So if I understand this correctly, your objective here is to add a second factor to the android unlock verification.
Now Android already has a pretty decent authentication system in place, so as @danielt suggested, it may be a better idea to extend that than to try to being in PAM. For one, you will end up having to use the Android mechanism anyway, to bind to the PAM module.
In addition, I’d be quite hesitant to use any proprietary (closed source) application or 3rd party account integrations to manage secure systems. Closed source is the opposite of secure since by definition, you forfeit control of it. You would be better off trying to find something open source without the dependency on google services, and if there isn’t something like that, write it.
If it were me, I’d aim for the NFC route; https://www.seeedstudio.com/Grove-NFC-p-1804.html
Just modify the keyguard code to add a stage to the password authentication type to get a code via NFC and send it to a server to ask if its good or not.
Now keep in mind the following;
- The phone needs to communicate with the server to GENERATE the code. So the server needs to authenticate the phone, then the server can send the phone an access token that is valid for a short time limit, say 5 seconds. You can make the token something simple to generate, like “sha2(salt+user+time)”.
- The hikey960 needs to authenticate the SERVER as well as ask it if the code is secure. Pre-shared key authentication is probably a good way to go on this.
Honestly, I think that building the 2nd factor authentication mechanism would be a heck of a lot easier than trying to integrate PAM into Android.
For the rest of your questions, look into this;
This allows you to do things like force password authentication, force password complexity, and force storage encryption.
Now you have a choice regarding storage encryption… you can maintain single-factor storage decryption, or make this into a really big job by tying the second factor into storage decryption. Nice thing about newer versions of Android is that the device boots up into a mostly functional state before asking for the key. Older versions paused the boot early on to prompt for the key, which really limited what you could do.
Snort shouldn’t be too big of a deal. The hard part there will be just getting it to cross compile. Its a daemon, so you just start it from an init script.