FIDO2: support pin-less LUKS enroll/unlock

Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.

3 files changed, 35 insertions, 14 deletions

diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c
index 1b3ae8d67c..213b7795b6 100644
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@@ -11,7 +11,8 @@ int enroll_fido2(
                 struct crypt_device *cd,
                 const void *volume_key,
                 size_t volume_key_size,
-                const char *device) {
+                const char *device,
+                Fido2EnrollFlags lock_with) {
 
         _cleanup_(erase_and_freep) void *salt = NULL, *secret = NULL;
         _cleanup_(erase_and_freep) char *base64_encoded = NULL;
@@ -40,6 +41,7 @@ int enroll_fido2(
                         /* user_display_name= */ node,
                         /* user_icon_name= */ NULL,
                         /* askpw_icon_name= */ "drive-harddisk",
+                        lock_with,
                         &cid, &cid_size,
                         &salt, &salt_size,
                         &secret, &secret_size,
@@ -75,7 +77,8 @@ int enroll_fido2(
                                        JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
                                        JSON_BUILD_PAIR("fido2-credential", JSON_BUILD_BASE64(cid, cid_size)),
                                        JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)),
-                                       JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup"))));
+                                       JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")),
+                                       JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN)))));
         if (r < 0)
                 return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");
 
diff --git a/src/cryptenroll/cryptenroll-fido2.h b/src/cryptenroll/cryptenroll-fido2.h
index 936792071f..b82a9ca842 100644
--- a/src/cryptenroll/cryptenroll-fido2.h
+++ b/src/cryptenroll/cryptenroll-fido2.h
@@ -4,12 +4,13 @@
 #include <sys/types.h>
 
 #include "cryptsetup-util.h"
+#include "libfido2-util.h"
 #include "log.h"
 
 #if HAVE_LIBFIDO2
-int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device);
+int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with);
 #else
-static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device) {
+static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with) {
         return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                "FIDO2 key enrollment not supported.");
 }
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 7d12c427b3..ef6031cb1f 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -36,6 +36,7 @@ static int *arg_wipe_slots = NULL;
 static size_t arg_n_wipe_slots = 0;
 static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
 static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
+static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN;
 
 assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
 
@@ -88,6 +89,8 @@ static int help(void) {
                "                       Specify PKCS#11 security token URI\n"
                "     --fido2-device=PATH\n"
                "                       Enroll a FIDO2-HMAC security token\n"
+               "     --fido2-with-client-pin=BOOL\n"
+               "                       Whether to require entering a PIN to unlock the volume\n"
                "     --tpm2-device=PATH\n"
                "                       Enroll a TPM2 device\n"
                "     --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
@@ -114,18 +117,20 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_TPM2_DEVICE,
                 ARG_TPM2_PCRS,
                 ARG_WIPE_SLOT,
+                ARG_FIDO2_WITH_PIN,
         };
 
         static const struct option options[] = {
-                { "help",             no_argument,       NULL, 'h'                  },
-                { "version",          no_argument,       NULL, ARG_VERSION          },
-                { "password",         no_argument,       NULL, ARG_PASSWORD         },
-                { "recovery-key",     no_argument,       NULL, ARG_RECOVERY_KEY     },
-                { "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
-                { "fido2-device",     required_argument, NULL, ARG_FIDO2_DEVICE     },
-                { "tpm2-device",      required_argument, NULL, ARG_TPM2_DEVICE      },
-                { "tpm2-pcrs",        required_argument, NULL, ARG_TPM2_PCRS        },
-                { "wipe-slot",        required_argument, NULL, ARG_WIPE_SLOT        },
+                { "help",                         no_argument,       NULL, 'h'                  },
+                { "version",                      no_argument,       NULL, ARG_VERSION          },
+                { "password",                     no_argument,       NULL, ARG_PASSWORD         },
+                { "recovery-key",                 no_argument,       NULL, ARG_RECOVERY_KEY     },
+                { "pkcs11-token-uri",             required_argument, NULL, ARG_PKCS11_TOKEN_URI },
+                { "fido2-device",                 required_argument, NULL, ARG_FIDO2_DEVICE     },
+                { "fido2-with-client-pin",        required_argument, NULL, ARG_FIDO2_WITH_PIN   },
+                { "tpm2-device",                  required_argument, NULL, ARG_TPM2_DEVICE      },
+                { "tpm2-pcrs",                    required_argument, NULL, ARG_TPM2_PCRS        },
+                { "wipe-slot",                    required_argument, NULL, ARG_WIPE_SLOT        },
                 {}
         };
 
@@ -144,6 +149,18 @@ static int parse_argv(int argc, char *argv[]) {
                 case ARG_VERSION:
                         return version();
 
+                case ARG_FIDO2_WITH_PIN: {
+                        bool lock_with_pin;
+
+                        r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
+                        if (r < 0)
+                                return r;
+
+                        SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
+
+                        break;
+                }
+
                 case ARG_PASSWORD:
                         if (arg_enroll_type >= 0)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@@ -486,7 +503,7 @@ static int run(int argc, char *argv[]) {
                 break;
 
         case ENROLL_FIDO2:
-                slot = enroll_fido2(cd, vk, vks, arg_fido2_device);
+                slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
                 break;
 
         case ENROLL_TPM2: