cryptsetup: disable activation via token plugin if we shall measure the volume key
authorLennart Poettering <lennart@poettering.net>
Thu, 2 Nov 2023 16:58:29 +0000 (17:58 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 2 Nov 2023 21:37:52 +0000 (22:37 +0100)
If we allow cryptsetup to activate a volume via a token plugin we never
get access to the volume key, which we'd like to measure. Hence disable
token plugins in that case.

(I'm tempted to say we probably should disable them entirely, and only use
them if classic cryptsetup is used, but that's a discussion for another
day.)

Fixes: #29790
src/cryptsetup/cryptsetup.c

index dd435b23a248ef06bfffc2ea25b22a4b9d3b741a..204ffa9922fa2e5ef9098454c99daec99a79fbbc 100644 (file)
@@ -1578,6 +1578,20 @@ static int make_tpm2_device_monitor(
         return 0;
 }
 
+static bool use_token_plugins(void) {
+        int r;
+
+        /* Disable tokens if we shall measure, since we won't get access to the volume key then. */
+        if (arg_tpm2_measure_pcr != UINT_MAX)
+                return false;
+
+        r = getenv_bool("SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE");
+        if (r < 0 && r != -ENXIO)
+                log_debug_errno(r, "Failed to parse $SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE value, ignoring: %m");
+
+        return r != 0;
+}
+
 static int attach_luks2_by_tpm2_via_plugin(
                 struct crypt_device *cd,
                 const char *name,
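Review bot: The early return in use_token_plugins() silently overrides an explicitly set `SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1` whenever measurement is requested, and nothing is logged, so an operator whose token-based unlock suddenly stops being attempted has no trace of why; a debug line before the `return false`, e.g. `log_debug("Not using token plugins since measurement of the volume key into a PCR was requested.");`, would make the precedence visible. The existing debug message on parse failure says "ignoring", which is accurate only because the unset default is also "enabled" — `r != 0` treats both `-ENXIO` and any other negative parse error the same way; a one-line comment above the return such as `/* Unset or unparsable means enabled; only an explicit false disables tokens. */` would pin that down. Both the measurement override and the env-var fallback are pre-existing policy moved into the helper, not new behaviour introduced here. The attach_luks2_by_tpm2_via_plugin() signature at the end of the hunk continues outside it.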
@@ -2260,7 +2274,7 @@ static int run(int argc, char *argv[]) {
                         }
 
                         /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
-                        if (!key_file && !key_data && getenv_bool("SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE") != 0) {
+                        if (!key_file && !key_data && use_token_plugins()) {
                                 r = crypt_activate_by_token_pin_ask_password(
                                                 cd,
                                                 volume,