authorGrigori Goronzy <greg@chown.ath.cx>2022-02-18 11:51:25 +0100
committerGrigori Goronzy <greg@chown.ath.cx>2022-03-15 21:17:00 +0100
commit6c7a1681052c37ef354a000355c4c0d676113a1a (patch)
tree7aed1aa383eee6f56037b782048d0909638b19c5 /src/cryptenroll/cryptenroll.c
parent2f5a892aa0d70aa4f1f10c8dba495ad52bc02bc3 (diff)
downloadsystemd-6c7a1681052c37ef354a000355c4c0d676113a1a.tar.gz
cryptenroll: add support for TPM2 pin
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is introduced into metadata to signal that the policy needs to include a PIN. v2: fix tpm2_make_luks2_json in sd-repart
Diffstat (limited to 'src/cryptenroll/cryptenroll.c')
-rw-r--r--src/cryptenroll/cryptenroll.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index e13f5b7ac8..2fd6d9080e 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -32,6 +32,7 @@ static char *arg_pkcs11_token_uri = NULL;
static char *arg_fido2_device = NULL;
static char *arg_tpm2_device = NULL;
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
+static bool arg_tpm2_pin = false;
static char *arg_node = NULL;
static int *arg_wipe_slots = NULL;
static size_t arg_n_wipe_slots = 0;
@@ -100,6 +101,8 @@ static int help(void) {
" Enroll a TPM2 device\n"
" --tpm2-pcrs=PCR1+PCR2+PCR3+…\n"
" Specify TPM2 PCRs to seal against\n"
+ " --tpm2-with-pin=BOOL\n"
+ " Whether to require entering a PIN to unlock the volume\n"
" --wipe-slot=SLOT1,SLOT2,…\n"
" Wipe specified slots\n"
"\nSee the %s for details.\n",
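Review bot: The new help entry says what `--tpm2-with-pin=BOOL` controls but not its default, and a reader of `--help` cannot tell from it that the option is only consulted for TPM2 enrollment (the neighbouring `--tpm2-pcrs=` entry leaves that implicit as well). Since `arg_tpm2_pin` is initialised to `false` in this file, stating the default keeps the help text self-contained: `"     --tpm2-with-pin=BOOL\n"` followed by `"                      Whether to require entering a PIN to unlock the volume (default: no)\n"`. The help() body continues outside the hunk, so the man-page reference at the end is unaffected.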
@@ -121,6 +124,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_FIDO2_DEVICE,
ARG_TPM2_DEVICE,
ARG_TPM2_PCRS,
+ ARG_TPM2_PIN,
ARG_WIPE_SLOT,
ARG_FIDO2_WITH_PIN,
ARG_FIDO2_WITH_UP,
@@ -139,6 +143,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV },
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
+ { "tpm2-with-pin", required_argument, NULL, ARG_TPM2_PIN },
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
{}
};
@@ -301,6 +306,14 @@ static int parse_argv(int argc, char *argv[]) {
break;
}
+ case ARG_TPM2_PIN: {
+ r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin);
+ if (r < 0)
+ return r;
+
+ break;
+ }
+
case ARG_WIPE_SLOT: {
const char *p = optarg;
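Review bot: `--tpm2-with-pin=` is parsed into `arg_tpm2_pin`, but nothing in this hunk ties the flag to the TPM2 enrollment type, so `--tpm2-with-pin=yes` passed together with a non-TPM2 enrollment is silently ignored instead of being rejected. If parse_argv already validates option/enrollment-type combinations after the getopt loop (that part of the function is outside the hunk), `arg_tpm2_pin` should be checked there along the lines of `if (arg_tpm2_pin && arg_enroll_type != ENROLL_TPM2) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--tpm2-with-pin= only supported when enrolling a TPM2 device.");`, matching however the existing FIDO2 `--fido2-with-*` options are guarded. As a minor point of style, the braces around the new `case ARG_TPM2_PIN:` enclose no declarations and could be dropped, although the surrounding cases use the same braced form. The error path is correct: a negative return from parse_boolean_argument() is propagated unchanged, consistent with the rest of the switch.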
@@ -558,7 +571,7 @@ static int run(int argc, char *argv[]) {
break;
case ENROLL_TPM2:
- slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask);
+ slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_pin);
break;
case _ENROLL_TYPE_INVALID: