
unlocking LUKS device using fido2 token fails roughly every other time between reboot/replugging #852

@nomisma-qt

Description

What version of libfido2 are you using?

#dnf info libfido2
Updating and loading repositories:
Repositories loaded.
Installed packages
Name : libfido2
Epoch : 0
Version : 1.15.0
Release : 2.fc41
Architecture : x86_64
Installed size : 238.2 KiB
Source : libfido2-1.15.0-2.fc41.src.rpm
From repository : anaconda

What operating system are you running?

OS: Fedora 41
Kernel: x86_64 Linux 6.12.11-200.fc41.x86_64

What application are you using in conjunction with libfido2?

/usr/sbin/cryptsetup
/usr/bin/systemd-cryptsetup

How does the problem manifest itself?

Hi. I'm opening a LUKS2 device using an Onlykey Duo FIDO2 device. The problem is, between reboots, it works roughly every other time. Meaning after a reboot, about 50% of the time it will work right away. And it keeps working no matter how many times I do cryptsetup open/close.

But roughly the other 50% of the time, or every other reboot, it doesn't work. I say roughly, because sometimes it might not work 2 reboots in a row, and sometimes it might work two reboots in a row. But mostly it's every other reboot.

When it doesn't work, unplugging the FIDO token, replugging it and giving the PIN, it will then work. And it will continue to work no matter how many times I do cryptsetup open/close after that.

The same thing happens with a reboot, without unplugging the device. When it doesn't work, after the next reboot it probably will, and then it will also continue to work no matter how many times I do cryptsetup open/close.

When it works it looks like this:

Asking FIDO2 token for authentication. 👆 Please confirm presence on security token to unlock.

When it doesn't work it will just sit there in an endless timeout, no output on screen or in logs, when it should start blinking to confirm user presence.
Then pressing ctrl-C says this:

^CFailed to open FIDO2 device /dev/hidraw1: FIDO_ERR_RX Token returned error during pre-flight: Input/output error

Some background info:

I'm using this to unlock a LUKS encrypted zvol used as a keystore at boot. At the beginning, now several hundred reboot attempts ago, I was unlucky in that manually unlocking happened to always work, but when systemd was supposed to unlock during boot, roughly every other time it failed. Because it had worked manually, I was convinced it was a systemd issue, and I have spent a very long time trying to debug systemd, until finally I tried manually again, and it was only then I discovered that it also happens when manually unlocking, after a reboot.

It was only then I saw the "Token returned error during pre-flight: Input/output error" message.

Searching for that message led me to this thread:
systemd/systemd#27947

So I don't know if this is a libfido2 issue, or a kernel issue as described in that linked thread. I just thought I would start here in the libfido2 GitHub.
Please excuse me if I'm writing this in the wrong place.

I'm currently testing this in a VM, which I can easily reboot over and over, and also snapshot and roll back. I'm not a coder, and I don't know how to do 'git pulls' or strace or anything like that, but if instructed, I can install anything in this VM and do whatever I can to help solve this issue.

I have also tested this on bare metal, and with a virtual HDD/physical SSD instead of a zvol, and many other things; it makes no difference.

Because a reboot almost always makes it work the next time, I'm leaning towards it maybe being a kernel issue rather than libfido2, BUT then again, unplugging and replugging the device results in the same behaviour as a reboot (it will then likely work), so... it could also be a combination of libfido2 and kernel?

After now approaching probably a hundred reboots, I would be very, very glad for any help.

Regards, Mike

Is the problem reproducible?

yes

What are the steps that lead to the problem?

reboot

Does the problem happen with different authenticators?

Please include the output of fido2-token -L.

$ fido2-token -L
/dev/hidraw1: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)

Please include the output of fido2-token -I.

$ fido2-token -I <device>
proto: 0x02
major: 0x00
minor: 0x00
build: 0x00
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
aaguid: 998f358b2dd24cbea43ae8107438dfb3
options: rk, up, noplat, credMgmt, noclientPin
fwversion: 0x0
maxmsgsiz: 1200
maxcredcntlst: 20
maxcredlen: 256
maxcredblob: 0
maxlargeblob: 0
pin protocols: 1
pin retries: 8
pin change required: false
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

$ export FIDO_DEBUG=1
$ <FIDO_DEBUG=1 fido2-token -L>
run_manifest: found 1 hid device
run_manifest: found 0 nfc devices
/dev/hidraw1: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)
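One way to turn the "roughly every other reboot" observation into numbers is a small repro harness that retries the unlock, sends SIGINT after a timeout (the same thing the reporter's ctrl-C did, which is what makes the pre-flight error surface), and classifies each attempt from its stderr. This is an added example, not code from the issue or from libfido2; the `cryptsetup open --token-only` invocation, the device path and the log path are assumptions to adjust for the setup being tested.

```shell
#!/usr/bin/env bash
# Added diagnostic harness (not from the issue or libfido2). Retries a FIDO2
# token unlock, interrupts a hung attempt with SIGINT after $TIMEOUT seconds,
# and logs how each attempt ended so the failure rate across reboots can be
# measured. DEV, NAME and LOG are placeholders (assumptions, not from the issue).
DEV="${DEV:-/dev/zvol/pool/keystore}"      # placeholder LUKS2 device
NAME="${NAME:-keystore}"                     # placeholder mapping name
ATTEMPTS="${ATTEMPTS:-5}"
TIMEOUT="${TIMEOUT:-20}"                     # seconds before SIGINT, like ctrl-C
LOG="${LOG:-/var/tmp/fido2-unlock.log}"

# classify_output OUTPUT EXITCODE
# Prints: ok | preflight-io-error | other-fido-error | timeout | unknown
# The pre-flight message is checked before the exit code because, as in the
# issue, it only appears after the hung command is interrupted (timeout rc=124).
classify_output() {
    local out="$1" rc="$2"
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif printf '%s' "$out" | grep -qF 'Token returned error during pre-flight'; then
        echo preflight-io-error
    elif printf '%s' "$out" | grep -qF 'FIDO_ERR'; then
        echo other-fido-error
    elif [ "$rc" -eq 124 ]; then
        echo timeout          # hung silently and was interrupted, no FIDO error text
    else
        echo unknown
    fi
}

# run_attempts: loop the unlock, classify, append one line per attempt to $LOG.
run_attempts() {
    local i out rc kind token
    for i in $(seq 1 "$ATTEMPTS"); do
        token=$(fido2-token -L 2>/dev/null | head -n 1)     # which hidraw node is in use
        out=$(timeout -s INT "$TIMEOUT" cryptsetup open --token-only "$DEV" "$NAME" 2>&1)
        rc=$?
        kind=$(classify_output "$out" "$rc")
        printf '%s attempt=%s rc=%s result=%s token="%s"\n' \
            "$(date -Is)" "$i" "$rc" "$kind" "$token" >> "$LOG"
        [ "$kind" = ok ] && cryptsetup close "$NAME"   # reopen on the next round
    done
}

# Only run the loop when invoked as: ./fido2-unlock-probe.sh run
[ "${1:-}" = run ] && run_attempts
```

Run it once right after each boot (or after each replug) and compare the `result=` counts in the log; a `preflight-io-error` line records the exact attempt and hidraw node for the libfido2 or kernel side to correlate with `FIDO_DEBUG=1` output.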

Labels: bug report (Something isn't working)