
Bug#1023700: cryptsetup: Option fido2-device unknown


Peter Wienemann

Nov 8, 2022, 3:10:04 PM
Package: cryptsetup
Version: 2:2.5.0-6
Severity: normal

Dear maintainer,

inspired by [0] I am trying to unlock a LUKS volume using a FIDO2 token
on a system running bookworm/testing using systemd 252-2.

The relevant line in /etc/crypttab looks like this:

--------------------------------------------------------------------
rootfs /dev/nvme0n1p3 none luks,discard,fido2-device=auto
--------------------------------------------------------------------

After running

systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3

and adding the "fido2-device=auto" option in /etc/crypttab, I obtain the
following warning during updating the initramfs image:

--------------------------------------------------------------------
cryptsetup: WARNING: rootfs: ignoring unknown option 'fido2-device'
--------------------------------------------------------------------

As a result, it comes as no surprise that unlocking the volume using the
FIDO2 token does not work as desired.

Best regards,

Peter

[0] https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

micah anderson

Feb 24, 2023, 10:30:05 AM

I've tried the same thing, and get the same results. It appears that the
systemd support is there, the cryptsetup support is there, but just
cryptsetup-initramfs is not somehow there also.

It would be a shame to release bookworm with just the initramfs feature
missing, when all the other pieces are there. Do you have any idea what
might be blocking this?

For what it is worth, dracut does work.

--
micah

Guy Rutenberg

Mar 5, 2023, 3:10:04 PM
On Fri, 24 Feb 2023 10:25:29 -0500 micah anderson <mi...@riseup.net> wrote:
>
> I've tried the same thing, and get the same results. It appears that the
> systemd support is there, the cryptsetup support is there, but just
> cryptsetup-initramfs is not somehow there also.

The old/regular cryptsetup is a different binary than the systemd-cryptsetup. Only systemd-cryptsetup supports fido2 unlocking.

> It would be a shame to release bookworm with just the initramfs feature
> missing, when all the other pieces are there. Do you have any idea what
> might be blocking this?
>
> For what it is worth, dracut does work.
>

dracut works because it's based on systemd, so it uses systemd-cryptsetup.


Thanks,
Guy
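An added check, not code from any of the posters, that catches the mismatch discussed in this thread before the initramfs is rebuilt: it scans a crypttab for options that only systemd-cryptsetup understands and that the classic cryptsetup binary shipped by cryptsetup-initramfs ignores. The option names fido2-device, tpm2-device and pkcs11-uri are assumed from systemd's crypttab(5); the crypttab content below is constructed, with the first line modelled on the reporter's.

```shell
#!/bin/sh
# Scan a crypttab for options that only systemd-cryptsetup understands.
# The classic cryptsetup binary that Debian's cryptsetup-initramfs hook
# copies into the initramfs ignores them ("ignoring unknown option").
# Option names assumed from systemd's crypttab(5).
set -f   # no pathname expansion while splitting fields with set --

# check_crypttab FILE: print one line per affected mapping;
# return 0 when the file is clean, 1 when any such option was found.
check_crypttab() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # blank line or comment
        set -- $line                    # fields: name device keyfile options
        name=$1
        opts=$(printf '%s' "${4:-}" | tr ',' ' ')
        for opt in $opts; do
            case "${opt%%=*}" in        # compare the key only, drop "=value"
                fido2-device|tpm2-device|pkcs11-uri)
                    printf '%s: %s needs systemd-cryptsetup in the initramfs\n' \
                        "$name" "${opt%%=*}"
                    found=$((found + 1)) ;;
            esac
        done
    done < "$file"
    [ "$found" -eq 0 ]
}

# Constructed samples (not real systems); the first mirrors the report.
BAD_SAMPLE=$(mktemp)
cat > "$BAD_SAMPLE" <<'EOF'
# <target name> <source device> <key file> <options>
rootfs /dev/nvme0n1p3 none luks,discard,fido2-device=auto
data   /dev/nvme0n1p4 /etc/keys/data.key luks,discard
EOF
GOOD_SAMPLE=$(mktemp)
printf 'data /dev/nvme0n1p4 none luks,discard\n' > "$GOOD_SAMPLE"

# Run against the constructed file; a non-zero status flags the problem.
check_crypttab "$BAD_SAMPLE" || echo "exit status: $?"
```

Run it as `check_crypttab /etc/crypttab` on a real system; any line it prints names a mapping that the initramfs-tools hook will not be able to unlock with that option.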