author | Erno Hopearuoho <erno.hopearuoho@gmail.com> | 2023-04-25 16:48:54 +0300 |
---|---|---|
committer | Anderson Torres <torres.anderson.85@protonmail.com> | 2023-09-18 23:10:06 -0300 |
commit | 7d112f7da3312cb07116b5f9bac647f0f943a596 (patch) | |
tree | 1cb289272dc6dc677d59d1bbb36ff43f63710f16 /nixos/modules/system | |
parent | e924d116ce5138ea9efec1448289c7c0898e6e18 (diff) | |
luksroot: fix issue when yubikey is detached during boot process
Fixes #228141, which describes an issue where detaching the YubiKey during the boot process causes cryptsetup to write an empty passphrase instead of the challenge-response salt stored on the boot drive.
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index dc3fe163116e..06c329e006b8 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -351,6 +351,12 @@ let
 new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)"
+ if [ -z "$new_response" ]; then
+ echo "Warning: Unable to generate new challenge response, current challenge persists!"
+ umount /crypt-storage
+ return
+ fi
+
 if [ ! -z "$k_user" ]; then
 new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
 else |
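Review bot: The added guard `if [ -z "$new_response" ]` only catches an empty response; the exit status of `ykchalresp` is still ignored and its stderr is discarded, so a failed call that printed anything to stdout would still be fed into `pbkdf2-sha512` and, presumably, into the key update further down. Folding the exit status into the same check would close that gap, for example by ending the assignment with `|| new_response=""`, so any non-zero exit takes the new early-return path. The warning would also be easier to spot in boot logs if it went to stderr (`echo "Warning: ..." >&2`). The enclosing function starts and ends outside the hunk, so whether anything other than `/crypt-storage` needs cleanup before `return` cannot be confirmed from here.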