shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-21 02:50:18 +03:00
Code

cryptenroll: accept cached TPM2 pin

Browse Source 
get_pin() sets req->keyring to "tpm2-pin" when calling ask_password_auto(),
suggesting that a key by this name can be read from the kernel keyring. But the
keyring is never opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set.

Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted setup of encrypted
volumes with FIDO2. If the PIN turns out to be invalid, clear
ASK_PASSWORD_ACCEPT_CACHED to avoid retrying and possible lockout.
This commit is contained in:
Martin Wilck 2025-02-27 21:49:28 +01:00
parent 78f2c17454
commit faf9efa22e
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/cryptenroll/cryptenroll-tpm2.c
View File

@ -111,6 +111,8 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
if (r > 0)
flags |= TPM2_FLAGS_USE_PIN;
else {
AskPasswordFlags askpw_flags = ASK_PASSWORD_ACCEPT_CACHED;
for (size_t i = 5;; i--) {
_cleanup_strv_free_erase_ char **pin = NULL, **pin2 = NULL;
@ -131,17 +133,19 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
pin = strv_free_erase(pin);
r = ask_password_auto(
&req,
/* flags= */ 0,
askpw_flags,
&pin);
if (r < 0)
return log_error_errno(r, "Failed to ask for user pin: %m");
assert(strv_length(pin) == 1);
req.message = "Please enter TPM2 PIN (repeat):";
/* If the PIN was obtained from the keyring, it will match the 2nd time */
r = ask_password_auto(
&req,
/* flags= */ 0,
askpw_flags,
&pin2);
if (r < 0)
return log_error_errno(r, "Failed to ask for user pin: %m");
@ -155,6 +159,7 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
break;
}
askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
log_error("PINs didn't match, please try again!");
}
}