diff options
author | Grigori Goronzy <greg@chown.ath.cx> | 2022-02-18 11:51:25 +0100 |
---|---|---|
committer | Grigori Goronzy <greg@chown.ath.cx> | 2022-03-15 21:17:00 +0100 |
commit | 6c7a1681052c37ef354a000355c4c0d676113a1a (patch) | |
tree | 7aed1aa383eee6f56037b782048d0909638b19c5 /src/cryptenroll/cryptenroll.c | |
parent | 2f5a892aa0d70aa4f1f10c8dba495ad52bc02bc3 (diff) | |
download | systemd-6c7a1681052c37ef354a000355c4c0d676113a1a.tar.gz |
cryptenroll: add support for TPM2 pin
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is
introduced into metadata to signal that the policy needs to include a
PIN.
v2: fix tpm2_make_luks2_json in sd-repart
Diffstat (limited to 'src/cryptenroll/cryptenroll.c')
-rw-r--r-- | src/cryptenroll/cryptenroll.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index e13f5b7ac8..2fd6d9080e 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -32,6 +32,7 @@ static char *arg_pkcs11_token_uri = NULL; static char *arg_fido2_device = NULL; static char *arg_tpm2_device = NULL; static uint32_t arg_tpm2_pcr_mask = UINT32_MAX; +static bool arg_tpm2_pin = false; static char *arg_node = NULL; static int *arg_wipe_slots = NULL; static size_t arg_n_wipe_slots = 0; @@ -100,6 +101,8 @@ static int help(void) { " Enroll a TPM2 device\n" " --tpm2-pcrs=PCR1+PCR2+PCR3+…\n" " Specify TPM2 PCRs to seal against\n" + " --tpm2-with-pin=BOOL\n" + " Whether to require entering a PIN to unlock the volume\n" " --wipe-slot=SLOT1,SLOT2,…\n" " Wipe specified slots\n" "\nSee the %s for details.\n", @@ -121,6 +124,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_FIDO2_DEVICE, ARG_TPM2_DEVICE, ARG_TPM2_PCRS, + ARG_TPM2_PIN, ARG_WIPE_SLOT, ARG_FIDO2_WITH_PIN, ARG_FIDO2_WITH_UP, @@ -139,6 +143,7 @@ static int parse_argv(int argc, char *argv[]) { { "fido2-with-user-verification", required_argument, NULL, ARG_FIDO2_WITH_UV }, { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, { "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS }, + { "tpm2-with-pin", required_argument, NULL, ARG_TPM2_PIN }, { "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT }, {} }; @@ -301,6 +306,14 @@ static int parse_argv(int argc, char *argv[]) { break; } + case ARG_TPM2_PIN: { + r = parse_boolean_argument("--tpm2-with-pin=", optarg, &arg_tpm2_pin); + if (r < 0) + return r; + + break; + } + case ARG_WIPE_SLOT: { const char *p = optarg; @@ -558,7 +571,7 @@ static int run(int argc, char *argv[]) { break; case ENROLL_TPM2: - slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask); + slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_pin); break; case _ENROLL_TYPE_INVALID: |