diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 05d0f04f7f5..83f8b2d8a18 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -720,14 +720,16 @@
Show a list of candidate block devices this command may operate on. Specifically,
- this enumerates block devices currently present that contain a LUKS superblock, and shows their device
- node paths along with any of their symlinks.
+ this enumerates block devices currently present that contain a LUKS superblock, and shows their
+ device node paths along with any of their symlinks. The devices must implement the
+ extension to be useable.
+
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index dccb320c5dc..3fb58c2874b 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -23,6 +23,7 @@
#include "libfido2-util.h"
#include "main-func.h"
#include "memory-util.h"
+#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "path-util.h"
@@ -54,6 +55,7 @@ static uint32_t arg_tpm2_public_key_pcr_mask = 0;
static char *arg_tpm2_signature = NULL;
static char *arg_tpm2_pcrlock = NULL;
static char *arg_node = NULL;
+PagerFlags arg_pager_flags = 0;
static int *arg_wipe_slots = NULL;
static size_t arg_n_wipe_slots = 0;
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
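Review bot: `arg_pager_flags` is declared without `static`, unlike every other `arg_*` variable visible in this hunk, so it gets external linkage and could collide with a same-named symbol in another translation unit linked into the binary. Nothing in this diff references it from outside cryptenroll.c, so it should read `static PagerFlags arg_pager_flags = 0;`.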
@@ -172,6 +174,8 @@ static int help(void) {
_cleanup_free_ char *link = NULL;
int r;
+ pager_open(arg_pager_flags);
+
r = terminal_urlify_man("systemd-cryptenroll", "1", &link);
if (r < 0)
return log_oom();
@@ -180,6 +184,7 @@ static int help(void) {
"%5$sEnroll a security token or authentication credential to a LUKS volume.%6$s\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
+ " --no-pager Do not spawn a pager\n"
" --list-devices List candidate block devices to operate on\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
@@ -194,11 +199,11 @@ static int help(void) {
" --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS#11 Enrollment:%4$s\n"
- " --pkcs11-token-uri=URI\n"
- " Specify PKCS#11 security token URI\n"
+ " --pkcs11-token-uri=URI|auto|list\n"
+ " Enroll a PKCS#11 security token or list them\n"
"\n%3$sFIDO2 Enrollment:%4$s\n"
- " --fido2-device=PATH\n"
- " Enroll a FIDO2-HMAC security token\n"
+ " --fido2-device=PATH|auto|list\n"
+ " Enroll a FIDO2-HMAC security token or list them\n"
" --fido2-salt-file=PATH\n"
" Use salt from a file instead of generating one\n"
" --fido2-parameters-in-header=BOOL\n"
@@ -212,8 +217,8 @@ static int help(void) {
" --fido2-with-user-verification=BOOL\n"
" Whether to require user verification to unlock the volume\n"
"\n%3$sTPM2 Enrollment:%4$s\n"
- " --tpm2-device=PATH\n"
- " Enroll a TPM2 device\n"
+ " --tpm2-device=PATH|auto|list\n"
+ " Enroll a TPM2 device or list them\n"
" --tpm2-device-key=PATH\n"
" Enroll a TPM2 device using its public key\n"
" --tpm2-seal-key-handle=HANDLE\n"
@@ -245,6 +250,7 @@ static int help(void) {
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
+ ARG_NO_PAGER,
ARG_PASSWORD,
ARG_RECOVERY_KEY,
ARG_UNLOCK_KEYFILE,
@@ -274,6 +280,7 @@ static int parse_argv(int argc, char *argv[]) {
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
+ { "no-pager", no_argument, NULL, ARG_NO_PAGER },
{ "password", no_argument, NULL, ARG_PASSWORD },
{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
{ "unlock-key-file", required_argument, NULL, ARG_UNLOCK_KEYFILE },
@@ -307,7 +314,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
- while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) {
+ while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
switch (c) {
@@ -317,6 +324,10 @@ static int parse_argv(int argc, char *argv[]) {
case ARG_VERSION:
return version();
+ case ARG_NO_PAGER:
+ arg_pager_flags |= PAGER_DISABLE;
+ break;
+
case ARG_FIDO2_WITH_PIN:
r = parse_boolean_argument("--fido2-with-client-pin=", optarg, NULL);
if (r < 0)
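Review bot: `arg_pager_flags |= PAGER_DISABLE` only takes effect once getopt reaches `--no-pager`, whereas help() calls `pager_open(arg_pager_flags)` as soon as it is invoked. The `'h'` case is outside this hunk, but if it returns help() straight from the loop, `--help --no-pager` will still spawn the pager while `--no-pager --help` will not. If that ordering dependence is accepted, a short comment on the case would record it, e.g. `/* only affects --help when given before it on the command line */`. The switch continues outside the hunk.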
@@ -634,7 +645,6 @@ static int parse_argv(int argc, char *argv[]) {
default:
assert_not_reached();
}
- }
if (argc > optind+1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ee93fd3dca0..1da9e21d8e2 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1253,6 +1253,8 @@ static int make_security_device_monitor(
assert(ret_monitor);
/* Waits for a device with "security-device" tag to show up in udev */
+ log_debug("Creating device monitor for tag 'security-device' with timeout %s",
+ FORMAT_TIMESPAN(arg_token_timeout_usec, 1*USEC_PER_SEC));
r = sd_event_default(&event);
if (r < 0)
@@ -2600,7 +2602,7 @@ static int run(int argc, char *argv[]) {
return r;
/* Key not correct? Let's try again, but let's invalidate one of the passed fields,
- * so that we fallback to the next best thing. */
+ * so that we fall back to the next best thing. */
if (token_type == TOKEN_TPM2) {
arg_tpm2_device = mfree(arg_tpm2_device);
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index d19018b331b..ec5235860c2 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -1124,7 +1124,7 @@ int fido2_list_devices(void) {
goto finish;
}
- t = table_new("path", "manufacturer", "product");
+ t = table_new("path", "manufacturer", "product", "compatible");
if (!t) {
r = log_oom();
goto finish;
@@ -1143,14 +1143,14 @@ int fido2_list_devices(void) {
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
if (r < 0)
goto finish;
- if (!r)
- continue;
+ bool compatible = r > 0;
r = table_add_many(
t,
TABLE_PATH, sym_fido_dev_info_path(entry),
TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
- TABLE_STRING, sym_fido_dev_info_product_string(entry));
+ TABLE_STRING, sym_fido_dev_info_product_string(entry),
+ TABLE_BOOLEAN_CHECKMARK, compatible);
if (r < 0) {
table_log_add_error(r);
goto finish;
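Review bot: `bool compatible = r > 0;` needs a comment, because the new column is now the only thing separating a usable token from one that lacks hmac-secret. Something like `/* r > 0: FIDO2 with hmac-secret, can be enrolled; r == 0: shown for visibility only */` would do. Since the listing no longer filters out the `r == 0` devices, the enrollment and `auto` selection paths (not visible in this hunk) presumably have to reject them on their own, which is worth confirming. Note also that `r < 0` from check_device_is_fido2_with_hmac_secret() still jumps to `finish`, so one device that fails to probe hides every other entry. If that is not intended now that incompatible devices are listed, that device could be logged and skipped instead. The loop and function body extend outside the hunk.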