Add cryptsetup token unassign action.
Allows removing a token's binding to a specific keyslot.
@@ -755,9 +755,15 @@ endif::[]
|
||||
|
||||
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN[]
|
||||
*--token-id*::
|
||||
ifndef::ACTION_TOKEN[]
|
||||
Specify what token to use. If omitted, all available tokens will be checked
|
||||
before proceeding further with passphrase prompt.
|
||||
endif::[]
|
||||
ifdef::ACTION_TOKEN[]
|
||||
Specify token number. If omitted, first unused token id is used when adding or importing
|
||||
new token.
|
||||
endif::[]
|
||||
endif::[]
|
||||
|
||||
ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME[]
|
||||
*--token-only*::
|
||||
|
||||
@@ -12,7 +12,7 @@ cryptsetup-token - manage LUKS2 tokens
|
||||
|
||||
== SYNOPSIS
|
||||
|
||||
*cryptsetup _token_ <add|remove|import|export> [<options>] <device>*
|
||||
*cryptsetup _token_ <add|remove|import|export|unassign> [<options>] <device>*
|
||||
|
||||
== DESCRIPTION
|
||||
|
||||
@@ -40,6 +40,9 @@ also assigned to the key slot.
|
||||
Action _export_ writes requested token JSON to a file passed with
|
||||
--json-file or to standard output.
|
||||
|
||||
Action _unassign_ removes token binding to specified keyslot. Both token
|
||||
and keyslot must be specified by --token-id and --key-slot parameters.
|
||||
|
||||
If --token-id is used with action _add_ or action _import_ and a token
|
||||
with that ID already exists, option --token-replace can be used to
|
||||
replace the existing token.
|
||||
|
||||
@@ -2640,6 +2640,26 @@ static int _token_export(struct crypt_device *cd)
|
||||
return tools_write_json_file(ARG_STR(OPT_JSON_FILE_ID), json);
|
||||
}
|
||||
|
||||
static int _token_unassign(struct crypt_device *cd)
|
||||
{
|
||||
int r = crypt_token_is_assigned(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
|
||||
|
||||
if (r < 0) {
|
||||
if (r == -ENOENT)
|
||||
log_err(_("Token %d is not assigned to keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
|
||||
else
|
||||
log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
r = crypt_token_unassign_keyslot(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
|
||||
if (r < 0)
|
||||
log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
static int action_token(void)
|
||||
{
|
||||
int r;
|
||||
@@ -2668,6 +2688,8 @@ static int action_token(void)
|
||||
tools_token_msg(r, CREATED);
|
||||
} else if (!strcmp(action_argv[0], "export"))
|
||||
r = _token_export(cd);
|
||||
else if (!strcmp(action_argv[0], "unassign"))
|
||||
r = _token_unassign(cd);
|
||||
|
||||
crypt_free(cd);
|
||||
|
||||
@@ -2818,7 +2840,8 @@ static const char *verify_token(void)
|
||||
if (strcmp(action_argv[0], "add") &&
|
||||
strcmp(action_argv[0], "remove") &&
|
||||
strcmp(action_argv[0], "import") &&
|
||||
strcmp(action_argv[0], "export"))
|
||||
strcmp(action_argv[0], "export") &&
|
||||
strcmp(action_argv[0], "unassign"))
|
||||
return _("Invalid token action.");
|
||||
|
||||
if (!ARG_SET(OPT_KEY_DESCRIPTION_ID) && !strcmp(action_argv[0], "add"))
|
||||
@@ -2835,6 +2858,13 @@ static const char *verify_token(void)
|
||||
return _("Options --key-slot and --unbound cannot be combined.");
|
||||
}
|
||||
|
||||
if (!strcmp(action_argv[0], "unassign")) {
|
||||
if (!ARG_SET(OPT_KEY_SLOT_ID))
|
||||
return _("Action requires specific keyslot. Use --key-slot parameter.");
|
||||
if (!ARG_SET(OPT_TOKEN_ID_ID))
|
||||
return _("Action requires specific token. Use --token-id parameter.");
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
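Review bot: In `_token_unassign` the `else` branch of the pre-check logs "Failed to unassign token %d from keyslot %d." although no unassign has been attempted yet; the failure comes from `crypt_token_is_assigned`, so the message misattributes it and is indistinguishable from the real unassign failure logged a few lines later. I would give the pre-check its own message (a new translatable string) and hoist the six repeated `ARG_INT32(...)` reads into two locals so each call site reads the same values. Whether `crypt_token_is_assigned` reports an out-of-range token or keyslot id as `-ENOENT` or as some other error is not visible here, so the "is not assigned" wording for `-ENOENT` is hedged on that; the function itself is complete inside the hunk.
```c
static int _token_unassign(struct crypt_device *cd)
{
	int token = ARG_INT32(OPT_TOKEN_ID_ID);
	int keyslot = ARG_INT32(OPT_KEY_SLOT_ID);
	int r = crypt_token_is_assigned(cd, token, keyslot);

	if (r == -ENOENT) {
		log_err(_("Token %d is not assigned to keyslot %d."), token, keyslot);
		return r;
	} else if (r < 0) {
		/* the pre-check itself failed; nothing was unassigned */
		log_err(_("Failed to check whether token %d is assigned to keyslot %d."), token, keyslot);
		return r;
	}

	r = crypt_token_unassign_keyslot(cd, token, keyslot);
	if (r < 0)
		log_err(_("Failed to unassign token %d from keyslot %d."), token, keyslot);

	return r;
}
```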
|
||||
|
||||
|
||||
@@ -908,6 +908,18 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
|
||||
# test we can add unassigned token
|
||||
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
|
||||
$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail
|
||||
|
||||
# test token unassign works
|
||||
$CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV || fail
|
||||
$CRYPTSETUP token unassign --token-id 0 $LOOPDEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign -S0 $LOOPDEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV || fail
|
||||
$CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail
|
||||
$CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail
|
||||
fi
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
|
||||
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
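Review bot: The unassign block checks that token 0 can no longer open the device (the `open --token-only --token-id 0 ... && fail` line after the successful unassign) but never checks that the token object itself survived the unassign, which is the documented contract (binding removed, token kept). I would add `$CRYPTSETUP token export --token-id 0 $LOOPDEV >/dev/null || fail` right after the successful unassign, and finish the block with `$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail` so the now-unbound token 0 is not left in the header for the import tests that follow; whether later tests depend on a clean token table is not visible here.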
|
||||
|
||||