path: root/src/home/homectl-fido2.c
author    Luca Boccassi <luca.boccassi@microsoft.com>  2021-04-12 21:06:59 +0100
committer Luca Boccassi <bluca@debian.org>  2021-05-07 21:36:27 +0100
commit    cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch)
tree      26d259cdb23f9ace361340a87d584ab379259fde /src/home/homectl-fido2.c
parent    cd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff)
download  systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not and will HMAC with a different secret depending on the choice. Some other devices (or some device-specific configuration) can instead make it mandatory. Allow the cryptenroll user to choose whether to use a PIN or not, but fail immediately if it is a hard requirement. Record the choice in the JSON-encoded LUKS header metadata so that the right set of options can be used on unlock.
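The commit message makes two claims that are easy to get wrong when writing an unlock path: the same salt produces a different hmac-secret output depending on whether a PIN was used, and a device can refuse PIN-less operation outright. The following Python model, added here as an illustration and not code from systemd or this commit, shows why the choice has to be recorded. It imitates the CTAP2.1 hmac-secret extension, where an authenticator keeps two per-credential CredRandom values and picks one according to whether user verification (a client PIN here) was performed; the CredRandom values, the device name and the token field names (`fido2-salt`, `fido2-clientPin-required`, `type`) are constructed assumptions for the example, not values read from a real token.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ModelAuthenticator:
    """Toy model of an authenticator implementing hmac-secret (CTAP2.1).

    Two CredRandom values exist per credential: one used when user
    verification (PIN) was performed, one when it was not.  A real device
    generates these at credential creation; here they are constructed.
    """
    cred_random_with_uv: bytes
    cred_random_without_uv: bytes
    pin_configured: bool        # a clientPin is set on the device
    pin_always_required: bool   # device/config makes the PIN mandatory

    def hmac_secret(self, salt: bytes, pin: Optional[str]) -> bytes:
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        if pin is None:
            # PIN-less request: refuse immediately if the device insists on a PIN
            if self.pin_always_required:
                raise PermissionError("authenticator requires a PIN for this credential")
            key = self.cred_random_without_uv
        else:
            if not self.pin_configured:
                raise PermissionError("no clientPin is configured on this authenticator")
            key = self.cred_random_with_uv
        # Different key -> different output for the same salt.
        return hmac.new(key, salt, hashlib.sha256).digest()


def enroll(auth: ModelAuthenticator, salt: bytes, use_pin: bool,
           pin: Optional[str] = None) -> Tuple[bytes, str]:
    """Derive the unlock secret and record the PIN choice in token metadata.

    Fails immediately (PermissionError) when a PIN-less enrolment is requested
    on a device that makes the PIN a hard requirement.
    """
    if use_pin and pin is None:
        raise ValueError("use_pin=True requires a PIN")
    secret = auth.hmac_secret(salt, pin if use_pin else None)
    token = {
        "type": "systemd-fido2",              # assumed token type name
        "fido2-salt": salt.hex(),             # assumed field name
        "fido2-clientPin-required": use_pin,  # assumed field name
    }
    return secret, json.dumps(token)


def token_requires_pin(token_json: str) -> bool:
    return bool(json.loads(token_json)["fido2-clientPin-required"])


def unlock(auth: ModelAuthenticator, token_json: str,
           pin: Optional[str] = None) -> bytes:
    """Re-derive the secret using the mode recorded at enrolment time."""
    token = json.loads(token_json)
    salt = bytes.fromhex(token["fido2-salt"])
    if token["fido2-clientPin-required"]:
        if pin is None:
            raise PermissionError("token was enrolled with a PIN but none was supplied")
        return auth.hmac_secret(salt, pin)
    return auth.hmac_secret(salt, None)


def make_test_device(pin_always_required: bool = False) -> ModelAuthenticator:
    # Constructed, deterministic CredRandom values for a reproducible demo.
    return ModelAuthenticator(
        cred_random_with_uv=hashlib.sha256(b"demo-credrandom-uv").digest(),
        cred_random_without_uv=hashlib.sha256(b"demo-credrandom-no-uv").digest(),
        pin_configured=True,
        pin_always_required=pin_always_required,
    )


if __name__ == "__main__":
    dev = make_test_device()
    salt = bytes(range(32))  # constructed salt
    s_nopin, t_nopin = enroll(dev, salt, use_pin=False)
    s_pin, t_pin = enroll(dev, salt, use_pin=True, pin="123456")
    print("same salt, different secrets:", s_nopin != s_pin)
    print("unlock honours recorded choice:", unlock(dev, t_nopin) == s_nopin)
    try:
        enroll(make_test_device(pin_always_required=True), salt, use_pin=False)
    except PermissionError as e:
        print("hard PIN requirement rejected at enrol time:", e)
```

The point to take from the model is the asymmetry: an unlock path that always sends the PIN (or never does) will silently derive the wrong secret for tokens enrolled the other way, so the flag stored next to the salt is part of the key material's identity, not a UI preference.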
Diffstat (limited to 'src/home/homectl-fido2.c')
-rw-r--r-- src/home/homectl-fido2.c | 1 +
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c
index d5edec1bc4..76775ee6bd 100644
--- a/src/home/homectl-fido2.c
+++ b/src/home/homectl-fido2.c
@@ -158,6 +158,7 @@ int identity_add_fido2_parameters(
/* user_display_name= */ rn ? json_variant_string(rn) : NULL,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "user-home",
+ FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
&cid, &cid_size,
&salt, &salt_size,
&secret, &secret_size,
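Review bot: the new `FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll` argument hard-codes PIN enrolment for homectl, so the PIN-less path the commit message adds for cryptenroll is not reachable from this call and the "record the choice" part of the message has no counterpart in this file; at minimum the FIXME should reference a tracking issue rather than leave the gap as a bare comment. Style-wise, the neighbouring arguments carry parameter-name annotations (`/* user_icon_name= */ NULL`, `/* askpw_icon_name= */ "user-home"`) while the new one has none, and it introduces a `//` comment where every comment in the surrounding lines uses `/* */`; giving the flag the same `/* name= */` annotation and a `/* FIXME: ... */` comment would keep the argument list readable.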