the PROXY_SELECTOR environment variable proposal

Instead of set an proxy server unconditionally via *_PROXY environment variables and exclude certain host names via NO_PROXY environment variable, let's reverse the semantic by defining a new environment variable PROXY_SELECTOR which points to an executable that is passed a URI as first argument and will return on stdout:

  • "NO_PROXY" -> if no proxy should get used for the input URI
  • a comma separated list of URLs in the *_PROXY environment variable format, e.g.: "http://proxy.example.com:8080" or if multiple proxies are eligible for the given input URI: "http://proxy.example.com:8080,http://proxy2.example.com:8080"

Above proposal will enable a more flexible proxy configuration in complex setups and by reversing the semantic, allow explicit proxy configuration of only know URIs.

the case of the failing boot after upgrade fedora 32

After upgrading one of my machines to Fedora 32 the initramfs image did fail with:

device-mapper: table: 253:0: crypt: Error allocating crypto tfm

Searching for the string "Error allocating crypto tfm" in the linux kernel source code reveals that the message is created at those places:

(using cscope):

Text string: Error allocating crypto tfm

  File       Line
0 dm-crypt.c 2747 ti->error = "Error allocating crypto tfm";
1 dm-crypt.c 2832 ti->error = "Error allocating crypto tfm";

both errors occurs after calling "crypt_alloc_tfms" which calls either "crypt_alloc_tfms_aead" or "crypt_alloc_tfms_skcipher".

Let's follow skcipher as this handles the block chiphers: This function calls "crypto_alloc_skcipher" which calls "crypto_alloc_tfm" which calls "crypto_alloc_tfm_node" which calls "crypto_find_alg" which calls "crypto_alg_mod_lookup" which calls "crypto_larval_lookup" which ends up calling "__request_module".

Here it's get interessting, because we have a trace point:

    trace_module_request(module_name, wait, _RET_IP_);

the trace point is available under debugfs:

$ cat /sys/kernel/debug/tracing/available_events | grep module_request
module:module_request

So all we need to do to find out what kernel module for crypto is missing in the initramfs is:

  • mount the debugs
  • enable the module_request trace point
  • retry to setup luks to trigger the error path
  • check which module was request and did fail in the trace log

here is how to do it:

  1. mount debugfs

    $ mount -t debugs none /sys/kernel/debug

  2. enable module_request trace point

    $ echo 1 > /sys/kernel/debug/tracing/events/module/module_request/enable

  3. retrigger error

    $ lukssetup ??

  4. check trace log

    $ cat /sys/kernel/debug/tracing/trace

now add the missing module to your initramfs!