Created attachment 737932 [details]
emerge info

When libfido2 was upgraded to version 1.8.0 I am unable to enroll/use a FIDO2 token with the systemd-cryptenroll tool.

To be strict, the FIDO2 device is a Yubikey 5:

fido2-token -L
/dev/hidraw2: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

Usual behaviour:

systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3 --fido2-with-client-pin=no --fido2-with-user-verification=no --fido2-with-user-presence=no
🔐 Please enter current passphrase for disk /dev/nvme1n1p3: *********
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
🔐 Please enter security token PIN: ******
Generating secret key on FIDO2 security token.
👆 Locking without user presence test requested, but FIDO2 device /dev/hidraw2 requires it, enabling.
New FIDO2 token enrolled as key slot 2.

Current:

systemd-cryptenroll --fido2-device=auto /dev/nvme1n1p3 --fido2-with-client-pin=no --fido2-with-user-verification=no --fido2-with-user-presence=no
🔐 Please enter current passphrase for disk /dev/nvme1n1p3: *********
Failed to open FIDO2 device /dev/hidraw2: FIDO_ERR_INTERNAL
What version of systemd?
Please set SYSTEMD_LOGLEVEL=debug in the environment and run systemd-cryptenroll to generate debug output.
(In reply to Mike Gilbert from comment #1)
> What version of systemd?

sys-apps/systemd-249.4
FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option clientPin: yes
Has rk ('Resident Key') support: yes
Has clientPin support: yes
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
Allocating context for crypt device /dev/nvme1n1p3.
Trying to open and read device /dev/nvme1n1p3 with direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /dev/nvme1n1p3.
Crypto backend (OpenSSL 1.1.1l 24 Aug 2021) initialized in cryptsetup library version 2.4.0.
Detected kernel Linux 5.13.14 x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/nvme1n1p3
Veryfing locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:9xxxxxxxxxxxx (on-disk)
Checksum:9dxxxxxxxxxxx (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/nvme1n1p3
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:19xxxxxxxxxxx (on-disk)
Checksum:19xxxxxxxxxxx (in-memory)
Device size 999663820800, offset 16777216.
Device /dev/nvme1n1p3 READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
🔐 Please enter current passphrase for disk /dev/nvme1n1p3: *********
Failed to adjust kernel keyring key timeout: Permission denied
Added key to kernel keyring as 1026252107.
Keyslot 3 priority 1 != 2 (required), skipped.
Keyslot 0 priority 1 != 2 (required), skipped.
Keyslot 1 priority 1 != 2 (required), skipped.
Keyslot 2 priority 1 != 2 (required), skipped.
Trying to open LUKS2 keyslot 3.
Reading keyslot area [0xc5000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 3, digest 0.
Digest 0 (pbkdf2) verify failed with -1.
Trying to open LUKS2 keyslot 0.
Reading keyslot area [0x8000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 0, digest 0.
Failed to open FIDO2 device /dev/hidraw2: FIDO_ERR_INTERNAL
Releasing crypt device /dev/nvme1n1p3 context.
Releasing device-mapper backend.
Closing read only fd for /dev/nvme1n1p3.
Version 1.7.0:

FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option clientPin: yes
Has rk ('Resident Key') support: yes
Has clientPin support: yes
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
Allocating context for crypt device /dev/nvme1n1p3.
Trying to open and read device /dev/nvme1n1p3 with direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /dev/nvme1n1p3.
Crypto backend (OpenSSL 1.1.1l 24 Aug 2021) initialized in cryptsetup library version 2.4.0.
Detected kernel Linux 5.13.14 x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/nvme1n1p3
Veryfing locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:9dxxxxxxxxxxxxxxxxxx (on-disk)
Checksum:9dxxxxxxxxxxxxxxxxxx (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/nvme1n1p3
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:19xxxxxxxxxxxxxxxxxx (on-disk)
Checksum:19xxxxxxxxxxxxxxxxxx (in-memory)
Device size 999663820800, offset 16777216.
Device /dev/nvme1n1p3 READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
🔐 Please enter current passphrase for disk /dev/nvme1n1p3: *********
Failed to adjust kernel keyring key timeout: Permission denied
Added key to kernel keyring as 1026252107.
Keyslot 3 priority 1 != 2 (required), skipped.
Keyslot 0 priority 1 != 2 (required), skipped.
Keyslot 1 priority 1 != 2 (required), skipped.
Keyslot 2 priority 1 != 2 (required), skipped.
Trying to open LUKS2 keyslot 3.
Reading keyslot area [0xc5000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 3, digest 0.
Digest 0 (pbkdf2) verify failed with -1.
Trying to open LUKS2 keyslot 0.
Reading keyslot area [0x8000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 0, digest 0.
FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option clientPin: yes
Has rk ('Resident Key') support: yes
Has clientPin support: yes
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
🔐 Please enter security token PIN: ******
Generating secret key on FIDO2 security token.
👆 Locking without user presence test requested, but FIDO2 device /dev/hidraw2 requires it, enabling.
Token requires PIN for assertion, enabling.
PBKDF pbkdf2-sha512, time_ms 0 (iterations 1000).
Adding new keyslot -1 using volume key.
Adding new keyslot -1 with volume key assigned to a crypt segment.
Selected keyslot 4.
Keyslot 4 assigned to digest 0.
Trying to allocate LUKS2 keyslot 4.
Found area 1064960 -> 1323008
Reusing PBKDF values (no benchmark flag is set).
Calculating attributes for LUKS2 keyslot 4.
Acquiring write lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/nvme1n1p3
Updating keyslot area [0x104000].
Opening locked device /dev/nvme1n1p3
Veryfing locked device handle (bdev)
Device size 999663820800, offset 16777216.
Device /dev/nvme1n1p3 WRITE lock already held.
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/nvme1n1p3
Checksum:f6xxxxxxxxxxxxxxxxxxx (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/nvme1n1p3
Checksum:7cxxxxxxxxxxxxxxxxxxx (in-memory)
Device /dev/nvme1n1p3 WRITE lock released.
Adding token text <{"type":"systemd-fido2","keyslots":["4"],"fido2-credential":"xxxxxxxxxxxxxxxxxx","fido2-salt":"xxxxxxxxxxxxxxxxxxx","fido2-rp":"io.systemd.cryptsetup","fido2-clientPin-required":true,"fido2-up-required":true,"fido2-uv-required":false}>
Updating JSON for token -1.
Trying to load /usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so.
/usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so: cannot open shared object file: No such file or directory
Device size 999663820800, offset 16777216.
Acquiring write lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 WRITE lock taken.
Checking context sequence id matches value stored on disk.
Reusing open ro fd on device /dev/nvme1n1p3
Trying to write LUKS2 header (16384 bytes) at offset 0.
Reusing open rw fd on device /dev/nvme1n1p3
Checksum:2c54bcb93b090b44c86e80ca3b9a974df0e7755ebcc5d26bd1c76079c6ade007 (in-memory)
Trying to write LUKS2 header (16384 bytes) at offset 16384.
Reusing open rw fd on device /dev/nvme1n1p3
Checksum:ee5e887deeb619d7f2ca5461894f0d6e9a3914c2111b1a96d50b1013acb995d1 (in-memory)
Device /dev/nvme1n1p3 WRITE lock released.
New FIDO2 token enrolled as key slot 4.
Releasing crypt device /dev/nvme1n1p3 context.
Releasing device-mapper backend.
Closing read only fd for /dev/nvme1n1p3.
Closing read write fd for /dev/nvme1n1p3.
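The working 1.7.0 log above shows that systemd-cryptenroll silently upgraded the requested policy ("Locking without user presence test requested, but FIDO2 device /dev/hidraw2 requires it, enabling." and "Token requires PIN for assertion, enabling.") and then wrote a systemd-fido2 token object into the LUKS2 header with fido2-clientPin-required and fido2-up-required both true. A practitioner who asked for --fido2-with-client-pin=no will want to verify what actually landed on disk. The following script is an added example, not code from the bug report, systemd or libfido2: it audits the "tokens" section of `cryptsetup luksDump --dump-json-metadata` output and reports every systemd-fido2 token whose stored requirements differ from the requested ones, that references a keyslot which does not exist, or whose credential/salt fields are malformed. The field names come from the "Adding token text" line in the log; the sample metadata, the keyslot priority values and the base64 placeholder credential/salt bytes are constructed for this example, and the assumption that those two fields are base64-encoded is the author's.

```python
import base64
import json

# Constructed sample of `cryptsetup luksDump --dump-json-metadata` output, trimmed to
# the objects this check needs. Token "0" mirrors the object systemd-cryptenroll wrote
# in the debug log above; token "1" is deliberately broken so the checks have something
# to report. Credential/salt bytes are made-up placeholders, not real token data.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "priority": 1},
        "4": {"type": "luks2", "priority": 2},
    },
    "tokens": {
        "0": {
            "type": "systemd-fido2",
            "keyslots": ["4"],
            "fido2-credential": base64.b64encode(b"\x01" * 16).decode(),
            "fido2-salt": base64.b64encode(b"\x02" * 32).decode(),
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": True,
            "fido2-up-required": True,
            "fido2-uv-required": False,
        },
        "1": {
            "type": "systemd-fido2",
            "keyslots": ["9"],          # dangling reference: keyslot 9 does not exist
            "fido2-credential": "",     # empty credential id
            "fido2-salt": "not base64!!",
            "fido2-rp": "io.systemd.cryptsetup",
            "fido2-clientPin-required": False,
            "fido2-up-required": False,
            "fido2-uv-required": False,
        },
    },
})


def _is_base64(value):
    """True if value is a non-empty string that strictly decodes as base64 (assumed encoding)."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit_fido2_tokens(metadata_json, want_pin=False, want_up=False, want_uv=False):
    """Return a list of (token_id, message) findings for systemd-fido2 tokens.

    want_pin/want_up/want_uv are the requirements you asked systemd-cryptenroll for
    (the --fido2-with-client-pin/--fido2-with-user-presence/--fido2-with-user-verification
    flags). A finding is emitted wherever the header disagrees with that request.
    """
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    findings = []
    for tid, tok in sorted(meta.get("tokens", {}).items()):
        if tok.get("type") != "systemd-fido2":
            continue
        # Every keyslot the token unlocks must exist in the header.
        for slot in tok.get("keyslots", []):
            if slot not in keyslots:
                findings.append((tid, f"references missing keyslot {slot}"))
        # Credential id and HMAC salt must be present and well-formed.
        for field in ("fido2-credential", "fido2-salt"):
            if not _is_base64(tok.get(field, "")):
                findings.append((tid, f"{field} is empty or not valid base64"))
        # systemd always enrolls against its own relying-party id.
        if tok.get("fido2-rp") != "io.systemd.cryptsetup":
            findings.append((tid, f"unexpected relying party {tok.get('fido2-rp')!r}"))
        # Compare the stored policy with what was requested on the command line.
        for key, wanted, label in (
            ("fido2-clientPin-required", want_pin, "client PIN"),
            ("fido2-up-required", want_up, "user presence"),
            ("fido2-uv-required", want_uv, "user verification"),
        ):
            stored = bool(tok.get(key, False))
            if stored != wanted:
                findings.append((tid, f"{label} requirement is {stored}, requested {wanted}"))
    return findings


if __name__ == "__main__":
    # Audit the sample as if enrollment had been run with all three flags set to "no".
    for token_id, message in audit_fido2_tokens(SAMPLE_METADATA):
        print(f"token {token_id}: {message}")
```

Run against a real header with `cryptsetup luksDump --dump-json-metadata /dev/nvme1n1p3 | python3 audit.py` after replacing SAMPLE_METADATA with stdin; the point of the check is that a policy mismatch is reported from the header itself rather than from a debug line that is easy to miss at enrollment time.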
Ok, this does seem to be an issue in libfido2. I will leave it to other developers more familiar with this library.
I would suggest creating an issue upstream. Hopefully they will be better equipped to help you with this. https://github.com/Yubico/libfido2
Upstream bug report URL: https://github.com/Yubico/libfido2/issues/385
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4f43b6837d616fef3678a80562b0d483d0ce7cb

commit b4f43b6837d616fef3678a80562b0d483d0ce7cb
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-09-08 18:23:16 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-09-08 18:29:25 +0000

    sys-apps/systemd: backport FIDO2 fix

    Closes: https://bugs.gentoo.org/811864
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/249-fido2.patch             | 58 ++++++++++++++++++++++
 ...emd-249.4-r1.ebuild => systemd-249.4-r2.ebuild} |  1 +
 2 files changed, 59 insertions(+)