
Initramfs Unlock with Serial/TTY boot console

Open jmannau opened this issue 3 years ago • 0 comments

We use headless devices that use a serial connection for the main terminal (no display driver) that are installed with Ubuntu 20.04. Without clevis, we need to enter the LUKS password via the serial console. We use clevis on other Ubuntu 20.04 devices (that do have a graphics output) without issue.

We have clevis-initramfs and dependencies installed, however the LUKS boot partition doesn't unlock.

After extensive debugging, I think there is an input deadlock or timing issue.

I added set -x to /usr/bin/clevis to trace execution.

Below is an excerpt of a normal boot.

At every boot it hangs at ++ clevis_luks_read_slot /dev/sda3 1 in the log below. However, as soon as I manually enter the LUKS password, it looks like the clevis scripts continue.

+ [[ luks =~ ^- ]]
+ cmd=clevis-luks
+ shift
++ findexe clevis-luks
++ '[' 1 -eq 1 ']'
++ read -r -d: path
++ '[' -f /sbin/clevis-luks ']'
++ read -r -d: path
++ '[' -f /usr/sbin/clevis-luks ']'
++ read -r -d: path
++ '[' -f /bin/clevis-luks ']'
++ read -r -d: path
++ '[' -f /usr/bin/clevis-luks ']'
++ read -r -d: path
++ '[' -f /usr/local/bin/clevis-luks ']'
++ read -r -d: path
++ return 1
+ exe=
+ '[' 3 -gt 0 ']'
+ [[ list =~ ^- ]]
+ cmd=clevis-luks-list
+ shift
++ findexe clevis-luks-list
++ '[' 1 -eq 1 ']'
++ read -r -d: path
++ '[' -f /sbin/clevis-luks-list ']'
++ read -r -d: path
++ '[' -f /usr/sbin/clevis-luks-list ']'
++ read -r -d: path
++ '[' -f /bin/clevis-luks-list ']'
++ '[' -x /bin/clevis-luks-list ']'
++ echo /bin/clevis-luks-list
++ return 0
+ exe=/bin/clevis-luks-list
+ exec /bin/clevis-luks-list -d /dev/sda3
+ . clevis-luks-common-functions
+ SUMMARY='Lists pins bound to a LUKSv1 or LUKSv2 device'
+ '[' 2 -eq 1 ']'
+ getopts :d:s: o
+ case "$o" in
+ DEV=/dev/sda3
+ getopts :d:s: o
+ '[' -z /dev/sda3 ']'
+ cryptsetup isLuks --type luks1 /dev/sda3
+ '[' -n '' ']'
++ clevis_luks_used_slots /dev/sda3
++ local DEV=/dev/sda3
++ local slots
++ cryptsetup isLuks --type luks1 /dev/sda3
++ cryptsetup isLuks --type luks2 /dev/sda3
++ readarray -t slots
+++ cryptsetup luksDump /dev/sda3
+++ sed -rn 's|^\s+([0-9]+): luks2$|\1|p'
++ echo 0 1
+ used_slots='0 1'
+ for s in ${used_slots}
+ clevis_luks_read_pins_from_slot /dev/sda3 0
+ local DEV=/dev/sda3
+ local SLOT=0
+ local jwe
++ clevis_luks_read_slot /dev/sda3 0
+ jwe=
+ return 1
+ continue
+ for s in ${used_slots}
+ clevis_luks_read_pins_from_slot /dev/sda3 1
+ local DEV=/dev/sda3
+ local SLOT=1
+ local jwe
++ clevis_luks_read_slot /dev/sda3 1
### LUKS PASSPHRASE ENTERED MANUALLY HERE ###
cryptsetup: dm_crypt-0: set up successfully
done.
Begin: Running /scripts/local-premount ... [   16.239273] Btrfs loaded, crc32c=l
Scanning for Btrfs filesystems
done.
Begin: Will now check root file system ... fsck from util-linux 2.34
[   16.320742] random: fast init done
+ jwe=xxxxx
+ local cfg
++ clevis_luks_decode_pin_config xxxxx
++ local jwe=xxxxx
++ local decoded
+++ clevis_luks_decode_jwe xxxxx
+++ local jwe=xxxxx
+++ local coded
++++ jose jwe fmt -i-
[/usr/sbin/fsck.ext4 (1) -- /dev/mapper/ubuntu--vg-ubuntu--lv] fsck.ext4 -a -C0 
+++ coded='{"ciphertext":"xxxxxxxxx'
/dev/mapper/ubuntu--vg-ubuntu--lv: clean, 117787/15499264 files, 2956328/619847s
done.
++++ jose fmt -j- -g protected -u-
++++ tr -d '"'
+++ coded=xxxxxxx

However if I add set -x to the top of /usr/share/initramfs-tools/scripts/local-top/clevis which adds extensive logs to the console, clevis automatically unlocks the partition and the boot completes normally.

I'm wondering if anyone has suggestions on how to get clevis working without adding set -x to the initramfs script?

jmannau, Aug 23 '22 05:08
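Two small helpers, added here as an illustration and not taken from jmannau's report or from the clevis project, that reproduce what the trace above shows by hand: how `clevis_luks_used_slots` enumerates LUKS2 keyslots (the `sed` expression is the one visible in the trace), and how to find the last xtrace call before the first non-trace line, which is where a `set -x` run stalls. The `luksDump` excerpt and the trace fragment are constructed sample inputs; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not clevis code: slot enumeration as seen in the trace, plus
# a locator for the point where an xtrace log stops producing '+' lines.

# Constructed luksDump excerpt: LUKS2 header, keyslots 0 and 1 populated,
# one clevis token bound to keyslot 1. The "Tokens:" entry must not be
# counted as a keyslot, which the trailing "luks2" in the pattern ensures.
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
Epoch:          5
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'

# Constructed xtrace fragment: bash prefixes each traced command with one '+'
# per nesting level (PS4), so the depth tells you which function was entered.
SAMPLE_TRACE='+ for s in ${used_slots}
+ clevis_luks_read_pins_from_slot /dev/sda3 1
+ local DEV=/dev/sda3
++ clevis_luks_read_slot /dev/sda3 1
cryptsetup: dm_crypt-0: set up successfully
done.
+ jwe=xxxxx'

# Print the populated LUKS2 keyslot numbers on one line, e.g. "0 1".
# Uses the same GNU sed expression that clevis_luks_used_slots runs in the trace.
used_luks2_slots() {
    printf '%s\n' "$1" | sed -rn 's|^\s+([0-9]+): luks2$|\1|p' | paste -s -d ' '
}

# Print the last xtrace line ('+...' prefix) that precedes the first line of
# ordinary output; that is the command that was running when the trace went quiet.
# Prints nothing if the trace never leaves xtrace output.
last_trace_call() {
    printf '%s\n' "$1" | awk '
        /^[+]+ / { last = $0; seen = 1; next }
        seen     { print last; exit }
    '
}

# Stand-alone demonstration of both helpers on the constructed inputs.
echo "used slots: $(used_luks2_slots "$SAMPLE_LUKSDUMP")"
echo "stalled at: $(last_trace_call "$SAMPLE_TRACE")"
```

Run against a real boot log, `last_trace_call` reports the same line the report identifies by eye (`++ clevis_luks_read_slot /dev/sda3 1`); comparing that with the keyslot list from `used_luks2_slots` shows which slot was being read when the console started waiting for input. Both `sed -r` and `\s` are GNU extensions, which is fine here since the clevis script in the trace relies on them too.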