<filename>/etc/crypttab</filename> line.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to
+ enter a PIN when unlocking the volume. Defaults to <literal>yes</literal>.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
struct crypt_device *cd,
const void *volume_key,
size_t volume_key_size,
- const char *device) {
+ const char *device,
+ Fido2EnrollFlags lock_with) {
_cleanup_(erase_and_freep) void *salt = NULL, *secret = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
/* user_display_name= */ node,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "drive-harddisk",
+ lock_with,
&cid, &cid_size,
&salt, &salt_size,
&secret, &secret_size,
JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
JSON_BUILD_PAIR("fido2-credential", JSON_BUILD_BASE64(cid, cid_size)),
JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)),
- JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup"))));
+ JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")),
+ JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN)))));
if (r < 0)
return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");
#include <sys/types.h>
#include "cryptsetup-util.h"
+#include "libfido2-util.h"
#include "log.h"
#if HAVE_LIBFIDO2
-int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device);
+int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with);
#else
-static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device) {
+static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 key enrollment not supported.");
}
static size_t arg_n_wipe_slots = 0;
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
+static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN;
assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
" Specify PKCS#11 security token URI\n"
" --fido2-device=PATH\n"
" Enroll a FIDO2-HMAC security token\n"
+ " --fido2-with-client-pin=BOOL\n"
+ " Whether to require entering a PIN to unlock the volume\n"
" --tpm2-device=PATH\n"
" Enroll a TPM2 device\n"
" --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
ARG_TPM2_DEVICE,
ARG_TPM2_PCRS,
ARG_WIPE_SLOT,
+ ARG_FIDO2_WITH_PIN,
};
static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "password", no_argument, NULL, ARG_PASSWORD },
- { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
- { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
- { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
- { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
- { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
- { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "password", no_argument, NULL, ARG_PASSWORD },
+ { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
+ { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
+ { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
+ { "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN },
+ { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
+ { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
+ { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
{}
};
case ARG_VERSION:
return version();
+ case ARG_FIDO2_WITH_PIN: {
+ bool lock_with_pin;
+
+ r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
+ if (r < 0)
+ return r;
+
+ SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
+
+ break;
+ }
+
case ARG_PASSWORD:
if (arg_enroll_type >= 0)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
break;
case ENROLL_FIDO2:
- slot = enroll_fido2(cd, vk, vks, arg_fido2_device);
+ slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
break;
case ENROLL_TPM2:
size_t key_data_size,
usec_t until,
bool headless,
+ Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
}
for (;;) {
- r = fido2_use_hmac_hash(
- device,
- rp_id ?: "io.systemd.cryptsetup",
- salt, salt_size,
- cid, cid_size,
- pins,
- /* up= */ true,
- ret_decrypted_key,
- ret_decrypted_key_size);
- if (!IN_SET(r,
- -ENOANO, /* needs pin */
- -ENOLCK)) /* pin incorrect */
- return r;
+ if (!FLAGS_SET(required, FIDO2ENROLL_PIN) || pins) {
+ r = fido2_use_hmac_hash(
+ device,
+ rp_id ?: "io.systemd.cryptsetup",
+ salt, salt_size,
+ cid, cid_size,
+ pins,
+ /* up= */ true,
+ required,
+ ret_decrypted_key,
+ ret_decrypted_key_size);
+ if (!IN_SET(r,
+ -ENOANO, /* needs pin */
+ -ENOLCK)) /* pin incorrect */
+ return r;
+ }
pins = strv_free_erase(pins);
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
- int *ret_keyslot) {
+ int *ret_keyslot,
+ Fido2EnrollFlags *ret_required) {
_cleanup_free_ void *cid = NULL, *salt = NULL;
size_t cid_size = 0, salt_size = 0;
_cleanup_free_ char *rp = NULL;
int r, keyslot = -1;
+ Fido2EnrollFlags required = FIDO2ENROLL_PIN; /* For backward compatibility, require pin by default */
assert(cd);
assert(ret_salt);
assert(ret_cid);
assert(ret_cid_size);
assert(ret_keyslot);
+ assert(ret_required);
/* Loads FIDO2 metadata from LUKS2 JSON token headers. */
if (!rp)
return log_oom();
}
+
+ w = json_variant_by_key(v, "fido2-clientPin-required");
+ if (w) {
+ /* The "fido2-clientPin-required" field is optional. */
+
+ if (!json_variant_is_boolean(w))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "FIDO2 token data's 'fido2-clientPin-required' field is not a boolean.");
+
+ SET_FLAG(required, FIDO2ENROLL_PIN, json_variant_boolean(w));
+ }
}
if (!cid)
*ret_salt = TAKE_PTR(salt);
*ret_salt_size = salt_size;
*ret_keyslot = keyslot;
+ *ret_required = required;
return 0;
}
#include <sys/types.h>
#include "cryptsetup-util.h"
+#include "libfido2-util.h"
#include "log.h"
#include "time-util.h"
size_t key_data_size,
usec_t until,
bool headless,
+ Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
- int *ret_keyslot);
+ int *ret_keyslot,
+ Fido2EnrollFlags *ret_required);
#else
size_t key_data_size,
usec_t until,
bool headless,
+ Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
- int *ret_keyslot) {
+ int *ret_keyslot,
+ Fido2EnrollFlags *ret_required) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");
int keyslot = arg_key_slot, r;
const char *rp_id;
const void *cid;
+ Fido2EnrollFlags required;
assert(cd);
assert(name);
&discovered_salt_size,
&discovered_cid,
&discovered_cid_size,
- &keyslot);
+ &keyslot,
+ &required);
if (IN_SET(r, -ENOTUNIQ, -ENXIO))
return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
if (r < 0)
return r;
+ if (FLAGS_SET(required, FIDO2ENROLL_PIN) && arg_headless)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
+ "A PIN is required to unlock this volume, but the 'headless' parameter was set.");
+
rp_id = discovered_rp_id;
key_data = discovered_salt;
key_data_size = discovered_salt_size;
key_data, key_data_size,
until,
arg_headless,
+ required,
&decrypted_key, &decrypted_key_size);
if (r >= 0)
break;
/* user_display_name= */ rn ? json_variant_string(rn) : NULL,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "user-home",
+ FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
&cid, &cid_size,
&salt, &salt_size,
&secret, &secret_size,
salt->credential.id, salt->credential.size,
secret->token_pin,
h->fido2_user_presence_permitted > 0,
+ FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
&hmac,
&hmac_size);
if (r < 0)
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
+ Fido2EnrollFlags required, /* client pin required */
void **ret_hmac,
size_t *ret_hmac_size) {
if (r < 0)
return r;
+ if (!has_client_pin && FLAGS_SET(required, FIDO2ENROLL_PIN))
+ return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON),
+ "PIN required to unlock, but FIDO2 device %s does not support it.",
+ path);
+
a = sym_fido_assert_new();
if (!a)
return log_oom();
r = sym_fido_dev_get_assert(d, a, NULL); /* try without pin but with up now */
}
- if (r == FIDO_ERR_PIN_REQUIRED) {
+ if (FLAGS_SET(required, FIDO2ENROLL_PIN)) {
char **i;
if (!has_client_pin)
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
+ Fido2EnrollFlags required, /* client pin required */
void **ret_hmac,
size_t *ret_hmac_size) {
return log_error_errno(r, "FIDO2 support is not installed.");
if (device)
- return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
+ return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
di = sym_fido_dev_info_new(allocated);
if (!di)
goto finish;
}
- r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
+ r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
if (!IN_SET(r,
-EBADSLT, /* device doesn't understand our credential hash */
-ENODEV /* device is not a FIDO2 device with HMAC-SECRET */))
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
+ Fido2EnrollFlags lock_with,
void **ret_cid, size_t *ret_cid_size,
void **ret_salt, size_t *ret_salt_size,
void **ret_secret, size_t *ret_secret_size,
if (r < 0)
return r;
+ if (!has_client_pin && FLAGS_SET(lock_with, FIDO2ENROLL_PIN))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Requested to lock with PIN, but FIDO2 device %s does not support it.",
+ device);
+
c = sym_fido_cred_new();
if (!c)
return log_oom();
log_info("Generating secret key on FIDO2 security token.");
- r = sym_fido_dev_get_assert(d, a, used_pin);
+ r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
if (r == FIDO_ERR_UP_REQUIRED) {
if (!has_up)
emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
emoji_enabled() ? " " : "");
- r = sym_fido_dev_get_assert(d, a, used_pin);
+ r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
}
if (r == FIDO_ERR_ACTION_TIMEOUT)
return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),
#include "macro.h"
+typedef enum Fido2EnrollFlags {
+ FIDO2ENROLL_PIN = 1 << 0,
+ _FIDO2ENROLL_TYPE_MAX,
+ _FIDO2ENROLL_TYPE_INVALID = -EINVAL,
+} Fido2EnrollFlags;
+
#if HAVE_LIBFIDO2
#include <fido.h>
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
+ Fido2EnrollFlags required,
void **ret_hmac,
size_t *ret_hmac_size);
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
+ Fido2EnrollFlags lock_with,
void **ret_cid, size_t *ret_cid_size,
void **ret_salt, size_t *ret_salt_size,
void **ret_secret, size_t *ret_secret_size,