Yubico / libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.

libfido2-1.8.0 fails systemd-cryptenroll FIDO2 device #385

Closed iDevOps-pl closed 3 years ago

iDevOps-pl commented 3 years ago

What version of libfido2 are you using?
1.8.0

What operating system are you running?
Gentoo

What application are you using in conjunction with libfido2?
Systemd

How does the problem manifest itself?
When libfido2 was upgraded to version 1.8.0 I am unable to enroll/use a FIDO2 token with the systemd-cryptenroll tool. To be strict, the FIDO2 device is a YubiKey 5.

Is the problem reproducible?
Yes

What are the steps that lead to the problem?
Unable to use the systemd-cryptenroll tool.

Does the problem happen with different authenticators?
N/A

Please include the output of fido2-token -L.

```
$ fido2-token -L
/dev/hidraw2: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
```

Please include the output of fido2-token -I.

```
$ fido2-token -I /dev/hidraw2
proto: 0x02
major: 0x05
minor: 0x01
build: 0x02
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
aaguid: fa2b99dc9e3942578f924a30d23c4118
options: rk, up, noplat, clientPin
maxmsgsiz: 1200
maxcredcntlst: 0
maxcredlen: 0
fwversion: 0x0
pin protocols: 1
pin retries: 8
uv retries: undefined
```

Please include the output of FIDO_DEBUG=1.

```
FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option clientPin: yes
Has rk ('Resident Key') support: yes
Has clientPin support: yes
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
Allocating context for crypt device /dev/nvme1n1p3.
Trying to open and read device /dev/nvme1n1p3 with direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /dev/nvme1n1p3.
Crypto backend (OpenSSL 1.1.1l  24 Aug 2021) initialized in cryptsetup library version 2.4.0.
Detected kernel Linux 5.13.14 x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/nvme1n1p3
Veryfing locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:9xxxxxxxxxxxx (on-disk)
Checksum:9dxxxxxxxxxxx (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/nvme1n1p3
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:19xxxxxxxxxxx (on-disk)
Checksum:19xxxxxxxxxxx (in-memory)
Device size 999663820800, offset 16777216.
Device /dev/nvme1n1p3 READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
🔐 Please enter current passphrase for disk /dev/nvme1n1p3: *********Failed to adjust kernel keyring key timeout: Permission denied
Added key to kernel keyring as 1026252107.

Keyslot 3 priority 1 != 2 (required), skipped.
Keyslot 0 priority 1 != 2 (required), skipped.
Keyslot 1 priority 1 != 2 (required), skipped.
Keyslot 2 priority 1 != 2 (required), skipped.
Trying to open LUKS2 keyslot 3.
Reading keyslot area [0xc5000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 3, digest 0.
Digest 0 (pbkdf2) verify failed with -1.
Trying to open LUKS2 keyslot 0.
Reading keyslot area [0x8000].
Acquiring read lock for device /dev/nvme1n1p3.
Opening lock resource file /run/cryptsetup/L_259:8
Verifying lock handle for /dev/nvme1n1p3.
Device /dev/nvme1n1p3 READ lock taken.
Reusing open ro fd on device /dev/nvme1n1p3
Device /dev/nvme1n1p3 READ lock released.
Verifying key from keyslot 0, digest 0.
Failed to open FIDO2 device /dev/hidraw2: FIDO_ERR_INTERNAL
Releasing crypt device /dev/nvme1n1p3 context.
Releasing device-mapper backend.
Closing read only fd for /dev/nvme1n1p3.
```

martelletto commented 3 years ago

Thank you for the report. Please see https://github.com/systemd/systemd/issues/20664.