Unlock Xscreensaver with fingerprint

I have a laptop with a built-in fingerprint scanner that I would like to use to unlock Xscreensaver (and possibly lightdm too).

The problem is that it’s attached to one of the USB controllers, as it doesn’t appear individually with qvm-pci or lspci in dom0. Instead, it’s listed in the Qubes device manager under sys-usb.

Can it be done? I don’t care if I have to install software in dom0, I know the risks, I just want to unlock the laptop with a fingerprint. I’d be okay with changing screensaver entirely if it can achieve my goal. Thank you.

The first thing you should check is whether it works in GNU/Linux. Boot from a USB flash drive into something like the latest Kubuntu or Fedora and check it. If it does not work out of the box there, there is a chance it will never work in Qubes OS either; further internet search is advised.

If it does work, you have to see it in sys-usb or another USB qube that has the USB controller (dom0 does not allow USB devices except keyboard, mouse, touch, block storage or something like that). You can connect the device from this USB qube to another qube that should have scripts to check for the fingerprint.

Dom0 should check in some way the status of the fingerprint being logged in and close xscreensaver if it’s allowed by the fingerprint qube. It can be done for sure and is not that difficult, even with a bash script.

=> So, it can be doable, can be not, but will definitely require additional scripts in dom0 and qube with fingerprint device.

Hello, thanks for answering!
Everything works in a Fedora VM, so the question is: is there a policy that allows checking for fingerprint? Or at least a policy that allows connecting the fingerprint reader to dom0, as it’s allowed with the mouse.

I don’t know of such a policy. Check the docs, but I doubt it exists.

What I would do: check the fingerprint device inside the qube and signal to dom0 that it’s activated and authorization was passed.

But do you know about the risks of having a USB controller left in dom0, which is exactly what you would need as you asked (excluding @balko’s ideas, which I’m not aware if it’s possible)?

If you are able to do this, could you make a post explaining step by step how you did it? I’m sure it’s valuable information a lot of people would be interested in knowing.

I guess you could do something similar to what is done with a YubiKey: YubiKey | Qubes OS

My understanding (but I haven’t tried it yet) is that you connect the YubiKey to sys-usb and allow it to call a dedicated service on dom0.

Perhaps, the same principle could be applied with a fingerprint reader.
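
The dom0 side of the "qube signals dom0" idea discussed in this thread, as an added example that is not code from any of the posters or from the Qubes project. It assumes the handler is installed in dom0 as a qrexec service script and that a qrexec policy permits only the reader's qube to call it; the qube name `sys-usb` as default, the message `verified` and the `UNLOCK_CMD` variable are assumptions. qrexec sets `QREXEC_REMOTE_DOMAIN` to the calling qube's name and feeds the caller's output to the script's stdin.

```shell
#!/bin/sh
# Added example: dom0 handler that decides whether a "fingerprint verified"
# signal from a qube is acceptable. All input from the qube is untrusted.

ALLOWED_QUBE="${ALLOWED_QUBE:-sys-usb}"   # qube holding the reader (assumption)
EXPECTED_MSG="verified"                   # only accepted message (assumption)

# Hex-encode stdin so the comparison is byte-exact (NULs, CRs, padding all count).
to_hex() { od -An -tx1 | tr -d ' \n'; }

# decide_unlock: reads the message from stdin.
# Returns 0 = accept, 2 = wrong calling qube, 3 = malformed message.
decide_unlock() {
    du_caller="${QREXEC_REMOTE_DOMAIN:-}"
    # Never read more than 32 bytes from the qube.
    du_got="$(head -c 32 | to_hex)"
    du_want="$(printf '%s\n' "$EXPECTED_MSG" | to_hex)"
    [ "$du_caller" = "$ALLOWED_QUBE" ] || return 2
    [ "$du_got" = "$du_want" ] || return 3
    return 0
}

# Runs only when invoked by qrexec (QREXEC_REMOTE_DOMAIN is then set).
if [ -n "${QREXEC_REMOTE_DOMAIN:-}" ]; then
    if decide_unlock; then
        logger -t fp-unlock "accepted signal from $QREXEC_REMOTE_DOMAIN"
        # UNLOCK_CMD is a placeholder: the thread does not say how the
        # screensaver is released, so the action is left to the admin.
        ${UNLOCK_CMD:-true}
    else
        logger -t fp-unlock "rejected signal (code $?) from $QREXEC_REMOTE_DOMAIN"
        exit 1
    fi
fi
```

The check limits who may send the signal and what it may contain, but the fingerprint match itself still happens in the qube, so dom0 is trusting that qube's verdict.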