Cannot unlock encrypted LUKS partition with fido2 device
R1kaB3rN opened this issue
Description
When there are two keyslots in a LUKS2 header, slot 0 locked with a password and slot 1 with a registered fido2 device, Booster doesn't let the user unlock using the fido2 device. Instead, users are only able to unlock with a password.
I can confirm that...
- When booting into a flash medium, I am able to unlock my LUKS partition with the same fido2 device.
Steps to reproduce
- systemd-cryptenroll --wipe-slot=all /dev/nvme0n1p2
- systemd-cryptenroll --password /dev/nvme0n1p2
- systemd-cryptenroll --fido2-device=auto --fido2-with-user-presence=yes /dev/nvme0n1p2
- Add "extra_files: fido2-assert" to /etc/booster.yaml
- Add "modules: hid" to /etc/booster.yaml
- /usr/lib/booster/regenerate_images
I tried to reproduce when...
- Only having a fido2 keyslot
- Registering the same fido2 device twice, resulting in 3 keyslots
Expected behavior
I should be prompted to use my fido2 device. Also, pressing the fido2 device should unlock the encrypted partition in addition to entering the passphrase.
Actual behavior
- I am only able to unlock slot 1 and only prompted to enter a passphrase
- When registering the fido2 device twice, I am able to unlock the encrypted partition
System
distribution: archlinux
booster: 0.10-1
systemd: 253.3-3
libfido2: 1.13.0-1
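A triage check for the header layout described in this issue, added here as an example and not code from the reporter, booster or systemd: it parses `cryptsetup luksDump` output for a LUKS2 device and lists which keyslots carry a systemd-fido2 token and which have no token at all (passphrase-only). The section and field names are assumed from cryptsetup's LUKS2 dump format, and the sample dump is constructed to mirror the header in the report (slot 0 passphrase, slot 1 FIDO2); on a real system, feed it the output of `cryptsetup luksDump /dev/nvme0n1p2` instead.

```shell
#!/bin/sh
# Added example for this issue; not code from the reporter, booster or systemd.
# Reports which LUKS2 keyslots are bound to a systemd-fido2 token and which are
# passphrase-only, from `cryptsetup luksDump` text. The dump layout is assumed
# from cryptsetup's LUKS2 output: top-level sections start in column 0
# ("Keyslots:", "Tokens:", ...), entries are "  N: type", and a token's
# binding is a "Keyslot:    N" line. Real output indents details with tabs;
# the parser accepts tabs or spaces.

# Constructed sample: slot 0 passphrase, slot 1 FIDO2 (token 0 -> keyslot 1).
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-4000-8000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
Tokens:
  0: systemd-fido2
        fido2-credential: 0102030405060708
        fido2-salt:       0a0b0c0d0e0f1011
        fido2-rp:         io.systemd.cryptsetup
        fido2-up-required: true
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Keyslot numbers listed under "Keyslots:", one per line.
list_keyslots() {
  printf '%s\n' "$1" | awk '
    /^Keyslots:/ { in_sec = 1; next }
    /^[A-Za-z]/  { in_sec = 0 }
    in_sec && /^  [0-9]+: / { sub(":", "", $1); print $1 }'
}

# "<token-type> <keyslot>" for every entry under "Tokens:", one per line.
list_tokens() {
  printf '%s\n' "$1" | awk '
    /^Tokens:/  { in_sec = 1; next }
    /^[A-Za-z]/ { in_sec = 0 }
    in_sec && /^  [0-9]+: /     { type = $2; next }
    in_sec && /^[ \t]*Keyslot:/ { print type, $2 }'
}

# Keyslots bound to a systemd-fido2 token: the ones an initramfs has to try
# with fido2-assert rather than only prompting for a passphrase.
fido2_keyslots() {
  list_tokens "$1" | awk '$1 == "systemd-fido2" { print $2 }'
}

# Keyslots with no token of any type: passphrase-only.
passphrase_only_keyslots() {
  dump=$1
  list_keyslots "$dump" | while read -r slot; do
    list_tokens "$dump" | awk -v s="$slot" '$2 == s { found = 1 } END { exit !found }' \
      || echo "$slot"
  done
}

report() {
  echo "FIDO2-bound keyslots:     $(fido2_keyslots "$1" | tr '\n' ' ')"
  echo "Passphrase-only keyslots: $(passphrase_only_keyslots "$1" | tr '\n' ' ')"
}

report "$SAMPLE_DUMP"
```

If the report shows no keyslot bound to a systemd-fido2 token, the enrollment step is the problem rather than the initramfs; if slot 1 is bound as expected and a live medium unlocks it, the header is fine and the initramfs is the place to look.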