Enable adding unassigned luks2-keyring token in cryptsetup.

There was no easy way to add an unassigned luks2-keyring token.
Reuse the --unbound parameter for it.
This commit is contained in:
Ondrej Kozina
2022-09-16 12:30:17 +02:00
parent 0d61e4c20f
commit 033ff34109
6 changed files with 23 additions and 5 deletions


@@ -933,7 +933,7 @@ aligned to page size and page-cache initiates read of a sector with
invalid integrity tag. invalid integrity tag.
endif::[] endif::[]
ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP[] ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_TOKEN[]
*--unbound*:: *--unbound*::
ifdef::ACTION_LUKSADDKEY[] ifdef::ACTION_LUKSADDKEY[]
Creates new LUKS2 unbound keyslot. Creates new LUKS2 unbound keyslot.
@@ -946,6 +946,9 @@ Allowed only together with --test-passphrase parameter, it allows one to test
passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase
can be tested only when specific keyslot is selected via --key-slot parameter. can be tested only when specific keyslot is selected via --key-slot parameter.
endif::[] endif::[]
ifdef::ACTION_TOKEN[]
Creates new LUKS2 keyring token assigned to no keyslot. Usable only with _add_ action.
endif::[]
endif::[] endif::[]
ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[] ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]


@@ -46,7 +46,7 @@ replace the existing token.
*<options>* can be [--header, --token-id, --key-slot, --key-description, *<options>* can be [--header, --token-id, --key-slot, --key-description,
--disable-external-tokens, --disable-locks, --disable-keyring, --disable-external-tokens, --disable-locks, --disable-keyring,
--json-file, --token-replace]. --json-file, --token-replace, --unbound].
include::man/common_options.adoc[] include::man/common_options.adoc[]
include::man/common_footer.adoc[] include::man/common_footer.adoc[]


@@ -2549,6 +2549,9 @@ static int _token_add(struct crypt_device *cd)
token = r; token = r;
if (ARG_SET(OPT_UNBOUND_ID))
return token;
r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID)); r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID));
if (r < 0) { if (r < 0) {
log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID)); log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID));
@@ -2825,6 +2828,13 @@ static const char *verify_token(void)
(!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export"))) (!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export")))
return _("Action requires specific token. Use --token-id parameter."); return _("Action requires specific token. Use --token-id parameter.");
if (ARG_SET(OPT_UNBOUND_ID)) {
if (strcmp(action_argv[0], "add"))
return _("Option --unbound is valid only with token add action.");
if (ARG_SET(OPT_KEY_SLOT_ID))
return _("Options --key-slot and --unbound cannot be combined.");
}
return NULL; return NULL;
} }
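Review bot: The early `return token;` added under `if (ARG_SET(OPT_UNBOUND_ID))` in _token_add leaves the new token assigned to no keyslot without saying so, and the reason the `--key-slot` case needs no handling here lives in a different function; a one-line comment would spare the next reader that lookup, e.g. `/* --unbound: leave the token unassigned to any keyslot; verify_token() already rejects --key-slot alongside it */`. The new `strcmp(action_argv[0], "add")` in verify_token dereferences action_argv[0] exactly as the preceding context line does, so it is guarded wherever that line is. Both _token_add and verify_token start outside their hunks, so whether `token` is the value callers expect on this early-return path is inferred from the `token = r;` context line rather than visible.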


@@ -189,7 +189,7 @@ ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase c
ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {})
ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound (no assigned data segment) LUKS2 keyslot"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS) ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot)"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS)
ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_RANDOM_ACTIONS) ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_RANDOM_ACTIONS)


@@ -90,7 +90,7 @@
#define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION } #define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
#define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION } #define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION }
#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION } #define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION, TOKEN_ACTION }
#define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION } #define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION }


@@ -901,8 +901,13 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
# test we can remove keyslot with token # test we can remove keyslot with token
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail $CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail
# test we can add unassigned token
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
fi fi
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
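Review bot: The new test block covers only the positive `--unbound` add and the expected failure of `open --token-only`; the two rejections verify_token now returns (`--unbound` combined with `--key-slot`, and `--unbound` with a non-add token action) are not exercised, so a regression in either would pass this script. Two lines inside the same `if` block would close the gap, e.g. `$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --key-slot 0 --token-id 1 && fail` and `$CRYPTSETUP token remove --token-id 0 --unbound $LOOPDEV && fail` (the keyslot number is irrelevant there, since the option check rejects the combination before any slot is looked up). The `open ... && fail` line only asserts that the command fails, not that it fails because the token is unassigned; if that distinction matters, checking the emitted message would make the test stricter. The enclosing `if` begins outside the hunk.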