Package: dracut
Version: 056-3
Severity: normal
X-Debbugs-Cc: da...@hardeman.nu

Dear Maintainer,

I've tried enabling unlocking a LUKS encrypted root partition using a FIDO2
key (Yubikey in my case), mostly by following these instructions:

https://www.guyrutenberg.com/2022/02/17/unlock-luks-volume-with-a-yubikey/

In essence:
1. systemd-cryptenroll <dev> --fido2-device=auto <options>
2. Add "fido2-device=auto" to /etc/crypttab
3. apt install dracut

This gives an error message during boot, saying that FIDO2 isn't supported.

By some trial and error, I've determined that the missing library is
/lib/x86_64-linux-gnu/libz.so.*

root@experiment:~# ldd /usr/lib/systemd/systemd-cryptsetup
        linux-vdso.so.1 (0x00007ffd21b7f000)
        libsystemd-shared-251.so => /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-251.so (0x00007f1105600000)
        libcryptsetup.so.12 => /lib/x86_64-linux-gnu/libcryptsetup.so.12 (0x00007f1105913000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1105427000)
        libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007f110541c000)
        libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007f11053c5000)
        libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f11053ba000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f110537f000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1105379000)
        libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f1105232000)
        libip4tc.so.2 => /lib/x86_64-linux-gnu/libip4tc.so.2 (0x00007f1105228000)
        libkmod.so.2 => /lib/x86_64-linux-gnu/libkmod.so.2 (0x00007f110520b000)
        liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x00007f11051e8000)
        libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007f1105185000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1104c00000)
        libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f1105173000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f1105169000)
        libseccomp.so.2 => /lib/x86_64-linux-gnu/libseccomp.so.2 (0x00007f1105149000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f110511b000)
        libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f1104b47000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f11050f3000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1104a04000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f11050d2000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f11059a5000)
        libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f11050c9000)
        libdevmapper.so.1.02.1 => /lib/x86_64-linux-gnu/libdevmapper.so.1.02.1 (0x00007f1104997000)
        libargon2.so.1 => /lib/x86_64-linux-gnu/libargon2.so.1 (0x00007f11050bd000)
        libjson-c.so.5 => /lib/x86_64-linux-gnu/libjson-c.so.5 (0x00007f11050aa000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f110496e000)
        libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007f110493c000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f11048a0000)
        libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007f1104876000)
        libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007f11050a0000)

So systemd-cryptsetup doesn't link to libz.so.*...but....

root@experiment:~# ldd /lib/x86_64-linux-gnu/libfido2.so.1
        linux-vdso.so.1 (0x00007ffd32a7b000)
        libcbor.so.0.8 => /lib/x86_64-linux-gnu/libcbor.so.0.8 (0x00007fd93784f000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fd937200000)
        libudev.so.1 => /lib/x86_64-linux-gnu/libudev.so.1 (0x00007fd937825000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd937808000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd937027000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd93789d000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd937802000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd9377df000)

libfido2.so.* is included in the generated initrd, but its dependency
(libz.so.*) isn't.

As a workaround for now, I've modified 
/usr/lib/dracut/modules.d/91fido2/module-setup.sh:

root@experiment:/usr/lib/dracut/modules.d/91fido2# diff -u module-setup.sh.orig module-setup.sh
--- module-setup.sh.orig        2022-08-06 11:17:07.545520563 +0200
+++ module-setup.sh     2022-08-06 10:50:16.014249677 +0200
@@ -21,6 +21,7 @@
     # Install required libraries.
     _arch=${DRACUT_ARCH:-$(uname -m)}
     inst_libdir_file \
+        {"tls/$_arch/",tls/,"$_arch/",}"libz.so.*" \
         {"tls/$_arch/",tls/,"$_arch/",}"libfido2.so.*" \
         {"tls/$_arch/",tls/,"$_arch/",}"libcryptsetup.so.*" \
         
{"tls/$_arch/",tls/,"$_arch/",}"/cryptsetup/libcryptsetup-token-systemd-fido2.so"
 \
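
Review bot: The added "libz.so.*" line in the inst_libdir_file list hardcodes a single transitive dependency of libfido2.so.*, so the list goes stale whenever libfido2's own dependencies change. The ldd output earlier in the report also shows libfido2.so.1 needing libcbor.so.0.8, and the visible context does not show that being installed. I would prefer resolving the dependencies of each installed library when the image is built; if the explicit list stays, add a comment above the new line saying that libz is listed because libfido2 needs it and libfido2 does not appear in the ldd output of systemd-cryptsetup.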

But I guess dracut should automagically determine the dependencies of libs 
recursively?

Possibly related bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997827
https://github.com/dracutdevs/dracut/issues/996 

Cheers,
David
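
Added example (not part of the original report and not dracut code): a check for the failure described above, comparing the libraries that ldd resolves for an object against a saved initrd file listing. The function names, the saved-listing approach and the sample listing are assumptions made for this example; the ldd lines in the demo are taken from the report.

```shell
#!/bin/sh
# Added example. Report libraries that `ldd` says an object needs but that
# are absent from an initrd file listing.

# Print resolved paths from ldd output on stdin: "name => /path (addr)" and
# bare "/path (addr)" lines. linux-vdso and "not found" entries are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# missing_libs LDD_FILE LISTING_FILE
# LISTING_FILE is a saved listing such as `lsinitrd` output. Any field whose
# basename equals the library name counts, so "ls -l" lines and symlinks work.
missing_libs() {
    ldd_paths < "$1" | while read -r path; do
        name=${path##*/}
        awk -v n="$name" '
            { for (i = 1; i <= NF; i++) { f = $i; sub(/.*\//, "", f); if (f == n) found = 1 } }
            END { exit !found }' "$2" || printf '%s\n' "$name"
    done
}

# Demo: ldd lines for libfido2.so.1 as quoted in the report, checked against
# a constructed initrd listing that lacks libz.so.1.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ldd.txt" <<'EOF'
        linux-vdso.so.1 (0x00007ffd32a7b000)
        libcbor.so.0.8 => /lib/x86_64-linux-gnu/libcbor.so.0.8 (0x00007fd93784f000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fd937808000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd93789d000)
EOF
    cat > "$tmp/initrd.txt" <<'EOF'
-rw-r--r-- 1 root root 0 Jan  1 00:00 usr/lib/x86_64-linux-gnu/libcbor.so.0.8
lrwxrwxrwx 1 root root 0 Jan  1 00:00 lib64/ld-linux-x86-64.so.2 -> ../lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
EOF
    missing_libs "$tmp/ldd.txt" "$tmp/initrd.txt"
    rm -rf "$tmp"
}

demo
```

On a real system the two input files would come from running ldd on each library the initrd loads at run time and from listing the generated image; a library such as libfido2 has to be checked by name because it does not appear in the ldd output of the binary that loads it.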
