readme

.drone.yml

@@ -3,32 +3,27 @@ name: default
 
 steps:
  - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
      -  rustup component add rustfmt
      -  cargo fmt --all -- --check
  - name: test
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
+    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
     - cargo test
 
- - name: build
-   image: rust:1.37.0
-   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
-    - cargo install -f --path . --root .
-   when:
-    event: tag
  - name: publish
-   image: plugins/github-release
+   image: rust:1.43.0
-   settings:
+   environment:
-     api_key:
+    CARGO_REGISTRY_TOKEN:
-      from_secret: github_release
+     from_secret: cargo_tkn
-     files:
+   commands:
-      - bin/fido2luks
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-     checksum:
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-      - md5
+    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
-      - sha256
+    - cargo package --all-features
+    - cargo publish --all-features
    when:
     event: tag

README.md

@@ -2,7 +2,7 @@
 
 This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 
 ## Setup
 

initramfs-tools/Makefile

@@ -0,0 +1,23 @@
+.PHONY: install clean
+
+DRACUT_MODULES_D=/usr/lib/dracut/modules.d
+DRACUT_CONF_D=/etc/dracut.conf.d
+
+MODULE_CONF_D=dracut.conf.d
+MODULE_CONF=luks-2fa.conf
+MODULE_DIR=96luks-2fa
+
+help:
+	@echo make help to show this help
+	@echo make install to install
+	@echo make clean to remove
+
+install:
+	chmod +x hook/fido2luks.sh keyscript.sh
+	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
+	mkdir -p /usr/share/fido2luks
+	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u
+remove:
+	rm /etc/initramfs-tools/hooks/fido2luks.sh
+	update-initramfs -u

initramfs-tools/README.md

@@ -0,0 +1,13 @@
+## Initramfs-tools based systems(Ubuntu and derivatives)
+
+After installation generate your credentials and add keys to your disk as described in the top-level README
+then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
+
+Example:
+```
+sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
+```
+
+But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
+
+[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

initramfs-tools/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
+FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case "$1" in
+prereqs)
+	echo ""
+	exit 0
+	;;
+
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
+copy_exec /usr/bin/fido2luks
+exit 0

initramfs-tools/keyscript.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
+fi
+
+fido2luks print-secret --bin