"ID_MODEL\0";
_cleanup_(sd_device_unrefp) sd_device *device = NULL;
- const char *i, *name;
+ const char *name;
struct stat st;
assert(path);
if (r < 0)
return log_error_errno(r, "Failed to allocate device monitor: %m");
+ (void) sd_device_monitor_set_description(monitor, "security-device");
+
r = sd_device_monitor_filter_add_match_tag(monitor, "security-device");
if (r < 0)
return log_error_errno(r, "Failed to configure device monitor: %m");
_cleanup_(sd_device_monitor_unrefp) sd_device_monitor *monitor = NULL;
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
- _cleanup_free_ void *discovered_salt = NULL, *discovered_cid = NULL;
- size_t discovered_salt_size, discovered_cid_size, decrypted_key_size, cid_size = 0;
- _cleanup_free_ char *friendly = NULL, *discovered_rp_id = NULL;
+ size_t decrypted_key_size, cid_size = 0;
+ _cleanup_free_ char *friendly = NULL;
int keyslot = arg_key_slot, r;
const char *rp_id = NULL;
const void *cid = NULL;
* use PIN + UP when needed, and do not configure UV at all. Eventually, we should make this
* explicitly configurable. */
required = FIDO2ENROLL_PIN_IF_NEEDED | FIDO2ENROLL_UP_IF_NEEDED | FIDO2ENROLL_UV_OMIT;
- } else if (!use_libcryptsetup_plugin) {
- r = find_fido2_auto_data(
- cd,
- &discovered_rp_id,
- &discovered_salt,
- &discovered_salt_size,
- &discovered_cid,
- &discovered_cid_size,
- &keyslot,
- &required);
-
- if (IN_SET(r, -ENOTUNIQ, -ENXIO))
- return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
- "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
- if (r < 0)
- return r;
-
- if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && arg_headless)
- return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
- "Local verification is required to unlock this volume, but the 'headless' parameter was set.");
-
- rp_id = discovered_rp_id;
- key_data = discovered_salt;
- key_data_size = discovered_salt_size;
- cid = discovered_cid;
- cid_size = discovered_cid_size;
}
friendly = friendly_disk_name(crypt_get_device_name(cd), name);
"Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
} else {
- r = acquire_fido2_key(
- name,
- friendly,
- arg_fido2_device,
- rp_id,
- cid, cid_size,
- key_file, arg_keyfile_size, arg_keyfile_offset,
- key_data, key_data_size,
- until,
- arg_headless,
- required,
- &decrypted_key, &decrypted_key_size,
- arg_ask_password_flags);
+ if (cid)
+ r = acquire_fido2_key(
+ name,
+ friendly,
+ arg_fido2_device,
+ rp_id,
+ cid, cid_size,
+ key_file, arg_keyfile_size, arg_keyfile_offset,
+ key_data, key_data_size,
+ until,
+ arg_headless,
+ required,
+ &decrypted_key, &decrypted_key_size,
+ arg_ask_password_flags);
+ else
+ r = acquire_fido2_key_auto(
+ cd,
+ name,
+ friendly,
+ arg_fido2_device,
+ until,
+ arg_headless,
+ &decrypted_key, &decrypted_key_size,
+ arg_ask_password_flags);
if (r >= 0)
break;
}
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with FIDO2 decrypted key. (Key incorrect?)");
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it. Why? For compatibility
* with homed's PKCS#11 hookup: there we want to use the key we acquired through
* without embedded NUL here too, and that's easiest to generate from a binary blob
* via base64 encoding. */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with PKCS#11 decrypted key. (Key incorrect?)");
if (r < 0)
return log_error_errno(r, "Failed to allocate device monitor: %m");
+ (void) sd_device_monitor_set_description(monitor, "tpmrm");
+
r = sd_device_monitor_filter_add_match_subsystem_devtype(monitor, "tpmrm", NULL);
if (r < 0)
return log_error_errno(r, "Failed to configure device monitor: %m");
#if HAVE_LIBCRYPTSETUP_PLUGINS
systemd_tpm2_plugin_params params = {
.search_pcr_mask = arg_tpm2_pcr_mask,
- .device = arg_tpm2_device
+ .device = arg_tpm2_device,
+ .signature_path = arg_tpm2_signature,
};
if (!libcryptsetup_plugins_support())
key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size,
/* policy_hash= */ NULL, /* policy_hash_size= */ 0, /* we don't know the policy hash */
- arg_tpm2_pin,
+ arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0,
until,
arg_headless,
arg_ask_password_flags,
r = crypt_activate_by_volume_key(cd, name, decrypted_key, decrypted_key_size, flags);
else {
_cleanup_(erase_and_freep) char *base64_encoded = NULL;
+ ssize_t base64_encoded_size;
/* Before using this key as passphrase we base64 encode it, for compat with homed */
- r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (r < 0)
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
return log_oom();
- r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, strlen(base64_encoded), flags);
+ r = crypt_activate_by_passphrase(cd, name, keyslot, base64_encoded, base64_encoded_size, flags);
}
if (r == -EPERM) {
log_error_errno(r, "Failed to activate with TPM2 decrypted key. (Key incorrect?)");
if (until == USEC_INFINITY)
until = 0;
- arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
+ if (arg_key_size == 0)
+ arg_key_size = 256U / 8U;
if (key_file) {
struct stat st;