vanilla cryptsetup doesn't have access to systemd-cryptsetup plugins (FIDO2, pkcs11, tpm2))

[colemickens]

Describe the bug

We can't currently use cryptsetup to unlock volumes via token plugins (aka, FIDO2, pkcs11, tpm2)

Context:

• cryptsetup doesn't ship with support for FIDO2, etc
• it relies on "plugins" to do this
• we patch the cryptsetup so it will load from LD_LIBRARY_PATH
• we wrap systemd-crypt{setup,enroll} to set LD_LIBRARY_PATH to systemd's cryptsetup plugin dir, which is why enrollment/boot-unlocking works.

Problem:

• we don't do this wrapping for cryptsetup
• I'm not sure how we would without a circular dependency

Evidence:

• if I sudo -s, set LD_LIBRARY_PATH to include ${pkgs.systemd}/lib/cryptsetup, I'm able to use cryptsetup to unlock with my token.
• looking at the pkgs/os-specific/linux/systemd/default.nix where we wrapProgram those the two binaries noted above

Steps To Reproduce

Steps to reproduce the behavior:

1. Add a fido2 token to a luks volume
2. Try to test unlocking, and add --debug because by default it just exits exitcode=1 with no useful error message.

And you'll see this:

# add a token
sudo systemd-cryptsetup --fido2-device auto /dev/nvme0n1p7

# test opening the token
sudo cryptsetup luksOpen --token-only --test-passphrase --debug /dev/nvme0n1p7

# [snip]
# Checking volume passphrase [keyslot 1] using token.
# Trying to load libcryptsetup-token-systemd-fido2.so.
# libcryptsetup-token-systemd-fido2.so: cannot open shared object file: No such file or directory
No usable token is available.

Expected behavior

I'm able to use cryptsetup to unlock a LUKS volume with my FIDO2 key, or to test unlocking, as I'm originally trying to do.

Notify maintainers

cc: @ElvishJerricco

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
output here

[numinit]

@colemickens FYI, we're trying to tackle this now. The problem we're running into is closure size since we have to include systemd in the closure of cryptsetup now (and, notably, it's used in initrds that don't include systemd). Would a separate cryptsetupWithSystemd package to solve this work?

[SaltedFishesNG]

@colemickens FYI, we're trying to tackle this now. The problem we're running into is closure size since we have to include systemd in the closure of cryptsetup now (and, notably, it's used in initrds that don't include systemd). Would a separate cryptsetupWithSystemd package to solve this work?

I think a separate cryptsetupWithSystemd package may be redundant here.

I just thought about it for a moment. Since withLuks2ExternalTokens ? !stdenv.hostPlatform.isStatic, perhaps it could be changed to withLuks2ExternalTokens ? (!stdenv.hostPlatform.isStatic && ???.isMinimal）

BTW，because this is done via RPATH only, systemd is not pulled into cryptsetup’s closure, and initrds without systemd are unaffected.

I’m not entirely sure under which circumstances disabling withLuks2ExternalTokens would be preferable, so ...

[numinit]

BTW，because this is done via RPATH only, systemd is not pulled into cryptsetup’s closure, and initrds without systemd are unaffected.

Oh, very good to know. If that's the case, I retract my suggestion (though I still want to check it for references just in case) since I think technically Nix may still detect the path in $out and add it?

In any case I'll check in more detail when the new PR is up 👍

[numinit]

As indicated in #487497 we figured out how to natively make everything work without expanding closure size to include systemd :)