[projects/geninitrd] luks: add basic support for waiting for fido2 token insertion

atler atler at pld-linux.org
Sun Jul 28 15:58:14 CEST 2024


commit 2647eff0cfe45d69a290203b66f79d1a7f66fc09
Author: Jan Palus <atler at pld-linux.org>
Date:   Sun Jul 28 15:15:34 2024 +0200

    luks: add basic support for waiting for fido2 token insertion

 geninitrd.sysconfig |  3 +++
 mod-luks.sh         | 26 +++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
---
diff --git a/geninitrd.sysconfig b/geninitrd.sysconfig
index 1268324..db80009 100644
--- a/geninitrd.sysconfig
+++ b/geninitrd.sysconfig
@@ -50,3 +50,6 @@ USE_UDEV=yes
 
 # install firmware to initrd
 #MODULE_qla2xxx_FIRMWARE="ql2300_fw.bin"
+
+# wait (in seconds) for FIDO2 token insertion when decrypting LUKS device
+# FIDO2_TOKEN_TIMEOUT=30
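Review bot: The comment on the new FIDO2_TOKEN_TIMEOUT setting does not tell the administrator what the default is, how to turn the wait off, or which crypttab entries it affects; from mod-luks.sh in this same commit the value defaults to 30 (`${FIDO2_TOKEN_TIMEOUT:-30}`), the wait is skipped entirely when it is 0 (`[ $fido2_token_timeout -gt 0 ]`), and it only applies to entries using `systemd-fido2`. Since this is the only place a user reads about the knob, suggest `# wait (in seconds) for FIDO2 token insertion before opening a LUKS device that uses systemd-fido2; default 30, 0 disables the wait`. The value must be a non-negative integer; the generator currently does not check that, so saying so here avoids a confusing build-time test error.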
diff --git a/mod-luks.sh b/mod-luks.sh
index 54537ec..4d55908 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,7 +117,7 @@ luks_crypttab() {
 	local LUKSNAME="$1"
 
 	# copy from /etc/rc.d/init.d/cryptsetup
-	local dst src key opt mode owner failsafe token libdir cryptdir
+	local dst src key opt mode owner failsafe token libdir cryptdir fido2_token_found fido2_device fido2_token_timeout fido2_token_check
 
 	while read dst src key opt; do
 		[ "$dst" != "$LUKSNAME" ] && continue
@@ -170,6 +170,7 @@ luks_crypttab() {
 							if [ -e $libdir/libpcsclite_real.so.1 ]; then
 								inst_exec $libdir/libpcsclite_real.so.1 $libdir
 							fi
+							fido2_token_found=1
 							;;
 						systemd-tpm2)
 							inst_d $cryptdir
@@ -192,6 +193,9 @@ luks_crypttab() {
 					discard|allow-discards)
 						crypttab_opt="$crypttab_opt --allow-discards"
 						;;
+					fido2-device=*)
+						fido2_device=${option#*=}
+						;;
 					*)
 						warn "$dst: option \'$option\' is unsupported for LUKS partitions, ignored"
 						;;
@@ -199,6 +203,26 @@ luks_crypttab() {
 			done
 			IFS="$old_IFS"
 
+			fido2_token_timeout=${FIDO2_TOKEN_TIMEOUT:-30}
+
+			if [ -n "$fido2_token_found" ] && [ $fido2_token_timeout -gt 0 ]; then
+				if [ ${fido2_device:-auto} = "auto" ]; then
+					inst_exec /usr/bin/fido2-token /bin
+					fido2_token_check='[ -z "$(/bin/fido2-token -L 2>/dev/null)" ]'
+				else
+					fido2_token_check="[ ! -e \"$fido2_device\" ]"
+				fi
+				add_linuxrc <<-EOF
+				if $fido2_token_check; then
+					echo '<5>Waiting for FIDO2 token' > /dev/kmsg
+					i=0
+					while $fido2_token_check && [ \$i -lt $fido2_token_timeout ]; do
+						usleep 1000000
+						i=\$((i + 1))
+					done
+				fi
+				EOF
+			fi
 			verbose "+ cryptsetup ${keyfile:+-d $keyfile} open $crypttab_opt '$src' '$dst'"
 			add_linuxrc <<-EOF
 			debugshell
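Review bot: The crypttab `fido2-device=` value is pasted into the generated linuxrc inside double quotes (`fido2_token_check="[ ! -e \"$fido2_device\" ]"`) without any validation, and the `auto` test just above it leaves `${fido2_device:-auto}` unquoted, so a path containing whitespace, `"` or `$` either breaks the build-time test or ends up as shell code in the initrd. The sysconfig-provided `fido2_token_timeout` has the same gap one step earlier: anything non-numeric makes `[ $fido2_token_timeout -gt 0 ]` error out, and the raw value is interpolated into the loop condition. Both inputs come from root-owned files, so this is a robustness rather than a privilege issue, but the initrd should not silently carry a broken wait loop; validating both values before use and single-quoting the path costs a few lines, sketched below (the add_linuxrc body is unchanged). Two caveats worth a comment: in auto mode `fido2-token -L` succeeds as soon as any FIDO device enumerates, not necessarily the enrolled one, and the loop assumes the initrd shell provides `usleep`, which I cannot confirm from this hunk.
```shell
fido2_token_timeout=${FIDO2_TOKEN_TIMEOUT:-30}
case "$fido2_token_timeout" in
*[!0-9]*|'')
	warn "FIDO2_TOKEN_TIMEOUT='$fido2_token_timeout' is not a non-negative integer, using 30"
	fido2_token_timeout=30
	;;
esac
# the device path is copied verbatim into linuxrc, so accept only a plain absolute path
# (quotes, $, whitespace would otherwise become shell code in the initrd)
case "${fido2_device:-auto}" in
auto) ;;
/*[!A-Za-z0-9/._:-]*|[!/]*)
	warn "$dst: fido2-device='$fido2_device' is not a plain absolute path, falling back to auto"
	fido2_device=auto
	;;
esac

if [ -n "$fido2_token_found" ] && [ "$fido2_token_timeout" -gt 0 ]; then
	if [ "${fido2_device:-auto}" = "auto" ]; then
		# … unchanged: fido2-token install and -L based check …
	else
		fido2_token_check="[ ! -e '$fido2_device' ]"
	fi
	# … unchanged: add_linuxrc wait loop …
fi
```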

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/2647eff0cfe45d69a290203b66f79d1a7f66fc09


