summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuca Boccassi <luca.boccassi@microsoft.com>2021-04-09 20:43:10 +0100
committerLuca Boccassi <bluca@debian.org>2021-05-07 21:36:27 +0100
commitcd5f57bda71dc9485d7eddf6cfcbfba843f5126c (patch)
tree8fdfbc64975b71d08f36fb8b3c33679013545739
parent0cd70d43a36d94b578004dfbf176007de3fd1f8a (diff)
downloadsystemd-cd5f57bda71dc9485d7eddf6cfcbfba843f5126c.tar.gz
cryptsetup: add 'headless' parameter to skip password/pin query
On headless setups, in case other methods fail, asking for a password/pin is not useful as there are no users on the terminal, and generates unwanted noise. Add a parameter to /etc/crypttab to skip it.
Diffstat
-rw-r--r--man/crypttab.xml7
-rw-r--r--man/systemd-cryptsetup@.service.xml3
-rw-r--r--src/cryptsetup/cryptsetup-fido2.c4
-rw-r--r--src/cryptsetup/cryptsetup-fido2.h2
-rw-r--r--src/cryptsetup/cryptsetup-pkcs11.c4
-rw-r--r--src/cryptsetup/cryptsetup-pkcs11.h2
-rw-r--r--src/cryptsetup/cryptsetup.c17
-rw-r--r--src/shared/pkcs11-util.c7
-rw-r--r--src/shared/pkcs11-util.h2
9 files changed, 44 insertions, 4 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml
index 72fe2e692d..d3aa3b8fc1 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -515,6 +515,13 @@
</varlistentry>
<varlistentry>
+ <term><option>headless=</option></term>
+
+ <listitem><para>Takes a boolean argument, defaults to false. If true, never query interactively
+ for the password/PIN. Useful for headless systems.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>verify</option></term>
<listitem><para>If the encryption password is read from console, it has to be entered twice to
diff --git a/man/systemd-cryptsetup@.service.xml b/man/systemd-cryptsetup@.service.xml
index 668208a01d..1697ccc0f3 100644
--- a/man/systemd-cryptsetup@.service.xml
+++ b/man/systemd-cryptsetup@.service.xml
@@ -73,7 +73,8 @@
<listitem><para>The kernel keyring is then checked for a suitable cached password from previous
attempts.</para></listitem>
- <listitem><para>Finally, the user is queried for a password, possibly multiple times.</para></listitem>
+ <listitem><para>Finally, the user is queried for a password, possibly multiple times, unless
+ the <varname>headless</varname> option is set.</para></listitem>
</orderedlist>
<para>If no suitable key may be acquired via any of the mechanisms describes above, volume activation fails.</para>
diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
index 82b83ee477..8238e823cd 100644
--- a/src/cryptsetup/cryptsetup-fido2.c
+++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -23,6 +23,7 @@ int acquire_fido2_key(
const void *key_data,
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
@@ -88,6 +89,9 @@ int acquire_fido2_key(
pins = strv_free_erase(pins);
+ if (headless)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
+
r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, flags, &pins);
if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m");
diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h
index 92093ba38b..d5c5ce5926 100644
--- a/src/cryptsetup/cryptsetup-fido2.h
+++ b/src/cryptsetup/cryptsetup-fido2.h
@@ -22,6 +22,7 @@ int acquire_fido2_key(
const void *key_data,
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
@@ -49,6 +50,7 @@ static inline int acquire_fido2_key(
const void *key_data,
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
diff --git a/src/cryptsetup/cryptsetup-pkcs11.c b/src/cryptsetup/cryptsetup-pkcs11.c
index 6d7b01176c..67adf923cc 100644
--- a/src/cryptsetup/cryptsetup-pkcs11.c
+++ b/src/cryptsetup/cryptsetup-pkcs11.c
@@ -32,6 +32,7 @@ struct pkcs11_callback_data {
void *decrypted_key;
size_t decrypted_key_size;
bool free_encrypted_key;
+ bool headless;
};
static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) {
@@ -72,6 +73,7 @@ static int pkcs11_callback(
"pkcs11-pin",
"cryptsetup.pkcs11-pin",
data->until,
+ data->headless,
NULL);
if (r < 0)
return r;
@@ -109,12 +111,14 @@ int decrypt_pkcs11_key(
const void *key_data, /* … or key_data and key_data_size (for literal keys) */
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
_cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
.friendly_name = friendly_name,
.until = until,
+ .headless = headless,
};
int r;
diff --git a/src/cryptsetup/cryptsetup-pkcs11.h b/src/cryptsetup/cryptsetup-pkcs11.h
index 4cd82e0215..256c09a9b6 100644
--- a/src/cryptsetup/cryptsetup-pkcs11.h
+++ b/src/cryptsetup/cryptsetup-pkcs11.h
@@ -19,6 +19,7 @@ int decrypt_pkcs11_key(
const void *key_data,
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size);
@@ -41,6 +42,7 @@ static inline int decrypt_pkcs11_key(
const void *key_data,
size_t key_data_size,
usec_t until,
+ bool headless,
void **ret_decrypted_key,
size_t *ret_decrypted_key_size) {
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index c9cebb4637..7902377a25 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -79,6 +79,7 @@ static char *arg_fido2_rp_id = NULL;
static char *arg_tpm2_device = NULL;
static bool arg_tpm2_device_auto = false;
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static bool arg_headless = false;
STATIC_DESTRUCTOR_REGISTER(arg_cipher, freep);
STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
@@ -381,6 +382,17 @@ static int parse_one_option(const char *option) {
} else if (streq(option, "try-empty-password"))
arg_try_empty_password = true;
+ else if ((val = startswith(option, "headless="))) {
+
+ r = parse_boolean(val);
+ if (r < 0) {
+ log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
+ return 0;
+ }
+
+ arg_headless = r;
+ } else if (streq(option, "headless"))
+ arg_headless = true;
else if (!streq(option, "x-initrd.attach"))
log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
@@ -532,6 +544,9 @@ static int get_password(
assert(src);
assert(ret);
+ if (arg_headless)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Password querying disabled via 'headless' option.");
+
friendly = friendly_disk_name(src, vol);
if (!friendly)
return log_oom();
@@ -775,6 +790,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size,
until,
+ arg_headless,
&decrypted_key, &decrypted_key_size);
if (r >= 0)
break;
@@ -895,6 +911,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
key_file, arg_keyfile_size, arg_keyfile_offset,
key_data, key_data_size,
until,
+ arg_headless,
&decrypted_key, &decrypted_key_size);
if (r >= 0)
break;
diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c
index aff45ed868..9fc577ca3c 100644
--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
@@ -184,6 +184,7 @@ int pkcs11_token_login(
const char *key_name,
const char *credential_name,
usec_t until,
+ bool headless,
char **ret_used_pin) {
_cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL;
@@ -247,7 +248,9 @@ int pkcs11_token_login(
string_erase(e);
if (unsetenv("PIN") < 0)
return log_error_errno(errno, "Failed to unset $PIN: %m");
- } else {
+ } else if (headless)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
+ else {
_cleanup_free_ char *text = NULL;
if (FLAGS_SET(token_info->flags, CKF_USER_PIN_FINAL_TRY))
@@ -960,7 +963,7 @@ static int pkcs11_acquire_certificate_callback(
/* Called for every token matching our URI */
- r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, &pin_used);
+ r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
if (r < 0)
return r;
diff --git a/src/shared/pkcs11-util.h b/src/shared/pkcs11-util.h
index c2c852f0eb..f7f32d34d7 100644
--- a/src/shared/pkcs11-util.h
+++ b/src/shared/pkcs11-util.h
@@ -30,7 +30,7 @@ char *pkcs11_token_label(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
-int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, char **ret_used_pin);
+int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin);
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL
View Lorry Controller Status