author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 23:48:05 +0200 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 22:36:27 +0200 |
commit | 06f087192d27d6bbb237f8966c2fa2d6b790f7f2 (patch) | |
tree | 8daf3fe42fdf69acc142c0fe2669e179e7b29bc4 /src/home/homework-fido2.c | |
parent | FIDO2: support pin-less LUKS enroll/unlock (diff) | |
FIDO2: ask and record whether user presence was used to lock the volume
In some cases user presence might not be required to get _a_
secret out of a FIDO2 device, but it might be required to
get the actual secret that was used to lock the volume.
Record whether we used it in the LUKS header JSON metadata.
Let the cryptenroll user ask for the feature, but bail out if it is
required by the token and the user disabled it.
Enabled by default.
Diffstat (limited to 'src/home/homework-fido2.c')
-rw-r--r-- | src/home/homework-fido2.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/home/homework-fido2.c b/src/home/homework-fido2.c index 818f2a5d16..8811c00550 100644 --- a/src/home/homework-fido2.c +++ b/src/home/homework-fido2.c @@ -28,8 +28,7 @@ int fido2_use_token( salt->salt, salt->salt_size, salt->credential.id, salt->credential.size, secret->token_pin, - h->fido2_user_presence_permitted > 0, - FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll + FIDO2ENROLL_PIN | (h->fido2_user_presence_permitted > 0 ? FIDO2ENROLL_UP : 0), // FIXME: add a --lock-with-pin parameter like cryptenroll &hmac, &hmac_size); if (r < 0) |
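Review bot: the replacement argument derives FIDO2ENROLL_UP from `h->fido2_user_presence_permitted > 0`, so any record in which that field is unset or negative (i.e. a tri-state "unknown" value) will now call the unlock without the user-presence flag; please confirm that this matches the "Enabled by default" behaviour described in the commit message, since a record written before this field existed would otherwise be unlocked with different flags than it was enrolled with. The hunk also carries the old `// FIXME: add a --lock-with-pin parameter like cryptenroll` comment onto the new line while `FIDO2ENROLL_PIN` stays unconditional, so the PIN requirement is still not recorded per user record the way the user-presence bit now is; either drop the stale comment or reference the follow-up that will add the corresponding `fido2_user_verification_permitted`-style field.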