[systemd-devel] Ordering units and targets with devices

Andrei Borzenkov arvidjaar at gmail.com
Thu Aug 25 06:37:19 UTC 2022 

On 17.08.2022 16:23, Michael Cassaniti wrote:
> Hi,
> 
> I'm trying to order my units and targets during early boot so that:
> 1. A symlink to the specific FIDO2 token I'm using gets created. I 
> already have a udev rule in place for this and it successfully creates 
> the symlink under /dev. Because I have two tokens I need to specify 
> which one to use.
> 2. The unit for systemd-cryptsetup at root.service has to wait for this 
> unit. The unit gets generated from systemd-cryptsetup-generator so I 
> can't just add Requires= stanzas to the unit. I do have a /etc/crypttab 
> file.
> 
> I have the following shell code generating everything a the right time 
> within dracut, but this hasn't solved my problem.
> 
>      cat > /etc/systemd/system/dev-yubico\x2dfido2.device << EOF

I wonder if this is even valid to have device unit file and whether
systemd will merge it with auto-generated device. In any case, more
traditional approach is drop-in.

>      [Unit]
>      Description=Device for Yubico FIDO2 token
>      DefaultDependencies=no
>      RequiredBy=cryptsetup-pre.target
> 

RequiredBy is only valid in [Install] section. Where in documentation is
your usage described?

>      [Install]
>      WantedBy=cryptsetup-pre.target
> 
>      EOF
> 
>      systemctl enable dev-yubico\x2dfido2.device
>      systemctl add-wants cryptsetup.target cryptsetup-pre.target
> 

This is very round-about way for simply creating necessary links in
/run/systemd/system/cryptsetup-pre.target and running "systemctl
daemon-reload". Even better would be to create these links in generator
to avoid daemon-reload.

> 
> Any help here is appreciated. The issue is that the FIDO2 token shows up 
> on the USB bus after the disk is detected and the unit 
> systemd-cryptsetup at root.service starts.

Is device /dev/yubico-fido2 actually present and visible to systemd? In
this case just drop necessary symlinks into /etc.

> I don't have a TPM2 chip so that 
> rules out using a TPM instead.
> 
> Thanks in advance,
> Michael Cassaniti, Australia
>

More information about the systemd-devel mailing list