diff --git a/linux-hello-daemon/src/auth.rs b/linux-hello-daemon/src/auth.rs
index bc85381..ea3bc7f 100644
--- a/linux-hello-daemon/src/auth.rs
+++ b/linux-hello-daemon/src/auth.rs
@@ -3,7 +3,7 @@
 //! Handles the authentication flow: capture frames, detect faces, extract embeddings,
 //! and match against stored templates.
-use linux_hello_common::{Config, FaceTemplate, Result, TemplateStore};
+use linux_hello_common::{Config, FaceTemplate, Result};
 use tracing::{debug, info, warn};
 use std::sync::Arc;
@@ -11,6 +11,7 @@ use crate::anti_spoofing::{AntiSpoofingConfig, AntiSpoofingDetector, AntiSpoofin
 use crate::camera::PixelFormat;
 use crate::detection::{detect_face_simple, FaceDetection};
 use crate::embedding::{EmbeddingExtractor, LbphEmbeddingExtractor};
+use crate::secure_template_store::SecureTemplateStore;
 #[cfg(feature = "onnx")]
 use crate::embedding::OnnxEmbeddingWrapper;
 #[cfg(feature = "onnx")]
@@ -102,15 +103,16 @@ impl AuthService {
 /// Create a new authentication service
 pub fn new(config: Config) -> Self {
- Self::with_paths(config, TemplateStore::default_path())
+ Self::with_paths(config, SecureTemplateStore::default_path())
 }
 /// Initialize the authentication service
 pub fn initialize(&self) -> Result<()> {
 info!("Initializing authentication service...");
-
- let template_store = self.template_store();
- template_store.initialize()?;
+
+ let mut template_store = self.template_store();
+ let enable_encryption = self.config.tpm.enabled;
+ template_store.initialize(enable_encryption)?;
 // Proactively initialize detection model if ONNX is enabled
 #[cfg(feature = "onnx")]
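Review bot: When `self.config.tpm.enabled` is false, `template_store.initialize(enable_encryption)` presumably leaves face templates unencrypted, and nothing in the new `initialize` body records that at runtime; `warn` is already imported in this file, so add `if !enable_encryption { warn!("TPM encryption disabled: face templates will be stored without encryption"); }` before the `initialize` call. The flag is a configuration switch, not a probe of whether a TPM is actually present, so whether an enabled-but-unavailable TPM fails closed or degrades to plaintext is decided inside `SecureTemplateStore::initialize`; that choice should be stated on this call, e.g. `// NOTE(review): fail-closed vs plaintext fallback when the TPM is missing is decided in SecureTemplateStore::initialize — confirm and document`. The body of `initialize` continues past the end of the hunk.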
@@ -155,15 +157,16 @@ impl AuthService {
 self.is_onnx
 }
- fn template_store(&self) -> TemplateStore {
- TemplateStore::new(&self.template_store_path)
+ fn template_store(&self) -> SecureTemplateStore {
+ SecureTemplateStore::new(&self.template_store_path)
 }
 /// Authenticate a user
 pub async fn authenticate(&self, user: &str) -> Result {
 info!("Authenticating user: {}", user);
- let template_store = self.template_store();
+ let mut template_store = self.template_store();
+ template_store.initialize(self.config.tpm.enabled)?;
 // Check if user is enrolled
 if !template_store.is_enrolled(user) {
@@ -243,8 +246,9 @@ impl AuthService {
 frame_count: embeddings.len() as u32,
 };
- // Store template
- let template_store = self.template_store();
+ // Store template (encrypted if TPM available)
+ let mut template_store = self.template_store();
+ template_store.initialize(self.config.tpm.enabled)?;
 template_store.store(&template)?;
 info!(
diff --git a/linux-hello-daemon/src/main.rs b/linux-hello-daemon/src/main.rs
index c4bda66..17efec4 100644
--- a/linux-hello-daemon/src/main.rs
+++ b/linux-hello-daemon/src/main.rs
@@ -14,6 +14,7 @@ use linux_hello_common::{Config, Result, TemplateStore};
 use linux_hello_daemon::auth::AuthService;
 use linux_hello_daemon::dbus_server::{check_system_bus_available, DbusServer};
 use linux_hello_daemon::ipc::IpcServer;
+use linux_hello_daemon::secure_template_store::SecureTemplateStore;
 use tracing::{error, info, warn, Level};
 use tracing_subscriber::FmtSubscriber;
@@ -62,8 +63,8 @@ async fn main() -> Result<()> {
 // Initialize authentication service
 let template_path = std::env::var("LINUX_HELLO_TEMPLATES")
 .map(std::path::PathBuf::from)
- .unwrap_or_else(|_| TemplateStore::default_path());
-
+ .unwrap_or_else(|_| SecureTemplateStore::default_path());
+
 let auth_service = AuthService::with_paths(config.clone(), template_path.clone());
 auth_service.initialize()?;
 info!("Authentication service initialized (Templates: {})", template_path.display());
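Review bot: `template_store.initialize(self.config.tpm.enabled)?` is now repeated verbatim at every call site (here in `authenticate`, again in the enrollment hunk below, and in `initialize` through a local `enable_encryption`), so the encryption policy can silently diverge the first time one site is edited and the others are not. Fold the call into `template_store()` and make it return `Result<SecureTemplateStore>`, so every caller receives a store that is already initialised from the single source of truth; callers then become `let template_store = self.template_store()?;`. The store is also rebuilt and re-initialised on every authentication attempt; if `SecureTemplateStore::initialize` performs TPM work per call, the cost and any key-handle lifetime should be noted in a doc comment on the helper. `authenticate` continues beyond the hunk, so the `is_enrolled` check that follows is unaffected by the rename.
```rust
/// Open the template store at `template_store_path`, already initialised with
/// the configured encryption policy (`config.tpm.enabled`). Fallible so the
/// policy is applied in exactly one place.
fn template_store(&self) -> Result<SecureTemplateStore> {
    let mut store = SecureTemplateStore::new(&self.template_store_path);
    store.initialize(self.config.tpm.enabled)?;
    Ok(store)
}

// … unchanged: authenticate() up to the store lookup …
let template_store = self.template_store()?;
```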
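Review bot: The new comment `// Store template (encrypted if TPM available)` overstates what the code checks: the argument handed to `initialize` is `self.config.tpm.enabled`, a configuration flag, not a runtime check that a TPM is present. Reword it to `// Store template (encrypted when config.tpm.enabled is set; SecureTemplateStore decides what happens without a TPM)` so a reader does not assume hardware presence is verified here. The enclosing enrollment function starts before the hunk.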
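Review bot: `TemplateStore` is still imported on the header context line `use linux_hello_common::{Config, Result, TemplateStore};`, while its only visible use in main.rs, `TemplateStore::default_path()` in the startup hunk, is replaced by `SecureTemplateStore::default_path()` in this commit. Unless main.rs references `TemplateStore` somewhere not shown, this leaves an unused import that `cargo clippy -- -D warnings` will reject; change the line to `use linux_hello_common::{Config, Result};`.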
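Review bot: The default template directory changes from `TemplateStore::default_path()` to `SecureTemplateStore::default_path()`; if the two resolve to different locations (not visible here), users enrolled before this commit will no longer be found by `is_enrolled`, with no migration path and no log line explaining why. Either guarantee the two defaults coincide or add a startup check that uses the already-imported `warn`, e.g. `if template_path != TemplateStore::default_path() && TemplateStore::default_path().exists() { warn!("legacy templates found at {} — migrate them to {}", TemplateStore::default_path().display(), template_path.display()); }`. A short comment is also warranted that `LINUX_HELLO_TEMPLATES` is read from the daemon's own environment, so the template location is only as trustworthy as the unit that launches the daemon. `main` continues outside the hunk.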
@@ -72,7 +73,7 @@ async fn main() -> Result<()> {
 let socket_path = std::env::var("LINUX_HELLO_SOCKET")
 .map(std::path::PathBuf::from)
 .unwrap_or_else(|_| IpcServer::default_socket_path());
-
+
 let mut ipc_server = IpcServer::new(socket_path.clone());
 // Set authentication handler