From: Ludwig Nussel
Date: Wed, 28 Feb 2024 13:46:05 +0000 (+0100)
Subject: cryptenroll: use root device by default
X-Git-Tag: v256-rc1~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1df4b21abdb9e562805a7b006d179507182f845e;p=thirdparty%2Fsystemd.git
cryptenroll: use root device by default
---
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index a3a2c610eeb..9287d835de8 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -61,6 +61,9 @@ The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token area, which is not available in other encryption formats. + systemd-cryptsetup operates on the device backing / if no + device is specified explicitly and no wipe operation is requested + TPM2 PCRs and policies
@@ -228,7 +231,7 @@ token, or a TPM2 key is always enrolled. Also note that support for enrolling multiple FIDO2 tokens is currently limited. When multiple FIDO2 - tokens are enrolled, systemd-cryptseup will perform pre-flight requests to attempt to + tokens are enrolled, systemd-cryptsetup will perform pre-flight requests to attempt to identify which of the enrolled tokens are currently plugged in. However, this is not possible for FIDO2 tokens with user verification (UV, usually via biometrics), in which case it will fall back to attempting each enrolled token one by one. This will result in multiple prompts for PIN and user verification. This
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 5b9fc15dd83..e30cba9fd44 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -5,6 +5,7 @@
 #include "ask-password-api.h"
 #include "build.h"
+#include "blockdev-util.h"
 #include "cryptenroll-fido2.h"
 #include "cryptenroll-list.h"
 #include "cryptenroll-password.h"
@@ -14,6 +15,7 @@
 #include "cryptenroll-wipe.h"
 #include "cryptenroll.h"
 #include "cryptsetup-util.h"
+#include "devnum-util.h"
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
@@ -534,17 +536,32 @@ static int parse_argv(int argc, char *argv[]) {
 }
 }
- if (optind >= argc)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "No block device node specified, refusing.");
-
 if (argc > optind+1)
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 "Too many arguments, refusing.");
- r = parse_path_argument(argv[optind], false, &arg_node);
- if (r < 0)
- return r;
+ if (optind < argc) {
+ r = parse_path_argument(argv[optind], false, &arg_node);
+ if (r < 0)
+ return r;
+ } else if (!wipe_requested()) {
+ dev_t devno;
+
+ r = blockdev_get_root(LOG_ERR, &devno);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
+ "Root file system not backed by a (single) whole block device.");
+
+ r = device_path_make_canonical(S_IFBLK, devno, &arg_node);
+ if (r < 0)
+ return log_error_errno(r,
+ "Failed to format canonical device path for devno '" DEVNUM_FORMAT_STR "': %m",
+ DEVNUM_FORMAT_VAL(devno));
+ } else
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "No block device node specified, refusing.");
 if (arg_enroll_type == ENROLL_FIDO2) {
@@ -671,7 +688,7 @@ static int prepare_luks(
 r = crypt_load(cd, CRYPT_LUKS2, NULL);
 if (r < 0)
- return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
+ return log_error_errno(r, "Failed to load LUKS2 superblock of %s: %m", arg_node);
 r = check_for_homed(cd);
 if (r < 0)
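Review bot: The device picked by the new `else if (!wipe_requested())` branch in parse_argv is never reported on success: once `device_path_make_canonical` has filled `arg_node`, the only place the resolved path surfaces is the changed failure message in prepare_luks, so an invocation that omitted the device argument enrolls a new unlock method into the root volume without saying which node it resolved to. A single line after the canonical-path call, `log_info("No device specified, using root block device %s.", arg_node);`, would make the implicit choice visible to the operator and in the journal, which is cheap insurance for an operation that modifies the LUKS2 header. The `r == 0` branch is handled, but its ENXIO message could also tell the user what to do instead, e.g. end it with `Please specify the device explicitly.` (wording only). parse_argv starts and ends outside the hunk, so I could not confirm that the `arg_node` allocated here is released on the same path as the one set by `parse_path_argument`; presumably a static destructor covers both, but it is worth a glance.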