add nix flake

* obvious password promt

* prompt interaction with FIDO device

.gitignore

@@ -5,4 +5,6 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
+result
+result-*

Cargo.lock

@@ -377,7 +377,7 @@ dependencies = [
 
 [[package]]
 name = "fido2luks"
-version = "0.2.15"
+version = "0.2.16"
 dependencies = [
  "ctap_hmac",
  "failure",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.15"
+version = "0.2.16"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 

PKGBUILD

@@ -17,13 +17,10 @@ pkgver() {
 
 build() {
     cargo build --release --locked --all-features --target-dir=target
-    target/release/${pkgname} completions target
 }
 
 package() {
     install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
     install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
-    install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
-    install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/install/fido2luks"
-    install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/hooks/fido2luks"
 }

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1612192764,
+        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1611910458,
+        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
+        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
+        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1610051610,
+        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,61 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nmattia/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup ];
+          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
+          nativeBuildInputs = with pkgs; [
+            pkgconfig
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs LIBCLANG_PATH;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}

initcpio/hook.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-
-set -ax
-
-exit_with() {
-    echo "$1" >&2
-    exit 1
-}
-
-validate() {
-    [ ! -e /etc/fido2luks.conf ] && exit_with "/etc/fido2luks.conf does not exist! Please configure first"
-    . /etc/fido2luks.conf
-    [ ! -e "$FIDO2LUKS_DEVICE" ] && exit_with "FIDO2LUKS_DEVICE='$FIDO2LUKS_DEVICE' does not exist!"
-    [ -z "$FIDO2LUKS_CREDENTIAL_ID" ] && exit_with "FIDO2LUKS_CREDENTIAL_ID must be set!"
-    [ -z "$FIDO2LUKS_MAPPER_NAME" ] && exit_with "FIDO2LUKS_MAPPER_NAME must be set!"
-}
-
-build() {
-    local mod
-    add_binary "cryptsetup"
-    add_module "dm-crypt"
-    add_module "dm-integrity"
-    if [[ $CRYPTO_MODULES ]]; then
-        for mod in $CRYPTO_MODULES; do
-            add_module "$mod"
-        done
-    else
-        add_all_modules "/crypto/"
-    fi
-
-    add_binary "dmsetup"
-    add_file "/usr/lib/udev/rules.d/10-dm.rules"
-    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
-    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
-    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
-
-    add_systemd_unit "systemd-ask-password-console.path"
-    add_systemd_unit "systemd-ask-password-console.service"
-
-    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
-    add_binary "/usr/lib/libgcc_s.so.1"
-
-    # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
-    add_binary "mkswap"
-
-    [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
-
-    validate 
-    add_file "/etc/fido2luks.conf" "/etc/fido2luks.conf"
-    add_binary "fido2luks" 
-    add_runscipt
-}
-
-run_hook() {
-    modprobe -a -q dm-crypt
-    . /etc/fido2luks.conf
-    if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then 
-        export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
-    fi
-    fido2luks open
-}
-
-help() {
-    cat <<HELPEOF
-This hook allows for an encrypted root device with systemd initramfs.
-
-See the manpage of systemd-cryptsetup-generator(8) for available kernel
-command line options. Alternatively, if the file /etc/crypttab.initramfs
-exists, it will be added to the initramfs as /etc/crypttab. See the
-crypttab(5) manpage for more information on crypttab syntax.
-HELPEOF
-}
-
-# vim: set ft=sh ts=4 sw=4 et:

initcpio/keyscript.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-set -a
-. /etc/fido2luks.conf
-
-if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
-	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
-	export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password '$MSG'"
-fi
-
-if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
-	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
-fi
-
-fido2luks print-secret --bin

src/cli.rs

@@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
     Args::from_args()
 }
 
+pub fn prompt_interaction(interactive: bool) {
+    if interactive {
+        println!("Authorize using your FIDO device");
+    }
+}
+
 pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
@@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 secret.salt.obtain_sha256(&secret.password_helper)
             }?;
+            prompt_interaction(interactive);
             let (secret, _cred) = derive_secret(
                 credentials.ids.0.as_slice(),
                 &salt,
@@ -164,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     } => Ok((util::read_keyfile(file)?, None)),
                     OtherSecret {
                         fido_device: true, ..
-                    } => Ok(derive_secret(
+                    } => {
-                        &credentials.ids.0,
+                        prompt_interaction(interactive);
-                        &salt(salt_q, verify)?,
+                        Ok(derive_secret(
-                        authenticator.await_time,
+                            &credentials.ids.0,
-                        pin.as_deref(),
+                            &salt(salt_q, verify)?,
-                    )
+                            authenticator.await_time,
-                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                            pin.as_deref(),
+                        )
+                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
+                    }
                     _ => Ok((
                         util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                         None,
                     )),
                 }
             };
-            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                prompt_interaction(interactive);
                 derive_secret(
                     &credentials.ids.0,
-                    &salt("Password", verify)?,
+                    &salt(q, verify)?,
                     authenticator.await_time,
                     pin.as_deref(),
                 )
@@ -190,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             match &args.command {
                 Command::AddKey { exclusive, .. } => {
                     let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret(true)?;
+                    let (new_secret, cred) = secret("Password to be added", true)?;
                     let added_slot = luks_dev.add_key(
                         &new_secret,
                         &existing_secret[..],
@@ -215,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     Ok(())
                 }
                 Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret(false)?;
+                    let (existing_secret, _) = secret("Current password", false)?;
                     let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                     let slot = if *add_password {
                         luks_dev.add_key(
@@ -274,6 +285,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 
             // Cow shouldn't be necessary
             let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                prompt_interaction(interactive);
                 derive_secret(
                     credentials.as_ref(),
                     &salt("Password", false)?,