After upgrading to Fedora 36, the kernel can't decrypt my system at boot

Ask Fedora
, , , , ,
1

Yesterday I have upgraded and it seems everything went fine. But after entering my decryption password the boot stucks at the following:

4000Ă—3000 1.28 MB

Switching to the latest F35 kernel instead fixes the problem:

238aefef44e4d0baf2a645935e6c36e643057fc5.jpeg
238aefef44e4d0baf2a645935e6c36e643057fc5.jpeg4000Ă—3000 883 KB

PS: It is the KDE spin.

2

The problem still persist with the latest kernel. This time I also tried the latest F35 kernel with this command:

sudo dnf install kernel-5.18.5-100.fc35.x86_64 --releasever=35

But that does still the same. Only the kernel 5.17.11-200.fc35.x86_64 from before the upgrade is working. Something weird is going on. Is there no solution? I already considering a reinstall…

3

Hmm, this is rather weird. If the password was incorrect, it would have asked you to re-enter it up to 3 times, so if it continues with the boot process immediately after you enter the password for the first time, it is likely correct.

Unfortunately, error itself doesn’t give enough information to guess what’s wrong. You could boot from USB into a live session and play a bit from there. So basically try to decrypt and mount drive there and see if it works. If it doesn’t work, then you can search for specific error messages (you’ll be able to look at logs or errors that occur while decrypting/mounting a drive interactively).

If it does work, you can look at the journal messages and inspect the error that happens while trying to decrypt the device during normal boot process.

4

I have found the main cause to the problem and the solution. It is related to OpenSSL v3. OSSL has deprecated many hashing methods including ripemd160 and whirlpool. Fedora 35 was still using OpenSSL v1.1.1. whirlpool is what I use. Here are reports related to the problem:

The solution is to hook legacy libraries to the initramfs. In Fedora the solution is as following:

To hook the legacy library to dracut we need to edit the following file:
/usr/lib/dracut/modules.d/90crypt/module-setup.sh

And add the following below install() {

# Install required legacy libraries.
_arch=${DRACUT_ARCH:-$(uname -m)}
inst_libdir_file \
      {"tls/$_arch/",tls/,"$_arch/",}"/ossl-modules/fips.so" \
      {"tls/$_arch/",tls/,"$_arch/",}"/ossl-modules/legacy.so"

After that just upgrade to the latest kernel or reinstall your latest kernel but avoid dracut --regenerate-all since it can maybe still brake your only entry point, just to be sure.

Source: Unable to enter passphrase · Issue #2137 · dracutdevs/dracut · GitHub

1 Like