[systemd-devel] systemd-cryptsetup@.service crash during boot with fido2-device=auto

Anton Hvornum anton at hvornum.se
Wed May 18 08:25:17 UTC 2022


Found the solution.

`/etc/crypttab` had to be removed as it caused a startup crash.
`libfido2.so.1` library was missing so installed the appropriate
package (in this case libfido2)
The kernel option `tpm2-device=auto` had to be removed, as it forces
an override and ends up forcing a password prompt. And this is
independent of the order the options come in. I would assume that
`fido2-device=auto` would force it to try accessing FIDO2 devices
first, and then fall back to tpm2-device, but that does not appear to be
the case.

Apologies for the lengthy email.
Best regards,
//Anton

On Tue, May 17, 2022 at 11:03 PM Anton Hvornum <anton at hvornum.se> wrote:
>
> Hi.
>
> I've been asking around everywhere for some assistance.
> The full issue can be found here:
> https://www.reddit.com/r/archlinux/comments/urnj8x/help_getting_fido2_and_systemdcryptenroll_working/
>
> The short version is, I got `systemd-cryptenroll --fido2-device=auto
> /dev/sda2` to work.
> Unlocking it works with a password, but it's not trying to use the
> fido2-device as expected.
>
> Whenever I add `/etc/crypttab` to the initramfs
> `systemd-cryptsetup@luksdev.service` crashes.
> Not sure how to debug it since it's the root partition. But I
> increased the loglevel on the kernel to 7 and found that the Yubikey
> comes up after the service crashes.
>
> And I'm wondering, is it required for the USB device to come alive
> before this service tries to execute?
>
> As far as I can tell, it executed:
> /lib/systemd/systemd-cryptsetup attach 'luksdev' '/dev/sda2' 'none'
> 'luks,fido2-device=auto'
>
> And by default if executed on a live medium that will hang waiting for
> the HSM to be inserted and will work. But I can't figure out why the
> service would break if that is all it does.
>
> As soon as I create a /etc/crypttab or omit tpm2-device=auto from the
> kernel command-line, the boot process breaks. But if I don't use
> /etc/crypttab or I have tpm2-device=auto, the service succeeds - but
> won't use the fido device. And that's probably obvious for everyone
> here but I'm stumped.
>
> Any help would be appreciated but is in no way expected.
>
> //Anton
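An added example, not part of this thread and not systemd's own tooling: a POSIX sh checker that applies the three findings from the reply above (conflicting `tpm2-device=auto` and `fido2-device=auto`, a crypttab entry asking for FIDO2, and a missing `libfido2.so.1`) to a captured kernel command line and crypttab. The sample inputs are constructed; the `rd.luks.options=` spelling is the documented systemd kernel parameter, and the library directory argument is an assumption so the check can be pointed at an unpacked initramfs rather than the running system.

```sh
#!/bin/sh
# Offline checker for the unlock configuration problems described in the thread.
# Inputs are passed as strings/paths so it can run against captured data.

# Does the kernel command line carry the given cryptsetup option, either bare
# or inside rd.luks.options=/luks.options=? Returns 0 when present.
cmdline_has_option() {
    opt="$1"; cmdline="$2"
    for word in $cmdline; do
        case "$word" in
            "$opt"|rd.luks.options=*"$opt"*|luks.options=*"$opt"*) return 0 ;;
        esac
    done
    return 1
}

# Print the options column (4th field) of every non-comment crypttab line.
crypttab_options() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 4 { print $4 }'
}

# Report the conflicts from the thread, one line each, and return how many
# were found (0 means none of the reported conditions is present).
# $1 = kernel command line, $2 = crypttab contents, $3 = library directory
# to search for libfido2.so.1 (assumption: the initramfs lib dir).
check_unlock_config() {
    cmdline="$1"; crypttab="$2"; libdir="$3"
    n=0
    if cmdline_has_option tpm2-device=auto "$cmdline" \
        && cmdline_has_option fido2-device=auto "$cmdline"; then
        echo "tpm2-device=auto and fido2-device=auto both set: reported to force a passphrase prompt regardless of order"
        n=$((n + 1))
    fi
    if [ -n "$crypttab" ] && crypttab_options "$crypttab" | grep -q 'fido2-device='; then
        echo "crypttab requests fido2-device: libfido2.so.1 must be available to systemd-cryptsetup"
        if [ ! -e "$libdir/libfido2.so.1" ]; then
            echo "libfido2.so.1 not found under $libdir"
            n=$((n + 1))
        fi
    fi
    return "$n"
}

# Constructed samples mirroring the thread (UUID is a placeholder).
SAMPLE_CMDLINE='root=/dev/mapper/luksdev rd.luks.name=<UUID-PLACEHOLDER>=luksdev rd.luks.options=fido2-device=auto,tpm2-device=auto'
SAMPLE_CRYPTTAB='# constructed sample crypttab
luksdev /dev/sda2 none luks,fido2-device=auto'

# Usage: run the checker against the samples and a library directory.
check_unlock_config "$SAMPLE_CMDLINE" "$SAMPLE_CRYPTTAB" /usr/lib \
    || echo "findings: $?"
```

The return value is the finding count so the script can gate an initramfs build; pass the unpacked initramfs `usr/lib` directory as the third argument to verify the library is actually inside the image, not just on the host.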

