
Include fido2 dracut module in initramfs for disk unlocking (was: rpm-ostree initramfs with arg fails with error) #546

Open
mdavistffhrtporg opened this issue Apr 4, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@mdavistffhrtporg

mdavistffhrtporg commented Apr 4, 2024

Ultimate goal is to be able to unlock LUKS2 volumes encrypted with a FIDO2 key upon boot as an alternative to a password.

Running rpm-ostree initramfs with arg fails with error:

bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

After performing:

1. Add fido2 module to configuration

   $ echo "add_dracutmodules+=\" fido2 \"" | sudo tee /etc/dracut.conf.d/fido2.conf
   add_dracutmodules+=" fido2 "

2. $ sudo systemd-cryptenroll --fido2-device auto /dev/nvme0n1p3

3. Update /etc/crypttab by appending fido2-device=auto

4. Rebuild initramfs by using the following command:

   $ rpm-ostree initramfs --enable --arg=--force-add --arg=fido2-device

error: bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

Expected result is rpm-ostree initramfs with arg will rebuild initramfs and allow for fido2 keys to be used upon booting a disk that is encrypted with LUKS2

OS version:

Fedora Silverblue 39 - fully updated

rpm-ostree status -b

State: idle
BootedDeployment:
● fedora:fedora/39/x86_64/silverblue
                  Version: 39.20240403.0 (2024-04-03T00:41:12Z)
               BaseCommit: 23c1e1e0a565124e5f2fb6dca5189ccc9f717e8b32e9447e12bc63a98997162e
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
          LayeredPackages: fido2-tools langpacks-en pam-u2f pam_yubico pamu2fcfg
                           yubikey-manager
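The crypttab step above ("appending fido2-device=auto") is easy to get wrong by hand: the options field is the fourth column, it may be absent or set to `none`, and appending twice leaves a duplicate option. The following POSIX shell helper is an added example, not code from this issue or from rpm-ostree or dracut; it rewrites one crypttab line idempotently, handling the missing-field and `none` cases, and passes comments through unchanged. The sample crypttab it processes is constructed for the demo.

```shell
#!/bin/sh
# Added example: idempotently add a crypttab option (here fido2-device=auto)
# to a single /etc/crypttab line. Field layout is: name device keyfile options
# where keyfile and options are optional and may be "none" or "-".
crypttab_add_option() {
    line=$1
    opt=$2

    # Blank lines and comments are passed through untouched.
    case "$line" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac

    # Split on whitespace (spaces or tabs) into the four crypttab fields.
    set -- $line
    name=$1
    dev=$2
    key=${3:-none}
    opts=${4:-}

    # Already present: emit the line normalized but otherwise unchanged.
    case ",$opts," in
        *",$opt,"*) printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts"; return 0 ;;
    esac

    # An empty, "none" or "-" options field is replaced rather than appended to.
    case "$opts" in
        ''|none|-) opts=$opt ;;
        *)         opts="$opts,$opt" ;;
    esac
    printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts"
}

# Apply the edit to every line of a crypttab read from stdin.
crypttab_enable_fido2() {
    while IFS= read -r l || [ -n "$l" ]; do
        crypttab_add_option "$l" fido2-device=auto
    done
}

# Demo on a constructed crypttab (UUIDs are placeholders, not from any system).
demo() {
    printf '%s\n' \
        '# /etc/crypttab (constructed sample)' \
        'luks-root UUID=00000000-0000-0000-0000-000000000001 none discard' \
        'luks-home UUID=00000000-0000-0000-0000-000000000002' \
        | crypttab_enable_fido2
}
```

Review the output with `demo` before writing it over the real file (e.g. `crypttab_enable_fido2 < /etc/crypttab > /tmp/crypttab.new`, then diff and install it); the helper never touches the file itself.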
@mdavistffhrtporg mdavistffhrtporg added the bug Something isn't working label Apr 4, 2024
@travier travier added f39 Related to Fedora 39 need-info Further information is requested labels Apr 4, 2024
@travier
Member

travier commented Apr 4, 2024

You will have to look at the logs for more information.

@mdavistffhrtporg
Author

Apr 04 05:16:05 fedora rpm-ostree[5288]: Initiated txn SetInitramfsState for client(id:cli dbus:1.154 unit:vte-spawn-b0a0f3a7-b5cf-49cc-a54e-a738dc8324d4.scope uid:1000): /org/projectatomic/rpmostree1/fedora
Apr 04 05:16:31 fedora rpm-ostree[5779]: dracut: Executing: /usr/bin/dracut --reproducible -v --add ostree --tmpdir=/tmp/dracut -f /tmp/initramfs.img --rebuild usr/lib/modules/6.7.11-200.fc39.x86_64/initramfs.img --no-hostonly --force-add fido2-device --kver 6.7.11-200.fc39.x86_64
Apr 04 05:16:31 fedora rpm-ostree[5288]: Txn SetInitramfsState on /org/projectatomic/rpmostree1/fedora failed: bwrap(rpmostree-dracut-wrapper): Child process killed by signal 1

@travier
Member

travier commented Oct 30, 2024

Is this still an issue in Fedora 41? This should not be needed anymore since https://gitlab.com/fedora/ostree/sig/-/issues/33.

@mdavistffhrtporg
Author

https://gitlab.com/fedora/ostree/sig/-/issues/33 Since that pertains to TPM, it would still be an issue. The problem with TPM is that it is automatic: if someone steals your computer, all they have to do is boot it up and they are in (assuming they have the resources to know your username and password). With a FIDO2 key, there is no way to boot the computer without the FIDO2 key if the computer is stolen.

@travier travier added enhancement New feature or request and removed bug Something isn't working f39 Related to Fedora 39 need-info Further information is requested labels Nov 5, 2024
@travier travier changed the title rpm-ostree initramfs with arg fails with error Include fido2 dracut module in initramfs for disk unlocking (was: rpm-ostree initramfs with arg fails with error) Nov 5, 2024