system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 18:24:38 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

FIDO2: support pin-less LUKS enroll/unlock

Browse source 
Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
This commit is contained in:
Luca Boccassi 2021-04-12 21:06:59 +01:00 committed by Luca Boccassi
parent cd5f57bda7
commit cde2f8605e
11 changed files with 118 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
man/systemd-cryptenroll.xml
View file

@ -125,6 +125,13 @@
<filename>/etc/crypttab</filename> line.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--fido2-with-client-pin=</option><replaceable>BOOL</replaceable></term>
<listitem><para>When enrolling a FIDO2 security token, controls whether to require the user to
enter a PIN when unlocking the volume. Defaults to <literal>yes</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--tpm2-device=</option><replaceable>PATH</replaceable></term>

7
src/cryptenroll/cryptenroll-fido2.c
View file

@ -11,7 +11,8 @@ int enroll_fido2(
struct crypt_device *cd,
const void *volume_key,
size_t volume_key_size,
const char *device) {
const char *device,
Fido2EnrollFlags lock_with) {
_cleanup_(erase_and_freep) void *salt = NULL, *secret = NULL;
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
@ -40,6 +41,7 @@ int enroll_fido2(
/* user_display_name= */ node,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "drive-harddisk",
lock_with,
&cid, &cid_size,
&salt, &salt_size,
&secret, &secret_size,
@ -75,7 +77,8 @@ int enroll_fido2(
JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
JSON_BUILD_PAIR("fido2-credential", JSON_BUILD_BASE64(cid, cid_size)),
JSON_BUILD_PAIR("fido2-salt", JSON_BUILD_BASE64(salt, salt_size)),
JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup"))));
JSON_BUILD_PAIR("fido2-rp", JSON_BUILD_STRING("io.systemd.cryptsetup")),
JSON_BUILD_PAIR("fido2-clientPin-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_PIN)))));
if (r < 0)
return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");

5
src/cryptenroll/cryptenroll-fido2.h
View file

@ -4,12 +4,13 @@
#include <sys/types.h>
#include "cryptsetup-util.h"
#include "libfido2-util.h"
#include "log.h"
#if HAVE_LIBFIDO2
int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device);
int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with);
#else
static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device) {
static inline int enroll_fido2(struct crypt_device *cd, const void *volume_key, size_t volume_key_size, const char *device, Fido2EnrollFlags lock_with) {
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 key enrollment not supported.");
}

37
src/cryptenroll/cryptenroll.c
View file

@ -36,6 +36,7 @@ static int *arg_wipe_slots = NULL;
static size_t arg_n_wipe_slots = 0;
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN;
assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
@ -88,6 +89,8 @@ static int help(void) {
" Specify PKCS#11 security token URI\n"
" --fido2-device=PATH\n"
" Enroll a FIDO2-HMAC security token\n"
" --fido2-with-client-pin=BOOL\n"
" Whether to require entering a PIN to unlock the volume\n"
" --tpm2-device=PATH\n"
" Enroll a TPM2 device\n"
" --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
@ -114,18 +117,20 @@ static int parse_argv(int argc, char *argv[]) {
ARG_TPM2_DEVICE,
ARG_TPM2_PCRS,
ARG_WIPE_SLOT,
ARG_FIDO2_WITH_PIN,
};
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "password", no_argument, NULL, ARG_PASSWORD },
{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
{ "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
{ "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "password", no_argument, NULL, ARG_PASSWORD },
{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
{ "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
{ "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
{ "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN },
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
{}
};
@ -144,6 +149,18 @@ static int parse_argv(int argc, char *argv[]) {
case ARG_VERSION:
return version();
case ARG_FIDO2_WITH_PIN: {
bool lock_with_pin;
r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
if (r < 0)
return r;
SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
break;
}
case ARG_PASSWORD:
if (arg_enroll_type >= 0)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@ -486,7 +503,7 @@ static int run(int argc, char *argv[]) {
break;
case ENROLL_FIDO2:
slot = enroll_fido2(cd, vk, vks, arg_fido2_device);
slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
break;
case ENROLL_TPM2:

47
src/cryptsetup/cryptsetup-fido2.c
View file

@ -24,6 +24,7 @@ int acquire_fido2_key(
size_t key_data_size,
usec_t until,
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
@ -73,19 +74,22 @@ int acquire_fido2_key(
}
for (;;) {
r = fido2_use_hmac_hash(
device,
rp_id ?: "io.systemd.cryptsetup",
salt, salt_size,
cid, cid_size,
pins,
/* up= */ true,
ret_decrypted_key,
ret_decrypted_key_size);
if (!IN_SET(r,
-ENOANO, /* needs pin */
-ENOLCK)) /* pin incorrect */
return r;
if (!FLAGS_SET(required, FIDO2ENROLL_PIN) || pins) {
r = fido2_use_hmac_hash(
device,
rp_id ?: "io.systemd.cryptsetup",
salt, salt_size,
cid, cid_size,
pins,
/* up= */ true,
required,
ret_decrypted_key,
ret_decrypted_key_size);
if (!IN_SET(r,
-ENOANO, /* needs pin */
-ENOLCK)) /* pin incorrect */
return r;
}
pins = strv_free_erase(pins);
@ -107,12 +111,14 @@ int find_fido2_auto_data(
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
int *ret_keyslot) {
int *ret_keyslot,
Fido2EnrollFlags *ret_required) {
_cleanup_free_ void *cid = NULL, *salt = NULL;
size_t cid_size = 0, salt_size = 0;
_cleanup_free_ char *rp = NULL;
int r, keyslot = -1;
Fido2EnrollFlags required = FIDO2ENROLL_PIN; /* For backward compatibility, require pin by default */
assert(cd);
assert(ret_salt);
@ -120,6 +126,7 @@ int find_fido2_auto_data(
assert(ret_cid);
assert(ret_cid_size);
assert(ret_keyslot);
assert(ret_required);
/* Loads FIDO2 metadata from LUKS2 JSON token headers. */
@ -176,6 +183,17 @@ int find_fido2_auto_data(
if (!rp)
return log_oom();
}
w = json_variant_by_key(v, "fido2-clientPin-required");
if (w) {
/* The "fido2-clientPin-required" field is optional. */
if (!json_variant_is_boolean(w))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"FIDO2 token data's 'fido2-clientPin-required' field is not a boolean.");
SET_FLAG(required, FIDO2ENROLL_PIN, json_variant_boolean(w));
}
}
if (!cid)
@ -190,5 +208,6 @@ int find_fido2_auto_data(
*ret_salt = TAKE_PTR(salt);
*ret_salt_size = salt_size;
*ret_keyslot = keyslot;
*ret_required = required;
return 0;
}

9
src/cryptsetup/cryptsetup-fido2.h
View file

@ -4,6 +4,7 @@
#include <sys/types.h>
#include "cryptsetup-util.h"
#include "libfido2-util.h"
#include "log.h"
#include "time-util.h"
@ -23,6 +24,7 @@ int acquire_fido2_key(
size_t key_data_size,
usec_t until,
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
@ -33,7 +35,8 @@ int find_fido2_auto_data(
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
int *ret_keyslot);
int *ret_keyslot,
Fido2EnrollFlags *ret_required);
#else
@ -51,6 +54,7 @@ static inline int acquire_fido2_key(
size_t key_data_size,
usec_t until,
bool headless,
Fido2EnrollFlags required,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
@ -65,7 +69,8 @@ static inline int find_fido2_auto_data(
size_t *ret_salt_size,
void **ret_cid,
size_t *ret_cid_size,
int *ret_keyslot) {
int *ret_keyslot,
Fido2EnrollFlags *ret_required) {
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"FIDO2 token support not available.");

9
src/cryptsetup/cryptsetup.c
View file

@ -739,6 +739,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
int keyslot = arg_key_slot, r;
const char *rp_id;
const void *cid;
Fido2EnrollFlags required;
assert(cd);
assert(name);
@ -759,7 +760,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
&discovered_salt_size,
&discovered_cid,
&discovered_cid_size,
&keyslot);
&keyslot,
&required);
if (IN_SET(r, -ENOTUNIQ, -ENXIO))
return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
@ -767,6 +769,10 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
if (r < 0)
return r;
if (FLAGS_SET(required, FIDO2ENROLL_PIN) && arg_headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
"A PIN is required to unlock this volume, but the 'headless' parameter was set.");
rp_id = discovered_rp_id;
key_data = discovered_salt;
key_data_size = discovered_salt_size;
@ -791,6 +797,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
key_data, key_data_size,
until,
arg_headless,
required,
&decrypted_key, &decrypted_key_size);
if (r >= 0)
break;

1
src/home/homectl-fido2.c
View file

@ -158,6 +158,7 @@ int identity_add_fido2_parameters(
/* user_display_name= */ rn ? json_variant_string(rn) : NULL,
/* user_icon_name= */ NULL,
/* askpw_icon_name= */ "user-home",
FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
&cid, &cid_size,
&salt, &salt_size,
&secret, &secret_size,

1
src/home/homework-fido2.c
View file

@ -29,6 +29,7 @@ int fido2_use_token(
salt->credential.id, salt->credential.size,
secret->token_pin,
h->fido2_user_presence_permitted > 0,
FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll
&hmac,
&hmac_size);
if (r < 0)

23
src/shared/libfido2-util.c
View file

@ -219,6 +219,7 @@ static int fido2_use_hmac_hash_specific_token(
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
Fido2EnrollFlags required, /* client pin required */
void **ret_hmac,
size_t *ret_hmac_size) {
@ -250,6 +251,11 @@ static int fido2_use_hmac_hash_specific_token(
if (r < 0)
return r;
if (!has_client_pin && FLAGS_SET(required, FIDO2ENROLL_PIN))
return log_error_errno(SYNTHETIC_ERRNO(EHWPOISON),
"PIN required to unlock, but FIDO2 device %s does not support it.",
path);
a = sym_fido_assert_new();
if (!a)
return log_oom();
@ -303,7 +309,7 @@ static int fido2_use_hmac_hash_specific_token(
r = sym_fido_dev_get_assert(d, a, NULL); /* try without pin but with up now */
}
if (r == FIDO_ERR_PIN_REQUIRED) {
if (FLAGS_SET(required, FIDO2ENROLL_PIN)) {
char **i;
if (!has_client_pin)
@ -367,6 +373,7 @@ int fido2_use_hmac_hash(
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
Fido2EnrollFlags required, /* client pin required */
void **ret_hmac,
size_t *ret_hmac_size) {
@ -379,7 +386,7 @@ int fido2_use_hmac_hash(
return log_error_errno(r, "FIDO2 support is not installed.");
if (device)
return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
di = sym_fido_dev_info_new(allocated);
if (!di)
@ -414,7 +421,7 @@ int fido2_use_hmac_hash(
goto finish;
}
r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, ret_hmac, ret_hmac_size);
r = fido2_use_hmac_hash_specific_token(path, rp_id, salt, salt_size, cid, cid_size, pins, up, required, ret_hmac, ret_hmac_size);
if (!IN_SET(r,
-EBADSLT, /* device doesn't understand our credential hash */
-ENODEV /* device is not a FIDO2 device with HMAC-SECRET */))
@ -439,6 +446,7 @@ int fido2_generate_hmac_hash(
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
Fido2EnrollFlags lock_with,
void **ret_cid, size_t *ret_cid_size,
void **ret_salt, size_t *ret_salt_size,
void **ret_secret, size_t *ret_secret_size,
@ -503,6 +511,11 @@ int fido2_generate_hmac_hash(
if (r < 0)
return r;
if (!has_client_pin && FLAGS_SET(lock_with, FIDO2ENROLL_PIN))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Requested to lock with PIN, but FIDO2 device %s does not support it.",
device);
c = sym_fido_cred_new();
if (!c)
return log_oom();
@ -648,7 +661,7 @@ int fido2_generate_hmac_hash(
log_info("Generating secret key on FIDO2 security token.");
r = sym_fido_dev_get_assert(d, a, used_pin);
r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
if (r == FIDO_ERR_UP_REQUIRED) {
if (!has_up)
@ -663,7 +676,7 @@ int fido2_generate_hmac_hash(
emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
emoji_enabled() ? " " : "");
r = sym_fido_dev_get_assert(d, a, used_pin);
r = sym_fido_dev_get_assert(d, a, FLAGS_SET(lock_with, FIDO2ENROLL_PIN) ? used_pin : NULL);
}
if (r == FIDO_ERR_ACTION_TIMEOUT)
return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),

8
src/shared/libfido2-util.h
View file

@ -3,6 +3,12 @@
#include "macro.h"
typedef enum Fido2EnrollFlags {
FIDO2ENROLL_PIN = 1 << 0,
_FIDO2ENROLL_TYPE_MAX,
_FIDO2ENROLL_TYPE_INVALID = -EINVAL,
} Fido2EnrollFlags;
#if HAVE_LIBFIDO2
#include <fido.h>
@ -81,6 +87,7 @@ int fido2_use_hmac_hash(
size_t cid_size,
char **pins,
bool up, /* user presence permitted */
Fido2EnrollFlags required,
void **ret_hmac,
size_t *ret_hmac_size);
@ -93,6 +100,7 @@ int fido2_generate_hmac_hash(
const char *user_display_name,
const char *user_icon,
const char *askpw_icon_name,
Fido2EnrollFlags lock_with,
void **ret_cid, size_t *ret_cid_size,
void **ret_salt, size_t *ret_salt_size,
void **ret_secret, size_t *ret_secret_size,