From c4d75cbb0c4cfe7311ff056d475e46510ccc88ee Mon Sep 17 00:00:00 2001 From: Marek Mahut <marek.mahut@gmail.com> Date: Fri, 17 Jan 2020 10:39:22 +0100 Subject: [PATCH] =?UTF-8?q?boot.initrd.luks:=20adding=20a=20warning=20when?= =?UTF-8?q?=20using=20FIDO2=20with=20kernel=20=E2=89=A4=205.4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nixos/modules/system/boot/luksroot.nix | 56 ++++++++------------------ 1 file changed, 16 insertions(+), 40 deletions(-) diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 2253b9251cd..31f1e22cda3 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -4,6 +4,7 @@ with lib; let luks = config.boot.initrd.luks; + kernelPackages = config.boot.kernelPackages; commonFunctions = '' die() { @@ -103,33 +104,6 @@ let fi return 0 } - - wait_fido2key () { - local secs="''${1:-10}" - - fido2luks connected 1>/dev/null 2>&1 - if [ $? != 0 ]; then - echo -n "Waiting $secs seconds for the FIDO2 key to appear..." - local success=false - for try in $(seq $secs); do - echo -n . - sleep 1 - fido2luks connected 1>/dev/null 2>&1 - if [ $? == 0 ]; then - success=true - break - fi - done - if [ $success == true ]; then - echo " - success"; - return 0 - else - echo " - failure"; - return 1 - fi - fi - return 0 - } ''; preCommands = '' 
@@ -419,19 +393,21 @@ let open_with_hardware() { local passsphrase - if wait_fido2key ${toString fido2.gracePeriod}; then - ${if fido2.passwordLess then '' - export passphrase="" - '' else '' - echo -n "FIDO2 salt for ${device}: " - read -rs passphrase - echo - ''} - echo "Waiting for your FIDO2 device..." - fido2luks -i open ${device} ${name} ${fido2.credential} --salt string:$passphrase - else - echo "No FIDO2 key found, falling back to normal open procedure" - open_normally + ${if fido2.passwordLess then '' + export passphrase="" + '' else '' + read -rsp "FIDO2 salt for ${device}: " passphrase + echo + ''} + ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") '' + echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest." + echo "Please move your mouse to create needed randomness." + ''} + echo "Waiting for your FIDO2 device..." + fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase + if [ $? -ne 0 ]; then + echo "No FIDO2 key found, falling back to normal open procedure" + open_normally fi } ''}
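Review bot: The new fido2luks call passes the salt unquoted, `--salt string:$passphrase`, so a user-chosen salt containing whitespace or glob characters is word-split by the initrd shell and a different key is derived without any error; the argument should be `--salt "string:$passphrase"`. The `if [ $? -ne 0 ]` that follows treats every non-zero exit the same way and prints "No FIDO2 key found", although a wrong salt, a bad credential or a timeout from `--await-dev` all land on the same branch, so the fallback message misleads the user about why the hardware path failed; capturing the status with `rc=$?` and printing it, e.g. `echo "FIDO2 unlock failed (exit $rc), falling back to normal open procedure"`, would make the failure mode visible. The context line `local passsphrase` is misspelled, so `passphrase` read on the new `read -rsp` line becomes a shell global that outlives the function; that line predates this commit but the new code inherits the leak. The kernel check uses `versionOlder … "5.4"` (strictly less than), which matches the printed message but not the "≤ 5.4" wording of the commit subject — worth aligning one or the other.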