luksroot: fix issue when yubikey is detached during boot process

Fixes #228141, which describes an issue where detaching Yubikey during the boot process causes cryptsetup to write empty passphrase instead of the challenge-response salt stored on the boot drive.
2025-02-25 13:35:13 +00:00 · 2023-04-25 16:48:54 +03:00 · 2023-04-25 16:48:54 +03:00 · 7d112f7da3
commit 7d112f7da3
parent e924d116ce
1 changed files with 6 additions and 0 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -351,6 +351,12 @@ let

        new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)"

+        if [ -z "$new_response" ]; then
+            echo "Warning: Unable to generate new challenge response, current challenge persists!"
+            umount /crypt-storage
+            return
+        fi
+
        if [ ! -z "$k_user" ]; then
            new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
        else