added: retry pin

added: allow-discards env var
added --allow-discards flag
2022-01-24 14:36:07 +01:00 · 2022-01-24 14:19:04 +01:00 · 2021-12-28 13:50:21 +01:00 · 2021-12-11 11:52:40 +01:00 · 2021-12-11 11:51:07 +01:00
9 changed files with 40 additions and 319 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,5 +1,7 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 version = 3
 [[package]]
 name = "addr2line"
 version = "0.13.0"
@@ -404,7 +406,7 @@ dependencies = [
 [[package]]
 name = "fido2luks"
-version = "0.3.0"
+version = "0.3.0-alpha"
 dependencies = [
 "ctap_hmac",
 "failure",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.3.0"
+version = "0.3.0-alpha"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
--- a/README.md
+++ b/README.md
@@ -1,160 +1,7 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
-This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
+## 0.3.0-alpha
 Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
 ## Setup
 ### Prerequisites
 ```
 dnf install clang cargo cryptsetup-devel -y
 ```
 ### Device
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 sudo -E cargo install -f --path . --root /usr
 # Copy template
 cp dracut/96luks-2fa/fido2luks.conf /etc/
 # Name is optional but useful if your authenticator has a display
 echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 # Load config into env
 set -a
 . /etc/fido2luks.conf
 # Repeat for each luks volume
 # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
 # enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 # Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 ```
 ### Dracut
 ```
 cd dracut
 sudo make install
 ```
 ### Grub
 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 ```
 mkdir /boot/fido2luks/
 cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
 ## Testing
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 ```
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
 # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
 # which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
 ## Addtional settings
 ### Password less
 Remove your previous secret as described in the next section, in case you've already added one.
 Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
 but be warned that this password will be included to into your initramfs.
 Import the new config into env:
 ```
 set -a
 . /etc/fido2luks.conf
 ```
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 ### Multiple keys
 Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
 ```
 FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
 ```
 ## Removal
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
 ```
 set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 ## Theory of operation
 fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
 The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
 ```
        +-------------------------------------------------------------------------------+
        |                                                                               |
        |                       +-----------------------------------------+             |
        |                       |               FIDO2 device              |             |
        |                       |                                         |             |
        |                       |                                         |             |
 +-------+--------+   +------+   |                      +---------------+  |             |             +------------------------+
 | Salt/Password  +-> |sha256+------------------------> |               |  |             v             |      LUKS header       |
 +----------------+   +------+   |                      |               |  |                           |                        |           +---------------+   
                                |                      |               |  |        +--------+         +------------------------+-------->  |Disk master key| 
                                |                      |  sha256_hmac  +---------> | sha256 +-------> | Keyslot 1              |           +---------------+ 
 +----------------+              |  +----------+        |               |  |        +--------+         +------------------------+
 | FIDO credential+---------------> |Credential| +----> |               |  |                           | Keyslot 2              |
 +----------------+              |  |secret    |        |               |  |                           +------------------------+
                                |  +----------+        +---------------+  |
                                |                                         |
                                |                                         |
                                +-----------------------------------------+
 ```
 Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
 or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
 in a completly different secret.
 ## License
 Licensed under
 * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be licensed as above, without any additional terms or
 conditions.
 This is just the program itself, all intitrid scripts are mostly taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface.
 I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times.
 If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests.
--- a/README_NEW.md
+++ b/README_NEW.md
@@ -1,79 +0,0 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 ## Installation
 ### From Source
 Installing from source requires the following dependencies:
 Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
 Fedora: `cargo, clang-devel, cryptsetup-devel`
 To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
 it's recommended to clone the repo and install from there.
 ``
 git clone https://github.com/shimunn/fido2luks.git
 cargo install --root /usr --path fido2luks
 ``
 Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
 ### From Package
 Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
 NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
 ArchLinux: 
 * [AUR](https://aur.archlinux.org/packages/fido2luks/)
 * [Git](PKGBUILD)
 Fedora: coming soon
 ## Credentials
 Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header. 
 If your header is still using the LUKS1 format you may convert it:
 ```
 cryptsetup convert --type luks2 <device>
 ```
 if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
 ```
 fido2luks credential [optional name]
 ```
 the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
 ## Adding a Key
 If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
 ```
 set -a
 . /etc/fido2luks.conf
 ```
 To then add the key you need to have your current password/keyfile ready:
 without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
 with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
 if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
 ## Replacing a Key
 with password: `fido2luks -i replace-key <device>`
 with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
 with another fido2 derived key: `fido2luks -i replace-key -f <device>`
--- a/flake.lock
+++ b/flake.lock
@@ -1,21 +1,5 @@
 {
  "nodes": {
    "cargo-deb": {
      "flake": false,
      "locked": {
        "lastModified": 1627137192,
        "narHash": "sha256-zDAwiETJquiViEvBKMuI9WWgSGhVDscL/m1ufKJENBw=",
        "owner": "mmstick",
        "repo": "cargo-deb",
        "rev": "f603d105b4641e00640e46b189c6ee0c8f084de2",
        "type": "github"
      },
      "original": {
        "owner": "mmstick",
        "repo": "cargo-deb",
        "type": "github"
      }
    },
    "naersk": {
      "inputs": {
        "nixpkgs": [
@@ -23,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1623927034,
+        "lastModified": 1639051343,
-        "narHash": "sha256-sGxlmfp5eXL5sAMNqHSb04Zq6gPl+JeltIZ226OYN0w=",
+        "narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
        "owner": "nmattia",
        "repo": "naersk",
-        "rev": "e09c320446c5c2516d430803f7b19f5833781337",
+        "rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
        "type": "github"
      },
      "original": {
@@ -38,11 +22,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1627245147,
+        "lastModified": 1638109994,
-        "narHash": "sha256-CQzH/4Mbhcx1HD+dtD7pZ0dHUZvX4eKN9b8Ifzz4gC4=",
+        "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "23098f20376cd1c874af476e5d8ef9169105b020",
+        "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
        "type": "github"
      },
      "original": {
@@ -52,7 +36,6 @@
    },
    "root": {
      "inputs": {
        "cargo-deb": "cargo-deb",
        "naersk": "naersk",
        "nixpkgs": "nixpkgs",
        "utils": "utils"
@@ -60,11 +43,11 @@
    },
    "utils": {
      "locked": {
-        "lastModified": 1623875721,
+        "lastModified": 1638122382,
-        "narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -3,17 +3,13 @@
  inputs = {
    utils.url = "github:numtide/flake-utils";
    cargo-deb = {
      flake = false;
      url = "github:mmstick/cargo-deb";
    };
    naersk = {
      url = "github:nmattia/naersk";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, utils, naersk, cargo-deb }:
+  outputs = { self, nixpkgs, utils, naersk }:
    let
      root = ./.;
      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
@@ -32,45 +28,6 @@
          packages.${pname} = naersk-lib.buildPackage {
            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
          };
          packages."${pname}-deb" =
            let
              cargoDeb = naersk-lib.buildPackage {
                pname = "cargo-deb";
                root = cargo-deb;
              };
              pkg = packages.${pname};
              vm = pkgs.vmTools.diskImageFuns.ubuntu1804x86_64 { extraPackages = [ "cargo" "cryptsetup" "libclang-dev" "libcryptsetup-dev" ]; };
              makefile = pkgs.writeText "Makefile" "
                .PHONY: install
                cargo-deb:
                        cargo install --debug --path cargo-deb
                install: cargo-deb
                        cargo-deb
                        mkdir -p debs
                        cp target/debian/*.deb debs/
              ";
              src = pkgs.runCommandLocal "${pname}-vendored" {} ''
                mkdir -p $out/.cargo $out/cargo-deb/.cargo
                printf '${pkg.cargoconfig}' > $out/.cargo/config.toml; 
                printf '${cargoDeb.cargoconfig}' > $out/cargo-deb/.cargo/config.toml;
                printf '.PHONY: install\ninstall:\n\tcargo install --debug --path cargo-deb\n\tcargo-deb\n\tmkdir -p debs\n\tcp target/debian/*.deb debs/' > $out/Makefile
                cp -r ${pkg.src}/. $out/
                cp -r ${cargoDeb.src}/. $out/cargo-deb/
              '';
              args = {
                diskImage = vm;
                inherit src;
                name = pname;
                buildInputs = [ ];
                meta.description = "No descr";
              };
            in
            pkgs.releaseTools.debBuild args;
          defaultPackage = packages.${pname};
          # `nix run`
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -433,6 +433,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            credentials,
            retries,
            dry_run,
            allow_discards,
            ..
        } => {
            let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
                get_input(&secret, &authenticator, args.interactive, q, verify)
@@ -469,7 +471,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    });
                    secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
                        log(&|| format!("credential used: {}", hex::encode(&cred.id)));
-                        luks_dev.activate(&name, &secret, luks.slot, *dry_run)
+                        luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
                    })
                } else if luks2 && !luks.disable_token {
                    luks_dev.activate_token(
@@ -487,6 +489,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        }),
                        luks.slot,
                        *dry_run,
                        *allow_discards,
                    )
                } else if luks_dev.is_luks2()? && luks.disable_token {
                    // disable-token is mostly cosmetic in this instance
@@ -499,7 +502,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        match e {
                            Fido2LuksError::WrongSecret if retries > 0 => {}
                            Fido2LuksError::AuthenticatorError { ref cause }
-                                if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
+                                if match cause.kind() {
                                    FidoErrorKind::Timeout => true,
                                    FidoErrorKind::CborError(e) if e.code() == 0x33 => true,
                                    _ => false,
                                } && retries > 0 => {}
                            e => return Err(e),
                        };
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
@@ -244,6 +244,9 @@ pub enum Command {
        /// Perform the whole procedure without mounting the LUKS volume on success
        #[structopt(long = "dry-run")]
        dry_run: bool,
        /// Pass SSD trim instructions to the underlying block device
        #[structopt(long = "allow-discards", env = "FIDO2LUKS_ALLOW_DISCARDS")]
        allow_discards: bool,
    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -1,8 +1,8 @@
 use crate::error::*;
 use libcryptsetup_rs::{
-    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
-    TokenInput,
+    EncryptionFormat, KeyslotInfo, TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
@@ -238,15 +238,15 @@ impl LuksDevice {
        secret: &[u8],
        slot_hint: Option<u32>,
        dry_run: bool,
        allow_discard: bool,
    ) -> Fido2LuksResult<u32> {
        let mut flags = CryptActivateFlags::empty();
        if allow_discard {
            flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
        }
        self.device
            .activate_handle()
-            .activate_by_passphrase(
+            .activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
                Some(name).filter(|_| !dry_run),
                slot_hint,
                secret,
                CryptActivateFlags::empty(),
            )
            .map_err(LuksError::activate)
    }
@@ -256,6 +256,7 @@ impl LuksDevice {
        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
        slot_hint: Option<u32>,
        dry_run: bool,
        allow_discard: bool,
    ) -> Fido2LuksResult<u32> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
@@ -299,7 +300,7 @@ impl LuksDevice {
                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
        );
        for slot in slots {
-            match self.activate(name, &secret, slot, dry_run) {
+            match self.activate(name, &secret, slot, dry_run, allow_discard) {
                Err(Fido2LuksError::WrongSecret) => (),
                res => return res,
            }
Author	SHA1	Message	Date
shimun	4ee5965bfa	added: retry pin	2022-01-24 14:36:07 +01:00
shimun	b939e9efcd	added: allow-discards env var	2022-01-24 14:19:04 +01:00
shimun	f6c2bc4cdb	added --allow-discards flag	2021-12-28 13:50:21 +01:00
shimun	4e7ef4b8b7	0.3.0-alpha notice	2021-12-11 11:52:40 +01:00
shimun	e1ad8b37c1	0.3.0-alpha	2021-12-11 11:51:07 +01:00