boot.initrd.luks: adding a warning when using FIDO2 with kernel ≤ 5.4

2020-01-17 10:39:22 +01:00 · 2020-01-17 10:39:22 +01:00 · c4d75cbb0c
parent a5798cf78e
commit c4d75cbb0c
1 changed files with 16 additions and 40 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -4,6 +4,7 @@ with lib;
 let
  luks = config.boot.initrd.luks;
  kernelPackages = config.boot.kernelPackages;
  commonFunctions = ''
    die() {
@ -103,33 +104,6 @@ let
        fi
        return 0
    }
    wait_fido2key () {
        local secs="''${1:-10}"
        fido2luks connected 1>/dev/null 2>&1
        if [ $? != 0 ]; then
            echo -n "Waiting $secs seconds for the FIDO2 key to appear..."
            local success=false
            for try in $(seq $secs); do
                echo -n .
                sleep 1
                fido2luks connected 1>/dev/null 2>&1
                if [ $? == 0 ]; then
                    success=true
                    break
                fi
            done
            if [ $success == true ]; then
                echo " - success";
                return 0
            else
                echo " - failure";
                return 1
            fi
        fi
        return 0
    }
  '';
  preCommands = ''
@ -419,19 +393,21 @@ let
    open_with_hardware() {
      local passsphrase
-      if wait_fido2key ${toString fido2.gracePeriod}; then
+        ${if fido2.passwordLess then ''
-          ${if fido2.passwordLess then ''
+          export passphrase=""
-            export passphrase=""
+        '' else ''
-          '' else ''
+          read -rsp "FIDO2 salt for ${device}: " passphrase
-            echo -n "FIDO2 salt for ${device}: "
+          echo
-            read -rs passphrase
+        ''}
-            echo
+        ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
-          ''}
+          echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
-            echo "Waiting for your FIDO2 device..."
+          echo "Please move your mouse to create needed randomness."
-            fido2luks -i open ${device} ${name} ${fido2.credential} --salt string:$passphrase
+        ''}
-        else
+          echo "Waiting for your FIDO2 device..."
-            echo "No FIDO2 key found, falling back to normal open procedure"
+          fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
-            open_normally
+        if [ $? -ne 0 ]; then
          echo "No FIDO2 key found, falling back to normal open procedure"
          open_normally
        fi
    }
    ''}