
Cryptenroll pager and tweaks (#35517)

This commit is contained in:
Luca Boccassi 2024-12-10 14:07:26 +00:00 committed by GitHub
commit 18d2d10c17
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 29 additions and 15 deletions


@ -720,14 +720,16 @@
<term><option>--list-devices</option></term>
<listitem><para>Show a list of candidate block devices this command may operate on. Specifically,
this enumerates block devices currently present that contain a LUKS superblock, and shows their device
node paths along with any of their symlinks.</para>
this enumerates block devices currently present that contain a LUKS superblock, and shows their
device node paths along with any of their symlinks. The devices must implement the
<option>hmac-secret</option> extension to be useable.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
<xi:include href="standard-options.xml" xpointer="no-pager" />
</variablelist>
</refsect1>


@ -23,6 +23,7 @@
#include "libfido2-util.h"
#include "main-func.h"
#include "memory-util.h"
#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "path-util.h"
@ -54,6 +55,7 @@ static uint32_t arg_tpm2_public_key_pcr_mask = 0;
static char *arg_tpm2_signature = NULL;
static char *arg_tpm2_pcrlock = NULL;
static char *arg_node = NULL;
PagerFlags arg_pager_flags = 0;
static int *arg_wipe_slots = NULL;
static size_t arg_n_wipe_slots = 0;
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
@ -172,6 +174,8 @@ static int help(void) {
_cleanup_free_ char *link = NULL;
int r;
pager_open(arg_pager_flags);
r = terminal_urlify_man("systemd-cryptenroll", "1", &link);
if (r < 0)
return log_oom();
@ -180,6 +184,7 @@ static int help(void) {
"%5$sEnroll a security token or authentication credential to a LUKS volume.%6$s\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --no-pager Do not spawn a pager\n"
" --list-devices List candidate block devices to operate on\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
@ -194,11 +199,11 @@ static int help(void) {
" --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS#11 Enrollment:%4$s\n"
" --pkcs11-token-uri=URI\n"
" Specify PKCS#11 security token URI\n"
" --pkcs11-token-uri=URI|auto|list\n"
" Enroll a PKCS#11 security token or list them\n"
"\n%3$sFIDO2 Enrollment:%4$s\n"
" --fido2-device=PATH\n"
" Enroll a FIDO2-HMAC security token\n"
" --fido2-device=PATH|auto|list\n"
" Enroll a FIDO2-HMAC security token or list them\n"
" --fido2-salt-file=PATH\n"
" Use salt from a file instead of generating one\n"
" --fido2-parameters-in-header=BOOL\n"
@ -212,8 +217,8 @@ static int help(void) {
" --fido2-with-user-verification=BOOL\n"
" Whether to require user verification to unlock the volume\n"
"\n%3$sTPM2 Enrollment:%4$s\n"
" --tpm2-device=PATH\n"
" Enroll a TPM2 device\n"
" --tpm2-device=PATH|auto|list\n"
" Enroll a TPM2 device or list them\n"
" --tpm2-device-key=PATH\n"
" Enroll a TPM2 device using its public key\n"
" --tpm2-seal-key-handle=HANDLE\n"
@ -245,6 +250,7 @@ static int help(void) {
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_NO_PAGER,
ARG_PASSWORD,
ARG_RECOVERY_KEY,
ARG_UNLOCK_KEYFILE,
@ -274,6 +280,7 @@ static int parse_argv(int argc, char *argv[]) {
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "no-pager", no_argument, NULL, ARG_NO_PAGER },
{ "password", no_argument, NULL, ARG_PASSWORD },
{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
{ "unlock-key-file", required_argument, NULL, ARG_UNLOCK_KEYFILE },
@ -307,7 +314,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) {
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
switch (c) {
@ -317,6 +324,10 @@ static int parse_argv(int argc, char *argv[]) {
case ARG_VERSION:
return version();
case ARG_NO_PAGER:
arg_pager_flags |= PAGER_DISABLE;
break;
case ARG_FIDO2_WITH_PIN:
r = parse_boolean_argument("--fido2-with-client-pin=", optarg, NULL);
if (r < 0)
@ -634,7 +645,6 @@ static int parse_argv(int argc, char *argv[]) {
default:
assert_not_reached();
}
}
if (argc > optind+1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
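Review bot: The new `PagerFlags arg_pager_flags = 0;` (hunk at `@ -54,6 +55,7 @@`) is the only file-scope `arg_*` variable in that run without `static` — `arg_tpm2_signature`, `arg_tpm2_pcrlock`, `arg_node` and `arg_wipe_slots` around it are all `static`, so this exports a symbol that nothing declares in a header; it should read `static PagerFlags arg_pager_flags = 0;`. Separately, `pager_open(arg_pager_flags)` is only visible in `help()`, while the same commit advertises `list` for `--pkcs11-token-uri`, `--fido2-device` and `--tpm2-device`; if those listing paths are meant to honour `--no-pager` as well, the pager presumably needs opening before they print — that code is outside these hunks, so worth confirming. The `parse_argv()` body that the last hunk touches continues beyond the hunk.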


@ -1253,6 +1253,8 @@ static int make_security_device_monitor(
assert(ret_monitor);
/* Waits for a device with "security-device" tag to show up in udev */
log_debug("Creating device monitor for tag 'security-device' with timeout %s",
FORMAT_TIMESPAN(arg_token_timeout_usec, 1*USEC_PER_SEC));
r = sd_event_default(&event);
if (r < 0)
@ -2600,7 +2602,7 @@ static int run(int argc, char *argv[]) {
return r;
/* Key not correct? Let's try again, but let's invalidate one of the passed fields,
* so that we fallback to the next best thing. */
* so that we fall back to the next best thing. */
if (token_type == TOKEN_TPM2) {
arg_tpm2_device = mfree(arg_tpm2_device);


@ -1124,7 +1124,7 @@ int fido2_list_devices(void) {
goto finish;
}
t = table_new("path", "manufacturer", "product");
t = table_new("path", "manufacturer", "product", "compatible");
if (!t) {
r = log_oom();
goto finish;
@ -1143,14 +1143,14 @@ int fido2_list_devices(void) {
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
if (r < 0)
goto finish;
if (!r)
continue;
bool compatible = r > 0;
r = table_add_many(
t,
TABLE_PATH, sym_fido_dev_info_path(entry),
TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
TABLE_STRING, sym_fido_dev_info_product_string(entry));
TABLE_STRING, sym_fido_dev_info_product_string(entry),
TABLE_BOOLEAN_CHECKMARK, compatible);
if (r < 0) {
table_log_add_error(r);
goto finish;
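Review bot: A probe error on one token still aborts the entire listing via the unchanged `if (r < 0) goto finish;` right before the new `bool compatible = r > 0;`, so a single device that cannot be opened (presumably e.g. an EACCES on its hidraw node, or a token held by another process — the helper's failure modes are not visible here) hides every other device from `--fido2-device=list`. Now that incompatible devices are displayed with a checkmark column rather than skipped, it would be more useful to report the failure and keep going: `if (r < 0) { log_warning_errno(r, "Failed to probe FIDO2 device '%s', listing it as incompatible: %m", sym_fido_dev_info_path(entry)); r = 0; }` and then let `compatible = r > 0` mark it. If an unreadable token must remain a hard error for some callers, the current behaviour should at least be stated in a comment above the check. `fido2_list_devices()` begins and ends outside this hunk.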