From 1452ca68e4dca2be0d1c064ddbefcc7ff96a0e1f Mon Sep 17 00:00:00 2001
From: Paul Sherrill <139525564+ShadowSlayer1441@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:57:02 -0500
Subject: [PATCH] fix: added initramfs verification to luks-enable-fido2-unlock (#762)
---
 .../usr/libexec/luks-disable-fido2-unlock | 9 +++--
 .../usr/libexec/luks-enable-fido2-unlock | 40 +++++++++++++------
 2 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/files/system/usr/libexec/luks-disable-fido2-unlock b/files/system/usr/libexec/luks-disable-fido2-unlock
index 2d22029e..0548cc34 100755
--- a/files/system/usr/libexec/luks-disable-fido2-unlock
+++ b/files/system/usr/libexec/luks-disable-fido2-unlock
@@ -19,10 +19,11 @@ set -eou pipefail
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 echo "WARNING this script will remove ALL currently configured fido2 luks unlock slots."
-echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "This will modify your system and disable fido2 auto-unlock of your LUKS partition!"
-echo "This script is designed to work with it's corresponding secureblue fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created."
+echo ""
+echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"This will modify your system and disable fido2 auto-unlock of your LUKS partition! This script is designed to work with it's corresponding secureblue" \
+"fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created."
+echo ""
 echo "INFO if no other nonfido2 slot is currently configured, script will fail. This is a safety precaution systemd-cryptenroll implements."
 echo "WARNING if you have not added an additional method, the recovery key will be the only avaliable unlock method after this script is run"
 read -p "Are you sure are good with this and want to disable fido2 auto-unlock? (y/N): " -n 1 -r
diff --git a/files/system/usr/libexec/luks-enable-fido2-unlock b/files/system/usr/libexec/luks-enable-fido2-unlock
index 59a620a1..383d47c6 100755
--- a/files/system/usr/libexec/luks-enable-fido2-unlock
+++ b/files/system/usr/libexec/luks-enable-fido2-unlock
@@ -20,13 +20,17 @@ set -eou pipefail
 echo "WARNING LUKS drive encryption must have been enabled at install time for this script to run"
 echo "ENSURE you save the backup key this script creates at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt ON ANOTHER COMPUTER"
-echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "If you are using usbguard, plug into your hardware key, run 'usbguard list-devices'. Identify which number on the left is"
-echo "your device then run 'usbguard allow-device -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options."
+echo ""
+echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script." \
+"Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "If you are using usbguard, plug in your hardware key, run 'usbguard list-devices'. Identify which number on the left is" \
+"your device then run 'usbguard allow-device -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
+echo ""
+echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options for" \
+"any sites you may use FIDO2 based authentication on this key."
+echo ""
 read -p "Are you sure are good with this and want to enable FIDO2 auto-unlock? (y/N): " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -88,17 +92,29 @@ fi
 echo "Enrolling FIDO2 unlock requires your existing LUKS unlock password"
 systemd-cryptenroll --fido2-device=auto "$CRYPT_DISK"
 cp /etc/crypttab /etc/crypttab.known-good
-sed -i '$ s/$/ fido2-device=auto/' /etc/crypttab
+sed -i "s/UUID=$RD_LUKS_UUID none discard/UUID=$RD_LUKS_UUID - fido2-device=auto - discard/" /etc/crypttab
 echo "Creating backup key"
 systemd-cryptenroll --recovery-key "$CRYPT_DISK" > "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
 chmod 644 "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
+if lsinitrd 2>&1 | grep -q fido2 > /dev/null; then
+ ## add fido2 to initramfs
+ if rpm-ostree initramfs | grep fido2 > /dev/null; then
+ echo "FIDO2 already present in rpm-ostree initramfs config."
+ rpm-ostree initramfs
+ echo "Re-running initramfs to pickup changes above."
+ fi
+ rpm-ostree initramfs --enable --arg=--force-add --arg=fido2
+else
+ ## initramfs already contains fido2
+ echo "FIDO2 already present in initramfs."
+fi
+
 echo "Congratulations!"
-echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier."
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "REMINDER store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
+echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier. If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'. Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "REMINDER: Store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
 # References
 # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
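Review bot: The new `if lsinitrd 2>&1 | grep -q fido2 > /dev/null; then` test appears inverted relative to its own comments and messages: when the running initramfs already lists fido2 the script goes on to `rpm-ostree initramfs --enable --arg=--force-add --arg=fido2`, and when it does not the else branch prints "FIDO2 already present in initramfs." and adds nothing, so the case the commit title is about is the one that is skipped, unless lsinitrd is expected to behave differently on this platform. The inner `rpm-ostree initramfs | grep fido2` branch also only prints status and then falls through to `--enable` regardless, `2>&1` makes any lsinitrd error text part of what is grepped, and `> /dev/null` after `grep -q` is redundant. Separately, the new `sed -i` only edits a line that is literally `UUID=$RD_LUKS_UUID none discard` (`RD_LUKS_UUID` and `CRYPT_DISK` are set outside this hunk) and a non-match leaves /etc/crypttab untouched with no error, while the replacement's `- fido2-device=auto - discard` puts `discard` outside the fourth, comma-delimited options field as crypttab(5) describes it, so a post-edit `grep -q -- "fido2-device=auto" /etc/crypttab || exit 1` and `fido2-device=auto,discard` would be safer. The adjacent unchanged `chmod 644` leaves the recovery key world-readable; `chmod 600` with a `chown` to `$SUDO_USER` would be the defensive default. The rewrite below drops the inner status branch; if `rpm-ostree initramfs --enable` fails when regeneration is already on with identical arguments, that guard should skip the enable rather than precede it.
```shell
# … unchanged: FIDO2 enrollment and crypttab backup …
sed -i "s/UUID=$RD_LUKS_UUID none discard/UUID=$RD_LUKS_UUID - fido2-device=auto,discard/" /etc/crypttab
grep -q -- "fido2-device=auto" /etc/crypttab || { echo "crypttab entry for UUID=$RD_LUKS_UUID was not updated; restore /etc/crypttab.known-good" >&2; exit 1; }
# … unchanged: recovery key creation …
if lsinitrd 2>/dev/null | grep -q fido2; then
    echo "FIDO2 already present in initramfs."
else
    # running initramfs lacks the fido2 module: have rpm-ostree regenerate with it force-added
    rpm-ostree initramfs --enable --arg=--force-add --arg=fido2
    echo "A reboot is required for the regenerated initramfs to take effect."
fi
```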