
Clevis unlock fail on boot volume when Yubikey (yubikey-luks) is also installed.

Open francsw opened this issue 5 years ago • 3 comments

We're using Xubuntu desktops on Ubuntu Focal (20.04). This is more a plymouth problem, so it might not be unique to Xubuntu. Boot time root volume decryption works fine with just the Clevis packages installed, but as soon as you install the yubikey-luks packages Clevis/Tang decryption stops working. The yubikey password prompt script (ykluks-keyscript) breaks the clevis decrypt script that still runs in the background.

The quick fix/workaround is to disable the splash screen (plymouth) by editing '/etc/default/grub' and removing 'splash' from the line GRUB_CMDLINE_LINUX_DEFAULT="quiet ". This will cause the clevis and yubikey decrypt scripts to use /lib/cryptsetup/askpass and not /bin/plymouth.

Some more information:

I've tracked it down to the following check in the clevisloop() function in the script /usr/share/initramfs-tools/scripts/local-top/clevis:

until [ "$pid" ] && [ -p "$PASSFIFO" ]; do

The get_fifo_path() function never finds the link to the passfifo file in /proc/$pid/fd/, probably because plymouth doesn't create it like it should in /lib/cryptsetup/passfifo.

Another solution would be to uninstall plymouth.

Maybe someone with a more intimate knowledge of plymouth and the initram boot process can shed some more light on this.

francsw avatar Oct 23 '20 00:10 francsw

/cc @dannf for some insight

sergio-correia avatar Oct 23 '20 15:10 sergio-correia

I'm unable to reproduce. I have a working clevis setup on focal (using latest clevis packages from focal-proposed), I installed yubikey-luks and confirmed I have splash & quiet on the cmdline:

dannf@clevis-focal:~$ cat /proc/cmdline 
BOOT_IMAGE=/vmlinuz-5.4.0-52-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet console=ttyS0 splash vt.handoff=7

Still unlocked fine for me. But, TBH, I don't see how ykluks-keyscript even gets called at boot, so I'm not sure I'm doing the same thing @francsw is.

dannf avatar Oct 23 '20 21:10 dannf

The yubikey keyscript is set up in /etc/crypttab, e.g.:

sda6_crypt UUID=97ba8852-5d14-4ee8-ba9e-20b2cd6bb550 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript

You should see the following text prompt at boot: "Please insert yubikey and press enter or enter a valid passphrase".

francsw avatar Oct 26 '20 22:10 francsw