From: Luca Boccassi Date: Mon, 12 Apr 2021 20:06:59 +0000 (+0100) Subject: FIDO2: support pin-less LUKS enroll/unlock X-Git-Tag: v249-rc1~264^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cde2f8605e0c3842f9a87785dd758f955f2d04ba;p=thirdparty%2Fsystemd.git FIDO2: support pin-less LUKS enroll/unlock Closes: https://github.com/systemd/systemd/issues/19246 Some FIDO2 devices allow the user to choose whether to use a PIN or not and will HMAC with a different secret depending on the choice. Some other devices (or some device-specific configuration) can instead make it mandatory. Allow the cryptenroll user to choose whether to use a PIN or not, but fail immediately if it is a hard requirement. Record the choice in the JSON-encoded LUKS header metadata so that the right set of options can be used on unlock. --- diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 9751444e508..e1c5a41aacf 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -125,6 +125,13 @@ /etc/crypttab line. + + BOOL + + When enrolling a FIDO2 security token, controls whether to require the user to + enter a PIN when unlocking the volume. Defaults to yes. + + PATH diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c index 1b3ae8d67ce..213b7795b6d 100644 --- a/src/cryptenroll/cryptenroll-fido2.c +++ b/src/cryptenroll/cryptenroll-fido2.c @@ -11,7 +11,8 @@ int enroll_fido2( struct crypt_device *cd, const void *volume_key, size_t volume_key_size, - const char *device) { + const char *device, + Fido2EnrollFlags lock_with) { _cleanup_(erase_and_freep) void *salt = NULL, *secret = NULL; _cleanup_(erase_and_freep) char *base64_encoded = NULL; @@ -40,6 +41,7 @@ int enroll_fido2( /* user_display_name= */ node, /* user_icon_name= */ NULL, /* askpw_icon_name= */ "drive-harddisk", + lock_with, &cid, &cid_size, &salt, &salt_size, &secret, &secret_size, @@ -75,7 +77,8 @@ int enroll_fido2( JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))), JSON_BUILD_PAIR("fido2-credential", JSON_BUILD_BASE64(cid, cid_size)), JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)), - JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")))); + JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")), + JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN))))); if (r < 0) return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m"); diff --git a/src/cryptenroll/cryptenroll-fido2.h b/src/cryptenroll/cryptenroll-fido2.h index 936792071f3..b82a9ca842c 100644 --- a/src/cryptenroll/cryptenroll-fido2.h +++ b/src/cryptenroll/cryptenroll-fido2.h @@ -4,12 +4,13 @@ #include #include "cryptsetup-util.h" +#include "libfido2-util.h" #include "log.h" #if HAVE_LIBFIDO2 -int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device); +int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with); #else -static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device) { +static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with) { return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "FIDO2 key enrollment not supported."); } diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index 7d12c427b30..ef6031cb1fb 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -36,6 +36,7 @@ static int *arg_wipe_slots = NULL; static size_t arg_n_wipe_slots = 0; static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT; static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */ +static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN; assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX); @@ -88,6 +89,8 @@ static int help(void) { " Specify PKCS#11 security token URI\n" " --fido2-device=PATH\n" " Enroll a FIDO2-HMAC security token\n" + " --fido2-with-client-pin=BOOL\n" + " Whether to require entering a PIN to unlock the volume\n" " --tpm2-device=PATH\n" " Enroll a TPM2 device\n" " --tpm2-pcrs=PCR1,PCR2,PCR3,…\n" @@ -114,18 +117,20 @@ static int parse_argv(int argc, char *argv[]) { ARG_TPM2_DEVICE, ARG_TPM2_PCRS, ARG_WIPE_SLOT, + ARG_FIDO2_WITH_PIN, }; static const struct option options[] = { - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, ARG_VERSION }, - { "password", no_argument, NULL, ARG_PASSWORD }, - { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY }, - { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI }, - { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, - { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, - { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, - { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, ARG_VERSION }, + { "password", no_argument, NULL, ARG_PASSWORD }, + { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY }, + { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI }, + { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, + { "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN }, + { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, + { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, + { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, {} }; @@ -144,6 +149,18 @@ static int parse_argv(int argc, char *argv[]) { case ARG_VERSION: return version(); + case ARG_FIDO2_WITH_PIN: { + bool lock_with_pin; + + r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin); + if (r < 0) + return r; + + SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin); + + break; + } + case ARG_PASSWORD: if (arg_enroll_type >= 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), @@ -486,7 +503,7 @@ static int run(int argc, char *argv[]) { break; case ENROLL_FIDO2: - slot = enroll_fido2(cd, vk, vks, arg_fido2_device); + slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with); break; case ENROLL_TPM2: diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c index 8238e823cdf..339e245575f 100644 --- a/src/cryptsetup/cryptsetup-fido2.c +++ b/src/cryptsetup/cryptsetup-fido2.c @@ -24,6 +24,7 @@ int acquire_fido2_key( size_t key_data_size, usec_t until, bool headless, + Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size) { @@ -73,19 +74,22 @@ int acquire_fido2_key( } for (;;) { - r = fido2_use_hmac_hash( - device, - rp_id ?: "io.systemd.cryptsetup", - salt, salt_size, - cid, cid_size, - pins, - /* up= */ true, - ret_decrypted_key, - ret_decrypted_key_size); - if (!IN_SET(r, - -ENOANO, /* needs pin */ - -ENOLCK)) /* pin incorrect */ - return r; + if (!FLAGS_SET(required, FIDO2ENROLL_PIN) || pins) { + r = fido2_use_hmac_hash( + device, + rp_id ?: "io.systemd.cryptsetup", + salt, salt_size, + cid, cid_size, + pins, + /* up= */ true, + required, + ret_decrypted_key, + ret_decrypted_key_size); + if (!IN_SET(r, + -ENOANO, /* needs pin */ + -ENOLCK)) /* pin incorrect */ + return r; + } pins = strv_free_erase(pins); @@ -107,12 +111,14 @@ int find_fido2_auto_data( size_t *ret_salt_size, void **ret_cid, size_t *ret_cid_size, - int *ret_keyslot) { + int *ret_keyslot, + Fido2EnrollFlags *ret_required) { _cleanup_free_ void *cid = NULL, *salt = NULL; size_t cid_size = 0, salt_size = 0; _cleanup_free_ char *rp = NULL; int r, keyslot = -1; + Fido2EnrollFlags required = FIDO2ENROLL_PIN; /* For backward compatibility, require pin by default */ assert(cd); assert(ret_salt); @@ -120,6 +126,7 @@ int find_fido2_auto_data( assert(ret_cid); assert(ret_cid_size); assert(ret_keyslot); + assert(ret_required); /* Loads FIDO2 metadata from LUKS2 JSON token headers. */ @@ -176,6 +183,17 @@ int find_fido2_auto_data( if (!rp) return log_oom(); } + + w = json_variant_by_key(v, "fido2-clientPin-required"); + if (w) { + /* The "fido2-clientPin-required" field is optional. */ + + if (!json_variant_is_boolean(w)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "FIDO2 token data's 'fido2-clientPin-required' field is not a boolean."); + + SET_FLAG(required, FIDO2ENROLL_PIN, json_variant_boolean(w)); + } } if (!cid) @@ -190,5 +208,6 @@ int find_fido2_auto_data( *ret_salt = TAKE_PTR(salt); *ret_salt_size = salt_size; *ret_keyslot = keyslot; + *ret_required = required; return 0; } diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h index d5c5ce59268..76ec28b3b18 100644 --- a/src/cryptsetup/cryptsetup-fido2.h +++ b/src/cryptsetup/cryptsetup-fido2.h @@ -4,6 +4,7 @@ #include #include "cryptsetup-util.h" +#include "libfido2-util.h" #include "log.h" #include "time-util.h" @@ -23,6 +24,7 @@ int acquire_fido2_key( size_t key_data_size, usec_t until, bool headless, + Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size); @@ -33,7 +35,8 @@ int find_fido2_auto_data( size_t *ret_salt_size, void **ret_cid, size_t *ret_cid_size, - int *ret_keyslot); + int *ret_keyslot, + Fido2EnrollFlags *ret_required); #else @@ -51,6 +54,7 @@ static inline int acquire_fido2_key( size_t key_data_size, usec_t until, bool headless, + Fido2EnrollFlags required, void **ret_decrypted_key, size_t *ret_decrypted_key_size) { @@ -65,7 +69,8 @@ static inline int find_fido2_auto_data( size_t *ret_salt_size, void **ret_cid, size_t *ret_cid_size, - int *ret_keyslot) { + int *ret_keyslot, + Fido2EnrollFlags *ret_required) { return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "FIDO2 token support not available."); diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 7902377a25a..9ab42eacb9f 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -739,6 +739,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( int keyslot = arg_key_slot, r; const char *rp_id; const void *cid; + Fido2EnrollFlags required; assert(cd); assert(name); @@ -759,7 +760,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( &discovered_salt_size, &discovered_cid, &discovered_cid_size, - &keyslot); + &keyslot, + &required); if (IN_SET(r, -ENOTUNIQ, -ENXIO)) return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), @@ -767,6 +769,10 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( if (r < 0) return r; + if (FLAGS_SET(required, FIDO2ENROLL_PIN) && arg_headless) + return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), + "A PIN is required to unlock this volume, but the 'headless' parameter was set."); + rp_id = discovered_rp_id; key_data = discovered_salt; key_data_size = discovered_salt_size; @@ -791,6 +797,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2( key_data, key_data_size, until, arg_headless, + required, &decrypted_key, &decrypted_key_size); if (r >= 0) break; diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c index d5edec1bc45..76775ee6bd8 100644 --- a/src/home/homectl-fido2.c +++ b/src/home/homectl-fido2.c @@ -158,6 +158,7 @@ int identity_add_fido2_parameters( /* user_display_name= */ rn ? json_variant_string(rn) : NULL, /* user_icon_name= */ NULL, /* askpw_icon_name= */ "user-home", + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &cid, &cid_size, &salt, &salt_size, &secret, &secret_size, diff --git a/src/home/homework-fido2.c b/src/home/homework-fido2.c index 87d301c5b43..818f2a5d16c 100644 --- a/src/home/homework-fido2.c +++ b/src/home/homework-fido2.c @@ -29,6 +29,7 @@ int fido2_use_token( salt->credential.id, salt->credential.size, secret->token_pin, h->fido2_user_presence_permitted > 0, + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &hmac, &hmac_size); if (r < 0) diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index 951ed09899c..66a312bfb6a 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -219,6 +219,7 @@ static int fido2_use_hmac_hash_specific_token( size_t cid_size, char **pins, bool up, /* user presence permitted */ + Fido2EnrollFlags required, /* client pin required */ void **ret_hmac, size_t *ret_hmac_size) { @@ -250,6 +251,11 @@ static int fido2_use_hmac_hash_specific_token( if (r < 0) return r; + if (!has_client_pin && FLAGS_SET(required, FIDO2ENROLL_PIN)) + return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON), + "PIN required to unlock, but FIDO2 device %s does not support it.", + path); + a = sym_fido_assert_new(); if (!a) return log_oom(); @@ -303,7 +309,7 @@ static int fido2_use_hmac_hash_specific_token( r = sym_fido_dev_get_assert(d, a, NULL); /* try without pin but with up now */ } - if (r == FIDO_ERR_PIN_REQUIRED) { + if (FLAGS_SET(required, FIDO2ENROLL_PIN)) { char **i; if (!has_client_pin) @@ -367,6 +373,7 @@ int fido2_use_hmac_hash( size_t cid_size, char **pins, bool up, /* user presence permitted */ + Fido2EnrollFlags required, /* client pin required */ void **ret_hmac, size_t *ret_hmac_size) { @@ -379,7 +386,7 @@ int fido2_use_hmac_hash( return log_error_errno(r, "FIDO2 support is not installed."); if (device) - return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size); + return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size); di = sym_fido_dev_info_new(allocated); if (!di) @@ -414,7 +421,7 @@ int fido2_use_hmac_hash( goto finish; } - r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size); + r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size); if (!IN_SET(r, -EBADSLT, /* device doesn't understand our credential hash */ -ENODEV /* device is not a FIDO2 device with HMAC-SECRET */)) @@ -439,6 +446,7 @@ int fido2_generate_hmac_hash( const char *user_display_name, const char *user_icon, const char *askpw_icon_name, + Fido2EnrollFlags lock_with, void **ret_cid, size_t *ret_cid_size, void **ret_salt, size_t *ret_salt_size, void **ret_secret, size_t *ret_secret_size, @@ -503,6 +511,11 @@ int fido2_generate_hmac_hash( if (r < 0) return r; + if (!has_client_pin && FLAGS_SET(lock_with, FIDO2ENROLL_PIN)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Requested to lock with PIN, but FIDO2 device %s does not support it.", + device); + c = sym_fido_cred_new(); if (!c) return log_oom(); @@ -648,7 +661,7 @@ int fido2_generate_hmac_hash( log_info("Generating secret key on FIDO2 security token."); - r = sym_fido_dev_get_assert(d, a, used_pin); + r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL); if (r == FIDO_ERR_UP_REQUIRED) { if (!has_up) @@ -663,7 +676,7 @@ int fido2_generate_hmac_hash( emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "", emoji_enabled() ? " " : ""); - r = sym_fido_dev_get_assert(d, a, used_pin); + r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL); } if (r == FIDO_ERR_ACTION_TIMEOUT) return log_error_errno(SYNTHETIC_ERRNO(ENOSTR), diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h index 3648ea44c71..c22deebfcc0 100644 --- a/src/shared/libfido2-util.h +++ b/src/shared/libfido2-util.h @@ -3,6 +3,12 @@ #include "macro.h" +typedef enum Fido2EnrollFlags { + FIDO2ENROLL_PIN = 1 << 0, + _FIDO2ENROLL_TYPE_MAX, + _FIDO2ENROLL_TYPE_INVALID = -EINVAL, +} Fido2EnrollFlags; + #if HAVE_LIBFIDO2 #include @@ -81,6 +87,7 @@ int fido2_use_hmac_hash( size_t cid_size, char **pins, bool up, /* user presence permitted */ + Fido2EnrollFlags required, void **ret_hmac, size_t *ret_hmac_size); @@ -93,6 +100,7 @@ int fido2_generate_hmac_hash( const char *user_display_name, const char *user_icon, const char *askpw_icon_name, + Fido2EnrollFlags lock_with, void **ret_cid, size_t *ret_cid_size, void **ret_salt, size_t *ret_salt_size, void **ret_secret, size_t *ret_secret_size,