Bug#1110430: systemd-cryptsetup: missing dependencies

David Härdeman david at hardeman.nu
Tue Aug 5 11:32:12 BST 2025


Package: systemd-cryptsetup
Version: 257.7-1
Severity: serious
Justification: potentially renders systemd-cryptenroll unusable

Hello,

depending on how systemd-cryptenroll is used, it will end up dlopen():ing
various libraries, but these libraries are not listed as dependencies of
systemd-cryptenroll. From some quick testing on a qemu VM, these libraries
seem to be necessary (but there might be more depending on the exact
hardware that is detected):

TPM2:
  libtss2-esys.so
  libtss2-sys.so
  libtss2-mu.so
  libtss2-rc.so
  libtss2-tcti-device.so

FIDO2:
  libcbor.so
  libfido2.so

PKCS11:
  libp11-kit.so
  libffi.so

I do not see any dependencies (or suggests, recommends, etc) on these
libraries in systemd-cryptsetup. There are weak indirect dependencies
via libsystemd-shared on some libraries. It suggests:

  libp11-kit0
  libtss2-rc0t64
  libfido2-1

But unless I've overlooked something, that's not sufficient for a
working systemd-cryptenroll installation. Some of this is obscured
by the fact that e.g. fwupd (which I assume is pretty common these
days) pulls in e.g. libtss2-esys, but it's not all the libraries
needed by systemd-cryptenroll.

I assume this is a bug, but I'm not a packaging expert, so please
excuse me if I got something wrong.

Cheers,
David

PS
The description of systemd-cryptsetup should probably be amended to
note that it includes systemd-cryptenroll?
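
A way to check a system for the situation described in the report, as an added example that is not part of the original message: it reads `ldconfig -p` output and lists which library names from the report have no entry in the dynamic linker cache. The function name and the sample listing are constructed for illustration, and matching on the name stem is an assumption that only approximates the exact soname dlopen() would request.

```shell
#!/bin/sh
# Library name stems from the report, tagged with the feature that needs them.
CRYPTENROLL_LIBS='TPM2:libtss2-esys TPM2:libtss2-sys TPM2:libtss2-mu
TPM2:libtss2-rc TPM2:libtss2-tcti-device FIDO2:libcbor FIDO2:libfido2
PKCS11:libp11-kit PKCS11:libffi'

# Hypothetical helper: reads `ldconfig -p` output on stdin and prints one
# "FEATURE stem" line for every library from the report that has no entry
# in the linker cache.
missing_cryptenroll_libs() {
    cache=$(cat)
    for entry in $CRYPTENROLL_LIBS; do
        feature=${entry%%:*}
        stem=${entry#*:}
        # Accept "<stem>.so" or "<stem>.so.<version>" in the first field only,
        # so that libtss2-sys is not satisfied by libtss2-esys.
        if ! printf '%s\n' "$cache" | awk -v s="$stem.so" '
            $1 == s || index($1, s ".") == 1 { found = 1 }
            END { exit found ? 0 : 1 }'; then
            printf '%s %s\n' "$feature" "$stem"
        fi
    done
}

# Constructed sample listing, not taken from a real system.
SAMPLE_CACHE='5 libs found in cache
    libtss2-rc.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libtss2-rc.so.0
    libtss2-esys.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libtss2-esys.so.0
    libp11-kit.so.0 (libc6,x86-64) => /lib/x86_64-linux-gnu/libp11-kit.so.0
    libfido2.so.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libfido2.so.1
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

# On a live system: ldconfig -p | missing_cryptenroll_libs
printf '%s\n' "$SAMPLE_CACHE" | missing_cryptenroll_libs
```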


