Found the solution.

`/etc/crypttab` had to be removed as it caused a startup crash.
The `libfido2.so.1` library was missing, so I installed the appropriate package (in this case libfido2).
The kernel option `tpm2-device=auto` had to be removed, as it forces an override and ends up forcing a password prompt.

And this is independent of the order the options come in.
I would assume that `fido2-device=auto` would force it to try accessing FIDO2 devices first, and then fall back to tpm2-device, but that does not appear to be the case.

Apologies for the lengthy email.

Best regards,
//Anton

On Tue, May 17, 2022 at 11:03 PM Anton Hvornum <anton@xxxxxxxxxx> wrote:
>
> Hi.
>
> I've been asking around everywhere for some assistance.
> The full issue can be found here:
> https://www.reddit.com/r/archlinux/comments/urnj8x/help_getting_fido2_and_systemdcryptenroll_working/
>
> The short version is, I got `systemd-cryptenroll --fido2-device=auto /dev/sda2` to work.
> Unlocking it works with a password, but it's not trying to use the
> fido2-device as expected.
>
> Whenever I add `/etc/crypttab` to the initramfs,
> `systemd-cryptsetup@luksdev.service` crashes.
> Not sure how to debug it since it's the root partition. But I
> increased the loglevel on the kernel to 7 and found that the Yubikey
> comes up after the service crashes.
>
> And I'm wondering, is it required for the USB device to come alive
> before this service tries to execute?
>
> As far as I can tell, it executed:
> /lib/systemd/systemd-cryptsetup attach 'luksdev' '/dev/sda2' 'none' 'luks,fido2-device=auto'
>
> And by default if executed on a live medium that will hang waiting for
> the HSM to be inserted and will work. But I can't figure out why the
> service would break if that is all it does.
>
> As soon as I create a /etc/crypttab or omit tpm2-device=auto from the
> kernel command-line, the boot process breaks. But if I don't use
> /etc/crypttab or I have tpm2-device=auto the service succeeds - but
> won't use the fido device. And that's probably obvious for everyone
> here but I'm stumped.
>
> Any help would be appreciated but is in no way expected.
>
> //Anton