diff -Nru ecryptfs-utils-107/debian/changelog ecryptfs-utils-107/debian/changelog
--- ecryptfs-utils-107/debian/changelog 2015-03-26 23:02:30.000000000 +0000
+++ ecryptfs-utils-107/debian/changelog 2015-04-24 12:32:43.000000000 +0000
@@ -1,3 +1,14 @@
+ecryptfs-utils (107-0ubuntu1.1) vivid; urgency=medium
+
+ * Add setup-swap-mark-gpt-noauto.patch: In ecryptfs-setup-swap, mark the
+ "fake" underlying unencrypted swap partition as no-auto Without that, the
+ swap partition gets auto-activated under systemd as it cannot be told
+ apart from a real unencrypted swap partition.
+ * debian/ecryptfs-utils.postinst: Fix existing GPT installations with
+ cryptswap1 and an offset= for the above issue. (LP: #1447282)
+
+ -- Martin Pitt Fri, 24 Apr 2015 12:15:12 +0100
+
 ecryptfs-utils (107-0ubuntu1) vivid; urgency=medium
 
 [ Dustin Kirkland ]
diff -Nru ecryptfs-utils-107/debian/ecryptfs-utils.postinst ecryptfs-utils-107/debian/ecryptfs-utils.postinst
--- ecryptfs-utils-107/debian/ecryptfs-utils.postinst 2015-03-11 23:03:30.000000000 +0000
+++ ecryptfs-utils-107/debian/ecryptfs-utils.postinst 2015-04-24 12:48:49.000000000 +0000
@@ -45,6 +45,36 @@
 fi
 fi
 fi
+
+ # disable auto-activation of inert underlying swap partitions for LP #1447282
+ if [ -e /etc/crypttab ] && [ -e /etc/fstab ] && \
+ dpkg --compare-versions "$2" lt-nl "107-0ubuntu1.1"; then
+ while read mapper_dev phys_dev keyfile options; do
+ # ignore comments
+ [ "$mapper_dev" = "${mapper_dev#\#}" ] || continue
+ # ignore devices without offset=
+ [ "${options%offset=*}" != "$options" ] || continue
+ # resolve UUID
+ uuid_dev="/dev/disk/by-uuid/${phys_dev#UUID=}"
+ if [ -e $uuid_dev ]; then
+ phys_dev=$(readlink -f "$uuid_dev")
+ fi
+ # ignore non-GPT partitions
+ [ "$(sudo blkid -p -s PART_ENTRY_SCHEME -o value "$phys_dev")" = "gpt" ] || continue
+ drive="${phys_dev%[0-9]*}"
+ partno="${phys_dev#$drive}"
+ [ -b "$drive" ] || continue
+ # check if we already have the flag set
+ if /bin/echo -e "x\np\n" | fdisk "$drive" | grep -q "^$phys_dev .* GUID:.*\b63\b"; then
+ echo "$phys_dev is already marked as no-auto"
+ else
+ # toggle flag 63 ("no auto")
+ echo "marking GPT swap partition $phys_dev as no-auto, so that the encrypted swap partition $mapper_dev will be used..."
+ # unfortunately fdisk fails on "cannot re-read part table" and is very verbose
+ /bin/echo -e "x\nS\n$partno\n63\nr\nw\n" | fdisk "$drive" >/dev/null 2>&1 || true
+ fi
+ done < /etc/crypttab
+ fi
 
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff -Nru ecryptfs-utils-107/debian/patches/series ecryptfs-utils-107/debian/patches/series
--- ecryptfs-utils-107/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ ecryptfs-utils-107/debian/patches/series 2015-04-24 12:24:19.000000000 +0000
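Review bot: `drive="${phys_dev%[0-9]*}"` removes only the shortest digit suffix, so a partition numbered 10 or higher (e.g. `/dev/sda12`) gives `drive=/dev/sda1` and `partno=2`, and because `/dev/sda1` passes `[ -b "$drive" ]` the fdisk write on the last `/bin/echo -e` line is sent to the wrong device, while names of the form `nvme0n1p2` or `mmcblk0p1` are mis-split and only happen to be skipped by the `-b` test. Taking the numbers from sysfs avoids the guesswork: `partno=$(cat "/sys/class/block/${phys_dev##*/}/partition")` and `drive=/dev/$(basename "$(readlink -f "/sys/class/block/${phys_dev##*/}/..")")`, each guarded by a readability test before use; the same two-line derivation is repeated in the setup-swap-mark-gpt-noauto.patch hunk in the next file and needs the same fix. In both places `| fdisk "$drive" >/dev/null 2>&1 || true` discards status and output, so a partition that is still auto-activatable after the upgrade is reported exactly like a success; re-run the `x`/`p` grep after the write and print a warning to stderr when bit 63 is still clear. In a maintainer script running as root the `sudo` in front of `blkid` is unnecessary, and if sudo is not installed the empty command substitution makes every crypttab entry fall into `|| continue` silently. `[ -e $uuid_dev ]` should quote the expansion.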
@@ -0,0 +1 @@
+setup-swap-mark-gpt-noauto.patch
diff -Nru ecryptfs-utils-107/debian/patches/setup-swap-mark-gpt-noauto.patch ecryptfs-utils-107/debian/patches/setup-swap-mark-gpt-noauto.patch
--- ecryptfs-utils-107/debian/patches/setup-swap-mark-gpt-noauto.patch 1970-01-01 00:00:00.000000000 +0000
+++ ecryptfs-utils-107/debian/patches/setup-swap-mark-gpt-noauto.patch 2015-04-24 12:30:06.000000000 +0000
@@ -0,0 +1,35 @@
+Author: Martin Pitt
+Description: In ecryptfs-setup-swap, mark the "fake" underlying unencrypted swap partition as no-auto
+ Without that, the swap partition gets auto-activated under systemd as it
+ cannot be told apart from a real unencrypted swap partition.
+Bug-Ubuntu: https://launchpad.net/bugs/1447282
+
+Index: ecryptfs-utils-107/src/utils/ecryptfs-setup-swap
+===================================================================
+--- ecryptfs-utils-107.orig/src/utils/ecryptfs-setup-swap
++++ ecryptfs-utils-107/src/utils/ecryptfs-setup-swap
+@@ -160,6 +160,24 @@ for swap in $swaps; do
+ i=$((i+1))
+ [ -e "/dev/mapper/cryptswap$i" ] || break
+ done
++
++ # If this is a GPT partition, mark it as no-auto mounting, to avoid
++ # auto-activating it on boot
++ if [ "$(sudo blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
++ drive="${swap%[0-9]*}"
++ partno="${swap#$drive}"
++ if [ -b "$drive" ]; then
++ if /bin/echo -e "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then
++ echo "$swap is already marked as no-auto"
++ else
++ # toggle flag 63 ("no auto")
++ echo "marking GPT swap partition $swap as no-auto..."
++ # unfortunately fdisk fails on "cannot re-read part table" and is very verbose
++ /bin/echo -e "x\nS\n$partno\n63\nr\nw\n" | fdisk "$drive" >/dev/null 2>&1 || true
++ fi
++ fi
++ fi
++
+ # Add crypttab entry
+ # Use /dev/urandom, since this is not a long lived key (generated each boot),
+ # and so that we don't block booting while waiting for entropy
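Review bot: `blkid` is run through `sudo` but neither `fdisk "$drive"` invocation in the added block is, so if ecryptfs-setup-swap is run by an unprivileged user — which the `sudo` on the blkid line suggests it can be — the read check on the `x`/`p` line presumably produces no table, the `if` falls into the `else` branch, the script prints "marking GPT swap partition ... as no-auto..." and the write is then refused by fdisk with its output and status hidden by `>/dev/null 2>&1 || true`. Run both invocations with the same privilege as blkid, e.g. `sudo fdisk "$drive"`, and re-run the read check after the write so a partition that is still auto-activatable is reported on stderr instead of as a success. When `[ -b "$drive" ]` is false the block also exits without any message, leaving the user unaware that the partition was not marked; a one-line `echo "... not marked as no-auto" >&2` in an `else` arm would make that visible. The enclosing `for swap in $swaps; do` loop starts outside the hunk, so whether `$swap` is always a `/dev/...` path cannot be confirmed here.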