cryptsetup: add manual TPM2 PIN configuration
authorGrigori Goronzy <greg@chown.ath.cx>
Fri, 18 Feb 2022 20:13:41 +0000 (21:13 +0100)
committerGrigori Goronzy <greg@chown.ath.cx>
Tue, 15 Mar 2022 20:17:00 +0000 (21:17 +0100)
Handle the case where TPM2 metadata is not available and the PIN
requirement is instead provided explicitly in crypttab. This adds a new
"tpm2-pin" option to the crypttab options for this purpose.

man/crypttab.xml
src/cryptsetup/cryptsetup.c

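index ac5c6ef6664b82139bf1d7ee0a02b5f9ba919d5a..22411166a8dfe31b7b24a684ff944a38b1068dac 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
         of the current PCR state.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>tpm2-pin=</option></term>
+
+        <listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether
+        TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful
+        when TPM2 enrollment metadata is not available.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>token-timeout=</option></term>
 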
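index b03dc1a3ff2adea17bd8f64572a412221dc1115b..c2075f53fd9fc5146b7d0fcb855b8056e266e459 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -82,6 +82,7 @@ static char *arg_fido2_rp_id = NULL;
 static char *arg_tpm2_device = NULL;
 static bool arg_tpm2_device_auto = false;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static bool arg_tpm2_pin = false;
 static bool arg_headless = false;
 static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;
 
@@ -387,6 +388,16 @@ static int parse_one_option(const char *option) {
                                 arg_tpm2_pcr_mask |= mask;
                 }
 
+        } else if ((val = startswith(option, "tpm2-pin="))) {
+
+                r = parse_boolean(val);
+                if (r < 0) {
+                        log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
+                        return 0;
+                }
+
+                arg_tpm2_pin = r;
+
         } else if ((val = startswith(option, "try-empty-password="))) {
 
                 r = parse_boolean(val);
@@ -1301,7 +1312,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                         key_file, arg_keyfile_size, arg_keyfile_offset,
                                         key_data, key_data_size,
                                         NULL, 0, /* we don't know the policy hash */
-                                        0, /* PIN is currently unhandled in this case */
+                                        arg_tpm2_pin,
                                         until,
                                         arg_headless,
                                         arg_ask_password_flags,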
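Review bot: In the last hunk the PIN requirement on the no-metadata path now comes solely from crypttab (`arg_tpm2_pin` replacing the literal `0` in the acquire_tpm2_key call) while the same call still passes `NULL, 0` for the policy hash, so there is nothing to cross-check `tpm2-pin=` against and a value that disagrees with the actual enrollment presumably only surfaces as an unseal failure. That is worth stating at the argument so the next reader does not assume such a check exists: `arg_tpm2_pin, /* manual config: taken as-is, nothing to verify it against */`. The man page hunk says the option only matters when TPM2 enrollment metadata is absent, but the declaration in the first hunk does not; a one-line comment there, `/* tpm2-pin=; only honoured when no TPM2 enrollment metadata is available */`, would keep the C side consistent with the docs. Both parse_one_option and attach_luks_or_plain_or_bitlk_by_tpm2 start and end outside their hunks.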