v251 cryptsetup & FIDO2

Hi,
I just switched from using a custom glue script to systemd for FIDO2
local drive unlocking. From my own experimenting in v251, it seems to me
that the following usability issues are present in my setup (Arch Linux,
no PIN, user presence required):

- When the key is not inserted at boot time, there's no prompt asking for
  the key. I can see it in the journal, but it is not shown in the
  console for some reason. Just the usual systemd-cryptsetup@[volume]
  "job is running" line.
- Ditto for when the key is inserted and systemd is supposed to ask for
  user presence verification
- There is no way to fall back to a passphrase. If I realize I don't
  have my FIDO2 key with me, I have to reboot using a different kernel
  command line to enter my passphrase
- For some reason, the systemd-cryptsetup@[volume] unit for the volume
  containing my root partition is deactivated right before partitions
  are remounted during boot

Seems to me that the first two might be caused by something being
misconfigured. Can anyone help me figure out where to look?

About the passphrase fallback, I know there's Issue #19872 on GitHub for
a similar setup (PIN required), which offers a workaround. With some
guidance (mostly, I have little idea how user interaction works in
systemd units), I would be happy to work on a patch myself.

As for the unit getting deactivated, I'm honestly not sure whether it
has been happening for some time or it's new for v251. Is it how it
should work? I'm under the impression that as long as the LUKS volume is
opened that unit is supposed to stay activated.

Riccardo P. Bestetti
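The passphrase-fallback point above depends on what is actually left in the LUKS2 header: systemd-cryptenroll adds a new keyslot bound to a "systemd-fido2" token and leaves the original passphrase keyslot in place, but if that slot was later killed there is nothing to fall back to, whatever the unit does. The script below is an added example, not code from the original post or from systemd or cryptsetup. It parses the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints with cryptsetup 2.x and reports which keyslots a systemd-fido2 token binds (and whether it was enrolled with PIN, user presence or user verification) and which keyslots remain passphrase-only. The two sample headers are constructed for illustration and trimmed to the fields the script reads; the token field names are the ones systemd-cryptenroll writes. Whether systemd-cryptsetup prompts for that passphrase when the token is absent is the separate question the post raises; a surviving passphrase keyslot at least means the volume can still be opened by hand from an emergency shell or with a different kernel command line, as described above.

```python
"""Report what a LUKS2 header's systemd-fido2 enrolment binds.

Added example (not code from the original post or from systemd/cryptsetup).
It reads the JSON that `cryptsetup luksDump --dump-json-metadata <device>`
prints with cryptsetup 2.x and lists which keyslots are bound to a
systemd-fido2 token and which are still plain passphrase slots.
The SAMPLE_* headers are constructed for illustration, trimmed to the
fields this script reads; the token field names ("fido2-up-required",
"fido2-clientPin-required", ...) are those systemd-cryptenroll writes.
"""
import json
import subprocess
import sys

# Constructed header: keyslot 0 is the original passphrase, keyslot 1 is
# bound to a systemd-fido2 token enrolled with user presence but no PIN
# (the setup described in the post). Credential/salt values are dummies.
SAMPLE_HEADER = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64, "area": {"type": "raw"}},
        "1": {"type": "luks2", "key_size": 64, "area": {"type": "raw"}},
    },
    "tokens": {
        "0": {
            "type": "systemd-fido2",
            "keyslots": ["1"],
            "fido2-credential": "c2FtcGxlLWNyZWRlbnRpYWwtaWQ=",
            "fido2-salt": "c2FtcGxlLXNhbHQ=",
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": False,
            "fido2-up-required": True,
            "fido2-uv-required": False,
        }
    },
}

# Constructed: the same header after `cryptsetup luksKillSlot <dev> 0`,
# i.e. only the token-bound slot remains and no passphrase can open it.
SAMPLE_HEADER_TOKEN_ONLY = {
    "keyslots": {"1": SAMPLE_HEADER["keyslots"]["1"]},
    "tokens": SAMPLE_HEADER["tokens"],
}


def dump_header(device):
    """Return the parsed LUKS2 JSON metadata of `device` (needs root)."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def summarize(header):
    """Split keyslots into token-bound and passphrase-only sets."""
    keyslots = header.get("keyslots", {})
    tokens = header.get("tokens", {})
    bound = {}  # keyslot id -> token ids that reference it
    fido2_tokens = []
    for tid, tok in tokens.items():
        for ks in tok.get("keyslots", []):
            bound.setdefault(ks, []).append(tid)
        if tok.get("type") == "systemd-fido2":
            fido2_tokens.append({
                "token": tid,
                "keyslots": list(tok.get("keyslots", [])),
                "rp": tok.get("fido2-rp"),
                "pin_required": bool(tok.get("fido2-clientPin-required", False)),
                "up_required": bool(tok.get("fido2-up-required", False)),
                "uv_required": bool(tok.get("fido2-uv-required", False)),
            })
    # A "luks2" keyslot that no token references can only be opened with a
    # passphrase; "reencrypt" slots are bookkeeping, not unlock slots.
    passphrase = sorted(
        ks for ks, slot in keyslots.items()
        if slot.get("type") == "luks2" and ks not in bound
    )
    return {
        "fido2_tokens": fido2_tokens,
        "token_bound_keyslots": sorted(bound),
        "passphrase_keyslots": passphrase,
    }


def has_passphrase_fallback(header):
    """True if at least one keyslot can still be opened with a passphrase."""
    return bool(summarize(header)["passphrase_keyslots"])


def report(header):
    """Human-readable summary, with a warning when no passphrase slot is left."""
    s = summarize(header)
    lines = []
    for t in s["fido2_tokens"]:
        lines.append(
            f"token {t['token']}: systemd-fido2 rp={t['rp']} keyslots={t['keyslots']} "
            f"pin={t['pin_required']} up={t['up_required']} uv={t['uv_required']}"
        )
    lines.append(f"passphrase-only keyslots: {s['passphrase_keyslots'] or 'NONE'}")
    if not s["passphrase_keyslots"]:
        lines.append("WARNING: no passphrase keyslot left; losing the token means losing the volume")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a block device to inspect a real header; with no argument the
    # constructed sample is used so the script runs offline.
    hdr = dump_header(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADER
    print(report(hdr))
```

Run it as root against the LUKS device named in /etc/crypttab to see which keyslot the FIDO2 token binds and whether a passphrase slot survives; the `fido2-up-required`/`fido2-clientPin-required` flags it prints are also the first thing to compare against the crypttab options when the expected presence or PIN prompt never appears.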
