shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:initcpio
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:setup
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

1 Commits
initcpio ... setup

Author SHA1 Message Date
shimun
f9c2ee092c setup
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-09-24 23:00:18 +02:00
10 changed files with 186 additions and 366 deletions
Expand all files Collapse all files

135
Cargo.lock generated
View File

@@ -86,7 +86,7 @@ dependencies = [
"lazycell", "lazycell",
"log", "log",
"peeking_take_while", "peeking_take_while",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"regex", "regex",
"rustc-hash", "rustc-hash",
@@ -100,6 +100,18 @@ version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
[[package]]
name = "bstr"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "31accafdb70df7871592c058eca3985b71104e15ac32f64706022c58867da931"
dependencies = [
"lazy_static",
"memchr",
"regex-automata",
"serde",
]
[[package]] [[package]]
name = "byteorder" name = "byteorder"
version = "1.3.4" version = "1.3.4"
@@ -118,9 +130,9 @@ dependencies = [
[[package]] [[package]]
name = "cc" name = "cc"
version = "1.0.59" version = "1.0.60"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381" checksum = "ef611cc68ff783f18535d77ddd080185275713d852c4f5cbb6122c462a7a825c"
[[package]] [[package]]
name = "cexpr" name = "cexpr"
@@ -244,6 +256,19 @@ dependencies = [
"lazy_static", "lazy_static",
] ]
[[package]]
name = "csv"
version = "1.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00affe7f6ab566df61b4be3ce8cf16bc2576bca0963ceb0955e45d514bf9a279"
dependencies = [
"bstr",
"csv-core",
"itoa",
"ryu",
"serde",
]
[[package]] [[package]]
name = "csv-core" name = "csv-core"
version = "0.1.10" version = "0.1.10"
@@ -255,14 +280,14 @@ dependencies = [
[[package]] [[package]]
name = "ctap_hmac" name = "ctap_hmac"
version = "0.4.2" version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc" checksum = "33ccc28f298181e943187fa63805e652bc4806ad43708beebd22c230fbe0baa3"
dependencies = [ dependencies = [
"byteorder", "byteorder",
"cbor-codec", "cbor-codec",
"crossbeam", "crossbeam",
"csv-core", "csv",
"derive_builder", "derive_builder",
"failure", "failure",
"failure_derive", "failure_derive",
@@ -271,6 +296,8 @@ dependencies = [
"rand 0.6.5", "rand 0.6.5",
"ring", "ring",
"rust-crypto", "rust-crypto",
"serde",
"serde_derive",
"untrusted", "untrusted",
] ]
@@ -292,10 +319,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
dependencies = [ dependencies = [
"fnv", "fnv",
"ident_case", "ident_case",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"strsim 0.9.3", "strsim 0.9.3",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
@@ -306,7 +333,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [ dependencies = [
"darling_core", "darling_core",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
@@ -317,9 +344,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
dependencies = [ dependencies = [
"darling", "darling",
"derive_builder_core", "derive_builder_core",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
@@ -329,16 +356,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef" checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
dependencies = [ dependencies = [
"darling", "darling",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
name = "either" name = "either"
version = "1.6.0" version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
[[package]] [[package]]
name = "env_logger" name = "env_logger"
@@ -369,15 +396,15 @@ version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
"synstructure", "synstructure",
] ]
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.14"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",
@@ -432,9 +459,9 @@ dependencies = [
[[package]] [[package]]
name = "hermit-abi" name = "hermit-abi"
version = "0.1.15" version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9" checksum = "4c30f6d0bc6b00693347368a67d41b58f2fb851215ff1da49e90fe2c5c667151"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@@ -480,9 +507,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
[[package]] [[package]]
name = "libc" name = "libc"
version = "0.2.76" version = "0.2.77"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3" checksum = "f2f96b10ec2560088a8e76961b00d47107b3a625fecb76dedb29ee7ccbf98235"
[[package]] [[package]]
name = "libcryptsetup-rs" name = "libcryptsetup-rs"
@@ -544,20 +571,21 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
[[package]] [[package]]
name = "memoffset" name = "memoffset"
version = "0.5.5" version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f" checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
dependencies = [ dependencies = [
"autocfg 1.0.1", "autocfg 1.0.1",
] ]
[[package]] [[package]]
name = "miniz_oxide" name = "miniz_oxide"
version = "0.4.1" version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722" checksum = "c60c0dfe32c10b43a144bad8fc83538c52f58302c92300ea7ec7bf7b38d5a7b9"
dependencies = [ dependencies = [
"adler", "adler",
"autocfg 1.0.1",
] ]
[[package]] [[package]]
@@ -615,9 +643,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c" checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [ dependencies = [
"proc-macro-error-attr", "proc-macro-error-attr",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
"version_check", "version_check",
] ]
@@ -627,7 +655,7 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869" checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"version_check", "version_check",
] ]
@@ -643,9 +671,9 @@ dependencies = [
[[package]] [[package]]
name = "proc-macro2" name = "proc-macro2"
version = "1.0.20" version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29" checksum = "36e28516df94f3dd551a587da5357459d9b36d945a7c37c3557928c1c2ff2a2c"
dependencies = [ dependencies = [
"unicode-xid 0.2.1", "unicode-xid 0.2.1",
] ]
@@ -671,7 +699,7 @@ version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37" checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
] ]
[[package]] [[package]]
@@ -824,6 +852,15 @@ dependencies = [
"thread_local", "thread_local",
] ]
[[package]]
name = "regex-automata"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae1ded71d66a4a97f5e961fd0cb25a5f366a42a41570d16a763a69c092c26ae4"
dependencies = [
"byteorder",
]
[[package]] [[package]]
name = "regex-syntax" name = "regex-syntax"
version = "0.6.18" version = "0.6.18"
@@ -912,19 +949,19 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]] [[package]]
name = "serde" name = "serde"
version = "1.0.115" version = "1.0.116"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5" checksum = "96fe57af81d28386a513cbc6858332abc6117cfdb5999647c6444b8f43a370a5"
[[package]] [[package]]
name = "serde_derive" name = "serde_derive"
version = "1.0.115" version = "1.0.116"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48" checksum = "f630a6370fd8e457873b4bd2ffdae75408bc291ba72be773772a4c2a065d9ae8"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
@@ -958,9 +995,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]] [[package]]
name = "structopt" name = "structopt"
version = "0.3.17" version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5" checksum = "a33f6461027d7f08a13715659b2948e1602c31a3756aeae9378bfe7518c72e82"
dependencies = [ dependencies = [
"clap", "clap",
"lazy_static", "lazy_static",
@@ -969,15 +1006,15 @@ dependencies = [
[[package]] [[package]]
name = "structopt-derive" name = "structopt-derive"
version = "0.4.10" version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f" checksum = "c92e775028122a4b3dd55d58f14fc5120289c69bee99df1d117ae30f84b225c9"
dependencies = [ dependencies = [
"heck", "heck",
"proc-macro-error", "proc-macro-error",
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
] ]
[[package]] [[package]]
@@ -993,11 +1030,11 @@ dependencies = [
[[package]] [[package]]
name = "syn" name = "syn"
version = "1.0.40" version = "1.0.41"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350" checksum = "6690e3e9f692504b941dc6c3b188fd28df054f7fb8469ab40680df52fdcc842b"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"unicode-xid 0.2.1", "unicode-xid 0.2.1",
] ]
@@ -1008,9 +1045,9 @@ version = "0.12.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701" checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
dependencies = [ dependencies = [
"proc-macro2 1.0.20", "proc-macro2 1.0.21",
"quote 1.0.7", "quote 1.0.7",
"syn 1.0.40", "syn 1.0.41",
"unicode-xid 0.2.1", "unicode-xid 0.2.1",
] ]

3
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.14"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -48,7 +48,6 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
assets = [ assets = [
["target/release/fido2luks", "usr/bin/", "755"], ["target/release/fido2luks", "usr/bin/", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"], ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ], ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ], ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"], ["initramfs-tools/fido2luks.conf", "etc/", "644"],

6
PKGBUILD
View File

@@ -17,13 +17,9 @@ pkgver() {
build() { build() {
cargo build --release --locked --all-features --target-dir=target cargo build --release --locked --all-features --target-dir=target
target/release/${pkgname} completions target
} }
package() { package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin" install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin" install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/install/fido2luks"
install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/hooks/fido2luks"
} }

2
README.md
View File

@@ -2,7 +2,7 @@
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key. This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support)) Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup ## Setup

74
initcpio/hook.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
set -ax
exit_with() {
echo "$1" >&2
exit 1
}
validate() {
[ ! -e /etc/fido2luks.conf ] && exit_with "/etc/fido2luks.conf does not exist! Please configure first"
. /etc/fido2luks.conf
[ ! -e "$FIDO2LUKS_DEVICE" ] && exit_with "FIDO2LUKS_DEVICE='$FIDO2LUKS_DEVICE' does not exist!"
[ -z "$FIDO2LUKS_CREDENTIAL_ID" ] && exit_with "FIDO2LUKS_CREDENTIAL_ID must be set!"
[ -z "$FIDO2LUKS_MAPPER_NAME" ] && exit_with "FIDO2LUKS_MAPPER_NAME must be set!"
}
build() {
local mod
add_binary "cryptsetup"
add_module "dm-crypt"
add_module "dm-integrity"
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules "/crypto/"
fi
add_binary "dmsetup"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_systemd_unit "systemd-ask-password-console.path"
add_systemd_unit "systemd-ask-password-console.service"
# cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
add_binary "/usr/lib/libgcc_s.so.1"
# add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
add_binary "mkswap"
[[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
validate
add_file "/etc/fido2luks.conf" "/etc/fido2luks.conf"
add_binary "fido2luks"
add_runscipt
}
run_hook() {
modprobe -a -q dm-crypt
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
fi
fido2luks open
}
help() {
cat <<HELPEOF
This hook allows for an encrypted root device with systemd initramfs.
See the manpage of systemd-cryptsetup-generator(8) for available kernel
command line options. Alternatively, if the file /etc/crypttab.initramfs
exists, it will be added to the initramfs as /etc/crypttab. See the
crypttab(5) manpage for more information on crypttab syntax.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:

14
initcpio/keyscript.sh
View File

@@ -1,14 +0,0 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password '$MSG'"
fi
if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
fi
fido2luks print-secret --bin

220
pam_mount/fido2luksmounthelper.sh
View File

@@ -1,220 +0,0 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

2
src/cli.rs
View File

@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() { if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new(); let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?; File::open(src)?.read_to_string(&mut pin)?;
Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline Ok(pin)
} else { } else {
util::read_password("Authenticator PIN", false) util::read_password("Authenticator PIN", false)
} }

2
src/cli_args/mod.rs
View File

@@ -5,6 +5,8 @@ use structopt::clap::AppSettings;
use structopt::StructOpt; use structopt::StructOpt;
mod config; mod config;
#[cfg(any(feature = "setup", test))]
mod setup;
pub use config::*; pub use config::*;

94
src/cli_args/setup.rs Normal file
View File

@@ -0,0 +1,94 @@
use crate::cli_args::SecretInput;
use crate::error::Fido2LuksResult;
use crate::luks::LuksDevice;
use std::io::{stdin, BufRead, BufReader};
use std::path::{Path, PathBuf};
enum Setup {
Welcome,
Disks {
disks: Vec<PathBuf>,
},
Unlocked {
disks: Vec<LuksDevice>,
current_secrets: Vec<Vec<u8>>,
},
Salt {
disks: Vec<PathBuf>,
current_secrets: Vec<Vec<u8>>,
salt: SecretInput,
},
Config {
salt: SecretInput,
},
}
impl Setup {
fn description(&self) -> String {
match self {
Self::Welcome => {
"Please enter the device path for all disks you want to protect".into()
}
_ => "".into(),
}
}
fn next(self) -> Fido2LuksResult<Self> {
println!("{}", self.description());
Ok(match self {
Self::Welcome => {
let mut disks = Vec::new();
for path in BufReader::new(stdin()).lines() {
let path_string = path?;
let path = match path_string.as_str() {
"" => break,
path => Path::new(path),
};
if path.exists() {
disks.push(path.to_path_buf());
} else {
eprintln!(
"{} does not exist, try again or hit enter to finish",
path.display()
);
}
}
Self::Disks { disks }
}
Self::Disks { disks } => {
let mut luks_devs = Vec::new();
let add_dev = |path: &Path| -> Fido2LuksResult<Option<LuksDevice>> {
match LuksDevice::load(path) {
Ok(luks) => return Ok(Some(luks)),
Err(dev) => {
let mut ans = String::new();
loop {
eprint!("Failed to open {}\nIs it an LUKS device or could it be the mounted block device? Skip/Replace (s,r): ");
stdin().read_line(&mut ans)?;
match ans.as_str() {
"s" => return Ok(None),
"r" => {
print!("Enter an new device path: ");
stdin().read_line(&mut ans)?;
let path = PathBuf::from(&ans);
return add_dev(path.as_path());
}
_ => (),
}
}
}
}
Ok(None)
};
for dev in disks.iter() {
let path = PathBuf::from(&dev);
if let Some(luks) = add_dev(path.as_path()) {
luks_devs.push(luks);
}
}
unreachable!()
}
_ => unreachable!(),
})
}
}