[systemd-devel] [PATCH] add keyscript support to cryptsetup

Lennart Poettering lennart at poettering.net
Tue Jul 10 01:56:34 PDT 2012


On Tue, 10.07.12 07:36, Tollef Fog Heen (tfheen at err.no) wrote:

> > > A use case for keyscript is something like
> > > https://github.com/tfheen/ykfde/blob/master/helper which (while not
> > > really a keyscript as it is) implements integration with Yubikeys. Doing
> > > that with the full password agent proposal is much, much harder and
> > > doesn't really gain us anything in this case.
> > 
> > Well, but this script is very racy as it expects yubikeys to be
> > instantly available at boot. This really needs to be async and watch
> > both for yubikeys as they are plugged in and for new passwords as they
> > are queried. Also this script expects an interactive console, which is
> > extra racy...
> 
> It's run in the initramfs, so no, it's not racy at all.

That has little to do with where it is run. The simple fact is that
there is no time limit in which USB hw has to have appeared, as kernel
driver probing is entirely asynchronous these days and the USB devices
can take any time they want to initialize.

In older versions of Linux people placed "udevadm settle" and
"/sbin/rmmod scsi_wait_scan ; /sbin/modprobe scsi_wait_scan ;
/sbin/rmmod scsi_wait_scan" everywhere in an attempt to introduce
some point where all storage hw was probed. But that never worked for
USB hw anyway, slows down the boot immensely, and is also terribly
ugly. One of the big steps forward in systemd is actually that we
cleaned all this up, and devices are now used as they appear and we only
delay boot exactly as long as we need to find the devices we need, but
don't attempt to wait till the point in time "where all devices" have
shown up.

It doesn't work at all for yubikeys. 

So what you do is racy, sorry.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
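The race Lennart describes is a key script that tests for a USB token once, at the moment it starts, and fails if the kernel has not finished probing yet. The following is an added illustration, not code from the thread or from the ykfde helper: a plain POSIX sh helper that waits for a device node with an explicit, bounded deadline rather than assuming the device is already present. The device path and the timeout are caller-supplied assumptions; the demo path below is a placeholder.

```bash
#!/bin/sh
# Added example, not part of the original thread.
# wait_for_device PATH TIMEOUT_SECONDS
#   Polls until PATH exists or TIMEOUT_SECONDS have elapsed.
#   Returns 0 if the device appeared in time, 1 if the deadline passed.
wait_for_device() {
    path="$1"
    timeout="${2:-10}"                       # default: 10 seconds
    deadline=$(( $(date +%s) + timeout ))
    while [ ! -e "$path" ]; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1                         # gave up: device never showed up
        fi
        sleep 1                              # re-check once per second
    done
    return 0
}

# check_device_once PATH
#   The racy pattern the thread criticises: a single existence test with no
#   waiting at all. Kept here only to contrast with wait_for_device.
check_device_once() {
    [ -e "$1" ]
}

# Demo only when invoked as "script --demo"; the placeholder device path is
# an assumption and must be replaced with the real token's node.
if [ "${1:-}" = "--demo" ]; then
    if wait_for_device /dev/hypothetical-token 15; then
        echo "token present, continuing"
    else
        echo "token did not appear within 15s" >&2
        exit 1
    fi
fi
```

A bounded wait is still a wait, so it only narrows the window instead of removing it; the asynchronous design Lennart asks for (react to the device as it is plugged in, and to password requests as they are queued) is what actually removes the race.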

