initcpio

2020-11-17 19:21:27 +01:00
9 changed files with 106 additions and 151 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,4 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
-result
-result-*
+fido2luks.zsh
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -377,7 +377,7 @@ dependencies = [

 [[package]]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.15"
 dependencies = [
 "ctap_hmac",
 "failure",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.15"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"

--- a/5
+++ b/5
@@ -17,10 +17,13 @@ pkgver() {

 build() {
    cargo build --release --locked --all-features --target-dir=target
+    target/release/${pkgname} completions target
 }

 package() {
    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
-    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/install/fido2luks"
+    install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/hooks/fido2luks"
 }
--- a/flake.lock
+++ b/flake.lock
@@ -1,61 +0,0 @@
-{
-  "nodes": {
-    "naersk": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1612192764,
-        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
-        "owner": "nmattia",
-        "repo": "naersk",
-        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nmattia",
-        "repo": "naersk",
-        "type": "github"
-      }
-    },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1611910458,
-        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
-        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
-        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
-        "type": "path"
-      },
-      "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
-      }
-    },
-    "root": {
-      "inputs": {
-        "naersk": "naersk",
-        "nixpkgs": "nixpkgs",
-        "utils": "utils"
-      }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1610051610,
-        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/flake.nix
+++ b/flake.nix
@@ -1,61 +0,0 @@
-{
-  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
-
-  inputs = {
-    utils.url = "github:numtide/flake-utils";
-    naersk = {
-      url = "github:nmattia/naersk";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
-
-  outputs = { self, nixpkgs, utils, naersk }:
-    let
-      root = ./.;
-      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
-      forPkgs = pkgs:
-        let
-          naersk-lib = naersk.lib."${pkgs.system}";
-          buildInputs = with pkgs; [ cryptsetup ];
-          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
-          nativeBuildInputs = with pkgs; [
-            pkgconfig
-            clang
-          ];
-        in
-        rec {
-          # `nix build`
-          packages.${pname} = naersk-lib.buildPackage {
-            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
-          };
-          defaultPackage = packages.${pname};
-
-          # `nix run`
-          apps.${pname} = utils.lib.mkApp {
-            drv = packages.${pname};
-          };
-          defaultApp = apps.${pname};
-
-          # `nix flake check`
-          checks = {
-            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
-              cd ${root}
-              cargo fmt -- --check
-              nixpkgs-fmt --check *.nix
-              touch $out
-            '';
-          };
-
-          # `nix develop`
-          devShell = pkgs.mkShell {
-            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
-            inherit buildInputs LIBCLANG_PATH;
-          };
-        };
-      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
-    in
-    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
-      overlay = final: prev: (forPkgs final).packages;
-    };
-
-}
--- a/initcpio/hook.sh
+++ b/initcpio/hook.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -ax
+
+exit_with() {
+    echo "$1" >&2
+    exit 1
+}
+
+validate() {
+    [ ! -e /etc/fido2luks.conf ] && exit_with "/etc/fido2luks.conf does not exist! Please configure first"
+    . /etc/fido2luks.conf
+    [ ! -e "$FIDO2LUKS_DEVICE" ] && exit_with "FIDO2LUKS_DEVICE='$FIDO2LUKS_DEVICE' does not exist!"
+    [ -z "$FIDO2LUKS_CREDENTIAL_ID" ] && exit_with "FIDO2LUKS_CREDENTIAL_ID must be set!"
+    [ -z "$FIDO2LUKS_MAPPER_NAME" ] && exit_with "FIDO2LUKS_MAPPER_NAME must be set!"
+}
+
+build() {
+    local mod
+    add_binary "cryptsetup"
+    add_module "dm-crypt"
+    add_module "dm-integrity"
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules "/crypto/"
+    fi
+
+    add_binary "dmsetup"
+    add_file "/usr/lib/udev/rules.d/10-dm.rules"
+    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+    add_systemd_unit "systemd-ask-password-console.path"
+    add_systemd_unit "systemd-ask-password-console.service"
+
+    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+    add_binary "/usr/lib/libgcc_s.so.1"
+
+    # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
+    add_binary "mkswap"
+
+    [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
+
+    validate 
+    add_file "/etc/fido2luks.conf" "/etc/fido2luks.conf"
+    add_binary "fido2luks" 
+    add_runscipt
+}
+
+run_hook() {
+    modprobe -a -q dm-crypt
+    . /etc/fido2luks.conf
+    if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then 
+        export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
+    fi
+    fido2luks open
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
--- a/initcpio/keyscript.sh
+++ b/initcpio/keyscript.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
+	export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password '$MSG'"
+fi
+
+if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
+	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
+fi
+
+fido2luks print-secret --bin
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -71,12 +71,6 @@ pub fn parse_cmdline() -> Args {
    Args::from_args()
 }

-pub fn prompt_interaction(interactive: bool) {
-    if interactive {
-        println!("Authorize using your FIDO device");
-    }
-}
-
 pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
@@ -115,7 +109,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                secret.salt.obtain_sha256(&secret.password_helper)
            }?;
-            prompt_interaction(interactive);
            let (secret, _cred) = derive_secret(
                credentials.ids.0.as_slice(),
                &salt,
@@ -171,27 +164,23 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
-                    } => {
-                        prompt_interaction(interactive);
-                        Ok(derive_secret(
-                            &credentials.ids.0,
-                            &salt(salt_q, verify)?,
-                            authenticator.await_time,
-                            pin.as_deref(),
-                        )
-                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
-                    }
+                    } => Ok(derive_secret(
+                        &credentials.ids.0,
+                        &salt(salt_q, verify)?,
+                        authenticator.await_time,
+                        pin.as_deref(),
+                    )
+                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
-            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
-                prompt_interaction(interactive);
+            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                derive_secret(
                    &credentials.ids.0,
-                    &salt(q, verify)?,
+                    &salt("Password", verify)?,
                    authenticator.await_time,
                    pin.as_deref(),
                )
@@ -201,7 +190,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            match &args.command {
                Command::AddKey { exclusive, .. } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret("Password to be added", true)?;
+                    let (new_secret, cred) = secret(true)?;
                    let added_slot = luks_dev.add_key(
                        &new_secret,
                        &existing_secret[..],
@@ -226,7 +215,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    Ok(())
                }
                Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret("Current password", false)?;
+                    let (existing_secret, _) = secret(false)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
                        luks_dev.add_key(
@@ -285,7 +274,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {

            // Cow shouldn't be necessary
            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
-                prompt_interaction(interactive);
                derive_secret(
                    credentials.as_ref(),
                    &salt("Password", false)?,