author | Ondrej Kozina <okozina@redhat.com> | 2023-11-10 11:59:07 +0100 |
committer | Ondrej Kozina <okozina@redhat.com> | 2023-11-16 17:49:09 +0100 |
commit | 836e5e453903b88c04e8b98b573e761bcf75b09c (patch) | |
tree | 8159fe7d77e32461fa7e3237679611848c6a5823 | |
parent | 0328d61f29ba9559949af2905be75bbd61f18c7d (diff) | |
download | cryptsetup-836e5e453903b88c04e8b98b573e761bcf75b09c.tar.gz |
Add --external-tokens-path parameter in cryptsetup.
-rw-r--r-- | man/common_options.adoc | 6 | ||||
-rw-r--r-- | man/cryptsetup-luksAddKey.8.adoc | 2 | ||||
-rw-r--r-- | man/cryptsetup-luksDump.8.adoc | 2 | ||||
-rw-r--r-- | man/cryptsetup-luksResume.8.adoc | 3 | ||||
-rw-r--r-- | man/cryptsetup-open.8.adoc | 3 | ||||
-rw-r--r-- | man/cryptsetup-resize.8.adoc | 2 | ||||
-rw-r--r-- | man/cryptsetup-token.8.adoc | 2 | ||||
-rw-r--r-- | src/cryptsetup.c | 64 | ||||
-rw-r--r-- | src/cryptsetup_arg_list.h | 2 | ||||
-rw-r--r-- | src/cryptsetup_args.h | 1 | ||||
-rw-r--r-- | src/utils_arg_names.h | 1 |
11 files changed, 82 insertions, 6 deletions
diff --git a/man/common_options.adoc b/man/common_options.adoc
index 25a8dd6c..bc6fb57f 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -1234,6 +1234,12 @@ Enlarge data offset to specified value by shrinking device size.
 You cannot shrink device more than by 64 MiB (131072 sectors).
 endif::[]
+ifdef::ACTION_RESIZE,ACTION_OPEN,ACTION_LUKSADDKEY,ACTION_LUKSDUMP,ACTION_LUKSRESUME,ACTION_TOKEN[]
+*--external-tokens-path* _absolute_path_::
+Override system directory path where cryptsetup searches for external token
+handlers (or token plugins). It must be absolute path (starting with '/' character).
+endif::[]
+
 ifdef::COMMON_OPTIONS[]
 *--batch-mode, -q*::
 Suppresses all confirmation questions. Use with care!
diff --git a/man/cryptsetup-luksAddKey.8.adoc b/man/cryptsetup-luksAddKey.8.adoc
index 82884922..306ef643 100644
--- a/man/cryptsetup-luksAddKey.8.adoc
+++ b/man/cryptsetup-luksAddKey.8.adoc
@@ -38,7 +38,7 @@ algorithm is always the same for all keyslots.
 --hash, --header, --disable-locks, --iter-time, --pbkdf, --pbkdf-force-iterations, --pbkdf-memory, --pbkdf-parallel, --unbound, --type, --keyslot-cipher, --keyslot-key-size, --key-size, --timeout, --token-id,
---token-type, --token-only, --new-token-id, --verify-passphrase].
+--token-type, --token-only, --new-token-id, --verify-passphrase, --external-tokens-path].
 include::man/common_options.adoc[]
diff --git a/man/cryptsetup-luksDump.8.adoc b/man/cryptsetup-luksDump.8.adoc
index f9f3910e..b1b3907b 100644
--- a/man/cryptsetup-luksDump.8.adoc
+++ b/man/cryptsetup-luksDump.8.adoc
@@ -40,7 +40,7 @@ use --dump-json-metadata option.
 *<options>* can be [--dump-volume-key, --dump-json-metadata, --key-file, --keyfile-offset, --keyfile-size, --header, --disable-locks,
---volume-key-file, --type, --unbound, --key-slot, --timeout].
+--volume-key-file, --type, --unbound, --key-slot, --timeout, --external-tokens-path].
 *WARNING:* If --dump-volume-key is used with --key-file and the argument to --key-file is '-', no validation question will be asked and no
diff --git a/man/cryptsetup-luksResume.8.adoc b/man/cryptsetup-luksResume.8.adoc
index 98285dba..ba9f690e 100644
--- a/man/cryptsetup-luksResume.8.adoc
+++ b/man/cryptsetup-luksResume.8.adoc
@@ -23,7 +23,8 @@ interactively for a passphrase if no token is usable (LUKS2 only) or
 *<options>* can be [--key-file, --keyfile-size, --keyfile-offset, --key-slot, --header, --disable-keyring, --disable-locks, --token-id, --token-only, --token-type, --disable-external-tokens, --type, --tries,
---timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring].
+--timeout, --verify-passphrase, --volume-key-keyring, --link-vk-to-keyring,
+--external-tokens-path].
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-open.8.adoc b/man/cryptsetup-open.8.adoc
index b3e6741b..73a5dc56 100644
--- a/man/cryptsetup-open.8.adoc
+++ b/man/cryptsetup-open.8.adoc
@@ -78,7 +78,8 @@ matching PIN protected token.
 --volume-key-file, --token-id, --token-only, --token-type, --disable-external-tokens, --disable-keyring, --disable-locks, --type, --refresh, --serialize-memory-hard-pbkdf, --unbound, --tries, --timeout,
---verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring].
+--verify-passphrase, --persistent, --volume-key-keyring, --link-vk-to-keyring,
+--external-tokens-path].
 === loopAES
 *open --type loopaes <device> <name> --key-file <keyfile>* +
diff --git a/man/cryptsetup-resize.8.adoc b/man/cryptsetup-resize.8.adoc
index 4cff4826..b9a55022 100644
--- a/man/cryptsetup-resize.8.adoc
+++ b/man/cryptsetup-resize.8.adoc
@@ -36,7 +36,7 @@ keyring is used by default for LUKS2 devices.
 *<options>* can be [--size, --device-size, --token-id, --token-only, --token-type, --key-slot, --key-file, --keyfile-size, --keyfile-offset, --timeout, --disable-external-tokens, --disable-locks, --disable-keyring,
---verify-passphrase, --timeout].
+--verify-passphrase, --timeout, --external-tokens-path].
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc
index 7a3a0694..5fa6af8b 100644
--- a/man/cryptsetup-token.8.adoc
+++ b/man/cryptsetup-token.8.adoc
@@ -49,7 +49,7 @@ replace the existing token.
 *<options>* can be [--header, --token-id, --key-slot, --key-description, --disable-external-tokens, --disable-locks, --disable-keyring,
---json-file, --token-replace, --unbound].
+--json-file, --token-replace, --unbound, --external-tokens-path].
 include::man/common_options.adoc[]
 include::man/common_footer.adoc[]
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 44003eba..3624c569 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -878,6 +878,15 @@ static int action_resize(void)
 else if (ARG_SET(OPT_SIZE_ID))
 dev_size = ARG_UINT64(OPT_SIZE_ID);
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+ + if (cad.flags & CRYPT_ACTIVATE_KEYRING_KEY) {
 if (ARG_SET(OPT_DISABLE_KEYRING_ID)) {
 r = -EINVAL;
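Review bot: The nine-line `if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) { ... }` block added here in action_resize() is repeated verbatim in the hunks for action_open_luks(), luksAddUnboundKey(), action_luksAddKey(), action_luksDump(), action_luksResume() and action_token(), differing only in the cleanup step; a static helper that performs the call and logs the failure would leave each caller with a two-line check and keep the error message in one place. The man page text in this commit requires an absolute path, but nothing in these hunks checks that; if crypt_token_set_external_path() does not reject a relative path itself, a short `if (*path != '/') return -EINVAL;` in the helper would keep plugin lookup independent of the working directory. action_resize() starts and ends outside the hunk.
```c
/* Apply --external-tokens-path before any token handler is looked up;
 * returns 0 when the option is unset or the path was accepted, <0 on error. */
static int set_external_tokens_path(void)
{
	int r;

	if (!ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID))
		return 0;

	r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
	if (r < 0)
		log_err(_("Failed to set external tokens path %s."),
			ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));

	return r;
}

/* … unchanged: action_resize() up to the dev_size assignment … */
	r = set_external_tokens_path();
	if (r < 0)
		goto out;
/* … unchanged: keyring flag check … */
```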
@@ -1809,6 +1818,15 @@ static int action_open_luks(void)
 set_activation_flags(&activate_flags);
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+ + if (ARG_SET(OPT_LINK_VK_TO_KEYRING_ID)) {
 r = parse_vk_and_keyring_description(cd, ARG_STR(OPT_LINK_VK_TO_KEYRING_ID));
 if (r < 0)
@@ -2056,6 +2074,15 @@ static int luksAddUnboundKey(void)
 goto out;
 }
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
 r = _set_keyslot_encryption_params(cd);
 if (r < 0)
 goto out;
@@ -2201,6 +2228,15 @@ static int action_luksAddKey(void)
 if (r < 0)
 goto out;
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
 /* Never call pwquality if using null cipher */
 if (crypt_is_cipher_null(crypt_get_cipher(cd)))
 ARG_SET_TRUE(OPT_FORCE_PASSWORD_ID);
@@ -2639,6 +2675,15 @@ static int action_luksDump(void)
 goto out;
 }
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
 if (ARG_SET(OPT_DUMP_VOLUME_KEY_ID))
 r = luksDump_with_volume_key(cd);
 else if (ARG_SET(OPT_UNBOUND_ID))
@@ -2712,6 +2757,15 @@ static int action_luksResume(void)
 goto out;
 }
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ goto out;
+ }
+ }
+
 /* try to resume LUKS2 device by token first */
 r = _try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID), ARG_INT32(OPT_TOKEN_ID_ID), action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
@@ -3230,6 +3284,16 @@ static int action_token(void)
 return r;
 }
+ if (ARG_SET(OPT_EXTERNAL_TOKENS_PATH_ID)) {
+ r = crypt_token_set_external_path(ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ if (r < 0) {
+ log_err(_("Failed to set external tokens path %s."),
+ ARG_STR(OPT_EXTERNAL_TOKENS_PATH_ID));
+ crypt_free(cd);
+ return r;
+ }
+ }
+
 r = -EINVAL;
 if (!strcmp(action_argv[0], "add")) {
diff --git a/src/cryptsetup_arg_list.h b/src/cryptsetup_arg_list.h
index 00a7563a..b5e44d8b 100644
--- a/src/cryptsetup_arg_list.h
+++ b/src/cryptsetup_arg_list.h
@@ -59,6 +59,8 @@ ARG(OPT_DUMP_VOLUME_KEY, '\0', POPT_ARG_NONE, N_("Dump volume key instead of key
 ARG(OPT_ENCRYPT, '\0', POPT_ARG_NONE, N_("Encrypt LUKS2 device (in-place encryption)"), NULL, CRYPT_ARG_BOOL, {}, {})
+ARG(OPT_EXTERNAL_TOKENS_PATH, '\0', POPT_ARG_STRING, N_("Path to directory with external token handlers (plugins)."), NULL, CRYPT_ARG_STRING, {}, OPT_EXTERNAL_TOKENS_PATH_ACTIONS)
+
 ARG(OPT_FORCE_PASSWORD, '\0', POPT_ARG_NONE, N_("Disable password quality check (if enabled)"), NULL, CRYPT_ARG_BOOL, {}, {})
 ARG(OPT_FORCE_OFFLINE_REENCRYPT, '\0', POPT_ARG_NONE, N_("Force offline LUKS2 reencryption and bypass active device detection"), NULL, CRYPT_ARG_BOOL, {}, OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS)
diff --git a/src/cryptsetup_args.h b/src/cryptsetup_args.h
index 7aaa025d..d9b8edd5 100644
--- a/src/cryptsetup_args.h
+++ b/src/cryptsetup_args.h
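Review bot: The help string for the new OPT_EXTERNAL_TOKENS_PATH entry in cryptsetup_arg_list.h ends with a period, while the neighbouring entries in the same hunk (`Encrypt LUKS2 device (in-place encryption)`, `Disable password quality check (if enabled)`) do not, so the `--help` listing will look inconsistent. Suggest `N_("Path to directory with external token handlers (plugins)")`. The ARG() list continues outside the hunk.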
@@ -61,6 +61,7 @@
 #define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_ERASE_ACTIONS { ERASE_ACTION }
+#define OPT_EXTERNAL_TOKENS_PATH_ACTIONS { RESIZE_ACTION, OPEN_ACTION, ADDKEY_ACTION, LUKSDUMP_ACTION, RESUME_ACTION, TOKEN_ACTION }
 #define OPT_FORCE_OFFLINE_REENCRYPT_ACTIONS { REENCRYPT_ACTION }
 #define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
 #define OPT_HW_OPAL_ACTIONS { FORMAT_ACTION }
diff --git a/src/utils_arg_names.h b/src/utils_arg_names.h
index bbac47ee..56d8affd 100644
--- a/src/utils_arg_names.h
+++ b/src/utils_arg_names.h
@@ -50,6 +50,7 @@
 #define OPT_DUMP_MASTER_KEY "dump-master-key"
 #define OPT_DUMP_VOLUME_KEY "dump-volume-key"
 #define OPT_ENCRYPT "encrypt"
+#define OPT_EXTERNAL_TOKENS_PATH "external-tokens-path"
 #define OPT_FEC_DEVICE "fec-device"
 #define OPT_FEC_OFFSET "fec-offset"
 #define OPT_FEC_ROOTS "fec-roots"