cryptsetup not working after upgrade to Fedora 40
by vamos from LinuxQuestions.org on (#6NJGG)
Hello there :)
My Fedora updated already a few months ago to 40 (kernel 6.8), but I got stuck with using 39 (kernel 6.6) because there was some issue with LUKS and unfortunately I didn't have the time to fix it. Now, that I got some time, I investigated several hours but don't move forward at all.
I use systemd-boot and LUKS FDE with btrfs on top. It's multi-boot using a btrfs subvolume per OS.
(See bootctl output below)
Fedora 39 and Arch -> working
Fedora 40 -> both not working
I tried several combinations using rd.luks.name, luks.name, rd.luks.uuid or luks.uuid, root=UUID=f1..., root=/dev/mapper/luks-root, root=/dev/mapper/luks-f1... but none of them works.
The only difference I could create was by using luks.name which let me enter emergency mode. With other combinations I ended up in an endless loop of systemd-cryptsetup failing.
See error output here https://picallow.com/error-32/. The first image is the endless loop. The second image shows /run/initramfs/rdsosreport.txt in emergency mode.
Code:# bootctl
System:
Firmware: UEFI 2.80 (American Megatrends 5.26)
Firmware Arch: x64
Secure Boot: disabled
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 255.7-1.fc40
Features: Boot counting
Menu timeout control
One-shot menu timeout control
Default entry control
One-shot entry control
Support for XBOOTLDR partition
Support for passing random seed to OS
Load drop-in drivers
Support Type #1 sort-key field
Support @saved pseudo-entry
Support Type #1 devicetree field
Enroll SecureBoot keys
Retain SHIM protocols
Menu can be disabled
Boot loader sets ESP information
ESP: /dev/disk/by-partuuid/28...
File: /EFI/systemd/systemd-bootx64.efi
Random Seed:
System Token: set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot/efi (/dev/disk/by-partuuid/28...)
File: /EFI/systemd/systemd-bootx64.efi (systemd-boot 255.7-1.fc40)
/EFI/BOOT/BOOTX64.EFI
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0000
Status: active, boot-order
Partition: /dev/disk/by-partuuid/28...
File: /EFI/systemd/systemd-bootx64.efi
Title: UEFI OS
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/28...
File: /EFI/BOOT/BOOTX64.EFI
Boot Loader Entries:
$BOOT: /boot (/dev/disk/by-partuuid/5b...)
token: fedora
Default Boot Loader Entry:
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux
id: arch.conf
source: /boot/efi//loader/entries/arch.conf
sort-key: 01-arch
linux: /boot/efi//arch/vmlinuz-linux
initrd: /boot/efi//arch/initramfs-linux.img
options: systemd.machine_id=29... rhgb rootflags=subvol=@root_arch root=/dev/mapper/luks-root rd.live.check rd.luks.name=65...=luks-root quietCode:# bootctl list
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux (default)
## see above
type: Boot Loader Specification Type #1 (.conf)
title: Fedora Linux 40 (Workstation Edition) (6.8.10-300.fc40.x86_64)
id: ee...-6.8.10-300.fc40.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.8.10-300.fc40.x86_64.conf
sort-key: 02
version: 6.8.10-300.fc40.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.8.10-300.fc40.x86_64/linux
initrd: /boot/efi//ee.../6.8.10-300.fc40.x86_64/initrd
options: rd.luks.uuid=luks-65... rd.luks.name=65...=luks-root rhgb quiet root=UUID=f1... rootflags=subvol=root_fedora systemd.machine_id=ee...
type: Boot Loader Specification Type #1 (.conf)
title: Fedora Linux 40 (Workstation Edition) (6.8.11-300.fc40.x86_64)
id: ee...-6.8.11-300.fc40.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.8.11-300.fc40.x86_64.conf
sort-key: 03
version: 6.8.11-300.fc40.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.8.11-300.fc40.x86_64/linux
initrd: /boot/efi//ee.../6.8.11-300.fc40.x86_64/initrd
options: systemd.machine_id=ee... rhgb rootflags=subvol=root_fedora root=/dev/mapper/luks-root rd.live.check rd.luks.name=65...=luks-root quiet
type: Boot Loader Specification Type #1 (.conf)
title: Fedora (selected)
id: ee...-6.6.3-200.fc39.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.6.3-200.fc39.x86_64.conf
sort-key: 04
version: 6.6.3-200.fc39.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.6.3-200.fc39.x86_64/linux
initrd: /boot/efi//ee.../6.6.3-200.fc39.x86_64/initrd
options: systemd.machine_id=ee... rhgb rootflags=subvol=root_fedora root=UUID=f1... rd.live.check rd.luks.uuid=luks-65... rd.luks.name=65...=luks-root quiet
type: Automatic
title: EFI Default Loader
id: auto-efi-default
source: /sys/firmware/efi/efivars/LoaderEntries-4a...
type: Automatic
title: Reboot Into Firmware Interface
id: auto-reboot-to-firmware-setup
source: /sys/firmware/efi/efivars/LoaderEntries-4a...There are also some differences between the kernel mods of F39 and F40, but I guess it doesn't have anything to do with the errors I get.
Code:diff /lib/modules/6.6.3-200.fc39.x86_64/modules.builtin /lib/modules/6.8.11-300.fc40.x86_64/modules.builtin
34c34
< kernel/crypto/skcipher.ko
---
> kernel/crypto/crypto_skcipher.ko
56d55
< kernel/crypto/cfb.ko
85d83
< kernel/crypto/ofb.ko
142a141
> kernel/drivers/pwm/pwm-crc.ko
149a149
> kernel/drivers/video/fbdev/core/fb_io_fops.ko
179,180d178
< kernel/drivers/tty/serial/8250/8250_pci.ko
< kernel/drivers/tty/serial/8250/8250_pci1xxxx.ko
182d179
< kernel/drivers/tty/serial/8250/8250_rt288x.ko
183a181,182
> kernel/drivers/tty/serial/8250/8250_pci.ko
> kernel/drivers/tty/serial/8250/8250_pci1xxxx.ko
184a184
> kernel/drivers/tty/serial/8250/8250_rt288x.ko
231a232
> kernel/drivers/net/netkit.ko
235d235
< kernel/drivers/net/phy/realtek.ko
302,303d301
< kernel/drivers/platform/x86/intel/pmc/intel_pmc_core.ko
< kernel/drivers/platform/x86/intel/pmc/intel_pmc_core_pltdrv.ko
320a319
> kernel/net/ipv4/tcp_sigpool.ko
323d321
< kernel/net/unix/unix.ko
The LUKS is also quite new, so nothing should have been removed?!
Code:cryptsetup luksDump /dev/nvme2n1p6
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 65...
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 12
Memory: 1048576
Threads: 4
Salt: ...
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 442064
Salt: ...
Digest: ...All hints or solutions are highly appreciated!
Thanks in advance!
My Fedora updated already a few months ago to 40 (kernel 6.8), but I got stuck with using 39 (kernel 6.6) because there was some issue with LUKS and unfortunately I didn't have the time to fix it. Now, that I got some time, I investigated several hours but don't move forward at all.
I use systemd-boot and LUKS FDE with btrfs on top. It's multi-boot using a btrfs subvolume per OS.
(See bootctl output below)
Fedora 39 and Arch -> working
Fedora 40 -> both not working
I tried several combinations using rd.luks.name, luks.name, rd.luks.uuid or luks.uuid, root=UUID=f1..., root=/dev/mapper/luks-root, root=/dev/mapper/luks-f1... but none of them works.
The only difference I could create was by using luks.name which let me enter emergency mode. With other combinations I ended up in an endless loop of systemd-cryptsetup failing.
See error output here https://picallow.com/error-32/. The first image is the endless loop. The second image shows /run/initramfs/rdsosreport.txt in emergency mode.
Code:# bootctl
System:
Firmware: UEFI 2.80 (American Megatrends 5.26)
Firmware Arch: x64
Secure Boot: disabled
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 255.7-1.fc40
Features: Boot counting
Menu timeout control
One-shot menu timeout control
Default entry control
One-shot entry control
Support for XBOOTLDR partition
Support for passing random seed to OS
Load drop-in drivers
Support Type #1 sort-key field
Support @saved pseudo-entry
Support Type #1 devicetree field
Enroll SecureBoot keys
Retain SHIM protocols
Menu can be disabled
Boot loader sets ESP information
ESP: /dev/disk/by-partuuid/28...
File: /EFI/systemd/systemd-bootx64.efi
Random Seed:
System Token: set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot/efi (/dev/disk/by-partuuid/28...)
File: /EFI/systemd/systemd-bootx64.efi (systemd-boot 255.7-1.fc40)
/EFI/BOOT/BOOTX64.EFI
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0000
Status: active, boot-order
Partition: /dev/disk/by-partuuid/28...
File: /EFI/systemd/systemd-bootx64.efi
Title: UEFI OS
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/28...
File: /EFI/BOOT/BOOTX64.EFI
Boot Loader Entries:
$BOOT: /boot (/dev/disk/by-partuuid/5b...)
token: fedora
Default Boot Loader Entry:
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux
id: arch.conf
source: /boot/efi//loader/entries/arch.conf
sort-key: 01-arch
linux: /boot/efi//arch/vmlinuz-linux
initrd: /boot/efi//arch/initramfs-linux.img
options: systemd.machine_id=29... rhgb rootflags=subvol=@root_arch root=/dev/mapper/luks-root rd.live.check rd.luks.name=65...=luks-root quietCode:# bootctl list
type: Boot Loader Specification Type #1 (.conf)
title: Arch Linux (default)
## see above
type: Boot Loader Specification Type #1 (.conf)
title: Fedora Linux 40 (Workstation Edition) (6.8.10-300.fc40.x86_64)
id: ee...-6.8.10-300.fc40.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.8.10-300.fc40.x86_64.conf
sort-key: 02
version: 6.8.10-300.fc40.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.8.10-300.fc40.x86_64/linux
initrd: /boot/efi//ee.../6.8.10-300.fc40.x86_64/initrd
options: rd.luks.uuid=luks-65... rd.luks.name=65...=luks-root rhgb quiet root=UUID=f1... rootflags=subvol=root_fedora systemd.machine_id=ee...
type: Boot Loader Specification Type #1 (.conf)
title: Fedora Linux 40 (Workstation Edition) (6.8.11-300.fc40.x86_64)
id: ee...-6.8.11-300.fc40.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.8.11-300.fc40.x86_64.conf
sort-key: 03
version: 6.8.11-300.fc40.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.8.11-300.fc40.x86_64/linux
initrd: /boot/efi//ee.../6.8.11-300.fc40.x86_64/initrd
options: systemd.machine_id=ee... rhgb rootflags=subvol=root_fedora root=/dev/mapper/luks-root rd.live.check rd.luks.name=65...=luks-root quiet
type: Boot Loader Specification Type #1 (.conf)
title: Fedora (selected)
id: ee...-6.6.3-200.fc39.x86_64.conf
source: /boot/efi//loader/entries/ee...-6.6.3-200.fc39.x86_64.conf
sort-key: 04
version: 6.6.3-200.fc39.x86_64
machine-id: ee...
linux: /boot/efi//ee.../6.6.3-200.fc39.x86_64/linux
initrd: /boot/efi//ee.../6.6.3-200.fc39.x86_64/initrd
options: systemd.machine_id=ee... rhgb rootflags=subvol=root_fedora root=UUID=f1... rd.live.check rd.luks.uuid=luks-65... rd.luks.name=65...=luks-root quiet
type: Automatic
title: EFI Default Loader
id: auto-efi-default
source: /sys/firmware/efi/efivars/LoaderEntries-4a...
type: Automatic
title: Reboot Into Firmware Interface
id: auto-reboot-to-firmware-setup
source: /sys/firmware/efi/efivars/LoaderEntries-4a...There are also some differences between the kernel mods of F39 and F40, but I guess it doesn't have anything to do with the errors I get.
Code:diff /lib/modules/6.6.3-200.fc39.x86_64/modules.builtin /lib/modules/6.8.11-300.fc40.x86_64/modules.builtin
34c34
< kernel/crypto/skcipher.ko
---
> kernel/crypto/crypto_skcipher.ko
56d55
< kernel/crypto/cfb.ko
85d83
< kernel/crypto/ofb.ko
142a141
> kernel/drivers/pwm/pwm-crc.ko
149a149
> kernel/drivers/video/fbdev/core/fb_io_fops.ko
179,180d178
< kernel/drivers/tty/serial/8250/8250_pci.ko
< kernel/drivers/tty/serial/8250/8250_pci1xxxx.ko
182d179
< kernel/drivers/tty/serial/8250/8250_rt288x.ko
183a181,182
> kernel/drivers/tty/serial/8250/8250_pci.ko
> kernel/drivers/tty/serial/8250/8250_pci1xxxx.ko
184a184
> kernel/drivers/tty/serial/8250/8250_rt288x.ko
231a232
> kernel/drivers/net/netkit.ko
235d235
< kernel/drivers/net/phy/realtek.ko
302,303d301
< kernel/drivers/platform/x86/intel/pmc/intel_pmc_core.ko
< kernel/drivers/platform/x86/intel/pmc/intel_pmc_core_pltdrv.ko
320a319
> kernel/net/ipv4/tcp_sigpool.ko
323d321
< kernel/net/unix/unix.ko
The LUKS is also quite new, so nothing should have been removed?!
Code:cryptsetup luksDump /dev/nvme2n1p6
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 65...
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 12
Memory: 1048576
Threads: 4
Salt: ...
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 442064
Salt: ...
Digest: ...All hints or solutions are highly appreciated!
Thanks in advance!