VTimofeenko / dracut-pcscd-cryptsetup

A dracut module that installs pcscd for systemd-cryptsetup to unlock a drive through pkcs#11
GNU General Public License v2.0

Boot ignores PKCS11 enrolled root drive #1

Open bshamanov opened 2 years ago

bshamanov commented 2 years ago

Hey Vladimir!

My boot drive is enrolled with a PKCS11 Yubico card. You can check the details here, especially my last 2 comments: https://github.com/systemd/systemd/issues/22866

My smart card is basically ignored and I use a backup password to decrypt.

I understand I need to include PKCS11 support in the initramfs. But I am on Fedora 35 and your plugin is around a year old. Is your plugin still required, and can it work on Dracut for Fedora?

Any help very much appreciated!

bshamanov commented 2 years ago

I tried it and unfortunately it does not work. This is the Dracut log:

dracut: *** Including module: pcscd-cryptsetup ***
dracut: Skipping udev rule: /lib/udev/rules.d/99-pcscd-hotplug.rules
dracut-install: ERROR: installing '/lib/udev/pcscd.sh' to '/etc/udev/pcscd.sh'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.ZqBRvP/initramfs /lib/udev/pcscd.sh /etc/udev/pcscd.sh
dracut-install: ERROR: installing '/usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Linux/libccid.so'
dracut-install: ERROR: installing '/usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Info.plist'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.ZqBRvP/initramfs -a /usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Linux/libccid.so /usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Info.plist
dracut: Skipping udev rule: /lib/udev/rules.d/92-pcsc-ccid.rules
dracut-install: ERROR: installing '/etc/pkcs11/modules/opensc.module'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.ZqBRvP/initramfs -a /etc/opensc.conf /etc/pkcs11/modules/opensc.module
dracut-install: ERROR: installing '/etc/pkcs11/pkcs11.conf.example'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.ZqBRvP/initramfs -a /usr/share/p11-kit/modules/p11-kit-trust.module /etc/pkcs11/pkcs11.conf.example

VTimofeenko commented 2 years ago

Hi!

The details in that issue seem consistent with the lack of smartcard functionality in the initrd. Systemd falls back on asking for the password.

My plugin was developed against Gentoo but in theory should work on other distros. Other distros however may have different compile flags for systemd, so additional incantations may be required.

On one of my machines where this module is enabled:

# > systemctl --version
systemd 249 (249)
+PAM -AUDIT -SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID -CURL -ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE -BZIP2 +LZ4 -XZ -ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

Can you provide output of the same command? Did you make any other changes to the dracut config?

bshamanov commented 2 years ago

Thanks Vladimir!

It seems very similar:

systemd 249 (v249.9-1.fc35)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
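
An added check, not code from this project or from dracut, covering the two things the thread is comparing so far: the systemd build features reported by `systemctl --version`, and whether the smartcard stack actually landed in the generated initramfs (the dracut log earlier in this issue shows several of those files failing to install). The required-feature list (LIBCRYPTSETUP, P11KIT, OPENSSL) is an assumption about what `systemd-cryptsetup` needs for PKCS#11 unlocking; the file paths are taken from that dracut log plus the pcscd daemon itself and are assumed Fedora-style; the listing format is assumed to be what `lsinitrd` prints (cpio -tv style, path in the last field). Both sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not code from dracut-pcscd-cryptsetup or from dracut).
# Two offline checks for the failure mode discussed in this issue:
#   1. systemd_missing_features: does `systemctl --version` output report the
#      build features assumed necessary for systemd-cryptsetup PKCS#11 unlock?
#   2. initramfs_missing_files: does an `lsinitrd <image>` listing contain the
#      smartcard stack the dracut log in this issue failed to install?
# Both take their input as text so they can be run on captured output.

# Assumption: these systemd build features are needed for PKCS#11 unlocking.
REQUIRED_FEATURES="LIBCRYPTSETUP P11KIT OPENSSL"

# Paths taken from the dracut log targets in this issue, plus the pcscd binary
# (assumed at /usr/sbin/pcscd as on Fedora). Adjust for your distro.
REQUIRED_FILES="
usr/sbin/pcscd
etc/udev/pcscd.sh
usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Linux/libccid.so
usr/lib64/readers/usb/ifd-ccid.bundle/Contents/Info.plist
etc/opensc.conf
etc/pkcs11/modules/opensc.module
"

# Print the required features that are not enabled (+FEATURE) in the
# `systemctl --version` output given as $1. Exit 0 if none are missing.
systemd_missing_features() {
    _flags=" $(printf '%s' "$1" | tr '\n' ' ') "
    _missing=""
    for _f in $REQUIRED_FEATURES; do
        case "$_flags" in
            *" +$_f "*) ;;
            *) _missing="${_missing:+$_missing }$_f" ;;
        esac
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Print the required files absent from an initramfs listing given as $1.
# The path is assumed to be the last whitespace-separated field of each line
# (cpio -tv / lsinitrd style); leading "./" or "/" is ignored. Exit 0 if complete.
initramfs_missing_files() {
    _paths=$(printf '%s\n' "$1" | awk 'NF { print $NF }' | sed -e 's#^\./##' -e 's#^/##')
    _missing=""
    for _req in $REQUIRED_FILES; do
        if ! printf '%s\n' "$_paths" | grep -qxF -- "$_req"; then
            _missing="${_missing:+$_missing }$_req"
        fi
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Constructed input: the Fedora 35 feature line quoted in this issue.
FEDORA_FLAGS='systemd 249 (v249.9-1.fc35)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified'

# Constructed lsinitrd-style listing: pcscd and its udev helper made it in, the
# CCID driver and the opensc p11-kit module registration did not.
SAMPLE_LISTING='Image: /boot/initramfs-test.img: 30M
========================================================================
drwxr-xr-x   1 root     root            0 Jan  1  1970 .
lrwxrwxrwx   1 root     root            7 Jan  1  1970 lib -> usr/lib
-rwxr-xr-x   1 root     root       102400 Jan  1  1970 usr/sbin/pcscd
-rw-r--r--   1 root     root         1234 Jan  1  1970 etc/opensc.conf
-rwxr-xr-x   1 root     root          512 Jan  1  1970 etc/udev/pcscd.sh'

systemd_missing_features "$FEDORA_FLAGS" || echo "systemd lacks required build features"
initramfs_missing_files "$SAMPLE_LISTING" || echo "initramfs is missing smartcard files"
```

On a live system, pass `"$(systemctl --version)"` and `"$(lsinitrd /boot/initramfs-$(uname -r).img)"` to the two functions; a non-empty result names what to fix in the dracut configuration before blaming the unlock step itself.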

bshamanov commented 2 years ago

Btw the people at Dracut told me in version 056 they have a pcsc module included, but it is untested. I am trying to test it. If it doesn't work maybe you can contribute there directly. See this message: https://matrix.to/#/!mXoNEgzrLsrhDoJncn:gitter.im/$H1dS8EnQzW8y9vBwfpPjKPjwmPyoSu6IWp8m6OIcq90?via=gitter.im&via=matrix.org&via=jupiterbroadcasting.com

VTimofeenko commented 2 years ago

Oh, thanks, I didn't know about that version. I developed this module against dracut 053.

Let me know how the testing goes, and if the dracut-provided module works properly, I will probably archive this project after running my own tests.

bshamanov commented 2 years ago

Thanks Vladimir!

It was quite an adventure to test this! At the end it did not work, not sure of what is the cause exactly. I opened a defect here with all the details: https://bugzilla.redhat.com/show_bug.cgi?id=2070918

This was my dracut conf:

add_dracutmodules+=" crypt systemd-udevd pcsc pkcs11 "
install_optional_items+=" path_to_key "

Not sure how to continue testing this. Maybe I should give it one more try with the default modules available.

Take care, Boris Hamanov

Founding partner / CTO Reactive Core Services Ltd.

https://www.recorse.io Mobile (BG): +359 886 980051


VTimofeenko commented 2 years ago

Hm. I see. I could try to bring up Fedora on a spare machine to try and test both the official dracut module and mine against Nitrokey 2 and Yubikey 5 NFC. Not sure if it would be related to that bug you raised - IIRC when I was developing this module, the fallback password was always asked.

What kind of Yubikey did you test? Also, to confirm the environment:

Is that correct? Did you build dracut from source? Repology sez Fedora 35 has 055

bshamanov commented 2 years ago

Thanks man!

Mine is Yubikey 4 FIPS. I have two, they work correctly outside of boot / initramfs and they seem supported by OpenSC.

I think if you test with any Yubikey it should be the same result.

Take care, Boris Hamanov
