cryptenroll: politely refuse enrolling keys into homed volumes

People should use homectl to enroll tokens into home directories, hence point them there. Otherwise the auth data for the account and for the LUKS volume will end up being different.
2025-03-19 22:50:17 +03:00 · 2021-10-08 17:26:19 +02:00 · 2021-10-08 17:26:19 +02:00 · e0142d4ff8
commit e0142d4ff8
parent d71059072a
1 changed files with 26 additions and 0 deletions
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -381,6 +381,28 @@ static int parse_argv(int argc, char *argv[]) {
        return 1;
 }

+static int check_for_homed(struct crypt_device *cd) {
+        int r;
+
+        assert_se(cd);
+
+        /* Politely refuse operating on homed volumes. The enrolled tokens for the user record and the LUKS2
+         * volume should not get out of sync. */
+
+        for (int token = 0; token < crypt_token_max(CRYPT_LUKS2); token ++) {
+                r = cryptsetup_get_token_as_json(cd, token, "systemd-homed", NULL);
+                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
+                        continue;
+                if (r < 0)
+                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");
+
+                return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN),
+                                       "LUKS2 volume is managed by systemd-homed, please use homectl to enroll tokens.");
+        }
+
+        return 0;
+}
+
 static int prepare_luks(
                struct crypt_device **ret_cd,
                void **ret_volume_key,
@ -405,6 +427,10 @@ static int prepare_luks(
        if (r < 0)
                return log_error_errno(r, "Failed to load LUKS2 superblock: %m");

+        r = check_for_homed(cd);
+        if (r < 0)
+                return r;
+
        if (!ret_volume_key) {
                *ret_cd = TAKE_PTR(cd);
                return 0;