FIDO2: support pin-less LUKS enroll/unlock

Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.

diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 9751444e50860353c0307ff612da81f0abff9afb..e1c5a41aacf33b0e7288f67db4226c85c6621ff2 100644 (file)
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -125,6 +125,13 @@
         <filename>/etc/crypttab</filename> line.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term>
+
+        <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to
+        enter a PIN when unlocking the volume. Defaults to <literal>yes</literal>.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
 

diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c
index 1b3ae8d67ce2bcc3cb69ddc38830c76e904d1fbe..213b7795b6d7946354e0631a33c58d0cccc2529a 100644 (file)
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@@ -11,7 +11,8 @@ int enroll_fido2(
                 struct crypt_device *cd,
                 const void *volume_key,
                 size_t volume_key_size,
-                const char *device) {
+                const char *device,
+                Fido2EnrollFlags lock_with) {
 
         _cleanup_(erase_and_freep) void *salt = NULL, *secret = NULL;
         _cleanup_(erase_and_freep) char *base64_encoded = NULL;
@@ -40,6 +41,7 @@ int enroll_fido2(
                         /* user_display_name= */ node,
                         /* user_icon_name= */ NULL,
                         /* askpw_icon_name= */ "drive-harddisk",
+                        lock_with,
                         &cid, &cid_size,
                         &salt, &salt_size,
                         &secret, &secret_size,
@@ -75,7 +77,8 @@ int enroll_fido2(
                                        JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
                                        JSON_BUILD_PAIR("fido2-credential", JSON_BUILD_BASE64(cid, cid_size)),
                                        JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)),
-                                       JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup"))));
+                                       JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")),
+                                       JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN)))));
         if (r < 0)
                 return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");
 

diff --git a/src/cryptenroll/cryptenroll-fido2.h b/src/cryptenroll/cryptenroll-fido2.h
index 936792071f3698f88ccf5f938cb1665d8d01cbf8..b82a9ca842cc8800d1f2273adf2e5c4898e39888 100644 (file)
--- a/src/cryptenroll/cryptenroll-fido2.h
+++ b/src/cryptenroll/cryptenroll-fido2.h
@@ -4,12 +4,13 @@
 #include <sys/types.h>
 
 #include "cryptsetup-util.h"
+#include "libfido2-util.h"
 #include "log.h"
 
 #if HAVE_LIBFIDO2
-int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device);
+int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with);
 #else
-static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device) {
+static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with) {
         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "FIDO2 key enrollment not supported.");
 }

diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 7d12c427b3099f6feaf2e9f2e471b2a7767e627a..ef6031cb1fb18cddefe57d49cafdf117e4afd1c7 100644 (file)
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -36,6 +36,7 @@ static int *arg_wipe_slots = NULL;
 static size_t arg_n_wipe_slots = 0;
 static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
 static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
+static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN;
 
 assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
 
@@ -88,6 +89,8 @@ static int help(void) {
                "                       Specify PKCS#11 security token URI\n"
                "     --fido2-device=PATH\n"
                "                       Enroll a FIDO2-HMAC security token\n"
+               "     --fido2-with-client-pin=BOOL\n"
+               "                       Whether to require entering a PIN to unlock the volume\n"
                "     --tpm2-device=PATH\n"
                "                       Enroll a TPM2 device\n"
                "     --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
@@ -114,18 +117,20 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_TPM2_DEVICE,
                 ARG_TPM2_PCRS,
                 ARG_WIPE_SLOT,
+                ARG_FIDO2_WITH_PIN,
         };
 
         static const struct option options[] = {
-                { "help",             no_argument,       NULL, 'h'                  },
-                { "version",          no_argument,       NULL, ARG_VERSION          },
-                { "password",         no_argument,       NULL, ARG_PASSWORD         },
-                { "recovery-key",     no_argument,       NULL, ARG_RECOVERY_KEY     },
-                { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
-                { "fido2-device",     required_argument, NULL, ARG_FIDO2_DEVICE     },
-                { "tpm2-device",      required_argument, NULL, ARG_TPM2_DEVICE      },
-                { "tpm2-pcrs",        required_argument, NULL, ARG_TPM2_PCRS        },
-                { "wipe-slot",        required_argument, NULL, ARG_WIPE_SLOT        },
+                { "help",                         no_argument,       NULL, 'h'                  },
+                { "version",                      no_argument,       NULL, ARG_VERSION          },
+                { "password",                     no_argument,       NULL, ARG_PASSWORD         },
+                { "recovery-key",                 no_argument,       NULL, ARG_RECOVERY_KEY     },
+                { "pkcs11-token-uri",             required_argument, NULL, ARG_PKCS11_TOKEN_URI },
+                { "fido2-device",                 required_argument, NULL, ARG_FIDO2_DEVICE     },
+                { "fido2-with-client-pin",        required_argument, NULL, ARG_FIDO2_WITH_PIN   },
+                { "tpm2-device",                  required_argument, NULL, ARG_TPM2_DEVICE      },
+                { "tpm2-pcrs",                    required_argument, NULL, ARG_TPM2_PCRS        },
+                { "wipe-slot",                    required_argument, NULL, ARG_WIPE_SLOT        },
                 {}
         };
 
@@ -144,6 +149,18 @@ static int parse_argv(int argc, char *argv[]) {
                 case ARG_VERSION:
                         return version();
 
+                case ARG_FIDO2_WITH_PIN: {
+                        bool lock_with_pin;
+
+                        r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
+                        if (r < 0)
+                                return r;
+
+                        SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
+
+                        break;
+                }
+
                 case ARG_PASSWORD:
                         if (arg_enroll_type >= 0)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@@ -486,7 +503,7 @@ static int run(int argc, char *argv[]) {
                 break;
 
         case ENROLL_FIDO2:
-                slot = enroll_fido2(cd, vk, vks, arg_fido2_device);
+                slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
                 break;
 
         case ENROLL_TPM2:

diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
index 8238e823cdf3e2d8de7cd86ef57a748b33c97469..339e245575f892fb798158a32bca030ed85bd2d8 100644 (file)
--- a/src/cryptsetup/cryptsetup-fido2.c
+++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -24,6 +24,7 @@ int acquire_fido2_key(
                 size_t key_data_size,
                 usec_t until,
                 bool headless,
+                Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size) {
 
@@ -73,19 +74,22 @@ int acquire_fido2_key(
         }
 
         for (;;) {
-                r = fido2_use_hmac_hash(
-                                device,
-                                rp_id ?: "io.systemd.cryptsetup",
-                                salt, salt_size,
-                                cid, cid_size,
-                                pins,
-                                /* up= */ true,
-                                ret_decrypted_key,
-                                ret_decrypted_key_size);
-                if (!IN_SET(r,
-                            -ENOANO,   /* needs pin */
-                            -ENOLCK))  /* pin incorrect */
-                        return r;
+                if (!FLAGS_SET(required, FIDO2ENROLL_PIN) || pins) {
+                        r = fido2_use_hmac_hash(
+                                        device,
+                                        rp_id ?: "io.systemd.cryptsetup",
+                                        salt, salt_size,
+                                        cid, cid_size,
+                                        pins,
+                                        /* up= */ true,
+                                        required,
+                                        ret_decrypted_key,
+                                        ret_decrypted_key_size);
+                        if (!IN_SET(r,
+                                    -ENOANO,   /* needs pin */
+                                    -ENOLCK))  /* pin incorrect */
+                                return r;
+                }
 
                 pins = strv_free_erase(pins);
 
@@ -107,12 +111,14 @@ int find_fido2_auto_data(
                 size_t *ret_salt_size,
                 void **ret_cid,
                 size_t *ret_cid_size,
-                int *ret_keyslot) {
+                int *ret_keyslot,
+                Fido2EnrollFlags *ret_required) {
 
         _cleanup_free_ void *cid = NULL, *salt = NULL;
         size_t cid_size = 0, salt_size = 0;
         _cleanup_free_ char *rp = NULL;
         int r, keyslot = -1;
+        Fido2EnrollFlags required = FIDO2ENROLL_PIN; /* For backward compatibility, require pin by default */
 
         assert(cd);
         assert(ret_salt);
@@ -120,6 +126,7 @@ int find_fido2_auto_data(
         assert(ret_cid);
         assert(ret_cid_size);
         assert(ret_keyslot);
+        assert(ret_required);
 
         /* Loads FIDO2 metadata from LUKS2 JSON token headers. */
 
@@ -176,6 +183,17 @@ int find_fido2_auto_data(
                         if (!rp)
                                 return log_oom();
                 }
+
+                w = json_variant_by_key(v, "fido2-clientPin-required");
+                if (w) {
+                        /* The "fido2-clientPin-required" field is optional. */
+
+                        if (!json_variant_is_boolean(w))
+                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                                       "FIDO2 token data's 'fido2-clientPin-required' field is not a boolean.");
+
+                        SET_FLAG(required, FIDO2ENROLL_PIN, json_variant_boolean(w));
+                }
         }
 
         if (!cid)
@@ -190,5 +208,6 @@ int find_fido2_auto_data(
         *ret_salt = TAKE_PTR(salt);
         *ret_salt_size = salt_size;
         *ret_keyslot = keyslot;
+        *ret_required = required;
         return 0;
 }

diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h
index d5c5ce59268bdf02db7d58f35f473cd7d81680f6..76ec28b3b185acd8a8b5ef1e05f3ba78a0bbf2eb 100644 (file)
--- a/src/cryptsetup/cryptsetup-fido2.h
+++ b/src/cryptsetup/cryptsetup-fido2.h
@@ -4,6 +4,7 @@
 #include <sys/types.h>
 
 #include "cryptsetup-util.h"
+#include "libfido2-util.h"
 #include "log.h"
 #include "time-util.h"
 
@@ -23,6 +24,7 @@ int acquire_fido2_key(
                 size_t key_data_size,
                 usec_t until,
                 bool headless,
+                Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size);
 
@@ -33,7 +35,8 @@ int find_fido2_auto_data(
                 size_t *ret_salt_size,
                 void **ret_cid,
                 size_t *ret_cid_size,
-                int *ret_keyslot);
+                int *ret_keyslot,
+                Fido2EnrollFlags *ret_required);
 
 #else
 
@@ -51,6 +54,7 @@ static inline int acquire_fido2_key(
                 size_t key_data_size,
                 usec_t until,
                 bool headless,
+                Fido2EnrollFlags required,
                 void **ret_decrypted_key,
                 size_t *ret_decrypted_key_size) {
 
@@ -65,7 +69,8 @@ static inline int find_fido2_auto_data(
                 size_t *ret_salt_size,
                 void **ret_cid,
                 size_t *ret_cid_size,
-                int *ret_keyslot) {
+                int *ret_keyslot,
+                Fido2EnrollFlags *ret_required) {
 
         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "FIDO2 token support not available.");

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 7902377a25abce6dd5b007332c80a2897cc1269d..9ab42eacb9f59dc9fd58fbca38d95b377935f952 100644 (file)
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -739,6 +739,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
         int keyslot = arg_key_slot, r;
         const char *rp_id;
         const void *cid;
+        Fido2EnrollFlags required;
 
         assert(cd);
         assert(name);
@@ -759,7 +760,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                 &discovered_salt_size,
                                 &discovered_cid,
                                 &discovered_cid_size,
-                                &keyslot);
+                                &keyslot,
+                                &required);
 
                 if (IN_SET(r, -ENOTUNIQ, -ENXIO))
                         return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
@@ -767,6 +769,10 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                 if (r < 0)
                         return r;
 
+                if (FLAGS_SET(required, FIDO2ENROLL_PIN) && arg_headless)
+                        return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
+                                               "A PIN is required to unlock this volume, but the 'headless' parameter was set.");
+
                 rp_id = discovered_rp_id;
                 key_data = discovered_salt;
                 key_data_size = discovered_salt_size;
@@ -791,6 +797,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                 key_data, key_data_size,
                                 until,
                                 arg_headless,
+                                required,
                                 &decrypted_key, &decrypted_key_size);
                 if (r >= 0)
                         break;

diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c
index d5edec1bc4536744961fec4cf06c5df6ef292077..76775ee6bd826b968bd5627fb266e06c7a1ed584 100644 (file)
--- a/src/home/homectl-fido2.c
+++ b/src/home/homectl-fido2.c
@@ -158,6 +158,7 @@ int identity_add_fido2_parameters(
                         /* user_display_name= */ rn ? json_variant_string(rn) : NULL,
                         /* user_icon_name= */ NULL,
                         /* askpw_icon_name= */ "user-home",
+                        FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
                         &cid, &cid_size,
                         &salt, &salt_size,
                         &secret, &secret_size,

diff --git a/src/home/homework-fido2.c b/src/home/homework-fido2.c
index 87d301c5b43d58f710aea3a4e4f328b15a3c6683..818f2a5d16cab9462e11124f246f98ac7015ec59 100644 (file)
--- a/src/home/homework-fido2.c
+++ b/src/home/homework-fido2.c
@@ -29,6 +29,7 @@ int fido2_use_token(
                         salt->credential.id, salt->credential.size,
                         secret->token_pin,
                         h->fido2_user_presence_permitted > 0,
+                        FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
                         &hmac,
                         &hmac_size);
         if (r < 0)

diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index 951ed09899c5dce36e0b68fc18dd7daa52724469..66a312bfb6a8ee7c9d8d4444f46756777dabd08b 100644 (file)
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -219,6 +219,7 @@ static int fido2_use_hmac_hash_specific_token(
                 size_t cid_size,
                 char **pins,
                 bool up, /* user presence permitted */
+                Fido2EnrollFlags required, /* client pin required */
                 void **ret_hmac,
                 size_t *ret_hmac_size) {
 
@@ -250,6 +251,11 @@ static int fido2_use_hmac_hash_specific_token(
         if (r < 0)
                 return r;
 
+        if (!has_client_pin && FLAGS_SET(required, FIDO2ENROLL_PIN))
+                return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON),
+                                       "PIN required to unlock, but FIDO2 device %s does not support it.",
+                                       path);
+
         a = sym_fido_assert_new();
         if (!a)
                 return log_oom();
@@ -303,7 +309,7 @@ static int fido2_use_hmac_hash_specific_token(
 
                 r = sym_fido_dev_get_assert(d, a, NULL); /* try without pin but with up now */
         }
-        if (r == FIDO_ERR_PIN_REQUIRED) {
+        if (FLAGS_SET(required, FIDO2ENROLL_PIN)) {
                 char **i;
 
                 if (!has_client_pin)
@@ -367,6 +373,7 @@ int fido2_use_hmac_hash(
                 size_t cid_size,
                 char **pins,
                 bool up, /* user presence permitted */
+                Fido2EnrollFlags required, /* client pin required */
                 void **ret_hmac,
                 size_t *ret_hmac_size) {
 
@@ -379,7 +386,7 @@ int fido2_use_hmac_hash(
                 return log_error_errno(r, "FIDO2 support is not installed.");
 
         if (device)
-                return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
+                return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
 
         di = sym_fido_dev_info_new(allocated);
         if (!di)
@@ -414,7 +421,7 @@ int fido2_use_hmac_hash(
                         goto finish;
                 }
 
-                r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
+                r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
                 if (!IN_SET(r,
                             -EBADSLT, /* device doesn't understand our credential hash */
                             -ENODEV   /* device is not a FIDO2 device with HMAC-SECRET */))
@@ -439,6 +446,7 @@ int fido2_generate_hmac_hash(
                 const char *user_display_name,
                 const char *user_icon,
                 const char *askpw_icon_name,
+                Fido2EnrollFlags lock_with,
                 void **ret_cid, size_t *ret_cid_size,
                 void **ret_salt, size_t *ret_salt_size,
                 void **ret_secret, size_t *ret_secret_size,
@@ -503,6 +511,11 @@ int fido2_generate_hmac_hash(
         if (r < 0)
                 return r;
 
+        if (!has_client_pin && FLAGS_SET(lock_with, FIDO2ENROLL_PIN))
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Requested to lock with PIN, but FIDO2 device %s does not support it.",
+                                       device);
+
         c = sym_fido_cred_new();
         if (!c)
                 return log_oom();
@@ -648,7 +661,7 @@ int fido2_generate_hmac_hash(
 
         log_info("Generating secret key on FIDO2 security token.");
 
-        r = sym_fido_dev_get_assert(d, a, used_pin);
+        r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
         if (r == FIDO_ERR_UP_REQUIRED) {
 
                 if (!has_up)
@@ -663,7 +676,7 @@ int fido2_generate_hmac_hash(
                            emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
                            emoji_enabled() ? " " : "");
 
-                r = sym_fido_dev_get_assert(d, a, used_pin);
+                r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
         }
         if (r == FIDO_ERR_ACTION_TIMEOUT)
                 return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),

diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
index 3648ea44c71e2df4c66e7433e7042185dee49ab3..c22deebfcc03ca14887d3db34909ed95920fa2a5 100644 (file)
--- a/src/shared/libfido2-util.h
+++ b/src/shared/libfido2-util.h
@@ -3,6 +3,12 @@
 
 #include "macro.h"
 
+typedef enum Fido2EnrollFlags {
+        FIDO2ENROLL_PIN           = 1 << 0,
+        _FIDO2ENROLL_TYPE_MAX,
+        _FIDO2ENROLL_TYPE_INVALID = -EINVAL,
+} Fido2EnrollFlags;
+
 #if HAVE_LIBFIDO2
 #include <fido.h>
 
@@ -81,6 +87,7 @@ int fido2_use_hmac_hash(
                 size_t cid_size,
                 char **pins,
                 bool up, /* user presence permitted */
+                Fido2EnrollFlags required,
                 void **ret_hmac,
                 size_t *ret_hmac_size);
 
@@ -93,6 +100,7 @@ int fido2_generate_hmac_hash(
                 const char *user_display_name,
                 const char *user_icon,
                 const char *askpw_icon_name,
+                Fido2EnrollFlags lock_with,
                 void **ret_cid, size_t *ret_cid_size,
                 void **ret_salt, size_t *ret_salt_size,
                 void **ret_secret, size_t *ret_secret_size,