1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
systemd/shell-completion/bash/systemd-cryptenroll
Kamil Szczęk e262205eb7 cryptenroll: support for enrolling FIDO2 tokens in manual mode
systemd-cryptsetup supports a FIDO2 mode with manual parameters, where
the user provides all the information necessary for recreating the
secret, such as: credential ID, relaying party ID and the salt. This
feature works great for implementing 2FA schemes, where the salt file
is for example a secret unsealed from the TPM or some other source.
While the unlocking part is quite straightforward to set up, enrolling
such a keyslot - not so easy. There is no clearly documented
way on how to set this up and online resources are scarce on this topic
too. By implementing a straightforward way to enroll such a keyslot
directly from systemd-cryptenroll we streamline the enrollment process
and reduce chances for user error when doing such things manually.
2024-06-20 14:26:24 +02:00

125 lines
3.8 KiB
Bash

# shellcheck shell=bash
# systemd-cryptenroll(1) completion -*- shell-script -*-
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# systemd is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with systemd; If not, see <https://www.gnu.org/licenses/>.
__contains_word() {
local w word=$1; shift
for w in "$@"; do
[[ $w = "$word" ]] && return
done
}
__get_fido2_devices() {
local i
for i in /dev/hidraw*; do
[ -c "$i" ] && printf '%s\n' "$i"
done
}
__get_tpm2_devices() {
local i
for i in /dev/tpmrm*; do
[ -c "$i" ] && printf '%s\n' "$i"
done
}
__get_block_devices() {
local i
for i in /dev/*; do
[ -b "$i" ] && printf '%s\n' "$i"
done
}
_systemd_cryptenroll() {
local comps
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
local -A OPTS=(
[STANDALONE]='-h --help --version
--password --recovery-key'
[ARG]='--unlock-key-file
--unlock-fido2-device
--unlock-tpm2-device
--pkcs11-token-uri
--fido2-credential-algorithm
--fido2-device
--fido2-salt-file
--fido2-parameters-in-header
--fido2-with-client-pin
--fido2-with-user-presence
--fido2-with-user-verification
--tpm2-device
--tpm2-device-key
--tpm2-seal-key-handle
--tpm2-pcrs
--tpm2-public-key
--tpm2-public-key-pcrs
--tpm2-signature
--tpm2-with-pin
--tpm2-pcrlock
--wipe-slot'
)
_init_completion || return
if __contains_word "$prev" ${OPTS[ARG]}; then
case $prev in
--unlock-key-file|--fido2-salt-file|--tpm2-device-key|--tpm2-public-key|--tpm2-signature|--tpm2-pcrlock)
comps=$(compgen -A file -- "$cur")
compopt -o filenames
;;
--unlock-fido2-device)
comps="auto $(__get_fido2_devices)"
;;
--unlock-tpm2-device)
comps="auto $(__get_tpm2_devices)"
;;
--pkcs11-token-uri)
comps='auto list pkcs11:'
;;
--fido2-credential-algorithm)
comps='es256 rs256 eddsa'
;;
--fido2-device)
comps="auto list $(__get_fido2_devices)"
;;
--fido2-parameters-in-header|--fido2-with-client-pin|--fido2-with-user-presence|--fido2-with-user-verification|--tpm2-with-pin)
comps='yes no'
;;
--tpm2-device)
comps="auto list $(__get_tpm2_devices)"
;;
--wipe-slot)
comps='all empty password recovery pkcs11 fido2 tpm2'
;;
esac
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0
fi
if [[ "$cur" = -* ]]; then
COMPREPLY=( $(compgen -W '${OPTS[*]}' -- "$cur") )
return 0
fi
comps=$(__get_block_devices)
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0
}
complete -F _systemd_cryptenroll systemd-cryptenroll