Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yubikey-luks initramfs unlock script does not work on Ubuntu 24.04 LTS #95

Open
random578036896547 opened this issue Jun 19, 2024 · 10 comments

Comments

@random578036896547
Copy link

Hi,
on clean new installation of Ubuntu 24.04 yubikey-luks initramfs unlock script does not work.

after insatlation (sudo apt-get install yubikey-luks -y)
I am able to enroll keys in key slots. (both for default system partition (/dev/nvme0n1p3), and for external USB pen drive I used for test /dev/sda3). with yubikey-luks-enroll.
I am able to use yubikey-luks-open for external pendrive (/dev/sda3) I used for testing.
So making key slots and using chalange-responses from yubi keys works.
However after reboot of system OS in LUKS unlock screen, no yubikey-luks welcome text is shown and unlock for keyslots containing enrolled keys are not working. Only those I made with luksAddKeys and therefore with passwords only are working.
I am using same laptop as for previous 18.04-23.10 where everything worked ok. (Dell XPS 13 9350)
Did not work first time (depending on automaticall add keyscript to crypttab - that worked for me before)
Did not work after manual sudo update-initramfs -u
Did not work after adding to /etc/crypttab cryptroot /dev/nvme0n1p3 none luks,keyscript=/usr/share/yubikey-luks/ykluks-keyscript and doing sudo update-initramfs -u again.
Both yubikeys NFC5c I have are initialized for ch-response (ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible)
Thanks in advance for any advice, thx.

@Vincent43
Copy link
Contributor

Vincent43 commented Jun 19, 2024

Do you have cryptsetup-initramfs package installed?

Does sudo update-initramfs -u shown any warnings/errors?

Can you unpack created initramfs and check if /sbin/ykluks-keyscript, /usr/bin/ykchalresp, /usr/bin/ykinfo, /usr/bin/sha256sum and /etc/ykluks.cfg does exist?

Also does passing cryptoptions=target=cryptroot,source=/dev/nvme0n1p3,keyscript=/sbin/ykluks-keyscriptin boot cmdline make any difference?

@random578036896547
Copy link
Author

Hi,

ad) cryptsetup-initramfs yes, it is installed in version: (2:2.7.0-1ubuntu4)

ad) sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-6.8.0-35-generic
cp: warning: behavior of -n is non-portable and may change in future; use --update=none instead

ad) unmkinitramfs /boot/initrd.img-$(uname -r) initramfs/
after unpacking i have 4 folders:

main, early, early2, early3
folder main contains all mentioned files (/sbin/ykluks-keyscript, /usr/bin/ykchalresp, /usr/bin/ykinfo, /usr/bin/sha256sum and /etc/ykluks.cfg), they seem to have valid content and config /etc/ykluks.cfg does change accordingly when I for example change welcome text in master config and call sudo update-initramfs -u

ad)cryptoptions=target=cryptroot,source=/dev/nvme0n1p3,keyscript=/sbin/ykluks-keyscript
same outcome (no welcome text, not working in LUKS unlock screen)

@Vincent43
Copy link
Contributor

Ok, so what exactly happens when you boot the OS and want to decrypt the drive? what is shown on the screen?

@random578036896547
Copy link
Author

PXL_20240620_071120906
PXL_20240620_071142470
(before and after I try to enter pasword for yubikey chalenge-response keyslots, pasword-only keyslots work ok.)

@Vincent43
Copy link
Contributor

Does it fallback to console mode when you hit Esc key repeatedly while showing this screen?

yubikey-luks welcome message is Please insert yubikey and press enter or enter a valid passphrase" on your photos there is different text, looks like something else is running than yubikey-luks?

@random578036896547
Copy link
Author

I attached print screen after Esc from my laptop. I do not think that RMRR error has any consequence to yubikey-luks and to test it I took entirely different system (Desktop) and made new clean installation of 24.04 with only default values (only exception to that is using LUKS encrypted disk via installer instead of default non encrypted one.) Outcome was same issue and no errors on the other system, so I would expect that this affects all new Ubuntu 24.04 installations.
signal-2024-07-17-121323
PXL_20240625_180127841
PXL_20240625_180119021
PXL_20240625_180111106
PXL_20240625_180059187

@Vincent43
Copy link
Contributor

It indicates yubikey-luks isn't started for some reason

@Vincent43
Copy link
Contributor

I tested ubuntu 24.04 and didn't observe any change of yubikey-luks initramfs script than before.

@random578036896547
Copy link
Author

So you were able use yubikey-luks initramfs script on new install of 24.04? I took yet another system today (NUC 6i5syh) did clean new default install (except disk is LVM encrypted obviously) both with 24.04 and 24.10, did only apt-get install yubikey-luks -y and rebooted. None of 3 physical systems an one VM I tested worked.

@Vincent43
Copy link
Contributor

I did upgrade from 22.04. I don't see why it would be different on fresh installation - initramfs is created against 24.04 tooling.

I also don't see similar bugreports for ubuntu or debian made by other users. I guess this one is yours.

Since there is no trace yubikey-luks is running in initramfs and you see it being part of created initramfs the only explanation I can made is for some reason you boot with different kernel+initramfs image than what's created. What's the mount-point of your EFI partition? Is it mounted while you're running system?

You may add init=/bin/sh to cmdline which will boot into shell and then you may check again that all yubikey-luks files are avalaible in running initramfs image.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants