From 4d206f1cf9799c4143b78d2b020dda4ab99a9e53 Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo
Date: Wed, 25 Jan 2023 11:53:50 +0100
Subject: [PATCH 1/2] bash-completion: add missing --unlock-fido2-device to systemd-cryptenroll
---
 shell-completion/bash/systemd-cryptenroll | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/shell-completion/bash/systemd-cryptenroll b/shell-completion/bash/systemd-cryptenroll
index 59538141591..66c6524fe8b 100644
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@@ -51,6 +51,7 @@ _systemd-cryptenroll() {
 [STANDALONE]='-h --help --version --password --recovery-key' [ARG]='--unlock-key-file
+ --unlock-fido2-device
 --pkcs11-token-uri --fido2-credential-algorithm --fido2-device
@@ -74,6 +75,9 @@ _systemd-cryptenroll() {
 comps=$(compgen -A file -- "$cur")
 compopt -o filenames
 ;;
+ --unlock-fido2-device)
+ comps="auto $(__get_fido2_devices)"
+ ;;
 --pkcs11-token-uri)
 comps='auto list pkcs11:'
 ;;
From d8c5bd048cd3690250113c04b05de1c3d52119d3 Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo
Date: Wed, 25 Jan 2023 11:58:19 +0100
Subject: [PATCH 2/2] man: add missing --unlock-fido2-device to systemd-cryptenroll
---
 man/systemd-cryptenroll.xml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index a654d492a11..1e9a4457c2c 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -109,6 +109,17 @@ contain the full key.
+
+ PATH
+
+ Use a FIDO2 device instead of a password/passphrase read from stdin to unlock the
+ volume. Expects a hidraw device referring to the FIDO2 device (e.g.
+ /dev/hidraw1). Alternatively the special value auto may be
+ specified, in order to automatically determine the device node of a currently plugged in security
+ token (of which there must be exactly one). This automatic discovery is unsupported if
+ option is also specified.
+
+
 URI
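Review bot: In the `@@ -74,6 +75,9 @@` hunk of shell-completion/bash/systemd-cryptenroll, the new `--unlock-fido2-device)` branch builds its completions from `$(__get_fido2_devices)`, a helper defined outside this hunk; if that helper enumerates tokens by running a command that can fail (no token plugged in, insufficient device permissions), any stderr it produces is printed into the user's command line at tab time, so it is worth confirming the helper already silences stderr, or otherwise writing `comps="auto $(__get_fido2_devices 2>/dev/null)"`. The list offered here is `auto` plus device paths only, which agrees with the companion man-page patch, where `list` is not documented as a special value for this option. The enclosing `case` statement and the `_systemd-cryptenroll` function both start and end outside the hunk.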
@@ -151,7 +162,8 @@ extension (e.g. a YubiKey). Expects a hidraw device referring to the FIDO2 device (e.g. /dev/hidraw1). Alternatively the special value auto may be specified, in order to automatically determine the device node of a
- currently plugged in security token (of which there must be exactly one). The special value
+ currently plugged in security token (of which there must be exactly one). This automatic discovery
+ is unsupported if option is also specified. The special value
 list may be used to enumerate all suitable FIDO2 tokens currently plugged in. Note that many hardware security tokens that implement FIDO2 also implement the older PKCS#11 standard. Typically FIDO2 is preferable, given it's simpler to use and more modern.