Compare commits
6 Commits
61364ee647
...
185f80387d
Author | SHA1 | Date |
---|---|---|
Maanya Goenka | 185f80387d | |
Luca Boccassi | 9bf6ffe166 | |
Lennart Poettering | cc6baba720 | |
Lennart Poettering | 3ae48d071c | |
Antonio Alvarez Feijoo | 2ccacdd57c | |
Maanya Goenka | f3a9cb423e |
|
@ -265,32 +265,11 @@
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Options</title>
|
<title>Unlocking</title>
|
||||||
|
|
||||||
<para>The following options are understood:</para>
|
<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
|
||||||
<term><option>--password</option></term>
|
|
||||||
|
|
||||||
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
|
||||||
<command>cryptsetup luksAddKey</command>, however may be combined with
|
|
||||||
<option>--wipe-slot=</option> in one call, see below.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><option>--recovery-key</option></term>
|
|
||||||
|
|
||||||
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
|
||||||
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
|
||||||
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
|
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
|
@ -328,7 +307,45 @@
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Simple Enrollment</title>
|
||||||
|
|
||||||
|
<para>The following options are understood that may be used to enroll simple user input based
|
||||||
|
unlocking:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--password</option></term>
|
||||||
|
|
||||||
|
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
||||||
|
<command>cryptsetup luksAddKey</command>, however may be combined with
|
||||||
|
<option>--wipe-slot=</option> in one call, see below.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--recovery-key</option></term>
|
||||||
|
|
||||||
|
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
||||||
|
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
||||||
|
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>PKCS#11 Enrollment</title>
|
||||||
|
|
||||||
|
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
|
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
|
||||||
|
|
||||||
|
@ -361,7 +378,15 @@
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>FIDO2 Enrollment</title>
|
||||||
|
|
||||||
|
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
|
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
|
||||||
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
|
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
|
||||||
|
@ -461,7 +486,15 @@
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>TPM2 Enrollment</title>
|
||||||
|
|
||||||
|
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
|
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
|
||||||
|
|
||||||
|
@ -636,7 +669,15 @@
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Other Options</title>
|
||||||
|
|
||||||
|
<para>The following additional options are understood:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
|
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
|
||||||
|
|
||||||
|
|
|
@ -38,19 +38,12 @@ __get_tpm2_devices() {
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
__get_block_devices() {
|
|
||||||
local i
|
|
||||||
for i in /dev/*; do
|
|
||||||
[ -b "$i" ] && printf '%s\n' "$i"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
_systemd_cryptenroll() {
|
_systemd_cryptenroll() {
|
||||||
local comps
|
local comps
|
||||||
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
|
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
|
||||||
local -A OPTS=(
|
local -A OPTS=(
|
||||||
[STANDALONE]='-h --help --version
|
[STANDALONE]='-h --help --version
|
||||||
--password --recovery-key'
|
--password --recovery-key --list-devices'
|
||||||
[ARG]='--unlock-key-file
|
[ARG]='--unlock-key-file
|
||||||
--unlock-fido2-device
|
--unlock-fido2-device
|
||||||
--unlock-tpm2-device
|
--unlock-tpm2-device
|
||||||
|
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
comps=$(__get_block_devices)
|
comps=$(systemd-cryptenroll --list-devices)
|
||||||
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
|
@ -193,7 +193,7 @@ static int help(void) {
|
||||||
"\n%3$sSimple Enrollment:%4$s\n"
|
"\n%3$sSimple Enrollment:%4$s\n"
|
||||||
" --password Enroll a user-supplied password\n"
|
" --password Enroll a user-supplied password\n"
|
||||||
" --recovery-key Enroll a recovery key\n"
|
" --recovery-key Enroll a recovery key\n"
|
||||||
"\n%3$sPKCS11 Enrollment:%4$s\n"
|
"\n%3$sPKCS#11 Enrollment:%4$s\n"
|
||||||
" --pkcs11-token-uri=URI\n"
|
" --pkcs11-token-uri=URI\n"
|
||||||
" Specify PKCS#11 security token URI\n"
|
" Specify PKCS#11 security token URI\n"
|
||||||
"\n%3$sFIDO2 Enrollment:%4$s\n"
|
"\n%3$sFIDO2 Enrollment:%4$s\n"
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
|
#include <ctype.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <getopt.h>
|
#include <getopt.h>
|
||||||
#include <linux/loop.h>
|
#include <linux/loop.h>
|
||||||
|
@ -2208,6 +2209,64 @@ static int vl_method_refresh(sd_varlink *link, sd_json_variant *parameters, sd_v
|
||||||
return sd_varlink_reply(link, NULL);
|
return sd_varlink_reply(link, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int parse_version(const char *filename, char **ret) {
|
||||||
|
const char *start, *last_dot_after_underscore;
|
||||||
|
char *version = NULL;
|
||||||
|
|
||||||
|
assert(filename);
|
||||||
|
assert(ret);
|
||||||
|
|
||||||
|
/* Find the last occurrences of '_'. This will mark the start of the extension version. */
|
||||||
|
start = strrchr(filename, '_');
|
||||||
|
if (!start) {
|
||||||
|
/* If no underscore found, assign "none" and return success.
|
||||||
|
* This is for cases where there are no versions in the filename like 'image.raw'. */
|
||||||
|
version = strdup("none");
|
||||||
|
if (!version)
|
||||||
|
return -ENOMEM;
|
||||||
|
*ret = version;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
start ++;
|
||||||
|
|
||||||
|
last_dot_after_underscore = strrchr(start, '.');
|
||||||
|
if (!last_dot_after_underscore || (*(last_dot_after_underscore + 1) == '\0')) {
|
||||||
|
/* If no dot found or if dot is the last character, treat everything
|
||||||
|
/ after '_' as the version */
|
||||||
|
version = strdup(start);
|
||||||
|
if (!version)
|
||||||
|
return -ENOMEM;
|
||||||
|
*ret = version;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (last_dot_after_underscore[1] && isdigit(last_dot_after_underscore[1])) {
|
||||||
|
/* If the last dot is followed by a digit, the version is everything after the underscore
|
||||||
|
* This is for cases where the extension name is like so: image_0.1 */
|
||||||
|
version = strdup(start);
|
||||||
|
if (!version)
|
||||||
|
return -ENOMEM;
|
||||||
|
*ret = version;
|
||||||
|
} else if (last_dot_after_underscore[1] && isalpha(last_dot_after_underscore[1])) {
|
||||||
|
/* If the last dot is followed by a letter, the version is between the first '_' and the last dot
|
||||||
|
* This is for cases where the extension name is like so: image_0.1.raw (version is 0.1)
|
||||||
|
* or image_1.raw (version is 1) */
|
||||||
|
size_t length = last_dot_after_underscore - start;
|
||||||
|
version = strndup(start, length);
|
||||||
|
if (!version)
|
||||||
|
return -ENOMEM;
|
||||||
|
*ret = version;
|
||||||
|
} else {
|
||||||
|
/* In all other cases assign "n/a" to version */
|
||||||
|
version = strdup("n/a");
|
||||||
|
if (!version)
|
||||||
|
return -ENOMEM;
|
||||||
|
*ret = version;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int verb_list(int argc, char **argv, void *userdata) {
|
static int verb_list(int argc, char **argv, void *userdata) {
|
||||||
_cleanup_hashmap_free_ Hashmap *images = NULL;
|
_cleanup_hashmap_free_ Hashmap *images = NULL;
|
||||||
_cleanup_(table_unrefp) Table *t = NULL;
|
_cleanup_(table_unrefp) Table *t = NULL;
|
||||||
|
@ -2227,14 +2286,27 @@ static int verb_list(int argc, char **argv, void *userdata) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
t = table_new("name", "type", "path", "time");
|
t = table_new("name", "version", "type", "path", "time");
|
||||||
if (!t)
|
if (!t)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
HASHMAP_FOREACH(img, images) {
|
HASHMAP_FOREACH(img, images) {
|
||||||
|
_cleanup_free_ char *image_name = NULL, *version = NULL;
|
||||||
|
|
||||||
|
/* Get the absolute file name with version info for logging. */
|
||||||
|
r = path_extract_filename(img->path, &image_name);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to extract filename from '%s': %m", img->path);
|
||||||
|
|
||||||
|
/* Using the above, extract just the version part from the image name */
|
||||||
|
r = parse_version(image_name, &version);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to get version for the extension '%s': %m", image_name);
|
||||||
|
|
||||||
r = table_add_many(
|
r = table_add_many(
|
||||||
t,
|
t,
|
||||||
TABLE_STRING, img->name,
|
TABLE_STRING, img->name,
|
||||||
|
TABLE_STRING, version,
|
||||||
TABLE_STRING, image_type_to_string(img->type),
|
TABLE_STRING, image_type_to_string(img->type),
|
||||||
TABLE_PATH, img->path,
|
TABLE_PATH, img->path,
|
||||||
TABLE_TIMESTAMP, img->mtime != 0 ? img->mtime : img->crtime);
|
TABLE_TIMESTAMP, img->mtime != 0 ? img->mtime : img->crtime);
|
||||||
|
|
Loading…
Reference in New Issue