My root partition is a Btrfs on a LUKS2 encrypted partition with a Yubikey 5 NFC enrol

I think I've found the root cause: On my system I've been runn

Hello <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-ur

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

`extra_files: fido2-assert` can't unlock w/ systemd-cryptenroll -ed Yubikey about booster HOT 4 CLOSED

5long commented on June 13, 2024

`extra_files: fido2-assert` can't unlock w/ systemd-cryptenroll -ed Yubikey

from booster.

Comments (4)

5long commented on June 13, 2024

I think I've found the root cause:

On my system I've been running opendoas instead of good old sudo
opendoas sets the PATH environment variable to a hardcode set of "safepath" instead of inheriting the value of $PATH from current shell
and this "safepath" puts /bin at the top of the list
booster build picks up executables in /bin because it's at the top of the list

sudo has a simillar setting named secure_path but somehow plays nice with booster. I just tried running sudo booster build ... and images have /usr/bin/fido2-assert which should work just fine.

But still, right now booster(1) claims that a relative path is resolved from /usr/bin without mentioning the PATH environmental variable. Meanwhile in CHANGES.md (which is not necessarily packaged by Linux distros) it claims that booster will actually lookup executables in PATH.

Before I could come up with some constructive suggestions I could really use a break...

from booster.

anatol commented on June 13, 2024

Hello @5long thank you for this extensive analysis.

right now booster(1) claims that a relative path is resolved from /usr/bin without mentioning the PATH environmental variable. Meanwhile in CHANGES.md (which is not necessarily packaged by Linux distros) it claims that booster will actually lookup executables in PATH.

Until recently booster was using golan's exec.LookPath function that is relying on PATH envvar.

But recently (commit 7766b07) booster has switched to predefined list of directories to lookup. It was done for the security and reproducibility reasons. The list is here

booster/generator/generator.go

Lines 306 to 313 in 7766b07

 paths := []string{ 

 "/usr/bin", 

 "/usr/sbin", 

 "/bin", 

 "/sbin", 

 "/usr/local/bin", 

 "/usr/local/sbin", 

 }

The change is not part of a released version. It targets the upcoming 0.11 release.

from booster.

c3Ls1US commented on June 13, 2024

@5long By any chance, are you still experiencing this issue? On my host machine, booster's default minimal generated initramfs would not reliably unlock my encrypted device using a Yubikey unless it was configured to generate a universal image.

I was able to get around this by force loading my graphics module, usbhid and hid_sensor_hub.

booster.yaml:

modules_force_load: amdgpu,usbhid,hid_sensor_hub
extra_files: fido2-assert

from booster.

5long commented on June 13, 2024

@c3Ls1US Upgrading to booster=v0.11-1 solved my issue. Can't be of help here, sorry.

from booster.

`extra_files: fido2-assert` can't unlock w/ systemd-cryptenroll -ed Yubikey about booster HOT 4 CLOSED

Comments (4)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

	paths := []string{
	"/usr/bin",
	"/usr/sbin",
	"/bin",
	"/sbin",
	"/usr/local/bin",
	"/usr/local/sbin",
	}