fix boot devices steamdeck, add ykfde

utils/overlays/packages.nix

@@ -1,5 +1,6 @@
 self: super: {
   bento = (super.callPackage ../pkgs/bento { });
+  ykfde = (super.callPackage ../pkgs/ykfde { });
   howdy = (super.callPackage ../pkgs/howdy { });
   linux-enable-ir-emitter = (super.callPackage ../pkgs/linux-enable-ir-emitter { });
 }

utils/pkgs/ykfde/default.nix

@@ -0,0 +1,11 @@
+{ pkgs, lib, stdenv }:
+
+stdenv.mkDerivation {
+  name = "ykfde";
+  src = ./scripts;
+  nativeBuildInputs = [ makeWrapper ];
+  installPhase = ''
+    mkdir -p $out/bin
+    install -D --target $out/bin *
+  '';
+}

utils/pkgs/ykfde/scripts/ykfde_enroll

@@ -0,0 +1,37 @@
+#!/bin/bash -p
+
+set -euo pipefail
+
+nix-shell https://github.com/sgillespie/nixos-yubikey-luks/archive/master.tar.gz
+
+# sanitize environment
+YKFDE_SLOT=2
+YKFDE_SALT_LENGTH=16
+YKFDE_SALT=""
+YKFDE_CHALLENGE=""
+YKFDE_RESPONSE=""
+YKFDE_SLOT_CHECK=""
+YKFDE_KEY_LENGTH=512
+YKFDE_ITERATIONS=1000000
+YKFDE_STORAGE=/boot/crypt-storage/default
+
+
+YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+
+if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+  printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
+  exit 1
+fi
+
+YKFDE_SALT="$(dd if=/dev/random bs=1 count=$YKFDE_SALT_LENGTH 2>/dev/null | rbtohex)"
+YKFDE_CHALLENGE="$(echo -n $salt | openssl dgst -binary -sha512 | rbtohex)"
+YKFDE_RESPONSE="$(ykchalresp -2 -x $YKFDE_CHALLANGE 2>/dev/null)"
+YKFDE_K_LUKS ="$(echo | pbkdf2-sha512 $(($YKFDE_KEY_LENGTH / 8)) $YKFDE_ITERATIONS $YKFDE_RESPONSE | rbtohex)"
+mkdir -p "$(dirname $YKFDE_STORAGE)"
+echo -ne "$YKFDE_SALT\n$YKFDE_ITERATIONS" > $YKFDE_STORAGE
+echo $YKFDE_K_LUKS > luks.key
+cryptsetup luksAddKey /dev/nvme0n1p2 luks.key
+rm luks.key
+
+exit 0