From a3696962e822236c7387a944f8ea12fdf5219ebc Mon Sep 17 00:00:00 2001
From: Vyacheslav Konovalov
Date: Wed, 14 Jul 2021 15:23:32 +0500
Subject: [PATCH] Support for initcpio (#31)

* Add initcpio hook and install script
* Make PIN optional
* Add README for initcpio
* Fix PKGBUILD, add install of initcpio
* Fix README for initcpio
---
 PKGBUILD | 29 +++++++++++++-------
 initcpio/Makefile | 18 +++++++++++++
 initcpio/README.md | 52 +++++++++++++++++++++++++++++++++++
 initcpio/fido2luks.conf | 18 +++++++++++++
 initcpio/hooks/fido2luks | 55 ++++++++++++++++++++++++++++++++++++++
 initcpio/install/fido2luks | 31 +++++++++++++++++++++
 6 files changed, 194 insertions(+), 9 deletions(-)
 create mode 100644 initcpio/Makefile
 create mode 100644 initcpio/README.md
 create mode 100644 initcpio/fido2luks.conf
 create mode 100644 initcpio/hooks/fido2luks
 create mode 100644 initcpio/install/fido2luks

diff --git a/PKGBUILD b/PKGBUILD
index 99dfb59..d4155b9 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,26 +1,37 @@
 # Maintainer: shimunn
-pkgname=fido2luks
-pkgver=0.2.12
+
+pkgname=fido2luks-git
+pkgver=0.2.16.7e6b33a
 pkgrel=1
-makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
+source=('git+https://github.com/shimunn/fido2luks')
+sha512sums=('SKIP')
 
 pkgver() {
- # Use tag version if possible otherwise concat project version and git ref
- git describe --exact-match --tags HEAD 2> /dev/null || \
- echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+ cd fido2luks
+
+ # Use tag version if possible otherwise concat project version and git ref
+ git describe --exact-match --tags HEAD 2>/dev/null ||
+ echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 
 build() {
+ cd fido2luks
 cargo build --release --locked --all-features --target-dir=target
 }
 
 package() {
- install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
- install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
- install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ cd fido2luks
+
+ install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
+ install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+ install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
+ install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
+ install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
 }
diff --git a/initcpio/Makefile b/initcpio/Makefile
new file mode 100644
index 0000000..b752589
--- /dev/null
+++ b/initcpio/Makefile
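Review bot: Renaming the package to `fido2luks-git` without `provides=('fido2luks')` and `conflicts=('fido2luks')` lets the old `fido2luks` package and this one be installed side by side, and since both ship `/usr/bin/fido2luks` pacman will reject the second as a file conflict; add `provides=('fido2luks')` and `conflicts=('fido2luks')` next to `pkgrel=1`. The new `pkgver()` still ends in a bare abbreviated commit hash (`0.2.16.7e6b33a`), which does not sort monotonically from one build to the next, so pacman may not recognise a newer build as an upgrade; the usual -git form inserts a revision count, e.g. `echo "$(cargo pkgid | cut -d'#' -f2).r$(git rev-list --count HEAD).$(git rev-parse --short HEAD)"`. `source=('git+https://github.com/shimunn/fido2luks')` with `sha512sums=('SKIP')` is conventional for a -git package, but it means nothing verifies what is fetched at build time; if upstream signs its tags or commits, a `?signed` source with `validpgpkeys` would let makepkg check them, and a comment saying the integrity of the build rests on the clone should otherwise be added.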
@@ -0,0 +1,18 @@
+.PHONY: install remove
+
+install:
+ install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
+ install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
+ifdef preset
+ mkinitcpio -p $(preset)
+else
+ mkinitcpio -P
+endif
+
+remove:
+ rm /usr/lib/initcpio/{hooks,install}/fido2luks
+ifdef preset
+ mkinitcpio -p $(preset)
+else
+ mkinitcpio -P
+endif
diff --git a/initcpio/README.md b/initcpio/README.md
new file mode 100644
index 0000000..f29ddab
--- /dev/null
+++ b/initcpio/README.md
@@ -0,0 +1,52 @@
+## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
+
+> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
+
+### Setup
+
+1. Connect your FIDO2 authenticator
+2. Generate credential id
+
+```shell
+fido2luks credential
+```
+
+3. Generate salt (random string)
+
+```shell
+pwgen 48 1
+```
+
+4. Add key to your LUKS2 device
+
+```shell
+fido2luks add-key -Pt --salt
+```
+
+`-P` - request PIN to unlock the authenticator
+`-t` - add token (including credential id) to the LUKS2 header
+`-e` - wipe all other keys
+
+For the full list of options see `fido2luks add-key --help`
+
+5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
+
+Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
+
+```shell
+cryptsetup luksDump
+```
+
+6. Add fido2luks hook to /etc/mkinitcpio.conf
+
+Before or instead of `encrypt` hook, for example:
+
+```shell
+HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
+```
+
+7. Recreate initial ramdisk
+
+```shell
+mkinitcpio -p
+```
diff --git a/initcpio/fido2luks.conf b/initcpio/fido2luks.conf
new file mode 100644
index 0000000..b2fb6fa
--- /dev/null
+++ b/initcpio/fido2luks.conf
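Review bot: `rm /usr/lib/initcpio/{hooks,install}/fido2luks` in the `remove` recipe relies on brace expansion, which Make's default `/bin/sh` does not perform where `sh` is dash, so the command fails with a file-not-found error there (on Arch `/bin/sh` is bash, which is why it happens to work); without `-f` a second `make remove` fails as well. Spell the paths out, `rm -f /usr/lib/initcpio/hooks/fido2luks /usr/lib/initcpio/install/fido2luks`, or set `SHELL := bash` at the top of the file. Both targets hard-code `/usr/lib/initcpio` three times; a `HOOKDIR ?= /usr/lib/initcpio` knob would keep the default and make the paths overridable. The recipe lines must start with a hard tab; the pasted patch has lost its indentation, so confirm this in the file itself.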
@@ -0,0 +1,18 @@
+# Set credential *ONLY IF* it's not embedded in the LUKS2 header
+FIDO2LUKS_CREDENTIAL_ID=
+
+# Encrypted device and its name under /dev/mapper
+# Can be overridden by `cryptdevice` kernel parameter
+FIDO2LUKS_DEVICE=
+FIDO2LUKS_MAPPER_NAME=
+
+FIDO2LUKS_SALT=string:
+
+# Use specific keyslot (ignore all other slots)
+FIDO2LUKS_DEVICE_SLOT=
+
+# Await for an authenticator to be connected (in seconds)
+FIDO2LUKS_DEVICE_AWAIT=
+
+# Set to 1 if PIN is required to unlock the authenticator
+FIDO2LUKS_ASK_PIN=
diff --git a/initcpio/hooks/fido2luks b/initcpio/hooks/fido2luks
new file mode 100644
index 0000000..f96be78
--- /dev/null
+++ b/initcpio/hooks/fido2luks
@@ -0,0 +1,55 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ . /etc/fido2luks.conf
+
+ if [ -z "$cryptdevice" ]; then
+ device="$FIDO2LUKS_DEVICE"
+ dmname="$FIDO2LUKS_MAPPER_NAME"
+ else
+ IFS=: read cryptdev dmname _cryptoptions <
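Review bot: `FIDO2LUKS_SALT=string:` is the only setting in this file without a comment, and nothing says that the text after `string:` must be the salt generated in README step 3 and passed to `fido2luks add-key --salt`; add `# Salt used when the key was added (README step 3); keep the string: prefix` above it. The hook sources this file with `. /etc/fido2luks.conf` (visible at the start of the next hunk), so each value is evaluated by the shell and a salt or device path containing spaces, `$` or `;` has to be quoted; a one-line note at the top of the file should say so. Presumably the install script copies this file into the initramfs image, which lives on the unencrypted boot partition, so the salt should be documented as non-secret and the `/etc/fido2luks.conf` permissions as not protecting it. `FIDO2LUKS_DEVICE_AWAIT=` and `FIDO2LUKS_ASK_PIN=` are shipped empty with no stated default; if the hook treats an empty value as a particular setting, say which in their comments (I cannot see that from this hunk).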