Merge 5aca393303 into 9bf6ffe166

man: split cryptenroll man page into sections (#35297 )
logind: allow wall messages to be controlled via config file
2024-11-22 13:01:35 +01:00 · 2024-11-22 12:01:07 +00:00 · 2024-11-22 11:10:15 +01:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:38:19 +01:00
5 changed files with 68 additions and 34 deletions
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -265,32 +265,11 @@
  </refsect1>
  <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>
-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
    <variablelist>
      <varlistentry>
        <term><option>--password</option></term>
        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
        <command>cryptsetup luksAddKey</command>, however may be combined with
        <option>--wipe-slot=</option> in one call, see below.</para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--recovery-key</option></term>
        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
        </para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Simple Enrollment</title>
    <para>The following options are understood that may be used to enroll simple user input based
    unlocking:</para>
    <variablelist>
      <varlistentry>
        <term><option>--password</option></term>
        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
        <command>cryptsetup luksAddKey</command>, however may be combined with
        <option>--wipe-slot=</option> in one call, see below.</para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--recovery-key</option></term>
        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
        </para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>PKCS#11 Enrollment</title>
    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
    <variablelist>
      <varlistentry>
        <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FIDO2 Enrollment</title>
    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
    <variablelist>
      <varlistentry>
        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>TPM2 Enrollment</title>
    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
    <variablelist>
      <varlistentry>
        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Other Options</title>
    <para>The following additional options are understood:</para>
    <variablelist>
      <varlistentry>
        <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -38,19 +38,12 @@ __get_tpm2_devices() {
    done
 }
 __get_block_devices() {
    local i
    for i in /dev/*; do
        [ -b "$i" ] && printf '%s\n' "$i"
    done
 }
 _systemd_cryptenroll() {
    local comps
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local -A OPTS=(
        [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
        return 0
    fi
-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
    COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
    return 0
 }
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -193,7 +193,7 @@ static int help(void) {
               "\n%3$sSimple Enrollment:%4$s\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "\n%3$sFIDO2 Enrollment:%4$s\n"
--- a/src/login/logind-core.c
+++ b/src/login/logind-core.c
@ -39,6 +39,7 @@ void manager_reset_config(Manager *m) {
        m->remove_ipc = true;
        m->inhibit_delay_max = 5 * USEC_PER_SEC;
        m->user_stop_delay = 10 * USEC_PER_SEC;
        m->enable_wall_messages = true;
        m->handle_action_sleep_mask = HANDLE_ACTION_SLEEP_MASK_DEFAULT;
--- a/src/login/logind.c
+++ b/src/login/logind.c
@ -64,7 +64,6 @@ static int manager_new(Manager **ret) {
        *m = (Manager) {
                .console_active_fd = -EBADF,
                .reserve_vt_fd = -EBADF,
                .enable_wall_messages = true,
                .idle_action_not_before_usec = now(CLOCK_MONOTONIC),
                .scheduled_shutdown_action = _HANDLE_ACTION_INVALID,
Author	SHA1	Message	Date
David Härdeman	0d648191c9	Merge `5aca393303` into `9bf6ffe166`	2024-11-22 13:01:35 +01:00
Luca Boccassi	9bf6ffe166	man: split cryptenroll man page into sections (#35297 )	2024-11-22 12:01:07 +00:00
David Härdeman	5aca393303	logind: allow wall messages to be controlled via config file Right now, the sending of wall messages on reboot/shutdown/etc can be controlled via DBus properties. This patch adds support for changing the default via the logind.conf file as well. Note that the DBus setting is lost if logind is restarted or reloaded, but it was already the case before this patch that the setting is lost upon restart.	2024-11-22 11:10:15 +01:00
Lennart Poettering	cc6baba720	cryptenroll: it's called PKCS#11, not PKCS11 In the --help text we really should use the official spelling, just like in the man page.	2024-11-22 10:42:37 +01:00
Lennart Poettering	3ae48d071c	man: add enrollment type sections to cryptenroll man page We have the same sections in the --help text, hence we even more so should have them in the man page.	2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo	2ccacdd57c	bash-completion: add --list-devices to systemd-cryptenroll And also use it to list suitable block devices.	2024-11-22 10:38:19 +01:00