Open khionu opened 6 months ago
I did some digging, and it looks like the best way to do this would be with fido2luks, which is what boot.initrd.luks.fido2Support uses (source).
How it could be implemented would be for disko to call fido2luks token add, using the known device, given slot, and assumed-valid credential-id. Alternatively, if disko is fine with the assumption that the FIDO2 device is present, fido2 add-key would be viable, though it's my assumption that that is less desired.
I've added it to my fork, and if a PR would be welcome, I'll happily open one. https://github.com/khionu/disko/commit/77a17a1328f0ee82543bbaa1ab0474ccdf794e5a
I've updated the commit. Turns out that this is a far more complicated topic than I realized and it will take more time to figure out how to pregenerate keys. That said, I think it's better to have a solution that assumes the FIDO2 device is present (which my fork now does) than to not have a solution for this in disko at all, so my offer to make a PR still stands.
I'm also interested in seeing systemd-cryptenroll integration, but with TPM2 options instead of FIDO2.
Looking here, I'm not sure if it's even possible to have disko do the setup without a patch? If a patch is required, I'd be happy to make the patch, but I'm afraid I'm not sure how to do so without systemd-cryptenroll, which I don't think is a viable option from an installation context?
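The enrollment step the thread is circling around, written out as an added example that is not part of the issue, the linked fork, or the disko project: it uses systemd-cryptenroll (the tool the later comments ask about) rather than fido2luks, handles both the FIDO2 and the TPM2 token kinds, and, like the fork, assumes the token or TPM is present on the installing machine. The device path, passphrase file and PCR selection are placeholders; the post-enrollment check parses `cryptsetup luksDump` output for a `systemd-fido2` / `systemd-tpm2` token entry, and the sample dump in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from disko or the issue author): enroll a hardware-bound
# unlock key into an existing LUKS2 volume with systemd-cryptenroll and verify
# that the header now lists the corresponding token. Paths are assumptions.
set -euo pipefail

# Count tokens of the given systemd type ("systemd-fido2" or "systemd-tpm2")
# in `cryptsetup luksDump` text read from stdin, e.g. a constructed dump:
#   Tokens:
#     0: systemd-tpm2
#           tpm2-hash-pcrs:   7
count_tokens() {
  local kind="$1"
  grep -cE "^[[:space:]]+[0-9]+: ${kind}\$" || true
}

# Enroll a token. $1 = "fido2" or "tpm2", $2 = LUKS device, $3 = file holding
# the existing passphrase (so this can run unattended in an installer),
# $4 = PCR list for TPM2 binding (default 7, the Secure Boot policy PCR).
# Requires the FIDO2 key / TPM2 to be present, like the fork discussed above.
enroll_token() {
  local kind="$1" dev="$2" keyfile="$3" pcrs="${4:-7}"
  case "$kind" in
    fido2) systemd-cryptenroll --unlock-key-file="$keyfile" \
             --fido2-device=auto "$dev" ;;
    tpm2)  systemd-cryptenroll --unlock-key-file="$keyfile" \
             --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev" ;;
    *)     echo "unknown token kind: $kind" >&2; return 2 ;;
  esac
  # Verify the enrollment actually landed in the LUKS2 header.
  local n
  n=$(cryptsetup luksDump "$dev" | count_tokens "systemd-${kind}")
  [ "$n" -ge 1 ] || { echo "no systemd-${kind} token on $dev" >&2; return 1; }
}

# Usage (placeholder values):
#   enroll_token tpm2  /dev/disk/by-partlabel/cryptroot /tmp/luks-pass
#   enroll_token fido2 /dev/disk/by-partlabel/cryptroot /tmp/luks-pass
```

The verification step matters for an installer: `systemd-cryptenroll` can fail late (no TPM2 device, PIN/touch timeout on the FIDO2 key) and the volume would then boot to a passphrase prompt only, so the presence of the token in the header is what should gate the rest of the install.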