cryptenroll: show which devices support "hmac secret"

We'd silently skip devices which don't have the feature in the list.
This looked wrong esp. if no devices were suitable. Instead, list them
and show which ones are usable.

$ build/systemd-cryptenroll --fido2-device=list
PATH          MANUFACTURER PRODUCT                HMAC SECRET
/dev/hidraw7  Yubico       YubiKey OTP+FIDO+CCID  ✓
/dev/hidraw10 Yubico       Security Key by Yubico ✗
/dev/hidraw5  Yubico       Security Key by Yubico ✗
/dev/hidraw9  Yubico       Yubikey 4 OTP+U2F+CCID ✗
Zbigniew Jędrzejewski-Szmek
2024-12-09 16:30:04 +01:00
parent 9e5d0ed65f
commit 7b2ebd7040
2 changed files with 7 additions and 6 deletions

@@ -720,8 +720,9 @@
<term><option>--list-devices</option></term>
<listitem><para>Show a list of candidate block devices this command may operate on. Specifically,
this enumerates block devices currently present that contain a LUKS superblock, and shows their device
node paths along with any of their symlinks.</para>
this enumerates block devices currently present that contain a LUKS superblock, and shows their
device node paths along with any of their symlinks. The devices must implement the
<option>hmac-secret</option> extension to be useable.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
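Review bot: the sentence added at the end of this paragraph ("The devices must implement the hmac-secret extension to be useable") lands in the `--list-devices` entry, whose surrounding text describes enumerating block devices that carry a LUKS superblock, whereas the requirement applies to the FIDO2 tokens that `--fido2-device=list` prints in the commit message's example. Move it to the `--fido2-device=` description so a reader of `--list-devices` is not told that LUKS volumes need an HMAC extension. While touching the line, "useable" should be "usable".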

@@ -1124,7 +1124,7 @@ int fido2_list_devices(void) {
goto finish;
}
t = table_new("path", "manufacturer", "product");
t = table_new("path", "manufacturer", "product", "compatible");
if (!t) {
r = log_oom();
goto finish;
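Review bot: the new column is titled "compatible" here, but the sample output in the commit message shows the header as HMAC SECRET and the man page change refers to the hmac-secret extension by name. Pick a title that names the feature, e.g. `t = table_new("path", "manufacturer", "product", "hmac secret");`, so the checkmark column tells the user what was checked rather than a generic "compatible", and so the code matches the output quoted in the commit message.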
@@ -1143,14 +1143,14 @@ int fido2_list_devices(void) {
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
if (r < 0)
goto finish;
if (!r)
continue;
bool compatible = r > 0;
r = table_add_many(
t,
TABLE_PATH, sym_fido_dev_info_path(entry),
TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
TABLE_STRING, sym_fido_dev_info_product_string(entry));
TABLE_STRING, sym_fido_dev_info_product_string(entry),
TABLE_BOOLEAN_CHECKMARK, compatible);
if (r < 0) {
table_log_add_error(r);
goto finish;
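Review bot: dropping `if (!r) continue;` is what makes incompatible devices appear in the table, but `if (r < 0) goto finish;` is kept, so a single device for which `check_device_is_fido2_with_hmac_secret()` returns an error still aborts the whole listing and hides every usable token, which is the very situation the commit message says looked wrong. Since the purpose of this change is to show the user all candidates, consider logging the error for that entry and rendering its row as ✗ (or a distinct "unknown" state) instead of returning, and only fail the command when no device could be probed at all. Minor: `r` is reassigned by `table_add_many()` immediately after `compatible` is derived from it, which is correct but reads more clearly with a blank line between the two.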