Zkunlockifs on Debian 12 cannot detect zymkey

ZYMKEY4
1

Hello.
I’ve recently LUKS-encrypted one of Pi 4B with Debian 12 using Zymkey.
Earlier this year there were troubles booting Debian 12 due to change of GPIO numbering. So I have /var/lib/zymbit/zkenv.conf with “ZK_GPIO_WAKE_PIN=516” in it.
My Pi boots OK, zkifc.service does not report any issue.
However when I run zkunlockifc it fails with “ERROR: no zymkeys installed.”
I run zkunlockifc with strace and it tries to open /sys/class/gpio/gpio4 even with /var/lib/zymbit/zkenv.conf configured.

Is it a known issue that will be fixed soon? Is there any workaround?

# dpkg -l | grep zk
ii  libzk                                1.1-22                                  arm64        Zymkey Base Communications Library
ii  zkapputilslib                        1.1-25                                  arm64        Zymkey User API
ii  zkbootrtc                            1.1-15                                  arm64        Zymkey RTC retrieval standalone app
ii  zkifc                                1.2-36                                  arm64        Zymkey Interface Connector
ii  zkpkcs11                             1.0-3                                   arm64        Zymkey PKCS11 Library
ii  zksaapps                             1.0-16                                  arm64        Stand alone zymkey apps

# cat /var/lib/zymbit/zkenv.conf
ZK_GPIO_WAKE_PIN=516

# systemctl status zkifc
● zkifc.service - Zymkey Interface Connector
     Loaded: loaded (/etc/systemd/system/zkifc.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-06-09 12:33:04 CDT; 11min ago
    Process: 5808 ExecStartPre=/bin/bash -c mkdir -p /run/zkstatus && chown -R zymbit.zymbit /run/zkstatus (code=exited, status=0/SUCCESS)
    Process: 5812 ExecStartPre=/bin/sleep 0.5 (code=exited, status=0/SUCCESS)
   Main PID: 5813 (zkifc)
      Tasks: 3 (limit: 3907)
        CPU: 1.453s
     CGroup: /system.slice/zkifc.service
             └─5813 /usr/bin/zkifc -s /var/lib/zymbit/

Jun 09 12:33:03 nagios-disp1 systemd[1]: Starting zkifc.service - Zymkey Interface Connector...
Jun 09 12:33:03 nagios-disp1 bash[5808]: chown: warning: '.' should be ':': ‘zymbit.zymbit’
Jun 09 12:33:04 nagios-disp1 systemd[1]: Started zkifc.service - Zymkey Interface Connector.

# ll /proc/`pidof zkifc`/fd
...
/sys/devices/platform/soc/fe200000.gpio/gpiochip0/gpio/gpio516/value
...

# lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
mmcblk0      179:0    0 29.5G  0 disk  
├─mmcblk0p1  179:1    0  512M  0 part  /boot/firmware
└─mmcblk0p2  179:2    0   29G  0 part  
  └─cryptrfs 254:0    0   29G  0 crypt /

# uname -a
Linux nagios-disp1 6.6.31+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux

# cat /etc/debian_version 
12.5

# zkunlockifs /var/lib/zymbit/key.bin.lock > /tmp/key.bin
ERROR: no zymkeys installed.

# strace zkunlockifs /var/lib/zymbit/key.bin.lock
...
openat(AT_FDCWD, "/dev/i2c-1", O_RDWR|O_EXCL) = 6
close(6)                                = 0
faccessat(AT_FDCWD, "/sys/class/gpio/gpio4", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/class/gpio/export", O_WRONLY) = 6
write(6, "4\n\0", 3)                    = -1 EINVAL (Invalid argument)
close(6)                                = 0
...
faccessat(AT_FDCWD, "/sys/class/gpio/gpio4", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/class/gpio/export", O_WRONLY) = 6
write(6, "4\n\0", 3)                    = -1 EINVAL (Invalid argument)
close(6)                                = 0
write(2, "ERROR: no zymkeys installed.\n", 29ERROR: no zymkeys installed.
) = 29
...
2

I’d like to better understand what you’re trying to accomplish with zkunlockifs as this is really meant to be a static app for the boot process and not really an end-user tool. You will likely have better luck, depending on what you’re trying to do, with the python/C/C++ APIs for end-user access to both lock() and unlock().

That being said, if you really want to use the zkunlockifs binary, make sure that you export your pin number first. It will default to GPIO4 but that’s not what you want.

# export ZK_GPIO_WAKE_PIN=516
# zkunlockifs /var/lib/zymbit/key.bin.lock > /tmp/key.bin

Should work for you.

Best Regards,
dg

3

Thank you, that helped.

I’m trying to add a backup passphrase to the LUKS encrypted root FS.

4

Just be aware that the zkunlockifs and zklockifs are not intended as end-user programs and are therefore undocumented and their behavior may change without notice. These are used only by other Zymbit processes so their availability is not guaranteed.

Best Regards,
dg