Allow --link-vk-to-keyring with --test-passphrase option.

To make it possible to upload the volume key into a user-specified kernel
keyring without needing to (re)activate the device.
Ondrej Kozina
2024-02-29 14:16:43 +01:00
parent db635c428b
commit 5a0208cd06
4 changed files with 61 additions and 1 deletions


@@ -590,7 +590,8 @@ endif::[]
ifdef::ACTION_OPEN,ACTION_LUKSRESUME[] ifdef::ACTION_OPEN,ACTION_LUKSRESUME[]
*--link-vk-to-keyring* _<keyring_description>::<key_description>_:: *--link-vk-to-keyring* _<keyring_description>::<key_description>_::
Link volume key in a keyring with specified key name. The volume key is linked only Link volume key in a keyring with specified key name. The volume key is linked only
if requested action is successfully finished. if requested action is successfully finished (with --test-passphrase the verified
volume key is linked in a keyring without taking further action).
+ +
_<keyring_description>_ string has to contain existing kernel keyring _<keyring_description>_ string has to contain existing kernel keyring
description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions. description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.


@@ -104,6 +104,9 @@ void set_activation_flags(uint32_t *flags)
(ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID))) (ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY; *flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID))
*flags |= CRYPT_ACTIVATE_KEYRING_KEY;
if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID)) if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
*flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF; *flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
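Review bot: The new branch sets CRYPT_ACTIVATE_KEYRING_KEY whenever --link-vk-to-keyring is given, but nothing says why linking requires the keyring-key path, which matters now that the flag is also raised for --test-passphrase where no device is activated. A one-line comment above the new `if` would make the coupling explicit, e.g. `/* Linking the volume key into a user keyring requires it to be uploaded to the kernel keyring first, so --link-vk-to-keyring implies the keyring-key path. */` — wording to be confirmed against the library side, which is not in this commit. Whether a caller that previously relied on the flag being absent is now overridden cannot be told from this hunk. set_activation_flags starts before the hunk.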


@@ -231,6 +231,30 @@ function setup_luks2_env() {
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
} }
# $1 key name
# $2 keyring to link VK to
# $3 key type (optional)
test_vk_link_with_passphrase_check() {
KEY_TYPE=${3:-user}
if [ -z "$3" ]; then
KEY_DESC=$1
else
KEY_DESC="%$3:$1"
fi
KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
if [ $KEY_TYPE = "user" ]; then
$CRYPTSETUP open $OPAL2_DEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
fi
keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV || fail
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
}
# $1 key name # $1 key name
# $2 keyring to link VK to # $2 keyring to link VK to
# $3 key type (optional) # $3 key type (optional)
@@ -1234,6 +1258,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
# explicitly specify keyring key type # explicitly specify keyring key type
test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME" test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
test_vk_link_and_reactivate $KEY_NAME "@u" "user" test_vk_link_and_reactivate $KEY_NAME "@u" "user"
test_vk_link_and_reactivate $KEY_NAME "@u" test_vk_link_and_reactivate $KEY_NAME "@u"
[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user" [[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user"
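Review bot: The `[ $KEY_TYPE = "user" ]` branch in test_vk_link_with_passphrase_check (first hunk) silently skips the --volume-key-keyring read-back for logon keys without saying why; a comment would spare the next reader a trip to the kernel keyring docs, e.g. `# logon keys cannot be read back by user space, so the read-back check applies to user keys only`. The same function is added verbatim to the second test script in this commit (only the device variable differs), so any fix needs to land in both copies. `$KEY_DESC` and `$1` are passed unquoted to cryptsetup and keyctl; harmless for the key names used here, but `"$KEY_DESC"` would match the quoting already used on the `--link-vk-to-keyring "$2"::"$KEY_DESC"` argument a few lines above.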


@@ -297,6 +297,30 @@ function add_scsi_device() {
[ -b $DEV ] || fail "Cannot find $DEV." [ -b $DEV ] || fail "Cannot find $DEV."
} }
# $1 key name
# $2 keyring to link VK to
# $3 key type (optional)
test_vk_link_with_passphrase_check() {
KEY_TYPE=${3:-user}
if [ -z "$3" ]; then
KEY_DESC=$1
else
KEY_DESC="%$3:$1"
fi
KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
if [ $KEY_TYPE = "user" ]; then
$CRYPTSETUP open $LOOPDEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
fi
keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV || fail
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
}
# $1 key name # $1 key name
# $2 keyring to link VK to # $2 keyring to link VK to
# $3 key type (optional) # $3 key type (optional)
@@ -1474,6 +1498,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user" test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user"
test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
# test numeric keyring name -5 is user session (@us) keyring # test numeric keyring name -5 is user session (@us) keyring
echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail
keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation." keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
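Review bot: When an intermediate `fail` fires inside test_vk_link_with_passphrase_check (first hunk) — the `keyctl search` or the --volume-key-keyring read-back — the volume key just linked into "$2" is never unlinked, so it stays resident in that keyring for as long as the keyring lives; this presumably relies on the script-wide cleanup tearing down the test keyring, which is outside the hunk — confirm. If cleanup does not cover it, performing the `keyctl unlink "$KEYCTL_KEY_NAME" "$2"` from the cleanup path as well would bound the key's lifetime on failure. The copy of the function in the first test script has the same shape. Separately, `<&-||` on the read-back line parses correctly but reads as one token; `<&- ||` is clearer.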