cryptenroll: show which devices support "hmac secret"
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 9 Dec 2024 15:30:04 +0000 (16:30 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 10 Dec 2024 09:58:58 +0000 (10:58 +0100)
Previously, devices lacking the feature were silently omitted from the list. This looked wrong, especially when no devices were suitable. Instead, list all of them and show which ones are usable.

$ build/systemd-cryptenroll --fido2-device=list
PATH          MANUFACTURER PRODUCT                HMAC SECRET
/dev/hidraw7  Yubico       YubiKey OTP+FIDO+CCID  ✓
/dev/hidraw10 Yubico       Security Key by Yubico ✗
/dev/hidraw5  Yubico       Security Key by Yubico ✗
/dev/hidraw9  Yubico       Yubikey 4 OTP+U2F+CCID ✗

man/systemd-cryptenroll.xml
src/shared/libfido2-util.c

index ab7bed40e1961664521b577df28ecb48a9736830..83f8b2d8a181600a56af561c950192559abe6a9a 100644 (file)
         <term><option>--list-devices</option></term>
 
         <listitem><para>Show a list of candidate block devices this command may operate on. Specifically,
-        this enumerates block devices currently present that contain a LUKS superblock, and shows their device
-        node paths along with any of their symlinks.</para>
+        this enumerates block devices currently present that contain a LUKS superblock, and shows their
+        device node paths along with any of their symlinks. The devices must implement the
+        <option>hmac-secret</option> extension to be useable.</para>
 
         <xi:include href="version-info.xml" xpointer="v257"/></listitem>
       </varlistentry>
index d19018b331b51379edf3f95a58e47017f9084275..ec5235860c2347e90724d0543b4d9e57d9d23627 100644 (file)
@@ -1124,7 +1124,7 @@ int fido2_list_devices(void) {
                 goto finish;
         }
 
-        t = table_new("path", "manufacturer", "product");
+        t = table_new("path", "manufacturer", "product", "compatible");
         if (!t) {
                 r = log_oom();
                 goto finish;
@@ -1143,14 +1143,14 @@ int fido2_list_devices(void) {
                 r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
                 if (r < 0)
                         goto finish;
-                if (!r)
-                        continue;
+                bool compatible = r > 0;
 
                 r = table_add_many(
                                 t,
                                 TABLE_PATH, sym_fido_dev_info_path(entry),
                                 TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
-                                TABLE_STRING, sym_fido_dev_info_product_string(entry));
+                                TABLE_STRING, sym_fido_dev_info_product_string(entry),
+                                TABLE_BOOLEAN_CHECKMARK, compatible);
                 if (r < 0) {
                         table_log_add_error(r);
                         goto finish;
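Review bot: The new column header added at line 39 is the literal "compatible", while the sample output in the commit message shows the header as HMAC SECRET, and a bare "compatible" does not tell the user what the device is or is not compatible with. Naming the column after the feature keeps the code, the commit message and the man page (which refers to the extension by name) in agreement: `t = table_new("path", "manufacturer", "product", "hmac secret");`. Separately, the untouched check at line 44 still turns any negative return from check_device_is_fido2_with_hmac_secret() into `goto finish`, so a single device that cannot be probed (for instance one whose node the current user cannot open, if that is how the helper reports it) hides every other device, which is the behaviour this commit sets out to avoid; if the helper's error cases permit it, consider logging and listing such a device as not compatible rather than aborting the listing. fido2_list_devices() starts before and ends after this hunk.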