/nixos-06cb-009a-fingerprint-sensor

Nix flake for driving the 06cb:009a fingerprint sensor on NixOS

Primary LanguageNix

This Nix flake packages the necessary software for driving the 06cb:009a fingerprint sensor (used in ThinkPads like the T480 or T480s). It has been tested with a T480. With some small changes, the flake can probably also be used to setup the sensor 138a:0097 used in other ThinkPads (untested!). See further info below.

This repository is very much "work-in-progress", see also this issue: NixOS/nixpkgs#207116. I do not take any responsibility for any issues caused by the use of this flake.

There are two ways this flake can be used to drive the sensor:

  1. Using uunicorn's open-fprintd and python-validity. The setup is more straightforward but this solution does not support authentication for fingerprint enrolling. I.e. any user with physical access can register their fingerprint and can access fingerprint protected services. Also, open-fprintd seems incompatible with some services relying on fingerprint authentication (e.g. the GDM screenlock). However, this setup should be compatible with the 138a:0097 sensor without any changes (untested!).

  2. Using the libfprint-tod-vfs0090 fork by bingch. This is slightly more complex to set up, but this driver integrates well with fprintd and thus proper authentication mechanisms are in place. Also, this approach is compatible with any service relying on fprintd. With a small change as described below, this setup is probably also compatible with the 138a:0097 sensor (untested!).

Table of Contents

Loading this flake

You can add this flake to your inputs like this:

inputs = {
  # ...

  nixos-06cb-009a-fingerprint-sensor = {
    url = "github:ahbnr/nixos-06cb-009a-fingerprint-sensor";
    inputs.nixpkgs.follows = "nixpkgs";
  };
};

For general information on using flakes with NixOS, see this guide: https://nixos.wiki/wiki/Flakes#Using_nix_flakes_with_NixOS

Setup based on open-fprintd and python-validity

  1. Load the open-fprintd and python-validity modules in your outputs:
outputs = {
  self, nixpkgs,
  # ...
  nixos-06cb-009a-fingerprint-sensor,
  ...
}@attrs: {
  nixosConfigurations.<myhostname> = nixpkgs.lib.nixosSystem {
    # ...
    modules = [
      # ...
      nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd
      nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity
    ];
  };
};
  1. In your system configuration, enable the open-fprintd and python-validity services:
services.open-fprintd.enable = true;
services.python-validity.enable = true;

Also, you need to make sure, services.fprintd is not enabled, and fprintd is not in your systemPackages, otherwise conflicts may arise.

  1. After rebuilding your system, you can register fingerprints for a user with fprintd-enroll and also use all the other fprintd- user tooling. More information and some troubleshooting help can be found in the python-validity repository: https://github.com/uunicorn/python-validity

  2. Configure PAM to use the fingerprint sensor for authentication. E.g. for configuring sudo to ask for a fingerprint, you can use this configuration:

# fingerprint scanning for authentication
# (this makes it so that it prompts for a password first. If none is entered or an incorrect one is entered, it will ask for a fingerprint instead)
security.pam.services.sudo.text = ''
  # Account management.
  account required pam_unix.so
  
  # Authentication management.
  auth sufficient pam_unix.so   likeauth try_first_pass nullok
  auth sufficient ${nixos-06cb-009a-fingerprint-sensor.localPackages.fprintd-clients}/lib/security/pam_fprintd.so
  auth required pam_deny.so
  
  # Password management.
  password sufficient pam_unix.so nullok sha512
  
  # Session management.
  session required pam_env.so conffile=/etc/pam/environment readenv=0
  session required pam_unix.so
'';

Setup based on fprintd and bingch's driver

  1. This driver can verify fingerprints, but it can not enroll them. Also, it requires some sensor calibration data which is extracted by python-validity. Hence, you first have to enroll your fingerprints with open-fprintd and python-validity using the steps described above. You do not need to setup any PAM configuration (step 4).

This will result in a file /var/lib/python-validity/calib-data.bin being generated. Copy this file to some path in your NixOS system configuration directory, e.g. ./calib-data.bin

  1. Now, we can remove open-fprintd and python-validity again. E.g. remove these modules:

    nixos-06cb-009a-fingerprint-sensor.nixosModules.open-fprintd
    nixos-06cb-009a-fingerprint-sensor.nixosModules.python-validity

    and comment out or remove the services:

    services.open-fprintd.enable = true;
    services.python-validity.enable = true;

    If you had setup any PAM configuration relying on nixos-06cb-009a-fingerprint-sensor.localPackages.fprintd-clients you also need to remove it.

  2. Now, enable the fprintd service that comes with the official package source and configure it to use bingch's custom driver supplied by this flake:

    services.fprintd = {
      enable = true;
      tod = {
        enable = true;
        driver = nixos-06cb-009a-fingerprint-sensor.lib.libfprint-2-tod1-vfs0090-bingch {
          calib-data-file = ./calib-data.bin;
        };
      };
    };

    Here, the path ./calib-data.bin should point to the calibration data you copied in step 1.

    If you are using the sensor 138a:0097 and not 06cb:009a, you might still be able to make this work by using the original libfprint-tod-vfs0090 driver by Marco Trevisan instead of bingch's fork. That driver is part of the official NixOS packages and it does not require the calibration data file. Hence, the following configuration might work for 138a:0097 (untested):

    services.fprintd = {
      enable = true;
      tod = {
        enable = true;
        driver = pkgs.libfprint-2-tod1-vfs0090;
      };
    };
  3. Rebuild your system. The fprintd service might fail when being started immediately after shutting down open-fprintd, so you might need to restart the service manually once:

    systemctl restart fprintd
  4. The fingerprint enrolling mechanism must be invoked again (i.e. repeat the fprintd-enroll invocation of step 1). Now, fprintd should function normally. By default NixOS comes with PAM configuration to use fingerprints for authenticating sudo. Also GDM now lets you log in using your fingerprint.