Merge pull request #188009 from martiert/fido2luks
nixos/luksroot: Support adding a list of credentials to fido2luks
commit
0ea763fab6
|
@ -148,6 +148,7 @@ let
|
||||||
+ optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
|
+ optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
|
||||||
+ optionalString (dev.header != null) " --header=${dev.header}";
|
+ optionalString (dev.header != null) " --header=${dev.header}";
|
||||||
cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
|
cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
|
||||||
|
fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
|
||||||
in ''
|
in ''
|
||||||
# Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
|
# Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
|
||||||
# if on a USB drive.
|
# if on a USB drive.
|
||||||
|
@ -417,7 +418,7 @@ let
|
||||||
}
|
}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${optionalString (luks.fido2Support && (dev.fido2.credential != null)) ''
|
${optionalString (luks.fido2Support && fido2luksCredentials != []) ''
|
||||||
|
|
||||||
open_with_hardware() {
|
open_with_hardware() {
|
||||||
local passsphrase
|
local passsphrase
|
||||||
|
@ -433,7 +434,7 @@ let
|
||||||
echo "Please move your mouse to create needed randomness."
|
echo "Please move your mouse to create needed randomness."
|
||||||
''}
|
''}
|
||||||
echo "Waiting for your FIDO2 device..."
|
echo "Waiting for your FIDO2 device..."
|
||||||
fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} ${dev.fido2.credential} --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
|
fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} "${builtins.concatStringsSep "," fido2luksCredentials}" --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
|
||||||
if [ $? -ne 0 ]; then
|
if [ $? -ne 0 ]; then
|
||||||
echo "No FIDO2 key found, falling back to normal open procedure"
|
echo "No FIDO2 key found, falling back to normal open procedure"
|
||||||
open_normally
|
open_normally
|
||||||
|
@ -444,7 +445,7 @@ let
|
||||||
# commands to run right before we mount our device
|
# commands to run right before we mount our device
|
||||||
${dev.preOpenCommands}
|
${dev.preOpenCommands}
|
||||||
|
|
||||||
${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && (dev.fido2.credential != null)) then ''
|
${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && fido2luksCredentials != []) then ''
|
||||||
open_with_hardware
|
open_with_hardware
|
||||||
'' else ''
|
'' else ''
|
||||||
open_normally
|
open_normally
|
||||||
|
@ -695,6 +696,17 @@ in
|
||||||
description = lib.mdDoc "The FIDO2 credential ID.";
|
description = lib.mdDoc "The FIDO2 credential ID.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
credentials = mkOption {
|
||||||
|
default = [];
|
||||||
|
example = [ "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2" ];
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
List of FIDO2 credential IDs.
|
||||||
|
|
||||||
|
Use this if you have multiple FIDO2 keys you want to use for the same luks device.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
gracePeriod = mkOption {
|
gracePeriod = mkOption {
|
||||||
default = 10;
|
default = 10;
|
||||||
type = types.int;
|
type = types.int;
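Review bot: The new `credentials` option in the last hunk does not document how it interacts with the existing singular `credential`, although the `fido2luksCredentials` binding in the first hunk appends `dev.fido2.credential` to `dev.fido2.credentials` whenever it is non-null, so both options are used together rather than being alternatives. A reader of the module options would otherwise assume they are mutually exclusive, and the `credential` description is left unchanged, so nothing points users to the list form. Suggest adding to the `credentials` description a sentence such as `If `credential` is also set, it is appended to this list.` and a matching hint in the `credential` description that several IDs can be given via `credentials`. As a secondary point on the `fido2luks open` line in the third hunk, the joined IDs are interpolated into the initrd shell script with only literal double quotes around them; wrapping the value as `${lib.escapeShellArg (builtins.concatStringsSep "," fido2luksCredentials)}` would keep the argument intact for any string the `types.listOf types.str` option admits, though the values come from the system configuration rather than an untrusted source.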
|
||||||
|
|