bitlk: Add Smart Card protected VMKs

Test image protected with smart card is included.
2025-12-07 00:40:01 +01:00 · 2019-12-15 17:07:36 +01:00
parent 420387a7a5
commit fd5ab0edf7
4 changed files with 15 additions and 4 deletions
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -160,6 +160,8 @@ static BITLKVMKProtection get_vmk_protection(uint16_t protection)
 		return BITLK_PROTECTION_TPM_PIN;
 	case 0x0800:
 		return BITLK_PROTECTION_RECOVERY_PASSPHRASE;
+	case 0x1000:
+		return BITLK_PROTECTION_SMART_CARD;
 	case 0x2000:
 		return BITLK_PROTECTION_PASSPHRASE;
 	default:
@@ -182,6 +184,8 @@ static const char* get_vmk_protection_string(BITLKVMKProtection protection)
 		return "VMK protected with passphrase";
 	case BITLK_PROTECTION_RECOVERY_PASSPHRASE:
 		return "VMK protected with recovery passphrase";
+	case BITLK_PROTECTION_SMART_CARD:
+		return "VMK protected with smart card";
 	default:
 		return "VMK with unknown protection";
 	}
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -43,6 +43,7 @@ typedef enum {
 	BITLK_PROTECTION_TPM_PIN,
 	BITLK_PROTECTION_RECOVERY_PASSPHRASE,
 	BITLK_PROTECTION_PASSPHRASE,
+	BITLK_PROTECTION_SMART_CARD,
 	BITLK_PROTECTION_UNKNOWN,
 } BITLKVMKProtection;

--- a/tests/bitlk-compat-test
+++ b/tests/bitlk-compat-test
@@ -65,11 +65,17 @@ function check_dump()
        cipher=$(echo "$dump_cipher-$dump_mode")
        [ ! -z "$CIPHER" -a "$cipher" = "$CIPHER" ] || fail " cipher check from dump failed."

-        # password protected VMK GUID
-        dump_pw_vmk=$(echo "$dump" | grep "VMK protected with passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
-        [ ! -z "$PW_VMK_GUID" -a "$dump_pw_vmk" = "$PW_VMK_GUID" ] || fail " password protected VMK GUID check from dump failed."
+        if echo "$file" | grep -q -e "smart-card"; then
+                # smart card protected VMK GUID
+                dump_sc_vmk=$(echo "$dump" | grep "VMK protected with smart card" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
+                [ ! -z "$SC_VMK_GUID" -a "$dump_sc_vmk" = "$SC_VMK_GUID" ] || fail " smart card protected VMK GUID check from dump failed."
+        else
+                # password protected VMK GUID
+                dump_pw_vmk=$(echo "$dump" | grep "VMK protected with passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
+                [ ! -z "$PW_VMK_GUID" -a "$dump_pw_vmk" = "$PW_VMK_GUID" ] || fail " password protected VMK GUID check from dump failed."
+        fi

-         # recovery password protected VMK GUID
+        # recovery password protected VMK GUID
        dump_rp_vmk=$(echo "$dump" | grep "VMK protected with recovery passphrase" -B 1 | head -1 | cut -d: -f2 | tr -d "\t ")
        [ ! -z "$RP_VMK_GUID" -a "$dump_rp_vmk" = "$RP_VMK_GUID" ] || fail " recovery password protected VMK GUID check from dump failed."

--- a/tests/bitlk-images.tar.xz
+++ b/tests/bitlk-images.tar.xz