Looking for hackers with the skills:

Nothing? Add some keywords!

This project is part of:

Hack Week 21

Activity

  • 11 months ago: dsterba liked this project.
  • 12 months ago: bchou liked this project.
  • 12 months ago: oertel originated this project.

  • Comments

    • oertel
      11 months ago by oertel | Reply

      worked on the luks2.sh script from https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2 to support the setup of just /boot/efi separate and / including /boot on lvm inside the crypted disk

      #!/bin/bash
      
      LVM=""
      GRUB_MOUNT=$(df /boot/grub2 | tail -n1)
      GRUB_MOUNT=${GRUB_MOUNT%% *}
      set -- $(lsblk -p -r | grep "^$GRUB_MOUNT")
      DEV=$1
      TYP=$6
      MP=$7
      case $TYP in
          lvm)
              LVM="lvm"
              LVM_GRUB=${GRUB_MOUNT#/dev/mapper/}
              GRUB_ROOT="($LVM/$LVM_GRUB)"
              case $MP in
                      /) GRUB_PREFIX=($LVM/$LVM_GRUB)/boot/grub2 ;;
                      /boot) GRUB_PREFIX=($LVM/$LVM_GRUB)/grub2 ;;
                      /boot/grub2) GRUB_PREFIX=($LVM/$LVM_GRUB) ;;
              esac
          ;;
          part)
              LVM=""
              case $DEV in
                      /dev/sda*) DISK=hd0 ;;
                      /dev/sdb*) DISK=hd1 ;;
                      /dev/sdc*) DISK=hd2 ;;
              esac
              PART=${DEV: -1}
              GRUB_PREFIX="($DISK.gpt$PART)"
              case $MP in
                      /) echo "/ not encrypted, not needed here" ; exit 1 ;;
                      /boot) GRUB_PREFIX="$GRUB_PREFIX/grub2" ;;
              esac
          ;;
      esac
      
      set -- $(lsblk -p -r | grep " /$")
      ROOT_DEV=$1
      ROOT_TYP=$6
      case $ROOT_TYP in
          crypt) GRUB_ROOT=crypto0 ;;
      esac
      set -- $(blkid | grep crypto_LUKS)
      #second param is UUID=
      eval $2
      #drop the - dashes
      TARGET=${UUID//-/}
      
      GRUB_MODULES="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs gcry_sha256 gcry_sha1 ext2 luks $LVM"
      
      grub2-install --target=x86_64-efi --modules="$GRUB_MODULES"
      
      CONFIG=$(mktemp /tmp/grub-config.XXXXX)
      cat >"$CONFIG" <<EOF
      cryptomount -u "$TARGET"
      set root=$GRUB_ROOT
      set prefix=$GRUB_PREFIX
      insmod normal
      normal
      EOF
      
      
      cat $CONFIG
      
      grub2-mkimage \
          -p "$GRUB_PREFIX" \
          -O x86_64-efi \
          -c "$CONFIG" \
          -o /tmp/image \
          $GRUB_MODULES
      rm "$CONFIG"
      
      cp -v /tmp/image /boot/efi/EFI/opensuse/grubx64.efi
      
      

    • oertel
      11 months ago by oertel | Reply

      hacked up a patch for systemd to have a chance to notice the user should touch the token on bootup

      --- a/src/shared/libfido2-util.c
      +++ b/src/shared/libfido2-util.c
      @@ -345,6 +345,13 @@ static int fido2_use_hmac_hash_specific_token(
                                       log_notice("%s%sPlease confirm presence on security to unlock.",
                                                  emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
                                                  emoji_enabled() ? " " : "");
      +
      +                                if (!retry_with_up) {
      +                                        /* notify user for a few secs on first try */
      +                                        _cleanup_(strv_free_erasep) char **pin = NULL;
      +                                        ask_password_auto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usec_add(now(CLOCK_MONOTONIC), 5 * USEC_PER_SEC), 0, &pin);
      +                                }
      +
                                       retry_with_up = true;
                               }
      
      
      

    • oertel
      11 months ago by oertel | Reply

      for systemd on 15.4 this is:

      --- systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c     2022/07/01 09:41:51     1.1
      +++ systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c     2022/07/01 09:42:43
      @@ -292,6 +292,11 @@
                               log_notice("%s%sPlease confirm presence on security token to unlock.",
                                          emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "",
                                          emoji_enabled() ? " " : "");
      +
      +                        /* notify user for a few secs on first try */
      +                        _cleanup_(strv_free_erasep) char **pin = NULL;
      +                        ask_password_auto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usec_add(now(CLOCK_MONOTONIC), 5 * USEC_PER_SEC), 0, &pin);
      +
               }
      
               if (has_uv && !FLAGS_SET(required, FIDO2ENROLL_UV_OMIT)) {
      

    Similar Projects

    This project is one of its kind!