
fido2luks's Introduction

fido2luks

0.3.0-alpha

This is just the program itself; all initrd scripts are mostly tailored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface. I've decided to release the version in this state since I just do not have the time now or in the foreseeable future to tweak all scripts, since it's quite a tedious task which involves rebooting VMs countless times. If you're interested in adapting or writing scripts for a particular distro I'd be more than happy to accept pull requests.

fido2luks's People

Contributors

andrew-finn, jannic, mmahut, saravanan30erd, shimunn

fido2luks's Issues

scarce entropy during boot

One of the issues I'm seeing with fido2luks is that when the system is booting and fido2luks runs during the initrd process, it can take several seconds to initialize because of limited entropy in the pool, mostly on machines without CONFIG_RANDOM_TRUST_CPU.

[    0.233968] random: get_random_bytes called from start_kernel+0x91/0x4d2 with crng_init=0
[    1.699907] random: fido2luks: uninitialized urandom read (16 bytes read)
[    2.703263] random: fido2luks: uninitialized urandom read (16 bytes read)
[    2.772650] random: fido2luks: uninitialized urandom read (16 bytes read)
[   12.186591] random: crng init done

This is even worse on GRUB as it is not using the UEFI random number protocol that ought to seed the kernel PRNG on boot.

Are there any getrandom() calls we can remove during the open process? Are there any missing GRND_NONBLOCK flags?
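
One way to confirm the entropy-starvation hypothesis from a kernel log, as an added example that is not part of fido2luks or of this issue: it parses dmesg-style "random:" lines like the ones quoted above (the sample below is constructed from them, with one extra reader added) and reports how long each process was reading an unseeded pool before "crng init done".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the dmesg excerpt quoted in the issue;
# the systemd-random-seed line is made up to show per-process filtering.
SAMPLE_LOG = """\
[    0.233968] random: get_random_bytes called from start_kernel+0x91/0x4d2 with crng_init=0
[    1.699907] random: fido2luks: uninitialized urandom read (16 bytes read)
[    2.703263] random: fido2luks: uninitialized urandom read (16 bytes read)
[    2.772650] random: fido2luks: uninitialized urandom read (16 bytes read)
[    3.100000] random: systemd-random-seed: uninitialized urandom read (512 bytes read)
[   12.186591] random: crng init done
"""

# "[   12.186591] random: <message>" -> seconds since boot plus the message.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+random:\s+(?P<msg>.+?)\s*$")
# "<process>: uninitialized urandom read (<n> bytes read)"
UNINIT_RE = re.compile(
    r"^(?P<proc>.+?): uninitialized urandom read \((?P<n>\d+) bytes read\)$"
)


@dataclass
class UninitRead:
    ts: float      # seconds since boot
    process: str   # comm of the reader, e.g. "fido2luks"
    nbytes: int


@dataclass
class CrngReport:
    init_done_at: Optional[float] = None
    reads: List[UninitRead] = field(default_factory=list)

    def reads_by_process(self) -> Dict[str, int]:
        """How many unseeded reads each process triggered (the kernel
        rate-limits this message, so the count is a lower bound)."""
        counts: Dict[str, int] = {}
        for r in self.reads:
            counts[r.process] = counts.get(r.process, 0) + 1
        return counts

    def starved_window(self, process: str) -> Optional[float]:
        """Seconds between a process's first unseeded read and CRNG init.

        None means the process never read an unseeded pool, or the log has
        no 'crng init done' line yet (the pool may still be unseeded).
        """
        own = [r.ts for r in self.reads if r.process == process]
        if not own or self.init_done_at is None:
            return None
        return self.init_done_at - min(own)


def parse_random_log(text: str) -> CrngReport:
    """Extract CRNG seeding state and unseeded reads from dmesg output."""
    report = CrngReport()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a random.c message
        ts, msg = float(m.group("ts")), m.group("msg")
        if msg == "crng init done":
            report.init_done_at = ts
            continue
        u = UNINIT_RE.match(msg)
        if u:
            report.reads.append(UninitRead(ts, u.group("proc"), int(u.group("n"))))
    return report


if __name__ == "__main__":
    rep = parse_random_log(SAMPLE_LOG)
    for proc, n in rep.reads_by_process().items():
        print(f"{proc}: {n} unseeded read(s), "
              f"seeded {rep.starved_window(proc):.3f}s after its first read")
```

Run it against `dmesg` from a real boot to see which initrd tools touched the pool before seeding and how long the window was.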

Debian Sid Support?

I have been trying to get fido2luks to work on Debian sid without much success. Currently, I am using four yubikeys and have set up the config as described in the readme. Each yubikey has a pin code assigned to it, which may or may not be the issue when trying to decrypt in initramfs. I installed dracut and then installed the dracut changes in this directory, but when I reboot the computer, I get a bunch of spam on boot that continues even as I enter my passphrase:

dracut-initqueue[474]: SELinux enabled state cached to: disabled
dracut-initqueue[474]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy

When it asks for the authenticator, I assume it wants the pin, but even when I give it the pin, the yubikey never flashes for touch, and the only passphrase that works is the non-fido key (regular passphrase). Is there something I have to do with SELinux for this to work? Is there another setting I have to set in the grub config if the yubikey uses a pin? I am unsure if this is an issue running on Debian Sid or a misconfiguration on my part; what logs would help debug this issue?

Use with pam_mount

I successfully created a luks container and mounted it with fido2luks (great tool BTW!).
I would like to integrate it with pam_mount and I don't know where to begin.

My current setup dynamically opens a luks container containing my home when I log in through lightdm.
The password of my session and of my container are the same, so I enter the password just once; it is used by lightdm and passed to cryptsetup to open the container.

I would like to use my U2F key to mount the luks container. As I use a solokey, it requests a pin code each time, so I guess I would have to enter it during the lightdm login after the password. Or I could change the password to be the pin code to reuse it.

Do you have an idea of how I can use fido2luks to do this?

UV Support

Rather than using a salt as a pseudo password for this, does this also support using UV from the FIDO device, basically using the device and its PIN, FP sensor or whatever to unlock (and storing the salt in the bootloader, which is already supported on its own)?

no need to read password twice

With the current single implementation of read_password, fido2luks asks for the password twice. This is not needed in every case, such as when inputting the old secret, which we should just check, failing if it is wrong.

mkinitcpio support

Any chance we could see support for initcpio at some point? I'm sure many Arch users would appreciate that. Thanks!

Create package for Archlinux

@shimunn

I would like to support creating the Arch Linux package for fido2luks, so it will be available via pacman install.
Please provide your input.

Trezor model T not detected as a valid device

When trying fido2luks with my Trezor model T, it is not detected.

Device and software information

$ fido2luks --version
fido2luks 0.2.1 (e7049a281a63e3f72f83b720eb44ccb0c65ed4e1)
$ trezorctl  get-features
Features (155 bytes) {
    backup_type: Bip39 (0),
    capabilities: [
        Bitcoin (1),
        Bitcoin_like (2),
        Binance (3),
        Cardano (4),
        Crypto (5),
        EOS (6),
        Ethereum (7),
        Lisk (8),
        Monero (9),
        NEM (10),
        Ripple (11),
        Stellar (12),
        Tezos (13),
        U2F (14),
        Shamir (15),
        ShamirGroups (16),
    ],
    device_id: '8FD6A92C73B51F1403A27057',
    flags: 0,
    initialized: True,
    label: 'My Trezor',
    language: 'english',
    major_version: 2,
    minor_version: 1,
    model: 'T',
    needs_backup: True,
    no_backup: False,
    passphrase_cached: False,
    passphrase_protection: False,
    patch_version: 8,
    pin_cached: True,
    pin_protection: True,
    recovery_mode: False,
    revision: 8 bytes b'8eb6ce08',
    unfinished_backup: False,
    vendor: 'trezor.io',
}

Debug information

$ strace -ff fido2luks credential

(...)

openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "\6\320\361\t\1\241\1\t \25\0&\377\0u\10\225@\201\2\t!\25\0&\377\0u\10\225@\221"..., 4097) = 34
read(4, "", 4063)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/dev/hidraw1", O_RDWR|O_CLOEXEC) = 4
getrandom("", 0, GRND_NONBLOCK)         = 0
getrandom("\x31\x44\xa2\x66\x55\x6f\xb7\x0e\xcd\xbc\xf1\x12\x4e\xdd\xf6\xc3\x14\x2b\xc4\x2e\x2b\x1a\x47\x35\x74\x9e\xa9\x7f\x31\xcf\x2f\x20", 32, GRND_NONBLOCK) = 32
write(4, "\0\377\377\377\377\206\0\10@\305I\313?\245n\321\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(4, "\377\377\377\377\206\0\21@\305I\313?\245n\321`Q\24s\2\2\0\0\5\0\0\0\0\0\0\0\0"..., 64) = 64
write(4, "\0`Q\24s\220\0\1\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(4, "`Q\24s\220\0B\0\244\1\202fU2F_V2hFIDO_2_0\2\201khm"..., 64) = 64
read(4, "`Q\24s\0\365bup\365buv\365\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
close(4)                                = 0
getdents(3, /* 0 entries */, 32768)     = 0
close(3)                                = 0
write(2, "no authenticator found, please e"..., 62no authenticator found, please ensure you device is plugged in) = 62
write(2, "\n", 1
)       
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
munmap(0x7fbe3a992000, 8192)            = 0
exit_group(4)                           = ?
+++ exited with 4 +++

$ lsusb | grep -i trezor
Bus 001 Device 061: ID 1209:53c1 Generic SatoshiLabs TREZOR
$ ls -la /sys/class/hidraw/hidraw*/device|grep -i 1209:53c1
lrwxrwxrwx 1 root root 0 Jan  8 14:38 /sys/class/hidraw/hidraw1/device -> ../../../0003:1209:53C1.00F9
$ usbhid-dump

001:061:001:DESCRIPTOR         1578490537.827086
 06 D0 F1 09 01 A1 01 09 20 15 00 26 FF 00 75 08
 95 40 81 02 09 21 15 00 26 FF 00 75 08 95 40 91
 02 C0
$ lsusb -v -s 001:061:001

Bus 001 Device 061: ID 1209:53c1 Generic SatoshiLabs TREZOR
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x1209 Generic
  idProduct          0x53c1 SatoshiLabs TREZOR
  bcdDevice            2.00
  iManufacturer           1 SatoshiLabs
  iProduct                2 TREZOR
  iSerial                 3 8FD6A92C73B51F1403A27057
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0040
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              5 TREZOR Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              5 TREZOR Interface
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      34
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
Binary Object Store Descriptor:
  bLength                 5
  bDescriptorType        15
  wTotalLength       0x001d
  bNumDeviceCaps          1
  Platform Device Capability:
    bLength                24
    bDescriptorType        16
    bDevCapabilityType      5
    bReserved               0
    PlatformCapabilityUUID    {3408b638-09a9-47a0-8bfd-a0768815b665}
      WebUSB:
        bcdVersion    1.00
        bVendorCode      1
        iLandingPage     1 https://trezor.io/start
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0000
  (Bus Powered)

Ubuntu Support

Thanks for your work. But as expected it doesn't work with Ubuntu. Adding key worked fine, but on reboot the given password isn't working and SoloKey isn't called for authentication. Any ideas are appreciated.

Fail to unlock device with adapted initcpio hook

Hello shimunn,
I am trying to adapt the initcpio hook to the fido2luks 0.3.0-alpha version, but I get a strange error with my modified script.

AuthenticatorError { cause: FidoError(

This operating requires a PIN but none was provided.) }

I have tried to print out the options, but the --pin option had already been specified. When I use the init shell by appending the break parameter to the kernel command line, I can launch the hook via the source /init_functions; source /hooks/fido2luks; run_hook; command, and it shows Authenticator PIN: normally and I can input the pin to unlock my LUKS volume. Do you have any clue about that?

Pin required when creating credentials

Hi,
I am curious to try out your project with a Yubikey 5 NFC on Fedora 33; however, I am running into the following issue when trying to create credentials:

[wmutschl@localhost ~]$ ykman info
Device type: YubiKey 5 NFC
Serial number: 9243118
Firmware version: 5.1.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications	USB    	NFC     
OTP     	Enabled	Enabled 	
FIDO U2F	Enabled	Enabled 	
OpenPGP 	Enabled	Enabled 	
PIV     	Enabled	Disabled	
OATH    	Enabled	Enabled 	
FIDO2   	Enabled	Enabled 	


[wmutschl@localhost ~]$ ykman fido info
PIN is set, with 8 tries left.

[wmutschl@localhost ~]$ fido2luks connected
Found 1 devices

[wmutschl@localhost ~]$ fido2luks credential
AuthenticatorError { cause: FidoError(

This operating requires a PIN but none was provided.) }

Where or how do I set the pin?

Error while decoding CBOR from device when using Trezor model T

When using a Trezor model T as a FIDO2 device, the following error occurs when trying to add it as a new key.

$ printenv |grep FIDO
FIDO2LUKS_CREDENTIAL_ID=f1d002009d27ba4b272e8b7d4af7fc4d58d3e5f3ec6ee40bdc243ebddd622a8c5211ad0f65d8721acf2815a913a79f9e99599bfd
FIDO2LUKS_SALT=Ask
$ fido2luks -i add-key /dev/sdb
Password: 
Password (again): 
authenticator error: Error while decoding CBOR from device.
write(3, "Password (again): ", 18Password (again): )      = 18
close(3)                                = 0
openat(AT_FDCWD, "/dev/tty", O_RDONLY|O_CLOEXEC) = 3
ioctl(3, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
read(3, 
"o\n", 8192)                    = 2
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
close(3)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
getdents(3, /* 8 entries */, 32768)     = 240
openat(AT_FDCWD, "/sys/class/hidraw/hidraw4/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "\5\1\t\200\241\1\205\1\31\201)\203\25\0%\1u\1\225\3\201\2u\5\225\1\201\1\300\5\f\t"..., 4097) = 109
read(4, "", 3988)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw2/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "\5\1\t\2\241\1\t\1\241\0\205\1\5\t\31\1)\5\25\0%\1\225\5u\1\201\2\225\1u\3"..., 4097) = 215
read(4, "", 3882)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw0/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "\5\1\t\2\241\1\205\1\t\1\241\0\5\t\31\1)\3\25\0%\1u\1\225\3\201\2\225\5\201\1"..., 4097) = 339
read(4, "", 3758)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw5/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "\6\320\361\t\1\241\1\t \25\0&\377\0u\10\225@\201\2\t!\25\0&\377\0u\10\225@\221"..., 4097) = 34
read(4, "", 4063)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/dev/hidraw5", O_RDWR|O_CLOEXEC) = 4
getrandom("", 0, GRND_NONBLOCK)         = 0
getrandom("\x13\x14\xb4\x0e\xc4\x8c\x97\xbe\xb0\xf9\x86\x20\x3d\x51\xe3\x9f\x95\x9a\xd1\xc6\x5b\xb1\xc9\xe3\xed\x30\xed\xec\x72\xd6\x6a\x21", 32, GRND_NONBLOCK) = 32
write(4, "\0\377\377\377\377\206\0\10\247SR\263\201\23g\215\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(4, "\377\377\377\377\206\0\21\247SR\263\201\23g\215\377}]r\2\2\0\0\5\0\0\0\0\0\0\0\0"..., 64) = 64
write(4, "\0\377}]r\220\0\1\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(4, "\377}]r\220\0E\0\245\1\202fU2F_V2hFIDO_2_0\2\201khm"..., 64) = 64
read(4, "\377}]r\0\365bup\365buv\365\6\201\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
openat(AT_FDCWD, "/sys/class/hidraw/hidraw3/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(5, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\3u\1"..., 4097) = 65
read(5, "", 4032)                       = 0
close(5)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 5
fstat(5, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(5, "\5\1\t\6\241\1\5\10\31\1)\3\25\0%\1u\1\225\3\221\2\225\5\221\1\5\7\31\340)\347"..., 4097) = 57
read(5, "", 4040)                       = 0
close(5)                                = 0
getdents(3, /* 0 entries */, 32768)     = 0
close(3)                                = 0
write(4, "\0\377}]r\220\0\6\6\242\1\1\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(4, "\377}]r\220\0Q\0\241\1\245\1\2\38\30 \1!X \251\332\200\206\305\257O3HxU"..., 64) = 64
read(4, "\377}]r\0u*\10Y\0\253\f\244-\261\307c\224\212\221\347)\269'[\370o\f\0\0\0"..., 64) = 64
getrandom("\x10", 1, 0)                 = 1
getrandom("\x73\x89\x9e\xbb\x4c\x20\x94\xb2\x94\x04\x01\xa7\xf2\x7d\x10\x51\xc5\xa0\x86\x30\x6e\xa9\x78\x34\xcb\x09\x00\xee\x73\x35\x1d\x2b", 32, 0) = 32
write(4, "\0\377}]r\220\1\16\2\245\1dhmac\2X \0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
write(4, "\0\377}]r\0i}\353G8\2315\351\17\246\25\260!\272\221\r\"IM\346:B\327X\216D"..., 65) = 65
write(4, "\0\377}]r\1\4\241khmac-secret\243\1\244 \1!X \313\216%\204"..., 65) = 65
write(4, "\0\377}]r\2\315E,z\211\224 \236f2\373\214\1J\201@@\374\270\331N\5\t\303ke"..., 65) = 65
write(4, "\0\377}]r\3\327\340C\255\257\351\306b\3P\0\354\320\t\24p\335XQ\253S\275J\234\267\254"..., 65) = 65
read(4, "\377}]r\220\0\1,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
close(4)                                = 0
write(2, "authenticator error: ", 21authenticator error: )   = 21
write(2, "Error while decoding CBOR from d"..., 38Error while decoding CBOR from device.) = 38
write(2, "\n", 1
)                       = 1
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
munmap(0x7f324d5bb000, 8192)            = 0
exit_group(3)                           = ?
+++ exited with 3 +++

Same happens with print-secret.

Error while decoding CBOR from device when using Yubikey 5 Nano

This sounds the same as #4, however for me it's even failing at step 1: generating the credential.

fido2luks credential
authenticator error: Error while decoding CBOR from device.

Device type: YubiKey 5 Nano
Serial number: xxxxxxxxx
Firmware version: 5.2.4
Form factor: Nano (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID

Applications
OTP     	Enabled	
FIDO U2F	Enabled	
OpenPGP 	Enabled	
PIV     	Enabled	
OATH    	Enabled	
FIDO2   	Enabled	
getrandom("\xe7\x29\x0b\x6c\x13\xe4\x98\x49\x7d\xe0\xb3\x8c\xfb\x6a\x70\x27", 16, GRND_NONBLOCK) = 16
openat(AT_FDCWD, "/sys/class/hidraw", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
getdents64(3, /* 9 entries */, 32768)   = 272
openat(AT_FDCWD, "/sys/class/hidraw/hidraw6/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
fcntl(6, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
statx(0, NULL, AT_STATX_SYNC_AS_STAT, STATX_ALL, NULL) = -1 EFAULT (Bad address)
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\f\t\1\241\1\205\1\25\0%\1u\1\t\351\t\352\225\2\201\2\t\265\t\315\t\266\225\3\201\6"..., 4097) = 85
read(6, "", 4012)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw4/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\2\241\1\t\1\241\0\5\t\31\1)\20\25\0%\1\225\20u\1\201\2\5\1\26\1\200&"..., 4097) = 67
read(6, "", 4030)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw2/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 65
read(6, "", 4032)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw0/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\225\1u\10\201\1\225\5u\1"..., 4097) = 71
read(6, "", 4026)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw5/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\t\6\241\1\205\1\5\7\31\340)\347\25\0%\1u\1\225\10\201\2\201\3\225\6u\10\25\0"..., 4097) = 151
read(6, "", 3946)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw3/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\5\1\5\f\t\1\241\1\205\1\25\0%\1u\1\225\7\t\315\t\267\t\266\t\265\t\342\t\352\t\351"..., 4097) = 74
read(6, "", 4023)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/sys/class/hidraw/hidraw1/device/report_descriptor", O_RDONLY|O_CLOEXEC) = 6
statx(6, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_BASIC_STATS, stx_attributes=0, stx_mode=S_IFREG|0444, stx_size=4096, ...}) = 0
read(6, "\6\320\361\t\1\241\1\t \25\0&\377\0u\10\225@\201\2\t!\25\0&\377\0u\10\225@\221"..., 4097) = 34
read(6, "", 4063)                       = 0
close(6)                                = 0
openat(AT_FDCWD, "/dev/hidraw1", O_RDWR|O_CLOEXEC) = 6
getrandom("", 0, GRND_NONBLOCK)         = 0
getrandom("\x6d\xd2\xdd\xa5\x37\x2a\x98\x7a\xbb\xad\xb4\xbc\xcc\x18\xbf\x42\x2b\x6f\xfc\x8d\xba\xf1\x61\xa0\x6c\xf8\xa5\xea\x77\xf9\x31\xbc", 32, GRND_NONBLOCK) = 32
write(6, "\0\377\377\377\377\206\0\10\203\350\351I\37\"\372\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(6, "\377\377\377\377\206\0\21\203\350\351I\37\"\372\251\0'\0\2\2\5\2\4\5\0\0\0\0\0\0\0\0"..., 64) = 64
write(6, "\0\0'\0\2\220\0\1\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65) = 65
read(6, "\0'\0\2\220\0\277\0\252\1\203fU2F_V2hFIDO_2_0lFIDO"..., 64) = 64
read(6, "\0'\0\2\0et\3P\356\210(yr\34I\23\227u=\374\316\227\7*\4\245brk\365b"..., 64) = 64
read(6, "\0'\0\2\1gmtPreview\365\5\31\4\260\6\201\1\7\10\10\30\200\t\201cu"..., 64) = 64
read(6, "\0'\0\2\2dtypejpublic-key\0\0\0\0\0\0\0\0\0\0\0"..., 64) = 64
close(6)                                = 0
close(3)                                = 0
write(2, "authenticator error: ", 21authenticator error: )   = 21
write(2, "Error while decoding CBOR from d"..., 38Error while decoding CBOR from device.) = 38
write(2, "\n", 1
)                       = 1
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
munmap(0x7f037e337000, 8192)            = 0
exit_group(3)                           = ?
+++ exited with 3 +++

Build failure on nixpkgs

Currently, it appears that there's some codegen issues happening with 0.2.21 on NixOS. I bumped libcryptsetup-rs to use 0.9 locally, as well as ran cargo update, and that seems to have corrected the issue. If a patch version could be released with those changes, that should unblock things upstream.

Ref: NixOS/nixpkgs#288865

yubikey 5 nano with firmware 5.4.3 not detected

I have several yubikeys. This is a brand new one fresh from Yubico that has the latest firmware 5.4.3. I have several with 5.2.4 which work just fine with fido2luks. When I run sudo fido2luks connected with this key, nothing is found. I can see the device with lsusb and ykman. I HAVE set the initial pin for this as required for fido to function; however, that doesn't seem to have any effect on the issue, and other tokens with old firmware would work for connected before the pin is set. I am continuing to debug, but it seems like the device does not meet the ctap device filter for some reason in get_devices, though I have not confirmed this. Below is the ykman --diagnose output. Please advise on how best to proceed.

ykman: 4.0.5
Python: 3.8.5 (default, Jul 28 2020, 12:59:40) 
[GCC 9.3.0]
Platform: linux
Arch: aarch64
Running as admin: True

Detected PC/SC readers:
	Yubico YubiKey OTP+FIDO+CCID 00 00 (connect: Success)

Detected YubiKeys over PC/SC:
	ScardYubiKeyDevice(pid=0407, fingerprint='Yubico YubiKey OTP+FIDO+CCID 00 00')
	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
	Device name: YubiKey 5 Nano
	PIV
		PIV version: 5.4.3
		WARNING: Using default PIN!
		PIN tries remaining: 3/3
		WARNING: Using default Management key!
		Management key algorithm: TDES
		CHUID:	No data available.
		CCC: 	No data available.
	OATH
		Oath version: 5.4.3
		Password protected: False
	OpenPGP
		OpenPGP version: 3.4
		Application version: 5.4.3
		PIN tries remaining: 3
		Reset code tries remaining: 0
		Admin PIN tries remaining: 3
		Touch policies
		Signature key           Off
		Encryption key          Off
		Authentication key      Off
		Attestation key         Off


Detected YubiKeys over HID OTP:
	OtpYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw0')
	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
	Device name: YubiKey 5 Nano
	OTP: ConfigState(configured: (True, False), touch_triggered: (True, False), led_inverted: False)


Detected YubiKeys over HID FIDO:
	CtapYubiKeyDevice(pid=0407, fingerprint='/dev/hidraw1')
CTAP device version: 5.4.3
CTAPHID protocol version: 2
Capabilities: 5
	RawInfo: 260102033f0302033f020400c8c1de04010205030504030602000007010f0801000a01000f0100
	DeviceInfo(config=DeviceConfig(enabled_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, auto_eject_timeout=0, challenge_response_timeout=15, device_flags=<DEVICE_FLAG.0: 0>), serial=13156830, version=Version(major=5, minor=4, patch=3), form_factor=<FORM_FACTOR.USB_A_NANO: 2>, supported_capabilities={<TRANSPORT.USB: 'usb'>: <CAPABILITY.FIDO2|HSMAUTH|OATH|PIV|OPENPGP|4|U2F|OTP: 831>}, is_locked=False, is_fips=False)
	Device name: YubiKey 5 Nano
	Ctap2Info: {<VERSIONS: 0x01>: ['U2F_V2', 'FIDO_2_0', 'FIDO_2_1_PRE'], <EXTENSIONS: 0x02>: ['credProtect', 'hmac-secret'], <AAGUID: 0x03>: b'\xee\x88(yr\x1cI\x13\x97u=\xfc\xce\x97\x07*', <OPTIONS: 0x04>: {'rk': True, 'up': True, 'plat': False, 'clientPin': True, 'credentialMgmtPreview': True}, <MAX_MSG_SIZE: 0x05>: 1200, <PIN_UV_PROTOCOLS: 0x06>: [2, 1], <MAX_CREDS_IN_LIST: 0x07>: 8, <MAX_CRED_ID_LENGTH: 0x08>: 128, <TRANSPORTS: 0x09>: ['usb'], <ALGORITHMS: 0x0A>: [{'alg': -7, 'type': 'public-key'}, {'alg': -8, 'type': 'public-key'}], <MIN_PIN_LENGTH: 0x0D>: 4, <FIRMWARE_VERSION: 0x0E>: 328707}
PIN retries: (8, None)

End of diagnostics

Note: I realize the architecture here may be unusual, but the other tokens work under these conditions. I have not censored any identifying info on this as I feel it is irrelevant to do so and would only make debugging harder.

Cannot have multiple credentials per YubiKey

I'm not sure if I'm merely misunderstanding something or if this is a bug. If it is a bug, I'm not even sure if it's in fido2luks.

As illustrated below, it appears that no matter what you name the credential, it seems to always clobber the previous credential.

I did some research on whether this is actually expected behavior but as far as I can tell test1 and test2 (being a "username") should be unique credentials even if they're both sharing the Relying Party ID of fido2luks.

I tried digging through the code, both fido2luks at tag 0.2.20 and ctap_hmac, and I couldn't identify a reason for the fact that these credentials are getting clobbered.

Is this intentional? Is there a reason we can't have multiple fido2luks credentials per YubiKey (per FIDO2 device)?

$ fido2luks credential -P 'test1'                                                                                         
Authenticator PIN: 
REDACTED

$ ykman fido credentials list    
Enter your PIN: 
fido2luks 00 test1

$ fido2luks credential -P 'test2'
Authenticator PIN: 
REDACTED

$ ykman fido credentials list    
Enter your PIN: 
fido2luks 00 test2

Versions

$ fido2luks --version            
fido2luks 0.2.20

$ ykman info
Device type: YubiKey 5 NFC
Serial number: REDACTED
Firmware version: 5.2.7

--max-retries option doesn't work for an invalid pin

When an invalid pin is entered, fido2luks just throws an error and exits, even with the --max-retries option specified. The following is an example.

[root@MkfsSion-LPC ~]# fido2luks -i open-token --pin --max-retries 3 /dev/sdc3 cryptroot
Authenticator PIN: 
Authorize using your FIDO device
Password: 
AuthenticatorError { cause: FidoError(FidoError(

Device returned error: CborError: 0x31: PIN Invalid.)

Error while decoding CBOR from device.) }

Test input_salt_obtain on 0.2.14 tag fails

Test for 0.2.14 version fails.

I checked it on NixOS and ArchLinux.

ArchLinux setup:

Linux structure 5.8.13-arch1-1 #1 SMP PREEMPT Thu, 01 Oct 2020 20:40:35 +0000 x86_64 GNU/Linux

NixOS setup:

Linux nixos 5.8.13 #1-NixOS SMP Thu Oct 1 15:36:35 UTC 2020 x86_64 GNU/Linux

Result of cargo test:

...skipping...
running 2 tests
test cli_args::config::test::input_salt_from_str ... ok
test cli_args::config::test::input_salt_obtain ... FAILED

failures:

---- cli_args::config::test::input_salt_obtain stdout ----
thread 'cli_args::config::test::input_salt_obtain' panicked at 'assertion failed: `(left == right)`
  left: `[97, 98, 99]`,
 right: `[186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97, 163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173]`', src/cli_args/config.rs:199:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace


failures:
    cli_args::config::test::input_salt_obtain

Is this critical? Or could we just remove broken test?
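The two byte arrays in the panic above can be checked directly: the `left` value is the ASCII string "abc", and the `right` value is exactly the SHA-256 digest of those three bytes, so the two sides of the failing assertion differ only in whether the salt has been hashed. The following Python snippet is an added example (it is not part of the issue report or of fido2luks's own test suite) that parses the quoted assertion text and verifies that relationship with `hashlib`; the panic text is embedded as constructed sample input copied from the report:

```python
import hashlib
import re

# Constructed sample input: the assertion lines quoted in the issue report.
PANIC_TEXT = """\
thread 'cli_args::config::test::input_salt_obtain' panicked at 'assertion failed: `(left == right)`
  left: `[97, 98, 99]`,
 right: `[186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97, 163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173]`', src/cli_args/config.rs:199:9
"""

_SIDE_RE = re.compile(r"^\s*(left|right): `\[([0-9, ]*)\]`", re.MULTILINE)


def parse_assert_eq(panic: str) -> dict:
    """Extract the `left` and `right` byte arrays from a Rust assert_eq! panic."""
    sides = {}
    for name, body in _SIDE_RE.findall(panic):
        sides[name] = bytes(int(n) for n in body.split(",") if n.strip())
    if set(sides) != {"left", "right"}:
        raise ValueError("panic text does not contain both left and right arrays")
    return sides


def sha256_of(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def explain_failure(panic: str) -> dict:
    """Report how the two sides of the assertion relate to each other.

    Returns the left side decoded as text (if it is printable ASCII), the hex
    of the right side, and whether one side is the SHA-256 of the other.
    """
    sides = parse_assert_eq(panic)
    left, right = sides["left"], sides["right"]
    try:
        left_text = left.decode("ascii")
    except UnicodeDecodeError:
        left_text = None
    return {
        "left_text": left_text,
        "right_hex": right.hex(),
        "right_is_sha256_of_left": sha256_of(left) == right,
        "left_is_sha256_of_right": sha256_of(right) == left,
    }


if __name__ == "__main__":
    for key, value in explain_failure(PANIC_TEXT).items():
        print(f"{key}: {value}")
```

Running it prints `right_is_sha256_of_left: True`, which is the information the raw byte arrays hide: the test compares an unhashed salt of "abc" against its SHA-256 digest.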

CBOR error with embedded token and solo key firmware 4.1.2

Hi

I just updated my solo key to firmware 4.1.2.
I don't exactly know what was changed but my LUKS volume containing embedded token was working perfectly before and now I am unable to unlock it.
Using open instead of open-token command works but I have to provide the credential id.
I tried to re-add a key with the credential ID as a token but it didn't work.
When trying to open the LUKS volume I receive the following error:

AuthenticatorError { cause: FidoError(FidoError(

Device returned error: CborError: 0x10: unknown)

Error while decoding CBOR from device.) }

When adding a new key, make it more obvious what the user is entering

When adding a new key the user could receive better guidance from the cli

What the user sees                       | How this is likely to be interpreted
-----------------------------------------+-----------------------------------------------------------------------------
> fido2luks -i add-key /dev/sda2 <id>    | -
Password:                                | which password?
Password (again):                        | repeat
<interaction with the key is expected>   | what am I supposed to do here?
Old password:                            | Is the old password going to be replaced || The one before was the new password?
Old password (again):                    | repeat

I think this could lead to frustration on the user's side. Thus I would recommend on the one hand changing the prompts to the passwd phrasing

> $ passwd
Current password:
New password:
Retype new password:

on the other I would propose notifying the user that an action is needed on the security key side.

Need for more Documentation

Hello, and thank you for working on and providing this software!

I want to use a FIDO2 stick for decrypting my LUKS device on ArchLinux, but I must admit that I have little knowledge about FIDO2 internals and how to do the setup. I would love to be pointed to some more documentation. I couldn't find much.

Here is what I want to do:
I currently have an encrypted LUKS partition (not the root partition) where /home resides in. Usually I decrypt it by entering the passphrase during boot. Now I want to store the FIDO2LUKS key into a second keyslot, such that I can decrypt /home during boot either by providing the password or by using the FIDO2 stick.

What I have done so far:

  1. I installed fido2luks
$ yay -S fido2luks
  2. I tested the connection with
$ fido2luks connected
Found 1 devices
  3. Generated a new credential:
$ fido2luks credential
15c9bec7284a5a09e0904006fea70dfe1daac52ec9dd94888c71a9f0d78310fd8c82d61d1df3520808fe832894664533262dae2262619c18ec0141da2be756214b5eaf010000
  4. Trying to add a keyslot to the LUKS header:
$ sudo fido2luks add-key /dev/sda2 15c9bec7284a5a09e0904006fea70dfe1daac52ec9dd94888c71a9f0d78310fd8c82d61d1df3520808fe832894664533262dae2262619c18ec0141da2be756214b5eaf010000
Current password: 
^C

In Step 4, I type in a password for an already existing keyslot of the LUKS device. After that nothing happened. Tapping the FIDO2 stick also does nothing. So I canceled the program with Ctrl+C. What is supposed to happen?

credential command not enforcing required name parameter

See #26
It seems the fido2luks credential command used to generate new credentials is resulting in an error message that is a bit cryptic if no name for the credential is supplied. The parameter is currently marked as optional, but if it is not provided and no value is set in the FIDO2LUKS_CREDENTIAL_NAME environment variable, the following occurs:

user@host:~$ echo '1234' | fido2luks credential --pin --pin-source /dev/stdin
AuthenticatorError { cause: FidoError(FidoError(

Device returned error: CborError: 0x3: Invalid message or item length.)

Error while decoding CBOR from device.) }

The FIDO2 token in use is a yubikey running on firmware 5.2.7(YubiKey 5 Nano (5.2.7) [OTP+FIDO+CCID]).

pin-source flag missing from cli arguments

Hi.
I am trying to use the --pin-source flag which was being used in a project a couple of years back.
Now when I try to use the --pin-source flag with the latest version of fido2luks it gives me an error saying that --pin-source was not an expected argument or isn't valid.
I was going through the source code and I could not find the --pin-source argument in the latest version.

What are the latest changes regarding this, or has it been deprecated so that I will not be able to use it anymore?

Thanks

Invalid message or item length

Hi, I am trying to follow your README to install fido2luks, but I cannot succeed. Maybe you can help me out.
What I did:

Step 1: Install packages

sudo dnf install clang cargo cryptsetup-devel -y

No problem.

Step 2: Clone repository and install using cargo

git clone https://github.com/shimunn/fido2luks.git 
cd fido2luks
sudo -E cargo install -f --path . --root /usr

No problem.

Step 3: Create credential with --pin option

fido2luks credential
#AuthenticatorError { cause: FidoError(
#
#This operating requires a PIN but none was provided.) }

fido2luks credential --pin
#Authenticator PIN: 
#AuthenticatorError { cause: FidoError(FidoError(
#
#Device returned error: CborError: 0x3: Invalid message or item length.)
#
#Error while decoding CBOR from device.) }

Am I doing something wrong here?

fido2luks can't find Nitrokey 3A NFC

Hi,
Thank you for creating and maintaining fido2luks.

I've successfully used it with the Nitrokey FIDO2, however the Nitrokey 3A NFC - which supports fido2 - is not detected.
Using fido2luks connected returns nothing with exit code 1, and fido2luks credential hangs indefinitely.
My Rust knowledge is very limited, but I'd like to help get this resolved. I've tried running https://github.com/shimunn/ctap/blob/f982494d5158062b7ebb9f84cd04f28d2be36ce7/examples/hmac.rs but it panics at line 17 with 'No authenticator found'. However, testing the same device on something like https://webauthn.io/ works fine.
If more information is needed I'll do my best to provide it.
