The officially official Devuan Forum!

unixdan22

Member

Registered: 2022-08-15

Posts: 19  

[SOLVED] cryptroot-unlock in dropbear aborts with "Try again later"

Hello,

I use a Raspberry Pi with a LUKS-encrypted Devuan root partition. I installed dropbear in initramfs to be able to unlock the root partition at boot time remotely without having to attach a keyboard.

Dropbear works fine, I can access it from another machine remotely via SSH. It is showing this prompt:

To unlock root partition, and maybe others like swap, run `cryptroot-unlock`.

BusyBox v1.35.0 (Debian 1:1.35.0-4+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ #

The problem is, if I type cryptroot-unlock, I get this error message:

Try again later

Here is the content of the script /usr/bin/cryptroot-unlock:

#!/bin/busybox ash

# Remotely unlock encrypted volumes.
#
# Copyright © 2015-2018 Guilhem Moulin <guilhem@debian.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

set -ue
PATH=/sbin:/bin

TIMEOUT=10
PASSFIFO=/lib/cryptsetup/passfifo
ASKPASS=/lib/cryptsetup/askpass
UNLOCK_ALL=n

[ -f /lib/cryptsetup/functions ] || return 0
. /lib/cryptsetup/functions
TABFILE="/cryptroot/crypttab"
unset -v IFS

if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then
	# Too early, init-top/cryptroot hasn't finished yet
	echo "Try again later" >&2
	exit 1
fi

# Print the list of PIDs the executed command of which is $exe.
pgrep_exe() {
	local exe pid
	exe="$(readlink -f -- "$1" 2>/dev/null)" && [ -f "$exe" ] || return 0
	ps -eo pid= | while read pid; do
		[ "$(readlink -f "/proc/$pid/exe")" != "$exe" ] || printf '%d\n' "$pid"
	done
}

# Return 0 if $pid has a file descriptor pointing to $name, and 1
# otherwise.
in_fds() {
	local pid="$1" name fd
	name="$(readlink -f -- "$2" 2>/dev/null)" && [ -e "$name" ] || return 1
	for fd in $(find "/proc/$pid/fd" -type l); do
		[ "$(readlink -f "$fd")" != "$name" ] || return 0
	done
	return 1
}

# Print the PID of the askpass process with a file descriptor opened to
# /lib/cryptsetup/passfifo.
get_askpass_pid() {
	local pid
	for pid in $(pgrep_exe "$ASKPASS"); do
		if in_fds "$pid" "$PASSFIFO"; then
			echo "$pid"
			return 0
		fi
	done
	return 1
}

# Print the number of configured crypt devices that have not been unlocked yet.
count_locked_devices() {
	local COUNT=0
	crypttab_foreach_entry count_locked_devices_callback
	printf '%d\n' "$COUNT"
}
count_locked_devices_callback() {
	dm_blkdevname "$CRYPTTAB_NAME" >/dev/null || COUNT=$(( $COUNT + 1 ))
}

# Wait for askpass, then set $PID (resp. $BIRTH) to the PID (resp.
# birth date) of the cryptsetup process with same $CRYPTTAB_NAME.
wait_for_prompt() {
	local pid timer num_locked_devices=-1 n

	# wait for the fifo
	while :; do
		n=$(count_locked_devices)
		if [ $n -eq 0 ]; then
			# all configured devices have been unlocked, we're done
			exit 0
		elif [ $num_locked_devices -lt 0 ] || [ $n -lt $num_locked_devices ]; then
			# reset $timer if a device was unlocked (for instance using
			# a keyscript) while we were waiting
			timer=$(( 10 * $TIMEOUT ))
		fi
		num_locked_devices=$n

		if pid=$(get_askpass_pid) && [ -p "$PASSFIFO" ]; then
			break
		fi

		usleep 100000
		timer=$(( $timer - 1 ))
		if [ $timer -le 0 ]; then
			echo "Error: Timeout reached while waiting for askpass." >&2
			exit 1
		fi
	done

	# find the cryptsetup process with same $CRYPTTAB_NAME
	local o v
	for o in NAME TRIED OPTION_tries; do
		if v="$(grep -z -m1 "^CRYPTTAB_$o=" "/proc/$pid/environ")"; then
			eval "CRYPTTAB_$o"="\${v#CRYPTTAB_$o=}"
		else
			eval unset -v "CRYPTTAB_$o"
		fi
	done
	if [ -z "${CRYPTTAB_NAME:+x}" ] || [ -z "${CRYPTTAB_TRIED:+x}" ]; then
		return 1
	fi
	if ( ! crypttab_find_entry --quiet "$CRYPTTAB_NAME" ); then
		# use a subshell to avoid polluting our enironment
		echo "Error: Refusing to process unknown device $CRYPTTAB_NAME" >&2
		exit 1
	fi

	for pid in $(pgrep_exe "/sbin/cryptsetup"); do
		if grep -Fxqz "CRYPTTAB_NAME=$CRYPTTAB_NAME" "/proc/$pid/environ"; then
			PID=$pid
			BIRTH=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) || break
			return 0
		fi
	done

	PID=
	BIRTH=
	return 1
}

# Wait until $PID no longer exists or has a birth date greater that
# $BIRTH (ie was reallocated).  Then return with exit value 0 if
# /dev/mapper/$CRYPTTAB_NAME exists, and with exit value 1 if the
# maximum number of tries exceeded.  Otherwise (if the unlocking
# failed), return with value 1.
wait_for_answer() {
	local timer=$(( 10 * $TIMEOUT )) b
	while [ -d "/proc/$PID" ] && b=$(stat -c"%Z" "/proc/$PID" 2>/dev/null) && [ $b -le $BIRTH ]; do
		usleep 100000
		timer=$(( $timer - 1 ))
		if [ $timer -le 0 ]; then
			echo "Error: Timeout reached while waiting for PID $PID." >&2
			exit 1
		fi
	done

	if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
		echo "cryptsetup: $CRYPTTAB_NAME set up successfully" >&2
		[ "$UNLOCK_ALL" = y ] && return 0 || exit 0
	elif [ $(( ${CRYPTTAB_TRIED:-0} + 1 )) -ge ${CRYPTTAB_OPTION_tries:-3} ] &&
			[ ${CRYPTTAB_OPTION_tries:-3} -gt 0 ]; then
		echo "cryptsetup: maximum number of tries exceeded for $CRYPTTAB_NAME" >&2
		exit 1
	else
		echo "cryptsetup: cryptsetup failed, bad password or options?" >&2
		return 1
	fi
}

if [ -t 0 ] && [ -x "$ASKPASS" ]; then
	# interactive mode on a TTY: keep trying until all configured devices have
	# been unlocked or the maximum number of tries exceeded
	UNLOCK_ALL=y
	while :; do
		# note: if the script is not killed before pivot_root it should
		# exit on its own once $TIMEOUT is reached
		if ! wait_for_prompt; then
			usleep 100000
			continue
		fi
		read -rs -p "Please unlock disk $CRYPTTAB_NAME: "; echo
		printf '%s' "$REPLY" >"$PASSFIFO"
		wait_for_answer || true
	done
else
	# non-interactive mode: slurp the passphrase from stdin and exit
	wait_for_prompt || exit 1
	echo "Please unlock disk $CRYPTTAB_NAME"
	cat >"$PASSFIFO"
	wait_for_answer || exit 1
fi

# vim: set filetype=sh :

I figured out, that in the following part the script fails because the timestamp of /cryptroot/crypttab is older than /proc/1:

if [ ! -f "$TABFILE" ] || [ "$TABFILE" -ot "/proc/1" ]; then
	# Too early, init-top/cryptroot hasn't finished yet
	echo "Try again later" >&2
	exit 1
fi

There is no file /scripts/init-top/cryptroot.

If I manually touch /cryptroot/crypttab, cryptroot-unlock works fine and prompts:

Please unlock disk pi_lvm_crypt:

If I enter the LUKS password, the main system boots up normally.

How can I configure the system, so that cryptroot-unlock works directly?

Thank you in advance!

P.S.: I wrote this script encrypt-disk-image.sh to create an encrypted disk image from an image from https://arm-files.devuan.org/:

#!/bin/bash

set -e

LUKS_NAME=pi_lvm_crypt
VG_NAME=pivg00
LV_NAME=rootfs
ROOTFS_MOUNTPOINT="/mount/newcrypt"
BOOT_MOUNTPOINT="${ROOTFS_MOUNTPOINT}/boot/broadcom"

LOOP_DEV_PLAIN=/dev/loop20
LOOP_DEV_ENC=/dev/loop21

cleanup () {
  trap - INT ERR TERM HUP
  echo "Cleaning up..."
  set +e
  umount -f -- "$BOOT_MOUNTPOINT" \
  "${ROOTFS_MOUNTPOINT}/dev/" \
  "${ROOTFS_MOUNTPOINT}/sys/" \
  "${ROOTFS_MOUNTPOINT}/proc/" \
  "${ROOTFS_MOUNTPOINT}"
  rm -rf -- "$BOOT_MOUNTPOINT" "$ROOTFS_MOUNTPOINT"
  vgchange -a n -- "$VG_NAME"
  cryptsetup luksClose -- "$LUKS_NAME"
  losetup -D
  echo "Done."
}

exitfn () {
  cleanup
  exit 1
}

# ERR trap only works in bash
trap exitfn INT ERR TERM HUP

if [ "$#" -lt 2 ]; then
  echo "Usage: $0 SOURCE_PLAIN_IMAGE_OR_DEVICE TARGET_CIPHER_IMAGE_OR_DEVICE [DROPBEAR_PUBLIC_KEY_FILE]" >&2
  exit 1
fi

SOURCE_PLAIN_IMAGE_OR_DEVICE="$1"
TARGET_CIPHER_IMAGE_OR_DEVICE="$2"
DROPBEAR_PUBLIC_KEY_FILE="$3"

# If image files are given as arguments, these files are set up as virtual block devices

if [ -b "$SOURCE_PLAIN_IMAGE_OR_DEVICE" ] ; then
  echo "Source is a device, continuing."
  PLAIN_DEV="$SOURCE_PLAIN_IMAGE_OR_DEVICE"
else
  echo "Setting up plain image as virtual block device..."
  PLAIN_DEV="$LOOP_DEV_PLAIN"
  losetup -Pr --direct-io=on -- "$PLAIN_DEV" "$SOURCE_PLAIN_IMAGE_OR_DEVICE"
  echo "Done."
fi

PART_SIZES="$(/sbin/sfdisk -lo Sectors -- "$PLAIN_DEV" | awk '/^Sectors$/{flag=1;next}{$1=$1};flag')"

if [ "$(echo "${PART_SIZES}" | wc -l)" -ne 2 ] ; then
  echo "Expected 2 partitions (boot and rootfs) on the source device" >&2
  exit 10
fi

BOOT_SIZE="$(echo "${PART_SIZES}" | head -1)"
ROOTFS_SIZE="$(echo "${PART_SIZES}" | tail -1)"

echo "Boot size (sectors): ${BOOT_SIZE}"
echo "Rootfs size (sectors): ${ROOTFS_SIZE}"

# LUKS header has a size of up to 32MiB
# LVM overhead should be 2MiB
# => Reserving 64 MiB for any headers
# 64M / 512 = 131072
RESERVE=131072

SECTOR_SIZE=512

BOOT_START=8192
BOOT_END="$((BOOT_START + BOOT_SIZE - 1))"

LUKS_START="$((BOOT_START + BOOT_SIZE))"
LUKS_START="$((LUKS_START + LUKS_SECTOR_SIZE - LUKS_START % 8))"
LUKS_SIZE="$((ROOTFS_SIZE + RESERVE))"
LUKS_SIZE="$((LUKS_SIZE + LUKS_SECTOR_SIZE - LUKS_SIZE % 8))"
LUKS_END="$((LUKS_START + LUKS_SIZE))"

if [ -b "$TARGET_CIPHER_IMAGE_OR_DEVICE" ] ; then
  echo "Target is a device, continuing."
  ENC_DEV="$TARGET_CIPHER_IMAGE_OR_DEVICE"
else
  echo "Fallocating target image and setting it up as virtual block device..."
  ENC_DEV="$LOOP_DEV_ENC"
  ENC_IMG_SIZE="$((SECTOR_SIZE * (BOOT_START + BOOT_SIZE + LUKS_SIZE)))"
  fallocate -l "$ENC_IMG_SIZE" -- "$TARGET_CIPHER_IMAGE_OR_DEVICE"
  losetup -P --direct-io=on -- "$ENC_DEV" "$TARGET_CIPHER_IMAGE_OR_DEVICE"
  echo "Done."
fi

echo "Creating MBR partition table on new image..."
sfdisk -- "${ENC_DEV}" <<EOF
label: dos
${BOOT_START} ${BOOT_SIZE} b *
${LUKS_START} ${LUKS_SIZE} R -
EOF
echo "Done."

PLAIN_PARTS="$(lsblk -lo NAME -- "${PLAIN_DEV}" | tail -2)"
if [ "$(echo "${PLAIN_PARTS}" | wc -l)" -ne 2 ] ; then
  echo "Expected 2 partitions (boot and rootfs) on the source device" >&2
  exit 10
fi
PLAIN_BOOT="/dev/$(echo "${PLAIN_PARTS}" | head -1)"
PLAIN_ROOTFS="/dev/$(echo "${PLAIN_PARTS}" | tail -1)"

ENC_PARTS="$(lsblk -lo NAME -- "${ENC_DEV}" | tail -2)"
if [ "$(echo "${ENC_PARTS}" | wc -l)" -ne 2 ] ; then
  echo "Expected 2 partitions (boot and rootfs) on the target device after partitioning" >&2
  exit 10
fi
ENC_BOOT="/dev/$(echo "${ENC_PARTS}" | head -1)"
ENC_ROOTFS="/dev/$(echo "${ENC_PARTS}" | tail -1)"

echo "Copying boot partition..."
dd if="$PLAIN_BOOT" of="$ENC_BOOT" bs=4K conv=fsync status=progress
echo "Done."

echo "Creating LUKS partition..."
cryptsetup -y -v --type luks2 luksFormat \
--sector-size 4096 \
--cipher xchacha20,aes-adiantum-plain64 \
--hash sha256 --key-size 256 \
-- "$ENC_ROOTFS"
echo "Done."

echo "Opening encrypted partition..."
cryptsetup luksOpen -- "$ENC_ROOTFS" "$LUKS_NAME"
echo "Done."

echo "Creating LVM physical volume on LUKS partition..."
pvcreate -- "/dev/mapper/$LUKS_NAME"
vgcreate -- "$VG_NAME" "/dev/mapper/$LUKS_NAME"
lvcreate -n "$LV_NAME" -l 100%FREE -- "$VG_NAME"
echo "Done."

echo "Copying rootfs partition..."
dd if="$PLAIN_ROOTFS" of="/dev/${VG_NAME}/${LV_NAME}" bs=4K conv=fsync status=progress
echo "Done."

echo "Getting LUKS partition UUID..."
LUKS_UUID="$(blkid -s UUID -o value -- "${ENC_ROOTFS}")"
echo "Done. LUKS_UUID=${LUKS_UUID}"

echo "Getting encrypted ROOTFS partition UUID..."
ROOTFS_UUID="$(blkid -s UUID -o value -- "/dev/${VG_NAME}/${LV_NAME}")"
echo "Done. ROOTFS_UUID=${ROOTFS_UUID}"

echo "Mounting partitions..."
mkdir -p -- "$ROOTFS_MOUNTPOINT" "$BOOT_MOUNTPOINT"
mount -- "/dev/${VG_NAME}/${LV_NAME}" "$ROOTFS_MOUNTPOINT"
mount -- "$ENC_BOOT" "$BOOT_MOUNTPOINT"
echo "Done."

echo "Patching rootfs..."

echo "${LUKS_NAME} UUID=${LUKS_UUID} none luks,initramfs" > "${ROOTFS_MOUNTPOINT}/etc/crypttab"

mkdir -p -- "${ROOTFS_MOUNTPOINT}/etc/initramfs-tools"

cat >> "${ROOTFS_MOUNTPOINT}/etc/initramfs-tools/modules" <<-"EOF"
algif_skcipher
xchacha20
adiantum
aes_arm
sha256
nhpoly1305
dm_crypt
EOF

DROPBEAR_CONFIG="${ROOTFS_MOUNTPOINT}/etc/dropbear/initramfs/dropbear.conf"
mkdir -p -- "$(dirname -- "${DROPBEAR_CONFIG}")"
cat >> "${DROPBEAR_CONFIG}" <<-"EOF"
DROPBEAR_OPTIONS="-p 2222"
EOF

if [ -n "${DROPBEAR_PUBLIC_KEY_FILE}" ] ; then
  DROPBEAR_AUTHORIZED_KEYS="${ROOTFS_MOUNTPOINT}/etc/dropbear/initramfs/authorized_keys"
  mkdir -p -- "$(dirname -- "${DROPBEAR_AUTHORIZED_KEYS}")"
  cat -- "${DROPBEAR_PUBLIC_KEY_FILE}" > "${DROPBEAR_AUTHORIZED_KEYS}"
fi

echo "console=serial0,115200 console=tty1 root=UUID=${ROOTFS_UUID} cryptdevice=UUID=${LUKS_UUID}:${LUKS_NAME} rootfstype=ext4 fsck.repair=yes loglevel=5 net.ifnames=0 firmware_class.path=/lib/firmware/updates/brcm rootwait rootdelay=2" > "${BOOT_MOUNTPOINT}/cmdline.txt"

# Problem:
# If /cryptroot/crypttab is older than /proc/1,
# cryptdisks-unlock aborts with the message "Try again later".
# /scripts/init-top/cryptroot is expected to update /cryptroot/crypttab,
# but there is no such script on my target machine.
# /cryptroot/crypttab is present anyways.
#
# Tried workaround (did not help):
# Add an initramfs script to update the timestamp of /cryptroot/crypttab.

TOUCH_CRYPTTAB_SCRIPT="${ROOTFS_MOUNTPOINT}/etc/initramfs-tools/scripts/init-premount/touch_crypttab"
mkdir -p -- "$(dirname -- "${TOUCH_CRYPTTAB_SCRIPT}")"
cat > "${TOUCH_CRYPTTAB_SCRIPT}" <<-"EOF"
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

touch /cryptroot/crypttab
EOF

chmod +x -- "${TOUCH_CRYPTTAB_SCRIPT}"

echo "Done."

echo "Chrooting into new image..."
mount --bind /dev "${ROOTFS_MOUNTPOINT}/dev/"
mount --bind /sys "${ROOTFS_MOUNTPOINT}/sys/"
mount --bind /proc "${ROOTFS_MOUNTPOINT}/proc/"

cp -- /usr/bin/qemu-arm-static "${ROOTFS_MOUNTPOINT}/usr/bin/"

chroot -- "${ROOTFS_MOUNTPOINT}" /bin/bash <<-"EOF"
DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get install -yq -o Dpkg::Options::=--force-confold fdisk e2fsprogs lvm2 busybox cryptsetup initramfs-tools cryptsetup-initramfs dropbear-initramfs keyutils && \
/usr/sbin/update-rc.d cryptdisks-early enable && \
/usr/sbin/update-initramfs -vu && \
/bin/cp -t /boot/broadcom /boot/initrd*
EOF

echo "Returned from chroot."

cleanup

Last edited by unixdan22 (2023-10-29 20:04:09)

Danielsan

Member

Registered: 2020-07-14

Posts: 178  

Re: [SOLVED] cryptroot-unlock in dropbear aborts with "Try again later"

Thank you for finding a workaround.

I wonder if using a script from the sysv era would fix it. The fact that is working on Debian but not on Devuan let me think only one thing: systemd... 🤦

unixdan22

Member

Registered: 2022-08-15

Posts: 19  

Re: [SOLVED] cryptroot-unlock in dropbear aborts with "Try again later"

Just noticed this is a duplicate of https://dev1galaxy.org/viewtopic.php?id=3642, sorry!