diff options
author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-13 13:12:46 +0100 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 21:36:27 +0100 |
commit | 896cc0da986f85980c4377d3f7073ce1f1cae778 (patch) | |
tree | e678cb598fddf587c83ec6f4e7d9c02339825c69 /src/cryptenroll | |
parent | 06f087192d27d6bbb237f8966c2fa2d6b790f7f2 (diff) | |
download | systemd-896cc0da986f85980c4377d3f7073ce1f1cae778.tar.gz |
FIDO2: ask and record whether user verification was used to lock the volume
Some tokens support authorization via fingerprint or other biometric
ID. Add support for "user verification" to cryptenroll and cryptsetup.
Disable by default, as it is still quite uncommon.
Diffstat (limited to 'src/cryptenroll')
-rw-r--r-- | src/cryptenroll/cryptenroll-fido2.c | 3 | ||||
-rw-r--r-- | src/cryptenroll/cryptenroll.c | 16 |
2 files changed, 18 insertions, 1 deletions
diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c index eab8f220e4..3ba7866738 100644 --- a/src/cryptenroll/cryptenroll-fido2.c +++ b/src/cryptenroll/cryptenroll-fido2.c @@ -79,7 +79,8 @@ int enroll_fido2( JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)), JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")), JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN))), - JSON_BUILD_PAIR("fido2-up-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UP))))); + JSON_BUILD_PAIR("fido2-up-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UP))), + JSON_BUILD_PAIR("fido2-uv-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UV))))); if (r < 0) return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m"); diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index 5eca69f851..559a346804 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -93,6 +93,8 @@ static int help(void) { " Whether to require entering a PIN to unlock the volume\n" " --fido2-with-user-presence=BOOL\n" " Whether to require user presence to unlock the volume\n" + " --fido2-with-user-verification=BOOL\n" + " Whether to require user verification to unlock the volume\n" " --tpm2-device=PATH\n" " Enroll a TPM2 device\n" " --tpm2-pcrs=PCR1,PCR2,PCR3,…\n" @@ -121,6 +123,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_WIPE_SLOT, ARG_FIDO2_WITH_PIN, ARG_FIDO2_WITH_UP, + ARG_FIDO2_WITH_UV, }; static const struct option options[] = { @@ -132,6 +135,7 @@ static int parse_argv(int argc, char *argv[]) { { "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE }, { "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN }, { "fido2-with-user-presence", required_argument, NULL, ARG_FIDO2_WITH_UP }, + { "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV }, { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, @@ -177,6 +181,18 @@ static int parse_argv(int argc, char *argv[]) { break; } + case ARG_FIDO2_WITH_UV: { + bool lock_with_uv; + + r = parse_boolean_argument("--fido2-with-user-verification=", optarg, &lock_with_uv); + if (r < 0) + return r; + + SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_UV, lock_with_uv); + + break; + } + case ARG_PASSWORD: if (arg_enroll_type >= 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), |