git.feebdaed.xyz Git - 0xmirror/systemd.git/commit

author	Luca Boccassi <luca.boccassi@gmail.com>
	Mon, 24 Nov 2025 20:07:00 +0000 (20:07 +0000)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Thu, 18 Dec 2025 09:56:43 +0000 (10:56 +0100)
commit	9a349714219361b79ab9caf2d4a68a3ca8909d2a
tree	9e64d6f087a9103e07d7eced5c14d336103116a3	tree \| snapshot
parent	cc1ed77280ef6b7e196a267ca8ed5c3815b16c26	commit \| diff

fido2: fix enrolling when UV is required ('alwaysUv')

When a Yubikey or other fido2 device has FIPS mode enabled, UV will
always be required and cannot be disabled. Unhelpfully, when it is not
sent down, the hardware token (not the library) returns a generic
FIDO_ERR_MISSING_PARAMETER:

$ systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=no foo
<...>
libfido2: rx: payload_len=1
libfido2: fido_rx: buf=0x55c9ce170940, len=1
libfido2: 0000: 14
libfido2: cbor_parse_reply: blob[0]=0x14
libfido2: fido_dev_get_assert_rx: adjust_assert_count
Failed to ask token for assertion: FIDO_ERR_MISSING_PARAMETER

This can be set even when the token doesn't support UV (as in, fingerprint
reader), in which case using the PIN is required.

Check if 'alwaysUv' is set, and if not already configured, force
either UV (if available) or PIN when enrolling.