You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
75 lines
2.9 KiB
75 lines
2.9 KiB
From d3615420322bf3c9666fe5580317ed0aec20fe62 Mon Sep 17 00:00:00 2001
|
|
From: Grigori Goronzy <greg@chown.ath.cx>
|
|
Date: Fri, 18 Feb 2022 21:13:41 +0100
|
|
Subject: [PATCH] cryptsetup: add manual TPM2 PIN configuration
|
|
|
|
Handle the case where TPM2 metadata is not available and explicitly
|
|
provided in crypttab. This adds a new "tpm2-pin" option to crypttab
|
|
options for this purpose.
|
|
|
|
(cherry picked from commit 4005d41ef0d007021deb0536800fc782ff670420)
|
|
|
|
Related: #2087652
|
|
---
|
|
man/crypttab.xml | 8 ++++++++
|
|
src/cryptsetup/cryptsetup.c | 13 ++++++++++++-
|
|
2 files changed, 20 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/man/crypttab.xml b/man/crypttab.xml
|
|
index ac5c6ef666..22411166a8 100644
|
|
--- a/man/crypttab.xml
|
|
+++ b/man/crypttab.xml
|
|
@@ -677,6 +677,14 @@
|
|
of the current PCR state.</para></listitem>
|
|
</varlistentry>
|
|
|
|
+ <varlistentry>
|
|
+ <term><option>tpm2-pin=</option></term>
|
|
+
|
|
+ <listitem><para>Takes a boolean argument, defaults to <literal>false</literal>. Controls whether
|
|
+ TPM2 volume unlocking is bound to a PIN in addition to PCRs. Similarly, this option is only useful
|
|
+ when TPM2 enrollment metadata is not available.</para></listitem>
|
|
+ </varlistentry>
|
|
+
|
|
<varlistentry>
|
|
<term><option>token-timeout=</option></term>
|
|
|
|
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
|
|
index ede0f7ed0b..fc1f37730f 100644
|
|
--- a/src/cryptsetup/cryptsetup.c
|
|
+++ b/src/cryptsetup/cryptsetup.c
|
|
@@ -82,6 +82,7 @@ static char *arg_fido2_rp_id = NULL;
|
|
static char *arg_tpm2_device = NULL;
|
|
static bool arg_tpm2_device_auto = false;
|
|
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
|
|
+static bool arg_tpm2_pin = false;
|
|
static bool arg_headless = false;
|
|
static usec_t arg_token_timeout_usec = 30*USEC_PER_SEC;
|
|
|
|
@@ -387,6 +388,16 @@ static int parse_one_option(const char *option) {
|
|
arg_tpm2_pcr_mask |= mask;
|
|
}
|
|
|
|
+ } else if ((val = startswith(option, "tpm2-pin="))) {
|
|
+
|
|
+ r = parse_boolean(val);
|
|
+ if (r < 0) {
|
|
+ log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ arg_tpm2_pin = r;
|
|
+
|
|
} else if ((val = startswith(option, "try-empty-password="))) {
|
|
|
|
r = parse_boolean(val);
|
|
@@ -1301,7 +1312,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
|
|
key_file, arg_keyfile_size, arg_keyfile_offset,
|
|
key_data, key_data_size,
|
|
NULL, 0, /* we don't know the policy hash */
|
|
- 0, /* PIN is currently unhandled in this case */
|
|
+ arg_tpm2_pin,
|
|
until,
|
|
arg_headless,
|
|
arg_ask_password_flags,
|