From: Zbigniew Jędrzejewski-Szmek Date: Mon, 9 Dec 2024 15:30:04 +0000 (+0100) Subject: cryptenroll: show which devices support "hmac secret" X-Git-Tag: v257~5^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b2ebd7040d655d2e16c5b2b26533ec330f1b60b;p=thirdparty%2Fsystemd.git cryptenroll: show which devices support "hmac secret" We'd silently skip devices which don't have the feature in the list. This looked wrong esp. if no devices were suitable. Instead, list them and show which ones are usable. $ build/systemd-cryptenroll --fido2-device=list PATH MANUFACTURER PRODUCT HMAC SECRET /dev/hidraw7 Yubico YubiKey OTP+FIDO+CCID ✓ /dev/hidraw10 Yubico Security Key by Yubico ✗ /dev/hidraw5 Yubico Security Key by Yubico ✗ /dev/hidraw9 Yubico Yubikey 4 OTP+U2F+CCID ✗ --- diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index ab7bed40e19..83f8b2d8a18 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -720,8 +720,9 @@ Show a list of candidate block devices this command may operate on. Specifically, - this enumerates block devices currently present that contain a LUKS superblock, and shows their device - node paths along with any of their symlinks. + this enumerates block devices currently present that contain a LUKS superblock, and shows their + device node paths along with any of their symlinks. The devices must implement the + extension to be useable. diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index d19018b331b..ec5235860c2 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -1124,7 +1124,7 @@ int fido2_list_devices(void) { goto finish; } - t = table_new("path", "manufacturer", "product"); + t = table_new("path", "manufacturer", "product", "compatible"); if (!t) { r = log_oom(); goto finish; 
@@ -1143,14 +1143,14 @@ int fido2_list_devices(void) { r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry)); if (r < 0) goto finish; - if (!r) - continue; + bool compatible = r > 0; r = table_add_many( t, TABLE_PATH, sym_fido_dev_info_path(entry), TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry), - TABLE_STRING, sym_fido_dev_info_product_string(entry)); + TABLE_STRING, sym_fido_dev_info_product_string(entry), + TABLE_BOOLEAN_CHECKMARK, compatible); if (r < 0) { table_log_add_error(r); goto finish;
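Review bot: In man/systemd-cryptenroll.xml (hunk at -720,8), the added sentence "The devices must implement the extension to be useable." is appended to the paragraph that describes listing block devices containing a LUKS superblock, but according to the commit message the requirement applies to the FIDO2 tokens shown by --fido2-device=list. As placed, it reads as a requirement on LUKS block devices. Move it to the text that documents the FIDO2 device list, make sure the sentence names the extension (as it reads here it does not), and spell it "usable" as the commit message does.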
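Review bot: In src/shared/libfido2-util.c (hunk at -1124,7, fido2_list_devices()), the new column is created as "compatible" in table_new(), while the sample output in the commit message shows the header HMAC SECRET. Align the two. A header that names the feature is preferable, since a user looking at a ✗ then learns what the token is missing rather than only that it is unsuitable.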
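Review bot: In src/shared/libfido2-util.c (hunk at -1143,14), the "if (r < 0) goto finish;" after check_device_is_fido2_with_hmac_secret() is kept unchanged, so an error while probing a single device still aborts the whole listing, even though the change is meant to show unsuitable devices instead of hiding them. Consider logging the error for that entry and continuing, either skipping the row or adding it with the checkmark column false, so one unreadable token does not suppress the rest of the table. Separately, anything that consumed this list on the assumption that every row is usable now has to look at the new TABLE_BOOLEAN_CHECKMARK column, which deserves a mention in the documentation.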