You are not logged in.
Hey everybody,
since systemd v248 unlocking your LUKS partition with FIDO2 is officially supported. I think the update landed in stable arch like yesterday, so I tried to do that
with my exisiting LVM on LUKS setup. I followed mainly this blog post explaining the whole stuff by Lennart: http://0pointer.net/blog/unlocking-luks … d-248.html
Basically I just ran
systemd-cryptenroll --fido2-device=auto /dev/sdb2
because /dev/sdb2 is my underlying block device.
This failed first because the libfido2 package was not installed. After installing that it worked.
Then I put
cryptlvm /dev/sdb2 - fido2-device=auto
in my `etc/crypttab`.
However, after refreshing my initramfs it still continues to ask for my passphrase at boot, so I think some modules and binaries settings
are still missing from my `etc/mkinitcpio.conf`. This is the relevant content of mine at the moment:
MODULES=(amdgpu)
BINARIES=()
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
Do you happen to know what modifications are needed in the initramfs config for FIDO2 tokens? This is undocumented for arch the moment, I can not find anything in the wiki (yet).
Last edited by L0g4nAd4ms (2021-04-02 16:43:09)
Offline
you need to add /usr/lib/libfido2.so.1 in the initramfs too (add it to the BINARIES list)and make sure /etc/crypttab is copied to the initramfs.
I guess now that this version of systemd is released, someone can make the necessary hooks for it too
Offline
Thanks. How can I make sure the /etc/crypttab is copied into the initramfs?
Edit: Ah okay, just include in the FILE setting, I guess.
Last edited by L0g4nAd4ms (2021-04-02 16:19:01)
Offline
You need to use /etc/crypttab.initramfs instead (or use the kernel options)
$ mkinitcpio -H sd-encrypt
==> Help for hook 'sd-encrypt':
This hook allows for an encrypted root device with systemd initramfs.
See the manpage of systemd-cryptsetup-generator(8) for available kernel
command line options. Alternatively, if the file /etc/crypttab.initramfs
exists, it will be added to the initramfs as /etc/crypttab. See the
crypttab(5) manpage for more information on crypttab syntax.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
Okay, so I tried it now with those new settings in my mkinitcpio.conf:
MODULES=()
BINARIES=(/usr/lib/libfido2.so.1)
FILES=(/etc/crypttab)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
However, it still does not work. Tried it with the symlink from /etc/crypttab to /etc/crypttab.initramfs without the FILE setting also, but that did not work either.
Edit: Here are my bootloader settings:
title Arch Linux
linux /vmlinuz-linux-lts
initrd /intel-ucode.img
initrd /initramfs-linux-lts.img
options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root
Last edited by L0g4nAd4ms (2021-04-02 16:46:44)
Offline
if you specify the LUKS/cryptsetup options on the kernel command line you need to add the `fido2-device=auto` here too:
`options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root`
see rd.luks.options:
https://wiki.archlinux.org/index.php/Dm … d.luks.key
Offline
Edit: Why is it necessary to additionally specify this kernel option `fido2-device=auto`? It seems kind of redundant when having this already in `etc/crypttab`.
Last edited by L0g4nAd4ms (2021-04-02 17:09:35)
Offline
OK, so I tried to specify
rd.luks.options=fido2-device=auto
on the kernel commandline, that changed something, but only that I could not login anymore.
I had to revert, because systemd waited for the cryptsetup start job.
Offline
OK, so I tried to specify
rd.luks.options=fido2-device=auto
on the kernel commandline, that changed something, but only that I could not login anymore.
I had to revert, because systemd waited for the cryptsetup start job.
please read the wiki page/docs
the syntax is
rd.luks.options=<uuid>=the,options,list
Last edited by damjan (2021-04-05 11:39:33)
Offline
Oops, my bad. However, with
options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root rd.luks.options=fido2-device=auto,timeout=15s,keyfile-timeout=15s
I still get the same problems.
systemd 248 (248-3-arch)
5.11.11-zen1-1-zen
Last edited by L0g4nAd4ms (2021-04-06 18:13:48)
Offline
I don't see that you have fixed the issue?
rd.luks.options=2febec65-739a-405e-9180-72165c237b9f=fido2-device=auto
Last edited by damjan (2021-04-13 11:55:10)
Offline
Thanks, that did work indeed. I initially omitted the UUID in the options because of this section in the arch wiki
Set options for the device specified by it UUID or, if not specified, for all UUIDs not specified elsewhere (e.g., crypttab).
One minor thing is that systemd does not explicitly asks for the FIDO2 token (i.e. it does not tell me to plugin a FIDO2 token) and there is no fallback to password input.
Last edited by L0g4nAd4ms (2021-04-18 10:51:38)
Offline
One minor thing is that systemd does not explicitly asks for the FIDO2 token (i.e. it does not tell me to plugin a FIDO2 token) and there is no fallback to password input.
I guess those UX improvements will come in the next release
Offline
also, after https://github.com/archlinux/svntogit-p … 0abf207a3a (cryptsetup 2.3.5-2)
BINARIES=(/usr/lib/libfido2.so.1) is not needed any more
Offline