Gentoo Forums
Systemd unlock LUKS2 with FIDO -- pin assertion
starsky
n00b

Joined: 12 May 2020
Posts: 7

Posted: Wed May 15, 2024 12:57 pm    Post subject: Systemd unlock LUKS2 with FIDO -- pin assertion

Hi Folks,

I have an encrypted home partition, and I use a FIDO2 key to unlock it. My /etc/crypttab looks like this:
Code:

crypt-home /dev/mapper/latitude7230_disc-home_encrypted none luks,discard,fido2-device=auto


I followed more or less these steps to set it up: https://amedeos.github.io/gentoo/2021/04/25/Unlock-rootfs-with-fido2-key.html

Normally when I boot, a prompt appears where I can type the PIN, then I have to touch the key, and the boot sequence continues.
But from time to time it fails: I am not asked for the PIN, and the boot sequence stops, saying that it cannot mount /home.
If I reboot it a couple of times, I finally get the PIN prompt and I can unlock /home.

I checked the boot logs. When it works I get this output:
Code:

maj 15 14:35:15 pluto systemd[1]: Reached target Smart Card.
maj 15 14:35:20 pluto systemd-tty-ask-password-agent[1407]: Password query on /dev/tty1 finished successfully.
maj 15 14:35:20 pluto systemd-cryptsetup[1330]: Asking FIDO2 token for authentication.
maj 15 14:35:20 pluto systemd-cryptsetup[1330]: Please confirm presence on security token to unlock.


When it fails I get this output:
Code:

maj 15 14:34:46 pluto systemd-tty-ask-password-agent[1367]: Password query on /dev/tty1 finished successfully.
maj 15 14:34:46 pluto systemd-cryptsetup[1329]: Assertion '!pin || pin_size' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c:37, function cryptsetup_token_open_pin(). Aborting.


It seems to me that when it fails I do not get a PIN prompt, and an empty PIN is returned to systemd-cryptsetup, which triggers the assertion.
It also seems to me like some kind of race condition, because it works from time to time.

The interesting thing is that I have another computer with exactly the same setup, and it works fine.
Now I have moved to the new machine and I am having this problem.

I also realized that on the old machine, some time ago I had a prompt like "Please type PIN" when booting; after some update this text stopped appearing. I ignored it because I was able to type the PIN and unlock the volume.
But I guess this is the same issue, where things from systemd-cryptsetup are not being read from or written to the terminal correctly when booting.

I am looking for some hints what to check next.
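One way to spot this failure from the journal after the fact rather than by watching the console, as an added example that is not part of the original post or of systemd: the function names are made up here, and the sample lines are a constructed copy of the two journal excerpts quoted above.

```shell
#!/bin/sh
# Added example (not from the forum thread): classify systemd-cryptsetup FIDO2
# unlock attempts in journalctl-style text read from stdin, so a boot that hit
# the empty-PIN assertion can be found in the logs afterwards.

# Constructed sample built from the two journal excerpts in the post above.
sample_journal() {
    cat <<'EOF'
maj 15 14:34:46 pluto systemd-tty-ask-password-agent[1367]: Password query on /dev/tty1 finished successfully.
maj 15 14:34:46 pluto systemd-cryptsetup[1329]: Assertion '!pin || pin_size' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c:37, function cryptsetup_token_open_pin(). Aborting.
maj 15 14:35:15 pluto systemd[1]: Reached target Smart Card.
maj 15 14:35:20 pluto systemd-tty-ask-password-agent[1407]: Password query on /dev/tty1 finished successfully.
maj 15 14:35:20 pluto systemd-cryptsetup[1330]: Asking FIDO2 token for authentication.
maj 15 14:35:20 pluto systemd-cryptsetup[1330]: Please confirm presence on security token to unlock.
EOF
}

# Print "<pid> <state>" for every systemd-cryptsetup process seen on stdin:
#   empty-pin-assertion  the '!pin || pin_size' abort (PIN never reached the token code)
#   ok                   presence on the token was requested, i.e. the PIN was accepted
#   unknown              the process logged, but neither outcome was seen
classify_fido2_unlock() {
    awk '
    match($0, /systemd-cryptsetup\[[0-9]+\]/) {
        pid = substr($0, RSTART, RLENGTH)
        sub(/.*\[/, "", pid); sub(/\]/, "", pid)
        if ($0 ~ /Assertion .!pin [|][|] pin_size. failed/)
            state[pid] = "empty-pin-assertion"
        else if ($0 ~ /Please confirm presence on security token/ && state[pid] != "empty-pin-assertion")
            state[pid] = "ok"
        else if (state[pid] == "")
            state[pid] = "unknown"
    }
    END { for (p in state) print p, state[p] }
    ' | sort
}

# Exit 0 if any unlock attempt on stdin hit the empty-PIN assertion, else non-zero.
fido2_empty_pin_seen() {
    classify_fido2_unlock | grep -q ' empty-pin-assertion$'
}

# Hypothetical invocation on a real system (previous boot), not run here:
#   journalctl -b -1 -o short | classify_fido2_unlock
```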
starsky
n00b

Joined: 12 May 2020
Posts: 7

Posted: Wed May 22, 2024 10:52 am

I have been playing with it for a week already and I have two findings:

1. When I use a dock (Dell WD15) the problem does not exist. The boot sequence always stops and waits for the PIN.

2. When I use the computer without a dock, the first boot sequence fails with the mentioned assertion. But when I reboot it (Alt+Ctrl+Del), the next time it works fine. I thought that there might be some random factor, but I was testing it for a week and basically every time it worked when I did the reboot.

Thus I think that it is a hardware-related problem -- maybe something needs a longer time to initialize - that is why it works when I reboot the computer. And when I am using the dock, I guess a different USB controller is used.