On 25/8/22 22:22, Lennart Poettering wrote:
> On Do, 25.08.22 10:50, Michael Cassaniti (michael@xxxxxxxxxxxxxxx) wrote:
>> It seems to be somewhat more complicated than that, and perhaps it has more to do with my setup. Here's my /etc/crypttab which just might explain a bit:
>>
>> # Mount root and swap
>> # These will initially have an empty password
>> root /dev/disk/by-partlabel/root - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>> swap /dev/disk/by-partlabel/swap - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>>
>> I think the fact that both of these get set up at boot and will concurrently try to access the FIDO2 token is causing issues. That crypttab is included in the initrd.
>
> There was an issue with concurrent access to FIDO2 devices conflicting with each other. This was addressed in libfido2 though, it will now take a BSD lock on the device while talking to it, thus synchronizing access properly. See this bug:
>
> https://github.com/systemd/systemd/issues/23889
>
> Maybe it's sufficient to update libfido2 on your system?
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Hi Lennart,

Thanks for the fast response. I've got version 1.11 of libfido2 and it seems I'd need 1.12 (to be released) to fix it [1]. It terrifies me to think what I might break on my system by upgrading libfido2. On Gentoo there is revdep-rebuild but Ubuntu doesn't have anything like that. I'm on Ubuntu 22.10 which is the latest development version so I can use some shiny new systemd features.
For now I've written a rather dodgy generator that will scan through the generated units for both cryptsetup and resume, then add in some ordering. Currently it will make the cryptsetup units run serially. I am yet to test it though.
[1]: https://github.com/Yubico/libfido2/pull/604#issuecomment-1178637796

Thanks,
Michael Cassaniti, Australia
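The ordering workaround the thread describes (making cryptsetup units that share one FIDO2 token run one after another instead of concurrently) can be expressed as a small systemd generator. The script below is an added illustration, not Michael's generator and not part of systemd; it reads crypttab directly rather than scanning another generator's output, since the relative run order of generators is not something to rely on. It assumes plain volume names that map to `systemd-cryptsetup@<name>.service` without systemd-escape, and the drop-in file name `serialize-fido2.conf` and the demo crypttab are constructed for this example. The proper fix remains the libfido2 device lock Lennart mentions; this only removes the contention on older libfido2.

```shell
#!/bin/sh
# serialize-fido2-cryptsetup (hypothetical generator name).
# For every crypttab entry whose options carry fido2-device=<path>, emit a
# [Unit] After= drop-in that orders it behind the previous entry using the
# same device, so the token is only talked to by one systemd-cryptsetup at a
# time. systemd passes three output dirs to generators; $2 is the early dir.

# Print "name previous_name" for each entry that must wait for an earlier
# entry on the same fido2-device (crypttab order is preserved). $1: crypttab
serial_pairs() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 4 {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (index(opts[i], "fido2-device=") != 1) continue
            dev = substr(opts[i], 14)        # value after "fido2-device="
            if (dev in last) print $1, last[dev]
            last[dev] = $1
        }
    }'
}

# Write the drop-ins. $1: crypttab path, $2: generator output directory.
# Assumes plain names, i.e. unit is systemd-cryptsetup@<name>.service.
emit_serial_ordering() {
    serial_pairs "$1" | while read -r name prev; do
        d="$2/systemd-cryptsetup@$name.service.d"
        mkdir -p "$d"
        printf '[Unit]\nAfter=systemd-cryptsetup@%s.service\n' "$prev" \
            > "$d/serialize-fido2.conf"
    done
}

# Stand-alone demo on a constructed crypttab (not a real system's file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/crypttab" <<'EOF'
# constructed sample: two volumes on one token, one volume on TPM2
root /dev/disk/by-partlabel/root - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
swap /dev/disk/by-partlabel/swap - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
data /dev/disk/by-partlabel/data - tpm2-device=auto
EOF
    emit_serial_ordering "$tmp/crypttab" "$tmp/out"
    # show what would land in the generator directory
    find "$tmp/out" -type f | while read -r f; do
        echo "== $f"; cat "$f"
    done
    rm -rf "$tmp"
}

if [ $# -ge 2 ]; then
    # invoked by systemd as a generator: write into the early directory
    emit_serial_ordering /etc/crypttab "$2"
elif [ $# -eq 0 ]; then
    demo
fi
```

For the crypttab in the thread this produces a single drop-in for `systemd-cryptsetup@swap.service` with `After=systemd-cryptsetup@root.service`; entries on a different token, or with no `fido2-device=` at all, are left untouched. Because the affected units carry `x-initrd.attach`, the generator has to be present inside the initrd as well, and a chain of `After=` means a stuck first unit delays the rest, so the `token-timeout=` in the options still matters.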