Debian/Ubuntu support #88

Draft
wants to merge 18 commits into
base: master

crispy-landslide

Initial support for Debian/Ubuntu based systems. Based on discussion in #61, I restructured the repository files to separate the packaging files from the src files. The new file structure is shown at the bottom of this post.

A few notes:

  1. Currently does not support any suspend functionality for Debian/Ubuntu
  2. testrun.sh does not run automatically after installing, but passes all tests when run by itself
  3. Unsure if/how the Arch Linux PKGBUILD file will be affected

```
yubikey-full-disk-encryption
|- CONTRIBUTING.md
|- LICENSE
|- README.md
|- packaging/
|   |- archlinux/
|   |   |- Makefile
|   |   |- PKGBUILD
|   |- debian/
|   |   |- Makefile
|   |   |- debian/
|   |   |   |- changelog
|   |   |   |- compat
|   |   |   |- control
|   |   |   |- copyright
|   |   |   |- rules
|   |   |   |- ykfde.postinst
|- src/
|   |- ykfde.conf
|   |- ykfde-enroll
|   |- ykfde-format
|   |- ykfde-open
|   |- testrun.sh
|   |- archlinux/
|   |   |- initramfs-suspend
|   |   |- ykfde-suspend
|   |   |- ykfde-suspend.service
|   |   |- hooks/
|   |   |   |- ykfde
|   |   |- install/
|   |   |   |- ykfde
|   |- debian/
|   |   |- key-script
|   |   |- hooks/
|   |   |   |- ykfde
```

crispy-landslide changed the title from "Debian support" to "Debian/Ubuntu support" on Jan 13, 2022
Collaborator

@Vincent43 Vincent43 left a comment

Thx again. I left some initial comments

@@ -0,0 +1,70 @@
#! /bin/sh
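Review bot: line 1 declares `#! /bin/sh`, so all 70 lines of this new file are bound to what the system's /bin/sh accepts, yet the shellcheck output for key-script quoted later in this thread shows `local cryptopt cryptoptions` at line 32, and `local` is not part of POSIX sh. Either restrict the script to POSIX constructs or add a comment under the shebang naming the shell extensions it relies on, so the dependency is explicit for anyone reviewing or porting it.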
Collaborator

@Vincent43 Vincent43 Jan 17, 2022

I guess you are aware this script needs a rewrite, as right now it's a copy-paste hybrid from two projects.

I think you have to start from the Arch version, then cut out everything that isn't related to generating secrets (nfc, luks options, trials, timeout, etc.). The end result should resemble what the Debian version does (check if the YubiKey is available, ask for the user secret or read it from config, send it to the YubiKey, print the response), but it needs to be consistent with the Arch version's code syntax.

Author

Well, this took a little longer than I thought, but I just finished modifying the Arch Linux version to work with Debian/Ubuntu. I left in the commented out lines from the original for now so it's easier to see what's different between the Arch and Debian versions. I confirmed that it works for both when the Yubikey is present and when there is no Yubikey present.

Collaborator

I see you still left some things like nfc (there is no support for it in debian), trials/timeouts (do they work?) and unused variables:

```
$ shellcheck -x key-script

In key-script line 8:
YKFDE_DISK_UUID=""
^-------------^ SC2034 (warning): YKFDE_DISK_UUID appears unused. Verify use (or export if used externally).


In key-script line 9:
YKFDE_LUKS_NAME=""
^-------------^ SC2034 (warning): YKFDE_LUKS_NAME appears unused. Verify use (or export if used externally).


In key-script line 10:
YKFDE_LUKS_DEV=""
^------------^ SC2034 (warning): YKFDE_LUKS_DEV appears unused. Verify use (or export if used externally).


In key-script line 11:
YKFDE_LUKS_OPTIONS=""
^----------------^ SC2034 (warning): YKFDE_LUKS_OPTIONS appears unused. Verify use (or export if used externally).


In key-script line 17:
YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
^-- SC2034 (warning): YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP appears unused. Verify use (or export if used externally).


In key-script line 32:
  local cryptopt cryptoptions
        ^------^ SC2034 (warning): cryptopt appears unused. Verify use (or export if used externally).
                 ^----------^ SC2034 (warning): cryptoptions appears unused. Verify use (or export if used externally).


In key-script line 37:
  . "$YKFDE_CONFIG_FILE" || {
    ^------------------^ SC1091 (info): Not following: ../ykfde.conf: openBinaryFile: does not exist (No such file or directory)

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- YKFDE_DISK_UUID appears unused. V...
  https://www.shellcheck.net/wiki/SC1091 -- Not following: ../ykfde.conf: ope...
```

Author

I just removed the commented sections of code, along with the NFC code and unused variables.

As far as the trials and timeout go, I have confirmed that they work. After the given number of trials, the prompt no longer accepts challenges or passphrases. After the given timeout, the prompt switches from asking for the challenge to asking for a passphrase.

The only issue I've come across is that I was unable to get the messages working. If there is no YubiKey present, the message saying "> Waiting x for YubiKey" does not appear. Also, I believe the message saying "Remember to touch the device if necessary." does not appear.

Other than the lack of messages, everything else appears to be working correctly.

@lukas-fichtner

Hi,

Is this still a work in progress, or not an active project anymore?
I have Ubuntu 22.04 and can not suspend my Lenovo T14s.

@agherzan
Owner

agherzan commented Dec 5, 2022

@lukas-fichtner The project is active but this support never left draft mode.

@lukas-fichtner

Oh that's too bad :(

In fact, I was lucky and it was due to a different problem. I only had to adjust the power setting "sleep state" in the BIOS and change it to Linux. Now the suspend mode works perfectly on my Lenovo.

@agherzan
Owner

agherzan commented Dec 6, 2022

This is a very good hint as my T14s is due on the 13th but yes, sounds off-topic to this specific MR.
