added --allow-discards flag

Co-authored-by: cbachert <1316659-cbachert@users.noreply.gitlab.com>

.gitignore

@@ -5,4 +5,6 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
+result
+result-*

Cargo.lock

@@ -2,33 +2,33 @@
 # It is not intended for manual editing.
 [[package]]
 name = "addr2line"
-version = "0.13.0"
+version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+checksum = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
 dependencies = [
  "gimli",
 ]
 
 [[package]]
 name = "adler"
-version = "0.2.3"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
 
 [[package]]
 name = "aho-corasick"
-version = "0.7.13"
+version = "0.7.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
+checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
 dependencies = [
  "memchr",
 ]
 
 [[package]]
 name = "ansi_term"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
 dependencies = [
  "winapi",
 ]
@@ -58,12 +58,13 @@ checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
 [[package]]
 name = "backtrace"
-version = "0.3.50"
+version = "0.3.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
+checksum = "321629d8ba6513061f26707241fa9bc89524ff1cd7a915a97ef0c62c666ce1b6"
 dependencies = [
  "addr2line",
- "cfg-if",
+ "cc",
+ "cfg-if 1.0.0",
  "libc",
  "miniz_oxide",
  "object",
@@ -72,13 +73,12 @@ dependencies = [
 
 [[package]]
 name = "bindgen"
-version = "0.54.0"
+version = "0.59.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
+checksum = "2bd2a9a458e8f4304c52c43ebb0cfbd520289f8379a52e329a38afda99bf8eb8"
 dependencies = [
  "bitflags",
  "cexpr",
- "cfg-if",
  "clang-sys",
  "clap",
  "env_logger",
@@ -86,8 +86,8 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
  "regex",
  "rustc-hash",
  "shlex",
@@ -96,15 +96,27 @@ dependencies = [
 
 [[package]]
 name = "bitflags"
-version = "1.2.1"
+version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "bstr"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
+dependencies = [
+ "lazy_static",
+ "memchr",
+ "regex-automata",
+ "serde",
+]
 
 [[package]]
 name = "byteorder"
-version = "1.3.4"
+version = "1.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
+checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 
 [[package]]
 name = "cbor-codec"
@@ -118,15 +130,15 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.59"
+version = "1.0.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
+checksum = "22a9137b95ea06864e018375b72adfb7db6e6f68cfc8df5a04d00288050485ee"
 
 [[package]]
 name = "cexpr"
-version = "0.4.0"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
 dependencies = [
  "nom",
 ]
@@ -138,10 +150,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
 
 [[package]]
-name = "clang-sys"
+name = "cfg-if"
-version = "0.29.3"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe6837df1d5cba2397b835c8530f51723267e16abbf83892e9e5af4f0e5dd10a"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "clang-sys"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa66045b9cb23c2e9c1520732030608b02ee07e5cfaa5a521ec15ded7fa24c90"
 dependencies = [
  "glob",
  "libc",
@@ -150,9 +168,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.3"
+version = "2.34.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
 dependencies = [
  "ansi_term",
  "atty",
@@ -178,7 +196,7 @@ version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69323bff1fb41c635347b8ead484a5ca6c3f11914d784170b158d8449ab07f8e"
 dependencies = [
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-channel",
  "crossbeam-deque",
  "crossbeam-epoch",
@@ -198,9 +216,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-deque"
-version = "0.7.3"
+version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f02af974daeee82218205558e51ec8768b48cf524bd01d550abe5573a608285"
+checksum = "c20ff29ded3204c5106278a81a38f4b482636ed4fa1e6cfbeef193291beb29ed"
 dependencies = [
  "crossbeam-epoch",
  "crossbeam-utils",
@@ -214,7 +232,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
  "autocfg 1.0.1",
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-utils",
  "lazy_static",
  "maybe-uninit",
@@ -228,7 +246,7 @@ version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-utils",
  "maybe-uninit",
 ]
@@ -240,10 +258,23 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
  "autocfg 1.0.1",
- "cfg-if",
+ "cfg-if 0.1.10",
  "lazy_static",
 ]
 
+[[package]]
+name = "csv"
+version = "1.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
+dependencies = [
+ "bstr",
+ "csv-core",
+ "itoa 0.4.8",
+ "ryu",
+ "serde",
+]
+
 [[package]]
 name = "csv-core"
 version = "0.1.10"
@@ -255,14 +286,14 @@ dependencies = [
 
 [[package]]
 name = "ctap_hmac"
-version = "0.4.2"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc"
+checksum = "e9c22d4c95aeeb4e2d41e823912d5460cfa1ebf672363eb97b32fa7c91cab89a"
 dependencies = [
  "byteorder",
  "cbor-codec",
  "crossbeam",
- "csv-core",
+ "csv",
  "derive_builder",
  "failure",
  "failure_derive",
@@ -271,6 +302,8 @@ dependencies = [
  "rand 0.6.5",
  "ring",
  "rust-crypto",
+ "serde",
+ "serde_derive",
  "untrusted",
 ]
 
@@ -292,10 +325,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
  "strsim 0.9.3",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -305,8 +338,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -317,9 +350,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -329,22 +362,22 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
 name = "either"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
+checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 
 [[package]]
 name = "env_logger"
-version = "0.7.1"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44533bbbb3bb3c1fa17d9f2e4e38bbbaf8396ba82193c4cb1b6445d711445d36"
+checksum = "0b2cf0344971ee6c64c31be0d530793fba457d322dfec2810c453d0ef228f9c3"
 dependencies = [
  "atty",
  "humantime",
@@ -369,15 +402,15 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.14"
+version = "0.2.20"
 dependencies = [
  "ctap_hmac",
  "failure",
@@ -410,10 +443,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 
 [[package]]
-name = "gimli"
+name = "getrandom"
-version = "0.22.0"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
+dependencies = [
+ "cfg-if 1.0.0",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "gimli"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78cc372d058dcf6d5ecd98510e7fbc9e5aec4d21de70f65fea8fecebcd881bd4"
 
 [[package]]
 name = "glob"
@@ -423,18 +467,18 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
 
 [[package]]
 name = "heck"
-version = "0.3.1"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
+checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
 dependencies = [
  "unicode-segmentation",
 ]
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.15"
+version = "0.1.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
+checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
 dependencies = [
  "libc",
 ]
@@ -447,12 +491,9 @@ checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
 
 [[package]]
 name = "humantime"
-version = "1.3.0"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
+checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
-dependencies = [
- "quick-error",
-]
 
 [[package]]
 name = "ident_case"
@@ -462,9 +503,15 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
 [[package]]
 name = "itoa"
-version = "0.4.6"
+version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
+checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
+
+[[package]]
+name = "itoa"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
 
 [[package]]
 name = "lazy_static"
@@ -480,54 +527,54 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.76"
+version = "0.2.112"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
+checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
+checksum = "dccc914e228f8b36aae1173b8dba2abf62eed833e9f816ec27b0917b26655d09"
 dependencies = [
  "either",
  "libc",
  "libcryptsetup-rs-sys",
  "pkg-config",
- "semver",
+ "semver 0.11.0",
  "serde_json",
  "uuid",
 ]
 
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.4"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
+checksum = "41ef25e923679fe233e3c109702829717404d1266c80d6f30236e82e7b2798dc"
 dependencies = [
  "bindgen",
  "cc",
  "pkg-config",
- "semver",
+ "semver 1.0.4",
 ]
 
 [[package]]
 name = "libloading"
-version = "0.5.2"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2b111a074963af1d37a139918ac6d49ad1d0d5e47f72fd55388619691a7d753"
+checksum = "afe203d669ec979b7128619bae5a63b7b42e9203c1b29146079ee05e2f604b52"
 dependencies = [
- "cc",
+ "cfg-if 1.0.0",
  "winapi",
 ]
 
 [[package]]
 name = "log"
-version = "0.4.11"
+version = "0.4.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
+checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
 dependencies = [
- "cfg-if",
+ "cfg-if 1.0.0",
 ]
 
 [[package]]
@@ -538,35 +585,43 @@ checksum = "60302e4db3a61da70c0cb7991976248362f30319e88850c487b9b95bbf059e00"
 
 [[package]]
 name = "memchr"
-version = "2.3.3"
+version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
+checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
 
 [[package]]
 name = "memoffset"
-version = "0.5.5"
+version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
+checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
 dependencies = [
  "autocfg 1.0.1",
 ]
 
 [[package]]
-name = "miniz_oxide"
+name = "minimal-lexical"
-version = "0.4.1"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
 dependencies = [
  "adler",
+ "autocfg 1.0.1",
 ]
 
 [[package]]
 name = "nom"
-version = "5.1.2"
+version = "7.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
+checksum = "1b1d11e1ef389c76fe5b81bcaf2ea32cf88b62bc494e19f493d0b30e7a930109"
 dependencies = [
  "memchr",
+ "minimal-lexical",
  "version_check",
 ]
 
@@ -583,18 +638,21 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.12"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
+checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
 dependencies = [
  "autocfg 1.0.1",
 ]
 
 [[package]]
 name = "object"
-version = "0.20.0"
+version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "peeking_take_while"
@@ -603,10 +661,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 
 [[package]]
-name = "pkg-config"
+name = "pest"
-version = "0.3.18"
+version = "2.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
+checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53"
+dependencies = [
+ "ucd-trie",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
 
 [[package]]
 name = "proc-macro-error"
@@ -615,9 +682,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
  "version_check",
 ]
 
@@ -627,8 +694,8 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
  "version_check",
 ]
 
@@ -643,19 +710,13 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.20"
+version = "1.0.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
+checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029"
 dependencies = [
- "unicode-xid 0.2.1",
+ "unicode-xid 0.2.2",
 ]
 
-[[package]]
-name = "quick-error"
-version = "1.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
-
 [[package]]
 name = "quote"
 version = "0.6.13"
@@ -667,11 +728,11 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.7"
+version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
+checksum = "47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
 ]
 
 [[package]]
@@ -814,21 +875,26 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.3.9"
+version = "1.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
+checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
 dependencies = [
  "aho-corasick",
  "memchr",
  "regex-syntax",
- "thread_local",
 ]
 
 [[package]]
-name = "regex-syntax"
+name = "regex-automata"
-version = "0.6.18"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
+checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+
+[[package]]
+name = "regex-syntax"
+version = "0.6.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
 
 [[package]]
 name = "ring"
@@ -867,9 +933,9 @@ dependencies = [
 
 [[package]]
 name = "rustc-demangle"
-version = "0.1.16"
+version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
+checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
 
 [[package]]
 name = "rustc-hash"
@@ -885,9 +951,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.5"
+version = "1.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
+checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
 
 [[package]]
 name = "scopeguard"
@@ -897,52 +963,61 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
 [[package]]
 name = "semver"
-version = "0.9.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
+checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
 dependencies = [
  "semver-parser",
 ]
 
 [[package]]
-name = "semver-parser"
+name = "semver"
-version = "0.7.0"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
+checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
+
+[[package]]
+name = "semver-parser"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
+dependencies = [
+ "pest",
+]
 
 [[package]]
 name = "serde"
-version = "1.0.115"
+version = "1.0.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
+checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
 
 [[package]]
 name = "serde_derive"
-version = "1.0.115"
+version = "1.0.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
+checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
 name = "serde_json"
-version = "1.0.57"
+version = "1.0.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
+checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
 dependencies = [
- "itoa",
+ "itoa 1.0.1",
  "ryu",
  "serde",
 ]
 
 [[package]]
 name = "shlex"
-version = "0.1.1"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
+checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3"
 
 [[package]]
 name = "strsim"
@@ -958,9 +1033,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.17"
+version = "0.3.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
+checksum = "40b9788f4202aa75c240ecc9c15c65185e6a39ccdeb0fd5d008b98825464c87c"
 dependencies = [
  "clap",
  "lazy_static",
@@ -969,15 +1044,15 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.10"
+version = "0.4.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
+checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -993,32 +1068,32 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.40"
+version = "1.0.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
+checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "unicode-xid 0.2.1",
+ "unicode-xid 0.2.2",
 ]
 
 [[package]]
 name = "synstructure"
-version = "0.12.4"
+version = "0.12.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
- "quote 1.0.7",
+ "quote 1.0.14",
- "syn 1.0.40",
+ "syn 1.0.84",
- "unicode-xid 0.2.1",
+ "unicode-xid 0.2.2",
 ]
 
 [[package]]
 name = "termcolor"
-version = "1.1.0"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb6bfa289a4d7c5766392812c0a1f4c1ba45afa1ad47803c11e1f407d846d75f"
+checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
 dependencies = [
  "winapi-util",
 ]
@@ -1032,37 +1107,33 @@ dependencies = [
  "unicode-width",
 ]
 
-[[package]]
-name = "thread_local"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14"
-dependencies = [
- "lazy_static",
-]
-
 [[package]]
 name = "time"
-version = "0.1.44"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
  "libc",
- "wasi",
  "winapi",
 ]
 
 [[package]]
-name = "unicode-segmentation"
+name = "ucd-trie"
-version = "1.6.0"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
+checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c"
+
+[[package]]
+name = "unicode-segmentation"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b"
 
 [[package]]
 name = "unicode-width"
-version = "0.1.8"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
+checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
 
 [[package]]
 name = "unicode-xid"
@@ -1072,9 +1143,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 
 [[package]]
 name = "unicode-xid"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
+checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
 
 [[package]]
 name = "untrusted"
@@ -1084,11 +1155,11 @@ checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
 
 [[package]]
 name = "uuid"
-version = "0.7.4"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a"
+checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
 dependencies = [
- "rand 0.6.5",
+ "getrandom",
 ]
 
 [[package]]
@@ -1099,22 +1170,24 @@ checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 
 [[package]]
 name = "version_check"
-version = "0.9.2"
+version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
+checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
 
 [[package]]
 name = "wasi"
-version = "0.10.0+wasi-snapshot-preview1"
+version = "0.10.2+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
 
 [[package]]
 name = "which"
-version = "3.1.1"
+version = "4.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d011071ae14a2f6671d0b74080ae0cd8ebf3a6f8c9589a2cd45f23126fe29724"
+checksum = "ea187a8ef279bc014ec368c27a920da2024d2a711109bfbe3440585d5cf27ad9"
 dependencies = [
+ "either",
+ "lazy_static",
  "libc",
 ]
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.14"
+version = "0.2.20"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -14,7 +14,7 @@ categories = ["command-line-utilities"]
 license = "MPL-2.0"
 
 [dependencies]
-ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
@@ -26,7 +26,7 @@ serde_derive = "1.0.106"
 serde = "1.0.106"
 
 [build-dependencies]
-ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
@@ -48,6 +48,7 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
 assets = [
     ["target/release/fido2luks", "usr/bin/", "755"],
     ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
+    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
     ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
     ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
     ["initramfs-tools/fido2luks.conf", "etc/", "644"],

PKGBUILD

@@ -1,25 +1,37 @@
 # Maintainer: shimunn <shimun@shimun.net>
-pkgname=fido2luks
+
-pkgver=0.2.12
+pkgname=fido2luks-git
+pkgver=0.2.16.7e6b33a
 pkgrel=1
-makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
+source=('git+https://github.com/shimunn/fido2luks')
+sha512sums=('SKIP')
 
 pkgver() {
-	# Use tag version if possible otherwise concat project version and git ref
+    cd fido2luks
-	git describe --exact-match --tags HEAD 2> /dev/null || \
+
-		echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+    # Use tag version if possible otherwise concat project version and git ref
+    git describe --exact-match --tags HEAD 2>/dev/null ||
+        echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 
 build() {
+    cd fido2luks
     cargo build --release --locked --all-features --target-dir=target
 }
 
 package() {
-    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
+    cd fido2luks
-    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+
+    install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
+    install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+    install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
+    install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
+    install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
 }

README.md

@@ -2,7 +2,7 @@
 
 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 
-Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
 
 ## Setup
 
@@ -115,6 +115,36 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 
+## Theory of operation
+
+fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
+The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
+```
+
+        +-------------------------------------------------------------------------------+
+        |                                                                               |
+        |                       +-----------------------------------------+             |
+        |                       |               FIDO2 device              |             |
+        |                       |                                         |             |
+        |                       |                                         |             |
++-------+--------+   +------+   |                      +---------------+  |             |             +------------------------+
+| Salt/Password  +-> |sha256+------------------------> |               |  |             v             |      LUKS header       |
++----------------+   +------+   |                      |               |  |                           |                        |           +---------------+   
+                                |                      |               |  |        +--------+         +------------------------+-------->  |Disk master key| 
+                                |                      |  sha256_hmac  +---------> | sha256 +-------> | Keyslot 1              |           +---------------+ 
++----------------+              |  +----------+        |               |  |        +--------+         +------------------------+
+| FIDO credential+---------------> |Credential| +----> |               |  |                           | Keyslot 2              |
++----------------+              |  |secret    |        |               |  |                           +------------------------+
+                                |  +----------+        +---------------+  |
+                                |                                         |
+                                |                                         |
+                                +-----------------------------------------+
+
+```
+Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
+or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
+in a completly different secret.
+
 ## License
 
 Licensed under

flake.lock

@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1639947939,
+        "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1638109994,
+        "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,61 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nmattia/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup ];
+          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
+          nativeBuildInputs = with pkgs; [
+            pkgconfig
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs LIBCLANG_PATH;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}

initcpio/Makefile

@@ -0,0 +1,18 @@
+.PHONY: install remove
+
+install:
+	install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
+	install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif
+
+remove:
+	rm /usr/lib/initcpio/{hooks,install}/fido2luks
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif

initcpio/README.md

@@ -0,0 +1,52 @@
+## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
+
+> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
+
+### Setup
+
+1. Connect your FIDO2 authenticator
+2. Generate credential id
+
+```shell
+fido2luks credential
+```
+
+3. Generate salt (random string)
+
+```shell
+pwgen 48 1
+```
+
+4. Add key to your LUKS2 device
+
+```shell
+fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
+```
+
+`-P` - request PIN to unlock the authenticator  
+`-t` - add token (including credential id) to the LUKS2 header  
+`-e` - wipe all other keys  
+
+For the full list of options see `fido2luks add-key --help`
+
+5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
+
+Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
+
+```shell
+cryptsetup luksDump <block_device>
+```
+
+6. Add fido2luks hook to /etc/mkinitcpio.conf
+
+Before or instead of `encrypt` hook, for example:
+
+```shell
+HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
+```
+
+7. Recreate initial ramdisk
+
+```shell
+mkinitcpio -p <preset>
+```

initcpio/fido2luks.conf

@@ -0,0 +1,18 @@
+# Set credential *ONLY IF* it's not embedded in the LUKS2 header
+FIDO2LUKS_CREDENTIAL_ID=
+
+# Encrypted device and its name under /dev/mapper
+# Can be overridden by `cryptdevice` kernel parameter
+FIDO2LUKS_DEVICE=
+FIDO2LUKS_MAPPER_NAME=
+
+FIDO2LUKS_SALT=string:<salt>
+
+# Use specific keyslot (ignore all other slots)
+FIDO2LUKS_DEVICE_SLOT=
+
+# Await for an authenticator to be connected (in seconds)
+FIDO2LUKS_DEVICE_AWAIT=
+
+# Set to 1 if PIN is required to unlock the authenticator
+FIDO2LUKS_ASK_PIN=

initcpio/hooks/fido2luks

@@ -0,0 +1,55 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    . /etc/fido2luks.conf
+
+    if [ -z "$cryptdevice" ]; then
+        device="$FIDO2LUKS_DEVICE"
+        dmname="$FIDO2LUKS_MAPPER_NAME"
+    else
+        IFS=: read cryptdev dmname _cryptoptions <<EOF
+$cryptdevice
+EOF
+        if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
+            return 1
+        fi
+    fi
+
+    options="--salt $FIDO2LUKS_SALT"
+
+    if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
+        options="$options --pin"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
+        options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
+        options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
+    fi
+
+    # HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
+    # Temporary link it to /dev/tty1
+    mv /dev/tty /dev/tty.back
+    ln -s /dev/tty1 /dev/tty
+
+    printf "\nAuthentication is required to access the $dmname volume at $device\n"
+
+    if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
+        fido2luks open-token $device $dmname $options
+    else
+        fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
+    fi
+    exit_code=$?
+
+    # Restore /dev/tty
+    mv /dev/tty.back /dev/tty
+
+    if [ $exit_code -ne 0 ]; then
+        printf '\n'
+        read -s -p 'Press Enter to continue'
+        printf '\n'
+    fi
+}

initcpio/install/fido2luks

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+build() {
+    local mod
+
+    add_module dm-crypt
+    add_module dm-integrity
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules /crypto/
+    fi
+
+    add_binary fido2luks
+    add_binary dmsetup
+    add_file /usr/lib/udev/rules.d/10-dm.rules
+    add_file /usr/lib/udev/rules.d/13-dm-disk.rules
+    add_file /usr/lib/udev/rules.d/95-dm-notify.rules
+    add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
+    add_file /etc/fido2luks.conf /etc/fido2luks.conf
+
+    add_runscript
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
+HELPEOF
+}

initramfs-tools/fido2luks.conf

@@ -1,3 +1,5 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
+FIDO2LUKS_USE_TOKEN=0
+FIDO2LUKS_PASSWORD_FALLBACK=1

initramfs-tools/keyscript.sh

@@ -2,6 +2,17 @@
 set -a
 . /etc/fido2luks.conf
 
+# Set Defaults
+if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
+    FIDO2LUKS_USE_TOKEN=0
+fi
+
+if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
+    FIDO2LUKS_PASSWORD_FALLBACK=1
+fi
+
+
+
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
@@ -12,3 +23,8 @@ if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
 fi
 
 fido2luks print-secret --bin
+
+# Fall back to passphrase-based unlock if fido2luks fails
+if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
+  plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
+fi

pam_mount/fido2luksmounthelper.sh

@@ -0,0 +1,220 @@
+#!/bin/bash
+#
+# This is a rather minimal example Argbash potential
+# Example taken from http://argbash.readthedocs.io/en/stable/example.html
+#
+# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
+# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
+# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
+# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
+# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
+# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
+# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
+# ARGBASH_GO()
+# needed because of Argbash --> m4_ignore([
+### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
+# Argbash is a bash code generator used to get arguments parsing right.
+# Argbash is FREE SOFTWARE, see https://argbash.io for more info
+# Generated online by https://argbash.io/generate
+
+
+die()
+{
+	local _ret="${2:-1}"
+	test "${_PRINT_HELP:-no}" = yes && print_help >&2
+	echo "$1" >&2
+	exit "${_ret}"
+}
+
+
+begins_with_short_option()
+{
+	local first_option all_short_options='cdmash'
+	first_option="${1:0:1}"
+	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
+}
+
+# THE DEFAULTS INITIALIZATION - POSITIONALS
+_positionals=()
+# THE DEFAULTS INITIALIZATION - OPTIONALS
+_arg_credentials_type=
+_arg_device=
+_arg_mount_point=
+_arg_ask_pin="off"
+_arg_salt=""
+
+
+print_help()
+{
+	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
+	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
+	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
+	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
+	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
+	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
+	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
+	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
+	printf '\t%s\n' "-h, --help: Prints help"
+}
+
+
+parse_commandline()
+{
+	_positionals_count=0
+	while test $# -gt 0
+	do
+		_key="$1"
+		case "$_key" in
+			-c|--credentials-type)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_credentials_type="$2"
+				shift
+				;;
+			--credentials-type=*)
+				_arg_credentials_type="${_key##--credentials-type=}"
+				;;
+			-c*)
+				_arg_credentials_type="${_key##-c}"
+				;;
+			-d|--device)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_device="$2"
+				shift
+				;;
+			--device=*)
+				_arg_device="${_key##--device=}"
+				;;
+			-d*)
+				_arg_device="${_key##-d}"
+				;;
+			-m|--mount-point)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_mount_point="$2"
+				shift
+				;;
+			--mount-point=*)
+				_arg_mount_point="${_key##--mount-point=}"
+				;;
+			-m*)
+				_arg_mount_point="${_key##-m}"
+				;;
+			-a|--no-ask-pin|--ask-pin)
+				_arg_ask_pin="on"
+				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
+				;;
+			-a*)
+				_arg_ask_pin="on"
+				_next="${_key##-a}"
+				if test -n "$_next" -a "$_next" != "$_key"
+				then
+					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
+				fi
+				;;
+			-s|--salt)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_salt="$2"
+				shift
+				;;
+			--salt=*)
+				_arg_salt="${_key##--salt=}"
+				;;
+			-s*)
+				_arg_salt="${_key##-s}"
+				;;
+			-h|--help)
+				print_help
+				exit 0
+				;;
+			-h*)
+				print_help
+				exit 0
+				;;
+			*)
+				_last_positional="$1"
+				_positionals+=("$_last_positional")
+				_positionals_count=$((_positionals_count + 1))
+				;;
+		esac
+		shift
+	done
+}
+
+
+handle_passed_args_count()
+{
+	local _required_args_string="'operation'"
+	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+}
+
+
+assign_positional_args()
+{
+	local _positional_name _shift_for=$1
+	_positional_names="_arg_operation "
+
+	shift "$_shift_for"
+	for _positional_name in ${_positional_names}
+	do
+		test $# -gt 0 || break
+		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
+		shift
+	done
+}
+
+parse_commandline "$@"
+handle_passed_args_count
+assign_positional_args 1 "${_positionals[@]}"
+
+# OTHER STUFF GENERATED BY Argbash
+
+### END OF CODE GENERATED BY Argbash (sortof) ### ])
+# [ <-- needed because of Argbash
+
+if [ -z ${_arg_mount_point} ]; then
+  die "Missing '--mount-point' argument"
+fi
+
+if [ -z ${_arg_device} ]; then
+  die "Missing '--device' argument"
+fi
+
+ASK_PIN=${_arg_ask_pin}
+OPERATION=${_arg_operation}
+DEVICE=${_arg_device}
+DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
+MOUNT_POINT=${_arg_mount_point}
+CREDENTIALS_TYPE=${_arg_credentials_type}
+SALT=${_arg_salt}
+CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
+
+if [ "${OPERATION}" == "mount" ]; then
+	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
+    if  [ -f ${CONF_FILE_PATH} ]; then
+			if [ "${ASK_PIN}" == "on" ]; then
+				read PASSWORD
+			fi
+			CREDENTIALS=$(<${CONF_FILE_PATH})
+		else
+			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
+		fi
+		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
+	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
+		if [ "${ASK_PIN}" == "on" ]; then
+			read PASSWORD
+		fi
+		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
+	else
+		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
+	fi 
+	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
+elif [ "${OPERATION}" == "umount" ]; then
+  umount ${MOUNT_POINT}
+  cryptsetup luksClose ${DEVICE_NAME}
+else
+  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
+fi
+
+exit 0
+
+# ] <-- needed because of Argbash

src/cli.rs

@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
     if let Some(src) = ap.pin_source.as_ref() {
         let mut pin = String::new();
         File::open(src)?.read_to_string(&mut pin)?;
-        Ok(pin)
+        Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
     } else {
         util::read_password("Authenticator PIN", false)
     }
@@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
     Args::from_args()
 }
 
+pub fn prompt_interaction(interactive: bool) {
+    if interactive {
+        println!("Authorize using your FIDO device");
+    }
+}
+
 pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
@@ -87,7 +93,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 None
             };
-            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
+            let cred = make_credential_id(Some(name.as_ref()), pin)?;
             println!("{}", hex::encode(&cred.id));
             Ok(())
         }
@@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 secret.salt.obtain_sha256(&secret.password_helper)
             }?;
+            prompt_interaction(interactive);
             let (secret, _cred) = derive_secret(
                 credentials.ids.0.as_slice(),
                 &salt,
@@ -164,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     } => Ok((util::read_keyfile(file)?, None)),
                     OtherSecret {
                         fido_device: true, ..
-                    } => Ok(derive_secret(
+                    } => {
-                        &credentials.ids.0,
+                        prompt_interaction(interactive);
-                        &salt(salt_q, verify)?,
+                        Ok(derive_secret(
-                        authenticator.await_time,
+                            &credentials.ids.0,
-                        pin.as_deref(),
+                            &salt(salt_q, verify)?,
-                    )
+                            authenticator.await_time,
-                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                            pin.as_deref(),
+                        )
+                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
+                    }
                     _ => Ok((
                         util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                         None,
                     )),
                 }
             };
-            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                prompt_interaction(interactive);
                 derive_secret(
                     &credentials.ids.0,
-                    &salt("Password", verify)?,
+                    &salt(q, verify)?,
                     authenticator.await_time,
                     pin.as_deref(),
                 )
@@ -190,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             match &args.command {
                 Command::AddKey { exclusive, .. } => {
                     let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret(true)?;
+                    let (new_secret, cred) = secret("Password to be added", true)?;
                     let added_slot = luks_dev.add_key(
                         &new_secret,
                         &existing_secret[..],
@@ -215,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     Ok(())
                 }
                 Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret(false)?;
+                    let (existing_secret, _) = secret("Current password", false)?;
                     let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                     let slot = if *add_password {
                         luks_dev.add_key(
@@ -248,6 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             name,
             retries,
+            allow_discards,
             ..
         }
         | Command::OpenToken {
@@ -256,6 +268,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             name,
             retries,
+            allow_discards,
         } => {
             let pin_string;
             let pin = if authenticator.pin {
@@ -274,6 +287,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 
             // Cow shouldn't be necessary
             let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                prompt_interaction(interactive);
                 derive_secret(
                     credentials.as_ref(),
                     &salt("Password", false)?,
@@ -287,7 +301,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             loop {
                 let secret = match &args.command {
                     Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
-                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
+                        .and_then(|(secret, _cred)| {
+                            luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
+                        }),
                     Command::OpenToken { .. } => luks_dev.activate_token(
                         &name,
                         Box::new(|credentials: Vec<String>| {
@@ -299,6 +315,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                                 .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
                         }),
                         luks.slot,
+                        *allow_discards,
                     ),
                     _ => unreachable!(),
                 };

src/cli_args/config.rs

@@ -198,7 +198,7 @@ mod test {
     fn input_salt_obtain() {
         assert_eq!(
             SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(&PasswordHelper::Stdin)
                 .unwrap(),
             [
                 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

src/cli_args/mod.rs

@@ -216,6 +216,9 @@ pub enum Command {
         secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
+        /// Pass SSD trim instructions to the underlying block device
+        #[structopt(long = "allow-discards")]
+        allow_discards: bool,
     },
     /// Open the LUKS device using credentials embedded in the LUKS 2 header
     #[structopt(name = "open-token")]
@@ -230,15 +233,18 @@ pub enum Command {
         secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
+        /// Pass SSD trim instructions to the underlying block device
+        #[structopt(long = "allow-discards")]
+        allow_discards: bool,
     },
     /// Generate a new FIDO credential
     #[structopt(name = "credential")]
     Credential {
         #[structopt(flatten)]
         authenticator: AuthenticatorParameters,
-        /// Name to be displayed on the authenticator if it has a display
+        /// Name to be displayed on the authenticator display
-        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
-        name: Option<String>,
+        name: String,
     },
     /// Check if an authenticator is connected
     #[structopt(name = "connected")]

src/luks.rs

@@ -1,8 +1,8 @@
 use crate::error::*;
 
 use libcryptsetup_rs::{
-    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
-    TokenInput,
+    EncryptionFormat, KeyslotInfo, TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
@@ -221,10 +221,15 @@ impl LuksDevice {
         name: &str,
         secret: &[u8],
         slot_hint: Option<u32>,
+        allow_discard: bool,
     ) -> Fido2LuksResult<u32> {
+        let mut flags = CryptActivateFlags::empty();
+        if allow_discard {
+            flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
+        }
         self.device
             .activate_handle()
-            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            .activate_by_passphrase(Some(name), slot_hint, secret, flags)
             .map_err(LuksError::activate)
     }
 
@@ -233,6 +238,7 @@ impl LuksDevice {
         name: &str,
         secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
         slot_hint: Option<u32>,
+        allow_discard: bool,
     ) -> Fido2LuksResult<u32> {
         if !self.is_luks2()? {
             return Err(LuksError::Luks2Required.into());
@@ -276,7 +282,7 @@ impl LuksDevice {
                 .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
         );
         for slot in slots {
-            match self.activate(name, &secret, slot) {
+            match self.activate(name, &secret, slot, allow_discard) {
                 Err(Fido2LuksError::WrongSecret) => (),
                 res => return res,
             }