f41, kernel 6.12.11-200.fc41.x86_64
So this is the deal. This bug concerns Fedora. At least f40 and f41.
It is NOT systemd related. It is NOT libfido2 related.
I’m unlocking a LUKS volume with a fido2 hardware token, enabled with systemd-cryptenroll.
In Fedora, the unlock fails roughly every other time. When it fails during boot, systemd will hang, indefinitely waiting for the hardware token to respond. Only ctrl-alt-del will help, and on the next boot it will work again.
However, it’s not systemd related. The same thing happens when doing this manually, either using ‘cryptsetup open’ or ‘systemd-cryptsetup attach’.
In Debian and Ubuntu, it works fine every time. Tested with Ubuntu jammy libfido2 versions 1.10 and 1.15, and Debian bookworm libfido2 version 1.12.
I’ve had a lengthy conversation with the libfido2 maintainer on GitHub:
https://github.com/Yubico/libfido2/issues/852
I’ve done hundreds of reboots. All I know at this point is the bug exists in f40 and f41. It’s not related to any udev rules in /etc/udev/rules.d/.
Again, this happens roughly every other time. When booting, it hangs right after ‘systemd-udev-settle-service’,
then 2 services are waiting indefinitely:
(1 of 2) job dev-mapper-zkeys.device/start running
(2 of 2) job systemd-cryptsetup@zkeys-service/start running
But the same thing happens when doing this manually, either with cryptsetup or systemd-cryptsetup.
Below is first the systemd debug output from when it works, and then another from when it hangs.
As you can see in the GitHub thread, it hangs waiting indefinitely for the hardware token to respond.
PLEASE any help, this thing is driving me crazy!
# export SYSTEMD_LOG_LEVEL=debug
# systemd-cryptsetup attach zkeys /dev/zvol/zroot/zkeys
Loaded 'libcryptsetup.so.12' via dlopen()
run zkeys ← /dev/zvol/zroot/zkeys type= cipher=
Allocating context for crypt device /dev/zvol/zroot/zkeys.
Trying to open and read device /dev/zvol/zroot/zkeys with direct-io.
Direct-io is supported and works.
Initialising device-mapper backend library.
dm version [ opencount flush ] [16384] (*1)
dm versions [ opencount flush ] [16384] (*1)
Detected dm-ioctl version 4.48.0.
Detected dm-zero version 1.2.0.
Device-mapper backend running with UDEV support enabled.
dm status zkeys [ opencount noflush ] [16384] (*1)
Trying to load any crypt type from device /dev/zvol/zroot/zkeys.
Crypto backend (OpenSSL 3.2.2 4 Jun 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.5.
Detected kernel Linux 6.12.11-200.fc41.x86_64 x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/zvol/zroot/zkeys.
Opening lock resource file /run/cryptsetup/L_230:0
Verifying lock handle for /dev/zvol/zroot/zkeys.
Device /dev/zvol/zroot/zkeys READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/zvol/zroot/zkeys
Verifying locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:8234c780914d9aa13ed1c3a1f1794c8ca85beb0b24ad8c9cd505a2cadb844f6e (on-disk)
Checksum:8234c780914d9aa13ed1c3a1f1794c8ca85beb0b24ad8c9cd505a2cadb844f6e (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/zvol/zroot/zkeys
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:8b9ef8c4276f02aa590ec0389e9503c6f86b10ba78a3d13fba0cbb109edaf7f0 (on-disk)
Checksum:8b9ef8c4276f02aa590ec0389e9503c6f86b10ba78a3d13fba0cbb109edaf7f0 (in-memory)
Device size 104857600, offset 16777216.
Device /dev/zvol/zroot/zkeys READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
Activating volume zkeys [keyslot -1] using token.
dm versions [ opencount flush ] [16384] (*1)
dm status zkeys [ opencount noflush ] [16384] (*1)
Token 0 unusable for segment 0 with desired keyslot priority 2.
Token 1 unusable for segment 0 with desired keyslot priority 2.
Token 2 unusable for segment 0 with desired keyslot priority 2.
Token 0 unusable for segment 0 with desired keyslot priority 1.
Token 1 unusable for segment 0 with desired keyslot priority 1.
Trying to load /usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so.
Loading symbol cryptsetup_token_open@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_buffer_free@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_validate@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_dump@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_open_pin@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_version@CRYPTSETUP_TOKEN_1.0.
Token handler systemd-fido2-1.0 systemd-v256.11 (256.11-1.fc41) loaded successfully.
Requesting JSON for token 2.
Loaded 'libfido2.so.1' via dlopen()
libfido2: run_manifest: found 1 hid device
libfido2: run_manifest: found 0 nfc devices
libfido2: fido_tx: dev=0x564b3aa201c0, cmd=0x06
libfido2: fido_tx: buf=0x564b3aa201c0, len=8
libfido2: 0000: 05 1a 63 79 ed 8d df bc
libfido2: fido_rx: dev=0x564b3aa201c0, cmd=0x06, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ed20, len=64
libfido2: 0000: ff ff ff ff 86 00 11 05 1a 63 79 ed 8d df bc 0e
libfido2: 0016: 00 00 00 02 00 00 00 05 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: rx: payload_len=17
libfido2: fido_rx: buf=0x564b3aa201c8, len=17
libfido2: 0000: 05 1a 63 79 ed 8d df bc 0e 00 00 00 02 00 00 00
libfido2: 0016: 05
libfido2: fido_dev_get_cbor_info_tx: dev=0x564b3aa201c0
libfido2: fido_tx: dev=0x564b3aa201c0, cmd=0x10
libfido2: fido_tx: buf=0x7ffd5d18edd7, len=1
libfido2: 0000: 04
libfido2: fido_dev_get_cbor_info_rx: dev=0x564b3aa201c0, ci=0x564b3aa207a0, ms=-1
libfido2: fido_rx: dev=0x564b3aa201c0, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ecd0, len=64
libfido2: 0000: 0e 00 00 00 90 00 7f 00 a8 01 83 66 55 32 46 5f
libfido2: 0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
libfido2: 0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
libfido2: 0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
libfido2: rx: payload_len=127
libfido2: rx: buf=0x7ffd5d18ecd0, len=64
libfido2: 0000: 0e 00 00 00 00 65 74 03 50 99 8f 35 8b 2d d2 4c
libfido2: 0016: be a4 3a e8 10 74 38 df b3 04 a5 62 72 6b f5 62
libfido2: 0032: 75 70 f5 64 70 6c 61 74 f4 68 63 72 65 64 4d 67
libfido2: 0048: 6d 74 f5 69 63 6c 69 65 6e 74 50 69 6e f4 05 19
libfido2: rx: buf=0x7ffd5d18ecd0, len=64
libfido2: 0000: 0e 00 00 00 01 04 b0 06 81 01 07 14 08 19 01 00
libfido2: 0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa34f30, len=127
libfido2: 0000: 00 a8 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
libfido2: 0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
libfido2: 0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
libfido2: 0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 99 8f 35
libfido2: 0064: 8b 2d d2 4c be a4 3a e8 10 74 38 df b3 04 a5 62
libfido2: 0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 68 63 72
libfido2: 0096: 65 64 4d 67 6d 74 f5 69 63 6c 69 65 6e 74 50 69
libfido2: 0112: 6e f4 05 19 04 b0 06 81 01 07 14 08 19 01 00
libfido2: fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
libfido2: fido_dev_get_cbor_info_tx: dev=0x564b3aa201c0
libfido2: fido_tx: dev=0x564b3aa201c0, cmd=0x10
libfido2: fido_tx: buf=0x7ffd5d18ed87, len=1
libfido2: 0000: 04
libfido2: fido_dev_get_cbor_info_rx: dev=0x564b3aa201c0, ci=0x564b3aa32f40, ms=-1
libfido2: fido_rx: dev=0x564b3aa201c0, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18eca0, len=64
libfido2: 0000: 0e 00 00 00 90 00 7f 00 a8 01 83 66 55 32 46 5f
libfido2: 0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
libfido2: 0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
libfido2: 0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
libfido2: rx: payload_len=127
libfido2: rx: buf=0x7ffd5d18eca0, len=64
libfido2: 0000: 0e 00 00 00 00 65 74 03 50 99 8f 35 8b 2d d2 4c
libfido2: 0016: be a4 3a e8 10 74 38 df b3 04 a5 62 72 6b f5 62
libfido2: 0032: 75 70 f5 64 70 6c 61 74 f4 68 63 72 65 64 4d 67
libfido2: 0048: 6d 74 f5 69 63 6c 69 65 6e 74 50 69 6e f4 05 19
libfido2: rx: buf=0x7ffd5d18eca0, len=64
libfido2: 0000: 0e 00 00 00 01 04 b0 06 81 01 07 14 08 19 01 00
libfido2: 0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa34f30, len=127
libfido2: 0000: 00 a8 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
libfido2: 0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
libfido2: 0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
libfido2: 0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 99 8f 35
libfido2: 0064: 8b 2d d2 4c be a4 3a e8 10 74 38 df b3 04 a5 62
libfido2: 0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 68 63 72
libfido2: 0096: 65 64 4d 67 6d 74 f5 69 63 6c 69 65 6e 74 50 69
libfido2: 0112: 6e f4 05 19 04 b0 06 81 01 07 14 08 19 01 00
FIDO2 device implements extension: credProtect
FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option credMgmt: yes
FIDO2 device implements option clientPin: no
Has rk ('Resident Key') support: yes
Has clientPin support: no
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
libfido2: fido_tx: dev=0x564b3aa201c0, cmd=0x10
libfido2: fido_tx: buf=0x564b3a9fd690, len=160
libfido2: 0000: 02 a4 01 75 69 6f 2e 73 79 73 74 65 6d 64 2e 63
libfido2: 0016: 72 79 70 74 73 65 74 75 70 02 58 20 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 03 81 a2 62
libfido2: 0064: 69 64 58 46 cd f9 c1 ae f3 20 b8 81 a9 fa 84 35
libfido2: 0080: 41 ce 1b 77 84 c9 e3 db d2 86 de 7c 42 63 08 bc
libfido2: 0096: 64 c8 6d 30 c9 38 3b a2 a1 21 ff 04 55 14 ab e1
libfido2: 0112: b8 2a 95 99 df d9 be 3c 43 64 db 0d 6c d0 10 00
libfido2: 0128: d7 29 10 1a ba 8f b3 77 14 02 64 74 79 70 65 6a
libfido2: 0144: 70 75 62 6c 69 63 2d 6b 65 79 05 a1 62 75 70 f4
libfido2: fido_rx: dev=0x564b3aa201c0, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ec40, len=64
libfido2: 0000: 0e 00 00 00 90 00 d1 00 a3 01 a2 62 69 64 58 46
libfido2: 0016: cd f9 c1 ae f3 20 b8 81 a9 fa 84 35 41 ce 1b 77
libfido2: 0032: 84 c9 e3 db d2 86 de 7c 42 63 08 bc 64 c8 6d 30
libfido2: 0048: c9 38 3b a2 a1 21 ff 04 55 14 ab e1 b8 2a 95 99
libfido2: rx: payload_len=209
libfido2: rx: buf=0x7ffd5d18ec40, len=64
libfido2: 0000: 0e 00 00 00 00 df d9 be 3c 43 64 db 0d 6c d0 10
libfido2: 0016: 00 d7 29 10 1a ba 8f b3 77 14 02 64 74 79 70 65
libfido2: 0032: 6a 70 75 62 6c 69 63 2d 6b 65 79 02 58 25 3b a2
libfido2: 0048: a1 21 ff 04 55 14 ab e1 b8 2a 95 99 df d9 be 3c
libfido2: rx: buf=0x7ffd5d18ec40, len=64
libfido2: 0000: 0e 00 00 00 01 43 64 db 0d 6c d0 10 00 d7 29 10
libfido2: 0016: 1a ba 8f 00 02 14 78 04 03 58 47 30 45 02 20 32
libfido2: 0032: c6 8a b7 58 f3 7e db 6f bc bc 6e 79 1f e5 fc 1d
libfido2: 0048: ef 82 25 79 67 6c bf 64 e6 76 f2 ef 39 f6 af 02
libfido2: rx: buf=0x7ffd5d18ec40, len=64
libfido2: 0000: 0e 00 00 00 02 21 00 bd b3 2e b4 4d fb 87 c2 a2
libfido2: 0016: 4d 23 5e f4 46 7e 68 5c a7 dd 5f ae f9 01 1d 23
libfido2: 0032: 30 d6 bb 27 4c 03 8e 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa34f30, len=209
libfido2: 0000: 00 a3 01 a2 62 69 64 58 46 cd f9 c1 ae f3 20 b8
libfido2: 0016: 81 a9 fa 84 35 41 ce 1b 77 84 c9 e3 db d2 86 de
libfido2: 0032: 7c 42 63 08 bc 64 c8 6d 30 c9 38 3b a2 a1 21 ff
libfido2: 0048: 04 55 14 ab e1 b8 2a 95 99 df d9 be 3c 43 64 db
libfido2: 0064: 0d 6c d0 10 00 d7 29 10 1a ba 8f b3 77 14 02 64
libfido2: 0080: 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 02
libfido2: 0096: 58 25 3b a2 a1 21 ff 04 55 14 ab e1 b8 2a 95 99
libfido2: 0112: df d9 be 3c 43 64 db 0d 6c d0 10 00 d7 29 10 1a
libfido2: 0128: ba 8f 00 02 14 78 04 03 58 47 30 45 02 20 32 c6
libfido2: 0144: 8a b7 58 f3 7e db 6f bc bc 6e 79 1f e5 fc 1d ef
libfido2: 0160: 82 25 79 67 6c bf 64 e6 76 f2 ef 39 f6 af 02 21
libfido2: 0176: 00 bd b3 2e b4 4d fb 87 c2 a2 4d 23 5e f4 46 7e
libfido2: 0192: 68 5c a7 dd 5f ae f9 01 1d 23 30 d6 bb 27 4c 03
libfido2: 0208: 8e
libfido2: adjust_assert_count: cbor_type
libfido2: adjust_assert_count: cbor_type
libfido2: adjust_assert_count: cbor_type
libfido2: cbor_decode_assert_authdata: buf=0x564b3aa20dc0, len=37
libfido2: fido_tx: dev=0x564b3aa33d70, cmd=0x06
libfido2: fido_tx: buf=0x564b3aa33d70, len=8
libfido2: 0000: 26 7b db 0e 42 46 4e c6
libfido2: fido_rx: dev=0x564b3aa33d70, cmd=0x06, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ece0, len=64
libfido2: 0000: ff ff ff ff 86 00 11 26 7b db 0e 42 46 4e c6 0f
libfido2: 0016: 00 00 00 02 00 00 00 05 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: rx: payload_len=17
libfido2: fido_rx: buf=0x564b3aa33d78, len=17
libfido2: 0000: 26 7b db 0e 42 46 4e c6 0f 00 00 00 02 00 00 00
libfido2: 0016: 05
libfido2: fido_dev_get_cbor_info_tx: dev=0x564b3aa33d70
libfido2: fido_tx: dev=0x564b3aa33d70, cmd=0x10
libfido2: fido_tx: buf=0x7ffd5d18ed97, len=1
libfido2: 0000: 04
libfido2: fido_dev_get_cbor_info_rx: dev=0x564b3aa33d70, ci=0x564b3aa20410, ms=-1
libfido2: fido_rx: dev=0x564b3aa33d70, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ec90, len=64
libfido2: 0000: 0f 00 00 00 90 00 7f 00 a8 01 83 66 55 32 46 5f
libfido2: 0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
libfido2: 0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
libfido2: 0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
libfido2: rx: payload_len=127
libfido2: rx: buf=0x7ffd5d18ec90, len=64
libfido2: 0000: 0f 00 00 00 00 65 74 03 50 99 8f 35 8b 2d d2 4c
libfido2: 0016: be a4 3a e8 10 74 38 df b3 04 a5 62 72 6b f5 62
libfido2: 0032: 75 70 f5 64 70 6c 61 74 f4 68 63 72 65 64 4d 67
libfido2: 0048: 6d 74 f5 69 63 6c 69 65 6e 74 50 69 6e f4 05 19
libfido2: rx: buf=0x7ffd5d18ec90, len=64
libfido2: 0000: 0f 00 00 00 01 04 b0 06 81 01 07 14 08 19 01 00
libfido2: 0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa34f30, len=127
libfido2: 0000: 00 a8 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
libfido2: 0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
libfido2: 0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
libfido2: 0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 99 8f 35
libfido2: 0064: 8b 2d d2 4c be a4 3a e8 10 74 38 df b3 04 a5 62
libfido2: 0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 68 63 72
libfido2: 0096: 65 64 4d 67 6d 74 f5 69 63 6c 69 65 6e 74 50 69
libfido2: 0112: 6e f4 05 19 04 b0 06 81 01 07 14 08 19 01 00
libfido2: fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200
libfido2: fido_dev_get_cbor_info_tx: dev=0x564b3aa33d70
libfido2: fido_tx: dev=0x564b3aa33d70, cmd=0x10
libfido2: fido_tx: buf=0x7ffd5d18ed47, len=1
libfido2: 0000: 04
libfido2: fido_dev_get_cbor_info_rx: dev=0x564b3aa33d70, ci=0x564b3aa32bd0, ms=-1
libfido2: fido_rx: dev=0x564b3aa33d70, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ec60, len=64
libfido2: 0000: 0f 00 00 00 90 00 7f 00 a8 01 83 66 55 32 46 5f
libfido2: 0016: 56 32 68 46 49 44 4f 5f 32 5f 30 6c 46 49 44 4f
libfido2: 0032: 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65 64 50
libfido2: 0048: 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65 63 72
libfido2: rx: payload_len=127
libfido2: rx: buf=0x7ffd5d18ec60, len=64
libfido2: 0000: 0f 00 00 00 00 65 74 03 50 99 8f 35 8b 2d d2 4c
libfido2: 0016: be a4 3a e8 10 74 38 df b3 04 a5 62 72 6b f5 62
libfido2: 0032: 75 70 f5 64 70 6c 61 74 f4 68 63 72 65 64 4d 67
libfido2: 0048: 6d 74 f5 69 63 6c 69 65 6e 74 50 69 6e f4 05 19
libfido2: rx: buf=0x7ffd5d18ec60, len=64
libfido2: 0000: 0f 00 00 00 01 04 b0 06 81 01 07 14 08 19 01 00
libfido2: 0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa34f30, len=127
libfido2: 0000: 00 a8 01 83 66 55 32 46 5f 56 32 68 46 49 44 4f
libfido2: 0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52
libfido2: 0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b
libfido2: 0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 99 8f 35
libfido2: 0064: 8b 2d d2 4c be a4 3a e8 10 74 38 df b3 04 a5 62
libfido2: 0080: 72 6b f5 62 75 70 f5 64 70 6c 61 74 f4 68 63 72
libfido2: 0096: 65 64 4d 67 6d 74 f5 69 63 6c 69 65 6e 74 50 69
libfido2: 0112: 6e f4 05 19 04 b0 06 81 01 07 14 08 19 01 00
FIDO2 device implements extension: credProtect
FIDO2 device implements extension: hmac-secret
FIDO2 device implements option rk: yes
FIDO2 device implements option up: yes
FIDO2 device implements option plat: no
FIDO2 device implements option credMgmt: yes
FIDO2 device implements option clientPin: no
Has rk ('Resident Key') support: yes
Has clientPin support: no
Has up ('User Presence') support: yes
Has uv ('User Verification') support: no
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
libfido2: fido_dev_authkey_tx: dev=0x564b3aa33d70
libfido2: fido_tx: dev=0x564b3aa33d70, cmd=0x10
libfido2: fido_tx: buf=0x564b3aa27980, len=6
libfido2: 0000: 06 a2 01 01 02 02
libfido2: fido_dev_authkey_rx: dev=0x564b3aa33d70, authkey=0x564b3aa27570, ms=-1
libfido2: fido_rx: dev=0x564b3aa33d70, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18eb40, len=64
libfido2: 0000: 0f 00 00 00 90 00 51 00 a1 01 a5 01 02 03 38 18
libfido2: 0016: 20 01 21 58 20 18 d5 07 ca 25 13 60 72 21 21 e8
libfido2: 0032: ab 4f 8e ce 41 ff 2f d3 03 ca 44 41 43 59 a2 f5
libfido2: 0048: 91 76 f0 b0 98 22 58 20 e5 c1 dc 5c fb 47 bc 56
libfido2: rx: payload_len=81
libfido2: rx: buf=0x7ffd5d18eb40, len=64
libfido2: 0000: 0f 00 00 00 00 a2 65 14 77 e1 a8 82 b9 04 ac d9
libfido2: 0016: 21 4e 2b a7 e6 1a 96 71 66 ae 92 52 3a 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa51bd0, len=81
libfido2: 0000: 00 a1 01 a5 01 02 03 38 18 20 01 21 58 20 18 d5
libfido2: 0016: 07 ca 25 13 60 72 21 21 e8 ab 4f 8e ce 41 ff 2f
libfido2: 0032: d3 03 ca 44 41 43 59 a2 f5 91 76 f0 b0 98 22 58
libfido2: 0048: 20 e5 c1 dc 5c fb 47 bc 56 a2 65 14 77 e1 a8 82
libfido2: 0064: b9 04 ac d9 21 4e 2b a7 e6 1a 96 71 66 ae 92 52
libfido2: 0080: 3a
libfido2: fido_tx: dev=0x564b3aa33d70, cmd=0x10
libfido2: fido_tx: buf=0x564b3aa5b1f0, len=307
libfido2: 0000: 02 a5 01 75 69 6f 2e 73 79 73 74 65 6d 64 2e 63
libfido2: 0016: 72 79 70 74 73 65 74 75 70 02 58 20 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 03 81 a2 62
libfido2: 0064: 69 64 58 46 cd f9 c1 ae f3 20 b8 81 a9 fa 84 35
libfido2: 0080: 41 ce 1b 77 84 c9 e3 db d2 86 de 7c 42 63 08 bc
libfido2: 0096: 64 c8 6d 30 c9 38 3b a2 a1 21 ff 04 55 14 ab e1
libfido2: 0112: b8 2a 95 99 df d9 be 3c 43 64 db 0d 6c d0 10 00
libfido2: 0128: d7 29 10 1a ba 8f b3 77 14 02 64 74 79 70 65 6a
libfido2: 0144: 70 75 62 6c 69 63 2d 6b 65 79 04 a1 6b 68 6d 61
libfido2: 0160: 63 2d 73 65 63 72 65 74 a3 01 a5 01 02 03 38 18
libfido2: 0176: 20 01 21 58 20 a2 e7 79 ec 10 fd d1 80 80 25 92
libfido2: 0192: 01 ee aa 1a 1d a2 aa 9b 2c 18 a3 d8 46 6d 15 30
libfido2: 0208: 91 24 98 66 4a 22 58 20 f6 2a a1 f7 78 f9 1a 16
libfido2: 0224: c0 8d 6d 65 12 ea 55 19 f4 8b 3a 94 29 e1 f3 c2
libfido2: 0240: 31 2b 28 35 97 19 3b 51 02 58 20 76 07 79 cc ea
libfido2: 0256: a0 8b d5 c8 b7 50 dc 72 19 01 c3 0a 07 f4 f5 1b
libfido2: 0272: 0a c3 74 eb 28 c5 44 ad 86 e7 bd 03 50 9d 37 09
libfido2: 0288: dc 86 fa c0 be ec ee 7e 32 fe 6f d3 c4 05 a1 62
libfido2: 0304: 75 70 f5
libfido2: fido_rx: dev=0x564b3aa33d70, cmd=0x10, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ec00, len=64
libfido2: 0000: 0f 00 00 00 90 01 00 00 a3 01 a2 62 69 64 58 46
libfido2: 0016: cd f9 c1 ae f3 20 b8 81 a9 fa 84 35 41 ce 1b 77
libfido2: 0032: 84 c9 e3 db d2 86 de 7c 42 63 08 bc 64 c8 6d 30
libfido2: 0048: c9 38 3b a2 a1 21 ff 04 55 14 ab e1 b8 2a 95 99
libfido2: rx: payload_len=256
libfido2: rx: buf=0x7ffd5d18ec00, len=64
libfido2: 0000: 0f 00 00 00 00 df d9 be 3c 43 64 db 0d 6c d0 10
libfido2: 0016: 00 d7 29 10 1a ba 8f b3 77 14 02 64 74 79 70 65
libfido2: 0032: 6a 70 75 62 6c 69 63 2d 6b 65 79 02 58 54 3b a2
libfido2: 0048: a1 21 ff 04 55 14 ab e1 b8 2a 95 99 df d9 be 3c
libfido2: rx: buf=0x7ffd5d18ec00, len=64
libfido2: 0000: 0f 00 00 00 01 43 64 db 0d 6c d0 10 00 d7 29 10
libfido2: 0016: 1a ba 8f 81 02 14 78 05 a1 6b 68 6d 61 63 2d 73
libfido2: 0032: 65 63 72 65 74 58 20 68 37 eb c4 aa b9 ad 46 32
libfido2: 0048: 88 d5 5d 6a c9 e7 d3 84 1e 75 4f a8 b5 8a 1c f0
libfido2: rx: buf=0x7ffd5d18ec00, len=64
libfido2: 0000: 0f 00 00 00 02 2b 0b 35 9e b5 66 1c 03 58 47 30
libfido2: 0016: 45 02 20 2f 95 58 8c f5 d3 34 94 37 ed 70 2a 8c
libfido2: 0032: 8a a7 23 c8 23 c3 9b 28 f1 58 cd 7c 35 59 95 2b
libfido2: 0048: 3e 15 8f 02 21 00 da 91 7e 41 51 a5 c2 01 fc 5d
libfido2: rx: buf=0x7ffd5d18ec00, len=64
libfido2: 0000: 0f 00 00 00 03 c0 ac 85 18 4a c7 4e 49 00 e2 57
libfido2: 0016: b3 14 7f 48 71 e6 37 2b 7b 83 8d 00 00 00 00 00
libfido2: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido2: fido_rx: buf=0x564b3aa5b330, len=256
libfido2: 0000: 00 a3 01 a2 62 69 64 58 46 cd f9 c1 ae f3 20 b8
libfido2: 0016: 81 a9 fa 84 35 41 ce 1b 77 84 c9 e3 db d2 86 de
libfido2: 0032: 7c 42 63 08 bc 64 c8 6d 30 c9 38 3b a2 a1 21 ff
libfido2: 0048: 04 55 14 ab e1 b8 2a 95 99 df d9 be 3c 43 64 db
libfido2: 0064: 0d 6c d0 10 00 d7 29 10 1a ba 8f b3 77 14 02 64
libfido2: 0080: 74 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 02
libfido2: 0096: 58 54 3b a2 a1 21 ff 04 55 14 ab e1 b8 2a 95 99
libfido2: 0112: df d9 be 3c 43 64 db 0d 6c d0 10 00 d7 29 10 1a
libfido2: 0128: ba 8f 81 02 14 78 05 a1 6b 68 6d 61 63 2d 73 65
libfido2: 0144: 63 72 65 74 58 20 68 37 eb c4 aa b9 ad 46 32 88
libfido2: 0160: d5 5d 6a c9 e7 d3 84 1e 75 4f a8 b5 8a 1c f0 2b
libfido2: 0176: 0b 35 9e b5 66 1c 03 58 47 30 45 02 20 2f 95 58
libfido2: 0192: 8c f5 d3 34 94 37 ed 70 2a 8c 8a a7 23 c8 23 c3
libfido2: 0208: 9b 28 f1 58 cd 7c 35 59 95 2b 3e 15 8f 02 21 00
libfido2: 0224: da 91 7e 41 51 a5 c2 01 fc 5d c0 ac 85 18 4a c7
libfido2: 0240: 4e 49 00 e2 57 b3 14 7f 48 71 e6 37 2b 7b 83 8d
libfido2: adjust_assert_count: cbor_type
libfido2: adjust_assert_count: cbor_type
libfido2: adjust_assert_count: cbor_type
libfido2: cbor_decode_assert_authdata: buf=0x564b3aa504d0, len=84
libfido2: decode_assert_extensions: buf=0x564b3aa504f5, len=47
libfido2: 0000: a1 6b 68 6d 61 63 2d 73 65 63 72 65 74 58 20 68
libfido2: 0016: 37 eb c4 aa b9 ad 46 32 88 d5 5d 6a c9 e7 d3 84
libfido2: 0032: 1e 75 4f a8 b5 8a 1c f0 2b 0b 35 9e b5 66 1c
Trying to open keyslot 1 with token 2 (type systemd-fido2).
Trying to open LUKS2 keyslot 1.
Running keyslot key derivation.
Reading keyslot area [0x47000].
Acquiring read lock for device /dev/zvol/zroot/zkeys.
Opening lock resource file /run/cryptsetup/L_230:0
Verifying lock handle for /dev/zvol/zroot/zkeys.
Device /dev/zvol/zroot/zkeys READ lock taken.
Reusing open ro fd on device /dev/zvol/zroot/zkeys
Device /dev/zvol/zroot/zkeys READ lock released.
Verifying key from keyslot 1, digest 0.
dm target-version crypt [ opencount flush ] [16384] (*1)
dm versions [ opencount flush ] [16384] (*1)
Detected dm-crypt version 1.28.0.
Loading key (type logon, name cryptsetup:87c5cf5f-64da-4e5f-a55a-8aac0dbe080b-d0) in thread keyring.
dm versions [ opencount flush ] [16384] (*1)
dm status zkeys [ opencount noflush ] [16384] (*1)
Calculated device size is 139264 sectors (RW), offset 65536.
DM-UUID is CRYPT-LUKS2-87c5cf5f64da4e5fa55a8aac0dbe080b-zkeys
Udev cookie 0xd4d334b (semid 0) created
Udev cookie 0xd4d334b (semid 0) incremented to 1
Udev cookie 0xd4d334b (semid 0) incremented to 2
Udev cookie 0xd4d334b (semid 0) assigned to CREATE task(0) with flags DISABLE_LIBRARY_FALLBACK (0x20)
dm create zkeys CRYPT-LUKS2-87c5cf5f64da4e5fa55a8aac0dbe080b-zkeys [ opencount flush ] [16384] (*1)
dm reload (253:0) [ opencount flush securedata ] [16384] (*1)
dm resume zkeys [ opencount flush securedata ] [16384] (*1)
zkeys: Stacking NODE_ADD (253,0) 0:6 0660 [trust_udev]
zkeys: Stacking NODE_READ_AHEAD 131072 (flags=1)
Udev cookie 0xd4d334b (semid 0) decremented to 1
Udev cookie 0xd4d334b (semid 0) waiting for zero
Udev cookie 0xd4d334b (semid 0) destroyed
zkeys: Skipping NODE_ADD (253,0) 0:6 0660 [trust_udev]
zkeys: Processing NODE_READ_AHEAD 131072 (flags=1)
zkeys (253:0): read ahead is 131072
zkeys: retaining kernel read ahead of 131072 (requested 131072)
Volume zkeys activated with LUKS token id 0.
Releasing crypt device /dev/zvol/zroot/zkeys context.
Releasing device-mapper backend.
Closing read only fd for /dev/zvol/zroot/zkeys.
Unloading systemd-fido2 token handler.
AND when it fails:
Loaded 'libcryptsetup.so.12' via dlopen()
run zkeys ← /dev/zvol/zroot/zkeys type= cipher=
Allocating context for crypt device /dev/zvol/zroot/zkeys.
Trying to open and read device /dev/zvol/zroot/zkeys with direct-io.
Direct-io is supported and works.
Initialising device-mapper backend library.
dm version [ opencount flush ] [16384] (*1)
dm versions [ opencount flush ] [16384] (*1)
Detected dm-ioctl version 4.48.0.
Detected dm-zero version 1.2.0.
Device-mapper backend running with UDEV support enabled.
dm status zkeys [ opencount noflush ] [16384] (*1)
Trying to load any crypt type from device /dev/zvol/zroot/zkeys.
Crypto backend (OpenSSL 3.2.2 4 Jun 2024 [default][legacy][threads][argon2]) initialized in cryptsetup library version 2.7.5.
Detected kernel Linux 6.12.11-200.fc41.x86_64 x86_64.
Loading LUKS2 header (repair disabled).
Acquiring read lock for device /dev/zvol/zroot/zkeys.
Opening lock resource file /run/cryptsetup/L_230:0
Verifying lock handle for /dev/zvol/zroot/zkeys.
Device /dev/zvol/zroot/zkeys READ lock taken.
Trying to read primary LUKS2 header at offset 0x0.
Opening locked device /dev/zvol/zroot/zkeys
Verifying locked device handle (bdev)
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:8234c780914d9aa13ed1c3a1f1794c8ca85beb0b24ad8c9cd505a2cadb844f6e (on-disk)
Checksum:8234c780914d9aa13ed1c3a1f1794c8ca85beb0b24ad8c9cd505a2cadb844f6e (in-memory)
Trying to read secondary LUKS2 header at offset 0x4000.
Reusing open ro fd on device /dev/zvol/zroot/zkeys
LUKS2 header version 2 of size 16384 bytes, checksum sha256.
Checksum:8b9ef8c4276f02aa590ec0389e9503c6f86b10ba78a3d13fba0cbb109edaf7f0 (on-disk)
Checksum:8b9ef8c4276f02aa590ec0389e9503c6f86b10ba78a3d13fba0cbb109edaf7f0 (in-memory)
Device size 104857600, offset 16777216.
Device /dev/zvol/zroot/zkeys READ lock released.
PBKDF argon2id, time_ms 2000 (iterations 0), max_memory_kb 1048576, parallel_threads 4.
Activating volume zkeys [keyslot -1] using token.
dm versions [ opencount flush ] [16384] (*1)
dm status zkeys [ opencount noflush ] [16384] (*1)
Token 0 unusable for segment 0 with desired keyslot priority 2.
Token 1 unusable for segment 0 with desired keyslot priority 2.
Token 2 unusable for segment 0 with desired keyslot priority 2.
Token 0 unusable for segment 0 with desired keyslot priority 1.
Token 1 unusable for segment 0 with desired keyslot priority 1.
Trying to load /usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so.
Loading symbol cryptsetup_token_open@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_buffer_free@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_validate@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_dump@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_open_pin@CRYPTSETUP_TOKEN_1.0.
Loading symbol cryptsetup_token_version@CRYPTSETUP_TOKEN_1.0.
Token handler systemd-fido2-1.0 systemd-v256.11 (256.11-1.fc41) loaded successfully.
Requesting JSON for token 2.
Loaded 'libfido2.so.1' via dlopen()
libfido2: run_manifest: found 1 hid device
libfido2: run_manifest: found 0 nfc devices
libfido2: fido_tx: dev=0x556ce02481c0, cmd=0x06
libfido2: fido_tx: buf=0x556ce02481c0, len=8
libfido2: 0000: 21 c3 1c a0 1c e0 44 30
libfido2: fido_rx: dev=0x556ce02481c0, cmd=0x06, ms=-1
There’s also a third scenario: when it hangs, a 20 second timeout coded into libfido2 works, and it reverts to passphrase. That can be seen in the GitHub thread.
PLEASE PLEASE HELP, this must be Fedora related, as it works fine in both Ubuntu and Debian, regardless of libfido2 versions.
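Added example, not part of the original post and not libfido2 code: a Python script that pairs each `fido_tx` in a libfido2 debug log with its `fido_rx` and reports the exchange that never completed, decoding the CTAPHID_INIT reply when one is present. The embedded samples are abridged from the two logs above; the function names and the reading of `ms=-1` as "no timeout" are assumptions.

```python
import re

# CTAPHID command codes (FIDO CTAP HID transport); only a subset is listed.
CTAPHID_CMDS = {0x01: "PING", 0x03: "MSG", 0x06: "INIT", 0x10: "CBOR",
                0x11: "CANCEL", 0x3B: "KEEPALIVE", 0x3F: "ERROR"}

TX_RE = re.compile(r"fido_tx: dev=(0x[0-9a-f]+), cmd=0x([0-9a-f]{2})")
RX_WAIT_RE = re.compile(r"fido_rx: dev=0x[0-9a-f]+, cmd=0x[0-9a-f]{2}, ms=(-?\d+)")
RX_DONE_RE = re.compile(r"fido_rx: buf=0x[0-9a-f]+, len=\d+")
HEX_RE = re.compile(r"libfido2: \d{4}: ((?:[0-9a-f]{2} ?)+)$")

# Abridged from the working run in the post (zero padding lines dropped).
WORKING = """\
libfido2: fido_tx: dev=0x564b3aa201c0, cmd=0x06
libfido2: fido_tx: buf=0x564b3aa201c0, len=8
libfido2: 0000: 05 1a 63 79 ed 8d df bc
libfido2: fido_rx: dev=0x564b3aa201c0, cmd=0x06, ms=-1
libfido2: rx_preamble: buf=0x7ffd5d18ed20, len=64
libfido2: 0000: ff ff ff ff 86 00 11 05 1a 63 79 ed 8d df bc 0e
libfido2: 0016: 00 00 00 02 00 00 00 05 00 00 00 00 00 00 00 00
libfido2: rx: payload_len=17
libfido2: fido_rx: buf=0x564b3aa201c8, len=17
libfido2: 0000: 05 1a 63 79 ed 8d df bc 0e 00 00 00 02 00 00 00
libfido2: 0016: 05
"""

# Last libfido2 lines of the hanging run in the post.
FAILING = """\
libfido2: fido_tx: dev=0x556ce02481c0, cmd=0x06
libfido2: fido_tx: buf=0x556ce02481c0, len=8
libfido2: 0000: 21 c3 1c a0 1c e0 44 30
libfido2: fido_rx: dev=0x556ce02481c0, cmd=0x06, ms=-1
"""


def parse_transactions(log_text):
    """Pair each fido_tx with its fido_rx wait and, if logged, the reassembled reply."""
    txns, section = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := HEX_RE.search(line):
            if section:  # hex under rx_preamble/rx (raw HID frames) is skipped
                txns[-1][section] += bytes.fromhex(m[1])
            continue
        section = None
        if m := TX_RE.search(line):
            txns.append({"dev": m[1], "cmd": int(m[2], 16), "timeout_ms": None,
                         "request": b"", "response": None})
        elif not txns:
            continue
        elif "fido_tx: buf=" in line:
            section = "request"
        elif m := RX_WAIT_RE.search(line):
            txns[-1]["timeout_ms"] = int(m[1])
        elif RX_DONE_RE.search(line):
            txns[-1]["response"], section = b"", "response"
    return txns


def stalled(txns):
    """Transactions that entered fido_rx but never logged a completed reply."""
    return [t for t in txns if t["timeout_ms"] is not None and t["response"] is None]


def check_init(txn):
    """Decode a 17-byte CTAPHID_INIT reply: nonce echo, channel ID, version, capabilities."""
    rsp = txn["response"]
    if txn["cmd"] != 0x06 or rsp is None or len(rsp) != 17:
        return None
    return {"nonce_ok": rsp[:8] == txn["request"], "cid": rsp[8:12].hex(),
            "protocol": rsp[12], "caps": rsp[16], "cbor": bool(rsp[16] & 0x04)}


def describe(txn):
    name = CTAPHID_CMDS.get(txn["cmd"], hex(txn["cmd"]))
    # Assumption: ms=-1 means "no timeout", matching the indefinite hang in the post.
    wait = "no timeout (blocks forever)" if txn["timeout_ms"] == -1 else f"{txn['timeout_ms']} ms"
    state = "no response logged" if txn["response"] is None else f"{len(txn['response'])}-byte response"
    return f"CTAPHID_{name} on {txn['dev']}: {state}, {wait}"


if __name__ == "__main__":
    for label, log in (("working", WORKING), ("failing", FAILING)):
        for txn in parse_transactions(log):
            print(label, "|", describe(txn), "|", check_init(txn))
```

Run over the failing excerpt, it reports the CTAPHID_INIT exchange, the first message sent to the token, as the one left waiting.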