


Maanya Goenka 185f80387d
Merge f3a9cb423e into 9bf6ffe166 2024-11-22 13:01:34 +01:00
Luca Boccassi 9bf6ffe166
man: split cryptenroll man page into sections (#35297) 2024-11-22 12:01:07 +00:00
Lennart Poettering cc6baba720 cryptenroll: it's called PKCS#11, not PKCS11
In the --help text we really should use the official spelling, just like
in the man page.
2024-11-22 10:42:37 +01:00
Lennart Poettering 3ae48d071c man: add enrollment type sections to cryptenroll man page
We have the same sections in the --help text, hence we even more so
should have them in the man page.
2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo 2ccacdd57c bash-completion: add --list-devices to systemd-cryptenroll
And also use it to list suitable block devices.
2024-11-22 10:38:19 +01:00
Maanya Goenka f3a9cb423e Add version as new column in the list command table output
Add a new column to the list command output table that shows the version of the extension, derived from the image name.
The 'version' of the image is the part of the image name string that includes the version and the boot counters
at the end of the filename but excludes the .raw type suffix. This commit modifies the table output by the list
command to display the version extracted from the absolute filename alongside the shortened image name.
2024-11-21 18:48:57 +00:00
4 changed files with 140 additions and 34 deletions


@ -265,32 +265,11 @@
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Options</title> <title>Unlocking</title>
<para>The following options are understood:</para> <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
<variablelist> <variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term> <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Simple Enrollment</title>
<para>The following options are understood that may be used to enroll simple user input based
unlocking:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PKCS#11 Enrollment</title>
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term> <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem> <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FIDO2 Enrollment</title>
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term> <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
<xi:include href="version-info.xml" xpointer="v249"/></listitem> <xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TPM2 Enrollment</title>
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term> <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Other Options</title>
<para>The following additional options are understood:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term> <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>


@ -38,19 +38,12 @@ __get_tpm2_devices() {
done done
} }
__get_block_devices() {
local i
for i in /dev/*; do
[ -b "$i" ] && printf '%s\n' "$i"
done
}
_systemd_cryptenroll() { _systemd_cryptenroll() {
local comps local comps
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
local -A OPTS=( local -A OPTS=(
[STANDALONE]='-h --help --version [STANDALONE]='-h --help --version
--password --recovery-key' --password --recovery-key --list-devices'
[ARG]='--unlock-key-file [ARG]='--unlock-key-file
--unlock-fido2-device --unlock-fido2-device
--unlock-tpm2-device --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
return 0 return 0
fi fi
comps=$(__get_block_devices) comps=$(systemd-cryptenroll --list-devices)
COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0 return 0
} }
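Review bot: The new `comps=$(systemd-cryptenroll --list-devices)` runs the binary at tab-completion time with its stderr still attached to the terminal, so if it is not in PATH, cannot open the block devices as an unprivileged user, or fails for any other reason, its error output lands in the middle of the user's command line; the removed `__get_block_devices` helper had no such failure mode. Silence it with `comps=$(systemd-cryptenroll --list-devices 2>/dev/null)`. It is also not visible from this hunk whether `--list-devices` prints bare paths one per line or a table with a header; `compgen -W '$comps'` word-splits whatever comes back, so any header or extra columns would be offered as completions — worth confirming against the implementation.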


@ -193,7 +193,7 @@ static int help(void) {
"\n%3$sSimple Enrollment:%4$s\n" "\n%3$sSimple Enrollment:%4$s\n"
" --password Enroll a user-supplied password\n" " --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n" " --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS11 Enrollment:%4$s\n" "\n%3$sPKCS#11 Enrollment:%4$s\n"
" --pkcs11-token-uri=URI\n" " --pkcs11-token-uri=URI\n"
" Specify PKCS#11 security token URI\n" " Specify PKCS#11 security token URI\n"
"\n%3$sFIDO2 Enrollment:%4$s\n" "\n%3$sFIDO2 Enrollment:%4$s\n"


@ -1,5 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */ /* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <ctype.h>
#include <fcntl.h> #include <fcntl.h>
#include <getopt.h> #include <getopt.h>
#include <linux/loop.h> #include <linux/loop.h>
@ -2208,6 +2209,64 @@ static int vl_method_refresh(sd_varlink *link, sd_json_variant *parameters, sd_v
return sd_varlink_reply(link, NULL); return sd_varlink_reply(link, NULL);
} }
static int parse_version(const char *filename, char **ret) {
const char *start, *last_dot_after_underscore;
char *version = NULL;
assert(filename);
assert(ret);
/* Find the last occurrences of '_'. This will mark the start of the extension version. */
start = strrchr(filename, '_');
if (!start) {
/* If no underscore found, assign "none" and return success.
* This is for cases where there are no versions in the filename like 'image.raw'. */
version = strdup("none");
if (!version)
return -ENOMEM;
*ret = version;
return 0;
}
start ++;
last_dot_after_underscore = strrchr(start, '.');
if (!last_dot_after_underscore || (*(last_dot_after_underscore + 1) == '\0')) {
/* If no dot found or if dot is the last character, treat everything
/ after '_' as the version */
version = strdup(start);
if (!version)
return -ENOMEM;
*ret = version;
return 0;
}
if (last_dot_after_underscore[1] && isdigit(last_dot_after_underscore[1])) {
/* If the last dot is followed by a digit, the version is everything after the underscore
* This is for cases where the extension name is like so: image_0.1 */
version = strdup(start);
if (!version)
return -ENOMEM;
*ret = version;
} else if (last_dot_after_underscore[1] && isalpha(last_dot_after_underscore[1])) {
/* If the last dot is followed by a letter, the version is between the first '_' and the last dot
* This is for cases where the extension name is like so: image_0.1.raw (version is 0.1)
* or image_1.raw (version is 1) */
size_t length = last_dot_after_underscore - start;
version = strndup(start, length);
if (!version)
return -ENOMEM;
*ret = version;
} else {
/* In all other cases assign "n/a" to version */
version = strdup("n/a");
if (!version)
return -ENOMEM;
*ret = version;
}
return 0;
}
static int verb_list(int argc, char **argv, void *userdata) { static int verb_list(int argc, char **argv, void *userdata) {
_cleanup_hashmap_free_ Hashmap *images = NULL; _cleanup_hashmap_free_ Hashmap *images = NULL;
_cleanup_(table_unrefp) Table *t = NULL; _cleanup_(table_unrefp) Table *t = NULL;
@ -2227,14 +2286,27 @@ static int verb_list(int argc, char **argv, void *userdata) {
return 0; return 0;
} }
t = table_new("name", "type", "path", "time"); t = table_new("name", "version", "type", "path", "time");
if (!t) if (!t)
return log_oom(); return log_oom();
HASHMAP_FOREACH(img, images) { HASHMAP_FOREACH(img, images) {
_cleanup_free_ char *image_name = NULL, *version = NULL;
/* Get the absolute file name with version info for logging. */
r = path_extract_filename(img->path, &image_name);
if (r < 0)
return log_error_errno(r, "Failed to extract filename from '%s': %m", img->path);
/* Using the above, extract just the version part from the image name */
r = parse_version(image_name, &version);
if (r < 0)
return log_error_errno(r, "Failed to get version for the extension '%s': %m", image_name);
r = table_add_many( r = table_add_many(
t, t,
TABLE_STRING, img->name, TABLE_STRING, img->name,
TABLE_STRING, version,
TABLE_STRING, image_type_to_string(img->type), TABLE_STRING, image_type_to_string(img->type),
TABLE_PATH, img->path, TABLE_PATH, img->path,
TABLE_TIMESTAMP, img->mtime != 0 ? img->mtime : img->crtime); TABLE_TIMESTAMP, img->mtime != 0 ? img->mtime : img->crtime);
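Review bot: `isdigit(last_dot_after_underscore[1])` and `isalpha(...)` in parse_version() pass a plain `char` to the ctype functions; the filename comes straight from `path_extract_filename()` and may contain bytes ≥ 0x80, which on platforms where `char` is signed is a negative value outside the `unsigned char` range the ctype functions accept, i.e. undefined behavior. Cast to `(unsigned char)` first, or, if this tree's ASCII-only helpers (`ascii_isdigit()`/`ascii_isalpha()`) are available, use those and drop the new `<ctype.h>` include. The `last_dot_after_underscore[1] &&` guards on the two branches are dead, since the `'\0'` case already returned a few lines earlier, and the three identical strdup/-ENOMEM tails can collapse into one; the rewritten classification below replaces everything after the trailing-dot check. verb_list() continues past the end of this section, but note that a failure in parse_version() aborts the whole listing rather than falling back to "n/a" for that one row.
```c
        /* … unchanged: '_' lookup and trailing-'.' early returns … */
        unsigned char c = last_dot_after_underscore[1]; /* ctype functions require unsigned char range */
        if (isdigit(c))
                /* image_0.1 -> "0.1": no type suffix, everything after '_' is the version */
                version = strdup(start);
        else if (isalpha(c))
                /* image_0.1.raw -> "0.1": strip the type suffix after the last '.' */
                version = strndup(start, last_dot_after_underscore - start);
        else
                version = strdup("n/a");
        if (!version)
                return -ENOMEM;
        *ret = version;
        return 0;
```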