1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

98 Commits

Author SHA1 Message Date
Štěpán Němec
a07693cda5 man: fix incorrect volume numbers in internal man page references
Some ambiguity (e.g., same-named man pages in multiple volumes)
makes it impossible to fully automate this, but the following
Python snippet (run inside the man/ directory of the systemd repo)
helped to generate the sed command lines (which were subsequently
manually reviewed, run and the false positives reverted):

from pathlib import Path

import lxml
from lxml import etree as ET

man2vol: dict[str, str] = {}
man2citerefs: dict[str, list] = {}

for file in Path(".").glob("*.xml"):
    tree = ET.parse(file, lxml.etree.XMLParser(recover=True))
    meta = tree.find("refmeta")
    if meta is not None:
        title = meta.findtext("refentrytitle")
        if title is not None:
            vol = meta.findtext("manvolnum")
            if vol is not None:
                man2vol[title] = vol
            citerefs = list(tree.iter("citerefentry"))
            if citerefs:
                man2citerefs[title] = citerefs

for man, refs in man2citerefs.items():
    for ref in refs:
        title = ref.findtext("refentrytitle")
        if title is not None:
            has = ref.findtext("manvolnum")
            try:
                should_have = man2vol[title]
            except KeyError:  # Non-systemd man page reference?  Ignore.
                continue
            if has != should_have:
                print(
                    f"sed -i '\\|<citerefentry><refentrytitle>{title}"
                    f"</refentrytitle><manvolnum>{has}</manvolnum>"
                    f"</citerefentry>|s|<manvolnum>{has}</manvolnum>|"
                    f"<manvolnum>{should_have}</manvolnum>|' {man}.xml"
                )

(cherry picked from commit 597c6cc119)
2024-11-13 19:48:10 +00:00
Matthias Lisin
245bd4af99 man: fix minor issues 2024-03-21 02:49:38 +01:00
Ondrej Kozina
c5daf14c88 cryptsetup: Add optional support for linking volume key in keyring.
cryptsetup 2.7.0 adds feature to link effective volume key in custom
kernel keyring during device activation. It can be used later to pass
linked volume key to other services.

For example: kdump enabled systems installed on LUKS2 device.
This feature allows it to store volume key linked in a kernel keyring
to the kdump reserved memory and reuse it to reactivate LUKS2 device
in case of kernel crash.
2024-02-13 09:45:08 +01:00
David Tardon
eea10b26f7 man: use same version in public and system ident. 2023-12-25 15:51:47 +01:00
David Tardon
617b85d10e man: use <warning> for warnings 2023-12-25 10:00:43 +01:00
David Tardon
13a69c120b man: use <simplelist> for 'See also' sections
This is just a slight markup improvement; there should be no difference
in rendering.
2023-12-23 08:28:57 +01:00
Vladimir Stoiakin
3d05c05873 cryptsetup: Add support for EC keys in PKCS#11 tokens
Since EC keys doesn't support encryption directly, we use ECDH protocol.
We generate a pair of EC keys in the same EC group, then derive a shared secret using the generated private key and the public key in the token.
The derived shared secret is used as a volume key. The generated public key is stored in the LUKS2 JSON token header area. The generated private key is erased.
To unlock a volume, we derive the shared secret with the stored public key and a private key in the token.

Co-authored-by: MkfsSion <mkfssion@mkfssion.com>
2023-12-19 13:14:16 +03:00
Luca Boccassi
c9be8e420e cryptsetup: use WantsMountsFor= for key/header when nofail is set
The header and keyfile are necessary only for opening the device, not
for closing, so it is not necessary to deactivate the generated
cryptsetup unit when the header or keyfile backing store are removed.

This is especially useful in the case of softreboot, when the new
mount root is setup under /run/nextroot/ but we don't want to close
the cryptsetup devices for encrypted /var/ or so, and we simply
mount it directly on /run/nextroot/var/ before the soft-reboot.
2023-11-29 11:04:59 +00:00
Zbigniew Jędrzejewski-Szmek
c8cd6d7bab man: use meaningful titles for <ulink>s
As pointed out in https://github.com/systemd/systemd/issues/29814, we need to
use phrases are are meaningful on their own, because the man page formatter
creates a list at the bottom. With <ulink>see docs</ulink>, we end up with:
  NOTES:
    1. see docs
       https://some.url/page
    2. see docs
       https://some.url/page2
which is not very useful :(

Also, the text inside the tag should not include punctuation.

Python helper:
  from xml_helper import xml_parse
  for p in glob.glob('../man/*.xml'):
       t = xml_parse(p)
       ulinks = t.iterfind('.//ulink')
       for ulink in ulinks:
           if ulink.text is None: continue
           text = ' '.join(ulink.text.split())
           print(f'{p}: {text}')
2023-11-06 20:16:34 +01:00
Lennart Poettering
e206210909 man: document pcrlock 2023-11-03 11:24:58 +01:00
Zbigniew Jędrzejewski-Szmek
5f5f1ba169 man/crypttab: fix indentation 2023-09-26 15:35:06 +02:00
Abderrahim Kitouni
aefdc1124f man: update version information
As I noticed a lot of missing information when trying to implement checking
for missing info. I reimplemented the version information script to be more
robust, and here is the result.

Follow up to ec07c3c80b
2023-09-19 00:37:37 +01:00
Abderrahim Kitouni
ec07c3c80b man: add version info
This tries to add information about when each option was added. It goes
back to version 183.

The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
2023-08-29 14:07:24 +01:00
Klaus Zipfel
703902400d
crypttab: Support for VeraCrypt PIM and detached headers for TrueCrypt/VeraCrypt (#27548)
* Added veracrypt-pim=<PIM> LUKS option for crypttab
2023-05-06 21:55:05 +01:00
Lennart Poettering
572f78767f man: document the new crypttab measurement options 2023-01-17 09:42:16 +01:00
Yu Watanabe
6c2d70ce9f tree-wide: fix typo 2022-12-02 13:27:08 +09:00
Zbigniew Jędrzejewski-Szmek
0923b4253c tree-wide: replace "plural(s)" by "plurals"
(s) is just ugly with a vibe of DOS. In most cases just using the normal plural
form is more natural and gramatically correct.

There are some log_debug() statements left, and texts in foreign licenses or
headers. Those are not touched on purpose.
2022-10-17 15:10:53 +02:00
Lennart Poettering
32e2767080 tree-wide: use the term "initrd" at most places we so far used "initramfs"
In most cases we refernced the concept as "initrd". Let's convert most
remaining uses of "initramfs" to "initrd" too, to stay internally
consistent.

This leaves "initramfs" only where it's relevant to explain historical
concepts or where "initramfs" is part of the API (i.e. in
/run/initramfs).

Follow-up for: b66a6e1a58
2022-09-23 15:10:53 +02:00
Lennart Poettering
dc63b2c909 cryptsetup: hook up signed PCR policies 2022-09-08 16:34:27 +02:00
Zbigniew Jędrzejewski-Szmek
6163dac48f man/crypttab: rework formatting in "key acquisition section"
<example> without <title> was rendered as "Example 1.", which did not
look good. While at it, the text is rewored to be, I hope, a bit easier to
read.
2022-08-23 12:32:17 +02:00
Chih-Hsuan Yen
7aa0b0121e cryptsetup: support keyfile-timeout for using a device as the key file
Closes https://github.com/systemd/systemd/issues/21993
2022-08-08 17:03:28 +01:00
Grigori Goronzy
4005d41ef0 cryptsetup: add manual TPM2 PIN configuration
Handle the case where TPM2 metadata is not available and explicitly
provided in crypttab. This adds a new "tpm2-pin" option to crypttab
options for this purpose.
2022-03-15 21:17:00 +01:00
Lennart Poettering
2c7ec8203e man: document new token-timeout= setting 2021-10-11 11:12:29 +02:00
Yu Watanabe
3d62af7d23 tree-wide: fix "the the" and "a a" 2021-06-30 23:32:43 +09:00
Sebastian Blunt
2cbca51a71 Rename crypttab opt silent to password-echo
Use the option name 'password-echo' instead of the generic term
'silent'.

Make the option take an argument for better control over echoing
behavior.

Related discussion in https://github.com/systemd/systemd/pull/19619
2021-06-07 10:35:28 +02:00
Sebastian Blunt
4858bc0d84 Respect option 'silent' on cryptsetup FIDO2 pin entry
Makes the silent flags behavior consistent between regular password
entry and FIDO2 pin entry.
2021-05-31 17:57:44 +02:00
Lennart Poettering
a1788a69b2 tpm2: support "+" as separator for TPM PCR lists
Previously, we supported only "," as separator. This adds support for
"+" and makes it the documented choice.

This is to make specifying PCRs in crypttab easier, since commas are
already used there for separating volume options, and needless escaping
sucks.

"," continues to be supported, but in order to keep things minimal not
documented.

Fixe: #19205
2021-05-25 23:28:54 +02:00
Sebastian Blunt
1fa94a3124 Add crypttab option silent
Adds a crypttab option 'silent' that enables the AskPasswordFlag
ASK_PASSWORD_SILENT. This allows usage of systemd-cryptsetup to default
to silent mode, rather than requiring the user to press tab every time.
2021-05-15 16:23:56 +02:00
Luca Boccassi
cd5f57bda7 cryptsetup: add 'headless' parameter to skip password/pin query
On headless setups, in case other methods fail, asking for a password/pin
is not useful as there are no users on the terminal, and generates
unwanted noise. Add a parameter to /etc/crypttab to skip it.
2021-05-07 21:36:27 +01:00
Jonathan G. Underwood
227acf0009 cryptsetup: add support for workqueue options
This commit adds support for disabling the read and write
workqueues with the new crypttab options no-read-workqueue
and no-write-workqueue. These correspond to the cryptsetup
options --perf-no_read_workqueue and --perf-no_write_workqueue
respectively.
2020-12-23 11:07:48 +00:00
Lennart Poettering
cf1e172d58 man: document new features 2020-12-17 20:02:32 +01:00
Yu Watanabe
da115b935a tree-wide: fix typos 2020-12-02 10:53:33 +01:00
Lennart Poettering
59d6f7b097 man: drop comment about ECC vs. RSA and Yubikey
The comment is pointless, ECC systematically doesn't allow
encryption/decryption directly, only RSA does that. If you want to use
ECC for asymmetric encryption/decryption you have to combine it with key
exchange scheme and symmetric scheme. This all is not a limitation of
the Yubikey, hence don't claim so. It's just how ECC is.
2020-12-01 14:27:33 +01:00
Lennart Poettering
96e9a9a4e6 man: document how cryptsetup keys may be acquired via AF_UNIX sockets 2020-12-01 14:27:12 +01:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Lennart Poettering
aa5502bb33
Merge pull request #16444 from oniko/luks-detached-header
Add support for detached LUKS header on kernel cmd line
2020-10-21 10:41:11 +02:00
Ondrej Kozina
13445d9775 cryptsetup-generator: Add support for header device in crypttab 2020-09-25 17:01:36 +02:00
Zbigniew Jędrzejewski-Szmek
b12bd993c8 man: describe comma escaping in crypttab(5) 2020-09-25 13:36:34 +02:00
Zbigniew Jędrzejewski-Szmek
e9dd698407 tree-wide: fixes for assorted grammar and spelling issues
Fixes #16363. Also includes some changes where I generalized the pattern.
2020-07-06 11:29:05 +02:00
Vladimir Panteleev
f1a20afacd man: Document the crypttab keyfile syntax specifying a device
Feature introduced in 50d2eba27b. Also documented
as part of the kernel parameter syntax in systemd-cryptsetup-generator(8), but
should also be documented here as part of the overall file syntax.
2020-06-14 10:46:41 +02:00
Maxim Fomin
6cc27c29ad Add 'bitlk' option to mount Bitlocker drives with cryptsetup. 2020-06-09 08:12:55 +02:00
Lennart Poettering
53ac130b51 cryptsetup: support tmp= file system argument
Let's catch up with Debian a bit more.

This also changes the default from ext2 to ext4.

Fixes: #952
2020-05-26 17:11:34 +02:00
Lennart Poettering
6e41f4dd91 man: document the newly acquired cryptsetup features 2020-05-19 17:28:47 +02:00
Lennart Poettering
2ccf0ff6e8 man: tweaks to the crypttab(5) man page 2019-12-17 18:53:45 +01:00
Lennart Poettering
c2d54475c4 man: document pkcs#11 hookup in /etc/crypttab 2019-12-09 19:25:25 +01:00
Franck Bui
1dc85eff1d crypsetup: introduce x-initrd.attach option
This option is an indication for PID1 that the entry in crypttab is handled by
initrd only and therefore it shouldn't interfer during the usual start-up and
shutdown process.

It should be primarily used with the encrypted device containing the root FS as
we want to keep it (and thus its encrypted device) until the very end of the
shutdown process, i.e. when initrd takes over.

This option is the counterpart of "x-initrd.mount" used in fstab.

Note that the slice containing the cryptsetup services also needs to drop the
usual shutdown dependencies as it's required by the cryptsetup services.

Fixes: #14224
2019-12-05 11:43:02 +01:00
Anita Zhang
7792d9cdd4 man: small grammatical/word choice fixes to crypttab man page
Closes #13608
2019-11-06 10:38:53 +09:00
shinygold
4e1334512d cryptsetup: add documentation for keyfile-timeout 2019-07-17 13:53:55 +02:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Yu Watanabe
2c65512ee7 cryptsetup: add same-cpu-crypt and submit-from-crypt-cpus options
Closes #11946.
2019-03-13 09:48:50 +01:00