Breaking change in cryptsetup 2.6.1-3

streamofron · 5 April 2023 04:45

I just installed the latest stable updates on my laptop and found that my LUKS unlock with TPM2 was broken. Took me a while to track it down but I finally narrowed it down to just the cryptsetup 2.6.1-3 package – by downgrading to 2.6.1-1 the automatic unlock works again.

I strongly suspect that it’s related to this change, but I’m not certain the best route to get it reported to the upstream – I’ve heard that arch folks tend to turn away reports from manjaro users.

Anyone have suggestions with regards to how I would get this reported/fixed upstream in a way that won’t be ignored?

bogdancovaciu · 5 April 2023 05:05

Please follow the announcements

[Stable Update] 2023-03-31 - Kernels, Plasma 5.27 LTS, Pamac, Phosh, Mesa, LibreOffice

GRUB, LUKS and full disk encryption: ‘no such cryptodisk found’

Following grub’s update, new configuration may be needed to be manually applied:

Check for modifications to /etc/default/grub
Most notably, if you use LUKS with full disk encryption, you may need to:

check that GRUB_ENABLE_CRYPTODISK=y is not commented out

Don’t use tools like grub-customizer as it may create issues with the grub.cfg file.

Check if the UUID of your encrypted drive matches in your config files.

Based on the manual , unlike filesystem UUIDs, UUIDs for encrypted devices must be specified without dash separators. So check /boot/grub/grub.cfg for entries like cryptomount -u 3722dfb2-3b32-414b-bd59-4329fa92b6a9 and try to remove the dash separators.

If you modified the above configuration, you then need to update the grub menu with sudo update-grub.

A message “no such cryptodisk found” may appear on the following reboot, but should not prevent you from continuing by typing any key.

You may still want to have a liveUSB ready, in the rare case your bootloader does break, in which case you will need to reinstall grub .

There are more replies regarding this issue.

streamofron · 5 April 2023 05:45

That’s actually a different problem than what I’m experiencing. Grub does not error with mine, it starts the boot sequence and prompts for a passphrase to unlock the volume when it is configured to unlock automatically with the TPM. I tried the grub change recommended by that post and it did not correct the issue. The fix was to downgrade cryptsetup.

philm · 5 April 2023 11:50

I’ll re-release 2.6.1-1 as 2.6.1-3.1 and the current 3 revision as 3.2 to unstable …

LimitX · 18 May 2023 09:44

Having the same issue with cryptsetup-2.6.1-3.2. the following log line appears after booting the system using the recovery key:

systemd-cryptsetup[293]: TPM2 support is not installed.

Downgrading cryptsetup to 2.6.1-1 using:

sudo pacman -U https://archive.org/download/archlinux_pkg_cryptsetup/cryptsetup-2.6.1-1-x86_64.pkg.tar.zst

and re-enrolling the new key in the luks headers with systemd-cryptenroll solved the problem.

AgentP · 18 May 2023 15:12

I had the same problem an tracked it down to to a dependency between cryptsetup and systemd.

Till cryptsetup-26.1-1 tss2-{{esys,rc,mu},tcti-''}* were installed from cryptsetup.
After 26.1-1 this was removed and systemd (253.1-3)installs these files.

The problem is now cryptsetup is up to date with mainstream but systemd is not.

philm · 18 May 2023 19:39

Somehow the wrong cryptsetup was pushed to stable branch. Will fix it again.