Added a HSM menu entry (#1196)

* Added a HSM menu entry, but also a safety check to make sure a FIDO device is connected

* flake8 complaints

* Adding FIDO lookup using cryptenroll listing

* Added systemd-cryptenroll --fido2-device=list

* Removed old _select_hsm call

* Fixed flake8 complaints

* Added support for locking and unlocking with a HSM

* Removed hardcoded paths in favor of PR merge

* Removed hardcoded paths in favor of PR merge

* Fixed mypy complaint

* Flake8 issue

* Added sd-encrypt for HSM and revert back to encrypt when HSM is not used (stability reason)

* Added /etc/vconsole.conf and tweaked fido2_enroll() to use the proper paths

* Spelling error

* Using UUID instead of PARTUUID when using HSM. I can't figure out how to get sd-encrypt to use PARTUUID instead. Added a Partition().part_uuid function. Actually renamed .uuid to .part_uuid and created a .uuid instead.

* Adding missing package libfido2 and removed tpm2-device=auto as it overrides everything and forces password prompt to be used over FIDO2, no matter the order of the options.

* Added some notes to clarify some choices.

* Had to move libfido2 package install to later in the chain, as there's not even a base during mounting :P

2 files changed, 30 insertions, 0 deletions

diff --git a/archinstall/lib/menu/global_menu.py b/archinstall/lib/menu/global_menu.py
index 13d385ef..d807433c 100644
--- a/archinstall/lib/menu/global_menu.py
+++ b/archinstall/lib/menu/global_menu.py
@@ -85,6 +85,12 @@ class GlobalMenu(GeneralMenu):
 				lambda x: self._select_encrypted_password(),
 				display_func=lambda x: secret(x) if x else 'None',
 				dependencies=['harddrives'])
+		self._menu_options['HSM'] = Selector(
+			description=_('Use HSM to unlock encrypted drive'),
+			func=lambda preset: self._select_hsm(preset),
+			dependencies=['!encryption-password'],
+			default=None
+		)
 		self._menu_options['swap'] = \
 			Selector(
 				_('Swap'),
diff --git a/archinstall/lib/menu/selection_menu.py b/archinstall/lib/menu/selection_menu.py
index 35057e9c..26be4cc7 100644
--- a/archinstall/lib/menu/selection_menu.py
+++ b/archinstall/lib/menu/selection_menu.py
@@ -2,12 +2,14 @@ from __future__ import annotations
 
 import logging
 import sys
+import pathlib
 from typing import Callable, Any, List, Iterator, Tuple, Optional, Dict, TYPE_CHECKING
 
 from .menu import Menu, MenuSelectionType
 from ..locale_helpers import set_keyboard_language
 from ..output import log
 from ..translation import Translation
+from ..hsm.fido import get_fido2_devices
 
 if TYPE_CHECKING:
 	_: Any
@@ -466,3 +468,25 @@ class GeneralMenu:
 			return language
 
 		return preset_value
+
+	def _select_hsm(self, preset :Optional[pathlib.Path] = None) -> Optional[pathlib.Path]:
+		title = _('Select which partitions to mark for formatting:')
+		title += '\n'
+
+		fido_devices = get_fido2_devices()
+
+		indexes = []
+		for index, path in enumerate(fido_devices.keys()):
+			title += f"{index}: {path} ({fido_devices[path]['manufacturer']} - {fido_devices[path]['product']})"
+			indexes.append(f"{index}|{fido_devices[path]['product']}")
+
+		title += '\n'
+
+		choice = Menu(title, indexes, multi=False).run()
+
+		match choice.type_:
+			case MenuSelectionType.Esc: return preset
+			case MenuSelectionType.Selection:
+				return pathlib.Path(list(fido_devices.keys())[int(choice.value.split('|',1)[0])])
+
+		return None
\ No newline at end of file