You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74 lines
2.9 KiB
74 lines
2.9 KiB
From d3615420322bf3c9666fe5580317ed0aec20fe62 Mon Sep 17 00:00:00 2001 |
|
From: Grigori Goronzy <greg@chown.ath.cx> |
|
Date: Fri, 18 Feb 2022 21:13:41 +0100 |
|
Subject: [PATCH] cryptsetup: add manual TPM2 PIN configuration |
|
|
|
Handle the case where TPM2 metadata is not available and explicitly |
|
provided in crypttab. This adds a new "tpm2-pin" option to crypttab |
|
options for this purpose. |
|
|
|
(cherry picked from commit 4005d41ef0d007021deb0536800fc782ff670420) |
|
|
|
Related: #2087652 |
|
--- |
|
man/crypttab.xml | 8 ++++++++ |
|
src/cryptsetup/cryptsetup.c | 13 ++++++++++++- |
|
2 files changed, 20 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/man/crypttab.xml b/man/crypttab.xml |
|
index ac5c6ef666..22411166a8 100644 |
|
--- a/man/crypttab.xml |
|
+++ b/man/crypttab.xml |
|
@@ -677,6 +677,14 @@ |
|
of the current PCR state.</para></listitem> |
|
</varlistentry> |
|
|
|
+ <varlistentry> |
|
+ <term><option>tpm2-pin=</option></term> |
|
+ |
|
+ <listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether |
|
+ TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful |
|
+ when TPM2 enrollment metadata is not available.</para></listitem> |
|
+ </varlistentry> |
|
+ |
|
<varlistentry> |
|
<term><option>token-timeout=</option></term> |
|
|
|
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c |
|
index ede0f7ed0b..fc1f37730f 100644 |
|
--- a/src/cryptsetup/cryptsetup.c |
|
+++ b/src/cryptsetup/cryptsetup.c |
|
@@ -82,6 +82,7 @@ static char *arg_fido2_rp_id = NULL; |
|
static char *arg_tpm2_device = NULL; |
|
static bool arg_tpm2_device_auto = false; |
|
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX; |
|
+static bool arg_tpm2_pin = false; |
|
static bool arg_headless = false; |
|
static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC; |
|
|
|
@@ -387,6 +388,16 @@ static int parse_one_option(const char *option) { |
|
arg_tpm2_pcr_mask |= mask; |
|
} |
|
|
|
+ } else if ((val = startswith(option, "tpm2-pin="))) { |
|
+ |
|
+ r = parse_boolean(val); |
|
+ if (r < 0) { |
|
+ log_error_errno(r, "Failed to parse %s, ignoring: %m", option); |
|
+ return 0; |
|
+ } |
|
+ |
|
+ arg_tpm2_pin = r; |
|
+ |
|
} else if ((val = startswith(option, "try-empty-password="))) { |
|
|
|
r = parse_boolean(val); |
|
@@ -1301,7 +1312,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2( |
|
key_file, arg_keyfile_size, arg_keyfile_offset, |
|
key_data, key_data_size, |
|
NULL, 0, /* we don't know the policy hash */ |
|
- 0, /* PIN is currently unhandled in this case */ |
|
+ arg_tpm2_pin, |
|
until, |
|
arg_headless, |
|
arg_ask_password_flags,
|
|
|