cryptenroll: use root device by default
authorLudwig Nussel <ludwig.nussel@suse.de>
Wed, 28 Feb 2024 13:46:05 +0000 (14:46 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 23 Apr 2024 10:29:32 +0000 (12:29 +0200)
man/systemd-cryptenroll.xml
src/cryptenroll/cryptenroll.c

index a3a2c610eeb2375f9669777af02d1ed853d2d757..9287d835de8f20ecb585704eb893641eab5facfb 100644 (file)
@@ -61,6 +61,9 @@
     <para>The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token
     area, which is not available in other encryption formats.</para>
 
+    <para><command>systemd-cryptsetup</command> operates on the device backing <filename>/</filename> if no
+    device is specified explicitly and no wipe operation is requested</para>
+
     <refsect2>
       <title>TPM2 PCRs and policies</title>
 
     token, or a TPM2 key is always enrolled.</para>
 
     <para>Also note that support for enrolling multiple FIDO2 tokens is currently limited. When multiple FIDO2
-    tokens are enrolled, <command>systemd-cryptseup</command> will perform pre-flight requests to attempt to
+    tokens are enrolled, <command>systemd-cryptsetup</command> will perform pre-flight requests to attempt to
     identify which of the enrolled tokens are currently plugged in. However, this is not possible for FIDO2
     tokens with user verification (UV, usually via biometrics), in which case it will fall back to attempting
     each enrolled token one by one. This will result in multiple prompts for PIN and user verification. This
index 5b9fc15dd83b0d8240a2a9d29321e7f429908cf9..e30cba9fd44c0d9f2424a82c3f98cd09133b25c2 100644 (file)
@@ -5,6 +5,7 @@
 
 #include "ask-password-api.h"
 #include "build.h"
+#include "blockdev-util.h"
 #include "cryptenroll-fido2.h"
 #include "cryptenroll-list.h"
 #include "cryptenroll-password.h"
@@ -14,6 +15,7 @@
 #include "cryptenroll-wipe.h"
 #include "cryptenroll.h"
 #include "cryptsetup-util.h"
+#include "devnum-util.h"
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
@@ -534,17 +536,32 @@ static int parse_argv(int argc, char *argv[]) {
                 }
         }
 
-        if (optind >= argc)
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "No block device node specified, refusing.");
-
         if (argc > optind+1)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Too many arguments, refusing.");
 
-        r = parse_path_argument(argv[optind], false, &arg_node);
-        if (r < 0)
-                return r;
+        if (optind < argc) {
+                r = parse_path_argument(argv[optind], false, &arg_node);
+                if (r < 0)
+                        return r;
+        } else if (!wipe_requested()) {
+                dev_t devno;
+
+                r = blockdev_get_root(LOG_ERR, &devno);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
+                                        "Root file system not backed by a (single) whole block device.");
+
+                r = device_path_make_canonical(S_IFBLK, devno, &arg_node);
+                if (r < 0)
+                        return log_error_errno(r,
+                                               "Failed to format canonical device path for devno '" DEVNUM_FORMAT_STR "': %m",
+                                               DEVNUM_FORMAT_VAL(devno));
+        } else
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "No block device node specified, refusing.");
 
         if (arg_enroll_type == ENROLL_FIDO2) {
 
@@ -671,7 +688,7 @@ static int prepare_luks(
 
         r = crypt_load(cd, CRYPT_LUKS2, NULL);
         if (r < 0)
-                return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
+                return log_error_errno(r, "Failed to load LUKS2 superblock of %s: %m", arg_node);
 
         r = check_for_homed(cd);
         if (r < 0)