| author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-04-12 22:06:59 +0200 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2021-05-07 22:36:27 +0200 |
| commit | cde2f8605e0c3842f9a87785dd758f955f2d04ba (patch) | |
| tree | 26d259cdb23f9ace361340a87d584ab379259fde /src/home | |
| parent | cryptsetup: add 'headless' parameter to skip password/pin query (diff) | |
| download | systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.tar.xz, systemd-cde2f8605e0c3842f9a87785dd758f955f2d04ba.zip | |
FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246
Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
Diffstat (limited to 'src/home')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | src/home/homectl-fido2.c | 1 |
| -rw-r--r-- | src/home/homework-fido2.c | 1 |

2 files changed, 2 insertions, 0 deletions
diff --git a/src/home/homectl-fido2.c b/src/home/homectl-fido2.c index d5edec1bc4..76775ee6bd 100644 --- a/src/home/homectl-fido2.c +++ b/src/home/homectl-fido2.c @@ -158,6 +158,7 @@ int identity_add_fido2_parameters( /* user_display_name= */ rn ? json_variant_string(rn) : NULL, /* user_icon_name= */ NULL, /* askpw_icon_name= */ "user-home", + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &cid, &cid_size, &salt, &salt_size, &secret, &secret_size, diff --git a/src/home/homework-fido2.c b/src/home/homework-fido2.c index 87d301c5b4..818f2a5d16 100644 --- a/src/home/homework-fido2.c +++ b/src/home/homework-fido2.c @@ -29,6 +29,7 @@ int fido2_use_token( salt->credential.id, salt->credential.size, secret->token_pin, h->fido2_user_presence_permitted > 0, + FIDO2ENROLL_PIN, // FIXME: add a --lock-with-pin parameter like cryptenroll &hmac, &hmac_size); if (r < 0) |
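Review bot: In the homectl-fido2.c hunk, `identity_add_fido2_parameters()` hard-codes `FIDO2ENROLL_PIN` for every enrollment, so homed unconditionally asks for a client PIN and the "let the user choose whether to use a PIN" behaviour the commit message describes only exists in cryptenroll. The `// FIXME: add a --lock-with-pin parameter like cryptenroll` comment acknowledges this but leaves no trail; please either wire the flag through now, or file a follow-up issue and reference it in the comment so the hard-coded constant does not silently become permanent. Also note that a token which has no PIN configured, or whose PIN policy is "optional", will be treated as PIN-required here, which is a user-visible behaviour change worth calling out in the commit message.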
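Review bot: In the homework-fido2.c hunk, the unlock path in `fido2_use_token()` also passes the constant `FIDO2ENROLL_PIN` instead of reading the enrollment-time choice from the stored record, even though the commit message says the choice is recorded in the header metadata precisely so that unlock can replay it. The adjacent argument `h->fido2_user_presence_permitted > 0` shows the pattern that should be followed: add a matching per-record field for the PIN choice, persist it at enrollment, and pass that here, so that a later `--lock-with-pin` option in homectl cannot drift out of sync with what homework assumes. Until then, the two FIXMEs should at least reference the same tracking issue so they are fixed together.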