author: Kamil Szczęk <kamil@szczek.dev> 2024-06-07 16:48:41 +0200
committer: Lennart Poettering <lennart@poettering.net> 2024-06-13 13:50:39 +0200
commit: d5fa6e6ca785140b50cb30361e9ddc4e538c3f40
tree: cc076d82da51b23cfa34b55862d324bdb17994f0 /man
parent: Merge pull request #33257 from YHNdnzj/unit-notify-cleanup
cryptsetup: manual FIDO2 PIN, UP and UV configuration
When in FIDO2 mode with manual parameters, i.e. when not reading the parameters off the LUKS2 header, the current behavior with regard to PIN, UP and UV features is to default to v248 logic, where we use PIN + UP when needed, and do not configure UV at all. Let's allow users to configure those features in manual mode too.
Diffstat (limited to 'man')
-rw-r--r--  man/crypttab.xml | 35
1 file changed, 35 insertions, 0 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml
index 955111fe94..3aa809e667 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -769,6 +769,41 @@
</varlistentry>
<varlistentry>
+ <term><option>fido2-pin=</option></term>
+
+ <listitem><para>Controls whether to require the user to enter a PIN when unlocking the volume (the
+ FIDO2 <literal>clientPin</literal> feature). This option only applies when in manual mode, i.e.
+ when <option>fido2-cid=</option> option is set. Defaults to neither true or false, but rather to
+ <constant>v248</constant> behavior, that is: try with no PIN first, but if token reports that PIN
+ is required, try again asking for PIN.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>fido2-up=</option></term>
+
+ <listitem><para>Controls whether to require the user to verify presence (tap the token, the FIDO2
+ <literal>up</literal> feature) when unlocking the volume. This option only applies when in manual
+ mode, i.e. when <option>fido2-cid=</option> option is set. Defaults to neither true or false,
+ but rather to <constant>v248</constant> behavior, that is: try with no UP first, but if token reports
+ that UP is required, try again with UP enabled.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>fido2-uv=</option></term>
+
+ <listitem><para>Controls whether to require user verification (the FIDO2 <literal>uv</literal> feature)
+ when unlocking the volume. This option only applies when in manual mode, i.e. when
+ <option>fido2-cid=</option> option is set. Defaults to neither true or false, but rather to
+ <constant>v248</constant> behavior, that is: omit configuring UV whatsoever.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>tpm2-device=</option></term>
<listitem><para>Takes either the special value <literal>auto</literal> or the path to a device node
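Review bot: none of the three new entries (fido2-pin=, fido2-up=, fido2-uv=) states what values the option accepts, and it is unclear whether <constant>v248</constant> is itself a value the user may write or only the name of the default behaviour; open each entry with the accepted argument (e.g. "Takes a boolean argument.") in the style of the neighbouring tpm2-device= entry, and either list v248 as an explicit value or drop the <constant> markup. Grammar in all three entries: "Defaults to neither true or false" should be "neither true nor false", and "when <option>fido2-cid=</option> option is set" is missing "the". In the fido2-uv= entry, "omit configuring UV whatsoever" reads better as "do not configure UV at all", matching the commit message. Since these options are documented as applying only in manual mode, one sentence on what happens when they are set together with header-stored FIDO2 parameters (silently ignored, or rejected) would save users from assuming a PIN or UV requirement is enforced when it is not.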