author: Luca Boccassi <luca.boccassi@microsoft.com> 2021-04-13 13:12:46 +0100
committer: Luca Boccassi <bluca@debian.org> 2021-05-07 21:36:27 +0100
commit: 896cc0da986f85980c4377d3f7073ce1f1cae778 (patch)
tree: e678cb598fddf587c83ec6f4e7d9c02339825c69 /man/systemd-cryptenroll.xml
parent: 06f087192d27d6bbb237f8966c2fa2d6b790f7f2 (diff)
FIDO2: ask and record whether user verification was used to lock the volume
Some tokens support authorization via fingerprint or other biometric ID. Add support for "user verification" to cryptenroll and cryptsetup. Disable by default, as it is still quite uncommon.
Diffstat (limited to 'man/systemd-cryptenroll.xml')
-rw-r--r-- man/systemd-cryptenroll.xml 8
1 files changed, 8 insertions, 0 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 5b1b60db64..c7f4e63f60 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -142,6 +142,14 @@
</varlistentry>
<varlistentry>
+ <term><option>--fido2-with-user-verification=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>When enrolling a FIDO2 security token, controls whether to require user verification
+ when unlocking the volume (the FIDO2 <literal>uv</literal> feature)). Defaults to <literal>no</literal>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>
<listitem><para>Enroll a TPM2 security chip. Expects a device node path referring to the TPM2 chip
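Review bot: The added paragraph for --fido2-with-user-verification= ends its parenthetical with a doubled closing parenthesis, "(the FIDO2 <literal>uv</literal> feature))"; drop the extra ")". The entry also leaves two things unstated that an administrator needs when choosing this setting: that the value is chosen at enrollment and then applies to every later unlock of the volume, which the commit message implies with "record" but the man page text does not say, and what happens when the token being enrolled does not offer user verification at all. A sentence on each would make the default of "no" easier to reason about.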