author | Christian Hesse <mail@eworm.de> | 2013-10-01 10:42:47 +0200 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2013-10-01 10:42:47 +0200 |
commit | be598301fe099be177acefff54f9db65fe263cc7 (patch) | |
tree | 8f786a405b4da2303b0a491f0f8fe4460454551f | |
parent | 54db02d7d6dbead7a7da6a7b110a34721affdf44 (diff) | |
download | mkinitcpio-ykfde-be598301fe099be177acefff54f9db65fe263cc7.tar.gz mkinitcpio-ykfde-be598301fe099be177acefff54f9db65fe263cc7.tar.zst |
update for systemd in initramfs
-rw-r--r-- | bin/ykfde | 7 | ||||
-rw-r--r-- | conf/ykfde.conf | 2 | ||||
-rw-r--r-- | hook/ykfde | 36 | ||||
-rw-r--r-- | install/ykfde | 4 | ||||
-rw-r--r-- | udev/20-ykfde.rules | 4 | ||||
-rwxr-xr-x | udev/ykfde | 9 |
6 files changed, 22 insertions, 40 deletions
@@ -5,7 +5,7 @@ function help() {
 echo
 echo "where OPTIONS are:"
 echo " -1 use Yubico key slot 1"
- echo " -2 use Yubico key slot 2"
+ echo " -2 use Yubico key slot 2 (default)"
 echo " -d DEVICE add key to device DEVICE"
 echo " -h show this help"
 echo " -k keep challenge, just add a new slot"
@@ -13,17 +13,18 @@ function help() {
 TMPDIR="$(mktemp --tmpdir=/tmp/ .$(basename ${0})-${$}-XXXXXX)"
 PASS=""
-SLOT="1"
+SLOT="2"
 KEEP="0"
 while getopts "12d:hk" opt; do
 case ${opt} in
 1)
 SLOT="1"
+ echo "Please update /etc/ykfde.conf if needed!"
 ;;
 2)
 SLOT="2"
- echo "Do not forget to add 'ykfde_slot=2' to your boot parameters!"
+ echo "Please update /etc/ykfde.conf if needed!"
 ;;
 d)
 DEVICE="${OPTARG}"
diff --git a/conf/ykfde.conf b/conf/ykfde.conf
new file mode 100644
index 0000000..fa715db
--- /dev/null
+++ b/conf/ykfde.conf
@@ -0,0 +1,2 @@
+# Specify what Yubikey slot to use for full disk encryption
+YKFDE_SLOT=2
diff --git a/hook/ykfde b/hook/ykfde
deleted file mode 100644
index be75694..0000000
--- a/hook/ykfde
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-run_hook() {
- ykfde_slot="${ykfde_slot:-1}"
- ykfde_count=0
-
- if [ -s /ykfde-challenge ]; then
- modprobe -a -q usbhid >/dev/null 2>&1
-
- if [ "${ykfde_twofactor}" = "y" ]; then
- echo -n "Please give two factor key for Yubikey: "
- stty -echo
- read TWOFACTOR
- stty echo
- echo
- else
- TWOFACTOR=""
- fi
-
- # Any chance to get this more efficient? Without polling and without long sleep times would be great.
- while ! ykchalresp -${ykfde_slot} "${TWOFACTOR}$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null; do
- if [ $((ykfde_count++)) -gt 10 ]; then
- msg ":: No Yubikey presend, fallback to interactive mode"
- rm -f /ykfde-challenge
- return 1
- fi
- sleep 0.3
- done
-
- msg ":: Created crypto keyfile using Yubikey, handing over to encrypt hook"
- rm -f /ykfde-challenge
- else
- msg ":: No challenge found, falling back to interactive mode"
- return 1
- fi
-}
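Review bot: In the second bin/ykfde hunk the same reminder `Please update /etc/ykfde.conf if needed!` is now duplicated in the `1)` and `2)` arms, it does not name the setting to change, and with `-2` it is printed even though that matches the shipped `YKFDE_SLOT=2`. Printing it once after the `getopts` loop would be clearer, for example `echo "Enrolling slot ${SLOT}; YKFDE_SLOT in /etc/ykfde.conf must match."`. The removed hook defaulted to `${ykfde_slot:-1}`, so installations that relied on the old default would presumably fall back to the passphrase after upgrading unless they set `YKFDE_SLOT=1`; an upgrade note would help. The `while`/`case` block continues past the end of the hunk.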
diff --git a/install/ykfde b/install/ykfde
index bbf5bd2..ddb6b4e 100644
--- a/install/ykfde
+++ b/install/ykfde
@@ -1,8 +1,10 @@
 #!/bin/sh
 build() {
- add_runscript
 add_binary ykchalresp
+ add_binary /usr/lib/udev/ykfde
+ add_file /usr/lib/initcpio/udev/20-ykfde.rules /usr/lib/udev/rules.d/20-ykfde.rules
+ add_file /etc/ykfde.conf
 add_file /etc/ykfde-challenge /
 add_module 'usbhid'
 }
diff --git a/udev/20-ykfde.rules b/udev/20-ykfde.rules
new file mode 100644
index 0000000..54cd1c2
--- /dev/null
+++ b/udev/20-ykfde.rules
@@ -0,0 +1,4 @@
+# do challenge response with Yubikey II and try to answer
+# password agent
+ACTION=="add", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
+ RUN+="/usr/lib/udev/ykfde"
diff --git a/udev/ykfde b/udev/ykfde
new file mode 100755
index 0000000..ce83117
--- /dev/null
+++ b/udev/ykfde
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+source /etc/ykfde.conf
+
+# Looks like Yubikey is reset after challenge response, triggering
+# yet another add event. Ignore if the file exists.
+[ -s /crypto_keyfile.bin ] && exit 0
+
+ykchalresp -${YKFDE_SLOT:-2} "$(cat /ykfde-challenge)" > /crypto_keyfile.bin 2>/dev/null |
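Review bot: The rule in udev/20-ykfde.rules matches only on `ATTRS{idVendor}` and `ATTRS{idProduct}`, and `ATTRS` is also satisfied by a parent device, so the helper is likely started for every child node of the key (USB interface, HID, input) rather than once per insertion. Several root-context instances of `/usr/lib/udev/ykfde` can then run close together against the same key file, which may be the actual source of the repeated add events described in the helper's comment. Restricting the match to the USB device itself, e.g. `ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="1050", ATTR{idProduct}=="0010|0110|0111", \`, would avoid that; it should be checked that ykchalresp can already reach the key at that event.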
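Review bot: The last line of udev/ykfde redirects straight into `/crypto_keyfile.bin`, so the file is created with the default umask and truncated before `ykchalresp` has produced anything, and two add events arriving close together can both pass the `-s` test and write at once. A consumer that opens the key file in that window sees an empty or partial key, and a failed run leaves the empty file behind with the error hidden by `2>/dev/null`. Writing to a temporary name under `umask 077` and renaming it only after a non-empty response closes both gaps; this assumes `mv` and `rm` are available in the image, as `cat` already must be. Separately, `source` is not POSIX under `#!/bin/sh`; `. /etc/ykfde.conf` works in every sh.

```shell
. /etc/ykfde.conf

# Key material: keep the file private to root from the moment it is created.
umask 077

# … unchanged: exit early when /crypto_keyfile.bin already has content …

tmp="/crypto_keyfile.bin.$$"
if ykchalresp "-${YKFDE_SLOT:-2}" "$(cat /ykfde-challenge)" > "${tmp}" 2>/dev/null \
	&& [ -s "${tmp}" ]; then
	# rename is atomic on the same filesystem, so readers never see a partial key
	mv -f "${tmp}" /crypto_keyfile.bin
else
	rm -f "${tmp}"
	exit 1
fi
```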