From d3615420322bf3c9666fe5580317ed0aec20fe62 Mon Sep 17 00:00:00 2001
From: Grigori Goronzy <greg@chown.ath.cx>
Date: Fri, 18 Feb 2022 21:13:41 +0100
Subject: [PATCH] cryptsetup: add manual TPM2 PIN configuration

Handle the case where TPM2 metadata is not available and explicitly
provided in crypttab. This adds a new "tpm2-pin" option to crypttab
options for this purpose.

(cherry picked from commit 4005d41ef0d007021deb0536800fc782ff670420)

Related: #2087652
---
 man/crypttab.xml            |  8 ++++++++
 src/cryptsetup/cryptsetup.c | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/man/crypttab.xml b/man/crypttab.xml
index ac5c6ef666..22411166a8 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -677,6 +677,14 @@
         of the current PCR state.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>tpm2-pin=</option></term>
+
+        <listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether
+        TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful
+        when TPM2 enrollment metadata is not available.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>token-timeout=</option></term>
 
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ede0f7ed0b..fc1f37730f 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -82,6 +82,7 @@ static char *arg_fido2_rp_id = NULL;
 static char *arg_tpm2_device = NULL;
 static bool arg_tpm2_device_auto = false;
 static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static bool arg_tpm2_pin = false;
 static bool arg_headless = false;
 static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;
 
@@ -387,6 +388,16 @@ static int parse_one_option(const char *option) {
                                 arg_tpm2_pcr_mask |= mask;
                 }
 
+        } else if ((val = startswith(option, "tpm2-pin="))) {
+
+                r = parse_boolean(val);
+                if (r < 0) {
+                        log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
+                        return 0;
+                }
+
+                arg_tpm2_pin = r;
+
         } else if ((val = startswith(option, "try-empty-password="))) {
 
                 r = parse_boolean(val);
@@ -1301,7 +1312,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
                                         key_file, arg_keyfile_size, arg_keyfile_offset,
                                         key_data, key_data_size,
                                         NULL, 0, /* we don't know the policy hash */
-                                        0, /* PIN is currently unhandled in this case */
+                                        arg_tpm2_pin,
                                         until,
                                         arg_headless,
                                         arg_ask_password_flags,