Added a HSM menu entry (#1196)

* Added a HSM menu entry, but also a safety check to make sure a FIDO device is connected

* flake8 complaints

* Adding FIDO lookup using cryptenroll listing

* Added systemd-cryptenroll --fido2-device=list

* Removed old _select_hsm call

* Fixed flake8 complaints

* Added support for locking and unlocking with a HSM

* Removed hardcoded paths in favor of PR merge

* Removed hardcoded paths in favor of PR merge

* Fixed mypy complaint

* Flake8 issue

* Added sd-encrypt for HSM and revert back to encrypt when HSM is not used (stability reason)

* Added /etc/vconsole.conf and tweaked fido2_enroll() to use the proper paths

* Spelling error

* Using UUID instead of PARTUUID when using HSM. I can't figure out how to get sd-encrypt to use PARTUUID instead. Added a Partition().part_uuid function. Actually renamed .uuid to .part_uuid and created a .uuid instead.

* Adding missing package libfido2 and removed tpm2-device=auto as it overrides everything and forces password prompt to be used over FIDO2, no matter the order of the options.

* Added some notes to clarify some choices.

* Had to move libfido2 package install to later in the chain, as there's not even a base during mounting :P

1 files changed, 43 insertions, 1 deletions

diff --git a/archinstall/lib/disk/partition.py b/archinstall/lib/disk/partition.py
index e7568258..c52ca434 100644
--- a/archinstall/lib/disk/partition.py
+++ b/archinstall/lib/disk/partition.py
@@ -184,7 +184,7 @@ class Partition:
 			return device['pttype']
 
 	@property
-	def uuid(self) -> Optional[str]:
+	def part_uuid(self) -> Optional[str]:
 		"""
 		Returns the PARTUUID as returned by lsblk.
 		This is more reliable than relying on /dev/disk/by-partuuid as
@@ -197,6 +197,26 @@ class Partition:
 				
 			time.sleep(max(0.1, storage['DISK_TIMEOUTS'] * i))
 
+			partuuid = self._safe_part_uuid
+			if partuuid:
+				return partuuid
+
+		raise DiskError(f"Could not get PARTUUID for {self.path} using 'blkid -s PARTUUID -o value {self.path}'")
+
+	@property
+	def uuid(self) -> Optional[str]:
+		"""
+		Returns the UUID as returned by lsblk for the **partition**.
+		This is more reliable than relying on /dev/disk/by-uuid as
+		it doesn't seam to be able to detect md raid partitions.
+		For bind mounts all the subvolumes share the same uuid
+		"""
+		for i in range(storage['DISK_RETRY_ATTEMPTS']):
+			if not self.partprobe():
+				raise DiskError(f"Could not perform partprobe on {self.device_path}")
+
+			time.sleep(max(0.1, storage['DISK_TIMEOUTS'] * i))
+
 			partuuid = self._safe_uuid
 			if partuuid:
 				return partuuid
@@ -217,6 +237,28 @@ class Partition:
 			log(f"Could not reliably refresh PARTUUID of partition {self.device_path} due to partprobe error.", level=logging.DEBUG)
 
 		try:
+			return SysCommand(f'blkid -s UUID -o value {self.device_path}').decode('UTF-8').strip()
+		except SysCallError as error:
+			if self.block_device.info.get('TYPE') == 'iso9660':
+				# Parent device is a Optical Disk (.iso dd'ed onto a device for instance)
+				return None
+
+			log(f"Could not get PARTUUID of partition using 'blkid -s UUID -o value {self.device_path}': {error}")
+
+	@property
+	def _safe_part_uuid(self) -> Optional[str]:
+		"""
+		A near copy of self.uuid but without any delays.
+		This function should only be used where uuid is not crucial.
+		For instance when you want to get a __repr__ of the class.
+		"""
+		if not self.partprobe():
+			if self.block_device.info.get('TYPE') == 'iso9660':
+				return None
+
+			log(f"Could not reliably refresh PARTUUID of partition {self.device_path} due to partprobe error.", level=logging.DEBUG)
+
+		try:
 			return SysCommand(f'blkid -s PARTUUID -o value {self.device_path}').decode('UTF-8').strip()
 		except SysCallError as error:
 			if self.block_device.info.get('TYPE') == 'iso9660':