From: Lennart Poettering
Date: Wed, 24 Jun 2026 09:23:19 +0000 (+0200)
Subject: cryptenroll: add an "unlock_password" field to ExecContext
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd3fb3a85ca3792201c4b85a90a7c2f7e632865e;p=thirdparty%2Fsystemd.git

cryptenroll: add an "unlock_password" field to ExecContext

This is preparation for the Varlinkification, as then we want to pass the password in via IPC instead of prompting the user. Note that this only adds the field, and applies it, but never actually sets it. That's for the varlinkification later.
---

diff --git a/src/cryptenroll/cryptenroll-password.c b/src/cryptenroll/cryptenroll-password.c
index 6e78d6ab2fe..0d3da9f2e74 100644
--- a/src/cryptenroll/cryptenroll-password.c
+++ b/src/cryptenroll/cryptenroll-password.c
@@ -26,6 +26,20 @@ int load_volume_key_password(
 assert_se(cd);
 assert_se(ret_vk);
 
+ if (c->unlock_password) {
+ r = sym_crypt_volume_key_get(
+ cd,
+ CRYPT_ANY_SLOT,
+ ret_vk->iov_base,
+ &ret_vk->iov_len,
+ c->unlock_password,
+ strlen(c->unlock_password));
+ if (r < 0)
+ return log_error_errno(r, "Provided unlock password did not work: %m");
+
+ return r;
+ }
+
 r = getenv_steal_erase("PASSWORD", &envpw);
 if (r < 0)
 return log_error_errno(r, "Failed to acquire password from environment: %m");
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 0099c3c4a5c..c9f17c761fc 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -121,6 +121,7 @@ void enroll_context_done(EnrollContext *c) {
 c->unlock_keyfile = mfree(c->unlock_keyfile);
 c->unlock_fido2_device = mfree(c->unlock_fido2_device);
 c->unlock_tpm2_device = mfree(c->unlock_tpm2_device);
+ c->unlock_password = erase_and_free(c->unlock_password);
 c->passphrase = erase_and_free(c->passphrase);
 c->fido2_device = mfree(c->fido2_device);
 c->fido2_salt_file = mfree(c->fido2_salt_file);
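Review bot: The new branch dereferences `c` via `c->unlock_password` while the asserts visible at the top of the hunk only cover `cd` and `ret_vk`; unless `c` is already asserted earlier in load_volume_key_password, whose opening lies outside the hunk, add `assert_se(c);` beside them. On success the branch returns the raw result of sym_crypt_volume_key_get(), which libcryptsetup documents as the unlocked keyslot number rather than 0; that is presumably what the existing $PASSWORD path returns too, but the rest of the function is outside the hunk, so worth confirming callers only test for `< 0`. The call also relies on the caller having set `ret_vk->iov_len` to the capacity of `ret_vk->iov_base` before entry, which nothing in the hunk checks or states; a one-line comment above the call, `/* ret_vk->iov_base must be preallocated, with iov_len holding its capacity */`, would make that contract explicit for the new IPC path.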
diff --git a/src/cryptenroll/cryptenroll.h b/src/cryptenroll/cryptenroll.h
index 3e598487042..b675023ee38 100644
--- a/src/cryptenroll/cryptenroll.h
+++ b/src/cryptenroll/cryptenroll.h
@@ -48,6 +48,7 @@ typedef struct EnrollContext {
 char *unlock_keyfile;
 char *unlock_fido2_device;
 char *unlock_tpm2_device;
+ char *unlock_password; /* used by Varlink; NULL on CLI path */
 /* New password to enroll (mechanism == password). When NULL the helpers fall back to
 * $NEWPASSWORD / askpw. */
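Review bot: The trailing comment on `char *unlock_password;` says "used by Varlink" although, per the commit message, nothing sets the field yet, and it does not record that the field holds a secret that must be released with erase_and_free() rather than the mfree() used for the three unlock_* fields above it. Suggest a comment in the style of the block that follows: `/* Unlock password handed in directly (intended for the Varlink path; currently never set). Secret: release with erase_and_free(). NULL on the CLI path, where $PASSWORD / askpw are used instead. */`. Note also that the commit subject names ExecContext while the struct being changed here is EnrollContext.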