systemd-cryptsetup supports a FIDO2 mode with manual parameters, where the user provides all the information necessary for recreating the secret, such as: credential ID, relying party ID and the salt. This feature works great for implementing 2FA schemes, where the salt file is for example a secret unsealed from the TPM or some other source. While the unlocking part is quite straightforward to set up, enrolling such a keyslot - not so easy. There is no clearly documented way to set this up and online resources are scarce on this topic too. By implementing a straightforward way to enroll such a keyslot directly from systemd-cryptenroll we streamline the enrollment process and reduce the chances of user error when doing such things manually.
# shellcheck shell=bash
# systemd-cryptenroll(1) completion -*- shell-script -*-
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# systemd is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with systemd; If not, see <https://www.gnu.org/licenses/>.

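#######################################
# Test whether a word is one of a list of words.
# Arguments: $1 - the word to look for
#            $2.. - the candidate words
# Returns:   0 if $1 exactly matches one candidate, 1 otherwise
#######################################
__contains_word() {
    local needle=$1 candidate
    shift
    for candidate in "$@"; do
        # Quoted RHS: literal comparison, no pattern matching.
        [[ $candidate == "$needle" ]] && return 0
    done
    # Without this, an empty candidate list made the function succeed,
    # because a 'for' loop that never runs exits with status 0.
    return 1
}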
#######################################
# List candidate FIDO2 device nodes.
# Outputs:   every existing /dev/hidraw* character device, one per line
#######################################
__get_fido2_devices() {
    local dev
    # If nothing matches, the literal pattern is left in $dev and the
    # character-device test simply fails, so nothing is printed.
    for dev in /dev/hidraw*; do
        [[ -c $dev ]] && printf '%s\n' "$dev"
    done
}
#######################################
# List candidate TPM2 device nodes.
# Outputs:   every existing /dev/tpmrm* character device, one per line
#######################################
__get_tpm2_devices() {
    local dev
    # An unmatched glob leaves the pattern itself in $dev; the -c test
    # rejects it, so an absent TPM yields empty output.
    for dev in /dev/tpmrm*; do
        [[ -c $dev ]] && printf '%s\n' "$dev"
    done
}
#######################################
# List block device nodes that may be enrolled.
# Outputs:   every /dev/* entry that is a block device, one per line
#######################################
__get_block_devices() {
    local node
    for node in /dev/*; do
        # Only block devices are valid targets; skip everything else in /dev.
        [[ -b $node ]] && printf '%s\n' "$node"
    done
}
#######################################
# Bash completion for systemd-cryptenroll(1).
# Completes the value of a value-taking option when one precedes the
# cursor, option names when the current word starts with '-', and block
# device nodes otherwise.
# Globals:   COMP_WORDS, COMP_CWORD (read); COMPREPLY (written)
# Requires:  _init_completion from bash-completion (sets cur/prev/words/cword)
# Returns:   0, or the status of _init_completion when it fails
#######################################
_systemd_cryptenroll() {
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local candidates
    local -A OPTS=(
        [STANDALONE]='-h --help --version
                      --password --recovery-key'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
               --pkcs11-token-uri
               --fido2-credential-algorithm
               --fido2-device
               --fido2-salt-file
               --fido2-parameters-in-header
               --fido2-with-client-pin
               --fido2-with-user-presence
               --fido2-with-user-verification
               --tpm2-device
               --tpm2-device-key
               --tpm2-seal-key-handle
               --tpm2-pcrs
               --tpm2-public-key
               --tpm2-public-key-pcrs
               --tpm2-signature
               --tpm2-with-pin
               --tpm2-pcrlock
               --wipe-slot'
    )

    _init_completion || return

    # OPTS[ARG] is deliberately unquoted: the list is split into words.
    if __contains_word "$prev" ${OPTS[ARG]}; then
        # The previous word takes a value; choose candidates per option.
        # Options without a dedicated arm (e.g. --tpm2-pcrs) leave the
        # candidate list empty and so produce no completions.
        case $prev in
            --unlock-key-file|--fido2-salt-file|--tpm2-device-key|--tpm2-public-key|--tpm2-signature|--tpm2-pcrlock)
                candidates=$(compgen -A file -- "$cur")
                compopt -o filenames
                ;;
            --unlock-fido2-device)
                candidates="auto $(__get_fido2_devices)"
                ;;
            --fido2-device)
                candidates="auto list $(__get_fido2_devices)"
                ;;
            --unlock-tpm2-device)
                candidates="auto $(__get_tpm2_devices)"
                ;;
            --tpm2-device)
                candidates="auto list $(__get_tpm2_devices)"
                ;;
            --pkcs11-token-uri)
                candidates='auto list pkcs11:'
                ;;
            --fido2-credential-algorithm)
                candidates='es256 rs256 eddsa'
                ;;
            --fido2-parameters-in-header|--fido2-with-client-pin|--fido2-with-user-presence|--fido2-with-user-verification|--tpm2-with-pin)
                candidates='yes no'
                ;;
            --wipe-slot)
                candidates='all empty password recovery pkcs11 fido2 tpm2'
                ;;
        esac
    elif [[ $cur == -* ]]; then
        # The current word looks like an option: offer every known option.
        candidates=${OPTS[*]}
    else
        # Positional argument: the block device to enroll a key slot on.
        candidates=$(__get_block_devices)
    fi

    # Single quotes are intentional: compgen -W expands the word list
    # itself, which is the usual bash-completion idiom.
    COMPREPLY=( $(compgen -W '$candidates' -- "$cur") )
    return 0
}
# Register _systemd_cryptenroll as the completion handler for systemd-cryptenroll.
complete -F _systemd_cryptenroll systemd-cryptenroll