eliott/Linux-Hello
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: wire TPM-backed encrypted template storage into auth pipeline

Browse Source 
Replace plain TemplateStore with SecureTemplateStore in the auth
service. Templates are now encrypted with AES-256-GCM via TPM2 when
available, falling back to software encryption with PBKDF2 key
derivation (600k iterations) otherwise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
eliott
2026-04-02 15:23:12 +02:00
parent d6ced0743f
commit e359d71db4
2 changed files with 18 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
linux-hello-daemon/src/auth.rs
View File

@@ -3,7 +3,7 @@
//! Handles the authentication flow: capture frames, detect faces, extract embeddings,
//! and match against stored templates.
use linux_hello_common::{Config, FaceTemplate, Result, TemplateStore};
use linux_hello_common::{Config, FaceTemplate, Result};
use tracing::{debug, info, warn};
use std::sync::Arc;
@@ -11,6 +11,7 @@ use crate::anti_spoofing::{AntiSpoofingConfig, AntiSpoofingDetector, AntiSpoofin
use crate::camera::PixelFormat;
use crate::detection::{detect_face_simple, FaceDetection};
use crate::embedding::{EmbeddingExtractor, LbphEmbeddingExtractor};
use crate::secure_template_store::SecureTemplateStore;
#[cfg(feature = "onnx")]
use crate::embedding::OnnxEmbeddingWrapper;
#[cfg(feature = "onnx")]
@@ -102,15 +103,16 @@ impl AuthService {
/// Create a new authentication service
pub fn new(config: Config) -> Self {
Self::with_paths(config, TemplateStore::default_path())
Self::with_paths(config, SecureTemplateStore::default_path())
}
/// Initialize the authentication service
pub fn initialize(&self) -> Result<()> {
info!("Initializing authentication service...");
let template_store = self.template_store();
template_store.initialize()?;
let mut template_store = self.template_store();
let enable_encryption = self.config.tpm.enabled;
template_store.initialize(enable_encryption)?;
// Proactively initialize detection model if ONNX is enabled
#[cfg(feature = "onnx")]
@@ -155,15 +157,16 @@ impl AuthService {
self.is_onnx
}
fn template_store(&self) -> TemplateStore {
TemplateStore::new(&self.template_store_path)
fn template_store(&self) -> SecureTemplateStore {
SecureTemplateStore::new(&self.template_store_path)
}
/// Authenticate a user
pub async fn authenticate(&self, user: &str) -> Result<bool> {
info!("Authenticating user: {}", user);
let template_store = self.template_store();
let mut template_store = self.template_store();
template_store.initialize(self.config.tpm.enabled)?;
// Check if user is enrolled
if !template_store.is_enrolled(user) {
@@ -243,8 +246,9 @@ impl AuthService {
frame_count: embeddings.len() as u32,
};
// Store template
let template_store = self.template_store();
// Store template (encrypted if TPM available)
let mut template_store = self.template_store();
template_store.initialize(self.config.tpm.enabled)?;
template_store.store(&template)?;
info!(

7
linux-hello-daemon/src/main.rs
View File

@@ -14,6 +14,7 @@ use linux_hello_common::{Config, Result, TemplateStore};
use linux_hello_daemon::auth::AuthService;
use linux_hello_daemon::dbus_server::{check_system_bus_available, DbusServer};
use linux_hello_daemon::ipc::IpcServer;
use linux_hello_daemon::secure_template_store::SecureTemplateStore;
use tracing::{error, info, warn, Level};
use tracing_subscriber::FmtSubscriber;
@@ -62,8 +63,8 @@ async fn main() -> Result<()> {
// Initialize authentication service
let template_path = std::env::var("LINUX_HELLO_TEMPLATES")
.map(std::path::PathBuf::from)
.unwrap_or_else(|_| TemplateStore::default_path());
.unwrap_or_else(|_| SecureTemplateStore::default_path());
let auth_service = AuthService::with_paths(config.clone(), template_path.clone());
auth_service.initialize()?;
info!("Authentication service initialized (Templates: {})", template_path.display());
@@ -72,7 +73,7 @@ async fn main() -> Result<()> {
let socket_path = std::env::var("LINUX_HELLO_SOCKET")
.map(std::path::PathBuf::from)
.unwrap_or_else(|_| IpcServer::default_socket_path());
let mut ipc_server = IpcServer::new(socket_path.clone());
// Set authentication handler