Package: dracut-core
Version: 106-6
Severity: normal
X-Debbugs-Cc: [email protected]

I believe this is resolved in the unstable release. I'm still filing a bug report so that users of Trixie know that there is a workaround until the fix from unstable is back-ported.

The dracut module pcsc is missing two files that prevent PKCS#11 decryption of LUKS devices during boot. The symptom is that the boot process will stall for 30 seconds, time out, and go to password-based decryption.

I've attached a dracut configuration file that supports LUKS decryption at boot using systemd-boot, dracut, systemd-cryptenroll and a YubiKey using a PKCS#11 (PIV) RSA key and certificate.

Thank you for maintaining dracut!

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.13+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dracut-core depends on:
ii  cpio            2.15+dfsg-2
ii  dracut-install  106-6
ii  e2fsprogs       1.47.2-3+b7
ii  kmod            34.2-2
ii  libc6           2.41-12+deb13u1
ii  udev            257.9-1~deb13u1

Versions of packages dracut-core recommends:
ii  binutils            2.44-3
ii  console-setup       1.242~deb13u1
ii  cryptsetup          2:2.7.5-2
ii  dmsetup             2:1.02.205-2
ii  kpartx              0.11.1-2
pn  lvm2                <none>
pn  mdadm               <none>
ii  systemd             257.9-1~deb13u1
ii  systemd-cryptsetup  257.9-1~deb13u1
ii  systemd-sysv        257.9-1~deb13u1
ii  zstd                1.5.7+dfsg-1

dracut-core suggests no packages.

-- no debconf information

--
JP

###
# /etc/dracut.conf.d/10-qi-pcsc.conf - support for PIV LUKS decryption
#
# @copyright copyright 2026 Quoin Inc.
# @license CC0 1.0 Universal https://creativecommons.org/publicdomain/zero/1.0/
##
hostonly="no"
dracut_rescue_image="yes"

# Force include the systemd-cryptsetup logic and PKCS#11 support
force_add_dracutmodules+=" systemd systemd-cryptsetup crypt pcsc pkcs11 btrfs "

###
# Required library necessary for pkcs#11 pin prompt.
#
# @todo I discovered this only by accident by installing @c
# /usr/bin/opensc-tool into the dracut initrd. This seems to be
# fixed in the unstable release of @c dracut-core.
##
install_items+=" /usr/lib/x86_64-linux-gnu/libeac.so.3 "

###
# Required p11-kit modules.
#
# @todo I discovered this by trial and error. This seems to be fixed
# in the unstable release of @c dracut-core.
##
install_items+=" /usr/share/p11-kit/modules/opensc-pkcs11.module "
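
Added example, not part of the original report or of dracut: a POSIX shell check that reads an initramfs file listing and reports which of the two files named in the configuration above are absent. The function name missing_pkcs11_files and the sample listing are hypothetical, and the listing format (ls -l style lines with the path as a separate field, as printed by lsinitrd) is an assumption.

```shell
#!/bin/sh
# Paths taken from the report's configuration file (amd64 multiarch layout),
# written without the leading slash as they appear inside the image.
REQUIRED_FILES="usr/lib/x86_64-linux-gnu/libeac.so.3
usr/share/p11-kit/modules/opensc-pkcs11.module"

# Constructed sample listing: only the versioned library is present, so the
# libeac.so.3 name and the p11-kit module file are both missing.
SAMPLE_LISTING='-rwxr-xr-x 1 root root 100 Jan  1 00:00 usr/sbin/pcscd
-rw-r--r-- 1 root root 200 Jan  1 00:00 usr/lib/x86_64-linux-gnu/libeac.so.3.0.0'

# missing_pkcs11_files: read a listing on stdin, print each required path
# that is absent, and return 1 if any is absent (0 if all are present).
missing_pkcs11_files() {
    listing=$(cat)
    rc=0
    for f in $REQUIRED_FILES; do
        # Compare whole fields so libeac.so.3.0.0 does not satisfy a check
        # for libeac.so.3; stop at "->" so symlink targets are ignored.
        if ! printf '%s\n' "$listing" | awk -v want="$f" '
            { for (i = 1; i <= NF; i++) {
                  if ($i == "->") break
                  p = $i; sub(/^\.?\//, "", p)
                  if (p == want) found = 1 } }
            END { exit !found }'; then
            printf '/%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# When given an image path, check that image using lsinitrd.
if [ "$#" -ge 1 ]; then
    lsinitrd "$1" | missing_pkcs11_files
fi
```

Run it against a freshly generated image after adding or removing the workaround; an empty result with exit status 0 means both files are in the image.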

