Hi all,
I am using an EFI/UKI boot with a LUKS-encrypted root (high-entropy passphrase) and a separate TPM-encrypted swap dedicated to hibernation (it gets wiped if dirty on every boot or resume), and everything is working well.
The one outstanding issue is getting an on-screen keyboard running in time for root unlock. I am trying to configure a systemd wrapper around unl0kr to include in the mkinitcpio-generated initramfs.
If I read things correctly, it should be doable by implementing a password agent watching /run/systemd/ask-password (which is also how Plymouth seems to do it, to my reading)? However, I am unfamiliar with systemd and can't seem to get it to even log a kmsg message based on /run/systemd/ask-password before root unlock is finished.
sd-unl0kr:
```
#!/bin/sh
# mkinitcpio install hook: copies unl0kr, socat, the wrapper and the two
# systemd units into the initramfs and hooks the .path unit into
# cryptsetup-pre.target.

depend() {
    printf '%s\n' systemd
}

build() {
    SRCDIR="/etc/initcpio/install"

    # add unl0kr + conf and socat (with all libs)
    add_binary unl0kr
    add_file "${SRCDIR}/unl0kr.conf" "/etc/unl0kr.conf"
    add_binary socat

    # add wrapper + units
    add_binary "${SRCDIR}/unl0kr-wrapper"
    add_file "${SRCDIR}/sd-unl0kr.path" "/usr/lib/systemd/system/sd-unl0kr.path"
    add_file "${SRCDIR}/sd-unl0kr.service" "/usr/lib/systemd/system/sd-unl0kr.service"

    # install .path unit into cryptsetup-pre.target.wants
    add_dir "/usr/lib/systemd/system/cryptsetup-pre.target.wants"
    add_symlink "/usr/lib/systemd/system/sd-unl0kr.path" "/usr/lib/systemd/system/cryptsetup-pre.target.wants/sd-unl0kr.path"
}

help() {
    cat <<-EOF
sd-unl0kr:
: prompt via unl0kr and feed into systemd-ask-password socket
EOF
}

# /etc/initcpi
```
sd-unl0kr.path:
```
[Unit]
Description=Watch ask-password to launch unl0kr
# Without this the path unit implicitly gets After=sysinit.target, which is
# only reached after the root volume has already been unlocked.
DefaultDependencies=no

[Path]
PathExistsGlob=/run/systemd/ask-password/ask.*
PathCreatedGlob=/run/systemd/ask-password/ask.*
# must name the service that actually exists (was unl0kr.service)
Unit=sd-unl0kr.service

[Install]
WantedBy=cryptsetup-pre.target
```
sd-unl0kr.service:
```
[Unit]
Description=Launch unl0kr for systemd-ask-password
DefaultDependencies=no
After=cryptsetup-pre.target

[Service]
Type=oneshot
ExecStartPre=/bin/sh -c 'echo "[sd-unl0kr] .service starting" > /dev/kmsg'
ExecStart=/usr/bin/unl0kr-wrapper
```
What is the correct way to set up the systemd unit to watch /run/systemd/ask-password and fire before sd-encrypt root unlock finishes?
Thanks!
Last edited by txret (2025-06-10 09:40:07)
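For readers following the same route, here is an added example (not the poster's unl0kr-wrapper) of what the wrapper has to do as a systemd password agent: parse the `ask.*` request file, check that the asking process is still alive, and answer on the `Socket=` path with a single `+passphrase` datagram. It assumes unl0kr prints the entered passphrase on stdout and that socat is present in the initramfs, as the install hook above arranges.

```shell
#!/bin/sh
# Prototype for the unl0kr-wrapper role: a minimal systemd password agent.
# Assumptions (not from the original post): unl0kr prints the entered passphrase
# on stdout, and socat is present in the initramfs (both are added by the hook).
ASK_DIR="${ASK_DIR:-/run/systemd/ask-password}"

# ask_field FILE KEY: value of KEY= from the [Ask] section of an ask.* file.
ask_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# ask_pending FILE: succeed only while the requesting process (PID=) is alive;
# stale ask.* files are left for systemd to garbage-collect. (NotAfter= is not
# checked here.)
ask_pending() {
    pid=$(ask_field "$1" PID)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# reply_password FILE PASSPHRASE: answer the request. The protocol is one
# AF_UNIX datagram to the Socket= path: "+" followed by the passphrase (no
# trailing newline, it would become part of the password), or "-" to cancel.
reply_password() {
    sock=$(ask_field "$1" Socket)
    [ -S "$sock" ] || return 1
    printf '+%s' "$2" | socat -u STDIN "UNIX-SENDTO:$sock"
}

# run_agent: serve every pending request once. The .path unit re-triggers the
# oneshot service whenever a new ask.* file appears, so no polling loop is needed.
run_agent() {
    for f in "$ASK_DIR"/ask.*; do
        [ -e "$f" ] || continue
        ask_pending "$f" || continue
        printf '[sd-unl0kr] %s\n' "$(ask_field "$f" Message)" > /dev/kmsg
        if pw=$(unl0kr); then
            reply_password "$f" "$pw"
        else
            # user aborted: cancel the request so cryptsetup does not hang
            printf '%s' - | socat -u STDIN "UNIX-SENDTO:$(ask_field "$f" Socket)"
        fi
    done
}

# invoked from the unit as: ExecStart=/usr/bin/unl0kr-wrapper --agent
case "${1-}" in --agent) run_agent ;; esac
```

The ask file format ([Ask] section with PID=, Socket=, Message=, Id=) and the `+`/`-` datagram reply are the documented systemd password-agent protocol; only the unl0kr and socat invocation is specific to this setup.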
Follow-up for anyone interested: I got everything working, including unl0kr, and documented it, including custom scripts etc., at: https://github.com/txret/uki-encryption-setup.
Short overview of concept:
Reasonably secure Arch Linux UEFI direct-boot UKI install with encrypted root and touch screen support (currently through unl0kr from the AUR), usable on a Microsoft Surface Pro 9. Power off should render the device hard to compromise even in the face of vulnerabilities/backdoors in Secure Boot/TPM, by splitting the key between hardware and user so an attacker must defeat both Secure Boot/TPM and recover the user passphrase. Failure in either should allow for tampering detection. Day-to-day convenience with some security through hibernation and a reasonably high-entropy passphrase.