From dcbc38c916ebc6f024870c888536e55fc38b353c Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 31 Mar 2022 10:47:24 +0200
Subject: cryptsetup: rename functions that try to do FIDO2/TPM2/PKCS#11 via cryptsetup plugins to say so
The are so many different flavours of functions that attach volumes, hence say explicitly that these are about libcryptsetup plugins, and nothing else. Just some renaming, no code changes beyond that.
---
 src/cryptsetup/cryptsetup.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'src/cryptsetup')
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 6c7b74037f..9db3f6f098 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -850,7 +850,7 @@ static int acquire_pins_from_env_variable(char ***ret_pins) {
 }
 #endif
-static int attach_luks2_by_fido2(
+static int attach_luks2_by_fido2_via_plugin(
 struct crypt_device *cd,
 const char *name,
 usec_t until,
@@ -980,7 +980,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
 for (;;) {
 if (use_libcryptsetup_plugin && !arg_fido2_cid) {
- r = attach_luks2_by_fido2(cd, name, until, arg_headless, arg_fido2_device, flags);
+ r = attach_luks2_by_fido2_via_plugin(cd, name, until, arg_headless, arg_fido2_device, flags);
 if (IN_SET(r, -ENOTUNIQ, -ENXIO, -ENOENT))
 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
@@ -1053,7 +1053,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
 return 0;
 }
-static int attach_luks2_by_pkcs11(
+static int attach_luks2_by_pkcs11_via_plugin(
 struct crypt_device *cd,
 const char *name,
 const char *friendly_name,
@@ -1133,7 +1133,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
 for (;;) {
 if (use_libcryptsetup_plugin && arg_pkcs11_uri_auto)
- r = attach_luks2_by_pkcs11(cd, name, friendly, until, arg_headless, flags);
+ r = attach_luks2_by_pkcs11_via_plugin(cd, name, friendly, until, arg_headless, flags);
 else {
 r = decrypt_pkcs11_key(
 name,
@@ -1246,7 +1246,7 @@ static int make_tpm2_device_monitor(
 return 0;
 }
-static int attach_luks2_by_tpm2(
+static int attach_luks2_by_tpm2_via_plugin(
 struct crypt_device *cd,
 const char *name,
 uint32_t flags) {
@@ -1325,7 +1325,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 if (r != -EAGAIN) /* EAGAIN means: no tpm2 chip found */
 return r;
 } else {
- r = attach_luks2_by_tpm2(cd, name, flags);
+ r = attach_luks2_by_tpm2_via_plugin(cd, name, flags);
 /* EAGAIN means: no tpm2 chip found
 * EOPNOTSUPP means: no libcryptsetup plugins support */
 if (r == -ENXIO)
@@ -1338,7 +1338,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 return r;
 }
- if (r == -EOPNOTSUPP) {
+ if (r == -EOPNOTSUPP) { /* Plugin not available, let's process TPM2 stuff right here instead */
 _cleanup_free_ void *blob = NULL, *policy_hash = NULL;
 size_t blob_size, policy_hash_size;
 bool found_some = false;
-- 
cgit v1.2.1
From 2fabbad8983bf012e73479b73ecd390794080c3d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 31 Mar 2022 10:48:37 +0200
Subject: cryptsetup: add helper for mangling "none" option strings
let's unify some code here, and let's do so in cryptsetup-util.h so that we can later reuse this in integritysetup/veritysetup
---
 src/cryptsetup/cryptsetup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/cryptsetup')
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 9db3f6f098..137e7ee95d 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1750,8 +1750,8 @@ static int run(int argc, char *argv[]) {
 volume = argv[2];
 source = argv[3];
- key_file = argc >= 5 && !STR_IN_SET(argv[4], "", "-", "none") ? argv[4] : NULL;
- options = argc >= 6 && !STR_IN_SET(argv[5], "", "-", "none") ? argv[5] : NULL;
+ key_file = mangle_none(argc >= 5 ? argv[4] : NULL);
+ options = mangle_none(argc >= 6 ? argv[5] : NULL);
 if (!filename_is_valid(volume))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);
-- 
cgit v1.2.1
From 2e4aae981e5860a830293d16bf28cc658d89110d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 31 Mar 2022 10:49:30 +0200
Subject: cryptsetup: adjust some log levels
Let's upgrade log levels of some noteworthy messages from LOG_DEBUG to LOG_NOTICE. These messages contain information that previous log messages in the error path didn't say, namely that we'll now fall back to traditional unlocking. Note that this leaves similar log messages for cases where TPM2/PKCS#11/FIDO2 support is disabled at build at LOG_DEBUG, since in that case nothing really failed, we just systematically can't do TPM2/PKCS#11/FIDO2 and hence it is pointless and not actionable for users to do anything about it...
---
 src/cryptsetup/cryptsetup.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'src/cryptsetup')
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 137e7ee95d..21430d4256 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
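Review bot: The contract of `mangle_none()` cannot be checked from this diff — it is not defined here, and the commit message places it in cryptsetup-util.h, which the `(limited to 'src/cryptsetup')` view hides — yet the two replaced lines encode a precise rule: NULL, `""`, `"-"` and `"none"` become NULL, and any other value is passed through untouched. The helper therefore has to accept a NULL argument (both new call sites pass one when argc is short) and must not normalize beyond those four inputs, since `key_file` and `options` presumably feed the key-file handling and option parsing later in run(); silently widening the set of values treated as "absent" would change which crypttab entries get a key file at all. A one-line comment at the helper's declaration naming exactly those inputs, e.g. `/* Maps NULL, "", "-" and "none" to NULL, returns anything else unchanged. */`, would make the equivalence reviewable. run() starts and ends outside this hunk.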
@@ -1329,8 +1329,8 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 /* EAGAIN means: no tpm2 chip found
 * EOPNOTSUPP means: no libcryptsetup plugins support */
 if (r == -ENXIO)
- return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
- "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
+ return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN),
+ "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking.");
 if (r == -ENOENT)
 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "No TPM2 metadata enrolled in LUKS2 header or TPM2 support not available, falling back to traditional unlocking.");
@@ -1367,10 +1367,11 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 &tpm2_flags);
 if (r == -ENXIO) /* No further TPM2 tokens found in the LUKS2 header. */
- return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
- found_some
- ? "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking."
- : "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.");
+ return log_full_errno(found_some ? LOG_NOTICE : LOG_DEBUG,
+ SYNTHETIC_ERRNO(EAGAIN),
+ found_some
+ ? "No TPM2 metadata matching the current system state found in LUKS2 header, falling back to traditional unlocking."
+ : "No TPM2 metadata enrolled in LUKS2 header, falling back to traditional unlocking.");
 if (ERRNO_IS_NOT_SUPPORTED(r)) /* TPM2 support not compiled in? */
 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 support not available, falling back to traditional unlocking.");
 if (r < 0)
@@ -1393,7 +1394,7 @@ static int attach_luks_or_plain_or_bitlk_by_tpm2(
 arg_ask_password_flags,
 &decrypted_key,
 &decrypted_key_size);
 if (IN_SET(r, -EACCES, -ENOLCK))
- return log_error_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
+ return log_notice_errno(SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");
 if (r != -EPERM)
 break;
-- 
cgit v1.2.1
From 542bb9be7cd0c05e3fb1beb849b70d79fec42189 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 31 Mar 2022 11:09:48 +0200
Subject: tree-wide: unify some code that looks for --help in the command line
---
 src/cryptsetup/cryptsetup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/cryptsetup')
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 21430d4256..408d7511bf 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -34,6 +34,7 @@
 #include "path-util.h"
 #include "pkcs11-util.h"
 #include "pretty-print.h"
+#include "process-util.h"
 #include "random-util.h"
 #include "string-util.h"
 #include "strv.h"
@@ -1719,7 +1720,7 @@ static int run(int argc, char *argv[]) {
 const char *verb;
 int r;
- if (argc <= 1)
+ if (argv_looks_like_help(argc, argv))
 return help();
 if (argc < 3)
-- 
cgit v1.2.1
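Review bot: The change on the `TPM2 PIN unlock failed` line is a downgrade from LOG_ERR to LOG_NOTICE, the opposite direction from the LOG_DEBUG-to-LOG_NOTICE upgrades the commit message describes, and the message does not say why. A rejected TPM2 PIN is a security-relevant event, and the -ENOLCK case in particular — if, as elsewhere in the tree, it denotes the TPM's dictionary-attack lockout — is something operators typically alert on at LOG_WARNING or above, so the severity here deserves to be chosen deliberately rather than folded into the generic fallback notice. One option that keeps a mistyped PIN quiet but keeps lockout visible is `return log_full_errno(r == -ENOLCK ? LOG_WARNING : LOG_NOTICE, SYNTHETIC_ERRNO(EAGAIN), "TPM2 PIN unlock failed, falling back to traditional unlocking.");`; at minimum the commit message should state that this line is being lowered, not raised. attach_luks_or_plain_or_bitlk_by_tpm2() starts and ends outside the hunk.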
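Review bot: Whether a bare invocation still prints usage now depends on `argv_looks_like_help()`, which is not visible in this diff: the removed `argc <= 1` test handled that case directly, and if the helper only scans the arguments for `--help`/`-h`, running with no arguments would fall through to the `argc < 3` check that follows and exit with its error instead of calling help(). If the helper instead scans every argument rather than just argv[1], the other side of the coin is that a positional argument that happens to equal `-h` or `--help` would be treated as a help request. Confirming which of the two the helper does, and noting it at the call site with `/* argv_looks_like_help() also covers argc <= 1 */` if that is the case, would settle both points. run() starts and ends outside this hunk; the `@@ -34` hunk only adds the include that provides the helper.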