I present my mitigation for device bricking. This is quite primitive for now, but it allows you to use a fallback LUKS password to get back into the workstation.
The key is to add a fallback for `/lib/cryptsetup/scripts/zk_get_key` to `/lib/cryptsetup/askpass`.
First, create a backup LUKS passphrase:
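```sh
# Future state: correct the pipelining to avoid a file...
#sudo /lib/cryptsetup/scripts/zk_get_key | sudo cryptsetup luksAddKey --key-file=- /dev/mmcblk0p2
# The call to zkunlockifs frequently crashes on my device, for some reason...
# The redirect runs as your own user, so key.bin lands in the current directory with your umask
sudo zkunlockifs /var/lib/zymbit/key.bin.lock > key.bin
# Create a backup key: key.bin authorizes the change, then cryptsetup prompts for the new passphrase
sudo cryptsetup luksAddKey --key-file=key.bin /dev/mmcblk0p2
# key.bin holds the raw LUKS key; remove it as soon as the new keyslot exists
rm key.bin
```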
Then, edit your `/lib/cryptsetup/scripts/zk_get_key` to something like:
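```sh
#!/bin/sh

# Wait up to ~3 seconds for a network interface (eth* or enx*) to appear
num_times=30
while [ ${num_times} -gt 0 ]
do
    ls /sys/class/net/eth* 1>/dev/null 2>&1
    eth=$?
    ls /sys/class/net/enx* 1>/dev/null 2>&1
    enx=$?
    if [ ${eth} -ne 0 ] && [ ${enx} -ne 0 ]
    then
        num_times=$((num_times-1))
        sleep 0.1
    else
        break
    fi
done

# Wait up to ~3 seconds for the Zymbit state directory to appear
num_times=30
while [ ${num_times} -gt 0 ]
do
    if [ -d "/var/lib/zymbit" ]
    then
        break
    else
        num_times=$((num_times-1))
        sleep 0.1
    fi
done

# Load the Zymbit environment settings, if present
if [ -e /var/lib/zymbit/zkenv.conf ]
then
    export $(cat /var/lib/zymbit/zkenv.conf)
fi

# Ask the Zymbit to release the LUKS key; its stdout is the key handed to cryptsetup
/sbin/zkunlockifs /var/lib/zymbit/key.bin.lock
err=$?

# Fallback: if the Zymbit did not release the key, prompt for the backup passphrase
if [ ${err} -ne 0 ]
then
    /lib/cryptsetup/askpass "Zymbit key did not release LUKS key. Enter backup LUKS passphrase:"
fi
```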
Bake:
```sh
sudo update-initramfs -u -k all
```
I have tested this fallback mechanism with Ubuntu 20.04 LTS on an rpi4 4GB. In the event the Zymbit refuses to pop open the boot disk, or you physically pull the Zymbit off of the rpi4, you can enter your fallback LUKS password and get back in.
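
A hardened variant of the fallback step in the key script above, added here as an example and not part of the original post or Zymbit's own code. Because the key script's stdout is what cryptsetup receives as the key, it buffers the `zkunlockifs` output and emits either the device key or the typed passphrase, never a mix of the two if `zkunlockifs` fails after writing part of its output. `UNLOCK_CMD`, `ASKPASS_CMD`, `KEY_TMPDIR` and `emit_luks_key` are hypothetical names, and `/run` being a tmpfs inside the initramfs is an assumption.

```shell
#!/bin/sh
# Added example, not the author's script. UNLOCK_CMD, ASKPASS_CMD and
# KEY_TMPDIR are hypothetical override hooks so the logic can be exercised
# without a Zymbit module; the defaults are the paths used on this page.
UNLOCK_CMD="${UNLOCK_CMD:-/sbin/zkunlockifs}"
ASKPASS_CMD="${ASKPASS_CMD:-/lib/cryptsetup/askpass}"
KEY_TMPDIR="${KEY_TMPDIR:-/run}"   # assumption: tmpfs, so the key never reaches disk

# Print exactly one secret on stdout: the Zymbit-released key if the unlock
# command succeeded and produced output, otherwise the backup passphrase.
emit_luks_key() {
    lock_file="$1"
    (
        # Subshell keeps the umask change local to this call
        umask 077
        tmp="${KEY_TMPDIR}/zk_get_key.$$"

        # Buffer the unlock output instead of streaming it, so bytes written
        # before a crash are discarded rather than prepended to the passphrase.
        if "$UNLOCK_CMD" "$lock_file" > "$tmp" && [ -s "$tmp" ]
        then
            cat "$tmp"
            rc=$?
        else
            "$ASKPASS_CMD" "Zymbit key did not release LUKS key. Enter backup LUKS passphrase:"
            rc=$?
        fi

        # Always remove the buffered key material
        rm -f "$tmp"
        exit "$rc"
    )
}
```

In the key script, a call to `emit_luks_key /var/lib/zymbit/key.bin.lock` would take the place of the final `zkunlockifs` and `askpass` lines.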