[systemd-devel] systemd-cryptsetup@.service crash during boot with fido2-device=auto

Anton Hvornum anton at hvornum.se
Tue May 17 21:03:46 UTC 2022


Hi.

I've been asking around everywhere for some assistance.
The full issue can be found here:
https://www.reddit.com/r/archlinux/comments/urnj8x/help_getting_fido2_and_systemdcryptenroll_working/

The short version is, I got `systemd-cryptenroll --fido2-device=auto
/dev/sda2` to work.
Unlocking it works with a password, but it's not trying to use the
fido2-device as expected.

Whenever I add `/etc/crypttab` to the initramfs
`systemd-cryptsetup@luksdev.service` crashes.
Not sure how to debug it since it's the root partition. But I
increased the loglevel on the kernel to 7 and found that the Yubikey
comes up after the service crashes.

And I'm wondering, is it required for the USB device to come alive
before this service tries to execute?

As far as I can tell, it executed:
/lib/systemd/systemd-cryptsetup attach 'luksdev' '/dev/sda2' 'none'
'luks,fido2-device=auto'

And by default if executed on a live medium that will hang waiting for
the HSM to be inserted and will work. But I can't figure out why the
service would break if that is all it does.

As soon as I create a /etc/crypttab or omit tpm2-device=auto from the
kernel command-line, the boot process breaks. But if I don't use
/etc/crypttab or I have tpm2-device=auto the service succeeds - but
won't use the fido device. And that's probably obvious for everyone
here but I'm stumped.

Any help would be appreciated but is in no way expected.

//Anton
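For readers following this thread: the crypttab line and the `systemd-cryptsetup attach` invocation quoted above are two views of the same four fields (name, device, key file, options). The following added example, written for this archive page and not part of Anton's post or of systemd, parses crypttab text into those fields, rebuilds the `attach` argv the way the quoted command is shaped (the `/lib/systemd/systemd-cryptsetup` path is taken from the post), and flags entries whose options name hardware that must already be present when the unit starts (`fido2-device`, `tpm2-device`, `pkcs11-uri`). The sample crypttab content is constructed.

```python
"""Parse /etc/crypttab entries and show the systemd-cryptsetup 'attach'
command each one corresponds to, flagging entries that depend on an
external token being present at unlock time."""
import shlex

# Path as quoted in the mailing-list post; distributions may differ.
CRYPTSETUP_BIN = "/lib/systemd/systemd-cryptsetup"

# Options whose unlock path needs hardware (USB token, TPM, smartcard)
# to be available before the systemd-cryptsetup@<name>.service runs.
HARDWARE_OPTIONS = {"fido2-device", "tpm2-device", "pkcs11-uri"}

# Constructed sample crypttab; not taken from any real system.
SAMPLE_CRYPTTAB = """\
# <name>  <device>                                   <keyfile>  <options>
luksdev   /dev/sda2                                  none       luks,fido2-device=auto
data      UUID=00000000-0000-0000-0000-000000000000  none       luks,tpm2-device=auto,discard
"""


def parse_crypttab(text):
    """Return a list of dicts with keys name, device, keyfile, options.

    Blank lines and '#' comments are skipped. The key file and options
    fields are optional in crypttab; they default to 'none' and ''.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        name, device = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3] if len(fields) > 3 else ""
        entries.append(
            {"name": name, "device": device, "keyfile": keyfile, "options": options}
        )
    return entries


def attach_command(entry):
    """Build the argv for 'systemd-cryptsetup attach' in the shape quoted
    in the post: attach <name> <device> <keyfile> <options>."""
    return [
        CRYPTSETUP_BIN,
        "attach",
        entry["name"],
        entry["device"],
        entry["keyfile"],
        entry["options"],
    ]


def hardware_options(entry):
    """Return the set of option keys in this entry that name hardware
    the unit will need at unlock time (e.g. {'fido2-device'})."""
    keys = set()
    for opt in entry["options"].split(","):
        key = opt.split("=", 1)[0].strip()
        if key in HARDWARE_OPTIONS:
            keys.add(key)
    return keys


if __name__ == "__main__":
    for e in parse_crypttab(SAMPLE_CRYPTTAB):
        print(shlex.join(attach_command(e)))
        needs = hardware_options(e)
        if needs:
            print(f"  note: {e['name']} depends on {sorted(needs)} being "
                  "present before systemd-cryptsetup@%s.service starts" % e["name"])
```

Running the script prints one `attach` line per crypttab entry followed by a note for entries that rely on a token, which makes it easy to see at a glance which units in an initramfs have an ordering dependency on a USB or TPM device appearing.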

