[systemd-devel] Antw: [EXT] Re: [systemd‑devel] Ordering units and targets with devices
Ulrich Windl
Ulrich.Windl at rz.uni-regensburg.de
Fri Aug 26 07:17:32 UTC 2022
>>> Michael Cassaniti <michael at cassaniti.id.au> wrote on 26.08.2022 at 06:46 in message
<01000182d8797b39-375650cc-485b-43ec-84e0-9be3a66f22f4-000000 at email.amazonses.co>:
> On 25/8/22 22:22, Lennart Poettering wrote:
>> On Do, 25.08.22 10:50, Michael Cassaniti (michael at cassaniti.id.au) wrote:
>>
>>> It seems to be somewhat more complicated than that, and perhaps it has more
>>> to do with my setup. Here's my /etc/crypttab which just might explain a bit:
>>>
>>> # Mount root and swap
>>> # These will initially have an empty password
>>> root /dev/disk/by-partlabel/root - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>>> swap /dev/disk/by-partlabel/swap - fido2-device=/dev/yubico-fido2,token-timeout=0,try-empty-password=true,x-initrd.attach
>>>
>>> I think the fact that both of these get set up at boot and will concurrently
>>> try to access the FIDO2 token is causing issues. That crypttab is included
>>> in the initrd.
>> There was an issue with concurrent access to FIDO2 devices conflicting
>> with each other. This was addressed in libfido2 though, it will now
>> take a BSD lock on the device while talking to it, thus synchronizing
>> access properly.
>>
>> See this bug:
>>
>> https://github.com/systemd/systemd/issues/23889
>>
>> Maybe it's sufficient to update libfido2 on your system?
>>
>>
>> Lennart
>>
>> --
>> Lennart Poettering, Berlin
> Hi Lennart,
> Thanks for the fast response. I've got version 1.11 of libfido2 and it
> seems I'd need 1.12 (to be released) to fix it [1]. It terrifies me to
> think what I might break on my system by upgrading libfido2. On Gentoo
Or "Use the source, Luke": Try to "patch in" just that missing lock into your current version.
> there is revdep-rebuild but Ubuntu doesn't have anything like that. I'm
> on Ubuntu 22.10 which is the latest development version so I can use
> some shiny new systemd features.
>
> For now I've written a rather dodgy generator that will scan through the
> generated units for both cryptsetup and resume, then add in some
> ordering. Currently it will make the cryptsetup units run serially. I am
> yet to test it though.
>
> [1]: https://github.com/Yubico/libfido2/pull/604#issuecomment-1178637796
>
> Thanks,
> Michael Cassaniti, Australia
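
The serialization workaround discussed in this thread, sketched as an added example (not the generator Michael wrote, and not systemd code). It reads the crypttab directly and writes `After=` drop-ins so that FIDO2-backed `systemd-cryptsetup@` units start one after another; the function name, the drop-in file name and the restriction to volume names that need no `systemd-escape` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: order FIDO2-backed cryptsetup units one after another.
# It reads crypttab itself instead of scanning units written by other
# generators, because generators run in parallel and those units may
# not exist yet when this one runs.

# serialize_crypttab CRYPTTAB OUTDIR  (hypothetical helper name)
# Prints the number of drop-ins written.
serialize_crypttab() {
    crypttab=$1
    outdir=$2
    prev=""
    count=0
    while read -r name device keyfile options || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # Only volumes unlocked through a FIDO2 token compete for it.
        case ",$options," in *,fido2-device=*) ;; *) continue ;; esac
        # Assumption: the name maps to the unit name without escaping.
        case $name in
            *[!A-Za-z0-9_]*)
                echo "skipping $name: name needs systemd-escape" >&2
                continue ;;
        esac
        if [ -n "$prev" ]; then
            dir="$outdir/systemd-cryptsetup@$name.service.d"
            mkdir -p "$dir" || return 1
            # After= only orders start-up; it adds no dependency, so a
            # failure of the earlier unit does not block the later one.
            printf '[Unit]\nAfter=systemd-cryptsetup@%s.service\n' "$prev" \
                > "$dir/50-serialize-fido2.conf" || return 1
            count=$((count + 1))
        fi
        prev=$name
    done < "$crypttab"
    echo "$count"
}

# systemd calls a generator with three output directories; the first
# is the normal-priority one. Do nothing when invoked any other way.
if [ "$#" -eq 3 ]; then
    serialize_crypttab "${CRYPTTAB:-/etc/crypttab}" "$1" > /dev/null
fi
```

For the crypttab quoted above, this leaves `root` untouched and orders `swap` after it. Since that crypttab is included in the initrd, the generator would have to be shipped in the initrd as well.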