518 lines
20 KiB
C
518 lines
20 KiB
C
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
|
|
#include <getopt.h>
|
|
|
|
#include "ask-password-api.h"
|
|
#include "cryptenroll-fido2.h"
|
|
#include "cryptenroll-list.h"
|
|
#include "cryptenroll-password.h"
|
|
#include "cryptenroll-pkcs11.h"
|
|
#include "cryptenroll-recovery.h"
|
|
#include "cryptenroll-tpm2.h"
|
|
#include "cryptenroll-wipe.h"
|
|
#include "cryptenroll.h"
|
|
#include "cryptsetup-util.h"
|
|
#include "escape.h"
|
|
#include "libfido2-util.h"
|
|
#include "main-func.h"
|
|
#include "memory-util.h"
|
|
#include "parse-util.h"
|
|
#include "path-util.h"
|
|
#include "pkcs11-util.h"
|
|
#include "pretty-print.h"
|
|
#include "string-table.h"
|
|
#include "strv.h"
|
|
#include "terminal-util.h"
|
|
#include "tpm2-util.h"
|
|
|
|
static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
|
|
static char *arg_pkcs11_token_uri = NULL;
|
|
static char *arg_fido2_device = NULL;
|
|
static char *arg_tpm2_device = NULL;
|
|
static uint32_t arg_tpm2_pcr_mask = UINT32_MAX;
|
|
static char *arg_node = NULL;
|
|
static int *arg_wipe_slots = NULL;
|
|
static size_t arg_n_wipe_slots = 0;
|
|
static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT;
|
|
static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */
|
|
|
|
assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX);
|
|
|
|
STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, freep);
|
|
STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, freep);
|
|
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
|
|
STATIC_DESTRUCTOR_REGISTER(arg_node, freep);
|
|
|
|
static bool wipe_requested(void) {
|
|
return arg_n_wipe_slots > 0 ||
|
|
arg_wipe_slots_scope != WIPE_EXPLICIT ||
|
|
arg_wipe_slots_mask != 0;
|
|
}
|
|
|
|
static const char* const enroll_type_table[_ENROLL_TYPE_MAX] = {
|
|
[ENROLL_PASSWORD] = "password",
|
|
[ENROLL_RECOVERY] = "recovery",
|
|
[ENROLL_PKCS11] = "pkcs11",
|
|
[ENROLL_FIDO2] = "fido2",
|
|
[ENROLL_TPM2] = "tpm2",
|
|
};
|
|
|
|
DEFINE_STRING_TABLE_LOOKUP(enroll_type, EnrollType);
|
|
|
|
static const char *const luks2_token_type_table[_ENROLL_TYPE_MAX] = {
|
|
/* ENROLL_PASSWORD has no entry here, as slots of this type do not have a token in the LUKS2 header */
|
|
[ENROLL_RECOVERY] = "systemd-recovery",
|
|
[ENROLL_PKCS11] = "systemd-pkcs11",
|
|
[ENROLL_FIDO2] = "systemd-fido2",
|
|
[ENROLL_TPM2] = "systemd-tpm2",
|
|
};
|
|
|
|
DEFINE_STRING_TABLE_LOOKUP(luks2_token_type, EnrollType);
|
|
|
|
static int help(void) {
|
|
_cleanup_free_ char *link = NULL;
|
|
int r;
|
|
|
|
r = terminal_urlify_man("systemd-cryptenroll", "1", &link);
|
|
if (r < 0)
|
|
return log_oom();
|
|
|
|
printf("%s [OPTIONS...] BLOCK-DEVICE\n"
|
|
"\n%sEnroll a security token or authentication credential to a LUKS volume.%s\n\n"
|
|
" -h --help Show this help\n"
|
|
" --version Show package version\n"
|
|
" --password Enroll a user-supplied password\n"
|
|
" --recovery-key Enroll a recovery key\n"
|
|
" --pkcs11-token-uri=URI\n"
|
|
" Specify PKCS#11 security token URI\n"
|
|
" --fido2-device=PATH\n"
|
|
" Enroll a FIDO2-HMAC security token\n"
|
|
" --tpm2-device=PATH\n"
|
|
" Enroll a TPM2 device\n"
|
|
" --tpm2-pcrs=PCR1,PCR2,PCR3,…\n"
|
|
" Specify TPM2 PCRs to seal against\n"
|
|
" --wipe-slot=SLOT1,SLOT2,…\n"
|
|
" Wipe specified slots\n"
|
|
"\nSee the %s for details.\n"
|
|
, program_invocation_short_name
|
|
, ansi_highlight(), ansi_normal()
|
|
, link
|
|
);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int parse_argv(int argc, char *argv[]) {
|
|
|
|
enum {
|
|
ARG_VERSION = 0x100,
|
|
ARG_PASSWORD,
|
|
ARG_RECOVERY_KEY,
|
|
ARG_PKCS11_TOKEN_URI,
|
|
ARG_FIDO2_DEVICE,
|
|
ARG_TPM2_DEVICE,
|
|
ARG_TPM2_PCRS,
|
|
ARG_WIPE_SLOT,
|
|
};
|
|
|
|
static const struct option options[] = {
|
|
{ "help", no_argument, NULL, 'h' },
|
|
{ "version", no_argument, NULL, ARG_VERSION },
|
|
{ "password", no_argument, NULL, ARG_PASSWORD },
|
|
{ "recovery-key", no_argument, NULL, ARG_RECOVERY_KEY },
|
|
{ "pkcs11-token-uri", required_argument, NULL, ARG_PKCS11_TOKEN_URI },
|
|
{ "fido2-device", required_argument, NULL, ARG_FIDO2_DEVICE },
|
|
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
|
|
{ "tpm2-pcrs", required_argument, NULL, ARG_TPM2_PCRS },
|
|
{ "wipe-slot", required_argument, NULL, ARG_WIPE_SLOT },
|
|
{}
|
|
};
|
|
|
|
int c, r;
|
|
|
|
assert(argc >= 0);
|
|
assert(argv);
|
|
|
|
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) {
|
|
|
|
switch (c) {
|
|
|
|
case 'h':
|
|
return help();
|
|
|
|
case ARG_VERSION:
|
|
return version();
|
|
|
|
case ARG_PASSWORD:
|
|
if (arg_enroll_type >= 0)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Multiple operations specified at once, refusing.");
|
|
|
|
arg_enroll_type = ENROLL_PASSWORD;
|
|
break;
|
|
|
|
case ARG_RECOVERY_KEY:
|
|
if (arg_enroll_type >= 0)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Multiple operations specified at once, refusing.");
|
|
|
|
arg_enroll_type = ENROLL_RECOVERY;
|
|
break;
|
|
|
|
case ARG_PKCS11_TOKEN_URI: {
|
|
_cleanup_free_ char *uri = NULL;
|
|
|
|
if (streq(optarg, "list"))
|
|
return pkcs11_list_tokens();
|
|
|
|
if (arg_enroll_type >= 0 || arg_pkcs11_token_uri)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Multiple operations specified at once, refusing.");
|
|
|
|
if (streq(optarg, "auto")) {
|
|
r = pkcs11_find_token_auto(&uri);
|
|
if (r < 0)
|
|
return r;
|
|
} else {
|
|
if (!pkcs11_uri_valid(optarg))
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a valid PKCS#11 URI: %s", optarg);
|
|
|
|
uri = strdup(optarg);
|
|
if (!uri)
|
|
return log_oom();
|
|
}
|
|
|
|
arg_enroll_type = ENROLL_PKCS11;
|
|
arg_pkcs11_token_uri = TAKE_PTR(uri);
|
|
break;
|
|
}
|
|
|
|
case ARG_FIDO2_DEVICE: {
|
|
_cleanup_free_ char *device = NULL;
|
|
|
|
if (streq(optarg, "list"))
|
|
return fido2_list_devices();
|
|
|
|
if (arg_enroll_type >= 0 || arg_fido2_device)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Multiple operations specified at once, refusing.");
|
|
|
|
if (streq(optarg, "auto")) {
|
|
r = fido2_find_device_auto(&device);
|
|
if (r < 0)
|
|
return r;
|
|
} else {
|
|
device = strdup(optarg);
|
|
if (!device)
|
|
return log_oom();
|
|
}
|
|
|
|
arg_enroll_type = ENROLL_FIDO2;
|
|
arg_fido2_device = TAKE_PTR(device);
|
|
break;
|
|
}
|
|
|
|
case ARG_TPM2_DEVICE: {
|
|
_cleanup_free_ char *device = NULL;
|
|
|
|
if (streq(optarg, "list"))
|
|
return tpm2_list_devices();
|
|
|
|
if (arg_enroll_type >= 0 || arg_tpm2_device)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Multiple operations specified at once, refusing.");
|
|
|
|
if (!streq(optarg, "auto")) {
|
|
device = strdup(optarg);
|
|
if (!device)
|
|
return log_oom();
|
|
}
|
|
|
|
arg_enroll_type = ENROLL_TPM2;
|
|
arg_tpm2_device = TAKE_PTR(device);
|
|
break;
|
|
}
|
|
|
|
case ARG_TPM2_PCRS: {
|
|
uint32_t mask;
|
|
|
|
if (isempty(optarg)) {
|
|
arg_tpm2_pcr_mask = 0;
|
|
break;
|
|
}
|
|
|
|
r = tpm2_parse_pcrs(optarg, &mask);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
if (arg_tpm2_pcr_mask == UINT32_MAX)
|
|
arg_tpm2_pcr_mask = mask;
|
|
else
|
|
arg_tpm2_pcr_mask |= mask;
|
|
|
|
break;
|
|
}
|
|
|
|
case ARG_WIPE_SLOT: {
|
|
const char *p = optarg;
|
|
|
|
if (isempty(optarg)) {
|
|
arg_wipe_slots_mask = 0;
|
|
arg_wipe_slots_scope = WIPE_EXPLICIT;
|
|
break;
|
|
}
|
|
|
|
for (;;) {
|
|
_cleanup_free_ char *slot = NULL;
|
|
unsigned n;
|
|
|
|
r = extract_first_word(&p, &slot, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
|
|
if (r == 0)
|
|
break;
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to parse slot list: %s", optarg);
|
|
|
|
if (streq(slot, "all"))
|
|
arg_wipe_slots_scope = WIPE_ALL;
|
|
else if (streq(slot, "empty")) {
|
|
if (arg_wipe_slots_scope != WIPE_ALL) /* if "all" was specified before, that wins */
|
|
arg_wipe_slots_scope = WIPE_EMPTY_PASSPHRASE;
|
|
} else if (streq(slot, "password"))
|
|
arg_wipe_slots_mask = 1U << ENROLL_PASSWORD;
|
|
else if (streq(slot, "recovery"))
|
|
arg_wipe_slots_mask = 1U << ENROLL_RECOVERY;
|
|
else if (streq(slot, "pkcs11"))
|
|
arg_wipe_slots_mask = 1U << ENROLL_PKCS11;
|
|
else if (streq(slot, "fido2"))
|
|
arg_wipe_slots_mask = 1U << ENROLL_FIDO2;
|
|
else if (streq(slot, "tpm2"))
|
|
arg_wipe_slots_mask = 1U << ENROLL_TPM2;
|
|
else {
|
|
int *a;
|
|
|
|
r = safe_atou(slot, &n);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to parse slot index: %s", slot);
|
|
if (n > INT_MAX)
|
|
return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Slot index out of range: %u", n);
|
|
|
|
a = reallocarray(arg_wipe_slots, sizeof(int), arg_n_wipe_slots + 1);
|
|
if (!a)
|
|
return log_oom();
|
|
|
|
arg_wipe_slots = a;
|
|
arg_wipe_slots[arg_n_wipe_slots++] = (int) n;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
|
|
case '?':
|
|
return -EINVAL;
|
|
|
|
default:
|
|
assert_not_reached("Unhandled option");
|
|
}
|
|
}
|
|
|
|
if (optind >= argc)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"No block device node specified, refusing.");
|
|
|
|
if (argc > optind+1)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
"Too many arguments, refusing.");
|
|
|
|
r = parse_path_argument_and_warn(argv[optind], false, &arg_node);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
if (arg_tpm2_pcr_mask == UINT32_MAX)
|
|
arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT;
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int prepare_luks(
|
|
struct crypt_device **ret_cd,
|
|
void **ret_volume_key,
|
|
size_t *ret_volume_key_size) {
|
|
|
|
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
|
_cleanup_(erase_and_freep) void *vk = NULL;
|
|
char *e = NULL;
|
|
size_t vks;
|
|
int r;
|
|
|
|
assert(ret_cd);
|
|
assert(!ret_volume_key == !ret_volume_key_size);
|
|
|
|
r = crypt_init(&cd, arg_node);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
|
|
|
|
cryptsetup_enable_logging(cd);
|
|
|
|
r = crypt_load(cd, CRYPT_LUKS2, NULL);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
|
|
|
|
if (!ret_volume_key) {
|
|
*ret_cd = TAKE_PTR(cd);
|
|
return 0;
|
|
}
|
|
|
|
r = crypt_get_volume_key_size(cd);
|
|
if (r <= 0)
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size");
|
|
vks = (size_t) r;
|
|
|
|
vk = malloc(vks);
|
|
if (!vk)
|
|
return log_oom();
|
|
|
|
e = getenv("PASSWORD");
|
|
if (e) {
|
|
_cleanup_(erase_and_freep) char *password = NULL;
|
|
|
|
password = strdup(e);
|
|
if (!password)
|
|
return log_oom();
|
|
|
|
string_erase(e);
|
|
assert_se(unsetenv("PASSWORD") >= 0);
|
|
|
|
r = crypt_volume_key_get(
|
|
cd,
|
|
CRYPT_ANY_SLOT,
|
|
vk,
|
|
&vks,
|
|
password,
|
|
strlen(password));
|
|
if (r < 0)
|
|
return log_error_errno(r, "Password from environment variable $PASSWORD did not work.");
|
|
} else {
|
|
AskPasswordFlags ask_password_flags = ASK_PASSWORD_PUSH_CACHE|ASK_PASSWORD_ACCEPT_CACHED;
|
|
_cleanup_free_ char *question = NULL, *disk_path = NULL;
|
|
unsigned i = 5;
|
|
const char *id;
|
|
|
|
question = strjoin("Please enter current passphrase for disk ", arg_node, ":");
|
|
if (!question)
|
|
return log_oom();
|
|
|
|
disk_path = cescape(arg_node);
|
|
if (!disk_path)
|
|
return log_oom();
|
|
|
|
id = strjoina("cryptsetup:", disk_path);
|
|
|
|
for (;;) {
|
|
_cleanup_strv_free_erase_ char **passwords = NULL;
|
|
char **p;
|
|
|
|
if (--i == 0)
|
|
return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
|
|
"Too many attempts, giving up:");
|
|
|
|
r = ask_password_auto(
|
|
question, "drive-harddisk", id, "cryptenroll", USEC_INFINITY,
|
|
ask_password_flags,
|
|
&passwords);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to query password: %m");
|
|
|
|
r = -EPERM;
|
|
STRV_FOREACH(p, passwords) {
|
|
r = crypt_volume_key_get(
|
|
cd,
|
|
CRYPT_ANY_SLOT,
|
|
vk,
|
|
&vks,
|
|
*p,
|
|
strlen(*p));
|
|
if (r >= 0)
|
|
break;
|
|
}
|
|
if (r >= 0)
|
|
break;
|
|
|
|
log_error_errno(r, "Password not correct, please try again.");
|
|
ask_password_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
|
|
}
|
|
}
|
|
|
|
*ret_cd = TAKE_PTR(cd);
|
|
*ret_volume_key = TAKE_PTR(vk);
|
|
*ret_volume_key_size = vks;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int run(int argc, char *argv[]) {
|
|
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
|
_cleanup_(erase_and_freep) void *vk = NULL;
|
|
size_t vks;
|
|
int slot, r;
|
|
|
|
log_show_color(true);
|
|
log_parse_environment();
|
|
log_open();
|
|
|
|
r = parse_argv(argc, argv);
|
|
if (r <= 0)
|
|
return r;
|
|
|
|
if (arg_enroll_type < 0)
|
|
r = prepare_luks(&cd, NULL, NULL); /* No need to unlock device if we don't need the volume key because we don't need to enroll anything */
|
|
else
|
|
r = prepare_luks(&cd, &vk, &vks);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
switch (arg_enroll_type) {
|
|
|
|
case ENROLL_PASSWORD:
|
|
slot = enroll_password(cd, vk, vks);
|
|
break;
|
|
|
|
case ENROLL_RECOVERY:
|
|
slot = enroll_recovery(cd, vk, vks);
|
|
break;
|
|
|
|
case ENROLL_PKCS11:
|
|
slot = enroll_pkcs11(cd, vk, vks, arg_pkcs11_token_uri);
|
|
break;
|
|
|
|
case ENROLL_FIDO2:
|
|
slot = enroll_fido2(cd, vk, vks, arg_fido2_device);
|
|
break;
|
|
|
|
case ENROLL_TPM2:
|
|
slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask);
|
|
break;
|
|
|
|
case _ENROLL_TYPE_INVALID:
|
|
/* List enrolled slots if we are called without anything to enroll or wipe */
|
|
if (!wipe_requested())
|
|
return list_enrolled(cd);
|
|
|
|
/* Only slot wiping selected */
|
|
return wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, -1);
|
|
|
|
default:
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Operation not implemented yet.");
|
|
}
|
|
if (slot < 0)
|
|
return slot;
|
|
|
|
/* After we completed enrolling, remove user selected slots */
|
|
r = wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, slot);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
return 0;
|
|
}
|
|
|
|
DEFINE_MAIN_FUNCTION(run);
|