[systemd-devel] systemd-cryptsetup@.service crash during boot with fido2-device=auto

Lennart Poettering lennart at poettering.net
Wed May 18 14:28:40 UTC 2022


On Di, 17.05.22 23:03, Anton Hvornum (anton at hvornum.se) wrote:

> Hi.
>
> I've been asking around everywhere for some assistance.
> The full issue can be found here:
> https://www.reddit.com/r/archlinux/comments/urnj8x/help_getting_fido2_and_systemdcryptenroll_working/
>
> The short version is, I got `systemd-cryptenroll --fido2-device=auto
> /dev/sda2` to work.
> Unlocking it works with a password, but it's not trying to use the
> fido2-device as expected.
>
> Whenever I add `/etc/crypttab` to the initramfs
> `systemd-cryptsetup@luksdev.service` crashes.

Crashes? What does that mean? As in segfault?

If so, please provide a stacktrace, otherwise this is not actionable
to us.

> And I'm wondering, is it required for the USB device to come alive
> before this service tries to execute?

Some initrds don't pick up the relevant fido2 udev
rules. i.e. 60-fido-id.rules and such. Contact your distro's initrd
maintainers for help on that.

>
> As far as I can tell, it executed:
> /lib/systemd/systemd-cryptsetup attach 'luksdev' '/dev/sda2' 'none'
> 'luks,fido2-device=auto'
>
> And by default if executed on a live medium that will hang waiting for
> the HSM to be inserted and will work. But I can't figure out why the
> service would break if that is all it does.
>
> As soon as I create a /etc/crypttab or omit tpm2-device=auto from the
> kernel command-line, the boot process breaks. But if I don't use
> /etc/crypttab or I have tpm2-device=auto the service succeeds - but
> won't use the fido device. And that's probably obvious for everyone
> here but I'm stumped.

hmm, fido? or tpm?

Lennart

--
Lennart Poettering, Berlin
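A small diagnostic in the spirit of the reply above, added here as an example and not part of the thread: it inspects an already unpacked initramfs tree for the 60-fido-id.rules udev file the reply names and for a crypttab entry carrying a fido2-device= option. The rules.d search paths and the constructed sample tree are assumptions, not something the thread states.

```shell
#!/bin/sh
# check_initrd_fido2.sh: sanity-check an *extracted* initramfs tree for the
# two pieces discussed in the thread: the FIDO udev rules and a crypttab
# entry that asks systemd-cryptsetup for a fido2 token.
# Assumption: the initramfs was already unpacked into a directory (e.g. with
# lsinitcpio -x or unmkinitramfs); this script never touches a real image.

# Returns 0 if the tree ships 60-fido-id.rules in a usual rules.d location.
has_fido_udev_rules() {
    tree="$1"
    for dir in usr/lib/udev/rules.d lib/udev/rules.d etc/udev/rules.d; do
        [ -f "$tree/$dir/60-fido-id.rules" ] && return 0
    done
    return 1
}

# Returns 0 if etc/crypttab exists and at least one non-comment entry has a
# fido2-device= option (auto or an explicit device path) in its 4th field.
crypttab_uses_fido2() {
    tree="$1"
    [ -f "$tree/etc/crypttab" ] || return 1
    awk '$1 !~ /^#/ && NF >= 4 {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] ~ /^fido2-device=/) found = 1
         }
         END { exit found ? 0 : 1 }' "$tree/etc/crypttab"
}

# Prints one line per prerequisite; returns 0 only when both are satisfied.
check_initrd_tree() {
    tree="$1"; rc=0
    if has_fido_udev_rules "$tree"; then echo "ok: 60-fido-id.rules present"
    else echo "missing: 60-fido-id.rules not in the initramfs"; rc=1; fi
    if crypttab_uses_fido2 "$tree"; then echo "ok: crypttab entry with fido2-device= found"
    else echo "missing: no crypttab entry with fido2-device="; rc=1; fi
    return $rc
}

# Constructed sample tree standing in for an unpacked initramfs (not real data).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/udev/rules.d" "$d/etc"
    : > "$d/usr/lib/udev/rules.d/60-fido-id.rules"
    printf 'luksdev /dev/sda2 none luks,fido2-device=auto\n' > "$d/etc/crypttab"
    echo "$d"
}
```

Point check_initrd_tree at the directory produced by your initramfs unpacker; a "missing" line for the udev rules is the case the reply suggests raising with the distro's initrd maintainers.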

