I want to write a CryptoTokenKit plugin to be used to unlock FileVault.
I understand macOS already provides such a plugin for a PIV smart card: https://support.apple.com/en-mz/guide/deployment/dep806850525/web
Perfect. I want to do the same for a non-PIV smart card. So I have to provide my own CryptoTokenKit plugin.
I already implemented a smart card plugin (a TKSmartCardToken subclass). I can use it to pair the user with the smart card and use the smart card to log in (except for the 1st login, when the disk is still encrypted).
As far as I understand for preboot I need to provide a "persistent token" https://support.apple.com/en-mz/guide/deployment/dep4e2622249/web
From Xcode I created an empty application, and added a "Persistent Token Extension" (instead of a "Smart Card Token Extension").
After building it, I can see my new token in the output of "pluginkit -m -p com.apple.ctk-tokens".
My questions:
- how and when is my plugin loaded? I added calls to os_log_error() in all the empty methods created by the Xcode template but I do not find my log messages in the console
- Apple provides sample code for an old (2016) PIV token at https://developer.apple.com/library/archive/samplecode/PIVToken/Introduction/Intro.html. Is the source code of the PIV token used at pre-boot also available?
Thanks
As far as I understand for preboot I need to provide a "persistent token"
No, you’ve got that backwards. CryptoTokenKit supports two different types of token:
- Smart card tokens
- Persistent tokens
A smart card token is backed by hardware; a persistent token may be entirely virtual.
A smart card token subclasses TKSmartCardToken. A persistent token subclasses TKToken directly.
Because a smart card token is backed by hardware, it can work at login time. In a persistent token, the information about the credentials in the token is stored in the user’s home directory, and thus it can’t be used to log in. It’s a chicken’n’egg problem.
My understanding is that you have a smart card token working for general login, and now you’re trying to get that work for FileVault unlock. There’s no way to make that work. It’s another chicken’n’egg problem. Your app is stored on the encrypted volume, so it can’t be accessed until the user has unlocked that.
This works for PIV-based smart cards because the pre-boot environment has built-in support for them.
I think it’d be reasonable for you to file an enhancement request for us to support this. I’m not sure if it’s feasible — there are significant challenges, both technically and in terms of wider system security — but it doesn’t hurt to ask (-:
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"