diff options
| author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 21:06:59 +0100 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 21:36:27 +0100 |
| commit | cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch) | |
| tree | 26d259cdb23f9ace361340a87d584ab379259fde /src/cryptenroll/cryptenroll.c | |
| parent | cd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff) | |
| download | systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz | |
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
Diffstat (limited to 'src/cryptenroll/cryptenroll.c')
| -rw-r--r-- | src/cryptenroll/cryptenroll.c | 37 |
1 files changed, 27 insertions, 10 deletions
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index 7d12c427b3..ef6031cb1f 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -36,6 +36,7 @@ static int *arg_wipe_slots = NULL; static size_t arg_n_wipe_slots = 0; static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT; static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */ +static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN; assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX); @@ -88,6 +89,8 @@ static int help(void) { " Specify PKCS#11 security token URI\n" " --fido2-device=PATH\n" " Enroll a FIDO2-HMAC security token\n" + " --fido2-with-client-pin=BOOL\n" + " Whether to require entering a PIN to unlock the volume\n" " --tpm2-device=PATH\n" " Enroll a TPM2 device\n" " --tpm2-pcrs=PCR1,PCR2,PCR3,…\n" @@ -114,18 +117,20 @@ static int parse_argv(int argc, char *argv[]) { ARG_TPM2_DEVICE, ARG_TPM2_PCRS, ARG_WIPE_SLOT, + ARG_FIDO2_WITH_PIN, }; static const struct option options[] = { - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, ARG_VERSION }, - { "password", no_argument, NULL, ARG_PASSWORD }, - { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY }, - { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI }, - { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, - { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, - { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, - { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, ARG_VERSION }, + { "password", no_argument, NULL, ARG_PASSWORD }, + { "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY }, + { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI }, + { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, + { "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN }, + { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, + { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, + { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, {} }; @@ -144,6 +149,18 @@ static int parse_argv(int argc, char *argv[]) { case ARG_VERSION: return version(); + case ARG_FIDO2_WITH_PIN: { + bool lock_with_pin; + + r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin); + if (r < 0) + return r; + + SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin); + + break; + } + case ARG_PASSWORD: if (arg_enroll_type >= 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), @@ -486,7 +503,7 @@ static int run(int argc, char *argv[]) { break; case ENROLL_FIDO2: - slot = enroll_fido2(cd, vk, vks, arg_fido2_device); + slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with); break; case ENROLL_TPM2: |