On Fri, Jun 7, 2024 at 2:07 AM Sergio Arroutbi <sarro...@redhat.com> wrote:
...
>
> We are developing a PKCS11 plugin for Clevis 
> (https://github.com/latchset/clevis). Clevis allows automatic unlocking of 
> encrypted disks at boot by storing some information in the LUKS metadata.
> To do so, it is executed in parallel to systemd-cryptsetup and, while the 
> password is prompted to the user (and the agent runs), Clevis provides the key
> by writing to the systemd-cryptsetup ask-password socket.
>
>> I initially thought you don't, but now you do?
>
> Let me explain myself. What we want now is to disable the systemd-cryptenroll 
> password prompt at boot (as our software already asks for the PKCS11 PIN), 
> and provide the password as we are doing now, by using the socket provided 
> through the agent system. We just want systemd-cryptenroll to not ask for a 
> password in the boot console. I don't know if there is an option to disable 
> it, as using "headless" makes our software unable to communicate the PIN to 
> systemd-cryptenroll.
...
>
> According to api-password.h (systemd/src/shared/) you can provide different 
> options:
>         ASK_PASSWORD_ACCEPT_CACHED = 1 << 0, /* read from kernel keyring */
> ...
>         ASK_PASSWORD_NO_TTY        = 1 << 4, /* never ask for password on tty */

Isn't that exactly what you need? The problem is, systemd-cryptsetup
does not use it; the only place where this flag is set is
systemd-ask-password or homectl.

This calls for an additional "notty" option to /etc/crypttab. But note that


> ...
>         ASK_PASSWORD_HEADLESS      = 1 << 9, /* headless mode: never query interactively */
>
> So, using headless mode in crypttab should be the way, but it makes 
> systemd-cryptsetup exit, and we cannot inject the password.

Headless completely skips password agent. I wonder if credentials can
be utilized here.

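The ask-password agent exchange the thread refers to (Clevis answering the request that systemd-cryptsetup publishes while it waits for a passphrase), as an added example that is neither Clevis's nor systemd's code: it parses a constructed ask.* file of the kind systemd-cryptsetup drops in /run/systemd/ask-password/, checks that the request is still live (the asking PID exists and NotAfter has not passed), and sends the "+passphrase" or "-" reply datagram to the asker's AF_UNIX socket. The PID, socket name, disk UUID and message text are made up; the assumed protocol is the one described in systemd's PASSWORD_AGENTS documentation, and the self-test stands in for systemd-cryptsetup with a throwaway socket in a temporary directory.

```python
import configparser
import os
import socket
import tempfile
import time

# Constructed sample of an ask.* file as systemd-cryptsetup writes it under
# /run/systemd/ask-password/. PID, socket name and disk UUID are made up.
SAMPLE_ASK_FILE = """\
[Ask]
PID=4711
Socket=/run/systemd/ask-password/sck.0123abcd
AcceptCached=1
Echo=0
NotAfter=0
Message=Please enter passphrase for disk luks-example (luks-example):
Id=cryptsetup:/dev/disk/by-uuid/00000000-0000-4000-8000-000000000000
"""


def parse_ask_file(text):
    """Parse the [Ask] section. NotAfter is CLOCK_MONOTONIC in microseconds (0 = no expiry)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ask = cp["Ask"]
    return {
        "pid": int(ask["PID"]),
        "socket": ask["Socket"],
        "accept_cached": ask.get("AcceptCached", "0") == "1",
        "echo": ask.get("Echo", "0") == "1",
        "not_after": int(ask.get("NotAfter", "0")),
        "message": ask.get("Message", ""),
        "id": ask.get("Id", ""),
    }


def request_is_live(req, now_us=None):
    """Stale ask files are the usual failure mode: the prompting process may have
    exited, or the NotAfter deadline may have passed. An agent checks both
    before it answers, so that a secret is never sent to a dead request."""
    try:
        os.kill(req["pid"], 0)          # signal 0: existence check only
    except ProcessLookupError:
        return False
    except PermissionError:
        pass                            # process exists, owned by someone else
    if req["not_after"]:
        if now_us is None:
            now_us = time.monotonic_ns() // 1000
        if now_us >= req["not_after"]:
            return False
    return True


def build_reply(password=None):
    """Reply datagram: '+' followed by the passphrase on success, a bare '-' to
    tell the asker the request could not be fulfilled. NUL is the separator
    for multiple answers, so a passphrase may not contain it."""
    if password is None:
        return b"-"
    if "\0" in password:
        raise ValueError("passphrase may not contain NUL")
    return b"+" + password.encode("utf-8")


def send_reply(socket_path, payload):
    """Deliver one datagram to the asker's AF_UNIX/SOCK_DGRAM socket. systemd
    enables SO_PASSCRED on its end and only honours answers from uid 0, so the
    kernel-supplied peer credentials are the authentication, not the payload."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, socket_path)


def answer_request(ask_text, password, now_us=None):
    """One agent step for one ask file. Returns the payload sent, or None when
    the request was stale and nothing was sent."""
    req = parse_ask_file(ask_text)
    if not request_is_live(req, now_us):
        return None
    payload = build_reply(password)
    send_reply(req["socket"], payload)
    return payload


def roundtrip_via_local_socket(password):
    """Self-test: a throwaway receiver socket plays systemd-cryptsetup; returns
    (payload sent, bytes received)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sck.test")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as receiver:
            receiver.bind(path)
            receiver.settimeout(2)
            ask_text = SAMPLE_ASK_FILE.replace("PID=4711", f"PID={os.getpid()}")
            ask_text = ask_text.replace(
                "Socket=/run/systemd/ask-password/sck.0123abcd", f"Socket={path}")
            sent = answer_request(ask_text, password)
            return sent, receiver.recv(4096)


if __name__ == "__main__":
    print(roundtrip_via_local_socket("constructed-passphrase"))
```

The liveness check is the part worth keeping in a real agent: headless mode, as the thread notes, never creates the ask file at all, and a file that still exists may belong to a prompt that has already timed out, in which case the correct behaviour is to remove nothing and send nothing.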