allow tokens to be replaced

Currently, token import and token add actions will fail if you use the
--token-id option to specify a token ID that is already in use, but there
are scenarios where you might genuinely want to replace an existing token
in a single atomic operation.

A use case for this might be for a keyslot that is protected by a
TPM, where you store the TPM sealed key and associated metadata as a
token and you want to update the PCR policy associated with the sealed
object or make other changes to it. Currently this requires importing a
new token and then removing the old token.

Instead, add a --token-replace option to allow token import and token
add to replace an existing token if you try to add or import one with an
ID that is already in use.
This commit is contained in:
Chris Coulson
2021-08-27 21:17:09 +01:00
committed by Milan Broz
parent a9bf78adc3
commit 98cd52c8d7
5 changed files with 16 additions and 3 deletions


@@ -570,8 +570,12 @@ successfully imported token is also assigned to the key slot.
Action \fIexport\fR writes requested token json to a file passed with \-\-json\-file or
to standard output.
If \-\-token\-id is used with action \fIadd\fR or action \fIimport\fR and a token with
that ID already exists, option \-\-token\-replace can be used to replace the existing token.
\fB<options>\fR can be [\-\-header, \-\-token\-id, \-\-key\-slot, \-\-key\-description,
\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file].
\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file,
\-\-token\-replace].
.PP
\fIconvert\fR <device> \-\-type <format>
.IP
@@ -997,6 +1001,11 @@ Read token json from a file or write token to it. See \fItoken\fR action for mor
information. \-\-json\-file=- reads json from standard input or writes it to
standard output respectively.
.TP
.TP
.B "\-\-token\-replace"
Replace an existing token when adding or importing a token with the \-\-token\-id
option.
.TP
.B "\-\-use\-random"
.TP
.B "\-\-use\-urandom"


@@ -2622,7 +2622,7 @@ static int _token_add(struct crypt_device *cd)
if (token_info < CRYPT_TOKEN_INACTIVE) {
log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
} else if (token_info > CRYPT_TOKEN_INACTIVE) {
} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
}
@@ -2679,7 +2679,7 @@ static int _token_import(struct crypt_device *cd)
if (token_info < CRYPT_TOKEN_INACTIVE) {
log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
} else if (token_info > CRYPT_TOKEN_INACTIVE) {
} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
}
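Review bot: With `--token-replace` set, the "in use" branch in `_token_add` (and the identical one in `_token_import`) is skipped and the existing token is overwritten by whatever follows the hunk, without any message that a replacement happened; since the old token's JSON (a TPM-sealed key in the commit's own use case) is discarded, consider making it visible, e.g. an extra branch `else if (token_info > CRYPT_TOKEN_INACTIVE) log_verbose(_("Replacing token %d."), ARG_INT32(OPT_TOKEN_ID_ID));`. The relaxed check also replaces a token of any state above inactive, including one whose handler is unknown (`CRYPT_TOKEN_EXTERNAL_UNKNOWN`), without distinction; whether that is intended cannot be seen from these hunks. The four-line validation block is now duplicated byte-for-byte in both functions, so a small `static` helper taking `token_info` would keep the two in step. Both function bodies begin and continue outside the hunks shown.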


@@ -175,6 +175,8 @@ ARG(OPT_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT
ARG(OPT_TOKEN_ONLY, '\0', POPT_ARG_NONE, N_("Do not ask for passphrase if activation by token fails"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_TOKEN_REPLACE, '\0', POPT_ARG_NONE, N_("Replace the current token"), NULL, CRYPT_ARG_BOOL, {}, OPT_TOKEN_REPLACE_ACTIONS)
ARG(OPT_TOKEN_TYPE, '\0', POPT_ARG_STRING, N_("Restrict allowed token types used to retrieve LUKS2 key"), NULL, CRYPT_ARG_STRING, {}, {})
ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {})


@@ -75,6 +75,7 @@
#define OPT_TCRYPT_HIDDEN_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_TCRYPT_SYSTEM_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_TEST_PASSPHRASE_ACTIONS { OPEN_ACTION }
#define OPT_TOKEN_REPLACE_ACTIONS { TOKEN_ACTION }
#define OPT_UNBOUND_ACTIONS { ADDKEY_ACTION, LUKSDUMP_ACTION }
#define OPT_USE_RANDOM_ACTIONS { FORMAT_ACTION }
#define OPT_USE_URANDOM_ACTIONS { FORMAT_ACTION }


@@ -144,6 +144,7 @@
#define OPT_TIMEOUT "timeout"
#define OPT_TOKEN_ID "token-id"
#define OPT_TOKEN_ONLY "token-only"
#define OPT_TOKEN_REPLACE "token-replace"
#define OPT_TOKEN_TYPE "token-type"
#define OPT_TRIES "tries"
#define OPT_TYPE "type"