This Nix flake packages the necessary software for driving the 06cb:009a fingerprint sensor (used in ThinkPads like the T480 or T480s). It has been tested with a T480. With some small changes, the flake can probably also be used to set up the 138a:0097 sensor used in other ThinkPads (untested!). See further info below.
This repository is very much "work-in-progress", see also this issue: NixOS/nixpkgs#207116. I do not take any responsibility for any issues caused by the use of this flake.
There are two ways this flake can be used to drive the sensor:
- Using uunicorn's open-fprintd and python-validity. The setup is more straightforward, but this solution does not support authentication for fingerprint enrolling, i.e. any user with physical access can register their fingerprint and access fingerprint-protected services. Also, open-fprintd seems incompatible with some services relying on fingerprint authentication (e.g. the GDM screenlock). However, this setup should be compatible with the 138a:0097 sensor without any changes (untested!).
- Using the libfprint-tod-vfs0090 fork by bingch. This is slightly more complex to set up, but this driver integrates well with fprintd and thus proper authentication mechanisms are in place. Also, this approach is compatible with any service relying on fprintd. With a small change as described below, this setup is probably also compatible with the 138a:0097 sensor (untested!).
- Loading the flake
- Setup based on open-fprintd and python-validity
- Setup based on fprintd and bingch's driver
You can add this flake to your inputs like this:
inputs = {
  # ...
  nixos-06cb-009a-fingerprint-sensor = {
    url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor";
    inputs.nixpkgs.follows = "nixpkgs";
  };
};
For general information on using flakes with NixOS, see this guide: https://nixos.wiki/wiki/Flakes#Using_nix_flakes_with_NixOS
- Load the open-fprintd and python-validity modules in your outputs:
outputs = {
  self, nixpkgs,
  # ...
  nixos-06cb-009a-fingerprint-sensor,
  ...
}@attrs: {
  nixosConfigurations.<myhostname> = nixpkgs.lib.nixosSystem {
    # ...
    modules = [
      # ...
      nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd
      nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity
    ];
  };
};
- In your system configuration, enable the open-fprintd and python-validity services:
services.open-fprintd.enable = true;
services.python-validity.enable = true;
Also, you need to make sure that services.fprintd is not enabled and that fprintd is not in your systemPackages, otherwise conflicts may arise.
- After rebuilding your system, you can register fingerprints for a user with fprintd-enroll and also use all the other fprintd- user tooling. More information and some troubleshooting help can be found in the python-validity repository: https://github.com/uunicorn/python-validity
- Configure PAM to use the fingerprint sensor for authentication. E.g. to configure sudo to ask for a fingerprint, you can use this configuration:
# fingerprint scanning for authentication
# (this makes it so that it prompts for a password first. If none is entered or an incorrect one is entered, it will ask for a fingerprint instead)
security.pam.services.sudo.text = ''
  # Account management.
  account required pam_unix.so
  # Authentication management.
  auth sufficient pam_unix.so likeauth try_first_pass nullok
  auth sufficient ${nixos-06cb-009a-fingerprint-sensor.localPackages.fprintd-clients}/lib/security/pam_fprintd.so
  auth required pam_deny.so
  # Password management.
  password sufficient pam_unix.so nullok sha512
  # Session management.
  session required pam_env.so conffile=/etc/pam/environment readenv=0
  session required pam_unix.so
'';
- This driver can verify fingerprints, but it cannot enroll them. Also, it requires some sensor calibration data which is extracted by python-validity. Hence, you first have to enroll your fingerprints with open-fprintd and python-validity using the steps described above. You do not need to set up any PAM configuration (step 4).
This will result in a file /var/lib/python-validity/calib-data.bin being generated. Copy this file to some path in your NixOS system configuration directory, e.g. ./calib-data.bin
- Now, we can remove open-fprintd and python-validity again. E.g. remove these modules:
nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd
nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity
and comment out or remove the services:
services.open-fprintd.enable = true;
services.python-validity.enable = true;
If you had set up any PAM configuration relying on nixos-06cb-009a-fingerprint-sensor.localPackages.fprintd-clients, you also need to remove it.
- Now, enable the fprintd service that comes with the official package source and configure it to use bingch's custom driver supplied by this flake:
services.fprintd = {
  enable = true;
  tod = {
    enable = true;
    driver = nixos-06cb-009a-fingerprint-sensor.lib.libfprint-2-tod1-vfs0090-bingch {
      calib-data-file = ./calib-data.bin;
    };
  };
};
Here, the path ./calib-data.bin should point to the calibration data you copied in step 1.
If you are using the sensor 138a:0097 and not 06cb:009a, you might still be able to make this work by using the original libfprint-tod-vfs0090 driver by Marco Trevisan instead of bingch's fork. That driver is part of the official NixOS packages and it does not require the calibration data file. Hence, the following configuration might work for 138a:0097 (untested):
services.fprintd = {
  enable = true;
  tod = {
    enable = true;
    driver = pkgs.libfprint-2-tod1-vfs0090;
  };
};
- Rebuild your system. The fprintd service might fail when being started immediately after shutting down open-fprintd, so you might need to restart the service manually once:
systemctl restart fprintd
- The fingerprint enrolling mechanism must be invoked again (i.e. repeat the fprintd-enroll invocation of step 1). Now, fprintd should function normally. By default NixOS comes with PAM configuration to use fingerprints for authenticating sudo. Also GDM now lets you log in using your fingerprint.
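The end state of the fprintd-based setup, assembled into a single flake.nix. This is an added example, not part of the original README. The host name myhost, the system value, the nixos-unstable input, ./configuration.nix and the use of specialArgs are assumptions.

```nix
{
  inputs = {
    # Assumption: any nixpkgs revision that provides services.fprintd.tod works here.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixos-06cb-009a-fingerprint-sensor = {
      url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nixos-06cb-009a-fingerprint-sensor, ... }@attrs: {
    # "myhost" is a placeholder host name.
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # Makes the flake inputs available as module arguments, so that
      # modules kept in separate files can also refer to the sensor flake.
      specialArgs = attrs;
      modules = [
        ./configuration.nix # assumed existing system configuration

        # The open-fprintd and python-validity modules are intentionally
        # absent: they were only needed to enroll once and to produce
        # calib-data.bin, and they conflict with fprintd.
        {
          services.fprintd = {
            enable = true;
            tod = {
              enable = true;
              # bingch's fork needs the calibration data extracted by
              # python-validity; the file lives next to this flake.nix.
              driver = nixos-06cb-009a-fingerprint-sensor.lib.libfprint-2-tod1-vfs0090-bingch {
                calib-data-file = ./calib-data.bin;
              };
            };
          };
        }
      ];
    };
  };
}
```

If the configuration directory is a Git repository, calib-data.bin has to be tracked (git add) before rebuilding, because a flake only sees tracked files.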