6 Commits

Yu Watanabe 5316c32cde
Merge c5a35d3ea9 into 9bf6ffe166 2024-11-22 13:01:35 +01:00
Luca Boccassi 9bf6ffe166
man: split cryptenroll man page into sections (#35297) 2024-11-22 12:01:07 +00:00
Lennart Poettering cc6baba720 cryptenroll: it's called PKCS#11, not PKCS11
In the --help text we really should use the official spelling, just like
in the man page.
2024-11-22 10:42:37 +01:00
Lennart Poettering 3ae48d071c man: add enrollment type sections to cryptenroll man page
We have the same sections in the --help text, hence we even more so
should have them in the man page.
2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo 2ccacdd57c bash-completion: add --list-devices to systemd-cryptenroll
And also use it to list suitable block devices.
2024-11-22 10:38:19 +01:00
Yu Watanabe c5a35d3ea9 journalctl: do not override explicitly specified -b or -n with -e or -k
Fixes #35248.
2024-11-20 23:16:37 +09:00
7 changed files with 89 additions and 58 deletions


@ -474,8 +474,8 @@
<term><option>-k</option></term> <term><option>-k</option></term>
<term><option>--dmesg</option></term> <term><option>--dmesg</option></term>
<listitem><para>Show only kernel messages. This implies <option>-b</option> and adds the match <listitem><para>Show only kernel messages. This adds the match <literal>_TRANSPORT=kernel</literal>.
<literal>_TRANSPORT=kernel</literal>.</para> This implies <option>--boot=0</option> unless explicitly specified otherwise.</para>
<xi:include href="version-info.xml" xpointer="v205"/></listitem> <xi:include href="version-info.xml" xpointer="v205"/></listitem>
</varlistentry> </varlistentry>
@ -809,11 +809,10 @@
<term><option>--pager-end</option></term> <term><option>--pager-end</option></term>
<listitem><para>Immediately jump to the end of the journal inside the implied pager tool. This <listitem><para>Immediately jump to the end of the journal inside the implied pager tool. This
implies <option>-n1000</option> to guarantee that the pager will not buffer logs of unbounded implies <option>--lines=1000</option> and <option>--boot=0</option> unless explicitly specified
size. This may be overridden with an explicit <option>-n</option> with some other numeric value, otherwise, to guarantee that the pager will not buffer logs of unbounded size. Note that this option
while <option>-nall</option> will disable this cap. Note that this option is only supported for is only supported for the
the <citerefentry <citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
pager.</para> pager.</para>
<xi:include href="version-info.xml" xpointer="v198"/></listitem> <xi:include href="version-info.xml" xpointer="v198"/></listitem>


@ -265,32 +265,11 @@
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Options</title> <title>Unlocking</title>
<para>The following options are understood:</para> <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
<variablelist> <variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term> <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
<xi:include href="version-info.xml" xpointer="v256"/></listitem> <xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Simple Enrollment</title>
<para>The following options are understood that may be used to enroll simple user input based
unlocking:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PKCS#11 Enrollment</title>
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term> <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem> <xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FIDO2 Enrollment</title>
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term> <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
<xi:include href="version-info.xml" xpointer="v249"/></listitem> <xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TPM2 Enrollment</title>
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term> <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
<xi:include href="version-info.xml" xpointer="v255"/></listitem> <xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry> </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Other Options</title>
<para>The following additional options are understood:</para>
<variablelist>
<varlistentry> <varlistentry>
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term> <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
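Review bot: The introductory sentence of the new "FIDO2 Enrollment" section is a copy-paste of the PKCS#11 one and still says "may be used to enroll PKCS#11 tokens", which is wrong for the options it heads (--fido2-credential-algorithm= and the other --fido2-* options). It should read `<para>The following options are understood that may be used to enroll FIDO2 tokens:</para>`. While touching these intros, the "Unlocking" sentence would read better as "in preparation for the enrollment operations" rather than "in preparation of".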


@ -38,19 +38,12 @@ __get_tpm2_devices() {
done done
} }
__get_block_devices() {
local i
for i in /dev/*; do
[ -b "$i" ] && printf '%s\n' "$i"
done
}
_systemd_cryptenroll() { _systemd_cryptenroll() {
local comps local comps
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
local -A OPTS=( local -A OPTS=(
[STANDALONE]='-h --help --version [STANDALONE]='-h --help --version
--password --recovery-key' --password --recovery-key --list-devices'
[ARG]='--unlock-key-file [ARG]='--unlock-key-file
--unlock-fido2-device --unlock-fido2-device
--unlock-tpm2-device --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
return 0 return 0
fi fi
comps=$(__get_block_devices) comps=$(systemd-cryptenroll --list-devices)
COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0 return 0
} }
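Review bot: The new `comps=$(systemd-cryptenroll --list-devices)` runs the tool with the user's stderr still attached, so if it is not in PATH, or if --list-devices emits diagnostics while probing devices the user cannot access, those messages are printed into the terminal in the middle of tab completion, where the old `__get_block_devices` loop could not fail that way. Redirecting stderr keeps completion quiet: `comps=$(systemd-cryptenroll --list-devices 2>/dev/null)`. This also presumes --list-devices prints one bare device path per line; if it prints additional columns, `compgen -W` will offer them as candidates too, so it is worth confirming the output format here.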


@ -193,7 +193,7 @@ static int help(void) {
"\n%3$sSimple Enrollment:%4$s\n" "\n%3$sSimple Enrollment:%4$s\n"
" --password Enroll a user-supplied password\n" " --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n" " --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS11 Enrollment:%4$s\n" "\n%3$sPKCS#11 Enrollment:%4$s\n"
" --pkcs11-token-uri=URI\n" " --pkcs11-token-uri=URI\n"
" Specify PKCS#11 security token URI\n" " Specify PKCS#11 security token URI\n"
"\n%3$sFIDO2 Enrollment:%4$s\n" "\n%3$sFIDO2 Enrollment:%4$s\n"


@ -74,12 +74,8 @@ int journal_acquire_boot(sd_journal *j) {
assert(j); assert(j);
if (!arg_boot) { if (!arg_boot)
/* Clear relevant field for safety. */
arg_boot_id = SD_ID128_NULL;
arg_boot_offset = 0;
return 0; return 0;
}
/* Take a shortcut and use the current boot_id, which we can do very quickly. /* Take a shortcut and use the current boot_id, which we can do very quickly.
* We can do this only when the logs are coming from the current machine, * We can do this only when the logs are coming from the current machine,
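Review bot: `if (!arg_boot)` now tests a tristate int, and it only gives the right answer because parse_argv() (in the journalctl.c hunk) collapses the unspecified value -1 to 0 or 1 before this runs; a call reaching this function with -1 would fall through and try to resolve a boot ID. Since this hunk also drops the defensive clearing of arg_boot_id/arg_boot_offset in favour of the one in parse_argv(), that ordering dependency deserves to be stated and checked next to `assert(j);`, e.g. `assert(arg_boot >= 0); /* tristate is resolved in parse_argv() */`. The remainder of journal_acquire_boot() is outside the hunk.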


@ -45,7 +45,7 @@ bool arg_no_tail = false;
bool arg_truncate_newline = false; bool arg_truncate_newline = false;
bool arg_quiet = false; bool arg_quiet = false;
bool arg_merge = false; bool arg_merge = false;
bool arg_boot = false; int arg_boot = -1; /* tristate */
sd_id128_t arg_boot_id = {}; sd_id128_t arg_boot_id = {};
int arg_boot_offset = 0; int arg_boot_offset = 0;
bool arg_dmesg = false; bool arg_dmesg = false;
@ -452,12 +452,6 @@ static int parse_argv(int argc, char *argv[]) {
case 'e': case 'e':
arg_pager_flags |= PAGER_JUMP_TO_END; arg_pager_flags |= PAGER_JUMP_TO_END;
if (arg_lines == ARG_LINES_DEFAULT)
arg_lines = 1000;
arg_boot = true;
break; break;
case 'f': case 'f':
@ -563,7 +557,7 @@ static int parse_argv(int argc, char *argv[]) {
break; break;
case 'k': case 'k':
arg_boot = arg_dmesg = true; arg_dmesg = true;
break; break;
case ARG_SYSTEM: case ARG_SYSTEM:
@ -987,11 +981,19 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_no_tail) if (arg_no_tail)
arg_lines = ARG_LINES_ALL; arg_lines = ARG_LINES_ALL;
if (arg_follow && !arg_since_set && arg_lines == ARG_LINES_DEFAULT) if (arg_lines == ARG_LINES_DEFAULT) {
arg_lines = 10; if (arg_follow && !arg_since_set)
arg_lines = 10;
else if (FLAGS_SET(arg_pager_flags, PAGER_JUMP_TO_END))
arg_lines = 1000;
}
if (arg_follow && !arg_merge && !arg_boot) { if (arg_boot < 0)
arg_boot = true; /* Show the current boot if -f/--follow, -k/--dmesg, or -e/--pager-end is specified unless
* -m/--merge is specified. */
arg_boot = !arg_merge && (arg_follow || arg_dmesg || FLAGS_SET(arg_pager_flags, PAGER_JUMP_TO_END));
if (!arg_boot) {
/* Clear the boot ID and offset if -b/--boot is unspecified for safety. */
arg_boot_id = SD_ID128_NULL; arg_boot_id = SD_ID128_NULL;
arg_boot_offset = 0; arg_boot_offset = 0;
} }
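Review bot: The collapse in `if (arg_boot < 0) arg_boot = !arg_merge && (...)` assumes every other writer of arg_boot — in particular the -b/--boot case, which is outside this hunk — stores 0 or 1, and that nothing earlier in parse_argv() tests arg_boot as a boolean, since the new default -1 reads as true there; that is worth a check such as `assert(IN_SET(arg_boot, 0, 1));` right after the collapse, or at least a note in the comment. Note also that `-k` combined with `-m` now no longer implies the current boot (before this change `-k` set arg_boot unconditionally); the man page text for -k in this commit only says "unless explicitly specified otherwise", so if that interaction is intended the --dmesg entry should mention --merge explicitly.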


@ -50,7 +50,7 @@ extern bool arg_no_tail;
extern bool arg_truncate_newline; extern bool arg_truncate_newline;
extern bool arg_quiet; extern bool arg_quiet;
extern bool arg_merge; extern bool arg_merge;
extern bool arg_boot; extern int arg_boot;
extern sd_id128_t arg_boot_id; extern sd_id128_t arg_boot_id;
extern int arg_boot_offset; extern int arg_boot_offset;
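Review bot: The header changes the type of arg_boot to int without documenting the new meaning, so readers of other translation units that include it only see the "tristate" note buried in journalctl.c. The extern declaration should carry the encoding itself: `extern int arg_boot; /* tristate: -1 = unspecified, 0 = off, 1 = current boot; resolved in parse_argv() */`.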
extern bool arg_dmesg; extern bool arg_dmesg;