
#1 2021-04-02 15:42:41

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Hey everybody,

since systemd v248 unlocking your LUKS partition with FIDO2 is officially supported. I think the update landed in stable arch like yesterday, so I tried to do that
with my existing LVM on LUKS setup. I followed mainly this blog post explaining the whole stuff by Lennart: http://0pointer.net/blog/unlocking-luks … d-248.html

Basically I just ran

systemd-cryptenroll --fido2-device=auto /dev/sdb2

because /dev/sdb2 is my underlying block device.
This failed first because the libfido2 package was not installed. After installing that it worked.
Then I put

cryptlvm /dev/sdb2 - fido2-device=auto

in my `/etc/crypttab`.

However, after refreshing my initramfs it still continues to ask for my passphrase at boot, so I think some modules and binaries settings
are still missing from my `/etc/mkinitcpio.conf`. This is the relevant content of mine at the moment:

MODULES=(amdgpu)
BINARIES=()
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)

Do you happen to know what modifications are needed in the initramfs config for FIDO2 tokens? This is undocumented for arch at the moment, I can not find anything in the wiki (yet).

Last edited by L0g4nAd4ms (2021-04-02 16:43:09)


#2 2021-04-02 16:06:06

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

you need to add /usr/lib/libfido2.so.1 in the initramfs too (add it to the BINARIES list) and make sure /etc/crypttab is copied to the initramfs.

I guess now that this version of systemd is released, someone can make the necessary hooks for it too :)


#3 2021-04-02 16:08:35

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Thanks. How can I make sure the /etc/crypttab is copied into the initramfs?
Edit: Ah okay, just include in the FILE setting, I guess.

Last edited by L0g4nAd4ms (2021-04-02 16:19:01)


#4 2021-04-02 16:14:24

progandy
Member
Registered: 2012-05-17
Posts: 5,201

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

You need to use /etc/crypttab.initramfs instead (or use the kernel options)

$ mkinitcpio -H sd-encrypt
==> Help for hook 'sd-encrypt':
This hook allows for an encrypted root device with systemd initramfs.

See the manpage of systemd-cryptsetup-generator(8) for available kernel
command line options. Alternatively, if the file /etc/crypttab.initramfs
exists, it will be added to the initramfs as /etc/crypttab. See the
crypttab(5) manpage for more information on crypttab syntax.

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#5 2021-04-02 16:41:36

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Okay, so I tried it now with those new settings in my mkinitcpio.conf:

MODULES=()
BINARIES=(/usr/lib/libfido2.so.1)
FILES=(/etc/crypttab)
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)

However, it still does not work. Tried it with the symlink from /etc/crypttab to /etc/crypttab.initramfs without the FILE setting also, but that did not work either.

Edit: Here are my bootloader settings:

title Arch Linux
linux /vmlinuz-linux-lts
initrd /intel-ucode.img
initrd /initramfs-linux-lts.img
options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root

Last edited by L0g4nAd4ms (2021-04-02 16:46:44)


#6 2021-04-02 17:00:58

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

if you specify the LUKS/cryptsetup options on the kernel command line you need to add the `fido2-device=auto` here too:
`options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root`


see rd.luks.options:
https://wiki.archlinux.org/index.php/Dm … d.luks.key


#7 2021-04-02 17:08:10

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Edit: Why is it necessary to additionally specify this kernel option `fido2-device=auto`? It seems kind of redundant when having this already in `/etc/crypttab`.

Last edited by L0g4nAd4ms (2021-04-02 17:09:35)


#8 2021-04-03 10:17:33

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

OK, so I tried to specify

rd.luks.options=fido2-device=auto

on the kernel commandline, that changed something, but only that I could not login anymore.
I had to revert, because systemd waited for the cryptsetup start job.


#9 2021-04-05 11:39:16

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

L0g4nAd4ms wrote:

OK, so I tried to specify

rd.luks.options=fido2-device=auto

on the kernel commandline, that changed something, but only that I could not login anymore.
I had to revert, because systemd waited for the cryptsetup start job.

please read the wiki page/docs

the syntax is

rd.luks.options=<uuid>=the,options,list

Last edited by damjan (2021-04-05 11:39:33)


#10 2021-04-06 18:13:27

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Oops, my bad. However, with

options rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root rd.luks.options=fido2-device=auto,timeout=15s,keyfile-timeout=15s

I still get the same problems.

systemd 248 (248-3-arch)
5.11.11-zen1-1-zen

Last edited by L0g4nAd4ms (2021-04-06 18:13:48)


#11 2021-04-13 11:53:15

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

I don't see that you have fixed the issue?

rd.luks.options=2febec65-739a-405e-9180-72165c237b9f=fido2-device=auto

Last edited by damjan (2021-04-13 11:55:10)


#12 2021-04-18 10:50:39

L0g4nAd4ms
Member
Registered: 2021-04-02
Posts: 8

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

Thanks, that did work indeed. I initially omitted the UUID in the options because of this section in the arch wiki

Set options for the device specified by its UUID or, if not specified, for all UUIDs not specified elsewhere (e.g., crypttab).

One minor thing is that systemd does not explicitly ask for the FIDO2 token (i.e. it does not tell me to plug in a FIDO2 token) and there is no fallback to password input.

Last edited by L0g4nAd4ms (2021-04-18 10:51:38)

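As an added example that is not part of this thread: a small POSIX sh function that audits a bootloader options line for the pairing damjan describes in #11. A device counts as configured only when an rd.luks.options entry is prefixed with that device's own UUID and contains fido2-device=; a UUID-less entry is reported as global, which the wiki sentence quoted above says only reaches devices not configured elsewhere (e.g. crypttab). The command lines checked at the bottom are constructed from the thread's own UUID and root device.

```shell
# Added example, not from the thread. Usage: check_luks_cmdline "<options line>"
# Prints one line per rd.luks.name= device and returns 0 only when every such
# device has a UUID-scoped rd.luks.options entry containing fido2-device=.
check_luks_cmdline() {
    cmdline=$1
    status=0
    # First pass: flag UUID-less (global) rd.luks.options entries.
    for word in $cmdline; do
        case $word in
            rd.luks.options=*)
                val=${word#rd.luks.options=}
                # Device-specific form is <uuid>=opt,opt; a UUID has four dashes.
                case ${val%%=*} in
                    *-*-*-*-*) ;;
                    *) echo "warning: global rd.luks.options=$val only applies to devices not listed elsewhere (e.g. crypttab)" ;;
                esac ;;
        esac
    done
    # Second pass: for each named device, look for its own options entry.
    for word in $cmdline; do
        case $word in
            rd.luks.name=*)
                pair=${word#rd.luks.name=}
                uuid=${pair%%=*}
                name=${pair#*=}
                dev_opts=''
                for other in $cmdline; do
                    case $other in
                        rd.luks.options=$uuid=*) dev_opts=${other#rd.luks.options=$uuid=} ;;
                    esac
                done
                case ",$dev_opts," in
                    *,fido2-device=*) echo "$name ($uuid): fido2-device set via '$dev_opts'" ;;
                    *) echo "$name ($uuid): no UUID-scoped fido2-device option, expect a passphrase prompt"
                       status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# Constructed from the thread: the final working line from #11.
check_luks_cmdline "rd.luks.name=2febec65-739a-405e-9180-72165c237b9f=cryptlvm root=/dev/z97-linux-vg/root rd.luks.options=2febec65-739a-405e-9180-72165c237b9f=fido2-device=auto"
```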

#13 2021-04-19 09:55:10

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

L0g4nAd4ms wrote:

One minor thing is that systemd does not explicitly ask for the FIDO2 token (i.e. it does not tell me to plug in a FIDO2 token) and there is no fallback to password input.

I guess those UX improvements will come in the next release


#14 2021-04-19 23:15:04

damjan
Member
Registered: 2006-05-30
Posts: 452

Re: systemd 248: Unlocking LUKS partition with FIDO2 Token: initramfs

also, after https://github.com/archlinux/svntogit-p … 0abf207a3a (cryptsetup 2.3.5-2)

BINARIES=(/usr/lib/libfido2.so.1) is not needed any more

