fix: delay in entering pin or accepting tpm2

brianmcgillion · brianmcgillion · commit e07d7072c1f9 · 2026-02-13T00:18:37.000+04:00
Fixes: SSRCSP-8004

Signed-off-by: Brian McGillion &lt;bmg.avoin@gmail.com&gt;
diff --git a/modules/partitioning/deferred-disk-encryption.nix b/modules/partitioning/deferred-disk-encryption.nix
@@ -570,6 +570,40 @@ let
       systemctl reboot
     '';
   };
+
+  cryptsetupPreCheckScript = pkgs.writeShellApplication {
+    name = "cryptsetup-pre-check";
+    runtimeInputs = [
+      pkgs.cryptsetup
+      pkgs.systemd
+      pkgs.util-linux
+    ];
+    text = ''
+      DEVICE="${lvmPartition}"
+
+      # Wait for device to appear
+      for _ in {1..30}; do
+        if [ -e "$DEVICE" ]; then
+          break
+        fi
+        sleep 1
+      done
+
+      udevadm settle || true
+
+      # Check if the device is LUKS — retry a few times for transient read errors
+      for _ in {1..3}; do
+        if cryptsetup isLuks "$DEVICE"; then
+          mkdir -p /run
+          touch /run/cryptsetup-pre-checked
+          exit 0
+        fi
+        sleep 1
+      done
+
+      # Device is not encrypted; do NOT create marker so cryptsetup is skipped
+    '';
+  };
 in
 {
   _file = ./deferred-disk-encryption.nix;
@@ -616,6 +650,7 @@ in
           pkgs.kmod
           pkgs.pcsclite.lib
           firstBootEncryptScript
+          cryptsetupPreCheckScript
         ];
 
         services = {
@@ -708,6 +743,27 @@ in
             };
           };
 
+          # Lightweight pre-check service that runs before cryptsetup-pre.target.
+          # Creates the /run/cryptsetup-pre-checked marker if the device is LUKS,
+          # allowing systemd-cryptsetup@crypted to start through the normal systemd
+          # path without first-boot-encrypt having to mediate (which causes a TTY
+          # ownership conflict and ~2min input delay).
+          cryptsetup-pre-check = {
+            description = "Check if device is LUKS before cryptsetup";
+            unitConfig.DefaultDependencies = false;
+            before = [
+              "cryptsetup-pre.target"
+              "systemd-cryptsetup@crypted.service"
+            ];
+            wantedBy = [ "cryptsetup-pre.target" ];
+            after = [ "${utils.escapeSystemdPath lvmPartition}.device" ];
+            serviceConfig = {
+              Type = "oneshot";
+              RemainAfterExit = true;
+              ExecStart = getExe cryptsetupPreCheckScript;
+            };
+          };
+
         };
       };
 
