[thirdparty/systemd.git] / src / cryptenroll / cryptenroll.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <getopt.h>

#include "ask-password-api.h"
#include "cryptenroll-fido2.h"
#include "cryptenroll-list.h"
#include "cryptenroll-password.h"
#include "cryptenroll-pkcs11.h"
#include "cryptenroll-recovery.h"
#include "cryptenroll-tpm2.h"
#include "cryptenroll-wipe.h"
#include "cryptenroll.h"
#include "cryptsetup-util.h"
#include "env-util.h"
#include "escape.h"
#include "libfido2-util.h"
#include "main-func.h"
#include "memory-util.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "path-util.h"
#include "pkcs11-util.h"
#include "pretty-print.h"
#include "string-table.h"
#include "strv.h"
#include "terminal-util.h"
#include "tpm2-util.h"

static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
static char *arg_pkcs11_token_uri = NULL;
static char *arg_fido2_device = NULL;
static char *arg_tpm2_device = NULL;
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
static bool arg_tpm2_pin = false;
static char *arg_node = NULL;
static int *arg_wipe_slots = NULL;
static size_t arg_n_wipe_slots = 0;
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN | FIDO2ENROLL_UP;

assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);

STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, freep);
STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
STATIC_DESTRUCTOR_REGISTER(arg_node, freep);

static bool wipe_requested(void) {
        return arg_n_wipe_slots > 0 ||
                arg_wipe_slots_scope != WIPE_EXPLICIT ||
                arg_wipe_slots_mask != 0;
}

static const char* const enroll_type_table[_ENROLL_TYPE_MAX] = {
        [ENROLL_PASSWORD] = "password",
        [ENROLL_RECOVERY] = "recovery",
        [ENROLL_PKCS11] = "pkcs11",
        [ENROLL_FIDO2] = "fido2",
        [ENROLL_TPM2] = "tpm2",
};

DEFINE_STRING_TABLE_LOOKUP(enroll_type, EnrollType);

static const char *const luks2_token_type_table[_ENROLL_TYPE_MAX] = {
        /* ENROLL_PASSWORD has no entry here, as slots of this type do not have a token in the LUKS2 header */
        [ENROLL_RECOVERY] = "systemd-recovery",
        [ENROLL_PKCS11] = "systemd-pkcs11",
        [ENROLL_FIDO2] = "systemd-fido2",
        [ENROLL_TPM2] = "systemd-tpm2",
};

DEFINE_STRING_TABLE_LOOKUP(luks2_token_type, EnrollType);

static int help(void) {
        _cleanup_free_ char *link = NULL;
        int r;

        r = terminal_urlify_man("systemd-cryptenroll", "1", &link);
        if (r < 0)
                return log_oom();

        printf("%s [OPTIONS...] BLOCK-DEVICE\n"
               "\n%sEnroll a security token or authentication credential to a LUKS volume.%s\n\n"
               "  -h --help            Show this help\n"
               "     --version         Show package version\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "     --fido2-device=PATH\n"
               "                       Enroll a FIDO2-HMAC security token\n"
               "     --fido2-with-client-pin=BOOL\n"
               "                       Whether to require entering a PIN to unlock the volume\n"
               "     --fido2-with-user-presence=BOOL\n"
               "                       Whether to require user presence to unlock the volume\n"
               "     --fido2-with-user-verification=BOOL\n"
               "                       Whether to require user verification to unlock the volume\n"
               "     --tpm2-device=PATH\n"
               "                       Enroll a TPM2 device\n"
               "     --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
               "                       Specify TPM2 PCRs to seal against\n"
               "     --tpm2-with-pin=BOOL\n"
               "                       Whether to require entering a PIN to unlock the volume\n"
               "     --wipe-slot=SLOT1,SLOT2,…\n"
               "                       Wipe specified slots\n"
               "\nSee the %s for details.\n",
               program_invocation_short_name,
               ansi_highlight(),
               ansi_normal(),
               link);

        return 0;
}

static int parse_argv(int argc, char *argv[]) {

        enum {
                ARG_VERSION = 0x100,
                ARG_PASSWORD,
                ARG_RECOVERY_KEY,
                ARG_PKCS11_TOKEN_URI,
                ARG_FIDO2_DEVICE,
                ARG_TPM2_DEVICE,
                ARG_TPM2_PCRS,
                ARG_TPM2_PIN,
                ARG_WIPE_SLOT,
                ARG_FIDO2_WITH_PIN,
                ARG_FIDO2_WITH_UP,
                ARG_FIDO2_WITH_UV,
        };

        static const struct option options[] = {
                { "help",                         no_argument,       NULL, 'h'                  },
                { "version",                      no_argument,       NULL, ARG_VERSION          },
                { "password",                     no_argument,       NULL, ARG_PASSWORD         },
                { "recovery-key",                 no_argument,       NULL, ARG_RECOVERY_KEY     },
                { "pkcs11-token-uri",             required_argument, NULL, ARG_PKCS11_TOKEN_URI },
                { "fido2-device",                 required_argument, NULL, ARG_FIDO2_DEVICE     },
                { "fido2-with-client-pin",        required_argument, NULL, ARG_FIDO2_WITH_PIN   },
                { "fido2-with-user-presence",     required_argument, NULL, ARG_FIDO2_WITH_UP    },
                { "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV    },
                { "tpm2-device",                  required_argument, NULL, ARG_TPM2_DEVICE      },
                { "tpm2-pcrs",                    required_argument, NULL, ARG_TPM2_PCRS        },
                { "tpm2-with-pin",                required_argument, NULL, ARG_TPM2_PIN         },
                { "wipe-slot",                    required_argument, NULL, ARG_WIPE_SLOT        },
                {}
        };

        int c, r;

        assert(argc >= 0);
        assert(argv);

        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) {

                switch (c) {

                case 'h':
                        return help();

                case ARG_VERSION:
                        return version();

                case ARG_FIDO2_WITH_PIN: {
                        bool lock_with_pin;

                        r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
                        if (r < 0)
                                return r;

                        SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
                        break;
                }

                case ARG_FIDO2_WITH_UP: {
                        bool lock_with_up;

                        r = parse_boolean_argument("--fido2-with-user-presence=", optarg, &lock_with_up);
                        if (r < 0)
                                return r;

                        SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_UP, lock_with_up);
                        break;
                }

                case ARG_FIDO2_WITH_UV: {
                        bool lock_with_uv;

                        r = parse_boolean_argument("--fido2-with-user-verification=", optarg, &lock_with_uv);
                        if (r < 0)
                                return r;

                        SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_UV, lock_with_uv);
                        break;
                }

                case ARG_PASSWORD:
                        if (arg_enroll_type >= 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "Multiple operations specified at once, refusing.");

                        arg_enroll_type = ENROLL_PASSWORD;
                        break;

                case ARG_RECOVERY_KEY:
                        if (arg_enroll_type >= 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "Multiple operations specified at once, refusing.");

                        arg_enroll_type = ENROLL_RECOVERY;
                        break;

                case ARG_PKCS11_TOKEN_URI: {
                        _cleanup_free_ char *uri = NULL;

                        if (streq(optarg, "list"))
                                return pkcs11_list_tokens();

                        if (arg_enroll_type >= 0 || arg_pkcs11_token_uri)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "Multiple operations specified at once, refusing.");

                        if (streq(optarg, "auto")) {
                                r = pkcs11_find_token_auto(&uri);
                                if (r < 0)
                                        return r;
                        } else {
                                if (!pkcs11_uri_valid(optarg))
                                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg);

                                uri = strdup(optarg);
                                if (!uri)
                                        return log_oom();
                        }

                        arg_enroll_type = ENROLL_PKCS11;
                        arg_pkcs11_token_uri = TAKE_PTR(uri);
                        break;
                }

                case ARG_FIDO2_DEVICE: {
                        _cleanup_free_ char *device = NULL;

                        if (streq(optarg, "list"))
                                return fido2_list_devices();

                        if (arg_enroll_type >= 0 || arg_fido2_device)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "Multiple operations specified at once, refusing.");

                        if (streq(optarg, "auto")) {
                                r = fido2_find_device_auto(&device);
                                if (r < 0)
                                        return r;
                        } else {
                                device = strdup(optarg);
                                if (!device)
                                        return log_oom();
                        }

                        arg_enroll_type = ENROLL_FIDO2;
                        arg_fido2_device = TAKE_PTR(device);
                        break;
                }

                case ARG_TPM2_DEVICE: {
                        _cleanup_free_ char *device = NULL;

                        if (streq(optarg, "list"))
                                return tpm2_list_devices();

                        if (arg_enroll_type >= 0 || arg_tpm2_device)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "Multiple operations specified at once, refusing.");

                        if (!streq(optarg, "auto")) {
                                device = strdup(optarg);
                                if (!device)
                                        return log_oom();
                        }

                        arg_enroll_type = ENROLL_TPM2;
                        arg_tpm2_device = TAKE_PTR(device);
                        break;
                }

                case ARG_TPM2_PCRS: {
                        uint32_t mask;

                        if (isempty(optarg)) {
                                arg_tpm2_pcr_mask = 0;
                                break;
                        }

                        r = tpm2_parse_pcrs(optarg, &mask);
                        if (r < 0)
                                return r;

                        if (arg_tpm2_pcr_mask == UINT32_MAX)
                                arg_tpm2_pcr_mask = mask;
                        else
                                arg_tpm2_pcr_mask |= mask;

                        break;
                }

                case ARG_TPM2_PIN: {
                        r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin);
                        if (r < 0)
                                return r;

                        break;
                }

                case ARG_WIPE_SLOT: {
                        const char *p = optarg;

                        if (isempty(optarg)) {
                                arg_wipe_slots_mask = 0;
                                arg_wipe_slots_scope = WIPE_EXPLICIT;
                                break;
                        }

                        for (;;) {
                                _cleanup_free_ char *slot = NULL;
                                unsigned n;

                                r = extract_first_word(&p, &slot, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
                                if (r == 0)
                                        break;
                                if (r < 0)
                                        return log_error_errno(r, "Failed to parse slot list: %s", optarg);

                                if (streq(slot, "all"))
                                        arg_wipe_slots_scope = WIPE_ALL;
                                else if (streq(slot, "empty")) {
                                        if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */
                                                arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE;
                                } else if (streq(slot, "password"))
                                        arg_wipe_slots_mask = 1U << ENROLL_PASSWORD;
                                else if (streq(slot, "recovery"))
                                        arg_wipe_slots_mask = 1U << ENROLL_RECOVERY;
                                else if (streq(slot, "pkcs11"))
                                        arg_wipe_slots_mask = 1U << ENROLL_PKCS11;
                                else if (streq(slot, "fido2"))
                                        arg_wipe_slots_mask = 1U << ENROLL_FIDO2;
                                else if (streq(slot, "tpm2"))
                                        arg_wipe_slots_mask = 1U << ENROLL_TPM2;
                                else {
                                        int *a;

                                        r = safe_atou(slot, &n);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to parse slot index: %s", slot);
                                        if (n > INT_MAX)
                                                return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Slot index out of range: %u", n);

                                        a = reallocarray(arg_wipe_slots, sizeof(int), arg_n_wipe_slots + 1);
                                        if (!a)
                                                return log_oom();

                                        arg_wipe_slots = a;
                                        arg_wipe_slots[arg_n_wipe_slots++] = (int) n;
                                }
                        }
                        break;
                }

                case '?':
                        return -EINVAL;

                default:
                        assert_not_reached();
                }
        }

        if (optind >= argc)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "No block device node specified, refusing.");

        if (argc > optind+1)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Too many arguments, refusing.");

        r = parse_path_argument(argv[optind], false, &arg_node);
        if (r < 0)
                return r;

        if (arg_tpm2_pcr_mask == UINT32_MAX)
                arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT;

        return 1;
}

static int check_for_homed(struct crypt_device *cd) {
        int r;

        assert_se(cd);

        /* Politely refuse operating on homed volumes. The enrolled tokens for the user record and the LUKS2
         * volume should not get out of sync. */

        for (int token = 0; token < crypt_token_max(CRYPT_LUKS2); token ++) {
                r = cryptsetup_get_token_as_json(cd, token, "systemd-homed", NULL);
                if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
                        continue;
                if (r < 0)
                        return log_error_errno(r, "Failed to read JSON token data off disk: %m");

                return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN),
                                       "LUKS2 volume is managed by systemd-homed, please use homectl to enroll tokens.");
        }

        return 0;
}

static int prepare_luks(
                struct crypt_device **ret_cd,
                void **ret_volume_key,
                size_t *ret_volume_key_size) {

        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        _cleanup_(erase_and_freep) char *envpw = NULL;
        _cleanup_(erase_and_freep) void *vk = NULL;
        size_t vks;
        int r;

        assert(ret_cd);
        assert(!ret_volume_key == !ret_volume_key_size);

        r = crypt_init(&cd, arg_node);
        if (r < 0)
                return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");

        cryptsetup_enable_logging(cd);

        r = crypt_load(cd, CRYPT_LUKS2, NULL);
        if (r < 0)
                return log_error_errno(r, "Failed to load LUKS2 superblock: %m");

        r = check_for_homed(cd);
        if (r < 0)
                return r;

        if (!ret_volume_key) {
                *ret_cd = TAKE_PTR(cd);
                return 0;
        }

        r = crypt_get_volume_key_size(cd);
        if (r <= 0)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size");
        vks = (size_t) r;

        vk = malloc(vks);
        if (!vk)
                return log_oom();

        r = getenv_steal_erase("PASSWORD", &envpw);
        if (r < 0)
                return log_error_errno(r, "Failed to acquire password from environment: %m");
        if (r > 0) {
                r = crypt_volume_key_get(
                                cd,
                                CRYPT_ANY_SLOT,
                                vk,
                                &vks,
                                envpw,
                                strlen(envpw));
                if (r < 0)
                        return log_error_errno(r, "Password from environment variable $PASSWORD did not work.");
        } else {
                AskPasswordFlags ask_password_flags = ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED;
                _cleanup_free_ char *question = NULL, *disk_path = NULL;
                unsigned i = 5;
                const char *id;

                question = strjoin("Please enter current passphrase for disk ", arg_node, ":");
                if (!question)
                        return log_oom();

                disk_path = cescape(arg_node);
                if (!disk_path)
                        return log_oom();

                id = strjoina("cryptsetup:", disk_path);

                for (;;) {
                        _cleanup_strv_free_erase_ char **passwords = NULL;

                        if (--i == 0)
                                return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
                                                       "Too many attempts, giving up:");

                        r = ask_password_auto(
                                        question, "drive-harddisk", id, "cryptenroll", "cryptenroll.passphrase", USEC_INFINITY,
                                        ask_password_flags,
                                        &passwords);
                        if (r < 0)
                                return log_error_errno(r, "Failed to query password: %m");

                        r = -EPERM;
                        STRV_FOREACH(p, passwords) {
                                r = crypt_volume_key_get(
                                                cd,
                                                CRYPT_ANY_SLOT,
                                                vk,
                                                &vks,
                                                *p,
                                                strlen(*p));
                                if (r >= 0)
                                        break;
                        }
                        if (r >= 0)
                                break;

                        log_error_errno(r, "Password not correct, please try again.");
                        ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
                }
        }

        *ret_cd = TAKE_PTR(cd);
        *ret_volume_key = TAKE_PTR(vk);
        *ret_volume_key_size = vks;

        return 0;
}

static int run(int argc, char *argv[]) {
        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        _cleanup_(erase_and_freep) void *vk = NULL;
        size_t vks;
        int slot, r;

        log_show_color(true);
        log_parse_environment();
        log_open();

        r = parse_argv(argc, argv);
        if (r <= 0)
                return r;

        cryptsetup_enable_logging(NULL);

        if (arg_enroll_type < 0)
                r = prepare_luks(&cd, NULL, NULL); /* No need to unlock device if we don't need the volume key because we don't need to enroll anything */
        else
                r = prepare_luks(&cd, &vk, &vks);
        if (r < 0)
                return r;

        switch (arg_enroll_type) {

        case ENROLL_PASSWORD:
                slot = enroll_password(cd, vk, vks);
                break;

        case ENROLL_RECOVERY:
                slot = enroll_recovery(cd, vk, vks);
                break;

        case ENROLL_PKCS11:
                slot = enroll_pkcs11(cd, vk, vks, arg_pkcs11_token_uri);
                break;

        case ENROLL_FIDO2:
                slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
                break;

        case ENROLL_TPM2:
                slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_pin);
                break;

        case _ENROLL_TYPE_INVALID:
                /* List enrolled slots if we are called without anything to enroll or wipe */
                if (!wipe_requested())
                        return list_enrolled(cd);

                /* Only slot wiping selected */
                return wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, -1);

        default:
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Operation not implemented yet.");
        }
        if (slot < 0)
                return slot;

        /* After we completed enrolling, remove user selected slots */
        r = wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, slot);
        if (r < 0)
                return r;

        return 0;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
8710a681 LP	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include <getopt.h>
	4
	5	#include "ask-password-api.h"
	6	#include "cryptenroll-fido2.h"
d2fafc42	7	#include "cryptenroll-list.h"
8710a681 LP	8	#include "cryptenroll-password.h"
	9	#include "cryptenroll-pkcs11.h"
	10	#include "cryptenroll-recovery.h"
5e521624	11	#include "cryptenroll-tpm2.h"
d2fafc42 LP	12	#include "cryptenroll-wipe.h"
d2fafc42 LP	13	#include "cryptenroll.h"
8710a681	14	#include "cryptsetup-util.h"
7a6abbe9	15	#include "env-util.h"
8710a681 LP	16	#include "escape.h"
	17	#include "libfido2-util.h"
	18	#include "main-func.h"
	19	#include "memory-util.h"
614b022c	20	#include "parse-argument.h"
5e521624	21	#include "parse-util.h"
8710a681 LP	22	#include "path-util.h"
	23	#include "pkcs11-util.h"
	24	#include "pretty-print.h"
d2fafc42	25	#include "string-table.h"
8710a681 LP	26	#include "strv.h"
8710a681 LP	27	#include "terminal-util.h"
5e521624	28	#include "tpm2-util.h"
8710a681	29
8710a681 LP	30	static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
	31	static char *arg_pkcs11_token_uri = NULL;
	32	static char *arg_fido2_device = NULL;
	33	static char *arg_tpm2_device = NULL;
5e521624	34	static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
6c7a1681	35	static bool arg_tpm2_pin = false;
8710a681	36	static char *arg_node = NULL;
d2fafc42 LP	37	static int *arg_wipe_slots = NULL;
	38	static size_t arg_n_wipe_slots = 0;
	39	static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
	40	static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
06f08719	41	static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN \| FIDO2ENROLL_UP;
d2fafc42 LP	42
d2fafc42 LP	43	assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
8710a681 LP	44
	45	STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, freep);
	46	STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, freep);
	47	STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
	48	STATIC_DESTRUCTOR_REGISTER(arg_node, freep);
	49
d2fafc42 LP	50	static bool wipe_requested(void) {
	51	return arg_n_wipe_slots > 0 \|\|
	52	arg_wipe_slots_scope != WIPE_EXPLICIT \|\|
	53	arg_wipe_slots_mask != 0;
	54	}
	55
	56	static const char* const enroll_type_table[_ENROLL_TYPE_MAX] = {
	57	[ENROLL_PASSWORD] = "password",
	58	[ENROLL_RECOVERY] = "recovery",
	59	[ENROLL_PKCS11] = "pkcs11",
	60	[ENROLL_FIDO2] = "fido2",
	61	[ENROLL_TPM2] = "tpm2",
	62	};
	63
	64	DEFINE_STRING_TABLE_LOOKUP(enroll_type, EnrollType);
	65
	66	static const char *const luks2_token_type_table[_ENROLL_TYPE_MAX] = {
	67	/* ENROLL_PASSWORD has no entry here, as slots of this type do not have a token in the LUKS2 header */
	68	[ENROLL_RECOVERY] = "systemd-recovery",
	69	[ENROLL_PKCS11] = "systemd-pkcs11",
	70	[ENROLL_FIDO2] = "systemd-fido2",
	71	[ENROLL_TPM2] = "systemd-tpm2",
	72	};
	73
	74	DEFINE_STRING_TABLE_LOOKUP(luks2_token_type, EnrollType);
	75
8710a681 LP	76	static int help(void) {
	77	_cleanup_free_ char *link = NULL;
	78	int r;
	79
	80	r = terminal_urlify_man("systemd-cryptenroll", "1", &link);
	81	if (r < 0)
	82	return log_oom();
	83
	84	printf("%s [OPTIONS...] BLOCK-DEVICE\n"
	85	"\n%sEnroll a security token or authentication credential to a LUKS volume.%s\n\n"
	86	" -h --help Show this help\n"
	87	" --version Show package version\n"
	88	" --password Enroll a user-supplied password\n"
	89	" --recovery-key Enroll a recovery key\n"
	90	" --pkcs11-token-uri=URI\n"
	91	" Specify PKCS#11 security token URI\n"
	92	" --fido2-device=PATH\n"
	93	" Enroll a FIDO2-HMAC security token\n"
cde2f860 LB	94	" --fido2-with-client-pin=BOOL\n"
cde2f860 LB	95	" Whether to require entering a PIN to unlock the volume\n"
06f08719 LB	96	" --fido2-with-user-presence=BOOL\n"
06f08719 LB	97	" Whether to require user presence to unlock the volume\n"
896cc0da LB	98	" --fido2-with-user-verification=BOOL\n"
896cc0da LB	99	" Whether to require user verification to unlock the volume\n"
5e521624 LP	100	" --tpm2-device=PATH\n"
5e521624 LP	101	" Enroll a TPM2 device\n"
6e766d98	102	" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
45861042	103	" Specify TPM2 PCRs to seal against\n"
6c7a1681 GG	104	" --tpm2-with-pin=BOOL\n"
6c7a1681 GG	105	" Whether to require entering a PIN to unlock the volume\n"
d2fafc42 LP	106	" --wipe-slot=SLOT1,SLOT2,…\n"
d2fafc42 LP	107	" Wipe specified slots\n"
bc556335 DDM	108	"\nSee the %s for details.\n",
	109	program_invocation_short_name,
	110	ansi_highlight(),
	111	ansi_normal(),
	112	link);
8710a681 LP	113
	114	return 0;
	115	}
	116
	117	static int parse_argv(int argc, char *argv[]) {
	118
	119	enum {
	120	ARG_VERSION = 0x100,
	121	ARG_PASSWORD,
	122	ARG_RECOVERY_KEY,
	123	ARG_PKCS11_TOKEN_URI,
	124	ARG_FIDO2_DEVICE,
5e521624 LP	125	ARG_TPM2_DEVICE,
5e521624 LP	126	ARG_TPM2_PCRS,
6c7a1681	127	ARG_TPM2_PIN,
d2fafc42	128	ARG_WIPE_SLOT,
cde2f860	129	ARG_FIDO2_WITH_PIN,
06f08719	130	ARG_FIDO2_WITH_UP,
896cc0da	131	ARG_FIDO2_WITH_UV,
8710a681 LP	132	};
	133
	134	static const struct option options[] = {
cde2f860 LB	135	{ "help", no_argument, NULL, 'h' },
	136	{ "version", no_argument, NULL, ARG_VERSION },
	137	{ "password", no_argument, NULL, ARG_PASSWORD },
	138	{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
	139	{ "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
	140	{ "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
	141	{ "fido2-with-client-pin", required_argument, NULL, ARG_FIDO2_WITH_PIN },
06f08719	142	{ "fido2-with-user-presence", required_argument, NULL, ARG_FIDO2_WITH_UP },
896cc0da	143	{ "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV },
cde2f860 LB	144	{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
cde2f860 LB	145	{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
6c7a1681	146	{ "tpm2-with-pin", required_argument, NULL, ARG_TPM2_PIN },
cde2f860	147	{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
8710a681 LP	148	{}
	149	};
	150
	151	int c, r;
	152
	153	assert(argc >= 0);
	154	assert(argv);
	155
	156	while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) {
	157
	158	switch (c) {
	159
	160	case 'h':
	161	return help();
	162
	163	case ARG_VERSION:
	164	return version();
	165
cde2f860 LB	166	case ARG_FIDO2_WITH_PIN: {
	167	bool lock_with_pin;
	168
	169	r = parse_boolean_argument("--fido2-with-client-pin=", optarg, &lock_with_pin);
	170	if (r < 0)
	171	return r;
	172
	173	SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_PIN, lock_with_pin);
cde2f860 LB	174	break;
	175	}
	176
06f08719 LB	177	case ARG_FIDO2_WITH_UP: {
	178	bool lock_with_up;
	179
	180	r = parse_boolean_argument("--fido2-with-user-presence=", optarg, &lock_with_up);
	181	if (r < 0)
	182	return r;
	183
	184	SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_UP, lock_with_up);
06f08719 LB	185	break;
	186	}
	187
896cc0da LB	188	case ARG_FIDO2_WITH_UV: {
	189	bool lock_with_uv;
	190
	191	r = parse_boolean_argument("--fido2-with-user-verification=", optarg, &lock_with_uv);
	192	if (r < 0)
	193	return r;
	194
	195	SET_FLAG(arg_fido2_lock_with, FIDO2ENROLL_UV, lock_with_uv);
896cc0da LB	196	break;
	197	}
	198
8710a681 LP	199	case ARG_PASSWORD:
	200	if (arg_enroll_type >= 0)
	201	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	202	"Multiple operations specified at once, refusing.");
	203
	204	arg_enroll_type = ENROLL_PASSWORD;
	205	break;
	206
	207	case ARG_RECOVERY_KEY:
	208	if (arg_enroll_type >= 0)
	209	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	210	"Multiple operations specified at once, refusing.");
	211
	212	arg_enroll_type = ENROLL_RECOVERY;
	213	break;
	214
	215	case ARG_PKCS11_TOKEN_URI: {
	216	_cleanup_free_ char *uri = NULL;
	217
	218	if (streq(optarg, "list"))
	219	return pkcs11_list_tokens();
	220
	221	if (arg_enroll_type >= 0 \|\| arg_pkcs11_token_uri)
	222	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	223	"Multiple operations specified at once, refusing.");
	224
	225	if (streq(optarg, "auto")) {
	226	r = pkcs11_find_token_auto(&uri);
	227	if (r < 0)
	228	return r;
	229	} else {
	230	if (!pkcs11_uri_valid(optarg))
	231	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg);
	232
	233	uri = strdup(optarg);
	234	if (!uri)
	235	return log_oom();
	236	}
	237
	238	arg_enroll_type = ENROLL_PKCS11;
	239	arg_pkcs11_token_uri = TAKE_PTR(uri);
	240	break;
	241	}
	242
	243	case ARG_FIDO2_DEVICE: {
	244	_cleanup_free_ char *device = NULL;
	245
	246	if (streq(optarg, "list"))
	247	return fido2_list_devices();
	248
	249	if (arg_enroll_type >= 0 \|\| arg_fido2_device)
	250	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	251	"Multiple operations specified at once, refusing.");
	252
	253	if (streq(optarg, "auto")) {
	254	r = fido2_find_device_auto(&device);
	255	if (r < 0)
	256	return r;
	257	} else {
	258	device = strdup(optarg);
	259	if (!device)
	260	return log_oom();
	261	}
	262
263	arg_enroll_type = ENROLL_FIDO2;
264	arg_fido2_device = TAKE_PTR(device);
265	break;
266	}
267
5e521624 LP	268	case ARG_TPM2_DEVICE: {
	269	_cleanup_free_ char *device = NULL;
	270
	271	if (streq(optarg, "list"))
	272	return tpm2_list_devices();
	273
	274	if (arg_enroll_type >= 0 \|\| arg_tpm2_device)
	275	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	276	"Multiple operations specified at once, refusing.");
	277
	278	if (!streq(optarg, "auto")) {
	279	device = strdup(optarg);
	280	if (!device)
	281	return log_oom();
	282	}
	283
	284	arg_enroll_type = ENROLL_TPM2;
	285	arg_tpm2_device = TAKE_PTR(device);
	286	break;
	287	}
	288
	289	case ARG_TPM2_PCRS: {
	290	uint32_t mask;
	291
	292	if (isempty(optarg)) {
	293	arg_tpm2_pcr_mask = 0;
	294	break;
	295	}
	296
	297	r = tpm2_parse_pcrs(optarg, &mask);
	298	if (r < 0)
	299	return r;
	300
	301	if (arg_tpm2_pcr_mask == UINT32_MAX)
	302	arg_tpm2_pcr_mask = mask;
	303	else
	304	arg_tpm2_pcr_mask \|= mask;
	305
	306	break;
	307	}
	308
6c7a1681 GG	309	case ARG_TPM2_PIN: {
	310	r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin);
	311	if (r < 0)
	312	return r;
	313
	314	break;
	315	}
	316
d2fafc42 LP	317	case ARG_WIPE_SLOT: {
	318	const char *p = optarg;
	319
	320	if (isempty(optarg)) {
	321	arg_wipe_slots_mask = 0;
	322	arg_wipe_slots_scope = WIPE_EXPLICIT;
	323	break;
	324	}
	325
	326	for (;;) {
	327	_cleanup_free_ char *slot = NULL;
	328	unsigned n;
	329
	330	r = extract_first_word(&p, &slot, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
	331	if (r == 0)
	332	break;
	333	if (r < 0)
	334	return log_error_errno(r, "Failed to parse slot list: %s", optarg);
	335
	336	if (streq(slot, "all"))
	337	arg_wipe_slots_scope = WIPE_ALL;
	338	else if (streq(slot, "empty")) {
	339	if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */
	340	arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE;
	341	} else if (streq(slot, "password"))
	342	arg_wipe_slots_mask = 1U << ENROLL_PASSWORD;
	343	else if (streq(slot, "recovery"))
	344	arg_wipe_slots_mask = 1U << ENROLL_RECOVERY;
	345	else if (streq(slot, "pkcs11"))
	346	arg_wipe_slots_mask = 1U << ENROLL_PKCS11;
	347	else if (streq(slot, "fido2"))
	348	arg_wipe_slots_mask = 1U << ENROLL_FIDO2;
	349	else if (streq(slot, "tpm2"))
	350	arg_wipe_slots_mask = 1U << ENROLL_TPM2;
	351	else {
	352	int *a;
	353
	354	r = safe_atou(slot, &n);
	355	if (r < 0)
	356	return log_error_errno(r, "Failed to parse slot index: %s", slot);
	357	if (n > INT_MAX)
	358	return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Slot index out of range: %u", n);
	359
	360	a = reallocarray(arg_wipe_slots, sizeof(int), arg_n_wipe_slots + 1);
	361	if (!a)
	362	return log_oom();
	363
	364	arg_wipe_slots = a;
	365	arg_wipe_slots[arg_n_wipe_slots++] = (int) n;
	366	}
	367	}
	368	break;
	369	}
	370
8710a681 LP	371	case '?':
	372	return -EINVAL;
	373
	374	default:
04499a70	375	assert_not_reached();
8710a681 LP	376	}
	377	}
	378
8710a681 LP	379	if (optind >= argc)
	380	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	381	"No block device node specified, refusing.");
	382
	383	if (argc > optind+1)
	384	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	385	"Too many arguments, refusing.");
	386
614b022c	387	r = parse_path_argument(argv[optind], false, &arg_node);
8710a681 LP	388	if (r < 0)
	389	return r;
	390
5e521624 LP	391	if (arg_tpm2_pcr_mask == UINT32_MAX)
	392	arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT;
	393
8710a681 LP	394	return 1;
	395	}
	396
e0142d4f LP	397	static int check_for_homed(struct crypt_device *cd) {
	398	int r;
	399
	400	assert_se(cd);
	401
	402	/* Politely refuse operating on homed volumes. The enrolled tokens for the user record and the LUKS2
	403	* volume should not get out of sync. */
	404
	405	for (int token = 0; token < crypt_token_max(CRYPT_LUKS2); token ++) {
	406	r = cryptsetup_get_token_as_json(cd, token, "systemd-homed", NULL);
	407	if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE))
	408	continue;
	409	if (r < 0)
	410	return log_error_errno(r, "Failed to read JSON token data off disk: %m");
	411
	412	return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN),
	413	"LUKS2 volume is managed by systemd-homed, please use homectl to enroll tokens.");
	414	}
	415
	416	return 0;
	417	}
	418
8710a681 LP	419	static int prepare_luks(
	420	struct crypt_device **ret_cd,
	421	void **ret_volume_key,
	422	size_t *ret_volume_key_size) {
	423
	424	_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
e99ca147	425	_cleanup_(erase_and_freep) char *envpw = NULL;
8710a681	426	_cleanup_(erase_and_freep) void *vk = NULL;
8710a681 LP	427	size_t vks;
	428	int r;
	429
	430	assert(ret_cd);
	431	assert(!ret_volume_key == !ret_volume_key_size);
	432
	433	r = crypt_init(&cd, arg_node);
	434	if (r < 0)
	435	return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
	436
	437	cryptsetup_enable_logging(cd);
	438
	439	r = crypt_load(cd, CRYPT_LUKS2, NULL);
	440	if (r < 0)
	441	return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
	442
e0142d4f LP	443	r = check_for_homed(cd);
	444	if (r < 0)
	445	return r;
	446
8710a681 LP	447	if (!ret_volume_key) {
	448	*ret_cd = TAKE_PTR(cd);
	449	return 0;
	450	}
	451
	452	r = crypt_get_volume_key_size(cd);
	453	if (r <= 0)
	454	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size");
	455	vks = (size_t) r;
	456
	457	vk = malloc(vks);
	458	if (!vk)
	459	return log_oom();
	460
e99ca147 LP	461	r = getenv_steal_erase("PASSWORD", &envpw);
	462	if (r < 0)
	463	return log_error_errno(r, "Failed to acquire password from environment: %m");
	464	if (r > 0) {
8710a681 LP	465	r = crypt_volume_key_get(
	466	cd,
	467	CRYPT_ANY_SLOT,
	468	vk,
	469	&vks,
e99ca147 LP	470	envpw,
e99ca147 LP	471	strlen(envpw));
8710a681	472	if (r < 0)
45861042	473	return log_error_errno(r, "Password from environment variable $PASSWORD did not work.");
8710a681 LP	474	} else {
	475	AskPasswordFlags ask_password_flags = ASK_PASSWORD_PUSH_CACHE\|ASK_PASSWORD_ACCEPT_CACHED;
	476	_cleanup_free_ char question = NULL, disk_path = NULL;
	477	unsigned i = 5;
	478	const char *id;
	479
	480	question = strjoin("Please enter current passphrase for disk ", arg_node, ":");
	481	if (!question)
	482	return log_oom();
	483
	484	disk_path = cescape(arg_node);
	485	if (!disk_path)
	486	return log_oom();
	487
	488	id = strjoina("cryptsetup:", disk_path);
	489
	490	for (;;) {
	491	_cleanup_strv_free_erase_ char **passwords = NULL;
8710a681 LP	492
	493	if (--i == 0)
	494	return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
	495	"Too many attempts, giving up:");
	496
	497	r = ask_password_auto(
8806bb4b	498	question, "drive-harddisk", id, "cryptenroll", "cryptenroll.passphrase", USEC_INFINITY,
8710a681 LP	499	ask_password_flags,
	500	&passwords);
	501	if (r < 0)
	502	return log_error_errno(r, "Failed to query password: %m");
	503
	504	r = -EPERM;
	505	STRV_FOREACH(p, passwords) {
	506	r = crypt_volume_key_get(
	507	cd,
	508	CRYPT_ANY_SLOT,
	509	vk,
	510	&vks,
	511	*p,
	512	strlen(*p));
	513	if (r >= 0)
	514	break;
	515	}
	516	if (r >= 0)
	517	break;
	518
	519	log_error_errno(r, "Password not correct, please try again.");
	520	ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
	521	}
	522	}
	523
	524	*ret_cd = TAKE_PTR(cd);
	525	*ret_volume_key = TAKE_PTR(vk);
	526	*ret_volume_key_size = vks;
	527
	528	return 0;
	529	}
	530
	531	static int run(int argc, char *argv[]) {
	532	_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
	533	_cleanup_(erase_and_freep) void *vk = NULL;
	534	size_t vks;
d2fafc42	535	int slot, r;
8710a681 LP	536
	537	log_show_color(true);
	538	log_parse_environment();
	539	log_open();
	540
	541	r = parse_argv(argc, argv);
	542	if (r <= 0)
	543	return r;
	544
2f678640 LP	545	cryptsetup_enable_logging(NULL);
2f678640 LP	546
d2fafc42 LP	547	if (arg_enroll_type < 0)
	548	r = prepare_luks(&cd, NULL, NULL); /* No need to unlock device if we don't need the volume key because we don't need to enroll anything */
	549	else
	550	r = prepare_luks(&cd, &vk, &vks);
8710a681 LP	551	if (r < 0)
	552	return r;
	553
	554	switch (arg_enroll_type) {
	555
	556	case ENROLL_PASSWORD:
d2fafc42	557	slot = enroll_password(cd, vk, vks);
8710a681 LP	558	break;
	559
	560	case ENROLL_RECOVERY:
d2fafc42	561	slot = enroll_recovery(cd, vk, vks);
8710a681 LP	562	break;
	563
	564	case ENROLL_PKCS11:
d2fafc42	565	slot = enroll_pkcs11(cd, vk, vks, arg_pkcs11_token_uri);
8710a681 LP	566	break;
	567
	568	case ENROLL_FIDO2:
cde2f860	569	slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with);
8710a681 LP	570	break;
8710a681 LP	571
5e521624	572	case ENROLL_TPM2:
6c7a1681	573	slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_pin);
5e521624 LP	574	break;
5e521624 LP	575
d2fafc42 LP	576	case _ENROLL_TYPE_INVALID:
	577	/* List enrolled slots if we are called without anything to enroll or wipe */
	578	if (!wipe_requested())
	579	return list_enrolled(cd);
	580
	581	/* Only slot wiping selected */
	582	return wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, -1);
	583
8710a681 LP	584	default:
	585	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Operation not implemented yet.");
	586	}
d2fafc42 LP	587	if (slot < 0)
d2fafc42 LP	588	return slot;
8710a681	589
d2fafc42 LP	590	/* After we completed enrolling, remove user selected slots */
	591	r = wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, slot);
	592	if (r < 0)
	593	return r;
	594
	595	return 0;
8710a681 LP	596	}
	597
	598	DEFINE_MAIN_FUNCTION(run);