fix: added initramfs verification to luks-enable-fido2-unlock (secure…

…blue#762)
RoyalOughtness · Jan 8, 2025 · 1452ca6 · 1452ca6
1 parent 4848a11
commit 1452ca6
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 16 deletions.
diff --git a/files/system/usr/libexec/luks-disable-fido2-unlock b/files/system/usr/libexec/luks-disable-fido2-unlock
@@ -19,10 +19,11 @@ set -eou pipefail
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
 echo "WARNING this script will remove ALL currently configured fido2 luks unlock slots."
-echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "This will modify your system and disable fido2 auto-unlock of your LUKS partition!"
-echo "This script is designed to work with it's corresponding secureblue fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created." 
+echo ""
+echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"This will modify your system and disable fido2 auto-unlock of your LUKS partition! This script is designed to work with it's corresponding secureblue" \
+"fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created." 
+echo ""
 echo "INFO if no other nonfido2 slot is currently configured, script will fail. This is a safety precaution systemd-cryptenroll implements."
 echo "WARNING if you have not added an additional method, the recovery key will be the only avaliable unlock method after this script is run"
 read -p "Are you sure are good with this and want to disable fido2 auto-unlock? (y/N): " -n 1 -r

diff --git a/files/system/usr/libexec/luks-enable-fido2-unlock b/files/system/usr/libexec/luks-enable-fido2-unlock
@@ -20,13 +20,17 @@ set -eou pipefail
 
 echo "WARNING LUKS drive encryption must have been enabled at install time for this script to run" 
 echo "ENSURE you save the backup key this script creates at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt ON ANOTHER COMPUTER"
-echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "If you are using usbguard, plug into your hardware key, run 'usbguard list-devices'. Identify which number on the left is"
-echo "your device then run 'usbguard allow-device <number> -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options."
+echo ""
+echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script." \
+"Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "If you are using usbguard, plug in your hardware key, run 'usbguard list-devices'. Identify which number on the left is" \
+"your device then run 'usbguard allow-device <number> -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
+echo ""
+echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options for" \
+"any sites you may use FIDO2 based authentication on this key."
+echo ""
 read -p "Are you sure are good with this and want to enable FIDO2 auto-unlock? (y/N): " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -88,17 +92,29 @@ fi
 echo "Enrolling FIDO2 unlock requires your existing LUKS unlock password"
 systemd-cryptenroll --fido2-device=auto "$CRYPT_DISK"
 cp /etc/crypttab /etc/crypttab.known-good
-sed -i '$ s/$/ fido2-device=auto/' /etc/crypttab
+sed -i "s/UUID=$RD_LUKS_UUID none discard/UUID=$RD_LUKS_UUID - fido2-device=auto - discard/" /etc/crypttab
 
 echo "Creating backup key"
 systemd-cryptenroll --recovery-key "$CRYPT_DISK" > "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
 chmod 644 "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
 
+if lsinitrd 2>&1 | grep -q fido2 > /dev/null; then
+  ## add fido2 to initramfs
+  if rpm-ostree initramfs | grep fido2 > /dev/null; then
+    echo "FIDO2 already present in rpm-ostree initramfs config."
+    rpm-ostree initramfs
+    echo "Re-running initramfs to pickup changes above."
+  fi
+  rpm-ostree initramfs --enable --arg=--force-add --arg=fido2
+else
+  ## initramfs already contains fido2
+  echo "FIDO2 already present in initramfs."
+fi
+
 echo "Congratulations!"
-echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier."
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "REMINDER store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
+echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier. If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'. Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "REMINDER: Store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
 
 # References
 # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html