From cde2f8605e0c3842f9a87785dd758f955f2d04ba Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Mon, 12 Apr 2021 21:06:59 +0100 Subject: FIDO2: support pin-less LUKS enroll/unlock Closes: https://github.com/systemd/systemd/issues/19246 Some FIDO2 devices allow the user to choose whether to use a PIN or not and will HMAC with a different secret depending on the choice. Some other devices (or some device-specific configuration) can instead make it mandatory. Allow the cryptenroll user to choose whether to use a PIN or not, but fail immediately if it is a hard requirement. Record the choice in the JSON-encoded LUKS header metadata so that the right set of options can be used on unlock. --- src/home/homectl-fido2.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/home/homectl-fido2.c') diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c index d5edec1bc4..76775ee6bd 100644 --- a/src/home/homectl-fido2.c +++ b/src/home/homectl-fido2.c @@ -158,6 +158,7 @@ int identity_add_fido2_parameters( /* user_display_name= */ rn ? json_variant_string(rn) : NULL, /* user_icon_name= */ NULL, /* askpw_icon_name= */ "user-home", + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &cid, &cid_size, &salt, &salt_size, &secret, &secret_size, -- cgit v1.2.1
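Review bot: The new `FIDO2ENROLL_PIN` argument hard-codes a PIN-required policy for homectl, so the per-user choice the commit message describes for cryptenroll (and records in the LUKS header metadata) does not exist on this call path; the inline `// FIXME: add a --lock-with-pin parameter like cryptenroll` says as much. Either wire up that option in this change, or move the FIXME out of the argument list into a tracked TODO and state in the commit message that homectl keeps requiring a PIN until then, so the effective policy is not left undocumented. As a style point, a `//` comment inside a multi-line argument list is easy to overlook next to the `/* user_icon_name= */` style annotations around it; a matching `/* ... */` comment would be consistent with the surrounding lines.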