Commit Graph

497 Commits

Author SHA1 Message Date
Daniel Winzen
983028cdc4 cryptsetup: mention correct action in log message 2024-05-27 17:05:23 +01:00
Yu Watanabe
4e494e6aac tree-wise: several cleanups for logging
- drop unnecessary SYNTHETIC_ERRNO() when the logger does not propagate
  error code,
- drop unnecessary '%m' in error message when the error code is
  specified with SYNTHETIC_ERRNO(),
- add missing full stop at the end of log message,
- use RET_GATHER(),
- add missing ", ignoring.",
- upeercase the first letter, etc., etc...
2024-05-01 04:41:06 +09:00
Antonio Alvarez Feijoo
5cef6b5393 cryptsetup-tokens: fix pin asserts
If a user only presses ENTER when the PIN is requested (without actually typing
the PIN), an assertion is reached and no other unlock method is requested.

```
sh-5.2# systemctl status systemd-cryptsetup@cr_root
× systemd-cryptsetup@cr_root.service - Cryptography Setup for cr_root
     Loaded: loaded (/etc/crypttab; generated)
    Drop-In: /etc/systemd/system/systemd-cryptsetup@.service.d
             └─pcr-signature.conf
     Active: failed (Result: core-dump) since Thu 2024-04-25 08:44:30 UTC; 10min ago
       Docs: man:crypttab(5)
             man:systemd-cryptsetup-generator(8)
             man:systemd-cryptsetup@.service(8)
    Process: 559 ExecStartPre=/usr/bin/pcr-signature.sh (code=exited, status=0/SUCCESS)
    Process: 604 ExecStart=/usr/bin/systemd-cryptsetup attach cr_root /dev/disk/by-uuid/a8cbd937-6975-4e61-9120-ce5c03138700 none x-initrd.attach,tpm2-device=auto (code=dumped, signal=ABRT)
   Main PID: 604 (code=dumped, signal=ABRT)
        CPU: 19ms

Apr 25 08:44:29 localhost systemd[1]: Starting Cryptography Setup for cr_root...
Apr 25 08:44:30 localhost systemd-cryptsetup[604]: Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Main process exited, code=dumped, status=6/ABRT
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Failed with result 'core-dump'.
Apr 25 08:44:30 localhost systemd[1]: Failed to start Cryptography Setup for cr_root.
```

In this case, `cryptsetup_token_open_pin()` receives an empty (non-NULL) `pin`
with `pin_size` equals to 0.

```
🔐 Please enter LUKS2 token PIN:

Breakpoint 3, cryptsetup_token_open_pin (cd=0x5555555744c0, token=0, pin=0x5555555b3cc0 "", pin_size=0, ret_password=0x7fffffffd380,
    ret_password_len=0x7fffffffd378, usrptr=0x0) at ../src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:42
42	                void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
(gdb) continue
Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
```
2024-04-25 17:07:11 +02:00
Lennart Poettering
21a3bc6b9f tpm2-util: add generic wrapper tpm2_context_new_or_warn() that wrpas tpm2_context_new and logs about errors
We so far just print a short log message that is not very useful, let's
add some recognizable error codes, and output better log messages if we
can't get TPM stuff to work.

Fixes: #31925
2024-04-22 12:40:09 +02:00
Antonio Alvarez Feijoo
ce18410a54 cryptsetup-tokens: fix argument order mismatch in function
The order of the arguments of the function `acquire_luks2_key()` in
`luks2-tpm2.h` is wrong, `pcrlock_path` and `pin` are swapped.

Fixes 404aea7815
2024-04-05 01:12:42 +08:00
Frantisek Sumsal
a30fdf857b Use IN_SET() more 2024-04-02 18:08:15 +02:00
Antonio Alvarez Feijoo
68ad9e43f6 cryptsetup-tokens: fix typo in comments 2024-02-21 10:23:43 +00:00
Lennart Poettering
b2ac928088 cryptsetup: drop "headless" bool, make it a flag in AskPasswordFlags instead
This bool controls whether we should interactively ask for a password,
which is pretty much what the ask_password-api.c APIs are about. Hence,
just make the bool a flag in AskPasswordFlags enum, and use it
everywhere.

This still catches the flag early in upper levels of the codebase,
exactly as before, but if the flag is still present in the lower layers
it's also handled there and results in ENOEXEC if seen.

This is mostly an excercise in simplifying our ridiculously long
function call parameter lists a bit.
2024-02-20 16:50:04 +01:00
Lennart Poettering
1c12daa46f cryptsetup-pkcs11: also plug credential name to use to credential plugin 2024-02-20 16:50:00 +01:00
Lennart Poettering
b3a635841a cryptenroll,cryptsetup: clean up unlock credential for TPM2 + FIDO2
Let's make sure that when cryptenroll asks for the TPM2 or FIDO2 token
PIN it uses cryptenroll.* credential namespace, and cryptsetup uses
cryptsetup.*.
2024-02-20 16:50:00 +01:00
Lennart Poettering
d08fd4c314 ask-password: rework how we pass request meta info when asking passwords
Rather than adding more and more parameters to ask_password_auto(), let's
pass a structure of the fields that often are constant anyway.

This way, callers can fill in what they need, and we take the filled
structure which we can pass around internally as one.

This is in particular preparation for adding one more field in one of
the next commits.
2024-02-20 16:50:00 +01:00
Daan De Meyer
ea2a57bee3 meson: Start adding devel and rc suffixes to the project version
Let's make sure that versions generated by meson-vcs-tag.sh always
sort higher than official and stable releases. We achieve this by
immediately updating the meson version in meson.build after a new
release. To make sure this version always sorts lower than future
rcs, we suffix it with "~devel" which will sort lower than "~rcX".

The new release workflow is to update the version in meson.build
for each rc and the official release and to also update the version
number after a new release to the next development version.

The full version is exposed as PROJECT_VERSION_FULL and used where
it makes sense over PROJECT_VERSION.

We also switch to reading the version from a meson.version file in
the repo instead of hardcoding it in meson.build. This makes it
easier to access both inside and outside of the project.

The meson-vcs-tag.sh script is rewritten to query the version from
meson.version instead of passing it in via the command line. This
makes it easier to use outside of systemd since users don't have to
query the version themselves first.
2024-02-14 15:36:34 +01:00
Yu Watanabe
a14d3b48f7 cryptsetup: fix typo
Follow-up for c5daf14c88.
2024-02-14 04:01:52 +09:00
Ondrej Kozina
c5daf14c88 cryptsetup: Add optional support for linking volume key in keyring.
cryptsetup 2.7.0 adds feature to link effective volume key in custom
kernel keyring during device activation. It can be used later to pass
linked volume key to other services.

For example: kdump enabled systems installed on LUKS2 device.
This feature allows it to store volume key linked in a kernel keyring
to the kdump reserved memory and reuse it to reactivate LUKS2 device
in case of kernel crash.
2024-02-13 09:45:08 +01:00
Gabríel Arthúr Pétursson
4a67075007 cryptsetup: Fix memory leak when iterating over systemd-tpm2 tokens 2024-02-01 12:20:00 +00:00
Gabríel Arthúr Pétursson
47b425de0c shared: Move cryptsetup-tpm2.[ch] from systemd-cryptsetup 2024-02-01 11:57:52 +00:00
Lennart Poettering
d37c312b87 pcrlock: when unlocking try to pick up pcrlock policy from system credentials 2024-01-22 15:20:22 +01:00
Mike Yuan
bdd2036e81 hexdecoct: make unbase64mem and unhexmem always use SIZE_MAX 2024-01-09 03:59:15 +09:00
Lennart Poettering
8d042bc40a tpm2-util: more iovec'ification
Let's move more code to using struct iovec for passing around binary
chunks of data.

No real changes in behaviour, just refactoring.
2024-01-05 11:34:46 +01:00
Luca Boccassi
c9be8e420e cryptsetup: use WantsMountsFor= for key/header when nofail is set
The header and keyfile are necessary only for opening the device, not
for closing, so it is not necessary to deactivate the generated
cryptsetup unit when the header or keyfile backing store are removed.

This is especially useful in the case of softreboot, when the new
mount root is setup under /run/nextroot/ but we don't want to close
the cryptsetup devices for encrypted /var/ or so, and we simply
mount it directly on /run/nextroot/var/ before the soft-reboot.
2023-11-29 11:04:59 +00:00
Zbigniew Jędrzejewski-Szmek
cee60fc36f tree-wide: use the usual spelling of "cannot"
(There's a bunch more in src/basic/linux/, but those files are copied from the
kernel and should not be modified.)
2023-11-13 13:27:36 +01:00
jjimbo137
b55ca26f5b tcrypt: try all entered passphrases instead of just the first one (#29837)
Previously only the first entered passphrase would be used.  Add the ability to check all the passwords entered by the user.  The total number of passwords entered is still limited by passphrase entry limit.
2023-11-06 16:39:01 +00:00
Antonio Alvarez Feijoo
38cce239c1 cryptsetup: do not print (null) if pkcs11 uri not set
The pkcs11 uri is no set if the smart card is not inserted while using
`pkcs11-uri=auto` with libcryptsetup plugins.

```
> systemd-cryptsetup attach cr_data /dev/sda1 - pkcs11-uri=auto
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/sda1.
Security token (null) not present for unlocking volume Linux filesystem (cr_data), please plug it in.
```
2023-11-03 19:10:55 +00:00
Luca Boccassi
8d04721507 Merge pull request #28891 from poettering/pcrlock
new pcrlock tool for generating signed PCR policies for PCR 0, 1, 4, …
2023-11-03 16:07:43 +00:00
Lennart Poettering
404aea7815 tree-wide: hook everything up with pcrlock policy
Make sure cryptenroll and repart can enroll TPM2 policies with pcrlock
logic.

Make sure cryptsetup can unlock TPM2 policies with pcrlock in effect.
2023-11-03 11:24:24 +01:00
Lennart Poettering
a434270139 pcrlock: add new pcrlock tool 2023-11-03 11:23:54 +01:00
Lennart Poettering
a758a12870 cryptsetup: pass AskPasswordFlags down into pkcs11 module
The pkcs11 cryptsetup token module is a bit different from the tpm2 +
fido2 ones: it asks for the PIN itself, rather than bubbling up a
request to get a PIN. That's because it might need multiple, and because
we don't want to destroy a the pkcs11 session half-way and thus risk
increasing pin counters.

Hence, we sometimes ask for PINs from our code, rather than let the
libcryptsetup caller do that. So far we didn't pass the AskPasswordFlags
field down into the module though. Fix that.

Fixes: #28665
2023-11-03 09:51:53 +01:00
Lennart Poettering
00392b1437 cryptsetup: disable activation via token plugin if we shall measure the volume key
if we allow cryptsetup to activate a volume via token plugin we never
get access to the volume key, which we'd like to measure. Hence disable
token plugins in that case.

(I tempted to say we probably should disable them entirely, and only use
them if classic cryptsetup is used, but that's a discussion for another
day.)

Fixes: #29790
2023-11-02 22:37:52 +01:00
Lennart Poettering
58925605e7 cryptsetup: honour configured ask password flags also when activating via token
See: #28665 (this is not a fix for that PR though)
2023-11-02 22:37:46 +01:00
Lennart Poettering
c50a7776c1 cryptsetup: rename usrptr to userdata
Across our codebase we call the generic pointer "userdata", not
"userptr". Do so here too.
2023-11-02 22:37:17 +01:00
Lennart Poettering
707de94cbf tree-wide: never link directly against p11kit
We go via dlopen() at most places, but forgot some. Cover the missing
cases too.
2023-11-02 17:26:46 +00:00
Lennart Poettering
a3b46c6bf6 cryptenroll: use erase_and_free() at two more places 2023-11-01 15:19:10 +01:00
Lennart Poettering
3c6439bf2c cryptsetup: remove redundant check
The immediately preceeding check already covered that.

This removes and addition made back in aae6eb9611.

cc @williamcroberts
2023-10-25 13:18:17 +01:00
Lennart Poettering
0ff6ff2b29 tree-wide: port various parsers over to read_stripped_line() 2023-10-17 14:36:54 +02:00
Yu Watanabe
fcdd21ec6a tree-wide: fix typo 2023-10-04 08:58:10 +09:00
Dan Streetman
db7fdf152b tpm2: change tpm2_unseal() to accept Tpm2Context instead of device string
This matches the change to tpm2_seal(), which now accepts a Tpm2Context instead
of a device string.

This also allows using the same TPM context for sealing and unsealing, which
will be required by (future) test code when sealing/unsealing using a transient
key.
2023-10-03 12:56:55 -04:00
Dan Streetman
f9a0ee7554 tpm2: downgrade most log functions from error to debug
Because most TPM2 functions here are 'library-like' functions, they should be
at debug level, not error level.

The only functions not reduced to logging at debug are tpm2_list_devices(),
since it is expected to print output, and the tpm2_parse_pcr_argument_*()
functions, since the system-wide parse_*_argument() functions generally log at
error level.
2023-10-03 17:13:50 +01:00
Lennart Poettering
174e8e9897 Merge pull request #29345 from poettering/measured-uki-condition
pid1: introduce ConditionSecurity=measured-uki
2023-09-27 16:39:46 +02:00
Luca Boccassi
578840bdf9 Merge pull request #29296 from keszybz/make-cryptsetup-offical-and-add-docs
Make cryptsetup offical and add docs
2023-09-27 13:31:11 +01:00
Lennart Poettering
be8f478c0f efi-loader: rename efi_stub_measured() → efi_measured_uki()
Let's say "uki" rather than "stub", since that is just too generic, and
we shouldn't limit us to our own stub anyway, but generally define a
concept of a "measured UKI", which is a UKI that measures its part to
PCR 11.

This is mostly preparation for exposing this check to the user via
ConditionSecurity=.
2023-09-27 11:51:13 +02:00
Jan Janssen
90461ef56f meson: Fix version script handling
Build targets should have a link dependency on the version scripts they
use. This also uses absolute paths in anticipation for meson 1.3
needlessly deprecating file to string conversions.
2023-09-26 19:41:53 +02:00
Zbigniew Jędrzejewski-Szmek
fb8d67cd34 meson: move systemd-cryptsetup to /usr/bin
This was requested, though I think an issue was never filed. If people are
supposed to invoke it, even for testing, then it's reasonable to make it
"public".
2023-09-26 17:03:26 +02:00
Zbigniew Jędrzejewski-Szmek
5bae80bd44 cryptsetup: fail with error if extraneous arguments are specified
So far the program would silently ignore those… I think it's better to fail.
2023-09-26 16:21:31 +02:00
Zbigniew Jędrzejewski-Szmek
166015faf5 cryptsetup: add parse_argv() and implement --version
All public programs are expected to have that. The --help output is adjusted to
follow the usual style (highlighting, listing of options). The OPTIONS
positional argument is renamed to "CONFIG", because we now also have "OPTIONS…"
to describe the non-positional options.
2023-09-26 16:20:29 +02:00
Lennart Poettering
cb19bdaebf tpm2: whenever we measure, also write a tpm log record
Previously we only logged our measurements to the journal. This is not a
great solution though, since regular logs are subject to rotation, which
is something we really cannot have for measurements (as it means we can
never reproduce the PCR values from the data). Hence, let's maintain an
explicit log.

Ideally, we'd just use the TCG Canonical Event Log format 1:1
(https://trustedcomputinggroup.org/resource/canonical-event-log-format/).
However it's not a perfect fit fo us, for various reasons. But let's
follow it (in its JSON incantation) as closely at it makes sense, so
that it can easily be converted to the full format by programs consuming
it.

Code comments explain where we deviate from the TCG CEL-JSON, and what
to do about it when reading the data.
2023-08-30 12:59:34 +02:00
Lennart Poettering
e0e1f4f7a2 fundamental: rename tpm-pcr.h → tpm2-pcr.h
I always found it confusing that most of our TPM related definitions are
in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's
fix that and make this systematic, in particular as the definitions in
the file all start with TPM2_ already.

No code flow changes, just some renaming.
2023-08-24 13:40:37 +02:00
Lennart Poettering
2099cd6289 tpm2: unify symbolic name infra for PCRs
We so far maintained two places for symboic names for PCRs. One in
tpm2-util.h and one in tpm-pcr.h.

Let's unify this into one, i.e. move the full list from tpm2-util.h into
tpm-pcr.h, replacing the short list placed so far there.

Systematically prefix the definitions with TPM2_ or tpm2_, to follow how
we do this for all other defines in this context.

No change in behaviour, just unification of tables.
2023-08-24 13:40:37 +02:00
Zbigniew Jędrzejewski-Szmek
bb44fd0734 various: use _NEG_ macros to reduce indentation
No functional change intended.
2023-08-16 12:52:56 +02:00
Dan Streetman
07c0406117 tpm2: change tpm2_parse_pcr_argument() parameters to parse to Tpm2PCRValue array
In order to allow users to specify expected PCR values, change the
tpm2_parse_pcr_argument() to parse the text argument into an array of
Tpm2PCRValue objects, which provide not only the selected PCR indexes, but also
(optionally) the hash algorithm and hash value for each PCR index.
2023-08-04 10:57:07 -04:00
Dan Streetman
323eb4803a tpm2: add Tpm2PCRValue struct and associated functions
Add a new struct that can represent a PCR index, hash, and value all
together. This replaces code (e.g. the tpm2_pcr_read() parameters) that
required using both a TPML_PCR_SELECTION as well as array of TPM2B_DIGEST
entries, which was difficult to correlate the selection hash/index to each
digest.
2023-08-04 10:57:05 -04:00