From a3696962e822236c7387a944f8ea12fdf5219ebc Mon Sep 17 00:00:00 2001 From: Vyacheslav Konovalov Date: Wed, 14 Jul 2021 15:23:32 +0500 Subject: [PATCH 1/4] Support for initcpio (#31) * Add initcpio hook and install script * Make PIN optional * Add README for initcpio * Fix PKGBUILD, add install of initcpio * Fix README for initcpio --- PKGBUILD | 29 +++++++++++++------- initcpio/Makefile | 18 +++++++++++++ initcpio/README.md | 52 +++++++++++++++++++++++++++++++++++ initcpio/fido2luks.conf | 18 +++++++++++++ initcpio/hooks/fido2luks | 55 ++++++++++++++++++++++++++++++++++++++ initcpio/install/fido2luks | 31 +++++++++++++++++++++ 6 files changed, 194 insertions(+), 9 deletions(-) create mode 100644 initcpio/Makefile create mode 100644 initcpio/README.md create mode 100644 initcpio/fido2luks.conf create mode 100644 initcpio/hooks/fido2luks create mode 100644 initcpio/install/fido2luks diff --git a/PKGBUILD b/PKGBUILD index 99dfb59..d4155b9 100644 --- a/PKGBUILD +++ b/PKGBUILD 
@@ -1,26 +1,37 @@
 # Maintainer: shimunn
-pkgname=fido2luks
-pkgver=0.2.12
+
+pkgname=fido2luks-git
+pkgver=0.2.16.7e6b33a
 pkgrel=1
-makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
+source=('git+https://github.com/shimunn/fido2luks')
+sha512sums=('SKIP')
 pkgver() {
- # Use tag version if possible otherwise concat project version and git ref
- git describe --exact-match --tags HEAD 2> /dev/null || \
- echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+ cd fido2luks
+
+ # Use tag version if possible otherwise concat project version and git ref
+ git describe --exact-match --tags HEAD 2>/dev/null ||
+ echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 build() {
+ cd fido2luks
 cargo build --release --locked --all-features --target-dir=target
 }
 package() {
- install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
- install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
- install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ cd fido2luks
+
+ install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
+ install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+ install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
+ install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
+ install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
 }
diff --git a/initcpio/Makefile b/initcpio/Makefile
new file mode 100644
index 0000000..b752589
--- /dev/null
+++ b/initcpio/Makefile
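Review bot: The package is renamed to `fido2luks-git` but no `provides=('fido2luks')` / `conflicts=('fido2luks')` are added alongside `depends`, so pacman does not know the two packages are alternatives and installing one over the other fails on the shared `/usr/bin/fido2luks` instead of being offered as a replacement. Add `provides=('fido2luks')` and `conflicts=('fido2luks')` next to `depends=('cryptsetup')`. Separately, `source=('git+https://github.com/shimunn/fido2luks')` carries no `#tag=`/`#commit=` fragment and `sha512sums=('SKIP')`, so the build compiles whatever the branch head is at build time; that is conventional for a `-git` package, but a one-line comment saying so, and that a commit fragment can be appended for a reproducible build, would save users from assuming the `pkgver` value pins anything.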
@@ -0,0 +1,18 @@
+.PHONY: install remove
+
+install:
+ install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
+ install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
+ifdef preset
+ mkinitcpio -p $(preset)
+else
+ mkinitcpio -P
+endif
+
+remove:
+ rm /usr/lib/initcpio/{hooks,install}/fido2luks
+ifdef preset
+ mkinitcpio -p $(preset)
+else
+ mkinitcpio -P
+endif
diff --git a/initcpio/README.md b/initcpio/README.md
new file mode 100644
index 0000000..f29ddab
--- /dev/null
+++ b/initcpio/README.md
@@ -0,0 +1,52 @@
+## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
+
+> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
+
+### Setup
+
+1. Connect your FIDO2 authenticator
+2. Generate credential id
+
+```shell
+fido2luks credential
+```
+
+3. Generate salt (random string)
+
+```shell
+pwgen 48 1
+```
+
+4. Add key to your LUKS2 device
+
+```shell
+fido2luks add-key -Pt --salt
+```
+
+`-P` - request PIN to unlock the authenticator
+`-t` - add token (including credential id) to the LUKS2 header
+`-e` - wipe all other keys
+
+For the full list of options see `fido2luks add-key --help`
+
+5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
+
+Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
+
+```shell
+cryptsetup luksDump
+```
+
+6. Add fido2luks hook to /etc/mkinitcpio.conf
+
+Before or instead of `encrypt` hook, for example:
+
+```shell
+HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
+```
+
+7. Recreate initial ramdisk
+
+```shell
+mkinitcpio -p
+```
diff --git a/initcpio/fido2luks.conf b/initcpio/fido2luks.conf
new file mode 100644
index 0000000..b2fb6fa
--- /dev/null
+++ b/initcpio/fido2luks.conf
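Review bot: `rm /usr/lib/initcpio/{hooks,install}/fido2luks` in the `remove` target relies on brace expansion, which POSIX `sh` — make's default recipe shell — does not perform; on Arch `/bin/sh` happens to be bash so this works, but anywhere else the recipe tries to remove a literal `{hooks,install}` path and fails. Spell out both paths, `rm /usr/lib/initcpio/hooks/fido2luks /usr/lib/initcpio/install/fido2luks`, or declare `SHELL := /bin/bash` at the top. The `install` target also writes straight into `/usr/lib` with no `DESTDIR` prefix, which is why the PKGBUILD in this same patch has to duplicate the two `install` lines instead of reusing this file; adding `$(DESTDIR)` in front of both destinations would let them share one path.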
@@ -0,0 +1,18 @@
+# Set credential *ONLY IF* it's not embedded in the LUKS2 header
+FIDO2LUKS_CREDENTIAL_ID=
+
+# Encrypted device and its name under /dev/mapper
+# Can be overridden by `cryptdevice` kernel parameter
+FIDO2LUKS_DEVICE=
+FIDO2LUKS_MAPPER_NAME=
+
+FIDO2LUKS_SALT=string:
+
+# Use specific keyslot (ignore all other slots)
+FIDO2LUKS_DEVICE_SLOT=
+
+# Await for an authenticator to be connected (in seconds)
+FIDO2LUKS_DEVICE_AWAIT=
+
+# Set to 1 if PIN is required to unlock the authenticator
+FIDO2LUKS_ASK_PIN=
diff --git a/initcpio/hooks/fido2luks b/initcpio/hooks/fido2luks
new file mode 100644
index 0000000..f96be78
--- /dev/null
+++ b/initcpio/hooks/fido2luks
@@ -0,0 +1,55 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ . /etc/fido2luks.conf
+
+ if [ -z "$cryptdevice" ]; then
+ device="$FIDO2LUKS_DEVICE"
+ dmname="$FIDO2LUKS_MAPPER_NAME"
+ else
+ IFS=: read cryptdev dmname _cryptoptions < Date: Wed, 14 Jul 2021 12:24:58 +0200 Subject: [PATCH 2/4] bump version
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 0165240..f3060d0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -377,7 +377,7 @@ dependencies = [
 [[package]]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.17"
 dependencies = [
 "ctap_hmac",
 "failure",
diff --git a/Cargo.toml b/Cargo.toml
index 4c5d21b..24d4598 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.17"
 authors = ["shimunn "]
 edition = "2018"
From 5496c4e61b211206c6fbd90e50e41cf490a5da3e Mon Sep 17 00:00:00 2001
From: shimun
Date: Wed, 14 Jul 2021 15:44:58 +0200
Subject: [PATCH 3/4] always set credential name
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 src/cli.rs | 2 +-
 src/cli_args/mod.rs | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index f3060d0..c836f13 100644
--- a/Cargo.lock
+++ b/Cargo.lock
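Review bot: The template never says that `/etc/fido2luks.conf` is sourced as shell by the hook (the hook in the next hunk does `. /etc/fido2luks.conf`), so a value containing spaces, `$` or quotes — the `FIDO2LUKS_SALT` string is the obvious candidate — produces a parse error or an unexpected expansion at boot rather than a clear failure. Add a first line such as `# Sourced as a shell script by the fido2luks initcpio hook: quote values that contain spaces or shell metacharacters`. It would also help to say next to `FIDO2LUKS_SALT=string:` that this file ends up inside the initramfs image (the install script that would confirm this is truncated in the patch as shown), so the salt is only as confidential as `/boot` itself, and that `FIDO2LUKS_ASK_PIN` is a flag whose only meaningful value is `1`.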
@@ -377,7 +377,7 @@ dependencies = [
 [[package]]
 name = "fido2luks"
-version = "0.2.17"
+version = "0.2.18"
 dependencies = [
 "ctap_hmac",
 "failure",
diff --git a/Cargo.toml b/Cargo.toml
index 24d4598..7e885b2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.17"
+version = "0.2.18"
 authors = ["shimunn "]
 edition = "2018"
diff --git a/src/cli.rs b/src/cli.rs
index 5b248f4..02c4434 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -93,7 +93,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 } else {
 None
 };
- let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
+ let cred = make_credential_id(Some(name.as_ref()), pin)?;
 println!("{}", hex::encode(&cred.id));
 Ok(())
 }
diff --git a/src/cli_args/mod.rs b/src/cli_args/mod.rs
index b02799f..048ae33 100644
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
@@ -236,9 +236,9 @@ pub enum Command {
 Credential {
 #[structopt(flatten)]
 authenticator: AuthenticatorParameters,
- /// Name to be displayed on the authenticator if it has a display
- #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
- name: Option,
+ /// Name to be displayed on the authenticator display
+ #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
+ name: String,
 },
 /// Check if an authenticator is connected
 #[structopt(name = "connected")]
From f53096dc5b42eff95c3e9d86f5cdfddb7a392e58 Mon Sep 17 00:00:00 2001
From: shimun
Date: Fri, 16 Jul 2021 15:11:31 +0200
Subject: [PATCH 4/4] password helper: inherit stdin, stderr should make fido2luks much easier to use in boot scripts since it will allow for usage as follows: `fido2luks open-token /dev/disk/by-uuid/sda1 test 'bash -c "read -p Pass PW 1>&2; echo $PW"'` which will read the password from the current terminal
---
 src/cli_args/config.rs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/cli_args/config.rs b/src/cli_args/config.rs
index cde093f..ed99975 100644
--- a/src/cli_args/config.rs
+++ b/src/cli_args/config.rs
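Review bot: `Some(name.as_ref())` leaves it to type inference to choose `AsRef<str>` among the several `AsRef` impls `String` provides, so the line only compiles because of `make_credential_id`'s parameter type; `Some(name.as_str())` states the intent directly. Since `name` is now always a `String`, this call site can never pass `None`, so if `make_credential_id` has no other caller that does, its `Option<&str>` parameter is dead generality that a follow-up could collapse to `&str`. `run_cli` begins before this hunk.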
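Review bot: The switch from `Option<String>` to `String` with `default_value = "fido2luks"` means a credential is now always created with a name, where before an omitted flag left it unset, and the doc comment does not mention the default or the `FIDO2LUKS_CREDENTIAL_NAME` override; `/// Name to be displayed on the authenticator display (defaults to "fido2luks"; overridable via FIDO2LUKS_CREDENTIAL_NAME)` would record both. One edge to confirm: when the environment variable is exported but empty, structopt may hand over an empty string rather than falling back to the default, so the name is worth validating as non-empty before it reaches the authenticator. The `Command` enum starts before this hunk.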
@@ -7,6 +7,7 @@ use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;
 use std::process::Command;
+use std::process::Stdio;
 use std::str::FromStr;
 #[derive(Debug, Clone, PartialEq)]
@@ -156,6 +157,8 @@ impl PasswordHelper {
 let password = Command::new("sh")
 .arg("-c")
 .arg(&password_helper)
+ .stdin(Stdio::inherit())
+ .stderr(Stdio::inherit())
 .output()
 .map_err(|e| Fido2LuksError::AskPassError {
 cause: error::AskPassError::IO(e),
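Review bot: The two `Stdio::inherit()` calls change the helper's contract — `Command::output()` on its own gives the child a closed stdin, which is what kept interactive helpers from working — but nothing in the hunk records it, and the contract matters because whatever the helper writes to stdout is taken as the password. Put a comment above the `Command::new("sh")` line, e.g. `// The helper shares our stdin/stderr so it can prompt on the terminal; only stdout is captured, and its content is the password.`. Two consequences belong in the `PasswordHelper` docs as well: a helper that reads the secret on the shared terminal should do so without echo (`read -s` rather than the plain `read` in the commit message example), and if fido2luks is ever itself fed input on stdin, the helper now competes with it for that stream. The enclosing method in `impl PasswordHelper` starts before the hunk.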