LUKS-encrypted partition is not automatically unlocked during the boot process with a fido2 key

Bug #1983784 reported by jean-christophe manciot
Affects: libfido2 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Colin Watson
Milestone: (not set)

Bug Description

ubuntu 22.04
systemd 249.11-0ubuntu3.4

The partition is encrypted with luks2 and a fido2 key has been enrolled with:
systemd-cryptenroll --fido2-device=auto /dev/<device>

/etc/crypttab has been setup with:
<target_name> LABEL=<label> none fido2-device=auto

/etc/fstab has been setup with:
/dev/mapper/<target_name> /media/<folder> ext4 defaults,nofail 0 0

After the boot is complete, the partition has not been unlocked despite the fido2 key being present during the whole boot process.

Also, a manual unlock works with:
/lib/systemd/systemd-cryptsetup attach <target_name> /dev/<device> none fido2-device=auto
Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/<device>
Automatically discovered security FIDO2 token unlocks volume.
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.

How to automatically unlock the partition at boot?

Aaron Rainbolt (arraybolt3) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command only once, as it will automatically gather debugging information, in a terminal:
apport-collect 1983784

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

jean-christophe manciot (manciot-jeanchristophe) wrote :

More details about this issue:

libfido2-1: 1.10.0-1

Errors during the boot process:
Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_INTERNAL
or sometimes
Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_RX

even though:
- the FIDO2 device is plugged into the usb port the whole time
- such errors do not happen when the partition is manually unlocked **after** I have logged in as shown in my first post.

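A small shell diagnostic, added here and not part of the bug report or of libfido2, that checks a crypttab target against fstab the way the report configures them and scans boot log lines for the "Failed to open FIDO2 device" errors quoted above. The crypttab, fstab and log lines are constructed samples with the report's placeholders filled in; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the bug report: checks that a
# FIDO2-unlocked crypttab target is paired with a matching fstab entry, and
# scans boot log lines for the libfido2 open errors quoted in this report.

# check_crypttab_fstab TARGET CRYPTTAB_TEXT FSTAB_TEXT
# Prints "ok" when TARGET has a crypttab line carrying fido2-device= and an
# fstab line mounting /dev/mapper/TARGET with nofail; otherwise prints the
# first problem found and returns 1.
check_crypttab_fstab() {
    target=$1; crypttab=$2; fstab=$3
    line=$(printf '%s\n' "$crypttab" | awk -v t="$target" '$1 == t { print; exit }')
    [ -n "$line" ] || { echo "no crypttab entry for $target"; return 1; }
    case "$line" in
        *fido2-device=*) ;;
        *) echo "crypttab entry for $target lacks fido2-device="; return 1 ;;
    esac
    opts=$(printf '%s\n' "$fstab" | awk -v d="/dev/mapper/$target" '$1 == d { print $4; exit }')
    [ -n "$opts" ] || { echo "no fstab entry for /dev/mapper/$target"; return 1; }
    case ",$opts," in
        *,nofail,*) echo ok ;;
        *) echo "fstab entry for /dev/mapper/$target lacks nofail"; return 1 ;;
    esac
}

# scan_fido_errors LOG_TEXT
# Prints "<device> <code>" for every "Failed to open FIDO2 device" line,
# e.g. "/dev/hidraw5 FIDO_ERR_RX", so repeated failures at boot stand out.
scan_fido_errors() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed to open FIDO2 device \([^:]*\): \(FIDO_ERR_[A-Z_]*\).*/\1 \2/p'
}

# Constructed sample input mirroring the report, with its placeholders filled in.
SAMPLE_CRYPTTAB='# <target> <source> <key> <options>
data LABEL=DATA none fido2-device=auto
root UUID=00000000-0000-0000-0000-000000000000 none luks'
SAMPLE_FSTAB='/dev/mapper/data /media/data ext4 defaults,nofail 0 0
/dev/mapper/root / ext4 defaults 0 1'
SAMPLE_LOG='systemd-cryptsetup[412]: Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_INTERNAL
systemd-cryptsetup[412]: Automatically discovered security FIDO2 token unlocks volume.
systemd-cryptsetup[415]: Failed to open FIDO2 device /dev/hidraw5: FIDO_ERR_RX'

check_crypttab_fstab data "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"            # prints: ok
check_crypttab_fstab root "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" || true    # prints: crypttab entry for root lacks fido2-device=
scan_fido_errors "$SAMPLE_LOG"
```

On a real system, feed it the contents of /etc/crypttab and /etc/fstab and the output of `journalctl -b` to see whether the unlock failed for the same reason as in this report.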
summary: - LUKS-encrypted partition is not automatically unlocked at boot with
- fido2 key
+ LUKS-encrypted partition is not automatically unlocked during the boot
+ process with a fido2 key
jean-christophe manciot (manciot-jeanchristophe) wrote :

I suspect this is a libfido2 issue, so I will post this on their github git repo.

jean-christophe manciot (manciot-jeanchristophe) wrote :

This issue has been fixed in the libfido2 upstream project.
Cf. https://github.com/Yubico/libfido2/issues/627

Nick Rosbrook (enr0n)
affects: systemd (Ubuntu) → libfido2 (Ubuntu)
Colin Watson (cjwatson) wrote :

Thanks. I've merged the upstream 1.12.0 release into the Debian packaging repository; I expect it's too late for kinetic now, but it'll be in the Ubuntu release after that.

Changed in libfido2 (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
status: New → Fix Committed
Steve Langasek (vorlon)
Changed in libfido2 (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libfido2 - 1.12.0-1

---------------
libfido2 (1.12.0-1) unstable; urgency=medium

  * New upstream release.
    - hid_linux: reopen hidraw(4) after flock(2) (LP: #1983784).

 -- Colin Watson <email address hidden> Sat, 01 Oct 2022 20:48:17 +0100

Changed in libfido2 (Ubuntu):
status: Fix Committed → Fix Released