Merge pull request #26193 from aafeijoo-suse/cryptenroll-unlock-fido2-device-man-and-bash-completion-fix

Add missing --unlock-fido2-device to systemd-cryptenroll man and bash-completion
2024-10-15 12:34:37 +00:00 · 2023-01-25 13:15:13 +00:00 · 2023-01-25 13:15:13 +00:00 · 6ec7a722ba
parent 43057bf604 d8c5bd048c
commit 6ec7a722ba
2 changed files with 17 additions and 1 deletions
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -109,6 +109,17 @@
        contain the full key.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>--unlock-fido2-device=</option><replaceable>PATH</replaceable></term>
+
+        <listitem><para>Use a FIDO2 device instead of a password/passphrase read from stdin to unlock the
+        volume. Expects a <filename>hidraw</filename> device referring to the FIDO2 device (e.g.
+        <filename>/dev/hidraw1</filename>). Alternatively the special value <literal>auto</literal> may be
+        specified, in order to automatically determine the device node of a currently plugged in security
+        token (of which there must be exactly one). This automatic discovery is unsupported if
+        <option>--fido2-device=</option> option is also specified.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>--pkcs11-token-uri=</option><replaceable>URI</replaceable></term>

@ -151,7 +162,8 @@
        extension (e.g. a YubiKey). Expects a <filename>hidraw</filename> device referring to the FIDO2
        device (e.g. <filename>/dev/hidraw1</filename>). Alternatively the special value
        <literal>auto</literal> may be specified, in order to automatically determine the device node of a
-        currently plugged in security token (of which there must be exactly one). The special value
+        currently plugged in security token (of which there must be exactly one). This automatic discovery
+        is unsupported if <option>--unlock-fido2-device=</option> option is also specified. The special value
        <literal>list</literal> may be used to enumerate all suitable FIDO2 tokens currently plugged in. Note
        that many hardware security tokens that implement FIDO2 also implement the older PKCS#11
        standard. Typically FIDO2 is preferable, given it's simpler to use and more modern.</para>
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -51,6 +51,7 @@ _systemd-cryptenroll() {
        [STANDALONE]='-h --help --version
                     --password --recovery-key'
        [ARG]='--unlock-key-file
+               --unlock-fido2-device
               --pkcs11-token-uri
               --fido2-credential-algorithm
               --fido2-device
@ -74,6 +75,9 @@ _systemd-cryptenroll() {
                comps=$(compgen -A file -- "$cur")
                compopt -o filenames
                ;;
+            --unlock-fido2-device)
+                comps="auto $(__get_fido2_devices)"
+                ;;
            --pkcs11-token-uri)
                comps='auto list pkcs11:'
                ;;