logo

Smartcard preboot for Fedora and Debian, at last!

Tutorials
Smartcard preboot for Fedora and Debian, at last!
Publish Date :

Summary

As part of a pre-boot strong authentication project (pre-boot MFA) using YubiKey and LUKS, we identified significant discrepancies between Linux distributions, particularly between Fedora, Debian and Ubuntu, related to dracut-ng's 73pcsc module.

This work led to opening the issue in order to stabilize a uniform, robust and long-term maintainable solution.

This work directly improves the security of the boot chain and will benefit the entire Linux ecosystem. In other words, how to meet security requirements for free and natively on Linux!

Technical context

The initial goal was simple: understand how to unlock a LUKS encrypted volume via a YubiKey (PKCS#11) as soon as the system boots.

We followed cryptsetup's documentation, which works correctly on Fedora. However, when porting to Ubuntu and Debian, we ran into a series of malfunctions. From a technical standpoint, our analysis revealed that:

  • opensc.module files are handled differently depending on the distribution
  • Some OpenSC dependencies are not copied
  • Configuration paths vary from one distribution to another

These discrepancies explain the portability and stability issues between Fedora, Debian and Ubuntu.

When the issue becomes strategic

Ubuntu has officially announced the adoption of dracut:

  • Optional starting with 25.04
  • Default starting with 25.10

The number of affected systems will therefore grow rapidly.
The need for a stable, standardized cross-distribution solution is becoming a strategic issue.

Our contribution

  • Reproduce the Debian/Ubuntu vs Fedora malfunctions
  • Isolate the technical causes
  • Precisely document the cross-distribution discrepancies

We then proposed structural fixes, including:

  • Better detection of p11-kit modules (wildcards)
  • Multi-path handling of OpenSC configurations
  • Reliable, systematic inclusion of OpenSC dependencies
  • Strengthened PC/SC file detection mechanisms

Our approach follows a sustainable, traceable open-source contribution model that benefits the entire cybersecurity community.

A matter of digital sovereignty

The stakes go beyond a simple technical use case: today, we're talking about digital sovereignty.
We offer a solution that significantly increases system security, in a way that is:

  • Native on Linux
  • Compatible with smartcards (beyond just YubiKeys)

We hope for widespread adoption of this approach.

Today vs. tomorrow

Today

  • Paid or proprietary solutions (particularly in the Windows ecosystem)
  • Ad hoc scripts
  • Hard-coded paths
  • Manual library copies
  • Fragile implementations with every update

Tomorrow

  • Open source
  • Standardized
  • Robust
  • Sustainable

What we bring to the table

By fixing the foundations directly in dracut, we bring:

  • A standardized solution
  • An audited, predictable configuration
  • Reproducible deployment

This capability immediately benefits:

  • The hardening of critical configurations
  • Control and inventory of software components
  • Reduced attack surface from boot time

Regulatory compliance

This approach makes it easier to comply with:

  • NIS 2
  • DORA
  • ANSSI – IT hygiene guide
  • Etc.

What's next?

We are currently finalizing several separate PRs to make them easier to review and merge. Once merged, they can be incorporated into upcoming Debian/Ubuntu releases at the pace of dracut adoption.

📌 Public issue and technical discussions:

📌 Full implementation documentation is coming very soon.


I'd like to warmly thank Bastien Roucaries (CNRS researcher) and Matthieu Renard for their valuable contribution and expertise, which made this article possible.

Benjamin Aimard