authorAnton Hvornum <anton@hvornum.se>2022-05-18 11:28:59 +0200
committerGitHub <noreply@github.com>2022-05-18 11:28:59 +0200
commit493cccc18fa8c77c362b6abee2c3dc89d331c792 (patch)
tree5778ffbf361ecf80360b4848bc683c8387965d9a /archinstall/lib/hsm
parent561ea7e8f5c326312cc61c03d1b2329111f7634b (diff)
Added a HSM menu entry (#1196)
* Added a HSM menu entry, but also a safety check to make sure a FIDO device is connected * flake8 complaints * Adding FIDO lookup using cryptenroll listing * Added systemd-cryptenroll --fido2-device=list * Removed old _select_hsm call * Fixed flake8 complaints * Added support for locking and unlocking with a HSM * Removed hardcoded paths in favor of PR merge * Removed hardcoded paths in favor of PR merge * Fixed mypy complaint * Flake8 issue * Added sd-encrypt for HSM and revert back to encrypt when HSM is not used (stability reason) * Added /etc/vconsole.conf and tweaked fido2_enroll() to use the proper paths * Spelling error * Using UUID instead of PARTUUID when using HSM. I can't figure out how to get sd-encrypt to use PARTUUID instead. Added a Partition().part_uuid function. Actually renamed .uuid to .part_uuid and created a .uuid instead. * Adding missing package libfido2 and removed tpm2-device=auto as it overrides everything and forces password prompt to be used over FIDO2, no matter the order of the options. * Added some notes to clarify some choices. * Had to move libfido2 package install to later in the chain, as there's not even a base during mounting :P
Diffstat (limited to 'archinstall/lib/hsm')
-rw-r--r--archinstall/lib/hsm/__init__.py4
-rw-r--r--archinstall/lib/hsm/fido.py47
2 files changed, 51 insertions, 0 deletions
diff --git a/archinstall/lib/hsm/__init__.py b/archinstall/lib/hsm/__init__.py
new file mode 100644
index 00000000..c0888b04
--- /dev/null
+++ b/archinstall/lib/hsm/__init__.py
@@ -0,0 +1,4 @@
+from .fido import (
+ get_fido2_devices,
+ fido2_enroll
+) \ No newline at end of file
diff --git a/archinstall/lib/hsm/fido.py b/archinstall/lib/hsm/fido.py
new file mode 100644
index 00000000..69f42890
--- /dev/null
+++ b/archinstall/lib/hsm/fido.py
@@ -0,0 +1,47 @@
+import typing
+import pathlib
+from ..general import SysCommand, SysCommandWorker, clear_vt100_escape_codes
+from ..disk.partition import Partition
+
+def get_fido2_devices() -> typing.Dict[str, typing.Dict[str, str]]:
+ """
+ Uses systemd-cryptenroll to list the FIDO2 devices
+ connected that supports FIDO2.
+ Some devices might show up in udevadm as FIDO2 compliant
+ when they are in fact not.
+
+ The drawback of systemd-cryptenroll is that it uses human readable format.
+ That means we get this weird table like structure that is of no use.
+
+ So we'll look for `MANUFACTURER` and `PRODUCT`, we take their index
+ and we split each line based on those positions.
+ """
+ worker = clear_vt100_escape_codes(SysCommand(f"systemd-cryptenroll --fido2-device=list").decode('UTF-8'))
+
+ MANUFACTURER_POS = 0
+ PRODUCT_POS = 0
+ devices = {}
+ for line in worker.split('\r\n'):
+ if '/dev' not in line:
+ MANUFACTURER_POS = line.find('MANUFACTURER')
+ PRODUCT_POS = line.find('PRODUCT')
+ continue
+
+ path = line[:MANUFACTURER_POS].rstrip()
+ manufacturer = line[MANUFACTURER_POS:PRODUCT_POS].rstrip()
+ product = line[PRODUCT_POS:]
+
+ devices[path] = {
+ 'manufacturer' : manufacturer,
+ 'product' : product
+ }
+
+ return devices
+
+def fido2_enroll(hsm_device_path :pathlib.Path, partition :Partition, password :str) -> bool:
+ worker = SysCommandWorker(f"systemd-cryptenroll --fido2-device={hsm_device_path} {partition.real_device}", peak_output=True)
+ pw_inputted = False
+ while worker.is_alive():
+ if pw_inputted is False and bytes(f"please enter current passphrase for disk {partition.real_device}", 'UTF-8') in worker._trace_log.lower():
+ worker.write(bytes(password, 'UTF-8'))
+ pw_inputted = True
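Review bot: fido2_enroll is annotated `-> bool` but the new file ends right after `pw_inputted = True` with no return statement, so the function always returns None and a caller testing the result can never see a successful enrollment; the child's exit status is also never inspected, so a failed systemd-cryptenroll run (wrong passphrase, token never touched) is silently treated the same as success. After the `while worker.is_alive():` loop, add `return worker.exit_code == 0` (assuming SysCommandWorker exposes the exit status under that name, as its `is_alive()`/`write()` API suggests — confirm in general.py). In get_fido2_devices the header-position reset inside `if '/dev' not in line:` runs for every non-device line, so a blank or warning line between the header row and a device row sets both positions to -1 (str.find's miss value) and mis-slices every row after it; guard it with `if 'MANUFACTURER' in line and 'PRODUCT' in line:` before assigning MANUFACTURER_POS/PRODUCT_POS. Two smaller points: `f"systemd-cryptenroll --fido2-device=list"` has no placeholders and can be a plain string, and matching the passphrase prompt through the private `worker._trace_log` couples this module to SysCommandWorker internals; a public accessor (or a comment noting the dependency) would make the intent clear.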