added --allow-discards flag

Co-authored-by: cbachert <1316659-cbachert@users.noreply.gitlab.com>

.gitignore

@@ -5,4 +5,6 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
+result
+result-*

Cargo.lock

@@ -2,33 +2,33 @@
 # It is not intended for manual editing.
 [[package]]
 name = "addr2line"
-version = "0.13.0"
+version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+checksum = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
 dependencies = [
  "gimli",
 ]
 
 [[package]]
 name = "adler"
-version = "0.2.3"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
 
 [[package]]
 name = "aho-corasick"
-version = "0.7.13"
+version = "0.7.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
+checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
 dependencies = [
  "memchr",
 ]
 
 [[package]]
 name = "ansi_term"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
 dependencies = [
  "winapi",
 ]
@@ -58,12 +58,13 @@ checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
 [[package]]
 name = "backtrace"
-version = "0.3.50"
+version = "0.3.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
+checksum = "321629d8ba6513061f26707241fa9bc89524ff1cd7a915a97ef0c62c666ce1b6"
 dependencies = [
  "addr2line",
- "cfg-if",
+ "cc",
+ "cfg-if 1.0.0",
  "libc",
  "miniz_oxide",
  "object",
@@ -72,13 +73,12 @@ dependencies = [
 
 [[package]]
 name = "bindgen"
-version = "0.54.0"
+version = "0.59.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
+checksum = "2bd2a9a458e8f4304c52c43ebb0cfbd520289f8379a52e329a38afda99bf8eb8"
 dependencies = [
  "bitflags",
  "cexpr",
- "cfg-if",
  "clang-sys",
  "clap",
  "env_logger",
@@ -86,8 +86,8 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
  "regex",
  "rustc-hash",
  "shlex",
@@ -96,15 +96,27 @@ dependencies = [
 
 [[package]]
 name = "bitflags"
-version = "1.2.1"
+version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
+checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+
+[[package]]
+name = "bstr"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
+dependencies = [
+ "lazy_static",
+ "memchr",
+ "regex-automata",
+ "serde",
+]
 
 [[package]]
 name = "byteorder"
-version = "1.3.4"
+version = "1.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
+checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 
 [[package]]
 name = "cbor-codec"
@@ -118,15 +130,15 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.59"
+version = "1.0.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
+checksum = "22a9137b95ea06864e018375b72adfb7db6e6f68cfc8df5a04d00288050485ee"
 
 [[package]]
 name = "cexpr"
-version = "0.4.0"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
 dependencies = [
  "nom",
 ]
@@ -138,10 +150,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
 
 [[package]]
-name = "clang-sys"
-version = "0.29.3"
+name = "cfg-if"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe6837df1d5cba2397b835c8530f51723267e16abbf83892e9e5af4f0e5dd10a"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "clang-sys"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa66045b9cb23c2e9c1520732030608b02ee07e5cfaa5a521ec15ded7fa24c90"
 dependencies = [
  "glob",
  "libc",
@@ -150,9 +168,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.3"
+version = "2.34.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
 dependencies = [
  "ansi_term",
  "atty",
@@ -178,7 +196,7 @@ version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69323bff1fb41c635347b8ead484a5ca6c3f11914d784170b158d8449ab07f8e"
 dependencies = [
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-channel",
  "crossbeam-deque",
  "crossbeam-epoch",
@@ -198,9 +216,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-deque"
-version = "0.7.3"
+version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f02af974daeee82218205558e51ec8768b48cf524bd01d550abe5573a608285"
+checksum = "c20ff29ded3204c5106278a81a38f4b482636ed4fa1e6cfbeef193291beb29ed"
 dependencies = [
  "crossbeam-epoch",
  "crossbeam-utils",
@@ -214,7 +232,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
  "autocfg 1.0.1",
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-utils",
  "lazy_static",
  "maybe-uninit",
@@ -228,7 +246,7 @@ version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
- "cfg-if",
+ "cfg-if 0.1.10",
  "crossbeam-utils",
  "maybe-uninit",
 ]
@@ -240,10 +258,23 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
  "autocfg 1.0.1",
- "cfg-if",
+ "cfg-if 0.1.10",
  "lazy_static",
 ]
 
+[[package]]
+name = "csv"
+version = "1.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
+dependencies = [
+ "bstr",
+ "csv-core",
+ "itoa 0.4.8",
+ "ryu",
+ "serde",
+]
+
 [[package]]
 name = "csv-core"
 version = "0.1.10"
@@ -255,14 +286,14 @@ dependencies = [
 
 [[package]]
 name = "ctap_hmac"
-version = "0.4.2"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc"
+checksum = "e9c22d4c95aeeb4e2d41e823912d5460cfa1ebf672363eb97b32fa7c91cab89a"
 dependencies = [
  "byteorder",
  "cbor-codec",
  "crossbeam",
- "csv-core",
+ "csv",
  "derive_builder",
  "failure",
  "failure_derive",
@@ -271,6 +302,8 @@ dependencies = [
  "rand 0.6.5",
  "ring",
  "rust-crypto",
+ "serde",
+ "serde_derive",
  "untrusted",
 ]
 
@@ -292,10 +325,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
  "strsim 0.9.3",
- "syn 1.0.40",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -305,8 +338,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
- "quote 1.0.7",
- "syn 1.0.40",
+ "quote 1.0.14",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -317,9 +350,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -329,22 +362,22 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
 ]
 
 [[package]]
 name = "either"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
+checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 
 [[package]]
 name = "env_logger"
-version = "0.7.1"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44533bbbb3bb3c1fa17d9f2e4e38bbbaf8396ba82193c4cb1b6445d711445d36"
+checksum = "0b2cf0344971ee6c64c31be0d530793fba457d322dfec2810c453d0ef228f9c3"
 dependencies = [
  "atty",
  "humantime",
@@ -369,15 +402,15 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.20"
 dependencies = [
  "ctap_hmac",
  "failure",
@@ -410,10 +443,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 
 [[package]]
-name = "gimli"
-version = "0.22.0"
+name = "getrandom"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
+dependencies = [
+ "cfg-if 1.0.0",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "gimli"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78cc372d058dcf6d5ecd98510e7fbc9e5aec4d21de70f65fea8fecebcd881bd4"
 
 [[package]]
 name = "glob"
@@ -423,18 +467,18 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
 
 [[package]]
 name = "heck"
-version = "0.3.1"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
+checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
 dependencies = [
  "unicode-segmentation",
 ]
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.15"
+version = "0.1.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
+checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
 dependencies = [
  "libc",
 ]
@@ -447,12 +491,9 @@ checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
 
 [[package]]
 name = "humantime"
-version = "1.3.0"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
-dependencies = [
- "quick-error",
-]
+checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
 
 [[package]]
 name = "ident_case"
@@ -462,9 +503,15 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
 [[package]]
 name = "itoa"
-version = "0.4.6"
+version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
+checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
+
+[[package]]
+name = "itoa"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
 
 [[package]]
 name = "lazy_static"
@@ -480,54 +527,54 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.76"
+version = "0.2.112"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
+checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
+checksum = "dccc914e228f8b36aae1173b8dba2abf62eed833e9f816ec27b0917b26655d09"
 dependencies = [
  "either",
  "libc",
  "libcryptsetup-rs-sys",
  "pkg-config",
- "semver",
+ "semver 0.11.0",
  "serde_json",
  "uuid",
 ]
 
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.4"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
+checksum = "41ef25e923679fe233e3c109702829717404d1266c80d6f30236e82e7b2798dc"
 dependencies = [
  "bindgen",
  "cc",
  "pkg-config",
- "semver",
+ "semver 1.0.4",
 ]
 
 [[package]]
 name = "libloading"
-version = "0.5.2"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2b111a074963af1d37a139918ac6d49ad1d0d5e47f72fd55388619691a7d753"
+checksum = "afe203d669ec979b7128619bae5a63b7b42e9203c1b29146079ee05e2f604b52"
 dependencies = [
- "cc",
+ "cfg-if 1.0.0",
  "winapi",
 ]
 
 [[package]]
 name = "log"
-version = "0.4.11"
+version = "0.4.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
+checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
 dependencies = [
- "cfg-if",
+ "cfg-if 1.0.0",
 ]
 
 [[package]]
@@ -538,35 +585,43 @@ checksum = "60302e4db3a61da70c0cb7991976248362f30319e88850c487b9b95bbf059e00"
 
 [[package]]
 name = "memchr"
-version = "2.3.3"
+version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
+checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
 
 [[package]]
 name = "memoffset"
-version = "0.5.5"
+version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
+checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
 dependencies = [
  "autocfg 1.0.1",
 ]
 
 [[package]]
-name = "miniz_oxide"
-version = "0.4.1"
+name = "minimal-lexical"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
 dependencies = [
  "adler",
+ "autocfg 1.0.1",
 ]
 
 [[package]]
 name = "nom"
-version = "5.1.2"
+version = "7.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
+checksum = "1b1d11e1ef389c76fe5b81bcaf2ea32cf88b62bc494e19f493d0b30e7a930109"
 dependencies = [
  "memchr",
+ "minimal-lexical",
  "version_check",
 ]
 
@@ -583,18 +638,21 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.12"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
+checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
 dependencies = [
  "autocfg 1.0.1",
 ]
 
 [[package]]
 name = "object"
-version = "0.20.0"
+version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "peeking_take_while"
@@ -603,10 +661,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 
 [[package]]
-name = "pkg-config"
-version = "0.3.18"
+name = "pest"
+version = "2.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
+checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53"
+dependencies = [
+ "ucd-trie",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
 
 [[package]]
 name = "proc-macro-error"
@@ -615,9 +682,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
  "version_check",
 ]
 
@@ -627,8 +694,8 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.20",
- "quote 1.0.7",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
  "version_check",
 ]
 
@@ -643,19 +710,13 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.20"
+version = "1.0.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
+checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029"
 dependencies = [
- "unicode-xid 0.2.1",
+ "unicode-xid 0.2.2",
 ]
 
-[[package]]
-name = "quick-error"
-version = "1.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
-
 [[package]]
 name = "quote"
 version = "0.6.13"
@@ -667,11 +728,11 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.7"
+version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
+checksum = "47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"
 dependencies = [
- "proc-macro2 1.0.20",
+ "proc-macro2 1.0.36",
 ]
 
 [[package]]
@@ -814,21 +875,26 @@ dependencies = [
 
 [[package]]
 name = "regex"
-version = "1.3.9"
+version = "1.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
+checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
 dependencies = [
  "aho-corasick",
  "memchr",
  "regex-syntax",
- "thread_local",
 ]
 
 [[package]]
-name = "regex-syntax"
-version = "0.6.18"
+name = "regex-automata"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
+checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+
+[[package]]
+name = "regex-syntax"
+version = "0.6.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
 
 [[package]]
 name = "ring"
@@ -867,9 +933,9 @@ dependencies = [
 
 [[package]]
 name = "rustc-demangle"
-version = "0.1.16"
+version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
+checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
 
 [[package]]
 name = "rustc-hash"
@@ -885,9 +951,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.5"
+version = "1.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
+checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
 
 [[package]]
 name = "scopeguard"
@@ -897,52 +963,61 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
 
 [[package]]
 name = "semver"
-version = "0.9.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
+checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
 dependencies = [
  "semver-parser",
 ]
 
 [[package]]
-name = "semver-parser"
-version = "0.7.0"
+name = "semver"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
+checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
+
+[[package]]
+name = "semver-parser"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
+dependencies = [
+ "pest",
+]
 
 [[package]]
 name = "serde"
-version = "1.0.115"
+version = "1.0.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
+checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
 
 [[package]]
 name = "serde_derive"
-version = "1.0.115"
+version = "1.0.132"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
+checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
 dependencies = [
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
 ]
 
 [[package]]
 name = "serde_json"
-version = "1.0.57"
+version = "1.0.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
+checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
 dependencies = [
- "itoa",
+ "itoa 1.0.1",
  "ryu",
  "serde",
 ]
 
 [[package]]
 name = "shlex"
-version = "0.1.1"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
+checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3"
 
 [[package]]
 name = "strsim"
@@ -958,9 +1033,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.17"
+version = "0.3.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
+checksum = "40b9788f4202aa75c240ecc9c15c65185e6a39ccdeb0fd5d008b98825464c87c"
 dependencies = [
  "clap",
  "lazy_static",
@@ -969,15 +1044,15 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.10"
+version = "0.4.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
+checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
 ]
 
 [[package]]
@@ -993,32 +1068,32 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.40"
+version = "1.0.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
+checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
 dependencies = [
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "unicode-xid 0.2.1",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "unicode-xid 0.2.2",
 ]
 
 [[package]]
 name = "synstructure"
-version = "0.12.4"
+version = "0.12.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
 dependencies = [
- "proc-macro2 1.0.20",
- "quote 1.0.7",
- "syn 1.0.40",
- "unicode-xid 0.2.1",
+ "proc-macro2 1.0.36",
+ "quote 1.0.14",
+ "syn 1.0.84",
+ "unicode-xid 0.2.2",
 ]
 
 [[package]]
 name = "termcolor"
-version = "1.1.0"
+version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb6bfa289a4d7c5766392812c0a1f4c1ba45afa1ad47803c11e1f407d846d75f"
+checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
 dependencies = [
  "winapi-util",
 ]
@@ -1032,37 +1107,33 @@ dependencies = [
  "unicode-width",
 ]
 
-[[package]]
-name = "thread_local"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14"
-dependencies = [
- "lazy_static",
-]
-
 [[package]]
 name = "time"
-version = "0.1.44"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
  "libc",
- "wasi",
  "winapi",
 ]
 
 [[package]]
-name = "unicode-segmentation"
-version = "1.6.0"
+name = "ucd-trie"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
+checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c"
+
+[[package]]
+name = "unicode-segmentation"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b"
 
 [[package]]
 name = "unicode-width"
-version = "0.1.8"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
+checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
 
 [[package]]
 name = "unicode-xid"
@@ -1072,9 +1143,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 
 [[package]]
 name = "unicode-xid"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
+checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
 
 [[package]]
 name = "untrusted"
@@ -1084,11 +1155,11 @@ checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
 
 [[package]]
 name = "uuid"
-version = "0.7.4"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a"
+checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
 dependencies = [
- "rand 0.6.5",
+ "getrandom",
 ]
 
 [[package]]
@@ -1099,22 +1170,24 @@ checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 
 [[package]]
 name = "version_check"
-version = "0.9.2"
+version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
+checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
 
 [[package]]
 name = "wasi"
-version = "0.10.0+wasi-snapshot-preview1"
+version = "0.10.2+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
 
 [[package]]
 name = "which"
-version = "3.1.1"
+version = "4.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d011071ae14a2f6671d0b74080ae0cd8ebf3a6f8c9589a2cd45f23126fe29724"
+checksum = "ea187a8ef279bc014ec368c27a920da2024d2a711109bfbe3440585d5cf27ad9"
 dependencies = [
+ "either",
+ "lazy_static",
  "libc",
 ]
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.20"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -14,7 +14,7 @@ categories = ["command-line-utilities"]
 license = "MPL-2.0"
 
 [dependencies]
-ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
@@ -26,7 +26,7 @@ serde_derive = "1.0.106"
 serde = "1.0.106"
 
 [build-dependencies]
-ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"

PKGBUILD

@@ -1,26 +1,37 @@
 # Maintainer: shimunn <shimun@shimun.net>
-pkgname=fido2luks
-pkgver=0.2.12
+
+pkgname=fido2luks-git
+pkgver=0.2.16.7e6b33a
 pkgrel=1
-makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
 depends=('cryptsetup')
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
 pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 url="https://github.com/shimunn/fido2luks"
 license=('MPL-2.0')
+source=('git+https://github.com/shimunn/fido2luks')
+sha512sums=('SKIP')
 
 pkgver() {
-	# Use tag version if possible otherwise concat project version and git ref
-	git describe --exact-match --tags HEAD 2> /dev/null || \
-		echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+    cd fido2luks
+
+    # Use tag version if possible otherwise concat project version and git ref
+    git describe --exact-match --tags HEAD 2>/dev/null ||
+        echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
 }
 
 build() {
+    cd fido2luks
     cargo build --release --locked --all-features --target-dir=target
 }
 
 package() {
-    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
-    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
-    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    cd fido2luks
+
+    install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
+    install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+    install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
+    install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
+    install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
 }

README.md

@@ -115,6 +115,36 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 
+## Theory of operation
+
+fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
+The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
+```
+
+        +-------------------------------------------------------------------------------+
+        |                                                                               |
+        |                       +-----------------------------------------+             |
+        |                       |               FIDO2 device              |             |
+        |                       |                                         |             |
+        |                       |                                         |             |
++-------+--------+   +------+   |                      +---------------+  |             |             +------------------------+
+| Salt/Password  +-> |sha256+------------------------> |               |  |             v             |      LUKS header       |
++----------------+   +------+   |                      |               |  |                           |                        |           +---------------+   
+                                |                      |               |  |        +--------+         +------------------------+-------->  |Disk master key| 
+                                |                      |  sha256_hmac  +---------> | sha256 +-------> | Keyslot 1              |           +---------------+ 
++----------------+              |  +----------+        |               |  |        +--------+         +------------------------+
+| FIDO credential+---------------> |Credential| +----> |               |  |                           | Keyslot 2              |
++----------------+              |  |secret    |        |               |  |                           +------------------------+
+                                |  +----------+        +---------------+  |
+                                |                                         |
+                                |                                         |
+                                +-----------------------------------------+
+
+```
+Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
+or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
+in a completly different secret.
+
 ## License
 
 Licensed under

flake.lock

@@ -0,0 +1,62 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1639947939,
+        "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1638109994,
+        "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,61 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nmattia/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup ];
+          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
+          nativeBuildInputs = with pkgs; [
+            pkgconfig
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs LIBCLANG_PATH;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}

initcpio/Makefile

@@ -0,0 +1,18 @@
+.PHONY: install remove
+
+install:
+	install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
+	install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif
+
+remove:
+	rm /usr/lib/initcpio/{hooks,install}/fido2luks
+ifdef preset
+	mkinitcpio -p $(preset)
+else
+	mkinitcpio -P
+endif

initcpio/README.md

@@ -0,0 +1,52 @@
+## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
+
+> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
+
+### Setup
+
+1. Connect your FIDO2 authenticator
+2. Generate credential id
+
+```shell
+fido2luks credential
+```
+
+3. Generate salt (random string)
+
+```shell
+pwgen 48 1
+```
+
+4. Add key to your LUKS2 device
+
+```shell
+fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
+```
+
+`-P` - request PIN to unlock the authenticator  
+`-t` - add token (including credential id) to the LUKS2 header  
+`-e` - wipe all other keys  
+
+For the full list of options see `fido2luks add-key --help`
+
+5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
+
+Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
+
+```shell
+cryptsetup luksDump <block_device>
+```
+
+6. Add fido2luks hook to /etc/mkinitcpio.conf
+
+Before or instead of `encrypt` hook, for example:
+
+```shell
+HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
+```
+
+7. Recreate initial ramdisk
+
+```shell
+mkinitcpio -p <preset>
+```

initcpio/fido2luks.conf

@@ -0,0 +1,18 @@
+# Set credential *ONLY IF* it's not embedded in the LUKS2 header
+FIDO2LUKS_CREDENTIAL_ID=
+
+# Encrypted device and its name under /dev/mapper
+# Can be overridden by `cryptdevice` kernel parameter
+FIDO2LUKS_DEVICE=
+FIDO2LUKS_MAPPER_NAME=
+
+FIDO2LUKS_SALT=string:<salt>
+
+# Use specific keyslot (ignore all other slots)
+FIDO2LUKS_DEVICE_SLOT=
+
+# Await for an authenticator to be connected (in seconds)
+FIDO2LUKS_DEVICE_AWAIT=
+
+# Set to 1 if PIN is required to unlock the authenticator
+FIDO2LUKS_ASK_PIN=

initcpio/hooks/fido2luks

@@ -0,0 +1,55 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    . /etc/fido2luks.conf
+
+    if [ -z "$cryptdevice" ]; then
+        device="$FIDO2LUKS_DEVICE"
+        dmname="$FIDO2LUKS_MAPPER_NAME"
+    else
+        IFS=: read cryptdev dmname _cryptoptions <<EOF
+$cryptdevice
+EOF
+        if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
+            return 1
+        fi
+    fi
+
+    options="--salt $FIDO2LUKS_SALT"
+
+    if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
+        options="$options --pin"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
+        options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
+    fi
+
+    if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
+        options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
+    fi
+
+    # HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
+    # Temporary link it to /dev/tty1
+    mv /dev/tty /dev/tty.back
+    ln -s /dev/tty1 /dev/tty
+
+    printf "\nAuthentication is required to access the $dmname volume at $device\n"
+
+    if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
+        fido2luks open-token $device $dmname $options
+    else
+        fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
+    fi
+    exit_code=$?
+
+    # Restore /dev/tty
+    mv /dev/tty.back /dev/tty
+
+    if [ $exit_code -ne 0 ]; then
+        printf '\n'
+        read -s -p 'Press Enter to continue'
+        printf '\n'
+    fi
+}

initcpio/install/fido2luks

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+build() {
+    local mod
+
+    add_module dm-crypt
+    add_module dm-integrity
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules /crypto/
+    fi
+
+    add_binary fido2luks
+    add_binary dmsetup
+    add_file /usr/lib/udev/rules.d/10-dm.rules
+    add_file /usr/lib/udev/rules.d/13-dm-disk.rules
+    add_file /usr/lib/udev/rules.d/95-dm-notify.rules
+    add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
+    add_file /etc/fido2luks.conf /etc/fido2luks.conf
+
+    add_runscript
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
+HELPEOF
+}

initramfs-tools/fido2luks.conf

@@ -1,3 +1,5 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
+FIDO2LUKS_USE_TOKEN=0
+FIDO2LUKS_PASSWORD_FALLBACK=1

initramfs-tools/keyscript.sh

@@ -2,6 +2,17 @@
 set -a
 . /etc/fido2luks.conf
 
+# Set Defaults
+if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
+    FIDO2LUKS_USE_TOKEN=0
+fi
+
+if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
+    FIDO2LUKS_PASSWORD_FALLBACK=1
+fi
+
+
+
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
@@ -12,3 +23,8 @@ if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
 fi
 
 fido2luks print-secret --bin
+
+# Fall back to passphrase-based unlock if fido2luks fails
+if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
+  plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
+fi

src/cli.rs

@@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
     Args::from_args()
 }
 
+pub fn prompt_interaction(interactive: bool) {
+    if interactive {
+        println!("Authorize using your FIDO device");
+    }
+}
+
 pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
@@ -87,7 +93,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 None
             };
-            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
+            let cred = make_credential_id(Some(name.as_ref()), pin)?;
             println!("{}", hex::encode(&cred.id));
             Ok(())
         }
@@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 secret.salt.obtain_sha256(&secret.password_helper)
             }?;
+            prompt_interaction(interactive);
             let (secret, _cred) = derive_secret(
                 credentials.ids.0.as_slice(),
                 &salt,
@@ -164,13 +171,16 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     } => Ok((util::read_keyfile(file)?, None)),
                     OtherSecret {
                         fido_device: true, ..
-                    } => Ok(derive_secret(
-                        &credentials.ids.0,
-                        &salt(salt_q, verify)?,
-                        authenticator.await_time,
-                        pin.as_deref(),
-                    )
-                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                    } => {
+                        prompt_interaction(interactive);
+                        Ok(derive_secret(
+                            &credentials.ids.0,
+                            &salt(salt_q, verify)?,
+                            authenticator.await_time,
+                            pin.as_deref(),
+                        )
+                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
+                    }
                     _ => Ok((
                         util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                         None,
@@ -178,6 +188,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                 }
             };
             let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                prompt_interaction(interactive);
                 derive_secret(
                     &credentials.ids.0,
                     &salt(q, verify)?,
@@ -248,6 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             name,
             retries,
+            allow_discards,
             ..
         }
         | Command::OpenToken {
@@ -256,6 +268,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             name,
             retries,
+            allow_discards,
         } => {
             let pin_string;
             let pin = if authenticator.pin {
@@ -274,6 +287,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 
             // Cow shouldn't be necessary
             let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                prompt_interaction(interactive);
                 derive_secret(
                     credentials.as_ref(),
                     &salt("Password", false)?,
@@ -287,7 +301,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             loop {
                 let secret = match &args.command {
                     Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
-                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
+                        .and_then(|(secret, _cred)| {
+                            luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
+                        }),
                     Command::OpenToken { .. } => luks_dev.activate_token(
                         &name,
                         Box::new(|credentials: Vec<String>| {
@@ -299,6 +315,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                                 .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
                         }),
                         luks.slot,
+                        *allow_discards,
                     ),
                     _ => unreachable!(),
                 };

src/cli_args/mod.rs

@@ -216,6 +216,9 @@ pub enum Command {
         secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
+        /// Pass SSD trim instructions to the underlying block device
+        #[structopt(long = "allow-discards")]
+        allow_discards: bool,
     },
     /// Open the LUKS device using credentials embedded in the LUKS 2 header
     #[structopt(name = "open-token")]
@@ -230,15 +233,18 @@ pub enum Command {
         secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
+        /// Pass SSD trim instructions to the underlying block device
+        #[structopt(long = "allow-discards")]
+        allow_discards: bool,
     },
     /// Generate a new FIDO credential
     #[structopt(name = "credential")]
     Credential {
         #[structopt(flatten)]
         authenticator: AuthenticatorParameters,
-        /// Name to be displayed on the authenticator if it has a display
-        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
-        name: Option<String>,
+        /// Name to be displayed on the authenticator display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
+        name: String,
     },
     /// Check if an authenticator is connected
     #[structopt(name = "connected")]

src/luks.rs

@@ -1,8 +1,8 @@
 use crate::error::*;
 
 use libcryptsetup_rs::{
-    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
-    TokenInput,
+    CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
+    EncryptionFormat, KeyslotInfo, TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
@@ -221,10 +221,15 @@ impl LuksDevice {
         name: &str,
         secret: &[u8],
         slot_hint: Option<u32>,
+        allow_discard: bool,
     ) -> Fido2LuksResult<u32> {
+        let mut flags = CryptActivateFlags::empty();
+        if allow_discard {
+            flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
+        }
         self.device
             .activate_handle()
-            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            .activate_by_passphrase(Some(name), slot_hint, secret, flags)
             .map_err(LuksError::activate)
     }
 
@@ -233,6 +238,7 @@ impl LuksDevice {
         name: &str,
         secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
         slot_hint: Option<u32>,
+        allow_discard: bool,
     ) -> Fido2LuksResult<u32> {
         if !self.is_luks2()? {
             return Err(LuksError::Luks2Required.into());
@@ -276,7 +282,7 @@ impl LuksDevice {
                 .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
         );
         for slot in slots {
-            match self.activate(name, &secret, slot) {
+            match self.activate(name, &secret, slot, allow_discard) {
                 Err(Fido2LuksError::WrongSecret) => (),
                 res => return res,
             }