From: Lennart Poettering
Date: Mon, 19 Feb 2024 17:06:34 +0000 (+0100)
Subject: cryptenroll,cryptsetup: clean up unlock credential for TPM2 + FIDO2
X-Git-Tag: v256-rc1~797^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3a635841aaf5a6d3f5985dfd2082f7a22ca74d1;p=thirdparty%2Fsystemd.git

cryptenroll,cryptsetup: clean up unlock credential for TPM2 + FIDO2

Let's make sure that when cryptenroll asks for the TPM2 or FIDO2 token PIN it uses cryptenroll.* credential namespace, and cryptsetup uses cryptsetup.*.
---
diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c
index 7e35dca9c50..194771d54eb 100644
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@@ -34,9 +34,10 @@ int load_volume_key_fido2(
 device,
 /* until= */ 0,
 /* headless= */ false,
+ "cryptenroll.fido2-pin",
+ ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED,
 &decrypted_key,
- &decrypted_key_size,
- ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED);
+ &decrypted_key_size);
 if (r == -EAGAIN)
 return log_error_errno(r, "FIDO2 token does not exist, or UV is blocked. Please try again.");
 if (r < 0)
diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c
index d7497c756b4..5359c9f8d56 100644
--- a/src/cryptenroll/cryptenroll-tpm2.c
+++ b/src/cryptenroll/cryptenroll-tpm2.c
@@ -211,7 +211,8 @@ int load_volume_key_tpm2(
 tpm2_flags,
 /* until= */ 0,
 /* headless= */ false,
- /* ask_password_flags= */ 0,
+ "cryptenroll.tpm2-pin",
+ /* askpw_flags= */ 0,
 &decrypted_key);
 if (IN_SET(r, -EACCES, -ENOLCK))
 return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed");
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 06fc32ea270..e96686cff32 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
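Review bot: The `ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED` argument added in the cryptenroll-fido2.c hunk is redundant: acquire_fido2_key() ORs exactly those two bits into `askpw_flags` itself (hunk `@@ -42,7 +43,7 @@` of src/shared/cryptsetup-fido2.c), and acquire_fido2_key_auto(), which this call appears to target given its argument list, only forwards the flags. Passing `/* askpw_flags= */ 0,` would match the sibling call in cryptenroll-tpm2.c and keep the argument annotation consistent across both enroll paths; if the explicit flags are kept deliberately, a short comment saying the callee adds them anyway would save the next reader the lookup. load_volume_key_fido2() starts and ends outside the hunk.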
@@ -1415,8 +1415,10 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
 until,
 arg_headless,
 required,
- &decrypted_key, &decrypted_key_size,
- arg_ask_password_flags);
+ "cryptsetup.fido2-pin",
+ arg_ask_password_flags,
+ &decrypted_key,
+ &decrypted_key_size);
 else
 r = acquire_fido2_key_auto(
 cd,
@@ -1425,8 +1427,10 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
 arg_fido2_device,
 until,
 arg_headless,
- &decrypted_key, &decrypted_key_size,
- arg_ask_password_flags);
+ "cryptsetup.fido2-pin",
+ arg_ask_password_flags,
+ &decrypted_key,
+ &decrypted_key_size);
 if (r >= 0)
 break;
 }
@@ -1774,6 +1778,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 arg_tpm2_pin ? TPM2_FLAGS_USE_PIN : 0,
 until,
 arg_headless,
+ "cryptsetup.tpm2-pin",
 arg_ask_password_flags,
 &decrypted_key);
 if (r >= 0)
@@ -1872,6 +1877,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 tpm2_flags,
 until,
 arg_headless,
+ "cryptsetup.tpm2-pin",
 arg_ask_password_flags,
 &decrypted_key);
 if (IN_SET(r, -EACCES, -ENOLCK))
diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c
index 9771726da4c..d22c1059e6b 100644
--- a/src/shared/cryptsetup-fido2.c
+++ b/src/shared/cryptsetup-fido2.c
@@ -26,9 +26,10 @@ int acquire_fido2_key(
 usec_t until,
 bool headless,
 Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {

 _cleanup_(erase_and_freep) char *envpw = NULL;
 _cleanup_strv_free_erase_ char **pins = NULL;
@@ -42,7 +43,7 @@ int acquire_fido2_key(
 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
 "Local verification is required to unlock this volume, but the 'headless' parameter was set.");

- ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;

 assert(cid);
 assert(key_file || key_data);
@@ -126,11 +127,11 @@ int acquire_fido2_key(
 };

 pins = strv_free_erase(pins);
- r = ask_password_auto(&req, until, ask_password_flags, &pins);
+ r = ask_password_auto(&req, until, askpw_flags, &pins);
 if (r < 0)
 return log_error_errno(r, "Failed to ask for user password: %m");

- ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
 }
 }

@@ -141,9 +142,10 @@ int acquire_fido2_key_auto(
 const char *fido2_device,
 usec_t until,
 bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {

 _cleanup_free_ void *cid = NULL;
 size_t cid_size = 0;
@@ -263,8 +265,10 @@ int acquire_fido2_key_auto(
 until,
 headless,
 required,
- ret_decrypted_key, ret_decrypted_key_size,
- ask_password_flags);
+ "cryptsetup.fido2-pin",
+ askpw_flags,
+ ret_decrypted_key,
+ ret_decrypted_key_size);
 if (ret == 0)
 break;
 }
diff --git a/src/shared/cryptsetup-fido2.h b/src/shared/cryptsetup-fido2.h
index d96bb403ff7..d99ad05725a 100644
--- a/src/shared/cryptsetup-fido2.h
+++ b/src/shared/cryptsetup-fido2.h
@@ -25,9 +25,10 @@ int acquire_fido2_key(
 usec_t until,
 bool headless,
 Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags);
+ size_t *ret_decrypted_key_size);

 int acquire_fido2_key_auto(
 struct crypt_device *cd,
@@ -36,9 +37,10 @@ int acquire_fido2_key_auto(
 const char *fido2_device,
 usec_t until,
 bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags);
+ size_t *ret_decrypted_key_size);

 #else

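Review bot: In the `@@ -263,8 +265,10 @@` hunk acquire_fido2_key_auto() hands the literal `"cryptsetup.fido2-pin"` to acquire_fido2_key() instead of its own newly added `askpw_credential` parameter, so the `"cryptenroll.fido2-pin"` that cryptenroll passes in is silently dropped and the FIDO2 enroll path keeps using the cryptsetup.* namespace, contrary to the commit message. That line should read `askpw_credential,`. Relatedly, the `@@ -126,11 +127,11 @@` hunk opens on the `};` closing the AskPasswordRequest initializer and shows no `.credential = askpw_credential` change like the one get_pin() receives in cryptsetup-tpm2.c; unless the initializer outside this hunk already reads the parameter, `askpw_credential` is unused inside acquire_fido2_key() and the PIN is still looked up under a fixed credential name. Both enclosing functions extend beyond their hunks.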
@@ -57,9 +59,10 @@ static inline int acquire_fido2_key(
 usec_t until,
 bool headless,
 Fido2EnrollFlags required,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {

 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
 "FIDO2 token support not available.");
@@ -72,9 +75,10 @@ static inline int acquire_fido2_key_auto(
 const char *fido2_device,
 usec_t until,
 bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 void **ret_decrypted_key,
- size_t *ret_decrypted_key_size,
- AskPasswordFlags ask_password_flags) {
+ size_t *ret_decrypted_key_size) {

 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
 "FIDO2 token support not available.");
diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c
index d120e4e1fb8..85bc42aef00 100644
--- a/src/shared/cryptsetup-tpm2.c
+++ b/src/shared/cryptsetup-tpm2.c
@@ -12,7 +12,12 @@
 #include "sha256.h"
 #include "tpm2-util.h"

-static int get_pin(usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_pin_str) {
+static int get_pin(
+ usec_t until,
+ bool headless,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
+ char **ret_pin_str) {
 _cleanup_(erase_and_freep) char *pin_str = NULL;
 _cleanup_strv_free_erase_ char **pin = NULL;
 int r;
@@ -29,18 +34,18 @@ static int get_pin(usec_t until, AskPasswordFlags ask_password_flags, bool headl
 "PIN querying disabled via 'headless' option. "
 "Use the '$PIN' environment variable.");

- static const AskPasswordRequest req = {
+ AskPasswordRequest req = {
 .message = "Please enter TPM2 PIN:",
 .icon = "drive-harddisk",
 .keyring = "tpm2-pin",
- .credential = "cryptsetup.tpm2-pin",
+ .credential = askpw_credential,
 };

 pin = strv_free_erase(pin);
 r = ask_password_auto(
 &req,
 until,
- ask_password_flags,
+ askpw_flags,
 &pin);
 if (r < 0)
 return log_error_errno(r, "Failed to ask for user pin: %m");
@@ -77,7 +82,8 @@ int acquire_tpm2_key(
 TPM2Flags flags,
 usec_t until,
 bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 struct iovec *ret_decrypted_key) {

 _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
@@ -173,7 +179,7 @@ int acquire_tpm2_key(
 if (i <= 0)
 return -EACCES;

- r = get_pin(until, ask_password_flags, headless, &pin_str);
+ r = get_pin(until, headless, askpw_credential, askpw_flags, &pin_str);
 if (r < 0)
 return r;

diff --git a/src/shared/cryptsetup-tpm2.h b/src/shared/cryptsetup-tpm2.h
index 0eaf9280ef4..5809655c151 100644
--- a/src/shared/cryptsetup-tpm2.h
+++ b/src/shared/cryptsetup-tpm2.h
@@ -32,7 +32,8 @@ int acquire_tpm2_key(
 TPM2Flags flags,
 usec_t until,
 bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 struct iovec *ret_decrypted_key);

 int find_tpm2_auto_data(
@@ -76,7 +77,8 @@ static inline int acquire_tpm2_key(
 TPM2Flags flags,
 usec_t until,
 bool headless,
- AskPasswordFlags ask_password_flags,
+ const char *askpw_credential,
+ AskPasswordFlags askpw_flags,
 struct iovec *ret_decrypted_key) {

 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
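Review bot: `req` in get_pin() is demoted from `static const` to a plain mutable automatic object, although nothing in the hunk writes to it after the initializer; `const AskPasswordRequest req = {` keeps the compiler-enforced read-only property while still permitting the runtime `.credential = askpw_credential` (assuming ask_password_auto() accepts a `const AskPasswordRequest *`, which this hunk does not show). The new parameter also deserves a one-line comment at its declaration in the `@@ -32,7 +32,8 @@` hunk of cryptsetup-tpm2.h, e.g. `/* askpw_credential: credential name handed to AskPasswordRequest.credential, e.g. "cryptsetup.tpm2-pin" */`, since the caller-chosen namespace is the whole point of the change and nothing here says whether NULL is acceptable. The body of get_pin() continues outside the hunk.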