end-to-end LUKS2 FIDO2 unlock test in bcvk VM with YubiKey passthrough #20

Description

@foil-copy-overrate

Validates ADR-003 (FIDO2 disk encryption) and ADR-009 (systemd-homed FIDO2) end-to-end in a running VM.

PR #13 merged the systemd-homed LUKS2+FIDO2 code. This issue tracks the first live test.

Test scenario:

  1. Build yubiOS OCI image
  2. Boot with bcvk ephemeral run --yubikey-passthrough
  3. Verify disk unlock prompt appears and resolves on YubiKey tap (FIDO2 hmac-secret)
  4. Verify systemd-homed home creation requires YubiKey touch
  5. Verify ConditionSecurity=measured-os blocks enrollment on non-measured boot

Relates to: issue #9 (YubiKey USB passthrough)
ADR: ADR-003, ADR-009
Branch: feat/luks-fido2-e2e-test
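The scenario above as a post-boot check script, added here as an illustration and not code from the yubiOS project or this branch: it is meant to run inside the VM after step 2 and exercises steps 3 to 5. The root device path /dev/vda3, the user name e2etest and the NEWPASSWORD placeholder are assumptions; the ConditionSecurity string is copied from the issue text as written. The luksDump parsing helpers also run offline against the constructed sample dump embedded in the script, which is how they can be checked without a YubiKey attached.

```bash
#!/usr/bin/env bash
# Added example (not yubiOS project code): checks for steps 3-5 of the test
# scenario, meant to run inside the VM after step 2. The device path, user
# name and NEWPASSWORD value below are assumptions.
set -eu

# systemd-cryptenroll records a FIDO2 enrollment as a LUKS2 token of type
# "systemd-fido2"; the token metadata states whether user presence (the touch)
# is required. The helpers parse `cryptsetup luksDump` text passed in $1, so
# they can also be exercised on a captured dump with no token present.

# Constructed sample of the Tokens section of a luksDump, for offline use.
SAMPLE_DUMP='Tokens:
  0: systemd-fido2
	fido2-credential: 0011223344
	fido2-salt: aabbccdd
	fido2-rp: io.systemd.cryptsetup
	fido2-clientPin-required: false
	fido2-up-required: true
	fido2-uv-required: false
	Keyslot:    1'

# 0 if the dump lists at least one systemd-fido2 token.
luks_has_fido2_token() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]+systemd-fido2[[:space:]]*$'
}

# 0 if a FIDO2 token requires user presence and none is enrolled without it,
# i.e. the unlock cannot resolve without a tap on the key.
luks_fido2_requires_touch() {
    printf '%s\n' "$1" | grep -q 'fido2-up-required:[[:space:]]*true' || return 1
    printf '%s\n' "$1" | grep -q 'fido2-up-required:[[:space:]]*false' && return 1
    return 0
}

# 0 if the crypttab text in $1 hands the unlock to a FIDO2 token.
crypttab_uses_fido2() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:],])fido2-device=[^[:space:],]+'
}

# Live checks for steps 3-5. $1: LUKS2 root device (assumed /dev/vda3).
run_live_checks() {
    local root_dev=${1:-/dev/vda3}
    local dump
    dump=$(cryptsetup luksDump "$root_dev")

    # Step 3: the header carries a systemd-fido2 token that needs user presence,
    # and crypttab actually routes the unlock to it.
    luks_has_fido2_token "$dump"      || { echo "FAIL: no systemd-fido2 token on $root_dev"; return 1; }
    luks_fido2_requires_touch "$dump" || { echo "FAIL: FIDO2 token does not require a touch"; return 1; }
    crypttab_uses_fido2 "$(cat /etc/crypttab)" || { echo "FAIL: crypttab has no fido2-device="; return 1; }
    echo "OK: $root_dev unlocks via FIDO2 hmac-secret with user presence"

    # Step 5: evaluate the gate named in the issue the way systemd itself would.
    # (The condition string is copied from the issue text.)
    if systemd-analyze condition 'ConditionSecurity=measured-os'; then
        echo "OK: measured boot detected, enrollment permitted"
    else
        echo "OK: not a measured boot, enrollment must be blocked"
    fi

    # Step 4: a throwaway homed user bound to the token. homectl blocks on the
    # touch before it can seal the home; NEWPASSWORD supplies the fallback
    # password non-interactively (the value is a placeholder).
    NEWPASSWORD='e2e-placeholder' homectl create e2etest \
        --storage=luks --fido2-device=auto --fido2-with-user-presence=yes
    homectl inspect e2etest
    homectl remove e2etest
}

# Only the live run touches hardware; sourcing the file just defines helpers.
if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-}"
fi
```

Run it as `./check.sh --live /dev/vda3` inside the VM; without `--live` it only defines the helpers, which is what allows the luksDump parsing to be checked against a saved dump on any machine.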

Metadata

Assignees

No one assigned

    Labels

    phase-0 (Required for Phase 0 launch), security (Security hardening and cryptographic changes), testing

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests