61364ee647
...
185f80387d
Author | SHA1 | Date |
---|---|---|
Maanya Goenka | 185f80387d | |
Luca Boccassi | 9bf6ffe166 | |
Lennart Poettering | cc6baba720 | |
Lennart Poettering | 3ae48d071c | |
Antonio Alvarez Feijoo | 2ccacdd57c | |
Maanya Goenka | f3a9cb423e |
|
@ -265,32 +265,11 @@
|
|||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Options</title>
|
||||
<title>Unlocking</title>
|
||||
|
||||
<para>The following options are understood:</para>
|
||||
<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--password</option></term>
|
||||
|
||||
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
||||
<command>cryptsetup luksAddKey</command>, however may be combined with
|
||||
<option>--wipe-slot=</option> in one call, see below.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--recovery-key</option></term>
|
||||
|
||||
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
||||
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
||||
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
||||
</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
|
||||
|
||||
|
@ -328,7 +307,45 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Simple Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll simple user input based
|
||||
unlocking:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--password</option></term>
|
||||
|
||||
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
||||
<command>cryptsetup luksAddKey</command>, however may be combined with
|
||||
<option>--wipe-slot=</option> in one call, see below.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--recovery-key</option></term>
|
||||
|
||||
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
||||
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
||||
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
||||
</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>PKCS#11 Enrollment</title>
|
||||
|
||||
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
|
||||
|
||||
|
@ -361,7 +378,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FIDO2 Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
|
||||
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
|
||||
|
@ -461,7 +486,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>TPM2 Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
|
||||
|
||||
|
@ -636,7 +669,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Other Options</title>
|
||||
|
||||
<para>The following additional options are understood:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
|
||||
|
||||
|
|
|
@ -38,19 +38,12 @@ __get_tpm2_devices() {
|
|||
done
|
||||
}
|
||||
|
||||
__get_block_devices() {
|
||||
local i
|
||||
for i in /dev/*; do
|
||||
[ -b "$i" ] && printf '%s\n' "$i"
|
||||
done
|
||||
}
|
||||
|
||||
_systemd_cryptenroll() {
|
||||
local comps
|
||||
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
|
||||
local -A OPTS=(
|
||||
[STANDALONE]='-h --help --version
|
||||
--password --recovery-key'
|
||||
--password --recovery-key --list-devices'
|
||||
[ARG]='--unlock-key-file
|
||||
--unlock-fido2-device
|
||||
--unlock-tpm2-device
|
||||
|
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
|
|||
return 0
|
||||
fi
|
||||
|
||||
comps=$(__get_block_devices)
|
||||
comps=$(systemd-cryptenroll --list-devices)
|
||||
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
||||
return 0
|
||||
}
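Review bot: `comps=$(systemd-cryptenroll --list-devices)` in the second hunk runs the tool at tab-completion time without redirecting stderr, so when the binary is not in PATH or exits with an error its diagnostics are printed into the user's command line; `comps=$(systemd-cryptenroll --list-devices 2>/dev/null)` keeps completion quiet and leaves `comps` empty on failure. The `__get_block_devices` helper this replaces appears to be dropped in the first hunk, which is fine as long as no other completion file sources it. `_systemd_cryptenroll` begins in the first hunk and the completion logic between the two hunks is not shown.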
|
||||
|
|
|
@ -193,7 +193,7 @@ static int help(void) {
|
|||
"\n%3$sSimple Enrollment:%4$s\n"
|
||||
" --password Enroll a user-supplied password\n"
|
||||
" --recovery-key Enroll a recovery key\n"
|
||||
"\n%3$sPKCS11 Enrollment:%4$s\n"
|
||||
"\n%3$sPKCS#11 Enrollment:%4$s\n"
|
||||
" --pkcs11-token-uri=URI\n"
|
||||
" Specify PKCS#11 security token URI\n"
|
||||
"\n%3$sFIDO2 Enrollment:%4$s\n"
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
#include <linux/loop.h>
|
||||
|
@ -2208,6 +2209,64 @@ static int vl_method_refresh(sd_varlink *link, sd_json_variant *parameters, sd_v
|
|||
return sd_varlink_reply(link, NULL);
|
||||
}
|
||||
|
||||
static int parse_version(const char *filename, char **ret) {
|
||||
const char *start, *last_dot_after_underscore;
|
||||
char *version = NULL;
|
||||
|
||||
assert(filename);
|
||||
assert(ret);
|
||||
|
||||
/* Find the last occurrences of '_'. This will mark the start of the extension version. */
|
||||
start = strrchr(filename, '_');
|
||||
if (!start) {
|
||||
/* If no underscore found, assign "none" and return success.
|
||||
* This is for cases where there are no versions in the filename like 'image.raw'. */
|
||||
version = strdup("none");
|
||||
if (!version)
|
||||
return -ENOMEM;
|
||||
*ret = version;
|
||||
return 0;
|
||||
}
|
||||
start ++;
|
||||
|
||||
last_dot_after_underscore = strrchr(start, '.');
|
||||
if (!last_dot_after_underscore || (*(last_dot_after_underscore + 1) == '\0')) {
|
||||
/* If no dot found or if dot is the last character, treat everything
|
||||
/ after '_' as the version */
|
||||
version = strdup(start);
|
||||
if (!version)
|
||||
return -ENOMEM;
|
||||
*ret = version;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (last_dot_after_underscore[1] && isdigit(last_dot_after_underscore[1])) {
|
||||
/* If the last dot is followed by a digit, the version is everything after the underscore
|
||||
* This is for cases where the extension name is like so: image_0.1 */
|
||||
version = strdup(start);
|
||||
if (!version)
|
||||
return -ENOMEM;
|
||||
*ret = version;
|
||||
} else if (last_dot_after_underscore[1] && isalpha(last_dot_after_underscore[1])) {
|
||||
/* If the last dot is followed by a letter, the version is between the first '_' and the last dot
|
||||
* This is for cases where the extension name is like so: image_0.1.raw (version is 0.1)
|
||||
* or image_1.raw (version is 1) */
|
||||
size_t length = last_dot_after_underscore - start;
|
||||
version = strndup(start, length);
|
||||
if (!version)
|
||||
return -ENOMEM;
|
||||
*ret = version;
|
||||
} else {
|
||||
/* In all other cases assign "n/a" to version */
|
||||
version = strdup("n/a");
|
||||
if (!version)
|
||||
return -ENOMEM;
|
||||
*ret = version;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int verb_list(int argc, char **argv, void *userdata) {
|
||||
_cleanup_hashmap_free_ Hashmap *images = NULL;
|
||||
_cleanup_(table_unrefp) Table *t = NULL;
|
||||
|
@ -2227,14 +2286,27 @@ static int verb_list(int argc, char **argv, void *userdata) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
t = table_new("name", "type", "path", "time");
|
||||
t = table_new("name", "version", "type", "path", "time");
|
||||
if (!t)
|
||||
return log_oom();
|
||||
|
||||
HASHMAP_FOREACH(img, images) {
|
||||
_cleanup_free_ char *image_name = NULL, *version = NULL;
|
||||
|
||||
/* Get the absolute file name with version info for logging. */
|
||||
r = path_extract_filename(img->path, &image_name);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to extract filename from '%s': %m", img->path);
|
||||
|
||||
/* Using the above, extract just the version part from the image name */
|
||||
r = parse_version(image_name, &version);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to get version for the extension '%s': %m", image_name);
|
||||
|
||||
r = table_add_many(
|
||||
t,
|
||||
TABLE_STRING, img->name,
|
||||
TABLE_STRING, version,
|
||||
TABLE_STRING, image_type_to_string(img->type),
|
||||
TABLE_PATH, img->path,
|
||||
TABLE_TIMESTAMP, img->mtime != 0 ? img->mtime : img->crtime);
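Review bot: In parse_version, `isdigit(last_dot_after_underscore[1])` and `isalpha(last_dot_after_underscore[1])` receive a plain `char`; for filename bytes outside ASCII (e.g. UTF-8 image names) that value may be negative, which is undefined behaviour for the <ctype.h> functions, and `isalpha()` is additionally locale-dependent. Cast to `unsigned char`, or prefer the tree's own ASCII helpers where available (e.g. `ascii_isdigit()`/`ascii_isalpha()`), which would also make the new `#include <ctype.h>` unnecessary. The `last_dot_after_underscore[1] &&` guards on those two branches are redundant, since the preceding `if` already returned when that byte is NUL. Minor: a name such as `image_.raw` yields an empty version string from `strndup(start, 0)` rather than "n/a", and `start ++;` should be written `start++;`. verb_list's body continues past the end of the last hunk.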
|
||||
|
|