From ee6c66acc5a61cb56f9b1d6e3132728c4d1ce66d Mon Sep 17 00:00:00 2001
From: Jonas Witschel
Date: Wed, 25 May 2022 14:06:12 +0200
Subject: cryptsetup: ask for PIN when trying to activate using a LUKS2 token plugin

crypt_activate_by_token() fails with ENOANO if the token is protected with a PIN, in this case we need to call crypt_activate_by_token_pin() with a PIN. This logic is already implemented in crypt_activate_by_token_pin_ask_password(). This code path is relevant when using systemd-gpt-auto-generator because there is no a priory information about the type of the used security device, so systemd-cryptsetup tries to unlock the volume using the corresponding cryptsetup plugin.
---
 src/cryptsetup/cryptsetup.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'src/cryptsetup')

diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 7a9878e689..c8e71c43de 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -1886,7 +1886,17 @@ static int run(int argc, char *argv[]) {
 /* Tokens are available in LUKS2 only, but it is ok to call (and fail) with LUKS1. */
 if (!key_file && !key_data) {
- r = crypt_activate_by_token(cd, volume, CRYPT_ANY_TOKEN, NULL, flags);
+ r = crypt_activate_by_token_pin_ask_password(
+ cd,
+ volume,
+ NULL,
+ until,
+ arg_headless,
+ NULL,
+ flags,
+ "Please enter LUKS2 token PIN:",
+ "luks2-pin",
+ "cryptsetup.luks2-pin");
 if (r >= 0) {
 log_debug("Volume %s activated with LUKS token id %i.", volume, r);
 return 0;
-- cgit v1.2.1
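Review bot: The new call passes `NULL` where the token type would presumably go and uses one generic cache name, `"luks2-pin"`, so every PIN-protected token plugin on any volume shares the same prompt and the same cached PIN. If the helper consults a cached PIN before prompting (its body is not visible here), a PIN entered for one device could be submitted to a different token and consume one of that token's limited retry attempts. It is worth confirming that a rejected cached PIN is discarded rather than retried. The unchanged `log_debug()` below still prints `r` as a token id, which only holds if the helper returns the id as `crypt_activate_by_token()` did rather than a normalized 0. The two bare `NULL` arguments are hard to tell apart, and annotating them, e.g. `/* type= */ NULL` and `/* usrptr= */ NULL` (assuming those are the parameter roles), would make the "any token type" intent explicit; the enclosing block of `run()` continues past the hunk, so the handling of a failed or cancelled prompt is not shown.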