diff --git a/man/common_options.adoc b/man/common_options.adoc index fad0873b..bfcf8ee0 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -933,7 +933,7 @@ aligned to page size and page-cache initiates read of a sector with invalid integrity tag. endif::[] -ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP[] +ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_TOKEN[] *--unbound*:: ifdef::ACTION_LUKSADDKEY[] Creates new LUKS2 unbound keyslot. @@ -946,6 +946,9 @@ Allowed only together with --test-passphrase parameter, it allows one to test passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase can be tested only when specific keyslot is selected via --key-slot parameter. endif::[] +ifdef::ACTION_TOKEN[] +Creates new LUKS2 keyring token assigned to no keyslot. Usable only with _add_ action. +endif::[] endif::[] ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[] diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc index 55042e24..663418f9 100644 --- a/man/cryptsetup-token.8.adoc +++ b/man/cryptsetup-token.8.adoc @@ -46,7 +46,7 @@ replace the existing token. ** can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring, ---json-file, --token-replace]. +--json-file, --token-replace, --unbound]. include::man/common_options.adoc[] include::man/common_footer.adoc[] diff --git a/src/cryptsetup.c b/src/cryptsetup.c index f0b08679..743d03f2 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -2549,6 +2549,9 @@ static int _token_add(struct crypt_device *cd) token = r; + if (ARG_SET(OPT_UNBOUND_ID)) + return token; + r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID)); if (r < 0) { log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID)); 
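Review bot: The early `return token;` added right after `token = r;` is the only path that leaves the new keyring token without a keyslot, and the first half of _token_add lies outside this hunk, so it is worth confirming that nothing up there validates ARG_INT32(OPT_KEY_SLOT_ID) before the token is created — with --unbound the slot option is never given (verify_token rejects the combination in the same commit), so any such check would run against the option's default value. A one-line comment would make the intent of the branch explicit: `/* --unbound: keep the token unassigned; verify_token() already rejects --key-slot here */`. The assign-failure path after log_err also continues past the end of the hunk.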
@@ -2825,6 +2828,13 @@ static const char *verify_token(void)
 (!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export")))
 return _("Action requires specific token. Use --token-id parameter.");
+ if (ARG_SET(OPT_UNBOUND_ID)) {
+ if (strcmp(action_argv[0], "add"))
+ return _("Option --unbound is valid only with token add action.");
+ if (ARG_SET(OPT_KEY_SLOT_ID))
+ return _("Options --key-slot and --unbound cannot be combined.");
+ }
+
 return NULL;
 }
diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h
index b0b8e50d..ae4df2c2 100644
--- a/src/cryptsetup_arg_list.h
+++ b/src/cryptsetup_arg_list.h
@@ -189,7 +189,7 @@ ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase c
 ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {})
-ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound (no assigned data segment) LUKS2 keyslot"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS)
+ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot)"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS)
 ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_RANDOM_ACTIONS)
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index 724d731c..aff6597f 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
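Review bot: The new --unbound block tests `if (strcmp(action_argv[0], "add"))` with a bare strcmp as the condition, while the surrounding check in this function writes matches as `!strcmp(...)`; the bare form reads as "equals" at a glance and means the opposite, so `if (strcmp(action_argv[0], "add") != 0)` would keep the existing idiom while removing the ambiguity. The second check only fires when --key-slot was explicitly given, which is correct, but a short comment such as `/* an unbound token carries no keyslot assignment, so --key-slot contradicts it */` would document why that combination is refused here rather than in _token_add. verify_token's body begins outside the hunk.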
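Review bot: The reworded help text keeps "Create or dump" as the verb for both objects, but for a token the option only creates (it is limited to the token add action by the new verify_token check), so the sentence promises a token dump mode that does not exist. Something like `N_("Create or dump unbound LUKS2 keyslot (not assigned to a data segment), or create LUKS2 token not assigned to any keyslot")` would describe each case accurately. Note that editing an N_() string also invalidates the existing translations of that entry until the catalogs are updated.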
@@ -90,7 +90,7 @@
 #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
 #define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION }
-#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
+#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION, TOKEN_ACTION }
 #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION }
diff --git a/tests/compat-test2 b/tests/compat-test2
index 21b31199..f187fd72 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -901,8 +901,13 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 # test we can remove keyslot with token
 echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
- $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
 $CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
+ $CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail
+
+ # test we can add unassigned token
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
 fi
 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
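Review bot: The new negative check `$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail` passes whenever open fails for any reason, so by itself it does not show that the token was stored without a keyslot assignment; a positive assertion on the metadata — for example exporting token 0 with `$CRYPTSETUP token export --token-id 0 $LOOPDEV` and checking that its keyslot list is empty — would pin the behaviour --unbound introduces rather than just an unlock failure. The preceding `token remove --token-id 0` after luksKillSlot now also serves as the real assertion for the "remove keyslot with token" case, and a comment saying the token is expected to survive its keyslot's removal would make that explicit. The enclosing `if [ $HAVE_KEYRING ...` block starts outside the hunk.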