diff options
author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 21:06:59 +0100 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 21:36:27 +0100 |
commit | cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch) | |
tree | 26d259cdb23f9ace361340a87d584ab379259fde /src/home/homectl-fido2.c | |
parent | cd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff) | |
download | systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz |
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
Diffstat (limited to 'src/home/homectl-fido2.c')
-rw-r--r-- | src/home/homectl-fido2.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c index d5edec1bc4..76775ee6bd 100644 --- a/src/home/homectl-fido2.c +++ b/src/home/homectl-fido2.c @@ -158,6 +158,7 @@ int identity_add_fido2_parameters( /* user_display_name= */ rn ? json_variant_string(rn) : NULL, /* user_icon_name= */ NULL, /* askpw_icon_name= */ "user-home", + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &cid, &cid_size, &salt, &salt_size, &secret, &secret_size, |