I'm contemplating an attempt at writing a module to enable use of the challenge-response feature of the YubiKey to provide part of the passphrase for a LUKS partition, using GRUB to do the initial decryption. I'm after some advice on whether this is going to be impossible or not.

The device is a USB token, and appears with a few different device descriptors. The one I'll need is the HID one:

    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 No Subclass
      bInterfaceProtocol      0 None
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.10
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      34

In the libusb version of the code, the main API calls that are used (along with the ones to find the devices, etc.) are:

    usb_claim_interface
    usb_control_msg
    usb_release_interface

Obviously I'll need to replace these with some code just using GRUB 2 APIs. It looks like the usb_keyboard module might already have some support for HID devices. And grub_usb_control_msg looks like the equivalent to usb_control_msg.

So, do you think this is realistic? I'll start by trying to expose the challenge-response as a function before worrying about using it for the actual crypt.

Also, any tips on debugging this without endless rebooting would be gratefully received.

Thanks,
Andy
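
Locating the HID interface shown in the dump above and forming the standard GET_DESCRIPTOR request for its 34-byte Report descriptor, as an added example that is not part of the original message and is not GRUB or libusb code. The `ctrl_req` struct and the function names are hypothetical, and the sample bytes are constructed from the dump's values (interface 0 and the endpoints are invented filler); the parsing is plain C, so it can be exercised on the host before any boot-time test.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample: descriptor chain built from the dump's values. */
static const uint8_t sample_cfg[] = {
    0x09, 0x02, 0x32, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32, /* configuration, 50 bytes */
    0x09, 0x04, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, /* interface 0 (filler) */
    0x09, 0x04, 0x01, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, /* interface 1, class 3 HID */
    0x09, 0x21, 0x10, 0x01, 0x00, 0x01, 0x22, 0x22, 0x00, /* HID 1.10, Report, 34 bytes */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A,             /* endpoint IN (filler) */
    0x07, 0x05, 0x02, 0x03, 0x08, 0x00, 0x0A,             /* endpoint OUT (filler) */
};

/* Hypothetical holder for the arguments a control-transfer call takes. */
struct ctrl_req { uint8_t reqtype, request; uint16_t value, index, size; };

/* Return bInterfaceNumber of the first HID interface, or -1; sets *report_len. */
static int find_hid_interface(const uint8_t *buf, size_t len, uint16_t *report_len)
{
    int iface = -1;
    for (size_t off = 0; off + 2 <= len; off += buf[off]) {
        const uint8_t *d = buf + off;
        if (d[0] < 2 || off + d[0] > len)
            return -1;                    /* bad bLength: refuse, never overrun */
        if (d[1] == 4 && d[0] >= 9) {     /* interface descriptor */
            if (iface >= 0) break;        /* next interface began first */
            if (d[5] == 3) iface = d[2];  /* bInterfaceClass 3 = HID */
        } else if (d[1] == 33 && d[0] >= 9 && iface >= 0) {
            if (d[6] == 34) *report_len = (uint16_t)(d[7] | d[8] << 8);
            break;                        /* HID class descriptor consumed */
        }
    }
    return iface;
}

/* Build the standard GET_DESCRIPTOR(Report) request for that interface. */
static int report_desc_request(const uint8_t *buf, size_t len, struct ctrl_req *rq)
{
    uint16_t rlen = 0;
    int iface = find_hid_interface(buf, len, &rlen);
    if (iface < 0 || rlen == 0) return -1;
    rq->reqtype = 0x81;   /* device-to-host, standard, recipient interface */
    rq->request = 0x06;   /* GET_DESCRIPTOR */
    rq->value = 0x2200;   /* descriptor type 34 (Report), index 0 */
    rq->index = (uint16_t)iface;
    rq->size = rlen;
    return 0;
}
int main(void) { struct ctrl_req rq; return report_desc_request(sample_cfg, sizeof sample_cfg, &rq); }
```

The five `ctrl_req` fields correspond to the request type, request, value, index and size arguments of a control-transfer call such as the `usb_control_msg` named above.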


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
