author | Marek Mahut <marek.mahut@gmail.com> | 2020-01-17 10:39:22 +0100 |
---|---|---|
committer | Marek Mahut <marek.mahut@gmail.com> | 2020-01-22 16:00:40 +0100 |
commit | c4d75cbb0c4cfe7311ff056d475e46510ccc88ee (patch) | |
tree | 35e067b4593c8049bde47441daa72c333cdb1c5a /nixos | |
parent | a5798cf78ea3ff7ed3f8fadbea5e293c36c96d44 (diff) | |
boot.initrd.luks: adding a warning when using FIDO2 with kernel ≤ 5.4
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 56 |
1 files changed, 16 insertions, 40 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 2253b9251cd..31f1e22cda3 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -4,6 +4,7 @@ with lib;
 let
   luks = config.boot.initrd.luks;
+  kernelPackages = config.boot.kernelPackages;
   commonFunctions = ''
     die() {
@@ -103,33 +104,6 @@ let
       fi
       return 0
     }
-
-    wait_fido2key () {
-      local secs="''${1:-10}"
-
-      fido2luks connected 1>/dev/null 2>&1
-      if [ $? != 0 ]; then
-        echo -n "Waiting $secs seconds for the FIDO2 key to appear..."
-        local success=false
-        for try in $(seq $secs); do
-          echo -n .
-          sleep 1
-          fido2luks connected 1>/dev/null 2>&1
-          if [ $? == 0 ]; then
-            success=true
-            break
-          fi
-        done
-        if [ $success == true ]; then
-          echo " - success";
-          return 0
-        else
-          echo " - failure";
-          return 1
-        fi
-      fi
-      return 0
-    }
   '';
   preCommands = ''
@@ -419,19 +393,21 @@ let
       open_with_hardware() {
         local passsphrase
-        if wait_fido2key ${toString fido2.gracePeriod}; then
-          ${if fido2.passwordLess then ''
-            export passphrase=""
-          '' else ''
-            echo -n "FIDO2 salt for ${device}: "
-            read -rs passphrase
-            echo
-          ''}
-          echo "Waiting for your FIDO2 device..."
-          fido2luks -i open ${device} ${name} ${fido2.credential} --salt string:$passphrase
-        else
-          echo "No FIDO2 key found, falling back to normal open procedure"
-          open_normally
+        ${if fido2.passwordLess then ''
+          export passphrase=""
+        '' else ''
+          read -rsp "FIDO2 salt for ${device}: " passphrase
+          echo
+        ''}
+        ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
+          echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
+          echo "Please move your mouse to create needed randomness."
+        ''}
+        echo "Waiting for your FIDO2 device..."
+        fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
+        if [ $? -ne 0 ]; then
+          echo "No FIDO2 key found, falling back to normal open procedure"
+          open_normally
         fi
       }
     ''}
|
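Review bot: The secret read by the new `read -rsp "FIDO2 salt for ${device}: " passphrase` line ends up in a global shell variable, because the pre-existing context line at the top of the function declares `local passsphrase` (three s), so the salt stays in the initrd shell's variables after open_with_hardware returns; changing that line to `local passphrase` scopes it to the function. Separately, the new `if [ $? -ne 0 ]; then` branch reports every non-zero fido2luks exit, including a failed unlock with the key present, as "No FIDO2 key found"; a neutral message such as `echo "FIDO2 unlock failed, falling back to normal open procedure"` would not mislead the user at the console. The `lib.versionOlder kernelPackages.kernel.version "5.4"` test warns only for kernels below 5.4, while the commit title speaks of ≤ 5.4, so one of the two should be aligned with the other. The surrounding Nix let-binding continues outside the hunk.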