Introduce CRYPT_SLOT_UNBOUND keyslot status for LUKS2.

A keyslot not bound to any segment can store any key for any purpose.

To easily check slot status, a new enum value is introduced.
This status is valid only for LUKS2, so the functions are backward compatible
with LUKS1.
Milan Broz
2018-04-19 15:22:28 +02:00
parent 879403a172
commit aa1551c6e8
12 changed files with 145 additions and 54 deletions


@@ -2916,6 +2916,9 @@ static int _activate_by_passphrase(struct crypt_device *cd,
if ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd))
return -EINVAL;
if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name)
return -EINVAL;
/* plain, use hashed passphrase */
if (isPLAIN(cd->type)) {
if (!name)
@@ -2939,7 +2942,8 @@ static int _activate_by_passphrase(struct crypt_device *cd,
}
} else if (isLUKS2(cd->type)) {
r = LUKS2_keyslot_open(cd, keyslot,
name ? CRYPT_DEFAULT_SEGMENT : CRYPT_ANY_SEGMENT,
(flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) ?
CRYPT_ANY_SEGMENT : CRYPT_DEFAULT_SEGMENT,
passphrase, passphrase_size, &vk);
if (r >= 0) {
keyslot = r;
@@ -4025,6 +4029,9 @@ int crypt_activate_by_token(struct crypt_device *cd,
if ((flags & CRYPT_ACTIVATE_KEYRING_KEY) && !crypt_use_keyring_for_vk(cd))
return -EINVAL;
if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && name)
return -EINVAL;
if (token == CRYPT_ANY_TOKEN)
return LUKS2_token_open_and_activate_any(cd, &cd->u.luks2.hdr, name, flags);
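Review bot: In `_activate_by_passphrase` the new guard rejects `CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY` only when `name` is set, so the flag is still accepted together with `CRYPT_ACTIVATE_KEYRING_KEY`, which the check just above it lets through. The LUKS2 branch then opens the keyslot with `CRYPT_ANY_SEGMENT`, and what happens to `vk` after `keyslot = r;` is outside the hunk, so it cannot be confirmed here that a key from an unbound slot is never loaded into the keyring as the volume key. If that path exists, the guard could become `if ((flags & CRYPT_ACTIVATE_ALLOW_UNBOUND_KEY) && (name || (flags & CRYPT_ACTIVATE_KEYRING_KEY))) return -EINVAL;`, and the same would apply to the identical guard in `crypt_activate_by_token`. Either way, a one-line comment such as `/* unbound keys are not volume keys; never activate a device with one */` above both guards would record the intent.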