dracut
dracut should unmount the root encrypted disk `cryptsetup luksClose` during shutdown
Describe the bug
dracut does not unmount the root encrypted disk on shutdown. (Using cryptsetup luksClose.)
Distribution used: Debian bullseye
Dracut version: 0.51
Init system: systemd
To Reproduce
I've written a dracut shutdown module that runs `dmsetup ls --target crypt`, which reports that an encrypted disk is still open.
https://github.com/Kicksecure/ram-wipe/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh#L52
Also searching inside the dracut source code didn't yield any result for closing the encrypted root disk during shutdown.
I am also seeing an error message during shutdown. (These messages are unreadable because shutdown is so quick. So I used a camera to record a video of the shutdown process to see these messages.)
```
device-mapper: remote ioctl on host--vg-root failed: Device or resource busy
device-mapper: remote ioctl on sda5_crypt failed: Device or resource busy
device-mapper: remote ioctl on host--vg-root failed: Device or resource busy
Powering off.
```
That error message is probably caused by `/usr/lib/systemd/systemd-shutdown` because `shutdown.c` includes `dm_detach_all`. `log_info("Powering off.");`. That could be a bug in systemd but indicates that dracut exitrd didn't properly clean up by running `cryptsetup luksClose`.
These Device or resource busy messages are also reproducible on unmodified systems (no dracut modifications, no custom modules).
Please let me know if you need better instructions on how to reproduce this.
Expected behavior
dracut performs cryptsetup luksClose on shutdown.
Why should dracut perform cryptsetup luksClose on shutdown?
- Good style.
- Everything dracut does to prepare the system for boot (initrd) should be undone, cleaned up during shutdown (exitrd) if it is reasonable to do so. This includes killing remaining processes, unmounting root and why not also `cryptsetup luksClose`.
- Lower chances of data loss. If the root disk could be unmounted as well as the root luks device. By running `cryptsetup luksClose`, it increases chances that the kernel will flush all caches and write them to the disk.
- The time effort for `cryptsetup luksClose` on shutdown is really minimal but nice and clean.
- systemd's `/usr/lib/systemd/systemd-shutdown` because `shutdown.c` apparently also attempts to unmount the root encrypted luks disk (by calling function `dm_detach_all`).
- Important for RAM wipe at shutdown to make sure (or at least increase chances) of Linux releasing the LUKS disk encryption key from RAM - https://github.com/dracutdevs/dracut/issues/997
Search dracut source code for luksClose.
grep -r -i luksclose /usr/lib/dracut
90crypt/crypt-cleanup.sh
cryptsetup luksClose $i >/dev/null 2>&1 && do_break=n
91crypt-loop/crypt-loop-lib.sh
printf "%s\n" "cryptsetup luksClose \"$key\"" > ${hookdir}/cleanup/"crypt-loop-cleanup-10-${key##*/}".sh
`90crypt/module-setup.sh` defines `inst_hook cleanup 30 "$moddir/crypt-cleanup.sh"` so that isn't about shutdown.
`91crypt-loop/crypt-loop-lib.sh` isn't about shutdown either.
I also couldn't find any `inst_hook shutdown` for any crypto related dracut module.
grep -r -i hook /usr/lib/dracut | grep --color -i shutdown
`99shutdown/shutdown.sh` runs `umount` but nothing related to crypto.
In conclusion, I don't think that anything like "cryptsetup luksClose" at shutdown is currently implemented in dracut.
Is this only an issue if systemd-cryptsetup is not included in the initramfs?
No, this is also an issue with systemd-cryptsetup included.
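The check described under "To Reproduce" (running `dmsetup ls --target crypt` late in shutdown and seeing whether a mapping is still open), as an added example that is not part of the original issue, of ram-wipe or of dracut. The function names are hypothetical, and the device names shown in the comments are constructed sample output.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report dm-crypt mappings that
# are still open, based on the output of `dmsetup ls --target crypt`.

# open_crypt_names: read `dmsetup ls --target crypt` output on stdin and
# print one mapping name per line. Prints nothing when no mapping is open.
# Constructed sample input lines:
#   sda5_crypt<TAB>(254:0)      older "(major:minor)" form
#   sda5_crypt<TAB>(254, 0)     newer "(major, minor)" form
#   No devices found            printed when nothing matches
open_crypt_names() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "" | "No devices found") continue ;;
        esac
        # The mapping name is everything before the first whitespace.
        printf '%s\n' "${line%%[[:space:]]*}"
    done
    return 0
}

# check_crypt_closed: same input on stdin. Returns 0 when no dm-crypt
# mapping is open; otherwise warns on stderr for each one and returns 1.
check_crypt_closed() {
    names=$(open_crypt_names)
    [ -z "$names" ] && return 0
    for name in $names; do
        printf 'dm-crypt mapping still open: %s\n' "$name" >&2
    done
    return 1
}

# Live use on a real system, for instance from a shutdown hook (assumption:
# dmsetup is available in that environment):
#   dmsetup ls --target crypt | check_crypt_closed || echo "LUKS key may still be in RAM"
```

A non-zero return here corresponds to the state the issue reports: the mapping has not been closed, so the kernel still holds the volume key.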