
Bug#1016727: dracut: FIDO2 support for encrypted root FS is missing libraries (libz.so.*)


David Härdeman

Aug 6, 2022, 5:40:04 AM
Package: dracut
Version: 056-3
Severity: normal
X-Debbugs-Cc: da...@hardeman.nu

Dear Maintainer,

I've tried enabling unlocking a LUKS encrypted root partition using a FIDO2
key (Yubikey in my case), mostly by following these instructions:

https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/

In essence:
1. systemd-cryptenroll <dev> --fido2-device=auto <options>
2. Add "fido2-device=auto" to /etc/crypttab
3. apt install dracut

This gives an error message during boot, saying that FIDO2 isn't supported.

By some trial and error, I've determined that the missing library is
/lib/x86_64-linux-gnu/libz.so.*

root@experiment:~# ldd /usr/lib/systemd/systemd-cryptsetup
linux-vdso.so.1 (0x00007ffd21b7f000)
libsystemd-shared-251.so => /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-251.so (0x00007f1105600000)
libcryptsetup.so.12 => /lib/x86_64-linux-gnu/libcryptsetup.so.12 (0x00007f1105913000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1105427000)
libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007f110541c000)
libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007f11053c5000)
libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f11053ba000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f110537f000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1105379000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f1105232000)
libip4tc.so.2 => /lib/x86_64-linux-gnu/libip4tc.so.2 (0x00007f1105228000)
libkmod.so.2 => /lib/x86_64-linux-gnu/libkmod.so.2 (0x00007f110520b000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f11051e8000)
libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007f1105185000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1104c00000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f1105173000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f1105169000)
libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007f1105149000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f110511b000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f1104b47000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f11050f3000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1104a04000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f11050d2000)
/lib64/ld-linux-x86-64.so.2 (0x00007f11059a5000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f11050c9000)
libdevmapper.so.1.02.1 => /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1 (0x00007f1104997000)
libargon2.so.1 => /lib/x86_64-linux-gnu/libargon2.so.1 (0x00007f11050bd000)
libjson-c.so.5 => /lib/x86_64-linux-gnu/libjson-c.so.5 (0x00007f11050aa000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f110496e000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007f110493c000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f11048a0000)
libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007f1104876000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007f11050a0000)

So systemd-cryptsetup doesn't link to libz.so.*...but....

root@experiment:~# ldd /lib/x86_64-linux-gnu/libfido2.so.1
linux-vdso.so.1 (0x00007ffd32a7b000)
libcbor.so.0.8 => /lib/x86_64-linux-gnu/libcbor.so.0.8 (0x00007fd93784f000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fd937200000)
libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007fd937825000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd937808000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd937027000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd93789d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd937802000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd9377df000)

libfido2.so.* is included in the generated initrd, but its dependency (libz.so.*) isn't.

As a workaround for now, I've modified /usr/lib/dracut/modules.d/91fido2/module-setup.sh:

root@experiment:/usr/lib/dracut/modules.d/91fido2# diff -u module-setup.sh.orig module-setup.sh
--- module-setup.sh.orig 2022-08-06 11:17:07.545520563 +0200
+++ module-setup.sh 2022-08-06 10:50:16.014249677 +0200
@@ -21,6 +21,7 @@
# Install required libraries.
_arch=${DRACUT_ARCH:-$(uname -m)}
inst_libdir_file \
+ {"tls/$_arch/",tls/,"$_arch/",}"libz.so.*" \
{"tls/$_arch/",tls/,"$_arch/",}"libfido2.so.*" \
{"tls/$_arch/",tls/,"$_arch/",}"libcryptsetup.so.*" \
{"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-fido2.so" \
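Review bot: the added libz.so.* entry in the inst_libdir_file list carries no comment saying why it is needed, and it sits above libfido2.so.* rather than next to the library that pulls it in. The ldd output in the report shows libz.so.1 as a dependency of libfido2.so.1, not of systemd-cryptsetup, so a one-line comment naming libfido2 as the consumer, with the entry placed directly after the libfido2.so.* line, would make the pairing clear to the next reader. Listing the dependency by name also covers only this one library; if the dependencies of libfido2 change again, the same boot failure returns, so resolving the dependencies of the installed libraries would be the more durable fix.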

But I guess dracut should automagically determine the dependencies of libs recursively?

Possibly related bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997827
https://github.com/dracutdevs/dracut/issues/996

Cheers,
David
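
The gap described in the report above (a library is copied into the initrd, but a library it depends on is not) can be checked before rebooting. This is an added example, not code from the report or from dracut: it compares saved ldd output against a listing of the image's contents. The one-path-per-line listing format and the sample listing are constructed; the ldd lines are taken from the report.

```shell
#!/bin/sh
# Added example (not dracut code): list libraries that ldd resolves on the
# host but that are absent from an initrd file listing.

# missing_libs LDD_FILE IMAGE_LIST
#   LDD_FILE   - saved output of `ldd <library-or-binary>`
#   IMAGE_LIST - paths inside the image, one per line (assumed format)
missing_libs() {
    awk '
        FILENAME == ARGV[1] {              # image listing: remember basenames
            n = split($0, p, "/"); present[p[n]] = 1; next
        }
        $2 == "=>" && $3 ~ /^\// { name = $1 }   # "soname => /path (addr)"
        $2 != "=>" && $1 ~ /^\// {               # loader: "/lib64/ld-... (addr)"
            n = split($1, p, "/"); name = p[n]
        }
        name != "" { if (!(name in present)) print name; name = "" }
    ' "$2" "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # ldd lines for libfido2.so.1 from the report (two entries omitted).
    cat > "$tmp/ldd.txt" <<'EOF'
linux-vdso.so.1 (0x00007ffd32a7b000)
libcbor.so.0.8 => /lib/x86_64-linux-gnu/libcbor.so.0.8 (0x00007fd93784f000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fd937200000)
libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007fd937825000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd937808000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd937027000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd93789d000)
EOF
    # Constructed listing of an image that lacks libz, as the report describes.
    cat > "$tmp/image.txt" <<'EOF'
usr/lib/x86_64-linux-gnu/libfido2.so.1
usr/lib/x86_64-linux-gnu/libcbor.so.0.8
usr/lib/x86_64-linux-gnu/libcrypto.so.3
usr/lib/x86_64-linux-gnu/libudev.so.1
usr/lib/x86_64-linux-gnu/libc.so.6
usr/lib64/ld-linux-x86-64.so.2
EOF
    out=$(missing_libs "$tmp/ldd.txt" "$tmp/image.txt")
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

demo    # prints: libz.so.1
```

Run it once per library the module installs, since ldd on the main binary alone does not show the dependencies of libraries that are only loaded at run time, which is the situation the two ldd listings in the report illustrate.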

Thomas Lange

Nov 15, 2022, 3:50:04 PM
I can confirm this for Debian bookworm. For bullseye libfido2.so.1 does
not need libz.
--
regards Thomas