anatol / booster

Fast and secure initramfs generator


Cannot unlock encrypted LUKS partition with fido2 device

R1kaB3rN opened this issue · comments

Description

When there are two keyslots in a LUKS2 header, slot 0 locked with a password and slot 1 with a registered fido2 device, Booster doesn't let the user unlock using the fido2 device. Instead, users are only able to unlock with a password.

I can confirm that...

When booting into a flash medium, I am able to unlock my LUKS partition with the same fido2 device

Steps to reproduce

  1. systemd-cryptenroll --wipe-slot=all /dev/nvme0n1p2
  2. systemd-cryptenroll --password /dev/nvme0n1p2
  3. systemd-cryptenroll --fido2-device=auto --fido2-with-user-presence=yes /dev/nvme0n1p2
  4. Add "extra_files: fido2-assert" to /etc/booster.yaml
  5. Add "modules: hid" to /etc/booster.yaml
  6. /usr/lib/booster/regenerate_images

I tried to reproduce when...

  • Only having a fido2 keyslot
  • Registering the same fido2 device twice, resulting in 3 keyslots

Expected behavior

I should be prompted to use my fido2 device. Also, pressing the fido2 device should unlock the encrypted partition in addition to entering the passphrase.

Actual behavior

  • I am only able to unlock slot 1 and only prompted to enter a passphrase
  • When registering the fido2 device twice, I am able to unlock the encrypted partition

System

distribution: archlinux
booster: 0.10-1
systemd: 253.3-3
libfido2: 1.13.0-1
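A check worth running before blaming the initramfs: confirm that the enrollment steps above actually left a `systemd-fido2` token in the LUKS2 header and that the token is bound to an existing keyslot, since a boot-time unlocker can only offer FIDO2 for slots a token points at; everything else falls back to a passphrase prompt. The script below is an added example, not booster code and not from the issue reporter. It assumes the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>` (a real cryptsetup option) and the token field names systemd-cryptenroll writes; the embedded sample header is constructed and trimmed, with placeholder values instead of real salts and credentials.

```python
"""Inspect a LUKS2 header's JSON metadata for the keyslot/token layout the
issue describes (slot 0 unlocked by passphrase, slot 1 by a FIDO2 device).

Added example, not part of booster and not the reporter's code. Assumes the
output of `cryptsetup luksDump --dump-json-metadata <device>`. SAMPLE_METADATA
is a constructed, trimmed fragment, not a dump from a real system.
"""
import json
import subprocess
import sys

# Constructed sample: two keyslots, one systemd-fido2 token bound to slot 1.
# Salt/credential fields are placeholders, not real values.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "<placeholder>"}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha512",
                      "iterations": 1000, "salt": "<placeholder>"}},
    },
    "tokens": {
        "0": {"type": "systemd-fido2", "keyslots": ["1"],
              "fido2-credential": "<placeholder>",
              "fido2-salt": "<placeholder>",
              "fido2-rp": "io.systemd.cryptsetup",
              "fido2-clientPin-required": False,
              "fido2-up-required": True,
              "fido2-uv-required": False},
    },
})


def load_metadata(text):
    """Parse luksDump JSON and make sure keyslots/tokens keys exist."""
    meta = json.loads(text)
    meta.setdefault("keyslots", {})
    meta.setdefault("tokens", {})
    return meta


def classify_keyslots(meta):
    """Map each keyslot id to the token type bound to it.

    A keyslot no token references can only be opened with a passphrase,
    which is exactly the prompt the issue reports seeing.
    """
    result = {slot: "passphrase" for slot in meta["keyslots"]}
    for token in meta["tokens"].values():
        for slot in token.get("keyslots", []):
            if slot in result:
                result[slot] = token.get("type", "unknown")
    return result


def fido2_requirements(meta):
    """Per systemd-fido2 token: user presence / verification / PIN flags."""
    return {
        tid: {"up": bool(t.get("fido2-up-required", False)),
              "uv": bool(t.get("fido2-uv-required", False)),
              "pin": bool(t.get("fido2-clientPin-required", False))}
        for tid, t in meta["tokens"].items()
        if t.get("type") == "systemd-fido2"
    }


def problems(meta):
    """Findings that would prevent a FIDO2 unlock from being offered."""
    findings = []
    fido2 = {tid: t for tid, t in meta["tokens"].items()
             if t.get("type") == "systemd-fido2"}
    if not fido2:
        findings.append("no systemd-fido2 token in header")
    for tid, token in fido2.items():
        slots = token.get("keyslots", [])
        if not slots:
            findings.append(f"token {tid} is bound to no keyslot")
        for slot in slots:
            if slot not in meta["keyslots"]:
                findings.append(f"token {tid} references missing keyslot {slot}")
        for field in ("fido2-credential", "fido2-salt", "fido2-rp"):
            if field not in token:
                findings.append(f"token {tid} lacks {field}")
    return findings


def dump_device(device):
    """Return the JSON metadata of a real device (needs root and cryptsetup)."""
    out = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True)
    return out.stdout


def main(argv):
    text = dump_device(argv[1]) if len(argv) > 1 else SAMPLE_METADATA
    meta = load_metadata(text)
    for slot, how in sorted(classify_keyslots(meta).items()):
        print(f"keyslot {slot}: {how}")
    for tid, req in fido2_requirements(meta).items():
        print(f"token {tid}: {req}")
    found = problems(meta)
    for finding in found:
        print("problem:", finding)
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample, or as `sudo python3 luks_fido2_check.py /dev/nvme0n1p2` (hypothetical file name) against the device from the steps to reproduce. If the header passes this check but the initramfs still only prompts for a passphrase, the next thing to verify is the image itself: booster images are compressed cpio archives, so with the default compression `zstd -dc /boot/booster-linux.img | cpio -t | grep -E 'fido2-assert|/hid'` (image path assumed; adjust to your kernel name) shows whether `fido2-assert` and the `hid` modules made it into the image at all.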