Enable adding unassigned luks2-keyring token in cryptsetup.

There was no easy way to add an unassigned luks2-keyring token.
The --unbound parameter is reused for it.
This commit is contained in:
Ondrej Kozina
2022-09-16 12:30:17 +02:00
parent 0d61e4c20f
commit 033ff34109
6 changed files with 23 additions and 5 deletions


@@ -933,7 +933,7 @@ aligned to page size and page-cache initiates read of a sector with
invalid integrity tag.
endif::[]
ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP[]
ifdef::ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_TOKEN[]
*--unbound*::
ifdef::ACTION_LUKSADDKEY[]
Creates new LUKS2 unbound keyslot.
@@ -946,6 +946,9 @@ Allowed only together with --test-passphrase parameter, it allows one to test
passphrase for unbound LUKS2 keyslot. Otherwise, unbound keyslot passphrase
can be tested only when specific keyslot is selected via --key-slot parameter.
endif::[]
ifdef::ACTION_TOKEN[]
Creates new LUKS2 keyring token assigned to no keyslot. Usable only with _add_ action.
endif::[]
endif::[]
ifdef::ACTION_OPEN,ACTION_TCRYPTDUMP[]


@@ -46,7 +46,7 @@ replace the existing token.
*<options>* can be [--header, --token-id, --key-slot, --key-description,
--disable-external-tokens, --disable-locks, --disable-keyring,
--json-file, --token-replace].
--json-file, --token-replace, --unbound].
include::man/common_options.adoc[]
include::man/common_footer.adoc[]


@@ -2549,6 +2549,9 @@ static int _token_add(struct crypt_device *cd)
token = r;
if (ARG_SET(OPT_UNBOUND_ID))
return token;
r = crypt_token_assign_keyslot(cd, token, ARG_INT32(OPT_KEY_SLOT_ID));
if (r < 0) {
log_err(_("Failed to assign token %d to keyslot %d."), token, ARG_INT32(OPT_KEY_SLOT_ID));
@@ -2825,6 +2828,13 @@ static const char *verify_token(void)
(!strcmp(action_argv[0], "remove") || !strcmp(action_argv[0], "export")))
return _("Action requires specific token. Use --token-id parameter.");
if (ARG_SET(OPT_UNBOUND_ID)) {
if (strcmp(action_argv[0], "add"))
return _("Option --unbound is valid only with token add action.");
if (ARG_SET(OPT_KEY_SLOT_ID))
return _("Options --key-slot and --unbound cannot be combined.");
}
return NULL;
}
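Review bot: The early `return token;` added after `token = r;` in _token_add skips keyslot assignment without saying why it is safe to do so; the only thing that keeps an unbound token from also carrying a `--key-slot` is the check added further down in verify_token(), which a reader of _token_add alone cannot see. Suggest a comment above the new `if (ARG_SET(OPT_UNBOUND_ID))`: `/* --unbound: leave the new token assigned to no keyslot; verify_token() rejects --unbound together with --key-slot */`. In verify_token the new `strcmp(action_argv[0], "add")` follows the existing strcmp on the `remove`/`export` line, so action_argv[0] is presumably already known to be non-NULL there — worth a one-line comment since verify_token starts outside the hunk. The body of _token_add also begins before this hunk.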


@@ -189,7 +189,7 @@ ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase c
ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {})
ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound (no assigned data segment) LUKS2 keyslot"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS)
ARG(OPT_UNBOUND, '\0', POPT_ARG_NONE, N_("Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot)"), NULL, CRYPT_ARG_BOOL, {}, OPT_UNBOUND_ACTIONS)
ARG(OPT_USE_RANDOM, '\0', POPT_ARG_NONE, N_("Use /dev/random for generating volume key"), NULL, CRYPT_ARG_BOOL, {}, OPT_USE_RANDOM_ACTIONS)


@@ -90,7 +90,7 @@
#define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
#define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION }
#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION }
#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION, OPEN_ACTION, TOKEN_ACTION }
#define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_UUID_ACTIONS { FORMAT_ACTION, UUID_ACTION, REENCRYPT_ACTION }


@@ -901,8 +901,13 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
# test we can remove keyslot with token
echo -e "$PWD1\n$PWD2" | $CRYPTSETUP luksAddKey -S4 $FAST_PBKDF_OPT $LOOPDEV || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 || fail
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN1 --key-slot 4 --token-id 0 || fail
$CRYPTSETUP -q luksKillSlot $LOOPDEV 4 || fail
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail
# test we can add unassigned token
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
fi
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
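Review bot: The new block only exercises the positive path — `token add ... --unbound --token-id 0` succeeds and the `open --token-only` attempt fails — while the two rejections this commit introduces in verify_token() (`--unbound` combined with `--key-slot`, and `--unbound` with a token action other than add) get no negative test. Adding `$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --key-slot 4 --token-id 1 && fail` and `$CRYPTSETUP token remove --token-id 0 --unbound $LOOPDEV && fail` next to the new lines would pin both error paths; token id 1 avoids the id 0 already taken on the line above. The enclosing `if [ $HAVE_KEYRING ... ]` block starts before this hunk and its `fi` is the only part visible here.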