FS#70257 - [systemd] mkinitcpio/dracut: Add 60-fido-id.rules to initramfs hook
Attached to Project:
Arch Linux
Opened by hexchain (hexchain) - Thursday, 01 April 2021, 17:36 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:24 GMT
Details
Description:
Since v248 systemd has gained the ability to unlock LUKS devices via a FIDO2 key [1]. However, on Arch, a missing udev rule file causes systemd-cryptsetup to fail when looking for a security token. Please consider adding this file, 60-fido-id.rules, when generating the initramfs.

Details: When systemd-cryptsetup tries to unlock LUKS with a FIDO key, it registers a udev monitor [3] looking for devices with a "security-token" tag [2], which is assigned in 60-fido-id.rules. Without this rule, systemd cannot find the token even if it is plugged in, resulting in a failure to unlock LUKS.

[1] http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
[2] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L692
[3] https://github.com/systemd/systemd/blob/v248/src/cryptsetup/cryptsetup.c#L794

Additional info:
systemd 248-1
libfido2 1.6.0-1
cryptsetup 2.3.5-1
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:24 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/issues/16
Grazzolini, the library libfido2.so.1 is dlopen()ed, so possibly you need to add that manually... Not sure how dracut handles these things.
Will figure the details as is and move if everything works.
In the systemd hook, add_udev_rule() automatically adds it, but the sd-encrypt hook doesn't.
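A quick way to verify the situation described in the report and in the comments above (the "security-token" tag comes from 60-fido-id.rules, and libfido2.so.1 is dlopen()ed, so neither is pulled in automatically) is to inspect the generated image rather than reboot and hope. The script below is an added example, not part of the bug report or of the Arch mkinitcpio/systemd packages. It assumes Arch's install paths (usr/lib/udev/rules.d/60-fido-id.rules, usr/lib/udev/fido_id, the helper the rule runs via IMPORT{program}, and usr/lib/libfido2.so.1) and assumes the listing comes from lsinitcpio (mkinitcpio) or lsinitrd (dracut); the embedded sample listing is constructed for illustration.

```shell
#!/bin/sh
# check-fido2-initramfs.sh (added example; not from the report or the Arch packages)
#
# systemd-cryptsetup waits for a udev device carrying the "security-token" tag.
# That tag is assigned by 60-fido-id.rules, which runs the fido_id helper, and
# the FIDO2 code path dlopen()s libfido2.so.1. If any of these is missing from
# the initramfs, the token is never found and the LUKS unlock fails.
#
# Assumed Arch install paths (not stated on the page); adjust for other distros.
REQUIRED_ENTRIES="usr/lib/udev/rules.d/60-fido-id.rules
usr/lib/udev/fido_id
usr/lib/libfido2.so.1"

# Constructed sample listing of an initramfs built with the sd-encrypt hook
# but without the FIDO2 pieces; used for the demo below, not captured from a real image.
SAMPLE_LISTING_BROKEN="./usr/lib/systemd/systemd-cryptsetup
./usr/lib/systemd/systemd-udevd
./usr/lib/udev/rules.d/99-systemd.rules
./usr/lib/libcryptsetup.so.12"

# check_listing: read an initramfs file listing on stdin (one path per line,
# as printed by lsinitcpio or lsinitrd), print each required entry that is
# absent, and return 1 if anything is missing, 0 if the image is complete.
check_listing() {
    # Normalise leading "./" or "/" so both tools' output formats match.
    listing=$(sed -e 's#^\./##' -e 's#^/##')
    missing=0
    for entry in $REQUIRED_ENTRIES; do
        if ! printf '%s\n' "$listing" | grep -qFx "$entry"; then
            echo "missing: $entry"
            missing=1
        fi
    done
    return $missing
}

# check_image: list a real image with whichever tool is installed and check it.
# Usage: check_image /boot/initramfs-linux.img
check_image() {
    image=$1
    if command -v lsinitcpio >/dev/null 2>&1; then
        lsinitcpio "$image" | check_listing
    elif command -v lsinitrd >/dev/null 2>&1; then
        # lsinitrd prints an ls-style table; keep only the path column.
        lsinitrd "$image" | awk 'NF >= 9 { print $NF }' | check_listing
    else
        echo "neither lsinitcpio nor lsinitrd found" >&2
        return 2
    fi
}

# demo_broken: run the check over the constructed sample; returns 1 (incomplete).
demo_broken() {
    printf '%s\n' "$SAMPLE_LISTING_BROKEN" | check_listing
}

# Only act as a CLI when run directly under the script's own name.
if [ "${0##*/}" = "check-fido2-initramfs.sh" ]; then
    if [ "$#" -eq 1 ]; then
        check_image "$1"
    else
        demo_broken
    fi
fi
```

Run it against the image that the sd-encrypt or dracut configuration actually produces (for example `sh check-fido2-initramfs.sh /boot/initramfs-linux.img`); each "missing:" line is something the hook has to add. In mkinitcpio terms the rule and its helper are what `add_udev_rule 60-fido-id.rules` pulls in, and the library needs its own `add_binary`, because nothing links against it at build time.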