Development Info
- Merge Request: https://invent.kde.org/friedreich/plasma-desktop/-/compare/master...work%2Fpinpam?from_project_id=2802 Work in Progress
- Merge Request: https://invent.kde.org/friedreich/kscreenlocker/-/compare/master...work%2Fpinpam?from_project_id=2683 Work in Progress
- Merge Request: https://invent.kde.org/friedreich/plasma-workspace/-/compare/master...work%2Fpinpam?from_project_id=2703 Work in Progress
I’m trying to bring native PIN unlock with auto-submit support to the Plasma Screenlocker, mimicking the experience found on Windows.
The Objective
The goal is to allow users to set a numeric PIN in the “Users” KCM, which can then be used to quickly unlock the desktop with a short PIN while keeping the strong password as a fallback.
This includes:
- Auto-submit: The lockscreen automatically attempts to unlock once the entered PIN length matches the configured length.
- Numeric Keypad: A dedicated keypad UI on the lockscreen for touch and mouse friendliness.
- TPM 2.0 Integration: If TPM 2.0 is available, PINs can be saved using the pinpam PAM module, which interacts with the TPM.
Technical Implementation
The feature consists of multiple components:
- Users KCM (plasma-workspace): A new section to set/change/remove the PIN.
- Screenlocker (kscreenlocker): New configuration entries for PinEnabled and PinLength.
- Lockscreen UI (plasma-desktop): Porting the Plasma Mobile numeric keypad to the desktop Breeze theme and adding the auto-submit logic.
Backend with pinpam (hardware based)
The backend uses pinpam, a PAM module written in Rust that leverages TPM 2.0 for secret storage and lockout management. Since no official Fedora packages are available, I’ve created a COPR repository for it.
Backend using pam_pinlock (software based)
For systems without a TPM, I’m looking at pam_pinlock. I’ve also made a COPR repository available for Fedora users.
Security & Development Status
[!WARNING] Both of these PAM modules are currently in the early stages of development and may not yet meet the security standards required. There is a strong possibility that we will need to invest more into developing a dedicated, robust PAM module.
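
A minimal model of the auto-submit behaviour described under "The Objective", as an added example that is not code from the linked merge requests. The class, its methods and the `startAuth` hook are hypothetical; only the PinEnabled and PinLength settings come from the post.

```javascript
// Added sketch, not the project's code. PinEntry, key(), finish() and
// startAuth are hypothetical names; pinEnabled/pinLength mirror the
// PinEnabled and PinLength configuration entries named in the post.
class PinEntry {
  constructor({ pinEnabled, pinLength }, startAuth) {
    this.pinEnabled = pinEnabled;
    this.pinLength = pinLength;
    this.startAuth = startAuth; // hands the PIN to the PAM backend (assumed async)
    this.buffer = "";
    this.pending = false;
  }

  // Handle one key from the keypad or keyboard and report what happened.
  key(ch) {
    // Password mode, or an attempt is in flight: drop the key so stray
    // input cannot start a second attempt against the backend's lockout.
    if (!this.pinEnabled || this.pending) return "ignored";
    if (ch === "Backspace") {
      this.buffer = this.buffer.slice(0, -1);
      return "edited";
    }
    if (!/^[0-9]$/.test(ch)) return "ignored"; // numeric PIN only
    this.buffer += ch;
    if (this.buffer.length < this.pinLength) return "edited";
    const pin = this.buffer;
    this.buffer = "";      // do not keep the PIN in the UI after submitting
    this.pending = true;   // exactly one attempt per completed entry
    this.startAuth(pin);
    return "submitted";
  }

  // Called when the backend reports the outcome of the attempt.
  finish(ok) {
    this.pending = false;
    return ok ? "unlocked" : "retry";
  }
}

// Constructed demo: the stand-in backend accepts the made-up PIN "4821".
function demo() {
  const submitted = [];
  const entry = new PinEntry({ pinEnabled: true, pinLength: 4 }, (p) => submitted.push(p));
  const log = ["1", "2", "a", "3", "4", "9"].map((k) => entry.key(k));
  log.push(entry.finish(submitted[0] === "4821"));
  for (const k of ["4", "8", "2", "1"]) log.push(entry.key(k));
  log.push(entry.finish(submitted[1] === "4821"));
  return { log, submitted };
}
```
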