Hello, I have the following config (essentially):
    {
      boot.plymouth.enable = true;
      boot.loader.systemd-boot.enable = true;
      # NixOS option is top-level fileSystems, not boot.fileSystems
      fileSystems."/".device = "/dev/mapper/root";
      boot.initrd.systemd.enable = true;
      boot.initrd.luks.fido2Support = false;
      # LUKS keyslots have been initialised with:
      # systemd-cryptenroll --wipe-slot=fido2 --fido2-device=auto --fido2-with-user-presence=true --fido2-with-user-verification=false --fido2-with-client-pin=true
      boot.initrd.luks.devices.root = {
        device = "/dev/nvme0n1p3";
        crypttabExtraOpts = [ "fido2-device=auto" ];
      };
    }
During stage-1 init, plymouth will prompt for my PIN. Then my YubiKey will blink its LED, so I press its button. Then my rootfs is unlocked and the system boots.
My problem is about usability. There is no prompt on screen to say “press the YubiKey button”. Sometimes I don’t notice the YubiKey blinking. So I wait and nothing happens until I remember to press the button.
There is, however, a journal message which is hidden behind plymouth:

    Dec 14 09:30:20 tethys systemd-cryptsetup[211]: Please confirm presence on security token to unlock.
Does anyone know where I should send my bug report? Is it NixOS, plymouth, systemd, libfido2, something else? The only workaround I can think of is to disable plymouth.
Thanks.
PS
Ideally, I would like to boot with client-pin=true user-presence=false, but apparently this is impossible - libfido2 issue #237.