  Msg # 435 of 505 on ZZLI4427 (linux.debian.maint.boot), Friday 8-14-25, 6:21  
  From: David Härdeman <david@hardeman.nu>  
  To: Luca Boccassi  
  Subj: Re: partman-crypto: support for systemd-  
  
 August 14, 2025 at 4:26 PM, "Luca Boccassi" wrote: 
 > > 
 > > I've been hacking on adding support for systemd-cryptenroll(1) style 
 > > keys to partman-crypto. 
 > > ... 
 > > It also forcefully replaces initramfs-tools with dracut (since only 
 > > dracut supports systemd-cryptenroll style keys). 
 > 
 > Are you 100% sure about that? I am running prebuilt ukis these days, 
 > but before that I had just the normal initramfs-tools and I always used 
 > fido2 for luks2 unlocking. It should work, cryptsetup will load the 
 > plugins as long as they are installed in the initrd. 
  
 I'm not 100% sure, no. I just assumed that cryptsetup didn't support these 
 kinds of keys in the initramfs since it spits out warnings about unrecognised 
 options for e.g. "fido2-device=" cfg options in crypttab when the initramfs 
 is regenerated. But if it's the general consensus that systemd-cryptenroll 
 support is useful in debian-installer, I could certainly look into it... 
  
 If it does indeed support it, I'd still need to figure out a way to pass 
 the password/PIN requests from cryptsetup to debconf, like the C utility 
 I wrote (in the branch I linked) for the systemd-style password agent 
 protocol. 
  
 > > 
 > > https://salsa.debian.org/Alphix/partman-crypto/-/tree/systemd-cryptenroll 
 > > 
 > 
 > Please hook this up with opal too - that's just luks2 as well, so 
 > everything will work in exactly the same way, minus the admin password 
 > that still needs to be set separately. 
  
 Yeah, I haven't really checked opal yet (I lack the hardware, but I could 
 probably do some hacks to pretend that QEMU has support), and I also need 
 to do testing with FIDO2/PKCS#11 "hardware"...but that's exactly the kind 
 of thing that I'd work on if I had an indication that this kind of feature 
 might be accepted into d-i (no, not meant as nagging). 
  
 Another issue that I need to think more about is preseeding. Right now, it's 
 kind of unknowable how many/which prompts will be generated by the enrolling 
 process ("TPM2 PIN", "TPM2 PIN (repeat)", "Please touch your FIDO2 key 
 to verify user presence", PKCS#11 may or may not require a PIN, etc.), which 
 makes it hard to come up with a sane preseed scheme. 
  
 Cheers, 
 David 
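The systemd password-agent protocol that the C utility mentioned above bridges to debconf, shown as an added example: this is not code from the partman-crypto branch, from debian-installer or from systemd, and it is not a debconf bridge. It parses one ask.* request file from /run/systemd/ask-password, checks that the requesting process is alive and the request has not expired, and answers on the AF_UNIX datagram socket the request names, as systemd's PASSWORD_AGENTS documentation describes. The sample request (SAMPLE_ASK, with its PID= and Socket= values) and the prompt_fn callback are constructed for this example.

```python
"""Minimal systemd password agent (added example; protocol per systemd's
PASSWORD_AGENTS doc, sample data and prompt_fn callback are constructed)."""
import configparser
import os
import socket
import time

ASK_DIR = "/run/systemd/ask-password"

# Constructed sample of the request file systemd-cryptsetup drops into ASK_DIR
# while it waits for a TPM2 PIN. PID= and Socket= values are made up.
SAMPLE_ASK = """\
[Ask]
PID=742
Socket=/run/systemd/ask-password/sck.1a2b3c
AcceptCached=0
Echo=0
NotAfter=0
Message=Please enter TPM2 PIN for volume /dev/vda3:
Icon=drive-harddisk
Id=cryptsetup:/dev/vda3
"""


def parse_ask_file(text):
    """Parse the [Ask] section of an ask.* file into a dict of the fields an agent needs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep PID/Socket/... exactly as written
    cp.read_string(text)
    if not cp.has_section("Ask"):
        raise ValueError("no [Ask] section")
    ask = cp["Ask"]
    for key in ("PID", "Socket"):
        if key not in ask:
            raise ValueError(f"missing {key}=")
    return {
        "pid": int(ask["PID"]),
        "socket": ask["Socket"],
        "message": ask.get("Message", ""),
        "echo": ask.get("Echo", "0") == "1",  # 1: input is not secret, may be echoed
        "accept_cached": ask.get("AcceptCached", "0") == "1",
        "not_after": int(ask.get("NotAfter", "0")),  # usec, CLOCK_MONOTONIC; 0 = no expiry
    }


def is_expired(req, now_usec=None):
    """NotAfter= is a CLOCK_MONOTONIC timestamp in microseconds; 0 disables expiry."""
    if req["not_after"] == 0:
        return False
    if now_usec is None:
        now_usec = time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000
    return now_usec >= req["not_after"]


def requester_alive(pid):
    """Agents drop requests whose asking process has already exited."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def build_reply(password):
    """Reply datagram: '+' followed by the password, or a lone '-' for cancel.
    systemd parses the bytes after '+' as a NUL-separated list, so a trailing
    NUL is accepted and an embedded NUL would split the password."""
    if password is None:
        return b"-"
    if "\0" in password:
        raise ValueError("password must not contain NUL")
    return b"+" + password.encode() + b"\0"


def answer_request(path, prompt_fn):
    """Read one ask.* file, prompt through prompt_fn, reply on its socket.
    Returns True when a reply was sent, False when the request was stale."""
    with open(path, encoding="utf-8") as f:
        req = parse_ask_file(f.read())
    if not requester_alive(req["pid"]) or is_expired(req):
        return False
    # prompt_fn(message, echo) -> str, or None if the user cancelled. In the
    # installer this would be the debconf round-trip; here it is a caller-
    # supplied callback (assumption of this example).
    answer = prompt_fn(req["message"], req["echo"])
    # systemd only honours replies from uid 0, so the agent must run as root.
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(build_reply(answer), req["socket"])
    return True


def serve_once(prompt_fn, ask_dir=ASK_DIR):
    """Answer every pending request once. A resident agent would inotify-watch
    ask_dir instead; 'tmp.*' files are still being written and are skipped."""
    handled = 0
    for name in sorted(os.listdir(ask_dir)):
        if name.startswith("ask.") and answer_request(os.path.join(ask_dir, name), prompt_fn):
            handled += 1
    return handled


if __name__ == "__main__":
    import getpass
    serve_once(lambda msg, echo: input(msg + " ") if echo else getpass.getpass(msg + " "))
```

The Message= and Id= fields are the only handles an agent gets on which prompt it is answering (PIN, repeated PIN, touch request), so a preseed mapping would have to key on them; nothing in the request says how many further prompts will follow.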
  