cryptsetup: add manual TPM2 PIN configuration

Handle the case where TPM2 metadata is not available and explicitly provided in crypttab. This adds a new "tpm2-pin" option to crypttab options for this purpose.
2025-03-31 14:50:15 +03:00 · 2022-02-18 21:13:41 +01:00 · 2022-02-18 21:13:41 +01:00 · 4005d41ef0
commit 4005d41ef0
parent caeb5604f9
2 changed files with 20 additions and 1 deletions
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@ -677,6 +677,14 @@
        of the current PCR state.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>tpm2-pin=</option></term>
+
+        <listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether
+        TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful
+        when TPM2 enrollment metadata is not available.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>token-timeout=</option></term>

--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@ -82,6 +82,7 @@ static char *arg_fido2_rp_id = NULL;
 static char *arg_tpm2_device = NULL;
 static bool arg_tpm2_device_auto = false;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static bool arg_tpm2_pin = false;
 static bool arg_headless = false;
 static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;

@ -387,6 +388,16 @@ static int parse_one_option(const char *option) {
                                arg_tpm2_pcr_mask |= mask;
                }

+        } else if ((val = startswith(option, "tpm2-pin="))) {
+
+                r = parse_boolean(val);
+                if (r < 0) {
+                        log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
+                        return 0;
+                }
+
+                arg_tpm2_pin = r;
+
        } else if ((val = startswith(option, "try-empty-password="))) {

                r = parse_boolean(val);
@ -1301,7 +1312,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                        key_file, arg_keyfile_size, arg_keyfile_offset,
                                        key_data, key_data_size,
                                        NULL, 0, /* we don't know the policy hash */
-                                        0, /* PIN is currently unhandled in this case */
+                                        arg_tpm2_pin,
                                        until,
                                        arg_headless,
                                        arg_ask_password_flags,