[systemd-devel] Ordering units and targets with devices

Michael Cassaniti michael at cassaniti.id.au
Fri Aug 26 04:46:56 UTC 2022


On 25/8/22 22:22, Lennart Poettering wrote:
> On Do, 25.08.22 10:50, Michael Cassaniti (michael at cassaniti.id.au) wrote:
>
>> It seems to be somewhat more complicated than that, and perhaps it has more
>> to do with my setup. Here's my /etc/crypttab which just might explain a bit:
>>
>>      # Mount root and swap
>>      # These will initially have an empty password
>>      root /dev/disk/by-partlabel/root - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>>      swap /dev/disk/by-partlabel/swap - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>>
>> I think the fact that both of these get set up at boot and will concurrently
>> try to access the FIDO2 token is causing issues. That crypttab is included
>> in the initrd.
> There was an issue with concurrent access to FIDO2 devices conflicting
> with each other. This was addressed in libfido2 though, it will now
> take a BSD lock on the device while talking to it, thus synchronizing
> access properly.
>
> See this bug:
>
> https://github.com/systemd/systemd/issues/23889
>
> Maybe it's sufficient to update libfido2 on your system?
>
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Hi Lennart,
Thanks for the fast response. I've got version 1.11 of libfido2 and it 
seems I'd need 1.12 (to be released) to fix it [1]. It terrifies me to 
think what I might break on my system by upgrading libfido2. On Gentoo 
there is revdep-rebuild but Ubuntu doesn't have anything like that. I'm 
on Ubuntu 22.10 which is the latest development version so I can use 
some shiny new systemd features.

For now I've written a rather dodgy generator that will scan through the 
generated units for both cryptsetup and resume, then add in some 
ordering. Currently it will make the cryptsetup units run serially. I am 
yet to test it though.

[1]: https://github.com/Yubico/libfido2/pull/604#issuecomment-1178637796

Thanks,
Michael Cassaniti, Australia
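
One way to get the serial ordering described in the message above, as an added example that is not the generator from the post. It reads the crypttab directly rather than scanning generated units (generators run in parallel), covers only the cryptsetup units and not resume, and the function name `emit_serial_dropins` and the drop-in file name are hypothetical:

```shell
#!/bin/sh
# Added example (hypothetical helper, not the poster's generator):
# chain FIDO2-backed systemd-cryptsetup@ units so they unlock one at a time.

# emit_serial_dropins CRYPTTAB OUTDIR
# For every crypttab entry whose options include fido2-device=, write a
# drop-in ordering its unit After= the previous such entry's unit.
# Prints the number of drop-ins written.
emit_serial_dropins() {
    crypttab=$1 outdir=$2 prev= count=0
    # "|| [ -n "$name" ]" keeps a final line that lacks a trailing newline.
    while read -r name _dev _key opts _rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in *,fido2-device=*) ;; *) continue ;; esac
        # Instance names are escaped in unit names; fall back to the raw
        # name if systemd-escape is missing (fine for "root" and "swap").
        esc=$(systemd-escape -- "$name" 2>/dev/null) || esc=$name
        unit="systemd-cryptsetup@${esc}.service"
        if [ -n "$prev" ]; then
            mkdir -p "$outdir/$unit.d"
            printf '[Unit]\nAfter=%s\n' "$prev" \
                > "$outdir/$unit.d/50-serialize-fido2.conf"
            count=$((count + 1))
        fi
        prev=$unit
    done < "$crypttab"
    echo "$count"
}

# When run as a generator, systemd passes three output directories;
# the first is the normal-priority one.
if [ "$#" -ge 1 ] && [ -r /etc/crypttab ]; then
    emit_serial_dropins /etc/crypttab "$1" >/dev/null
fi
```

`After=` only orders the units: the second unlock starts once the first unit has finished, whether or not it succeeded.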