
@anatol anatol released this 14 Jun 17:38

Booster 0.13

Booster 0.13 is a large encrypted-boot usability release. It improves LUKS unlock orchestration, adds native early-boot SSH unlock, expands /etc/crypttab support, and makes Plymouth/FIDO2/TPM2 flows much smoother and more predictable.

Highlights

  • Added Plymouth boot splash support (#314), including direct Plymouth socket IPC (1110e56) and improved prompt cancellation (25788a7).
  • Fixed DRM device initialization with Plymouth 22.x (#377).
  • Added SSH-based remote LUKS unlock for headless or hard-to-reach systems (c38c904, 2b1df4f).
  • Added /etc/crypttab integration for x-initrd.attach entries (53798b1, 2a932e5).
  • Added support for detached LUKS headers from initramfs files, raw block devices, or files on separate devices (17ec118, cfb31e8).
  • Added support for keyfiles stored on separate devices via crypttab (51080e6).
  • Replaced the external fido2-assert path with native FIDO2 support through Booster’s fido2plugin.so (b442c20, daaf02b).
  • Added automatic FIDO2 plugin bundling when fido2-device= is detected in crypttab (f272f9f).
  • Added support for newer systemd-cryptenroll TPM2 tokens, including systemd v252+ persistent SRK/PBKDF2 PIN tokens (35ab72d).
  • Added passphrase caching for multi-device LUKS unlocks, so sibling volumes can unlock from a successful shared passphrase (b00491d).
  • Added configurable token orchestration with token_timeout, pin_delay, and serialize_tokens (3878422, 6749a36).

LUKS, FIDO2, TPM2, and Tokens

  • Hardware-token unlock now coordinates better with keyboard fallback prompts.
  • PIN-based tokens are prompted in deterministic token-ID order (c1922b2, 75a3dff).
  • Non-interactive token attempts are bounded so a stuck token cannot hang boot indefinitely (0939a2a).
  • FIDO2 credential pre-flight avoids asking for a PIN on the wrong security key (ca95177, 21ac46f).
  • Missing FIDO2-token hints are delayed to avoid noisy boot output when another unlock path wins quickly (4a79130).
  • FIDO2 touch timeout no longer consumes a PIN attempt (849f3d0).
  • TPM2 PIN tokens now support three attempts and empty-Enter skip behavior (7b1e654).
  • Token, keyboard, Plymouth, and SSH prompt paths now cancel cleanly when another unlock path succeeds (5dc4f69, 27ab5b1).

Remote Unlock

This release adds native early-boot SSH unlock using Go’s SSH implementation (c38c904). Configure network.ssh_host_key, network.ssh_authorized_keys, and network.ssh_listen in /etc/booster.yaml to allow pubkey-authenticated passphrase submission during initramfs boot.
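A minimal /etc/booster.yaml fragment wiring up the remote-unlock feature described above. This is an added illustration, not configuration taken from the Booster docs: the three ssh_* key names are the ones named in the release notes, while the listen address, the file paths, the nesting under the existing network block and the dhcp key are assumptions to check against the 0.13 manpage.

```yaml
# /etc/booster.yaml (constructed example; verify key placement against the Booster manpage)
network:
  # Assumed existing key: the initramfs needs an address before sshd can listen.
  dhcp: true
  # Keys named in the 0.13 release notes. Nesting under `network` is assumed.
  # Use a port that differs from the booted system's sshd so clients can
  # keep a separate known_hosts entry for the initramfs host key.
  ssh_listen: "0.0.0.0:2222"                         # placeholder address
  ssh_host_key: /etc/booster/ssh_host_ed25519_key    # placeholder path
  ssh_authorized_keys: /etc/booster/authorized_keys  # placeholder path
```

Both files referenced here are copied into the initramfs image, which usually sits unencrypted on the boot partition, so generate a dedicated host key for the initramfs rather than reusing the booted system's sshd key, and keep the authorized_keys list to the keys that genuinely need to submit a passphrase. Because the initramfs presents a different host key than the booted system, pinning it under a distinct port (as above) avoids host-key-changed warnings on the client side.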

Generator and Boot Fixes

  • Added crypttab_path config and --crypttab override (78e7912).
  • Improved handling of unreadable default /etc/crypttab (93df14f, cebca35).
  • Made generated CPIO module ordering deterministic (0dae27b).
  • Sorted booster.alias entries deterministically, fixing #309 (b708efe).
  • Fixed module alias parsing and post-dependency loading (9e6aab6).
  • Fixed LVM symlink race and strip failure handling (e6c8728).
  • Fixed Btrfs device readiness waiting (9bfe45c).
  • Fixed ro/rw kernel command-line handling so the last value wins, fixing #250 (dfc7505).
  • Improved vconsole FONT_MAP and FONT_UNIMAP resolution (6d3a307).
  • Hardened unpacking against path traversal (d04c685).
  • Improved extra_files lookup errors by including the binary name, fixing #328 (74527f3).

Packaging and Docs

  • Added a common kernel-install hook (07f5c5a).
  • Updated Arch packaging for FIDO2/plugin build behavior (c0473ae).
  • Refreshed README and manpage coverage for crypttab, remote unlock, Plymouth, GPT autodiscovery, FIDO2, TPM2, detached headers, and prompt ordering (68c701b, f05a371, eaab8d5).

Fixes

  • Fixed several LUKS prompt, cancellation, and passphrase-cache races (86be496, 20e6699, 145c97c).
  • Fixed TPM policy PCR handling with empty PCR lists (87eef85).
  • Fixed noisy per-keystroke console logging during password entry, closing #360 (d08cbd6).
  • Improved diagnostics when root=/dev/mapper/<name> has no matching LUKS unlock spec (70544fd).
  • Closed leaked device file descriptors in WWID handling (080112b).
  • Added booster.log=null / no-logging support (fd70557).
  • Added binutils to optional dependencies for strip support (b8d9e80).

Thanks

Thanks to everyone who contributed to this release:

  • @pilotstew for the bulk of the encrypted-boot work: crypttab integration, native FIDO2 support, TPM2/FIDO2 token orchestration, SSH remote unlock, Plymouth prompt handling, passphrase caching, and a large amount of test coverage.
  • @basploeger for the Plymouth 22.x DRM initialization fix and WWID file descriptor cleanup.
  • @tmccombs for adding the kernel-install hook.
  • @7Ji for fixing Btrfs device readiness handling.
  • @Indithem for adding no-logging support.
  • @oech3 for improving packaging dependencies around strip.

Full changelog: 0.12...0.13