authorChristian Kögler <ck3d@gmx.de>2022-09-11 07:42:57 +0200
committerGitHub <noreply@github.com>2022-09-11 07:42:57 +0200
commit0ea763fab6c73634e11cb9cfbbe1b69372f1fbb0 (patch)
treebf264aa2df648676b125e6b606cfd42772e0a29b /nixos
parent8a039bc1ddd6bdcc34602f26aaa4b1c980cd502c (diff)
parent5e4921013b1999196bc07ec9992a72ebade8ae01 (diff)
Merge pull request #188009 from martiert/fido2luks
nixos/luksroot: Support adding a list of credentials to fido2luks
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/system/boot/luksroot.nix18
1 files changed, 15 insertions, 3 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index a076ea24a422..38f8b6fd87c2 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -148,6 +148,7 @@ let
            + optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
            + optionalString (dev.header != null) " --header=${dev.header}";
     cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
+    fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
   in ''
     # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
     # if on a USB drive.
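Review bot: The merged list on the new `fido2luksCredentials` line is not deduplicated, so a credential ID that is set in `fido2.credential` and also listed in `fido2.credentials` is passed to fido2luks twice in the joined argument; `fido2luksCredentials = lib.unique (dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential);` avoids that. Whether fido2luks tolerates a repeated ID is not visible here, so the cheap normalisation on the Nix side seems preferable. The enclosing `let` binding list starts and continues outside this hunk.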
@@ -417,7 +418,7 @@ let
     }
     ''}
 
-    ${optionalString (luks.fido2Support && (dev.fido2.credential != null)) ''
+    ${optionalString (luks.fido2Support && fido2luksCredentials != []) ''
 
     open_with_hardware() {
       local passsphrase
@@ -433,7 +434,7 @@ let
           echo "Please move your mouse to create needed randomness."
         ''}
           echo "Waiting for your FIDO2 device..."
-          fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} ${dev.fido2.credential} --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
+          fido2luks open${optionalString dev.allowDiscards " --allow-discards"} ${dev.device} ${dev.name} "${builtins.concatStringsSep "," fido2luksCredentials}" --await-dev ${toString dev.fido2.gracePeriod} --salt string:$passphrase
         if [ $? -ne 0 ]; then
           echo "No FIDO2 key found, falling back to normal open procedure"
           open_normally
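Review bot: The credential list on the new `fido2luks open` line is interpolated into the initrd shell script inside plain double quotes, so a credential string containing `"`, `$` or a backtick would alter the command rather than be passed through, and the option type `types.listOf types.str` rejects nothing upstream. Using `${lib.escapeShellArg (builtins.concatStringsSep "," fido2luksCredentials)}` in place of the hand-quoted interpolation makes the argument boundary independent of the contents. On the same line `$passphrase` is still unquoted in `--salt string:$passphrase`, so a passphrase containing whitespace or glob characters is word-split before it reaches fido2luks; `--salt "string:$passphrase"` fixes that (pre-existing, but it is on the line being rewritten). The `local passsphrase` declaration at the top of `open_with_hardware` in the previous hunk also looks misspelled, which would leave `passphrase` non-local in the script — worth confirming against the lines between the hunks. `open_with_hardware` begins and ends outside this hunk.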
@@ -444,7 +445,7 @@ let
     # commands to run right before we mount our device
     ${dev.preOpenCommands}
 
-    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && (dev.fido2.credential != null)) then ''
+    ${if (luks.yubikeySupport && (dev.yubikey != null)) || (luks.gpgSupport && (dev.gpgCard != null)) || (luks.fido2Support && fido2luksCredentials != []) then ''
     open_with_hardware
     '' else ''
     open_normally
@@ -695,6 +696,17 @@ in
               description = lib.mdDoc "The FIDO2 credential ID.";
             };
 
+            credentials = mkOption {
+              default = [];
+              example = [ "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2" ];
+              type = types.listOf types.str;
+              description = lib.mdDoc ''
+                List of FIDO2 credential IDs.
+
+                Use this if you have multiple FIDO2 keys you want to use for the same luks device.
+              '';
+            };
+
             gracePeriod = mkOption {
               default = 10;
               type = types.int;
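Review bot: The description of the new `credentials` option does not say how it relates to the existing `credential` option, although the `fido2luksCredentials` binding in the first hunk appends `credential` to this list, so a user who sets both gets all of them. Suggest extending the description to `List of FIDO2 credential IDs. These are combined with the single `credential` option, so either or both may be set. Use this if you have multiple FIDO2 keys you want to use for the same luks device.` If credential IDs are always hex-encoded, as the `example` suggests, a `types.strMatching` element type would reject malformed values at evaluation time instead of at boot; whether the existing `credential` option already restricts its type is not visible here. The enclosing `fido2` option set continues outside this hunk.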