgkQ05pJnDwh pVKR/BAAqIQUrlJcHbdUZIKq6rM6GYR4/YH90HWf/PfJeF49/Oz7tg7PVY4cT41U s9BJ79ZMLw6z9jEEOJvoILalnM4HnCt7QO3NTbzF3mf7/fZj/11SlgsxT20pLbxY VYJuuKYm2kQi67xc7uCigcfjLktN4Q/NmWu0VSR2sH/JseBu1WjKzjMsvr7V17DU osuJ94EMBATI5q6ujitzAxPsGSJ3SQ500VQpdSq5HtcwgagW2XVDnx7pleX6e70p 86FtqZJxmmQIVOd9wPPH31ofcsSPRvPFiz/KNaOaXCATlVrmoya6SJmzukywhMRz w7sa1QEiC/DX5Pq6Jsnp3GB26j22cTugQPPS4NsPGOefJ5YK8vdWRXc62moITf/w TExiwlqdpchXoOP/ZVbU3ci2ogR6pRvzPj43ws2UNatx2zzh19B1JohiPVvOTFSp bshBnwHvrEtsbQNkbirwZuPaqBQD1klT/+PY9t0pAtzMM2EtDd0PJII7yOYbqTHX nfmYlVRhOBVo0IQLg8Czf+gYjipoIsYfV6ciPS3m+KZHQuAlth7gU/For88cJJ60 Ykx9/+WlO0bZfjo4GW0iJlsj8xZJ5NcwLp4SxHgDeFcgJS5cAYgMc5IC8tP51/Ga Dnwuv5EkR3j6+VCmhSPhebwsTFdKJYH7c97yARgwnPgYuOXnm9Q=
    =QWSY
    -----END PGP SIGNATURE-----

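The header-JSON approach suggested in the previous message, as an added example that is not part of clevis, cryptsetup or this bug report: it reads the LUKS2 JSON metadata area (from `cryptsetup luksDump --dump-json-metadata <device>`, cryptsetup >= 2.4.0, LUKS1 not supported) and keeps only clevis tokens whose `keyslots` array names a keyslot that still exists, which is exactly the filter the initramfs hook needs to avoid feeding an orphaned token's output to PASSFIFO. Python is used here so the JSON handling is readable; the equivalent jq filter for an sh hook is included as a string. The sample header is constructed and trimmed, jq being present in the initramfs is an assumption, and the extra check for a keyslot id that is listed by a token but missing from the header's `keyslots` object is a defensive addition, not something the thread describes.

```python
import json
import subprocess
import sys

# Same selection as usable_clevis_tokens() below, as a jq filter for use from
# the sh initramfs hook. Assumption: jq is available in the initramfs.
JQ_FILTER = (
    '.tokens | to_entries[] '
    '| select(.value.type == "clevis" and (.value.keyslots | length) > 0) '
    '| .key'
)


def dump_json_metadata(device):
    """Return the LUKS2 header JSON area for DEVICE.

    Needs cryptsetup >= 2.4.0 and root; the command fails on LUKS1 devices.
    """
    proc = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def usable_clevis_tokens(metadata_json):
    """Return the ids of clevis tokens that still reference an existing keyslot.

    After `cryptsetup luksKillSlot`, the killed keyslot is dropped from the
    token's "keyslots" array, leaving an orphaned token with an empty list.
    As an extra defensive check (an assumption, not from the LUKS2 spec text
    quoted in the thread), a keyslot id that a token lists but that is absent
    from the header's "keyslots" object is treated as dead as well.
    """
    header = json.loads(metadata_json)
    keyslots = header.get("keyslots", {})
    tokens = header.get("tokens", {})
    usable = []
    for tid in sorted(tokens, key=int):          # token ids are numeric strings
        token = tokens[tid]
        if token.get("type") != "clevis":        # e.g. luks2-keyring tokens
            continue
        live = [ks for ks in token.get("keyslots", []) if ks in keyslots]
        if live:
            usable.append(tid)
    return usable


# Constructed sample header (trimmed to the fields used; not a real dump):
# token 0 is orphaned (its keyslot was killed), token 1 is bound to keyslot 1,
# token 2 is a cryptsetup keyring token that clevis must ignore.
SAMPLE_HEADER = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "clevis", "keyslots": [], "jwe": {}},
        "1": {"type": "clevis", "keyslots": ["1"], "jwe": {}},
        "2": {"type": "luks2-keyring", "keyslots": ["0"], "key_description": "x"},
    },
    "digests": {},
    "segments": {},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
})


if __name__ == "__main__":
    # Usage: python3 clevis_tokens.py /dev/sdX   (without an argument, the
    # constructed sample header is used so the script runs offline)
    src = dump_json_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADER
    for tid in usable_clevis_tokens(src):
        print(tid)
```

In the hook, the ids this prints are the only ones worth passing to `cryptsetup token export --token-id`; an orphaned token produces nothing, so the passphrase prompt is never displaced by retries that cannot succeed.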