Receiving "No slots" output from pkcs11-tool at boot time #3117

Closed
sarroutbi opened this issue Apr 16, 2024 · 4 comments

@sarroutbi
Contributor

Problem Description

I am trying to use OpenSC to decrypt an encrypted disk at boot time. To do so, I am using a Yubikey 5 NFC module.
To unlock the device, I am using the following command:

pkcs11-tool --login --test -p 123456
Using slot 0 with a present token (0x0)
...
OK
RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, encoding parameter (Label) not present
OK
...

The command works OK after everything is up and running but, when executing it in the boot process, I am getting the following error:

clevis-luks-askpass[2171]: pkcs11-tool --login --test -p 123456
clevis-luks-askpass[2171]: No slots.

Is there any kernel module or similar that needs to be loaded for OpenSC to work appropriately?

@dengert
Member

dengert commented Apr 16, 2024

Are any files or programs needed to run OpenSC on the encrypted disk?

What OS?

OpenSC uses pcscd, which is started in different ways depending on the OS.

@sarroutbi
Contributor Author

sarroutbi commented Apr 17, 2024

> Are any files or programs needed to run OpenSC on the encrypted disk?

Initially, everything required (clevis scripts) is available.

> What OS?

I am using Fedora 39.

> OpenSC uses pcscd, which is started in different ways depending on the OS.

It was a problem with PolicyKit. I ran "pcscd --disable-polkit" and the device was detected at boot time. For some reason, policies are not working appropriately at boot time ...

@Jakuje
Member

Jakuje commented Apr 17, 2024

The policies for polkit are stored in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy, which is probably not available in the initramfs. Polkit might not be running, or there might be some issues with messaging, as it communicates through dbus if I remember well.

I think at the early boot, skipping the polkit policies is likely a valid solution to simplify the whole process.
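
Added example (not from the thread or the OpenSC project): a static check of an unpacked initramfs tree for the pieces listed in the comment above, namely the policy file, a polkit daemon and a D-Bus daemon. The binary names `pcscd`, `polkitd`, `dbus-daemon` and `dbus-broker` and the function names are assumptions; the check only confirms that files are present, not that the services are running.

```shell
#!/bin/sh
# Added example: audit an unpacked initramfs tree (or "/" on a running system)
# for what pcscd needs when polkit authorization is left enabled.
# Assumption: ROOT is a directory holding the image contents, extracted
# beforehand with the distribution's initramfs tooling.

# Policy path as given in the thread, relative to ROOT.
POLICY_REL="usr/share/polkit-1/actions/org.debian.pcsc-lite.policy"

# has_file ROOT NAME: succeeds if a file or symlink called NAME exists under ROOT.
has_file() {
    [ -n "$(find "$1" \( -type f -o -type l \) -name "$2" 2>/dev/null | head -n 1)" ]
}

# pcscd_polkit_check ROOT
# Prints one "missing: ..." line per absent piece, then a verdict line:
#   verdict=polkit-usable    (returns 0) all pieces are present
#   verdict=polkit-unusable  (returns 1) pcscd present, polkit path incomplete
#   verdict=no-pcscd         (returns 2) pcscd itself is not in the image
pcscd_polkit_check() {
    root=${1:-/}
    missing=""
    if ! has_file "$root" pcscd; then
        echo "missing: pcscd"
        echo "verdict=no-pcscd"
        return 2
    fi
    # Assumed binary names: polkitd, and dbus-daemon or dbus-broker.
    [ -f "${root%/}/$POLICY_REL" ] || missing="$missing policy-file"
    has_file "$root" polkitd || missing="$missing polkitd"
    has_file "$root" dbus-daemon || has_file "$root" dbus-broker \
        || missing="$missing dbus"
    if [ -z "$missing" ]; then
        echo "verdict=polkit-usable"
        return 0
    fi
    for m in $missing; do
        echo "missing: $m"
    done
    echo "verdict=polkit-unusable"
    return 1
}
```

A `polkit-unusable` verdict corresponds to the situation in this thread, where pcscd only saw the token once it was started with `--disable-polkit`.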

@sarroutbi
Contributor Author

Thanks for clarifying, @Jakuje. I agree with disabling the policy for the boot process. I will close the issue now.
