FS#70257 - [systemd] mkinitcpio/dracut: Add 60-fido-id.rules to initramfs hook

Attached to Project: Arch Linux
Opened by hexchain (hexchain) - Thursday, 01 April 2021, 17:36 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:24 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Christian Hesse (eworm)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Since v248 systemd has gained the ability to unlock a LUKS device via a FIDO2 key[1]. However, on Arch, a missing udev rule file causes systemd-cryptsetup to fail when looking for a security token. Please consider adding this file, 60-fido-id.rules, when generating the initramfs.

Details:

When systemd-cryptsetup tries to unlock LUKS with a FIDO key, it registers a udev monitor[3] looking for devices with a "security-token" tag[2], which is assigned in 60-fido-id.rules. Without this rule, systemd cannot find the token even if it is plugged in, resulting in a failure to unlock LUKS.

[1] http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
[2] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L692
[3] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L794


Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any

systemd 248-1
libfido2 1.6.0-1
cryptsetup 2.3.5-1

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:24 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/issues/16
Comment by Christian Hesse (eworm) - Thursday, 01 April 2021, 19:23 GMT
Fixed for systemd 248-2.

Grazzolini, the library libfido2.so.1 is dlopen()ed, so possibly you need to add that manually... Not sure how dracut handles these things.
Comment by Giancarlo Razzolini (grazzolini) - Friday, 02 April 2021, 02:13 GMT
I'm thinking here if this should be a hook or part of core mkinitcpio. But, it seems only that lib is needed, right?
Comment by Giancarlo Razzolini (grazzolini) - Friday, 02 April 2021, 02:13 GMT
Also, for dracut, I think we'll have to add a bug report upstream.
Comment by hexchain (hexchain) - Friday, 02 April 2021, 04:54 GMT
Should "installing libfido2.so and this" belong in the "sd-encrypt" hook? That hook is currently a part of cryptsetup, but is it better to distribute with systemd instead?
Comment by Christian Hesse (eworm) - Saturday, 03 April 2021, 19:54 GMT
Yes, probably this should move to the sd-encrypt hook as that brings systemd-cryptsetup into the initramfs...
Will figure the details as is and move if everything works.
Comment by Giancarlo Razzolini (grazzolini) - Monday, 05 April 2021, 03:43 GMT
Yes, this probably belongs on sd-encrypt.
Comment by Gibeom Gwon (gb.gwon) - Monday, 05 April 2021, 17:21 GMT
/usr/lib/udev/fido_id also needs to be added.
In systemd hook, add_udev_rule() automatically adds it. But in sd-encrypt, it doesn't.
Comment by Christian Hesse (eworm) - Monday, 05 April 2021, 22:43 GMT
Ah, right... Fixed in cryptsetup 2.3.5-3.
Comment by Giancarlo Razzolini (grazzolini) - Monday, 29 November 2021, 12:24 GMT
Can you please test this with mkinitcpio 31? add_udev_rule was moved to mkinitcpio.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
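The thread converges on three things the initramfs must carry for systemd-cryptsetup to find a FIDO2 token: the udev rule that assigns the "security-token" tag (60-fido-id.rules), the /usr/lib/udev/fido_id helper that rule runs, and libfido2.so.1, which systemd-cryptsetup dlopen()s. The script below is an added example, not code from the bug report, mkinitcpio, dracut or systemd: a POSIX shell check that a file listing of an initramfs (as printed by `lsinitcpio IMAGE` on an Arch system) contains all three. The rule and helper paths are the ones named in the thread; the location of libfido2.so.1 under /usr/lib is an assumption based on Arch's merged /usr layout, and the `lsinitcpio` output format (one path per line, with or without a leading `./`) is likewise assumed.

```shell
#!/bin/sh
# Added example (not from the bug report, mkinitcpio, dracut or systemd):
# check that an initramfs contains everything systemd-cryptsetup needs to
# see a FIDO2 token at boot. The thread identifies three pieces: the udev
# rule that assigns TAG+="security-token", the /usr/lib/udev/fido_id helper
# that rule runs, and libfido2.so.1, which systemd-cryptsetup dlopen()s.
# Paths assume the Arch layout (everything under /usr/lib, no split /lib).

REQUIRED_FIDO2_PATHS='
usr/lib/udev/rules.d/60-fido-id.rules
usr/lib/udev/fido_id
usr/lib/libfido2.so.1
'

# check_fido2_listing LISTING
#   LISTING is a file listing with one path per line, as printed by
#   `lsinitcpio IMAGE`. A leading "./" or "/" on entries is tolerated.
#   Prints "missing: PATH" for each absent component; returns 0 only when
#   all three are present.
check_fido2_listing() {
    listing=$1
    missing=0
    for p in $REQUIRED_FIDO2_PATHS; do
        # normalise entries so both "./usr/..." and "usr/..." forms match,
        # then look for an exact (fixed-string, whole-line) hit
        if ! printf '%s\n' "$listing" \
            | sed -e 's#^\./##' -e 's#^/##' \
            | grep -qxF -- "$p"; then
            printf 'missing: %s\n' "$p"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_fido2_initramfs IMAGE
#   Runs the same check against a real image via lsinitcpio, e.g.
#   check_fido2_initramfs /boot/initramfs-linux.img
check_fido2_initramfs() {
    if ! command -v lsinitcpio >/dev/null 2>&1; then
        echo 'lsinitcpio not found (is mkinitcpio installed?)' >&2
        return 2
    fi
    check_fido2_listing "$(lsinitcpio "$1")"
}
```

After upgrading to the fixed systemd/cryptsetup packages, regenerate the images (`mkinitcpio -P`) and run `check_fido2_initramfs` against each one; a non-zero exit with a "missing:" line tells you which of the three pieces the hook did not pull in. On the booted system, `udevadm info /dev/hidrawN` for the token should list the tag from the thread (`security-token`) in its TAGS line, which confirms the rule actually fires rather than merely being present.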
