-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GPG Card error
after booting with full-disk encryption
#283
Comments
Thank you for the report. I do not have a systemd-cryptenroll setup on hand but I did try to reproduce the issue with kwalletmanager, and failed, with the same versions of GPG and kwallet, even right after boot or after a FIDO2 operation. Are you able to reproduce the same issue on another machine? Do you have any special configuration in Can you try adding to
and in
Then after reproducing issue send us the those logs (note that those logs may contain personal information (name stored in the card, key fingerprints, device serial number...), therefore you may want to either inspect and redact them or send it through a private channel. |
Also, which GPG key algorithm are you using? |
Hello.
I haven't tried yet, but I think I will be able to do that later.
Except of
Collected both. Where should I send them to? Also, please provide me with your GPG public key so that I can encrypt the logs before sending.
RSA4096. Thanks. |
FWIW, if I replug the token during boot after unlocking the disk but before KDE and gpg is even started, things work OK. So, the problem should not be with the gpg config. Also, if I unlock the wallet in KDE successfully and then reboot the machine without replugging the token, the token panics with red LED on disk FIDO decryption. |
Thank you
Thank you for reporting this. I opened another issue for this: #286 |
Logs sent. |
I can also confirm the issue on a freshly installed system on a different machine. |
Thank you. Sadly the log from gpg-agent and scdaemon do not contain enough information to pinpoint the source of the error. There appear to be multiple ways to get systemd-cryptenroll to work on Arch Linux, would you be willing to provide a virtual machine image capable of reproducing the bug, or detailed instruction on how to create such an image? |
Not sure I understand what you mean. All I did was:
Could you please elaborate? |
How did you first setup the full disk encryption? From the arch wiki:
Enabling the |
In
In
And my kernel cmdline is:
I have never used |
Thank you. I am able to reproduce the bug now. First thing I noticed is that it only affects RSA keys, curve25519 keys work fine. Looking at the logs from the device I get the following error:
For the fido panic, I get an |
It looks like we have an issue with the volatile little fs filesystem. The filesystem appears full (1 free block) when there is an RSA 4096 key stored in it. But the key itself is only 2.378 KB, while the volatile filesystem is defined to be 8KiB. Is littlefs that inefficient? |
With a larger block size, entire blocks are taken by empty or near-empty directories, which leads to out of space errors even though the filesystem is mostly empty. Partially fix #283
Reducing Littlefs block size will solve the issue. To avoid this issue from also happening when multiple RSA keys are loaded in volatile storage, Nitrokey/opcard-rs#164 will limit their number. |
With a larger block size, entire blocks are taken by empty or near-empty directories, which leads to out of space errors even though the filesystem is mostly empty. Partially fix #283
Environment:
systemd-cryptenroll
Sequence of events:
gpg-agent
doesn't helpscdaemon
doesn't helpgpg --card-status
shows usual information and does not produce any errorpcscd
is not usedThere's no such issue observed with YubiKey 5 NFC.
The text was updated successfully, but these errors were encountered: