On Fri, Jun 7, 2024 at 2:07 AM Sergio Arroutbi <sarroutb@xxxxxxxxxx> wrote:
...
>
> We are developing a PKCS11 plugin for Clevis (https://github.com/latchset/clevis). Clevis allows automatic unlocking of encrypted disks at boot by storing some information in LUKS metadata.
> To do so, it is executed in parallel to systemd-cryptsetup and, while the password is prompted to the user (and the agent runs), Clevis provides the key
> by writing to the systemd-cryptsetup ask-password socket.
>
>>
>>
>> I initially thought you don't, but now you do?
>
>
> Let me explain myself. What we want now is to disable the systemd-cryptenroll password prompt at boot (as our software already asks for the PKCS11 PIN), and provide the password as we are doing now,
> by using the socket provided through the agent system. We just want systemd-cryptenroll to not ask for a password in the boot console. I don't know if there is an option to disable it,
> as using "headless" makes our software unable to communicate the PIN to systemd-cryptenroll.
...
>
> According to api-password.h (systemd/src/shared/) you can provide different options:
> ASK_PASSWORD_ACCEPT_CACHED = 1 << 0, /* read from kernel keyring */
> ...
> ASK_PASSWORD_NO_TTY = 1 << 4, /* never ask for password on tty */

Isn't that exactly what you need? The problem is, systemd-cryptsetup does not use it; the only place where this flag is set is systemd-ask-password or homectl. This calls for an additional "notty" option to /etc/crypttab. But note that

> ...
> ASK_PASSWORD_HEADLESS = 1 << 9, /* headless mode: never query interactively */
>
> So, using headless mode in crypttab should be the way, but it makes systemd-cryptsetup exit, and we can not inject the password.

Headless completely skips the password agent. I wonder if credentials can be utilized here.
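As an added illustration of the agent-side protocol the thread refers to (this is not code from Clevis, systemd or either poster): a minimal password agent that answers one ask.* request the way systemd's password-agent spec describes, checking that the request is not stale before sending the secret. The sample ask-file contents, PID and socket path are constructed.

```python
"""Minimal systemd password agent (protocol: https://systemd.io/PASSWORD_AGENTS/).
systemd-cryptsetup drops an INI file /run/systemd/ask-password/ask.XXXXXX; the
agent replies with one AF_UNIX datagram to the path named in Socket=."""
import configparser
import os
import socket
import time

# Constructed sample of an ask.* file; real ones are written by systemd.
SAMPLE_ASK = """[Ask]
PID=1234
Socket=/run/systemd/ask-password/sck.abc123
AcceptCached=1
NotAfter=90000000
"""

def parse_ask_file(text: str) -> dict:
    """Fields of [Ask]; NotAfter is CLOCK_MONOTONIC in microseconds (0 = no expiry)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    ask = cp["Ask"]
    return {"socket": ask["Socket"], "pid": int(ask.get("PID", "0")),
            "not_after": int(ask.get("NotAfter", "0")),
            "accept_cached": ask.get("AcceptCached", "0") == "1"}

def is_live(req: dict, now_usec: int) -> bool:
    """Stale if NotAfter has passed or the asking process no longer exists."""
    if req["not_after"] and now_usec >= req["not_after"]:
        return False
    try:
        return not req["pid"] or os.kill(req["pid"], 0) is None  # signal 0: probe only
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # process exists but is owned by another user

def build_reply(password) -> bytes:
    """'+' plus the NUL-terminated secret answers the query; a bare '-' cancels it."""
    return b"-" if password is None else b"+" + password + b"\0"

def answer(ask_path: str, password) -> bool:
    """Answer the request described by ask_path; False if it is already stale."""
    with open(ask_path) as f:
        req = parse_ask_file(f.read())
    if not is_live(req, time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(req["socket"])  # sender must be root: systemd checks SCM_CREDENTIALS
        s.send(build_reply(password))
    return True
```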