initramfs-tools

initramfs-tools/Makefile

@@ -0,0 +1,23 @@
+.PHONY: install clean
+
+DRACUT_MODULES_D=/usr/lib/dracut/modules.d
+DRACUT_CONF_D=/etc/dracut.conf.d
+
+MODULE_CONF_D=dracut.conf.d
+MODULE_CONF=luks-2fa.conf
+MODULE_DIR=96luks-2fa
+
+help:
+	@echo make help to show this help
+	@echo make install to install
+	@echo make clean to remove
+
+install:
+	chmod +x hook/fido2luks.sh keyscript.sh
+	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
+	mkdir -p /usr/share/fido2luks
+	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u
+remove:
+	rm /etc/initramfs-tools/hooks/fido2luks.sh
+	update-initramfs -u

initramfs-tools/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
+FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case "$1" in
+prereqs)
+	echo ""
+	exit 0
+	;;
+
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
+copy_exec /usr/bin/fido2luks
+exit 0

initramfs-tools/keyscript.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
+fi
+
+fido2luks print-secret --bin