gpt-auto-generator: Pass cryptsetup credentials to cryptsetup
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Sun, 3 Dec 2023 19:19:08 +0000 (20:19 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 6 Dec 2023 22:37:32 +0000 (23:37 +0100)
cryptsetup reads a bunch of credentials now, but we don't import
those in any service units yet. Let's pass through all cryptsetup-prefixed
credentials to the systemd-cryptsetup@root instance.

man/systemd-cryptsetup.xml
src/shared/generator.c

index 1d3a3135f30ff19724dbdd88e2dec6fdea26e662..8191fdda4e4f9c9e7480585ac0e0b11a336250c7 100644 (file)
@@ -3,7 +3,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-cryptsetup" conditional='HAVE_LIBCRYPTSETUP'>
+<refentry id="systemd-cryptsetup" conditional='HAVE_LIBCRYPTSETUP' xmlns:xi="http://www.w3.org/2001/XInclude">
 
   <refentryinfo>
     <title>systemd-cryptsetup</title>
     <para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>
   </refsect1>
 
+  <refsect1>
+    <title>System Credentials</title>
+
+    <para><command>systemd-cryptsetup</command> supports the service credentials logic as implemented by
+    <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+    (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+    details). The following credentials are used by <literal>systemd-crypsetup@root.service</literal>
+    (generated by <command>systemd-gpt-auto-generator</command>) when passed in:</para>
+
+    <variablelist class='system-credentials'>
+      <varlistentry>
+        <term><varname>cryptsetup.passphrase</varname></term>
+
+        <listitem><para>This credential specifies the passphrase of the LUKS volume.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.fido2-pin</varname></term>
+
+        <listitem><para>This credential specifies the FIDO2 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.tpm2-pin</varname></term>
+
+        <listitem><para>This credential specifies the TPM pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.luks2-pin</varname></term>
+
+        <listitem><para>This credential specifies the LUKS2 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>cryptsetup.pkcs11-pin</varname></term>
+
+        <listitem><para>This credential specifies the PKCS11 token pin.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>
     <para>
index 562658726912201d7148d53e4769bce9941c7626..fe58021f000d9c4cebc2bff798b4c7d63697d778 100644 (file)
@@ -790,6 +790,7 @@ int generator_write_cryptsetup_service_section(
                 "TimeoutSec=infinity\n"   /* The binary handles timeouts on its own */
                 "KeyringMode=shared\n"    /* Make sure we can share cached keys among instances */
                 "OOMScoreAdjust=500\n"    /* Unlocking can allocate a lot of memory if Argon2 is used */
+                "ImportCredential=cryptsetup.*\n"
                 "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                 "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                 name_escaped, what_escaped, strempty(key_file_escaped), strempty(options_escaped),
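Review bot: The new `"ImportCredential=cryptsetup.*\n"` line is the only entry in this unit-section block without a why-comment, while the neighbouring TimeoutSec=/KeyringMode=/OOMScoreAdjust= lines each carry one; suggest `"ImportCredential=cryptsetup.*\n" /* Passphrase and token PIN credentials, see systemd-cryptsetup(8) */`. The wildcard imports every credential with that prefix, not only the five the man page in this commit documents, so the comment should also say the glob is deliberate. This helper lives in src/shared/generator.c; if callers other than the gpt-auto root-volume path emit units through it, those units now import the same credentials, whereas the man page describes them only for systemd-cryptsetup@root.service — worth confirming that scope is intended. generator_write_cryptsetup_service_section begins and ends outside the hunk.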