FS#70257 - [systemd/mkinitcpio/dracut] Add 60-fido-id.rules to initramfs hook

Attached to Project: Arch Linux
Opened by hexchain (hexchain) - Thursday, 01 April 2021, 17:36 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 21 April 2021, 06:23 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Assigned
Assigned To: Christian Hesse (eworm), Giancarlo Razzolini (grazzolini)
Architecture: All
Severity: Low
Priority: Normal
Reported Version: (none)
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
Since v248, systemd has gained the ability to unlock a LUKS device via a FIDO2 key [1]. However, on Arch, a missing udev rule file causes systemd-cryptsetup to fail when looking for a security token. Please consider adding this file, 60-fido-id.rules, when generating the initramfs.

Details:

When systemd-cryptsetup tries to unlock LUKS with a FIDO key, it registers a udev monitor [3] looking for devices with a "security-token" tag [2], which is assigned in 60-fido-id.rules. Without this rule, systemd cannot find the token even if it is plugged in, resulting in a failure to unlock LUKS.

[1] http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
[2] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L692
[3] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L794
Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any

systemd 248-1
libfido2 1.6.0-1
cryptsetup 2.3.5-1

Comment by Christian Hesse (eworm) - Thursday, 01 April 2021, 19:23 GMT
Fixed for systemd 248-2.

Grazzolini, the library libfido2.so.1 is dlopen()ed, so possibly you need to add that manually... Not sure how dracut handles these things.
Comment by Giancarlo Razzolini (grazzolini) - Friday, 02 April 2021, 02:13 GMT
I'm thinking here if this should be a hook or part of core mkinitcpio. But, it seems only that lib is needed, right?
Comment by Giancarlo Razzolini (grazzolini) - Friday, 02 April 2021, 02:13 GMT
Also, for dracut, I think we'll have to add a bug report upstream.
Comment by hexchain (hexchain) - Friday, 02 April 2021, 04:54 GMT
Should "installing libfido2.so and this" belong in the "sd-encrypt" hook? That hook is currently a part of cryptsetup, but is it better to distribute with systemd instead?
Comment by Christian Hesse (eworm) - Saturday, 03 April 2021, 19:54 GMT
Yes, probably this should move to the sd-encrypt hook as that brings systemd-cryptsetup into the initramfs...
Will figure out the details as is and move it if everything works.
Comment by Giancarlo Razzolini (grazzolini) - Monday, 05 April 2021, 03:43 GMT
Yes, this probably belongs in sd-encrypt.
Comment by Gibeom Gwon (gb.gwon) - Monday, 05 April 2021, 17:21 GMT
/usr/lib/udev/fido_id also needs to be added.
In the systemd hook, add_udev_rule() adds it automatically. But in sd-encrypt, it doesn't.
Comment by Christian Hesse (eworm) - Monday, 05 April 2021, 22:43 GMT
Ah, right... Fixed in cryptsetup 2.3.5-3.
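The thread turns on a detail that is easy to miss when writing an initramfs hook: a udev rules file can reference helper programs (60-fido-id.rules runs fido_id via IMPORT{program}), and copying the rules file alone leaves those helpers out of the image, while a dlopen()ed library such as libfido2.so.1 is not visible from the rules at all. The POSIX shell script below is an added example, not code from the bug tracker, from mkinitcpio or from systemd: it extracts the programs a rules text references and reports which of them, plus any explicitly listed dlopen()ed libraries, are missing from a file manifest of the image. The rules text and the manifests are constructed stand-ins (the sample is a simplified imitation of 60-fido-id.rules, not the real file); on a real system you would feed it the installed rules file and the output of `lsinitcpio <image>`.

```shell
#!/bin/sh
# Added example (not from the Arch bug tracker, mkinitcpio or systemd).
# Assumption: rules use udev's key=value syntax, e.g.
#   IMPORT{program}="fido_id"   or   RUN+="/usr/bin/helper --arg"

# Constructed, simplified stand-in for 60-fido-id.rules (NOT the real file).
SAMPLE_RULES='ACTION=="remove", GOTO="fido_id_end"
SUBSYSTEM!="hidraw", GOTO="fido_id_end"
IMPORT{program}="fido_id"
ENV{ID_FIDO_TOKEN}=="1", TAG+="security-token"
LABEL="fido_id_end"'

# Libraries that the programs in the image load with dlopen(), which no
# rules file or ELF dependency scan will reveal; listed by hand.
DLOPENED_LIBS='libfido2.so.1'

# Print the helper programs a rules text references, one basename per line.
# This is the information a hook needs before calling add_binary for each
# helper; the thread notes that copying only the rules file misses fido_id.
udev_rule_programs() {
    printf '%s\n' "$1" \
      | sed -n -e 's/.*IMPORT{program}="\([^"]*\)".*/\1/p' \
               -e 's/.*RUN[^=]*="\([^"]*\)".*/\1/p' \
      | awk '{ n = split($1, p, "/"); print p[n] }' \
      | sort -u
}

# $1: rules text, $2: newline-separated manifest of paths in the image.
# Prints every referenced helper and every dlopen()ed library whose basename
# does not appear in the manifest, one per line; prints nothing when complete.
missing_from_image() {
    rules="$1"
    manifest="$2"
    {
        udev_rule_programs "$rules"
        printf '%s\n' "$DLOPENED_LIBS"
    } | while read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$manifest" | grep -q "/$name\$" || printf '%s\n' "$name"
    done
}

# Stand-alone usage: a constructed manifest that has the rules file and
# systemd-cryptsetup but neither the helper nor the library.
if [ "${1:-}" = "--demo" ]; then
    MANIFEST='usr/lib/udev/rules.d/60-fido-id.rules
usr/lib/systemd/systemd-cryptsetup'
    echo "missing from constructed image:"
    missing_from_image "$SAMPLE_RULES" "$MANIFEST"
fi
```

Run it with `--demo` to see the two items the constructed image lacks. The point of the two separate sources in missing_from_image is the one the thread makes: the helper program can be derived mechanically from the rules (which is what add_udev_rule() does), but the dlopen()ed library has to be listed by whoever maintains the hook.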