Thinkpad x270 fingerprint reader support

Hello everyone,

TL;DR The built-in fingerprint reader of the ThinkPad x270 seems to works with the driver python-validity package, but it’s not available in nixpkgs yet.
I’m new in Nix/NixOS, so I would be glad if a soul out there could give me a hand finding it or writing it :slight_smile:

Here’s my steps:

I tried to list my devices with:

nicolas@nixos ~ % lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 013: ID 138a:0097 Validity Sensors, Inc. 
Bus 001 Device 003: ID 04f2:b5ab Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I understand that the fingerprint reader is Bus 001 Device 013: ID 138a:0097 Validity Sensors, Inc.

And when running fprint-enroll it fails with:

Impossible to enroll: GDBus.Error:net.reactivated.Fprint.Error.NoSuchDevice: No devices available

I tried different options but get the same result:

services.fprintd.enable = true;
services.fprintd.tod.enable = true;
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090;
  • I read this other thread (for ThinkPad T480): Thinkpad T480 fingerprint reader support - #3 by faultymuse which confirms me that there were no python-validity package for NixOS yet.

  • I then tried to write a Nix script for python-validity to add to my configuration:
    { lib, python3Packages }: with python3Packages; buildPythonApplication { pname = "python-validity"; version = "0.12"; propagatedBuildInputs = [ cryptography pyusb pyyaml ]; driverPath = /usr/share/python-validity/6_07f_lenovo_mis_qm.xpfwext; src = ./.; }

but got the same error as before.

Thanks if you have any idea to help me :slight_smile:

NB: I opened a few issues on the different repositories hoping to have more answers, you can check them there:
https://github.com/NixOS/nixos-hardware/issues/521
https://github.com/NixOS/nixpkgs/issues/207116
https://github.com/uunicorn/python-validity/issues/150

1 Like

EDIT : I finally managed the first step to enroll my fingerprint thanks to ahbnr who answered my issue and created a first version of some nix packages based on the AUR packages, see here: GitHub - ahbnr/nixos-06cb-009a-fingerprint-sensor: Nix flake for driving the 06cb:009a fingerprint sensor on NixOS

BUT I can’t use it properly because the management of account, authentication, password or session must be adapted in Nix:

 # enable fingerprint scanning for sudo
  security.pam.services.sudo.text = ''
    # Account management.
    account required pam_unix.so
    
    # Authentication management.
    auth sufficient pam_unix.so   likeauth try_first_pass nullok
    auth sufficient ${fprintd-clients}/lib/security/pam_fprintd.so
    auth required pam_deny.so
    
    # Password management.
    password sufficient pam_unix.so nullok sha512
    
    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
  '';

I am not familiar with Arch Linux so thanks again if you have any idea to help me :slight_smile:

Also, it would be great to add those python packages to nixpkgs after that to make them available to the community !

Hi @NicolasHo

The solution I described in the GitHub issue that you mentioned ([ThinkPad x270] Fingerprint reader does not work · Issue #521 · NixOS/nixos-hardware · GitHub) has been working well for me with that exact PAM configuration.
What errors do you get?

In any case, I’ve rewritten my repository with the custom packages into a proper Nix flake (GitHub - ahbnr/nixos-06cb-009a-fingerprint-sensor: Nix flake for driving the 06cb:009a fingerprint sensor on NixOS). Furthermore, since open-fprintd has some security issues (no authentication for finger enrolling), I’m now using a fork of the vfs0090 driver with the regular fprintd service.
This also automatically integrates with the default PAM configuration supplied by NixOS, so fingerprint authentication for sudo works out of the box, as well as integration of fingerprint authentication with GNOME.

I’ve described everything in the README.md file of the repository. Since you do not have the same fp sensor as me (138a:0097 instead of 06cb:009a), some of the steps might be different for you. I added some notes about that in the README.

1 Like

@ahaubner 's solution on GitHub works for enabling fprint-enroll and fprint-verify, but I cannot seem to get my display manager and VTY auth to use the fingerprint. I have tried to modify the pam.d/login and pam.d/sudo as has been described elsewhere and there is never a prompt to use my fingerprint, only a password prompt. Any idea?

System: Lenovo X1 Extreme (2nd Gen)
Fingerprint Device: 06cb:009a Synaptics, Inc. Metallica MIS Touch Fingerprint Reader