From 7d112f7da3312cb07116b5f9bac647f0f943a596 Mon Sep 17 00:00:00 2001
From: Erno Hopearuoho
Date: Tue, 25 Apr 2023 16:48:54 +0300
Subject: [PATCH] luksroot: fix issue when yubikey is detached during boot process

Fixes #228141, which describes an issue where detaching Yubikey during the boot process causes cryptsetup to write empty passphrase instead of the challenge-response salt stored on the boot drive.

---
 nixos/modules/system/boot/luksroot.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index dc3fe163116e..06c329e006b8 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -351,6 +351,12 @@ let
 new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)"
+ if [ -z "$new_response" ]; then
+ echo "Warning: Unable to generate new challenge response, current challenge persists!"
+ umount /crypt-storage
+ return
+ fi
+
 if [ ! -z "$k_user" ]; then
 new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
 else