eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-19 14:50:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add cryptsetup --token-type parameter.

Browse Source 
It restricts token type to parameter value in
case no specific token-id is selected.
This commit is contained in:
Ondrej Kozina
2021-07-27 14:25:23 +02:00
committed by Milan Broz
parent 46afee6299
commit 9ee74f59d7
5 changed files with 26 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
man/cryptsetup.8
View File

@@ -129,8 +129,8 @@ to unlock a keyslot (LUKS) or to derive a volume key again (plain mode).
The kernel keyring is used by default for LUKS2 devices. The kernel keyring is used by default for LUKS2 devices.
With LUKS2 device additional \fB<options>\fR can be [\-\-token\-id, \-\-token\-only, With LUKS2 device additional \fB<options>\fR can be [\-\-token\-id, \-\-token\-only,
\-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-timeout, \-\-token-type, \-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset,
\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring]. \-\-timeout, \-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring].
.PP .PP
\fIrefresh\fR <name> \fIrefresh\fR <name>
@@ -320,8 +320,8 @@ the command prompts for it interactively.
\fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset, \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
\-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase, \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
\-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id, \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
\-\-token\-only, \-\-disable\-external\-tokens, \-\-disable\-keyring, \-\-disable\-locks, \-\-token\-only, \-\-token-type, \-\-disable\-external\-tokens, \-\-disable\-keyring,
\-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf]. \-\-disable\-locks, \-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
.PP .PP
\fIluksSuspend\fR <name> \fIluksSuspend\fR <name>
.IP .IP
@@ -1349,6 +1349,10 @@ Do not proceed further with action (any of \fItoken\fR, \fIopen\fR or
\fIresize\fR) if token activation failed. Without the option, \fIresize\fR) if token activation failed. Without the option,
action asks for passphrase to proceed further. action asks for passphrase to proceed further.
.TP .TP
.B "\-\-token\-type"
Restrict tokens eligible for operation to specific token type (name). Mostly
useful when no \-\-token\-id is specified.
.TP
.B "\-\-sector\-size <bytes>" .B "\-\-sector\-size <bytes>"
Set sector size for use with disk encryption. It must be power of two Set sector size for use with disk encryption. It must be power of two
and in range 512 - 4096 bytes. This option is available only in the LUKS2 and in range 512 - 4096 bytes. This option is available only in the LUKS2

12
src/cryptsetup.c
View File

@@ -792,13 +792,14 @@ static int action_resize(void)
} }
/* try load VK in kernel keyring using token */ /* try load VK in kernel keyring using token */
r = crypt_activate_by_token(cd, NULL, ARG_INT32(OPT_TOKEN_ID_ID), NULL, r = crypt_activate_by_token_pin(cd, NULL, ARG_STR(OPT_TOKEN_TYPE_ID),
CRYPT_ACTIVATE_KEYRING_KEY); ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL,
CRYPT_ACTIVATE_KEYRING_KEY);
tools_keyslot_msg(r, UNLOCKED); tools_keyslot_msg(r, UNLOCKED);
/* Token requires PIN, but ask only if there is no password query later */ /* Token requires PIN, but ask only if there is no password query later */
if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO) if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO)
r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, NULL, CRYPT_ACTIVATE_KEYRING_KEY, 1); r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), NULL, ARG_STR(OPT_TOKEN_TYPE_ID), CRYPT_ACTIVATE_KEYRING_KEY, 1);
if (r >= 0 || ARG_SET(OPT_TOKEN_ONLY_ID)) if (r >= 0 || ARG_SET(OPT_TOKEN_ONLY_ID))
goto out; goto out;
@@ -1576,12 +1577,13 @@ static int action_open_luks(void)
r = crypt_activate_by_volume_key(cd, activated_name, r = crypt_activate_by_volume_key(cd, activated_name,
key, keysize, activate_flags); key, keysize, activate_flags);
} else { } else {
r = crypt_activate_by_token(cd, activated_name, ARG_INT32(OPT_TOKEN_ID_ID), NULL, activate_flags); r = crypt_activate_by_token_pin(cd, activated_name, ARG_STR(OPT_TOKEN_TYPE_ID),
ARG_INT32(OPT_TOKEN_ID_ID), NULL, 0, NULL, activate_flags);
tools_keyslot_msg(r, UNLOCKED); tools_keyslot_msg(r, UNLOCKED);
/* Token requires PIN, but ask only if there is no password query later */ /* Token requires PIN, but ask only if there is no password query later */
if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO) if (ARG_SET(OPT_TOKEN_ONLY_ID) && r == -ENOANO)
r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, NULL, activate_flags, _set_tries_tty()); r = _try_token_pin_unlock(cd, ARG_INT32(OPT_TOKEN_ID_ID), activated_name, ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags, _set_tries_tty());
if (r >= 0 || ARG_SET(OPT_TOKEN_ONLY_ID)) if (r >= 0 || ARG_SET(OPT_TOKEN_ONLY_ID))
goto out; goto out;

2
src/cryptsetup_arg_list.h
View File

@@ -175,6 +175,8 @@ ARG(OPT_TOKEN_ID, '\0', POPT_ARG_STRING, N_("Token number (default: any)"), "INT
ARG(OPT_TOKEN_ONLY, '\0', POPT_ARG_NONE, N_("Do not ask for passphrase if activation by token fails"), NULL, CRYPT_ARG_BOOL, {}, {}) ARG(OPT_TOKEN_ONLY, '\0', POPT_ARG_NONE, N_("Do not ask for passphrase if activation by token fails"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_TOKEN_TYPE, '\0', POPT_ARG_STRING, N_("Restrict allowed token types used to retrieve LUKS2 key"), NULL, CRYPT_ARG_STRING, {}, {})
ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {}) ARG(OPT_TRIES, 'T', POPT_ARG_STRING, N_("How often the input of the passphrase can be retried"), "INT", CRYPT_ARG_UINT32, { .u32_value = 3 }, {})
ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {}) ARG(OPT_TYPE, 'M', POPT_ARG_STRING, N_("Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk"), NULL, CRYPT_ARG_STRING, {}, {})

1
src/utils_arg_names.h
View File

@@ -144,6 +144,7 @@
#define OPT_TIMEOUT "timeout" #define OPT_TIMEOUT "timeout"
#define OPT_TOKEN_ID "token-id" #define OPT_TOKEN_ID "token-id"
#define OPT_TOKEN_ONLY "token-only" #define OPT_TOKEN_ONLY "token-only"
#define OPT_TOKEN_TYPE "token-type"
#define OPT_TRIES "tries" #define OPT_TRIES "tries"
#define OPT_TYPE "type" #define OPT_TYPE "type"
#define OPT_UNBOUND "unbound" #define OPT_UNBOUND "unbound"

8
tests/compat-test2
View File

@@ -851,6 +851,14 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
$CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail $CRYPTSETUP open --token-only $LOOPDEV $DEV_NAME || fail
$CRYPTSETUP status $DEV_NAME > /dev/null || fail $CRYPTSETUP status $DEV_NAME > /dev/null || fail
$CRYPTSETUP close $DEV_NAME || fail $CRYPTSETUP close $DEV_NAME || fail
# check --token-type sort of works (TODO: extend tests when native systemd tokens are available)
echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 22 || fail
# this excludes keyring tokens from unlocking device
$CRYPTSETUP open --token-only --token-type some_type $LOOPDEV --test-passphrase && fail
$CRYPTSETUP open --token-only --token-type some_type $LOOPDEV $DEV_NAME && fail
$CRYPTSETUP status $DEV_NAME > /dev/null && fail
$CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail $CRYPTSETUP token remove --token-id 3 $LOOPDEV || fail
$CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail $CRYPTSETUP luksDump $LOOPDEV | grep -q -e "3: luks2-keyring" && fail