new script

dracut/Makefile

@@ -8,7 +8,8 @@ build:
 install: build
 	sudo mkdir -p ${DRACUT_MODULE_D}
 	sudo cp bin/* /usr/local/bin/
-	sudo cp module-setup.sh ykluks.sh bin/* ${DRACUT_MODULE_D}/
+	sudo cp bin/* ${DRACUT_MODULE_D}/
+	sudo cp module-setup.sh fido2luks.sh bin/* ${DRACUT_MODULE_D}/
 	sudo chown -R root: ${DRACUT_MODULE_D}/
 setup: install
 	sudo bin/fido2luks setup

dracut/fido2luks.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+LUKS_UUIDS="$(getargs rd.fido2luks.uuid | tr ' ' '\n'| cut -d '-' -f 2-)"
+CREDENTIAL_ID="$(getargs rd.fido2luks.credentialid)"
+SALT="$(getargs rd.fido2luks.salt)"
+
+MESSAGE_TIMEOUT=5
+
+display_msg_timeout () {
+	local MSG="$1"
+	(plymouth display-message --text="$MSG";sleep $MESSAGE_TIMEOUT;plymouth hide-message --text="$MSG") &
+}
+
+display_msg () {
+	local MSG="$1"
+	plymouth display-message --text="$MSG" &
+}
+
+hide_msg () {
+	local MSG="$1"
+	plymouth hide-message --text="$MSG" &
+}
+
+handle_authenticator () {
+
+        while ! /bin/f2l connected; do
+              display_msg_timeout "Please connect your authenicator"
+              sleep 1
+        done
+
+        export FIDO2LUKS_CREDENTIAL_ID="$CREDENTIAL_ID"
+        export FIDO2LUKS_SALT="${SALT:-Ask}"
+        export FIDO2LUKS_PASSWORD_HELPER="/usr/bin/systemd-ask-password --no-tty 'Disk 2fa password'"
+        for UUID in $LUKS_UUIDS ; do
+          export FIDO2LUKS_UUID="$UUID"
+          export FIDO2LUKS_MAPPER_NAME="${MAPPER_NAME:-luks-$FIDO2LUKS_UUID}"
+          display_msg_timeout "Watch your authenicator"
+          ERR="$(/bin/f2l open -e 2>&1)"
+          if [ "$?" -eq 1 ]; then
+            display_msg_timeout "Failed to unlock: $ERR"
+            sleep 15
+          fi
+        done
+        
+}

dracut/module-setup.sh

@@ -13,7 +13,7 @@ depends() {
 
 install() {
     #inst_hook pre-trigger 91 "$moddir/ykluks.sh"
-    inst_hook initqueue 01 "$moddir/ykluks.sh"
+    inst_hook initqueue 01 "$moddir/fido2luks.sh"
     #inst_hook pre-mount 1 "$moddir/fix_crypttab.sh"
     #inst_hook pre-trigger 10 "$moddir/ykluks.sh"
     #inst_hook cmdline 5 "$moddir/ykluks.sh"
@@ -26,7 +26,7 @@ install() {
     inst blkid
     inst lsusb
     inst cryptsetup
-    inst fido2luks
+    # inst fido2luks
     # Stolen from qubes-pciback module.
     inst lspci
     inst grep
@@ -37,7 +37,7 @@ install() {
     #inst_simple "/usr/sbin/blkid" "/bin/blkid"
     #inst_simple "/usr/bin/ykchalresp" "/bin/ykchalresp"
     inst_simple "/etc/fido2luks.json" "/etc/fido2luks.json"
-
+    inst_simple "$moddir/fido2luks" "/bin/f2l"
     #inst_rules "$moddir/20-ykfde.rules"
     inst_rules "/usr/lib/udev/rules.d/60-u2f-hidraw.rules"
     #inst_simple "$moddir/ykluks.sh" "/bin/ykluks.sh"

dracut/ykluks.sh

@@ -1,128 +0,0 @@
-#!/bin/sh
-
-type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-
-# Set defaults.
-YK_SLOT="2"
-DEVICE_MAX_WAIT="60"
-MESSAGE_TIMEOUT="10"
-SHOW_YK_INSERT_MSG="false"
-LUKS_PROMPT="Passphrase"
-FIDO2LUKS_PROMPT="Password"
-LUKS_PASSPHRASE_FALLBACK="false"
-
-# Load config file.
-FIDO2LUKS_CONFIG="/etc//bin/fido2luks.json"
-if [ -f "$FIDO2LUKS_CONFIG" ] ; then
-	export FIDO2LUKS_CONFIG="$FIDO2LUKS_CONFIG"
-fi
-
-LUKS_UUIDS="$(getargs rd./bin/fido2luks.uuid | tr ' ' '\n'| cut -d '-' -f 2-)"
-
-display_msg_timeout () {
-	local MSG="$1"
-	(plymouth display-message --text="$MSG";sleep $MESSAGE_TIMEOUT;plymouth hide-message --text="$MSG") &
-}
-
-display_msg () {
-	local MSG="$1"
-	plymouth display-message --text="$MSG" &
-}
-
-hide_msg () {
-	local MSG="$1"
-	plymouth hide-message --text="$MSG" &
-}
-
-hide_devices () {
-	# Find all networking devices currenly installed...
-	HIDE_PCI="`lspci -mm -n | grep '^[^ ]* "02'|awk '{print $1}'`"
-
-	# ... and optionally all USB controllers...
-	if getargbool 0 rd./bin/fido2luks.hide_all_usb; then
-	    HIDE_PCI="$HIDE_PCI `lspci -mm -n | grep '^[^ ]* "0c03'|awk '{print $1}'`"
-	fi
-
-	HIDE_PCI="$HIDE_PCI `getarg rd./bin/fido2luks.hide_pci | tr ',' ' '`"
-
-	modprobe xen-pciback 2>/dev/null || :
-
-	# ... and hide them so that Dom0 doesn't load drivers for them
-	for dev in $HIDE_PCI; do
-	    BDF=0000:$dev
-	    if [ -e /sys/bus/pci/devices/$BDF/driver ]; then
-		echo -n $BDF > /sys/bus/pci/devices/$BDF/driver/unbind
-	    fi
-	    echo -n $BDF > /sys/bus/pci/drivers/pciback/new_slot
-	    echo -n $BDF > /sys/bus/pci/drivers/pciback/bind
-	done
-}
-
-handle_authenticator () {
-	WAIT_COUNTER="0"
-	YUBIKEY_TEST=""
-	YUBIKEY_MSG="Please insert your authenticator..."
-	while ! /bin/fido2luks connected 2> /dev/null ; do
-	        YUBIKEY_TEST="1"
-		if [ "$SHOW_YK_INSERT_MSG" != "true" ] ; then
-			break
-		fi
-
-		if [ "$YUBIKEY_MSG" != "" ] ; then
-			display_msg "$YUBIKEY_MSG"
-			HIDE_MSG="$YUBIKEY_MSG"
-			YUBIKEY_MSG=""
-		fi
-
-		if [ "$WAIT_COUNTER" -ge "$DEVICE_MAX_WAIT" ] ; then
-			break
-		fi
-
-		WAIT_COUNTER="$[$WAIT_COUNTER+1]"
-		sleep 1
-	done
-
-	if [ "$HIDE_MSG" != "" ] ; then
-		hide_msg "$HIDE_MSG"
-	fi
-
-	while true ; do
-		if [ "$YUBIKEY_TEST" == "" ] ; then
-			if [ "$LUKS_PASSPHRASE_FALLBACK" != "true" ] ; then
-				break
-			fi
-			LUKS_PASSPHRASE="$(/usr/bin/systemd-ask-password --no-tty "$LUKS_PROMPT")"
-			for UUID in $LUKS_UUIDS ; do
-			        DEV="$(blkid -U "$UUID")"
-			        if echo "$LUKS_PASSPHRASE" | cryptsetup luksOpen "$DEV" luks-$UUID ; then
-				        LUKS_MSG="Luks device opened successful: $DEV"
-				        display_msg_timeout "$LUKS_MSG"
-			        else
-				        LUKS_MSG="Failed to open luks device: $DEV (Wrong password?)"
-				        display_msg_timeout "$LUKS_MSG"
-				        LUKS_OPEN_FAILURE="true"
-			        fi
-		        done
-		else
-			/bin/fido2luks open || display_msg_timeout "Failed to utilise authenticator"
-			YUBIKEY_MSG="Received response from yubikey."
-			display_msg_timeout "$YUBIKEY_MSG"
-			LUKS_OPEN_FAILURE="false"
-		fi
-		
-		
-		if ! $LUKS_OPEN_FAILURE ; then
-			break
-		fi
-	done
-}
-
-if [ "$LUKS_UUIDS" != "" ] ; then
-	handle_authenticator
-fi
-
-rm /etc/udev/rules.d/60-u2f-hidraw.rules
-systemctl daemon-reload
-
-# Make sure we hide devices from dom0 after yubikey/luks setup.
-hide_devices