RHEL-14829

Can't unlock LUKS-encrypted block device with PKCS#11 smartcard at boot.

      Product: Red Hat Enterprise Linux (x86_64)

      What were you trying to do that didn't work?

      Unlock luks with smartcard at boot

      Please provide the package NVR for which the bug is seen:

      cryptsetup

      How reproducible:

      every time

      Steps to reproduce

      1. have a smart card or emulate one through KVM and add certificates
        1. add a smartcard device through virt-manager
        2. choose host-certificates mode
        3. copy and paste the following XML:

      <smartcard mode="host-certificates">
        <certificate>cert1</certificate>
        <certificate>cert2</certificate>
        <certificate>cert3</certificate>
        <database>/etc/pki/nssdb/</database>
        <alias name="smartcard0"/>
        <address type="ccid" controller="0" slot="0"/>
      </smartcard>

        4. on the KVM host, run the following commands

      certutil -d /etc/pki/nssdb -x -t CT,CT,CT -S -s CN=cert1 -n cert1
      certutil -d /etc/pki/nssdb -x -t CT,CT,CT -S -s CN=cert2 -n cert2
      certutil -d /etc/pki/nssdb -x -t CT,CT,CT -S -s CN=cert3 -n cert3

      On the virtual machine

      1. lvcreate -n lvtest -L 1G rhel  # create a testing LV
      2. cryptsetup luksFormat /dev/rhel/lvtest  # encrypt it with a standard passphrase
      3. add the PKCS#11 token to a LUKS keyslot
        1. dnf install gnutls-utils  # install p11tool
        2. p11tool --list-tokens  # find the token URL of your smartcard
        3. p11tool --login --list-certs <token url from previous command>  # get the URL of the object
           use your PIN (1234 if emulated)
           Copy the URL but only up to id=XXX (do not copy object=... to the end)
        4. systemd-cryptenroll --pkcs11-token-uri "<URL just copied>" /dev/rhel/lvtest
      4. optional: test that it works
        1. /usr/lib/systemd/systemd-cryptsetup attach my_choosen_name /dev/rhel/lvtest --pkcs11-uri "auto"
        2. type the smartcard PIN
      5. add it to crypttab so LUKS is unlocked automatically at boot
        1. add the following line to crypttab
           my_choosen_name /dev/rhel/lvtest none pkcs11-uri=auto
      6. Reboot
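      As an added example (not part of the bug report), a small POSIX shell helper that applies the two easy-to-get-wrong steps above: it takes the output of p11tool --list-certs, keeps the URI only up to the id= attribute (the object=... tail must not be passed to systemd-cryptenroll), checks the result before enrollment, and emits the crypttab line from step 5. The p11tool output below is constructed sample data; the model, serial, token and object values are made up.

```sh
#!/bin/sh
# Added example, not from the bug report. Constructed sample resembling
# `p11tool --login --list-certs <token-url>` output; all values are made up.
sample_p11tool_output='Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Example;serial=0123;token=Test%20Token;id=%01%02%03;object=cert1;type=cert
        Type: X.509 Certificate (RSA-2048)
        Label: cert1
        ID: 01:02:03
'

# Print the first "URL: pkcs11:..." value found in p11tool output.
first_object_uri() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*URL:[[:space:]]*\(pkcs11:.*\)$/\1/p' | head -n 1
}

# Keep the URI up to and including id=...; drop object=... and everything
# after it, as step 3.3 of the reproduction says.
trim_pkcs11_uri() {
    printf '%s\n' "$1" | sed -n 's/^\(pkcs11:.*;id=[^;]*\).*$/\1/p'
}

# Return 0 if the URI is in the form the reproduction passes to
# systemd-cryptenroll (has id=, no object= or type= tail), 1 otherwise.
# Catches the mistake of copying the whole URL.
check_enroll_uri() {
    case "$1" in
        pkcs11:*object=*|pkcs11:*type=*) return 1 ;;
        pkcs11:*id=*) return 0 ;;
        *) return 1 ;;
    esac
}

# The crypttab line from step 5.1 for a given mapping name and device.
crypttab_line() {
    printf '%s %s none pkcs11-uri=auto\n' "$1" "$2"
}

# Usage with the constructed sample (replace with a real p11tool run):
# uri=$(trim_pkcs11_uri "$(first_object_uri "$sample_p11tool_output")")
# check_enroll_uri "$uri" && printf 'systemd-cryptenroll --pkcs11-token-uri "%s" /dev/rhel/lvtest\n' "$uri"
# crypttab_line my_choosen_name /dev/rhel/lvtest
```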

      Expected results

      User is prompted for PIN during boot

      Actual results

      Timeout while waiting for the security token, then fallback to the passphrase

      -----------------

      systemd-cryptsetup[751]: Security token (null) not present for unlocking volume rhel-lvtest (my_luks), please plug it in.

      systemd-cryptsetup[751]: Timed out waiting for security device, aborting security device based authentication attempt.

      ----------------

      Other information:

      • It looks like a dependency issue in the systemd unit; after further analysis there seems to be a dependency on the dbus and pcscd service/socket.
      • The final goal for the customer is to lock the root FS, so it must also be possible in the initramfs.

      People: Michal Sekletar, Dorian Renard, Frantisek Sumsal, systemd maint mailing list