path: root/archinstall/lib/configuration.py
authorAnton Hvornum <anton@hvornum.se>2022-05-18 11:28:59 +0200
committerGitHub <noreply@github.com>2022-05-18 11:28:59 +0200
commit493cccc18fa8c77c362b6abee2c3dc89d331c792 (patch)
tree5778ffbf361ecf80360b4848bc683c8387965d9a /archinstall/lib/configuration.py
parent561ea7e8f5c326312cc61c03d1b2329111f7634b (diff)
Added a HSM menu entry (#1196)
* Added a HSM menu entry, but also a safety check to make sure a FIDO device is connected * flake8 complaints * Adding FIDO lookup using cryptenroll listing * Added systemd-cryptenroll --fido2-device=list * Removed old _select_hsm call * Fixed flake8 complaints * Added support for locking and unlocking with a HSM * Removed hardcoded paths in favor of PR merge * Removed hardcoded paths in favor of PR merge * Fixed mypy complaint * Flake8 issue * Added sd-encrypt for HSM and revert back to encrypt when HSM is not used (stability reason) * Added /etc/vconsole.conf and tweaked fido2_enroll() to use the proper paths * Spelling error * Using UUID instead of PARTUUID when using HSM. I can't figure out how to get sd-encrypt to use PARTUUID instead. Added a Partition().part_uuid function. Actually renamed .uuid to .part_uuid and created a .uuid instead. * Adding missing package libfido2 and removed tpm2-device=auto as it overrides everything and forces password prompt to be used over FIDO2, no matter the order of the options. * Added some notes to clarify some choices. * Had to move libfido2 package install to later in the chain, as there's not even a base during mounting :P
Diffstat (limited to 'archinstall/lib/configuration.py')
-rw-r--r--archinstall/lib/configuration.py27
1 files changed, 19 insertions, 8 deletions
diff --git a/archinstall/lib/configuration.py b/archinstall/lib/configuration.py
index c971768f..f3fe1e1c 100644
--- a/archinstall/lib/configuration.py
+++ b/archinstall/lib/configuration.py
@@ -1,12 +1,23 @@
import json
import logging
-from pathlib import Path
+import pathlib
from typing import Optional, Dict
from .storage import storage
from .general import JSON, UNSAFE_JSON
from .output import log
-
+from .exceptions import RequirementError
+from .hsm import get_fido2_devices
+
+def configuration_sanity_check():
+ if storage['arguments'].get('HSM'):
+ if not get_fido2_devices():
+ raise RequirementError(
+ f"In order to use HSM to pair with the disk encryption,"
+ + f" one needs to be accessible through /dev/hidraw* and support"
+ + f" the FIDO2 protocol. You can check this by running"
+ + f" 'systemd-cryptenroll --fido2-device=list'."
+ )
class ConfigurationOutput:
def __init__(self, config: Dict):
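Review bot: The message in `configuration_sanity_check` is built from four `f"..."` literals joined with `+`, none of which contains a placeholder, so the `f` prefixes are dead and the `+` operators are noise; drop both and let the adjacent string literals concatenate implicitly inside the `RequirementError(...)` call. The new function also has no docstring; something like `"""Abort early when HSM-backed disk encryption was requested but no FIDO2 device is reachable."""` would state its one job, since the generic name suggests a broader check than the single HSM lookup it performs. Note that this is a point-in-time presence check at configuration time; presumably the later enrollment step must still cope with the device being absent, which cannot be confirmed from this hunk.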
@@ -21,7 +32,7 @@ class ConfigurationOutput:
self._user_credentials = {}
self._disk_layout = None
self._user_config = {}
- self._default_save_path = Path(storage.get('LOG_PATH', '.'))
+ self._default_save_path = pathlib.Path(storage.get('LOG_PATH', '.'))
self._user_config_file = 'user_configuration.json'
self._user_creds_file = "user_credentials.json"
self._disk_layout_file = "user_disk_layout.json"
@@ -84,7 +95,7 @@ class ConfigurationOutput:
print()
- def _is_valid_path(self, dest_path :Path) -> bool:
+ def _is_valid_path(self, dest_path :pathlib.Path) -> bool:
if (not dest_path.exists()) or not (dest_path.is_dir()):
log(
'Destination directory {} does not exist or is not a directory,\n Configuration files can not be saved'.format(dest_path.resolve()),
@@ -93,26 +104,26 @@ class ConfigurationOutput:
return False
return True
- def save_user_config(self, dest_path :Path = None):
+ def save_user_config(self, dest_path :pathlib.Path = None):
if self._is_valid_path(dest_path):
with open(dest_path / self._user_config_file, 'w') as config_file:
config_file.write(self.user_config_to_json())
- def save_user_creds(self, dest_path :Path = None):
+ def save_user_creds(self, dest_path :pathlib.Path = None):
if self._is_valid_path(dest_path):
if user_creds := self.user_credentials_to_json():
target = dest_path / self._user_creds_file
with open(target, 'w') as config_file:
config_file.write(user_creds)
- def save_disk_layout(self, dest_path :Path = None):
+ def save_disk_layout(self, dest_path :pathlib.Path = None):
if self._is_valid_path(dest_path):
if disk_layout := self.disk_layout_to_json():
target = dest_path / self._disk_layout_file
with target.open('w') as config_file:
config_file.write(disk_layout)
- def save(self, dest_path :Path = None):
+ def save(self, dest_path :pathlib.Path = None):
if not dest_path:
dest_path = self._default_save_path