Add API and CLI option to disable token plugins.

This could be useful for debugging external plugins
or ot intentionally disable loading of a token library.

lib/libcryptsetup.h

@@ -2256,11 +2256,17 @@ int crypt_token_register(const crypt_token_handler *handler);
 
 /**
  * Report external token handlers (plugins) support
- 
+ * 
  * @return @e 0 when enabled or negative errno value otherwise.
  */
 int crypt_token_external_support(void);
 
+/**
+ * Disable external token handlers (plugins) support
+ * If disabled, it cannot be enabled again.
+ */
+void crypt_token_external_disable(void);
+
 /** ABI version for external token in libcryptsetup-token-<name>.so */
 #define CRYPT_TOKEN_ABI_VERSION1    "CRYPTSETUP_TOKEN_1.0"
 

lib/libcryptsetup.sym

@@ -143,4 +143,5 @@ CRYPTSETUP_2.4 {
 		crypt_dump_json;
 		crypt_format;
 		crypt_token_external_support;
+		crypt_token_external_disable;
 } CRYPTSETUP_2.0;

lib/luks2/luks2_token.c

@@ -25,6 +25,12 @@
 
 #include "luks2_internal.h"
 
+#if USE_EXTERNAL_TOKENS
+static bool external_tokens_enabled = true;
+#else
+static bool external_tokens_enabled = false;
+#endif
+
 static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = {
 	/* keyring builtin token */
 	{
@@ -38,13 +44,14 @@ static struct crypt_token_handler_internal token_handlers[LUKS2_TOKENS_MAX] = {
 	}
 };
 
+void crypt_token_external_disable(void)
+{
+	external_tokens_enabled = false;
+}
+
 int crypt_token_external_support(void)
 {
-#if USE_EXTERNAL_TOKENS
-	return 0;
-#else
-	return -ENOTSUP;
-#endif
+	return external_tokens_enabled ? 0 : -ENOTSUP;
 }
 
 #if USE_EXTERNAL_TOKENS
@@ -127,6 +134,9 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
 	char buf[512];
 	int r;
 
+	if (!external_tokens_enabled)
+		return -ENOTSUP;
+
 	if (!ret || !name)
 		return -EINVAL;
 

man/cryptsetup.8

@@ -130,7 +130,7 @@ The kernel keyring is used by default for LUKS2 devices.
 
 With LUKS2 device additional \fB<options>\fR can be [\-\-token\-id, \-\-token\-only,
 \-\-key\-slot, \-\-key\-file, \-\-keyfile\-size, \-\-keyfile\-offset, \-\-timeout,
-\-\-disable\-locks, \-\-disable\-keyring].
+\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring].
 
 .PP
 \fIrefresh\fR <name>
@@ -320,8 +320,8 @@ the command prompts for it interactively.
 \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
 \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
 \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
-\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type, \-\-refresh,
-\-\-serialize\-memory\-hard\-pbkdf].
+\-\-token\-only, \-\-disable\-external\-tokens, \-\-disable\-keyring, \-\-disable\-locks,
+\-\-type, \-\-refresh, \-\-serialize\-memory\-hard\-pbkdf].
 .PP
 \fIluksSuspend\fR <name>
 .IP
@@ -571,7 +571,7 @@ Action \fIexport\fR writes requested token json to a file passed with \-\-json\-
 to standard output.
 
 \fB<options>\fR can be [\-\-header, \-\-token\-id, \-\-key\-slot, \-\-key\-description,
-\-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file].
+\-\-disable\-external\-tokens, \-\-disable\-locks, \-\-disable\-keyring, \-\-json\-file].
 .PP
 \fIconvert\fR <device> \-\-type <format>
 .IP
@@ -1298,6 +1298,9 @@ Defers device removal in \fIclose\fR command until the last user closes it.
 .B "\-\-cancel\-deferred"
 Removes a previously configured deferred device removal in \fIclose\fR command.
 .TP
+.B "\-\-disable\-external\-tokens"
+Disable loading of plugins for external LUKS2 tokens.
+.TP
 .B "\-\-disable\-locks"
 Disable lock protection for metadata on disk.
 This option is valid only for LUKS2 and ignored for other formats.

src/cryptsetup.c

@@ -3503,6 +3503,9 @@ static void help(poptContext popt_context,
 		log_std(_("\nDefault compiled-in metadata format is %s (for luksFormat action).\n"),
 			  crypt_get_default_type());
 
+		log_std(_("\nLUKS2 external token plugin support is %s.\n"),
+			  crypt_token_external_support() ? _("disabled") : _("compiled-in"));
+
 		pbkdf_luks1 = crypt_get_pbkdf_default(CRYPT_LUKS1);
 		pbkdf_luks2 = crypt_get_pbkdf_default(CRYPT_LUKS2);
 		log_std(_("\nDefault compiled-in key and passphrase parameters:\n"
@@ -3991,6 +3994,9 @@ int main(int argc, const char **argv)
 	if (ARG_SET(OPT_DISABLE_KEYRING_ID))
 		(void) crypt_volume_key_keyring(NULL, 0);
 
+	if (ARG_SET(OPT_DISABLE_EXTERNAL_TOKENS_ID))
+		(void) crypt_token_external_disable();
+
 	if (ARG_SET(OPT_DISABLE_LOCKS_ID) && crypt_metadata_locking(NULL, 0)) {
 		log_std(_("Cannot disable metadata locking."));
 		r = EXIT_FAILURE;

src/cryptsetup_arg_list.h

@@ -43,6 +43,8 @@ ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (
 
 ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {})
 
+ARG(OPT_DISABLE_EXTERNAL_TOKENS, '\0', POPT_ARG_NONE, N_("Disable loading of external LUKS2 token plugins"), NULL, CRYPT_ARG_BOOL, {}, {})
+
 ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys via kernel keyring"), NULL, CRYPT_ARG_BOOL, {}, {})
 
 ARG(OPT_DISABLE_LOCKS, '\0', POPT_ARG_NONE, N_("Disable locking of on-disk metadata"), NULL, CRYPT_ARG_BOOL, {}, {})

src/utils_arg_names.h

@@ -41,6 +41,7 @@
 #define OPT_DEFERRED			"deferred"
 #define OPT_DEVICE_SIZE			"device-size"
 #define OPT_DECRYPT			"decrypt"
+#define OPT_DISABLE_EXTERNAL_TOKENS	"disable-external-tokens"
 #define OPT_DISABLE_KEYRING		"disable-keyring"
 #define OPT_DISABLE_LOCKS		"disable-locks"
 #define OPT_DUMP_JSON			"dump-json-metadata"

tests/ssh-plugin-test

@@ -138,6 +138,7 @@ ssh_check
 create_user
 ssh_setup
 
+$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $LOOPDEV $MAP && fail "Tokens should be disabled"
 $CRYPTSETUP luksOpen -r $LOOPDEV $MAP -q >/dev/null 2>&1 <&-
 [ $? -ne 0 ] && fail "Failed to open $LOOPDEV using SSH token"
 echo "[OK]"