<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
<variablelist>
+ <varlistentry>
+ <term><option>--unlock-empty</option></term>
+
+ <listitem><para>Use an empty password/passphrase to unlock the volume, instead of reading one from
+ stdin. This is useful to unlock volumes that are currently protected by an empty password, in order to
+ enroll a different, stronger unlock mechanism.</para>
+
+ <xi:include href="version-info.xml" xpointer="v262"/></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
#include "string-util.h"
#include "strv.h"
+int load_volume_key_empty(
+ const EnrollContext *c,
+ struct crypt_device *cd,
+ struct iovec *ret_vk) {
+
+ int r;
+
+ assert_se(c);
+ assert_se(cd);
+ assert_se(ret_vk);
+
+ r = sym_crypt_volume_key_get(
+ cd,
+ CRYPT_ANY_SLOT,
+ ret_vk->iov_base,
+ &ret_vk->iov_len,
+ "",
+ 0);
+ if (r < 0)
+ return log_error_errno(r, "Provided empty password did not work: %m");
+
+ return r;
+}
+
int load_volume_key_keyfile(
const EnrollContext *c,
struct crypt_device *cd,
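Review bot: `ret_vk` is an in/out parameter here rather than a pure output, and nothing documents that: the `sym_crypt_volume_key_get()` call passes `ret_vk->iov_base` by value as the destination buffer and `&ret_vk->iov_len` as its capacity, so the caller must hand in an already-allocated buffer large enough for the volume key, and `iov_len` is overwritten with the length actually written. A short header comment above `load_volume_key_empty()` would make the contract explicit, e.g. `/* ret_vk: caller-allocated buffer, iov_len = its capacity on entry, actual key length on success. Returns the libcryptsetup result (presumably the keyslot that unlocked; verify against the other load_volume_key_* helpers) or a negative errno. */`. The same convention appears to be shared with `load_volume_key_keyfile()`, whose definition starts at the end of this hunk and continues outside it, so the comment is worth mirroring there. As a point of style, `assert_se()` on plain pointer arguments is normally reserved for expressions with side effects or checks that must survive NDEBUG builds; `assert()` reads closer to the intent unless that is deliberate.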
#include "cryptenroll.h"
#include "shared-forward.h"
+int load_volume_key_empty(const EnrollContext *c, struct crypt_device *cd, struct iovec *ret_vk);
int load_volume_key_keyfile(const EnrollContext *c, struct crypt_device *cd, struct iovec *ret_vk);
int load_volume_key_password(const EnrollContext *c, struct crypt_device *cd, struct iovec *ret_vk);
OPTION_GROUP("Unlocking"): {}
+ OPTION_LONG("unlock-empty", NULL, "Use an empty password to unlock the volume"):
+ if (arg_unlock_type != UNLOCK_PASSWORD)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Multiple unlock methods specified at once, refusing.");
+
+ arg_unlock_type = UNLOCK_EMPTY;
+ break;
+
OPTION_LONG("unlock-key-file", "PATH",
"Use a file to unlock the volume"):
if (arg_unlock_type != UNLOCK_PASSWORD)
switch (c->unlock_type) {
+ case UNLOCK_EMPTY:
+ r = load_volume_key_empty(c, cd, &vk);
+ break;
+
case UNLOCK_PASSWORD:
r = load_volume_key_password(c, cd, &vk);
break;
UNLOCK_KEYFILE,
UNLOCK_FIDO2,
UNLOCK_TPM2,
+ UNLOCK_EMPTY,
_UNLOCK_TYPE_MAX,
_UNLOCK_TYPE_INVALID = -EINVAL,
} UnlockType;