authorMartin Ertsås <martiert@gmail.com>2022-08-23 10:27:41 +0200
committerMartin Ertsås <martiert@gmail.com>2022-09-01 08:55:46 +0200
commit5e4921013b1999196bc07ec9992a72ebade8ae01 (patch)
treeff6b2cb2588b8b561b77bb2a73c0643874db9c07 /nixos
parent6512b21eabb4d52e87ea2edcf31a288e67b2e4f8 (diff)
nixos/luksroot: Support adding a list of credentials to fido2luks
This adds support for using multiple fido2 keys for luks decryption
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/system/boot/luksroot.nix18
1 files changed, 15 insertions, 3 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 78301a57bd9..d8f273a4342 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -148,6 +148,7 @@ let
            + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
            + optionalString (dev.header != null) " --header=${dev.header}";
     cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
+    fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
   in ''
     # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
     # if on a USB drive.
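Review bot: The new `fido2luksCredentials` binding hands the same ID to fido2luks twice when a user sets it in both `credential` and `credentials`, since the concatenation is not deduplicated. `unique` from lib (already in scope, like the unqualified `optionalString` two lines above) fixes that: `fido2luksCredentials = unique (dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential);`. The enclosing `let` begins before this hunk.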
@@ -417,7 +418,7 @@ let
     }
     ''}
 
-    ${optionalString (luks.fido2Support && (dev.fido2.credential != null)) ''
+    ${optionalString (luks.fido2Support && fido2luksCredentials != []) ''
 
     open_with_hardware() {
       local passsphrase
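Review bot: The guard `luks.fido2Support && fido2luksCredentials != []` is written out here and again in the `if` at the hunk starting at old line 444, so the two can drift apart on the next change. A single binding next to `fido2luksCredentials`, `fido2luksEnabled = luks.fido2Support && fido2luksCredentials != [];`, used in both places keeps the enable condition in one spot. The `open_with_hardware` function opened here continues beyond the hunk.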
@@ -433,7 +434,7 @@ let
           echo "Please move your mouse to create needed randomness."
         ''}
           echo "Waiting for your FIDO2 device..."
-          fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} ${dev.fido2.credential} --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
+          fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} "${builtins.concatStringsSep "," fido2luksCredentials}" --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
         if [ $? -ne 0 ]; then
           echo "No FIDO2 key found, falling back to normal open procedure"
           open_normally
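Review bot: The rewritten `fido2luks open` line uses `builtins.concatStringsSep` while every other helper on these lines (`optionalString`, `toString`) comes from lib unqualified; `concatStringsSep` is in lib as well, so `"${concatStringsSep "," fido2luksCredentials}"` matches the file's style. The added double quotes are what keep the joined list a single shell word, so that depends on no entry containing a `"` or `$`, which the option type does not currently enforce. The body of `open_with_hardware` starts before this hunk.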
@@ -444,7 +445,7 @@ let
     # commands to run right before we mount our device
     ${dev.preOpenCommands}
 
-    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && (dev.fido2.credential != null)) then ''
+    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && fido2luksCredentials != []) then ''
     open_with_hardware
     '' else ''
     open_normally
@@ -695,6 +696,17 @@ in
               description = lib.mdDoc "The FIDO2 credential ID.";
             };
 
+            credentials = mkOption {
+              default = [];
+              example = [ "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2" ];
+              type = types.listOf types.str;
+              description = lib.mdDoc ''
+                List of FIDO2 credential IDs.
+
+                Use this if you have multiple FIDO2 keys you want to use for the same luks device.
+              '';
+            };
+
             gracePeriod = mkOption {
               default = 10;
               type = types.int;
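Review bot: `type = types.listOf types.str;` accepts any string, yet each entry is interpolated verbatim into the initrd shell script inside double quotes, so an entry with whitespace, `"` or `$` would yield a broken or misparsed `fido2luks open` line at boot rather than an evaluation error. If fido2luks credential IDs are always hex, as the example value suggests, `type = types.listOf (types.strMatching "[0-9a-fA-F]+");` rejects such input at evaluation time. The description should also state that these IDs are combined with `credential`, e.g. add `These are used in addition to {option}`credential`, if it is set.` before the closing `''`.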