Allow --link-vk-to-keyring with --test-passphrase option.
To make it possible to upload the volume key into a user-specified kernel keyring without needing to (re)activate the device.
@@ -590,7 +590,8 @@ endif::[]
|
||||
ifdef::ACTION_OPEN,ACTION_LUKSRESUME[]
|
||||
*--link-vk-to-keyring* _<keyring_description>::<key_description>_::
|
||||
Link volume key in a keyring with specified key name. The volume key is linked only
|
||||
if requested action is successfully finished.
|
||||
if requested action is successfully finished (with --test-passphrase the verified
|
||||
volume key is linked in a keyring without taking further action).
|
||||
+
|
||||
_<keyring_description>_ string has to contain existing kernel keyring
|
||||
description. The keyring name may be optionally prefixed with "%:" or "%keyring:" type descriptions.
|
||||
|
||||
@@ -104,6 +104,9 @@ void set_activation_flags(uint32_t *flags)
|
||||
(ARG_SET(OPT_KEY_SLOT_ID) || ARG_SET(OPT_UNBOUND_ID)))
|
||||
*flags |= CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY;
|
||||
|
||||
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID))
|
||||
*flags |= CRYPT_ACTIVATE_KEYRING_KEY;
|
||||
|
||||
if (ARG_SET(OPT_SERIALIZE_MEMORY_HARD_PBKDF_ID))
|
||||
*flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
|
||||
|
||||
|
||||
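Review bot: The added `if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID))` branch carries no comment, and the reason an activation flag is set for a path that, per the commit message, may not activate any device is not visible in the code itself. Suggest `/* Also honoured with --test-passphrase: the verified VK is uploaded to the keyring without activating the device. */` directly above `*flags |= CRYPT_ACTIVATE_KEYRING_KEY;`. Whether set_activation_flags is actually reached on the --test-passphrase path cannot be verified from this hunk; set_activation_flags starts before the hunk and presumably continues after it.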
@@ -231,6 +231,30 @@ function setup_luks2_env() {
|
||||
$CRYPTSETUP close $DEV_NAME || fail
|
||||
}
|
||||
|
||||
# $1 key name
|
||||
# $2 keyring to link VK to
|
||||
# $3 key type (optional)
|
||||
test_vk_link_with_passphrase_check() {
|
||||
KEY_TYPE=${3:-user}
|
||||
if [ -z "$3" ]; then
|
||||
KEY_DESC=$1
|
||||
else
|
||||
KEY_DESC="%$3:$1"
|
||||
fi
|
||||
|
||||
KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
|
||||
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
|
||||
if [ $KEY_TYPE = "user" ]; then
|
||||
$CRYPTSETUP open $OPAL2_DEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
|
||||
fi
|
||||
keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open --test-passphrase $OPAL2_DEV || fail
|
||||
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
|
||||
}
|
||||
|
||||
# $1 key name
|
||||
# $2 keyring to link VK to
|
||||
# $3 key type (optional)
|
||||
@@ -1234,6 +1258,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
|
||||
# explicitly specify keyring key type
|
||||
test_vk_link $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
|
||||
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
|
||||
|
||||
test_vk_link_and_reactivate $KEY_NAME "@u" "user"
|
||||
test_vk_link_and_reactivate $KEY_NAME "@u"
|
||||
[[ ! -z "$SESSION_KEYRING_WORKS" ]] && test_vk_link_and_reactivate $KEY_NAME "@s" "user"
|
||||
|
||||
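Review bot: `test_vk_link_with_passphrase_check` assigns `KEY_TYPE`, `KEY_DESC` and `KEYCTL_KEY_NAME` without `local`, so every call overwrites script-wide variables of those names; the script is bash (`function` in the hunk header, `[[ ]]` further down), so `local KEY_TYPE=${3:-user}`, `local KEY_DESC` and `local KEYCTL_KEY_NAME="%$KEY_TYPE:$1"` would confine them to the function. The `<&-||` on the `--volume-key-keyring` line reads as a single token; `<&- || fail "Failed to check volume passed via kernel keyring."` keeps the closed-stdin redirect and the failure branch visually separate. Both points apply verbatim to the identical copy of this function in the later section (`@@ -297,6 +297,30 @@ function add_scsi_device()`). Whether `KEY_TYPE` or `KEY_DESC` is relied on as a global elsewhere in the script cannot be seen from this hunk.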
@@ -297,6 +297,30 @@ function add_scsi_device() {
|
||||
[ -b $DEV ] || fail "Cannot find $DEV."
|
||||
}
|
||||
|
||||
# $1 key name
|
||||
# $2 keyring to link VK to
|
||||
# $3 key type (optional)
|
||||
test_vk_link_with_passphrase_check() {
|
||||
KEY_TYPE=${3:-user}
|
||||
if [ -z "$3" ]; then
|
||||
KEY_DESC=$1
|
||||
else
|
||||
KEY_DESC="%$3:$1"
|
||||
fi
|
||||
|
||||
KEYCTL_KEY_NAME="%$KEY_TYPE:$1"
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV --link-vk-to-keyring "$2"::"$KEY_DESC" || fail
|
||||
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after --test-passphrase."
|
||||
if [ $KEY_TYPE = "user" ]; then
|
||||
$CRYPTSETUP open $LOOPDEV --test-passphrase --volume-key-keyring $KEY_DESC <&-|| fail "Failed to check volume passed via kernel keyring."
|
||||
fi
|
||||
keyctl unlink "$KEYCTL_KEY_NAME" "$2" || fail
|
||||
|
||||
echo $PWD1 | $CRYPTSETUP open --test-passphrase $LOOPDEV || fail
|
||||
keyctl search "$2" $KEY_TYPE $1 > /dev/null 2>&1 && fail "VK is unexpectedly linked to the specified keyring."
|
||||
}
|
||||
|
||||
# $1 key name
|
||||
# $2 keyring to link VK to
|
||||
# $3 key type (optional)
|
||||
@@ -1474,6 +1498,10 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
|
||||
test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME" "user"
|
||||
test_vk_link_and_reactivate $KEY_NAME "%keyring:$TEST_KEYRING_NAME"
|
||||
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME"
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "user"
|
||||
test_vk_link_with_passphrase_check $KEY_NAME "%:$TEST_KEYRING_NAME" "logon"
|
||||
|
||||
# test numeric keyring name -5 is user session (@us) keyring
|
||||
echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --link-vk-to-keyring -5::%logon:$KEY_NAME || fail
|
||||
keyctl search @us logon $KEY_NAME > /dev/null 2>&1 || fail "VK is not linked to the specified keyring after activation."
|
||||
|
||||