shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-01 05:47:04 +03:00
Code

cryptsetup: add 'headless' parameter to skip password/pin query

Browse Source 
On headless setups, in case other methods fail, asking for a password/pin
is not useful as there are no users on the terminal, and generates
unwanted noise. Add a parameter to /etc/crypttab to skip it.
This commit is contained in:
Luca Boccassi 2021-04-09 20:43:10 +01:00 committed by Luca Boccassi
parent 0cd70d43a3
commit cd5f57bda7
9 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
man/crypttab.xml
View File

@ -514,6 +514,13 @@
user is queried for a password indefinitely.</para></listitem> user is queried for a password indefinitely.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>headless=</option></term>
<listitem><para>Takes a boolean argument, defaults to false. If true, never query interactively
for the password/PIN. Useful for headless systems.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>verify</option></term> <term><option>verify</option></term>

3
man/systemd-cryptsetup@.service.xml
View File

@ -73,7 +73,8 @@
<listitem><para>The kernel keyring is then checked for a suitable cached password from previous <listitem><para>The kernel keyring is then checked for a suitable cached password from previous
attempts.</para></listitem> attempts.</para></listitem>
<listitem><para>Finally, the user is queried for a password, possibly multiple times.</para></listitem> <listitem><para>Finally, the user is queried for a password, possibly multiple times, unless
the <varname>headless</varname> option is set.</para></listitem>
</orderedlist> </orderedlist>
<para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para> <para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>

4
src/cryptsetup/cryptsetup-fido2.c
View File

@ -23,6 +23,7 @@ int acquire_fido2_key(
const void *key_data, const void *key_data,
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size) { size_t *ret_decrypted_key_size) {
@ -88,6 +89,9 @@ int acquire_fido2_key(
pins = strv_free_erase(pins); pins = strv_free_erase(pins);
if (headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins); r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m"); return log_error_errno(r, "Failed to ask for user password: %m");

2
src/cryptsetup/cryptsetup-fido2.h
View File

@ -22,6 +22,7 @@ int acquire_fido2_key(
const void *key_data, const void *key_data,
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size); size_t *ret_decrypted_key_size);
@ -49,6 +50,7 @@ static inline int acquire_fido2_key(
const void *key_data, const void *key_data,
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size) { size_t *ret_decrypted_key_size) {

4
src/cryptsetup/cryptsetup-pkcs11.c
View File

@ -32,6 +32,7 @@ struct pkcs11_callback_data {
void *decrypted_key; void *decrypted_key;
size_t decrypted_key_size; size_t decrypted_key_size;
bool free_encrypted_key; bool free_encrypted_key;
bool headless;
}; };
static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) { static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) {
@ -72,6 +73,7 @@ static int pkcs11_callback(
"pkcs11-pin", "pkcs11-pin",
"cryptsetup.pkcs11-pin", "cryptsetup.pkcs11-pin",
data->until, data->until,
data->headless,
NULL); NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -109,12 +111,14 @@ int decrypt_pkcs11_key(
const void *key_data, /* … or key_data and key_data_size (for literal keys) */ const void *key_data, /* … or key_data and key_data_size (for literal keys) */
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size) { size_t *ret_decrypted_key_size) {
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.friendly_name = friendly_name, .friendly_name = friendly_name,
.until = until, .until = until,
.headless = headless,
}; };
int r; int r;

2
src/cryptsetup/cryptsetup-pkcs11.h
View File

@ -19,6 +19,7 @@ int decrypt_pkcs11_key(
const void *key_data, const void *key_data,
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size); size_t *ret_decrypted_key_size);
@ -41,6 +42,7 @@ static inline int decrypt_pkcs11_key(
const void *key_data, const void *key_data,
size_t key_data_size, size_t key_data_size,
usec_t until, usec_t until,
bool headless,
void **ret_decrypted_key, void **ret_decrypted_key,
size_t *ret_decrypted_key_size) { size_t *ret_decrypted_key_size) {

17
src/cryptsetup/cryptsetup.c
View File

@ -79,6 +79,7 @@ static char *arg_fido2_rp_id = NULL;
static char *arg_tpm2_device = NULL; static char *arg_tpm2_device = NULL;
static bool arg_tpm2_device_auto = false; static bool arg_tpm2_device_auto = false;
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX; static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
static bool arg_headless = false;
STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep); STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep);
STATIC_DESTRUCTOR_REGISTER(arg_hash, freep); STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
@ -381,6 +382,17 @@ static int parse_one_option(const char *option) {
} else if (streq(option, "try-empty-password")) } else if (streq(option, "try-empty-password"))
arg_try_empty_password = true; arg_try_empty_password = true;
else if ((val = startswith(option, "headless="))) {
r = parse_boolean(val);
if (r < 0) {
log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
return 0;
}
arg_headless = r;
} else if (streq(option, "headless"))
arg_headless = true;
else if (!streq(option, "x-initrd.attach")) else if (!streq(option, "x-initrd.attach"))
log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option); log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
@ -532,6 +544,9 @@ static int get_password(
assert(src); assert(src);
assert(ret); assert(ret);
if (arg_headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Password querying disabled via 'headless' option.");
friendly = friendly_disk_name(src, vol); friendly = friendly_disk_name(src, vol);
if (!friendly) if (!friendly)
return log_oom(); return log_oom();
@ -775,6 +790,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
key_file, arg_keyfile_size, arg_keyfile_offset, key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size, key_data, key_data_size,
until, until,
arg_headless,
&decrypted_key, &decrypted_key_size); &decrypted_key, &decrypted_key_size);
if (r >= 0) if (r >= 0)
break; break;
@ -895,6 +911,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
key_file, arg_keyfile_size, arg_keyfile_offset, key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size, key_data, key_data_size,
until, until,
arg_headless,
&decrypted_key, &decrypted_key_size); &decrypted_key, &decrypted_key_size);
if (r >= 0) if (r >= 0)
break; break;

7
src/shared/pkcs11-util.c
View File

@ -184,6 +184,7 @@ int pkcs11_token_login(
const char *key_name, const char *key_name,
const char *credential_name, const char *credential_name,
usec_t until, usec_t until,
bool headless,
char **ret_used_pin) { char **ret_used_pin) {
_cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL; _cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL;
@ -247,7 +248,9 @@ int pkcs11_token_login(
string_erase(e); string_erase(e);
if (unsetenv("PIN") < 0) if (unsetenv("PIN") < 0)
return log_error_errno(errno, "Failed to unset $PIN: %m"); return log_error_errno(errno, "Failed to unset $PIN: %m");
} else { } else if (headless)
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
else {
_cleanup_free_ char *text = NULL; _cleanup_free_ char *text = NULL;
if (FLAGS_SET(token_info->flags, CKF_USER_PIN_FINAL_TRY)) if (FLAGS_SET(token_info->flags, CKF_USER_PIN_FINAL_TRY))
@ -960,7 +963,7 @@ static int pkcs11_acquire_certificate_callback(
/* Called for every token matching our URI */ /* Called for every token matching our URI */
r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, &pin_used); r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
if (r < 0) if (r < 0)
return r; return r;

2
src/shared/pkcs11-util.h
View File

@ -30,7 +30,7 @@ char *pkcs11_token_label(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info); char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_model(const CK_TOKEN_INFO *token_info); char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, char **ret_used_pin); int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin);
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object); int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL #if HAVE_OPENSSL