Yubico/libfido2

LUKS-encrypted partition is not automatically unlocked during the boot process with a fido2 key

jean-christophe-manciot opened this issue · 5 comments

What version of libfido2 are you using?
1.10.0-1

What operating system are you running?
ubuntu 22.04
linux 5.19.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC Tue Aug 2 07:35:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

What application are you using in conjunction with libfido2?
not sure what process calls libfido2 during boot, maybe systemd-cryptsetup

How does the problem manifest itself?
only during boot, not after login

Is the problem reproducible?
yes

What are the steps that lead to the problem?

  1. The partition is encrypted with LUKS2 and a FIDO2 key has been enrolled with:
     systemd-cryptenroll --fido2-device=auto /dev/<device>
  2. Define an entry for the LUKS2-encrypted device in /etc/crypttab:
     <target_name> LABEL=<label> none luks,fido2-device=auto
  3. Define an entry for the LUKS2-encrypted device in /etc/fstab:
     /dev/mapper/<target_name> /media/<folder> ext4 defaults,noatime 0 0
  4. Add a few steps after the crypttab modifications:
     systemctl daemon-reload
     update-initramfs -u -k all (not sure if this is required though)
  5. Check that the encrypted partition is unlocked and mounted correctly:
     /lib/systemd/systemd-cryptsetup attach <target_name> /dev/<device> none luks,fido2-device=auto
     Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/<device>
     Automatically discovered security FIDO2 token unlocks volume.
     Asking FIDO2 token for authentication.
     👆 Please confirm presence on security token to unlock.
  6. Reboot.
  7. It fails to unlock the partition.
  8. The log shows:
     Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_INTERNAL

or sometimes

Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_RX

even though the FIDO2 device is plugged into the usb port the whole boot process.

Please include the output of fido2-token -L.

$ fido2-token -L
/dev/hidraw5: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

Please include the output of fido2-token -I.

$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x02
build: 0x04
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: 2fc0579f811347eab116bb5a8db9202a
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
fwversion: 0x0
pin protocols: 1
pin retries: undefined
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

$ export FIDO_DEBUG=1
$ <command1>
$ <command2>
(...)
$ <commandn>
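The enrolment steps in the report, and the later question of whether a rebuilt libfido2 is actually the one the boot path uses, lend themselves to a small helper script. The following is an added example, not code from the issue, from libfido2 or from systemd: it renders the crypttab and fstab lines in the shape the report uses, sanity-checks a crypttab line before a reboot (key file `none`, a `fido2-device=` option present), and reports the libfido2 package version on the root filesystem alongside any `libfido2.so` copy found inside the initramfs image. It assumes Debian/Ubuntu tooling (`dpkg-query`, and `lsinitramfs` from initramfs-tools), the Ubuntu package name `libfido2-1`, and the default image path `/boot/initrd.img-$(uname -r)`; the target name `data`, label `DATA` and mount point `/media/data` are made-up values for illustration.

```shell
#!/bin/sh
# Added example (not from the issue, libfido2 or systemd). Helpers for the
# LUKS2 + FIDO2 enrolment procedure: build the crypttab/fstab lines, check a
# crypttab line before rebooting, and show which libfido2 copies exist.
# Assumes Debian/Ubuntu tooling (dpkg-query, lsinitramfs) and the Ubuntu
# package name libfido2-1.

# crypttab line for a LUKS2 volume unlocked by an auto-discovered FIDO2 token.
# $1 = mapper target name, $2 = filesystem LABEL of the LUKS container
crypttab_entry() {
    printf '%s LABEL=%s none luks,fido2-device=auto\n' "$1" "$2"
}

# fstab line mounting the opened mapper device. $1 = target, $2 = mount point
fstab_entry() {
    printf '/dev/mapper/%s %s ext4 defaults,noatime 0 0\n' "$1" "$2"
}

# Check one crypttab line: four fields, key file 'none' (so systemd-cryptsetup
# asks the token instead of reading a static key file), and a fido2-device=
# option. Returns 0 when the line is usable, 1 with a reason on stderr.
check_crypttab_line() {
    set -- $1   # split the line into its whitespace-separated fields
    if [ "$#" -lt 4 ]; then
        echo "crypttab: expected 'name device keyfile options'" >&2
        return 1
    fi
    if [ "$3" != none ]; then
        echo "crypttab: key file must be 'none' for token unlock, got '$3'" >&2
        return 1
    fi
    case ",$4," in
        *,fido2-device=*) return 0 ;;
        *) echo "crypttab: options lack fido2-device=" >&2; return 1 ;;
    esac
}

# Show the libfido2 package installed on the root filesystem and any libfido2
# shared object carried inside the initramfs image ($1, default: the running
# kernel's image). After building a fixed libfido2, this tells you whether an
# older copy is still baked into the image (then rebuild it with
# update-initramfs -u -k all).
report_libfido2_versions() {
    img=${1:-/boot/initrd.img-$(uname -r)}
    echo "installed: $(dpkg-query -W -f='${Version}' libfido2-1 2>/dev/null || echo 'not packaged')"
    if [ -r "$img" ]; then
        echo "in $img:"
        lsinitramfs "$img" | grep 'libfido2\.so' || echo "  (no libfido2 in image)"
    fi
}

# Demo with made-up values: target 'data', label 'DATA', mount /media/data.
crypttab_entry data DATA
fstab_entry data /media/data
check_crypttab_line "$(crypttab_entry data DATA)" && echo "crypttab line OK"
```

Run `report_libfido2_versions` as root after installing a newer libfido2 build; if the image still lists the old shared object, the boot-time unlock may be running code that predates the fix even though `fido2-token` works fine after login.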

Thank you for the bug report. There is reason to believe this was recently fixed in 9371b41, which is yet unreleased. Would it be possible for you to try libfido2 built from HEAD?

OK, I'll try, but first, I'd like to test with an older linux version (5.15).

Same issue with 5.15.0-46-generic #49-Ubuntu SMP Thu Aug 4 18:03:25 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux.

I have built 1.11.0-130-g7b7ce2b and the error is gone.
That's a relief! Thanks. :-)

I will provide the package online for jammy & bookworm soon.

Thank you for testing and for the feedback!