<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-cryptenroll" xmlns:xi="http://www.w3.org/2001/XInclude" conditional='HAVE_LIBCRYPTSETUP'>
<varlistentry>
<term><option>--pkcs11-token-uri=</option><replaceable>URI</replaceable></term>
- <listitem><para>Enroll a PKCS#11 security token or smartcard (e.g. a YubiKey). Expects a PKCS#11
- smartcard URI referring to the token. Alternatively the special value <literal>auto</literal> may
- be specified, in order to automatically determine the URI of a currently plugged in security token
- (of which there must be exactly one). The special value <literal>list</literal> may be used to
- enumerate all suitable PKCS#11 tokens currently plugged in.</para>
+ <listitem><para>Enroll a PKCS#11 security token or smartcard (e.g. a YubiKey). Expects a PKCS#11 URI
+ that allows to find an X.509 certificate on the token. The URI must also be suitable to find
+ a related private key after changing the type of object in it. Alternatively the special value
+ <literal>auto</literal> may be specified, in order to automatically determine the suitable URI if
+ a single security token containing a single key pair is plugged in. The special value
+ <literal>list</literal> may be used to enumerate all suitable PKCS#11 tokens currently plugged in.
+ </para>
<para>The PKCS#11 token must contain an RSA or EC key pair which will be used to unlock a LUKS2 volume.
For RSA, a randomly generated volume key is encrypted with a public key in the token, and stored in
</varlistentry>
<varlistentry>
- <term><option>--tpm2-pcrs=</option><arg rep="repeat">PCR</arg></term>
+ <term><option>--tpm2-pcrs=</option><replaceable>PCR<optional>+PCR...</optional></replaceable></term>
<listitem><para>Configures the TPM2 PCRs (Platform Configuration Registers) to bind to when
enrollment is requested via <option>--tpm2-device=</option>. Takes a list of PCR entries, where each
</varlistentry>
<varlistentry>
- <term><option>--tpm2-public-key=</option><arg>PATH</arg></term>
- <term><option>--tpm2-public-key-pcrs=</option><arg rep="repeat">PCR</arg></term>
- <term><option>--tpm2-signature=</option><arg>PATH</arg></term>
+ <term><option>--tpm2-public-key=</option><replaceable>PATH</replaceable></term>
+ <term><option>--tpm2-public-key-pcrs=</option><replaceable>PCR<optional>+PCR...</optional></replaceable></term>
+ <term><option>--tpm2-signature=</option><replaceable>PATH</replaceable></term>
<listitem><para>Configures a TPM2 signed PCR policy to bind encryption to. The
<option>--tpm2-public-key=</option> option accepts a path to a PEM encoded RSA public key, to bind
</varlistentry>
<varlistentry>
- <term><option>--tpm2-pcrlock=</option><arg>PATH</arg></term>
+ <term><option>--tpm2-pcrlock=</option><replaceable>PATH</replaceable></term>
<listitem><para>Configures a TPM2 pcrlock policy to bind encryption to. Expects a path to a pcrlock
policy file as generated by the
</varlistentry>
<varlistentry>
- <term><option>--wipe-slot=</option><arg rep="repeat">SLOT</arg></term>
+ <term><option>--wipe-slot=</option><replaceable>SLOT<optional>,SLOT...</optional></replaceable></term>
<listitem><para>Wipes one or more LUKS2 key slots. Takes a comma separated list of numeric slot
indexes, or the special strings <literal>all</literal> (for wiping all key slots),
int (*sym_p11_kit_uri_format)(P11KitUri *uri, P11KitUriType uri_type, char **string);
void (*sym_p11_kit_uri_free)(P11KitUri *uri);
CK_ATTRIBUTE_PTR (*sym_p11_kit_uri_get_attributes)(P11KitUri *uri, CK_ULONG *n_attrs);
+ CK_ATTRIBUTE_PTR (*sym_p11_kit_uri_get_attribute)(P11KitUri *uri, CK_ATTRIBUTE_TYPE attr_type);
+ int (*sym_p11_kit_uri_set_attribute)(P11KitUri *uri, CK_ATTRIBUTE_PTR attr);
CK_INFO_PTR (*sym_p11_kit_uri_get_module_info)(P11KitUri *uri);
CK_SLOT_INFO_PTR (*sym_p11_kit_uri_get_slot_info)(P11KitUri *uri);
CK_TOKEN_INFO_PTR (*sym_p11_kit_uri_get_token_info)(P11KitUri *uri);
DLSYM_ARG(p11_kit_uri_format),
DLSYM_ARG(p11_kit_uri_free),
DLSYM_ARG(p11_kit_uri_get_attributes),
+ DLSYM_ARG(p11_kit_uri_get_attribute),
+ DLSYM_ARG(p11_kit_uri_set_attribute),
DLSYM_ARG(p11_kit_uri_get_module_info),
DLSYM_ARG(p11_kit_uri_get_slot_info),
DLSYM_ARG(p11_kit_uri_get_token_info),
optional_attributes[1].ulValueLen = sizeof(derive_value);
rv = m->C_GetAttributeValue(session, candidate, optional_attributes, ELEMENTSOF(optional_attributes));
- if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ if (!IN_SET(rv, CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID))
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to get attributes of a selected private key: %s", sym_p11_kit_strerror(rv));
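Review bot: Accepting CKR_ATTRIBUTE_TYPE_INVALID alongside CKR_OK is right for optional attributes, but the rewritten check deserves a comment, because in that case C_GetAttributeValue fills in the other attributes and leaves the missing one's ulValueLen set to CK_UNAVAILABLE_INFORMATION, so whatever consumes optional_attributes after this hunk must test ulValueLen before reading derive_value. Suggest `/* CKR_ATTRIBUTE_TYPE_INVALID is non-fatal: the attribute is optional and its ulValueLen is then CK_UNAVAILABLE_INFORMATION */` above the IN_SET line. The same IN_SET rewrite appears in the next three hunks (the prototype length query, which already checks ulValueLen on its following line, and the two CKA_EC_PARAMS length queries); the comment matters most where no ulValueLen check is visible. If any attribute queried here could be marked sensitive on the token, the token would report CKR_ATTRIBUTE_SENSITIVE in the same partial-success manner and this check would turn it into EIO; the visible CKA_DERIVE boolean does not look affected, but the other entry is not visible in the hunk. The enclosing function starts and ends outside the hunk.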
CK_RV rv;
rv = m->C_GetAttributeValue(session, prototype, attributes, ELEMENTSOF(attributes));
- if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ if (!IN_SET(rv, CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID))
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve length of attributes: %s", sym_p11_kit_strerror(rv));
if (attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION) {
int r;
rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1);
- if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ if (!IN_SET(rv, CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID))
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
ec_params_attr.ulValueLen = 0;
rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1);
- if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ if (!IN_SET(rv, CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID))
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
if (mechanism_info.flags & CKF_EC_COMPRESS) {
#if HAVE_OPENSSL
log_debug("CKM_ECDH1_DERIVE accepts compressed EC points only, trying to convert.");
- size_t compressed_point_size;
+ size_t compressed_point_size = 0; /* Explicit initialization to appease gcc */
r = ecc_convert_to_compressed(m, session, object, encrypted_data, encrypted_data_size, &compressed_point, &compressed_point_size);
if (r < 0)
return r;
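Review bot: The new comment on compressed_point_size explains why the initializer exists but not what a reader needs to know — that the value is only meaningful once ecc_convert_to_compressed() has returned successfully. A wording such as `size_t compressed_point_size = 0; /* set by ecc_convert_to_compressed() on success; zero-initialized only so gcc's -Wmaybe-uninitialized stays quiet */` keeps the rationale and states the contract, assuming the helper writes it on every success path (its body is outside this hunk). The declaration of compressed_point itself is not visible here; if it is a plain local rather than a cleanup-annotated one, it is presumably subject to the same warning and worth a glance. The enclosing function continues beyond both ends of the hunk.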
if (r < 0 && r != -EAGAIN)
return r;
- if (table_get_rows(t) <= 1) {
+ if (table_isempty(t)) {
log_info("No suitable PKCS#11 tokens found.");
return 0;
}