Thinkpad x270 fingerprint reader support

NicolasHo · December 21, 2022, 4:47pm

Hello everyone,

TL;DR The built-in fingerprint reader of the ThinkPad x270 seems to works with the driver python-validity package, but it’s not available in nixpkgs yet.
I’m new in Nix/NixOS, so I would be glad if a soul out there could give me a hand finding it or writing it

Here’s my steps:

I tried to list my devices with:

nicolas@nixos ~ % lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 013: ID 138a:0097 Validity Sensors, Inc. 
Bus 001 Device 003: ID 04f2:b5ab Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I understand that the fingerprint reader is Bus 001 Device 013: ID 138a:0097 Validity Sensors, Inc.

And when running fprint-enroll it fails with:

Impossible to enroll: GDBus.Error:net.reactivated.Fprint.Error.NoSuchDevice: No devices available

I tried different options but get the same result:

I read this thread: How to use fingerprint unlocking - How to set up Fprintd (English) - #2 by tejing
and enabled fprint in my configuration.nix file then tried vfs0090 driver followed by goodix driver but without success in both cases:

services.fprintd.enable = true;
services.fprintd.tod.enable = true;
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090;

I read this other thread (for ThinkPad T480): Thinkpad T480 fingerprint reader support - #3 by faultymuse which confirms me that there were no python-validity package for NixOS yet.
I then tried to write a Nix script for python-validity to add to my configuration:
{ lib, python3Packages }: with python3Packages; buildPythonApplication { pname = "python-validity"; version = "0.12"; propagatedBuildInputs = [ cryptography pyusb pyyaml ]; driverPath = /usr/share/python-validity/6_07f_lenovo_mis_qm.xpfwext; src = ./.; }

but got the same error as before.

I also looked on Validity official support, where someone already asked about a Nix driver in 2019 for my device: https://gitter.im/Validity90/Lobby?at=5caf58edf851ee043d9d85d3

Thanks if you have any idea to help me

NB: I opened a few issues on the different repositories hoping to have more answers, you can check them there:
https://github.com/NixOS/nixos-hardware/issues/521
https://github.com/NixOS/nixpkgs/issues/207116
https://github.com/uunicorn/python-validity/issues/150

NicolasHo · January 4, 2023, 12:28pm

EDIT : I finally managed the first step to enroll my fingerprint thanks to ahbnr who answered my issue and created a first version of some nix packages based on the AUR packages, see here: GitHub - ahbnr/nixos-06cb-009a-fingerprint-sensor: Nix flake for driving the 06cb:009a fingerprint sensor on NixOS

BUT I can’t use it properly because the management of account, authentication, password or session must be adapted in Nix:

 # enable fingerprint scanning for sudo
  security.pam.services.sudo.text = ''
    # Account management.
    account required pam_unix.so
    
    # Authentication management.
    auth sufficient pam_unix.so   likeauth try_first_pass nullok
    auth sufficient ${fprintd-clients}/lib/security/pam_fprintd.so
    auth required pam_deny.so
    
    # Password management.
    password sufficient pam_unix.so nullok sha512
    
    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
  '';

I am not familiar with Arch Linux so thanks again if you have any idea to help me

Also, it would be great to add those python packages to nixpkgs after that to make them available to the community !

ahaubner · January 18, 2023, 5:33pm

Hi @NicolasHo

The solution I described in the GitHub issue that you mentioned ([ThinkPad x270] Fingerprint reader does not work · Issue #521 · NixOS/nixos-hardware · GitHub) has been working well for me with that exact PAM configuration.
What errors do you get?

In any case, I’ve rewritten my repository with the custom packages into a proper Nix flake (GitHub - ahbnr/nixos-06cb-009a-fingerprint-sensor: Nix flake for driving the 06cb:009a fingerprint sensor on NixOS). Furthermore, since open-fprintd has some security issues (no authentication for finger enrolling), I’m now using a fork of the vfs0090 driver with the regular fprintd service.
This also automatically integrates with the default PAM configuration supplied by NixOS, so fingerprint authentication for sudo works out of the box, as well as integration of fingerprint authentication with GNOME.

I’ve described everything in the README.md file of the repository. Since you do not have the same fp sensor as me (138a:0097 instead of 06cb:009a), some of the steps might be different for you. I added some notes about that in the README.

InfoSec812 · March 10, 2024, 5:46pm

@ahaubner 's solution on GitHub works for enabling fprint-enroll and fprint-verify, but I cannot seem to get my display manager and VTY auth to use the fingerprint. I have tried to modify the pam.d/login and pam.d/sudo as has been described elsewhere and there is never a prompt to use my fingerprint, only a password prompt. Any idea?

System: Lenovo X1 Extreme (2nd Gen)
Fingerprint Device: 06cb:009a Synaptics, Inc. Metallica MIS Touch Fingerprint Reader