[BUG] Issue with luks-enable-fido2-unlock: script exits prematurely if FIDO2 token is not present #1038

@Daja177

Description

When running luks-enable-fido2-unlock on a system without an existing FIDO2 token enrolled, the script exits unexpectedly with no error message. This occurs before any FIDO2 enrollment is attempted, due to a non-zero exit code from a pipeline used to parse keyslot information.

Reproduce

  1. Run luks-enable-fido2-unlock as root on a Secureblue system without any FIDO2 token previously enrolled in the LUKS header.
  2. Answer y to the confirmation prompt.
  3. Observe that the script exits immediately with: error: Recipe setup-luks-fido2-unlock failed with exit code 1.
  4. No FIDO2 enrollment occurs and no other output is shown between the prompt and the exit.

Expected

If no FIDO2 token is currently enrolled, the script should proceed to prompt for enrollment, as intended. The absence of a preexisting token should not cause the script to terminate.

Actual

The script fails at this line, which attempts to parse the keyslot number associated with an existing systemd-fido2 token:

KEYSLOT=$(echo "$CRYPT_DISK_INFO" | sed -n '/systemd-fido2$/,/Keyslot:/p' | grep Keyslot|awk '{print $2}')

Because no systemd-fido2 token is present, grep returns a non-zero exit status. Due to set -eou pipefail, this causes the script to terminate immediately, even though this case is expected during first-time setup.

Image

silverblue-main-hardened:latest

Upstream

n/a – The issue is specific to the luks-enable-fido2-unlock script and is not related to the upstream or base image.

Declaration

  • I agree to follow this project's Code of Conduct.
  • I declare that this is not a request for alternate community messaging or social platforms.
  • I declare that I have read the secureblue website and my feature request is in-scope.
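
The failure mode reported above, reproduced on constructed luksDump-style text as an added example (not the project's script or its fix). The sample dumps and the function names parse_strict and parse_tolerant are assumptions; each parser runs in a child bash with errexit and pipefail enabled, so bash must be installed.

```shell
# Constructed samples: one header with a systemd-fido2 token, one without.
DUMP_WITH_TOKEN='Tokens:
  0: systemd-fido2
        fido2-rp:   io.systemd.cryptsetup
        Keyslot:    1
Digests:'

DUMP_NO_TOKEN='Tokens:
Digests:'

# The pipeline quoted in the issue, run under strict mode in a child bash so
# the caller survives. With no token, grep matches nothing and exits 1,
# pipefail makes that the pipeline status, and errexit aborts at the
# assignment before anything is printed.
parse_strict() {
  CRYPT_DISK_INFO="$1" bash -c '
    set -euo pipefail
    KEYSLOT=$(echo "$CRYPT_DISK_INFO" | sed -n "/systemd-fido2\$/,/Keyslot:/p" | grep Keyslot | awk "{print \$2}")
    echo "keyslot=${KEYSLOT}"
  '
}

# One possible tolerant form: awk does the matching itself and exits 0 when
# nothing matches, so an empty KEYSLOT means "no FIDO2 token enrolled yet"
# and the script can continue to enrollment.
parse_tolerant() {
  CRYPT_DISK_INFO="$1" bash -c '
    set -euo pipefail
    KEYSLOT=$(echo "$CRYPT_DISK_INFO" | sed -n "/systemd-fido2\$/,/Keyslot:/p" | awk "/Keyslot/ {print \$2}")
    echo "keyslot=${KEYSLOT}"
  '
}

# Demonstration on the constructed samples.
parse_strict "$DUMP_WITH_TOKEN" || echo "strict: exit $?"
parse_strict "$DUMP_NO_TOKEN" || echo "strict: exit $? with no message before it"
parse_tolerant "$DUMP_NO_TOKEN"
```

The empty result from parse_tolerant still has to be handled by the caller, for example by skipping any step that acts on an existing keyslot.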
