mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-28 01:43:15 +00:00
commit
61dbbe4121
@ -37,4 +37,38 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
|
|||||||
on an encrypted partition, it is necessary to add the following grub option:
|
on an encrypted partition, it is necessary to add the following grub option:
|
||||||
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
|
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
|
||||||
</para>
|
</para>
|
||||||
|
<section xml:id="sec-luks-file-systems-fido2">
|
||||||
|
<title>FIDO2</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential
|
||||||
|
and add it as a new key to our existing device <filename>/dev/sda2</filename>:
|
||||||
|
|
||||||
|
<screen>
|
||||||
|
# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
|
||||||
|
# fido2luks credential "$FIDO2_LABEL"
|
||||||
|
f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
|
||||||
|
|
||||||
|
# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
|
||||||
|
Password:
|
||||||
|
Password (again):
|
||||||
|
Old password:
|
||||||
|
Old password (again):
|
||||||
|
Added to key to device /dev/sda2, slot: 2
|
||||||
|
</screen>
|
||||||
|
|
||||||
|
To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename>configuration.nix</filename>:
|
||||||
|
<programlisting>
|
||||||
|
<link linkend="opt-boot.initrd.luks.fido2Support">boot.initrd.luks.fido2Support</link> = true;
|
||||||
|
<link linkend="opt-boot.initrd.luks.devices._name__.fido2.credential">boot.initrd.luks.devices."/dev/sda2".fido2.credential</link> = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
|
You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
|
||||||
|
|
||||||
|
<programlisting>
|
||||||
|
<link linkend="opt-boot.initrd.luks.devices._name__.fido2.passwordLess">boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess</link> = true;
|
||||||
|
</programlisting>
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
@ -485,6 +485,12 @@ users.users.me =
|
|||||||
now uses the short rather than full version string.
|
now uses the short rather than full version string.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
|
||||||
|
via <option>boot.initrd.luks.fido2Support</option>.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
@ -4,6 +4,7 @@ with lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
luks = config.boot.initrd.luks;
|
luks = config.boot.initrd.luks;
|
||||||
|
kernelPackages = config.boot.kernelPackages;
|
||||||
|
|
||||||
commonFunctions = ''
|
commonFunctions = ''
|
||||||
die() {
|
die() {
|
||||||
@ -139,7 +140,7 @@ let
|
|||||||
umount /crypt-ramfs 2>/dev/null
|
umount /crypt-ramfs 2>/dev/null
|
||||||
'';
|
'';
|
||||||
|
|
||||||
openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fallbackToPassword, ... }: assert name' == name;
|
openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, ... }: assert name' == name;
|
||||||
let
|
let
|
||||||
csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
|
csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
|
||||||
cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
|
cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
|
||||||
@ -387,7 +388,31 @@ let
|
|||||||
}
|
}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) then ''
|
${optionalString (luks.fido2Support && (fido2.credential != null)) ''
|
||||||
|
|
||||||
|
open_with_hardware() {
|
||||||
|
local passsphrase
|
||||||
|
|
||||||
|
${if fido2.passwordLess then ''
|
||||||
|
export passphrase=""
|
||||||
|
'' else ''
|
||||||
|
read -rsp "FIDO2 salt for ${device}: " passphrase
|
||||||
|
echo
|
||||||
|
''}
|
||||||
|
${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
|
||||||
|
echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
|
||||||
|
echo "Please move your mouse to create needed randomness."
|
||||||
|
''}
|
||||||
|
echo "Waiting for your FIDO2 device..."
|
||||||
|
fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo "No FIDO2 key found, falling back to normal open procedure"
|
||||||
|
open_normally
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
|
||||||
|
${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then ''
|
||||||
open_with_hardware
|
open_with_hardware
|
||||||
'' else ''
|
'' else ''
|
||||||
open_normally
|
open_normally
|
||||||
@ -608,6 +633,31 @@ in
|
|||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fido2 = {
|
||||||
|
credential = mkOption {
|
||||||
|
default = null;
|
||||||
|
example = "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2";
|
||||||
|
type = types.str;
|
||||||
|
description = "The FIDO2 credential ID.";
|
||||||
|
};
|
||||||
|
|
||||||
|
gracePeriod = mkOption {
|
||||||
|
default = 10;
|
||||||
|
type = types.int;
|
||||||
|
description = "Time in seconds to wait for the FIDO2 key.";
|
||||||
|
};
|
||||||
|
|
||||||
|
passwordLess = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Defines whatever to use an empty string as a default salt.
|
||||||
|
|
||||||
|
Enable only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
yubikey = mkOption {
|
yubikey = mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
description = ''
|
description = ''
|
||||||
@ -706,6 +756,15 @@ in
|
|||||||
and a Yubikey to work with this feature.
|
and a Yubikey to work with this feature.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
boot.initrd.luks.fido2Support = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Enables support for authenticating with FIDO2 devices.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
|
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
|
||||||
@ -714,6 +773,14 @@ in
|
|||||||
[ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
|
[ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
|
||||||
message = "Yubikey and GPG Card may not be used at the same time.";
|
message = "Yubikey and GPG Card may not be used at the same time.";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{ assertion = !(luks.gpgSupport && luks.fido2Support);
|
||||||
|
message = "FIDO2 and GPG Card may not be used at the same time.";
|
||||||
|
}
|
||||||
|
|
||||||
|
{ assertion = !(luks.fido2Support && luks.yubikeySupport);
|
||||||
|
message = "FIDO2 and Yubikey may not be used at the same time.";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
|
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
|
||||||
@ -753,6 +820,11 @@ in
|
|||||||
chmod +x $out/bin/openssl-wrap
|
chmod +x $out/bin/openssl-wrap
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
${optionalString luks.fido2Support ''
|
||||||
|
copy_bin_and_libs ${pkgs.fido2luks}/bin/fido2luks
|
||||||
|
''}
|
||||||
|
|
||||||
|
|
||||||
${optionalString luks.gpgSupport ''
|
${optionalString luks.gpgSupport ''
|
||||||
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
|
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
|
||||||
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
|
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
|
||||||
@ -783,6 +855,9 @@ in
|
|||||||
$out/bin/gpg-agent --version
|
$out/bin/gpg-agent --version
|
||||||
$out/bin/scdaemon --version
|
$out/bin/scdaemon --version
|
||||||
''}
|
''}
|
||||||
|
${optionalString luks.fido2Support ''
|
||||||
|
$out/bin/fido2luks --version
|
||||||
|
''}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
boot.initrd.preFailCommands = postCommands;
|
boot.initrd.preFailCommands = postCommands;
|
||||||
|
@ -7,19 +7,19 @@
|
|||||||
|
|
||||||
rustPlatform.buildRustPackage rec {
|
rustPlatform.buildRustPackage rec {
|
||||||
pname = "fido2luks";
|
pname = "fido2luks";
|
||||||
version = "0.2.2";
|
version = "0.2.3";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "shimunn";
|
owner = "shimunn";
|
||||||
repo = pname;
|
repo = pname;
|
||||||
rev = version;
|
rev = version;
|
||||||
sha256 = "018qzbgmgm0f0d0c7i54nqqjbr4k5mzy1xfavi6hpifjll971wci";
|
sha256 = "0340xp7q6f0clb7wmqpgllllwsixmsy37k1f5kj3hwvb730rz93x";
|
||||||
};
|
};
|
||||||
|
|
||||||
buildInputs = [ cryptsetup ];
|
buildInputs = [ cryptsetup ];
|
||||||
nativeBuildInputs = [ pkg-config ];
|
nativeBuildInputs = [ pkg-config ];
|
||||||
|
|
||||||
cargoSha256 = "1kf757wxxk5h8dfbz588qw1pnyjbg5qzr7rz14i7x8rhmn5xwb74";
|
cargoSha256 = "1i37k4ih6118z3wip2qh4jqk7ja2z0v1w8dri1lwqwlciqw17zi9";
|
||||||
verifyCargoDeps = true;
|
verifyCargoDeps = true;
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
|
Loading…
Reference in New Issue
Block a user