Added a HSM menu entry (#1196)

* Added a HSM menu entry, but also a safety check to make sure a FIDO device is connected

* flake8 complaints

* Adding FIDO lookup using cryptenroll listing

* Added systemd-cryptenroll --fido2-device=list

* Removed old _select_hsm call

* Fixed flake8 complaints

* Added support for locking and unlocking with a HSM

* Removed hardcoded paths in favor of PR merge

* Removed hardcoded paths in favor of PR merge

* Fixed mypy complaint

* Flake8 issue

* Added sd-encrypt for HSM and revert back to encrypt when HSM is not used (stability reason)

* Added /etc/vconsole.conf and tweaked fido2_enroll() to use the proper paths

* Spelling error

* Using UUID instead of PARTUUID when using HSM. I can't figure out how to get sd-encrypt to use PARTUUID instead. Added a Partition().part_uuid function. Actually renamed .uuid to .part_uuid and created a .uuid instead.

* Adding missing package libfido2 and removed tpm2-device=auto as it overrides everything and forces password prompt to be used over FIDO2, no matter the order of the options.

* Added some notes to clarify some choices.

* Had to move libfido2 package install to later in the chain, as there's not even a base during mounting :P

3 files changed, 48 insertions, 6 deletions

diff --git a/archinstall/lib/disk/blockdevice.py b/archinstall/lib/disk/blockdevice.py
index 4978f19c..995ca355 100644
--- a/archinstall/lib/disk/blockdevice.py
+++ b/archinstall/lib/disk/blockdevice.py
@@ -275,7 +275,7 @@ class BlockDevice:
 		count = 0
 		while count < 5:
 			for partition_uuid, partition in self.partitions.items():
-				if partition.uuid.lower() == uuid.lower():
+				if partition.part_uuid.lower() == uuid.lower():
 					return partition
 			else:
 				log(f"uuid {uuid} not found. Waiting for {count +1} time",level=logging.DEBUG)
diff --git a/archinstall/lib/disk/filesystem.py b/archinstall/lib/disk/filesystem.py
index db97924f..31929b63 100644
--- a/archinstall/lib/disk/filesystem.py
+++ b/archinstall/lib/disk/filesystem.py
@@ -150,7 +150,7 @@ class Filesystem:
 
 			if partition.get('boot', False):
 				log(f"Marking partition {partition['device_instance']} as bootable.")
-				self.set(self.partuuid_to_index(partition['device_instance'].uuid), 'boot on')
+				self.set(self.partuuid_to_index(partition['device_instance'].part_uuid), 'boot on')
 
 			prev_partition = partition
 
@@ -193,7 +193,7 @@ class Filesystem:
 	def add_partition(self, partition_type :str, start :str, end :str, partition_format :Optional[str] = None) -> Partition:
 		log(f'Adding partition to {self.blockdevice}, {start}->{end}', level=logging.INFO)
 
-		previous_partition_uuids = {partition.uuid for partition in self.blockdevice.partitions.values()}
+		previous_partition_uuids = {partition.part_uuid for partition in self.blockdevice.partitions.values()}
 
 		if self.mode == MBR:
 			if len(self.blockdevice.partitions) > 3:
@@ -210,7 +210,7 @@ class Filesystem:
 			count = 0
 			while count < 10:
 				new_uuid = None
-				new_uuid_set = (previous_partition_uuids ^ {partition.uuid for partition in self.blockdevice.partitions.values()})
+				new_uuid_set = (previous_partition_uuids ^ {partition.part_uuid for partition in self.blockdevice.partitions.values()})
 
 				if len(new_uuid_set) > 0:
 					new_uuid = new_uuid_set.pop()
@@ -236,7 +236,7 @@ class Filesystem:
 		# TODO: This should never be able to happen
 		log(f"Could not find the new PARTUUID after adding the partition.", level=logging.ERROR, fg="red")
 		log(f"Previous partitions: {previous_partition_uuids}", level=logging.ERROR, fg="red")
-		log(f"New partitions: {(previous_partition_uuids ^ {partition.uuid for partition in self.blockdevice.partitions.values()})}", level=logging.ERROR, fg="red")
+		log(f"New partitions: {(previous_partition_uuids ^ {partition.part_uuid for partition in self.blockdevice.partitions.values()})}", level=logging.ERROR, fg="red")
 		raise DiskError(f"Could not add partition using: {parted_string}")
 
 	def set_name(self, partition: int, name: str) -> bool:
diff --git a/archinstall/lib/disk/partition.py b/archinstall/lib/disk/partition.py
index e7568258..c52ca434 100644
--- a/archinstall/lib/disk/partition.py
+++ b/archinstall/lib/disk/partition.py
@@ -184,7 +184,7 @@ class Partition:
 			return device['pttype']
 
 	@property
-	def uuid(self) -> Optional[str]:
+	def part_uuid(self) -> Optional[str]:
 		"""
 		Returns the PARTUUID as returned by lsblk.
 		This is more reliable than relying on /dev/disk/by-partuuid as
@@ -197,6 +197,26 @@ class Partition:
 				
 			time.sleep(max(0.1, storage['DISK_TIMEOUTS'] * i))
 
+			partuuid = self._safe_part_uuid
+			if partuuid:
+				return partuuid
+
+		raise DiskError(f"Could not get PARTUUID for {self.path} using 'blkid -s PARTUUID -o value {self.path}'")
+
+	@property
+	def uuid(self) -> Optional[str]:
+		"""
+		Returns the UUID as returned by lsblk for the **partition**.
+		This is more reliable than relying on /dev/disk/by-uuid as
+		it doesn't seam to be able to detect md raid partitions.
+		For bind mounts all the subvolumes share the same uuid
+		"""
+		for i in range(storage['DISK_RETRY_ATTEMPTS']):
+			if not self.partprobe():
+				raise DiskError(f"Could not perform partprobe on {self.device_path}")
+
+			time.sleep(max(0.1, storage['DISK_TIMEOUTS'] * i))
+
 			partuuid = self._safe_uuid
 			if partuuid:
 				return partuuid
@@ -217,6 +237,28 @@ class Partition:
 			log(f"Could not reliably refresh PARTUUID of partition {self.device_path} due to partprobe error.", level=logging.DEBUG)
 
 		try:
+			return SysCommand(f'blkid -s UUID -o value {self.device_path}').decode('UTF-8').strip()
+		except SysCallError as error:
+			if self.block_device.info.get('TYPE') == 'iso9660':
+				# Parent device is a Optical Disk (.iso dd'ed onto a device for instance)
+				return None
+
+			log(f"Could not get PARTUUID of partition using 'blkid -s UUID -o value {self.device_path}': {error}")
+
+	@property
+	def _safe_part_uuid(self) -> Optional[str]:
+		"""
+		A near copy of self.uuid but without any delays.
+		This function should only be used where uuid is not crucial.
+		For instance when you want to get a __repr__ of the class.
+		"""
+		if not self.partprobe():
+			if self.block_device.info.get('TYPE') == 'iso9660':
+				return None
+
+			log(f"Could not reliably refresh PARTUUID of partition {self.device_path} due to partprobe error.", level=logging.DEBUG)
+
+		try:
 			return SysCommand(f'blkid -s PARTUUID -o value {self.device_path}').decode('UTF-8').strip()
 		except SysCallError as error:
 			if self.block_device.info.get('TYPE') == 'iso9660':