authorLuca Boccassi <luca.boccassi@microsoft.com>2021-04-12 21:06:59 +0100
committerLuca Boccassi <bluca@debian.org>2021-05-07 21:36:27 +0100
commitcde2f8605e0c3842f9a87785dd758f955f2d04ba (patch)
tree26d259cdb23f9ace361340a87d584ab379259fde /src/shared/libfido2-util.h
parentcd5f57bda71dc9485d7eddf6cfcbfba843f5126c (diff)
downloadsystemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.gz
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246 Some FIDO2 devices allow the user to choose whether to use a PIN or not and will HMAC with a different secret depending on the choice. Some other devices (or some device-specific configuration) can instead make it mandatory. Allow the cryptenroll user to choose whether to use a PIN or not, but fail immediately if it is a hard requirement. Record the choice in the JSON-encoded LUKS header metadata so that the right set of options can be used on unlock.
Diffstat (limited to 'src/shared/libfido2-util.h')
-rw-r--r--src/shared/libfido2-util.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h
index 3648ea44c7..c22deebfcc 100644
--- a/src/shared/libfido2-util.h
+++ b/src/shared/libfido2-util.h
@@ -3,6 +3,12 @@
#include "macro.h"
+typedef enum Fido2EnrollFlags {
+ FIDO2ENROLL_PIN = 1 << 0,
+ _FIDO2ENROLL_TYPE_MAX,
+ _FIDO2ENROLL_TYPE_INVALID = -EINVAL,
+} Fido2EnrollFlags;
+
#if HAVE_LIBFIDO2
#include <fido.h>
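Review bot: `_FIDO2ENROLL_TYPE_MAX` and `_FIDO2ENROLL_TYPE_INVALID` follow systemd's enumeration-type pattern, but the value above them is a bit flag (`FIDO2ENROLL_PIN = 1 << 0`), so `_FIDO2ENROLL_TYPE_MAX` evaluates to 2 — the next flag bit, not a bound on valid combinations — and a `0 <= f < _FIDO2ENROLL_TYPE_MAX` check on a flags value read back from the LUKS header JSON would accept the single-bit case only by coincidence and reject valid combinations as soon as a second flag is added. If a validity check on the stored value is intended, a mask is the right tool, e.g. `_FIDO2ENROLL_FLAGS_ALL = FIDO2ENROLL_PIN` tested with `(f & ~_FIDO2ENROLL_FLAGS_ALL) == 0`; if the two sentinels exist only for the usual `*_from_string()` table lookup, a comment such as `/* bit mask, not an enumeration: _MAX/_INVALID only serve the string table, do not range-check against them */` would keep the next reader from doing so. `-EINVAL` also requires `<errno.h>`, presumably reached through `macro.h`; worth confirming now that the typedef sits outside the `HAVE_LIBFIDO2` guard and is compiled in every configuration.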
@@ -81,6 +87,7 @@ int fido2_use_hmac_hash(
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
+ Fido2EnrollFlags required,
void **ret_hmac,
size_t *ret_hmac_size);
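Review bot: The new `required` parameter is the only one in this prototype without an explanatory comment, while `up` on the line above has one; since, per the commit message, this value comes back from the LUKS header metadata written at enrollment, the contract worth stating is that it selects the mode the credential was enrolled with rather than merely permitting a PIN, e.g. `Fido2EnrollFlags required, /* features the credential was enrolled with; FIDO2ENROLL_PIN means the PIN must be used, not just offered */`. The header JSON is not integrity-protected, so the implementation (in libfido2-util.c, outside this hunk) should honour the bit strictly and never fall back to the other mode when an assertion fails: as the commit message notes the token derives a different secret per mode, a silent fallback cannot yield the key and would only produce confusing unlock failures. fido2_use_hmac_hash's parameter list starts before this hunk.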
@@ -93,6 +100,7 @@ int fido2_generate_hmac_hash(
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
+ Fido2EnrollFlags lock_with,
void **ret_cid, size_t *ret_cid_size,
void **ret_salt, size_t *ret_salt_size,
void **ret_secret, size_t *ret_secret_size,
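Review bot: The same `Fido2EnrollFlags` argument is named `required` in fido2_use_hmac_hash above and `lock_with` here, which reads as two different concepts although both carry the enrollment flags; either a common name or a comment tying them together would help, e.g. `Fido2EnrollFlags lock_with, /* requested features; enrollment must fail, not silently add a PIN, if the token mandates one */`. That hard-fail behaviour (stated in the commit message) is the property to pin down in the header, because the flags recorded in the LUKS header must match what the device actually used when deriving the secret, or unlock will pass the wrong options and fail. fido2_generate_hmac_hash's declaration starts before and continues after this hunk.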