Add --external-tokens-path parameter in cryptsetup.

This commit is contained in:
Ondrej Kozina
2023-11-10 11:59:07 +01:00
parent 0328d61f29
commit 836e5e4539
11 changed files with 82 additions and 6 deletions


@@ -1234,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size.
You cannot shrink device more than by 64 MiB (131072 sectors). You cannot shrink device more than by 64 MiB (131072 sectors).
endif::[] endif::[]
ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
*--external-tokens-path* _absolute_path_::
Override system directory path where cryptsetup searches for external token
handlers (or token plugins). It must be absolute path (starting with '/' character).
endif::[]
ifdef::COMMON_OPTIONS[] ifdef::COMMON_OPTIONS[]
*--batch-mode, -q*:: *--batch-mode, -q*::
Suppresses all confirmation questions. Use with care! Suppresses all confirmation questions. Use with care!


@@ -38,7 +38,7 @@ algorithm is always the same for all keyslots.
--hash, --header, --disable-locks, --iter-time, --pbkdf, --hash, --header, --disable-locks, --iter-time, --pbkdf,
--pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type,
--keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id, --keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
--token-type, --token-only, --new-token-id, --verify-passphrase]. --token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
include::man/common_options.adoc[] include::man/common_options.adoc[]


@@ -40,7 +40,7 @@ use --dump-json-metadata option.
*<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file, *<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file,
--keyfile-offset, --keyfile-size, --header, --disable-locks, --keyfile-offset, --keyfile-size, --header, --disable-locks,
--volume-key-file, --type, --unbound, --key-slot, --timeout]. --volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
*WARNING:* If --dump-volume-key is used with --key-file and the argument *WARNING:* If --dump-volume-key is used with --key-file and the argument
to --key-file is '-', no validation question will be asked and no to --key-file is '-', no validation question will be asked and no


@@ -23,7 +23,8 @@ interactively for a passphrase if no token is usable (LUKS2 only) or
*<options>* can be [--key-file, --keyfile-size, --keyfile-offset, *<options>* can be [--key-file, --keyfile-size, --keyfile-offset,
--key-slot, --header, --disable-keyring, --disable-locks, --token-id, --key-slot, --header, --disable-keyring, --disable-locks, --token-id,
--token-only, --token-type, --disable-external-tokens, --type, --tries, --token-only, --token-type, --disable-external-tokens, --type, --tries,
--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring]. --timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
--external-tokens-path].
include::man/common_options.adoc[] include::man/common_options.adoc[]
include::man/common_footer.adoc[] include::man/common_footer.adoc[]


@@ -78,7 +78,8 @@ matching PIN protected token.
--volume-key-file, --token-id, --token-only, --token-type, --volume-key-file, --token-id, --token-only, --token-type,
--disable-external-tokens, --disable-keyring, --disable-locks, --type, --disable-external-tokens, --disable-keyring, --disable-locks, --type,
--refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout, --refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring]. --verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
--external-tokens-path].
=== loopAES === loopAES
*open --type loopaes <device> <name> --key-file <keyfile>* + *open --type loopaes <device> <name> --key-file <keyfile>* +


@@ -36,7 +36,7 @@ keyring is used by default for LUKS2 devices.
*<options>* can be [--size, --device-size, --token-id, --token-only, *<options>* can be [--size, --device-size, --token-id, --token-only,
--token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset,
--timeout, --disable-external-tokens, --disable-locks, --disable-keyring, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
--verify-passphrase, --timeout]. --verify-passphrase, --timeout, --external-tokens-path].
include::man/common_options.adoc[] include::man/common_options.adoc[]
include::man/common_footer.adoc[] include::man/common_footer.adoc[]


@@ -49,7 +49,7 @@ replace the existing token.
*<options>* can be [--header, --token-id, --key-slot, --key-description, *<options>* can be [--header, --token-id, --key-slot, --key-description,
--disable-external-tokens, --disable-locks, --disable-keyring, --disable-external-tokens, --disable-locks, --disable-keyring,
--json-file, --token-replace, --unbound]. --json-file, --token-replace, --unbound, --external-tokens-path].
include::man/common_options.adoc[] include::man/common_options.adoc[]
include::man/common_footer.adoc[] include::man/common_footer.adoc[]


@@ -878,6 +878,15 @@ static int action_resize(void)
else if (ARG_SET(OPT_SIZE_ID)) else if (ARG_SET(OPT_SIZE_ID))
dev_size = ARG_UINT64(OPT_SIZE_ID); dev_size = ARG_UINT64(OPT_SIZE_ID);
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) { if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) {
if (ARG_SET(OPT_DISABLE_KEYRING_ID)) { if (ARG_SET(OPT_DISABLE_KEYRING_ID)) {
r = -EINVAL; r = -EINVAL;
@@ -1809,6 +1818,15 @@ static int action_open_luks(void)
set_activation_flags(&activate_flags); set_activation_flags(&activate_flags);
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) { if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
r = parse_vk_and_keyring_description(cd, ARG_STR(OPT_LINK_VK_TO_KEYRING_ID)); r = parse_vk_and_keyring_description(cd, ARG_STR(OPT_LINK_VK_TO_KEYRING_ID));
if (r < 0) if (r < 0)
@@ -2056,6 +2074,15 @@ static int luksAddUnboundKey(void)
goto out; goto out;
} }
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
r = _set_keyslot_encryption_params(cd); r = _set_keyslot_encryption_params(cd);
if (r < 0) if (r < 0)
goto out; goto out;
@@ -2201,6 +2228,15 @@ static int action_luksAddKey(void)
if (r < 0) if (r < 0)
goto out; goto out;
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
/* Never call pwquality if using null cipher */ /* Never call pwquality if using null cipher */
if (crypt_is_cipher_null(crypt_get_cipher(cd))) if (crypt_is_cipher_null(crypt_get_cipher(cd)))
ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID); ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
@@ -2639,6 +2675,15 @@ static int action_luksDump(void)
goto out; goto out;
} }
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID)) if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
r = luksDump_with_volume_key(cd); r = luksDump_with_volume_key(cd);
else if (ARG_SET(OPT_UNBOUND_ID)) else if (ARG_SET(OPT_UNBOUND_ID))
@@ -2712,6 +2757,15 @@ static int action_luksResume(void)
goto out; goto out;
} }
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
goto out;
}
}
/* try to resume LUKS2 device by token first */ /* try to resume LUKS2 device by token first */
r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID), r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID),
action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0, action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
@@ -3230,6 +3284,16 @@ static int action_token(void)
return r; return r;
} }
if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
if (r < 0) {
log_err(_("Failed to set external tokens path %s."),
ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
crypt_free(cd);
return r;
}
}
r = -EINVAL; r = -EINVAL;
if (!strcmp(action_argv[0], "add")) { if (!strcmp(action_argv[0], "add")) {
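Review bot: The same `if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID))` block is pasted into seven action functions in this section (action_resize, action_open_luks, luksAddUnboundKey, action_luksAddKey, action_luksDump, action_luksResume, action_token); a single static helper wrapping `crypt_token_set_external_path()` and the log_err call would leave one place to maintain the message and the error contract. The action_token copy also diverges by using `crypt_free(cd); return r;` instead of `goto out`, which the helper keeps local to each caller. All seven enclosing functions start and end outside the hunks. The man page in this commit states the path must be absolute, and I could not see that enforced in these hunks, so it is worth confirming that `crypt_token_set_external_path()` rejects relative paths rather than leaving the requirement to documentation.
```c
/* Apply --external-tokens-path, if given; returns 0 or a negative error (already logged). */
static int _set_external_tokens_path(void)
{
	int r;

	if (!ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID))
		return 0;

	r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
	if (r < 0)
		log_err(_("Failed to set external tokens path %s."),
			ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));

	return r;
}

/* … unchanged: action_resize body up to dev_size assignment … */
	r = _set_external_tokens_path();
	if (r < 0)
		goto out;
/* … unchanged: remaining action_resize body; same two-line call replaces the block in the other six actions … */
```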


@@ -59,6 +59,8 @@ ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of key
ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_EXTERNAL_TOKENS_PATH, '\0', POPT_ARG_STRING, N_("Path to directory with external token handlers (plugins)."), NULL, CRYPT_ARG_STRING, {}, OPT_EXTERNAL_TOKENS_PATH_ACTIONS)
ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS) ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
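Review bot: The help string of the new OPT_EXTERNAL_TOKENS_PATH entry ends with a period while the neighbouring ARG entries (OPT_ENCRYPT, OPT_FORCE_PASSWORD, OPT_FORCE_OFFLINE_REENCRYPT) do not, so the generated --help output will be inconsistent; `N_("Path to directory with external token handlers (plugins)")` matches the surrounding style.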


@@ -61,6 +61,7 @@
#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION } #define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION } #define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_ERASE_ACTIONS { ERASE_ACTION } #define OPT_ERASE_ACTIONS { ERASE_ACTION }
#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
#define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION } #define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION }
#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION } #define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
#define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION } #define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION }


@@ -50,6 +50,7 @@
#define OPT_DUMP_MASTER_KEY "dump-master-key" #define OPT_DUMP_MASTER_KEY "dump-master-key"
#define OPT_DUMP_VOLUME_KEY "dump-volume-key" #define OPT_DUMP_VOLUME_KEY "dump-volume-key"
#define OPT_ENCRYPT "encrypt" #define OPT_ENCRYPT "encrypt"
#define OPT_EXTERNAL_TOKENS_PATH "external-tokens-path"
#define OPT_FEC_DEVICE "fec-device" #define OPT_FEC_DEVICE "fec-device"
#define OPT_FEC_OFFSET "fec-offset" #define OPT_FEC_OFFSET "fec-offset"
#define OPT_FEC_ROOTS "fec-roots" #define OPT_FEC_ROOTS "fec-roots"