Bug #15967

udisks doesn't recognize volumes with multiple encryption as unlocked

Added by segfault 2018-09-20 21:52:49. Updated 2018-11-06 14:47:33.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2018-09-20
Due date:
% Done:

100%

Feature Branch:
feature/14481-TCRYPT-support-beta
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:
299

Description

VeraCrypt supports using multiple encryption (see https://www.veracrypt.fr/en/Cascades.html). When unlocking a volume with multiple encryption, the CryptoBackingDevice property is not set, which seems to be the reason for the volume not being recognized as unlocked (neither in GNOME Disks nor in Unlock VeraCrypt Volumes).

As a result, the timeout for waiting for the cleartext object after unlocking is always exceeded (the cleartext object never appears); therefore, users using volumes with multiple encryption are also affected by Bug #15733 (and consequently Bug #15757, if they find the cleartext volume in GNOME Disks and try to unlock it).

Upstream merge request: https://github.com/storaged-project/udisks/pull/582 (merged)
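
The lookup described above, as an added example (not code from udisks or Tails): a UDisks2 client decides that an encrypted block is unlocked by finding another block whose CryptoBackingDevice points back at it, so an unset property ("/") makes the volume look locked. The object paths and the sample dictionary are constructed; they only mimic the shape of a GetManagedObjects() reply.

```python
BLOCK = "org.freedesktop.UDisks2.Block"
ENCRYPTED = "org.freedesktop.UDisks2.Encrypted"
PREFIX = "/org/freedesktop/UDisks2/block_devices/"

# Constructed sample: sdb1 is unlocked with a single cipher, sdc1 with a
# cascade. For sdc1 the mapped device exists but its CryptoBackingDevice
# is left at "/", which is the symptom this bug describes.
SAMPLE = {
    PREFIX + "sdb1": {BLOCK: {"CryptoBackingDevice": "/"}, ENCRYPTED: {}},
    PREFIX + "dm_2d0": {BLOCK: {"CryptoBackingDevice": PREFIX + "sdb1"}},
    PREFIX + "sdc1": {BLOCK: {"CryptoBackingDevice": "/"}, ENCRYPTED: {}},
    PREFIX + "dm_2d3": {BLOCK: {"CryptoBackingDevice": "/"}},
}


def cleartext_for(objects, encrypted_path):
    """Return the block whose CryptoBackingDevice is encrypted_path, or None."""
    for path, ifaces in objects.items():
        block = ifaces.get(BLOCK)
        if block and block.get("CryptoBackingDevice", "/") == encrypted_path:
            return path
    return None


def audit(objects):
    """Map each Encrypted object to its cleartext block (None = looks locked)
    and list device-mapper blocks that have no backing link at all."""
    status = {
        path: cleartext_for(objects, path)
        for path, ifaces in objects.items()
        if ENCRYPTED in ifaces
    }
    # dm-N devices appear as dm_2dN in UDisks2 object paths. One without a
    # CryptoBackingDevice is only a candidate: LVM volumes look the same.
    unlinked = sorted(
        path
        for path, ifaces in objects.items()
        if path.startswith(PREFIX + "dm_2d")
        and ifaces.get(BLOCK, {}).get("CryptoBackingDevice", "/") == "/"
    )
    return status, unlinked


if __name__ == "__main__":
    status, unlinked = audit(SAMPLE)
    for enc, clear in status.items():
        print(enc, "->", clear or "no cleartext object (treated as locked)")
    print("device-mapper blocks without a backing link:", unlinked)
```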


Related issues

Related to Tails - Bug #15733: Unlocking TCRYPT volume sometimes shows a confusing error message Resolved 2018-07-16

History

#1 Updated by segfault 2018-09-23 22:49:38

  • Description updated
  • % Done changed from 0 to 50
  • Deliverable for set to 299

Took me quite some time, but I managed to create a patch which fixes this.

#2 Updated by segfault 2018-09-26 11:24:24

  • Description updated
  • Assignee changed from segfault to intrigeri
  • QA Check set to Ready for QA

The patch has been merged in upstream. I backported it and built a new udisks package (2.1.8-1.0tails4) which is ready for review on https://gitlab.com/segfault3/tails-tcrypt-packages.git.

#3 Updated by intrigeri 2018-09-28 09:34:17

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Ready for QA to Info Needed

How about you prepare a branch yourself, now that you have the credentials needed to do so? Steps would be:

  1. fork a branch off stable, check it out and push it to the official repo (needed so that its APT overlay suite is created on our custom APT repo)
  2. run ./bin/add-APT-overlay
  3. take note of the name of the added APT overlay, that’ll be the target distribution you need to set in debian/changelog (which will then make its way to *.changes, which will eventually tell reprepro to which APT suite the package must be added)
  4. update packaging if needed, build, and upload to that new APT suite
  5. push your updated topic branch (with the new APT overlay enabled) which should trigger builds & tests on Jenkins
  6. send back to me for QA

This is only a rough sketch of the involved steps. For some of them you’ll find more detailed doc at the URLs I’ve sent you a few days ago.

#4 Updated by segfault 2018-10-13 13:22:06

  • Feature Branch set to bugfix/15967-veracrypt-multiple-encryption

#5 Updated by segfault 2018-10-14 10:13:50

  • Assignee changed from segfault to intrigeri

I don’t seem to have access to incoming.deb.tails.boum.org:

Uploading to tails (via scp to incoming.deb.tails.boum.org):
Received disconnect from 198.252.153.59 port 3003:2: Too many authentication failures

#6 Updated by segfault 2018-10-14 16:50:50

If I set the IdentitiesOnly ssh option I get this error instead:

reprepro@incoming.deb.tails.boum.org: Permission denied (publickey).

#7 Updated by intrigeri 2018-10-15 09:06:10

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Info Needed to Dev Needed

segfault wrote:
> If I set the IdentitiesOnly ssh option I get this error instead:
>
> […]

Should now be fixed (+ updated our internal checklist about giving commit access to include this step and the 2 SSH host key fingerprints you’ve been missing).

#8 Updated by segfault 2018-10-15 17:52:38

intrigeri wrote:
> Should now be fixed (+ updated our internal checklist about giving commit access to include this step and the 2 SSH host key fingerprints you’ve been missing).

It works, thanks

#9 Updated by segfault 2018-10-16 12:35:20

  • % Done changed from 50 to 60
  • QA Check deleted (Dev Needed)
  • Feature Branch changed from bugfix/15967-veracrypt-multiple-encryption to feature/14481-TCRYPT-support-beta

When I built the packages, I used the old distribution, so I changed the feature branch to feature/14481-TCRYPT-support-beta to avoid rebuilding the packages.

I tested it and it works, I can now successfully unlock VeraCrypt volumes with multiple encryption.

I just pushed the branch with the APT overlay enabled, now waiting for Jenkins tests.

#10 Updated by segfault 2018-10-17 11:34:00

The Jenkins test job failed, but the failure seems to be unrelated to this branch:

18:59:33 Looks like the node went offline during the build. Check the slave log for the details.
18:59:33 FATAL: channel is already closed

I restarted the job, let’s see if it works this time

#11 Updated by segfault 2018-10-17 15:34:14

  • Assignee changed from segfault to intrigeri
  • QA Check set to Ready for QA

The test passed

#12 Updated by intrigeri 2018-10-18 07:11:30

  • Status changed from Confirmed to In Progress

Code review passes.

#13 Updated by intrigeri 2018-10-19 06:52:49

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 60 to 100
  • QA Check changed from Ready for QA to Pass

Test suite passes, merged!

#14 Updated by CyrilBrulebois 2018-10-24 11:19:15

  • Status changed from Fix committed to Resolved

#15 Updated by segfault 2018-11-06 14:47:33

  • Description updated

#16 Updated by segfault 2018-11-06 14:47:45

  • related to Bug #15733: Unlocking TCRYPT volume sometimes shows a confusing error message added