Merge da80af70d2 into 9bf6ffe166

man: split cryptenroll man page into sections (#35297 )
cryptenroll: it's called PKCS#11, not PKCS11
2024-11-22 13:01:34 +01:00 · 2024-11-22 12:01:07 +00:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:38:19 +01:00 · 2024-11-21 17:02:15 +01:00
6 changed files with 92 additions and 58 deletions
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -265,32 +265,11 @@
  </refsect1>

  <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>

-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>

    <variablelist>
-      <varlistentry>
-        <term><option>--password</option></term>
-
-        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
-        <command>cryptsetup luksAddKey</command>, however may be combined with
-        <option>--wipe-slot=</option> in one call, see below.</para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--recovery-key</option></term>
-
-        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
-        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
-        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-        </para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>

@ -328,7 +307,45 @@

        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Simple Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll simple user input based
+    unlocking:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--password</option></term>
+
+        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
+        <command>cryptsetup luksAddKey</command>, however may be combined with
+        <option>--wipe-slot=</option> in one call, see below.</para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--recovery-key</option></term>
+
+        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+        </para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>PKCS#11 Enrollment</title>
+
+    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>

@ -361,7 +378,15 @@

        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>FIDO2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>TPM2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>

@ -636,7 +669,15 @@

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Other Options</title>
+
+    <para>The following additional options are understood:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>

--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -38,19 +38,12 @@ __get_tpm2_devices() {
    done
 }

-__get_block_devices() {
-    local i
-    for i in /dev/*; do
-        [ -b "$i" ] && printf '%s\n' "$i"
-    done
-}
-
 _systemd_cryptenroll() {
    local comps
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local -A OPTS=(
        [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
        return 0
    fi

-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
    COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
    return 0
 }
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@ -467,9 +467,12 @@ char* gid_to_name(gid_t gid) {
 }

 static bool gid_list_has(const gid_t *list, size_t size, gid_t val) {
-        for (size_t i = 0; i < size; i++)
-                if (list[i] == val)
+        assert(list || size == 0);
+
+        FOREACH_ARRAY(i, list, size)
+                if (*i == val)
                        return true;
+
        return false;
 }

@ -526,20 +529,24 @@ int merge_gid_lists(const gid_t *list1, size_t size1, const gid_t *list2, size_t
        return (int)nresult;
 }

-int getgroups_alloc(gid_t** gids) {
-        gid_t *allocated;
-        _cleanup_free_  gid_t *p = NULL;
+int getgroups_alloc(gid_t **ret) {
        int ngroups = 8;
-        unsigned attempt = 0;

-        allocated = new(gid_t, ngroups);
-        if (!allocated)
+        assert(ret);
+
+        for (unsigned attempt = 0;;) {
+                _cleanup_free_ gid_t *p = NULL;
+
+                p = new(gid_t, ngroups);
+                if (!p)
                        return -ENOMEM;
-        p = allocated;

-        for (;;) {
                ngroups = getgroups(ngroups, p);
-                if (ngroups >= 0)
+                if (ngroups > 0) {
+                        *ret = TAKE_PTR(p);
+                        return ngroups;
+                }
+                if (ngroups == 0)
                        break;
                if (errno != EINVAL)
                        return -errno;
@ -554,17 +561,11 @@ int getgroups_alloc(gid_t** gids) {
                if (ngroups < 0)
                        return -errno;
                if (ngroups == 0)
-                        return false;
-
-                free(allocated);
-
-                p = allocated = new(gid_t, ngroups);
-                if (!allocated)
-                        return -ENOMEM;
+                        break;
        }

-        *gids = TAKE_PTR(p);
-        return ngroups;
+        *ret = NULL;
+        return 0;
 }

 int get_home_dir(char **ret) {
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@ -64,7 +64,7 @@ int in_gid(gid_t gid);
 int in_group(const char *name);

 int merge_gid_lists(const gid_t *list1, size_t size1, const gid_t *list2, size_t size2, gid_t **result);
-int getgroups_alloc(gid_t** gids);
+int getgroups_alloc(gid_t **ret);

 int get_home_dir(char **ret);
 int get_shell(char **ret);
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -193,7 +193,7 @@ static int help(void) {
               "\n%3$sSimple Enrollment:%4$s\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "\n%3$sFIDO2 Enrollment:%4$s\n"
--- a/src/test/test-user-util.c
+++ b/src/test/test-user-util.c
@ -444,9 +444,8 @@ TEST(gid_lists_ops) {
        assert_se(nresult >= 0);
        assert_se(memcmp_nn(result2, ELEMENTSOF(result2), res4, nresult) == 0);

-        nresult = getgroups_alloc(&gids);
-        assert_se(nresult >= 0 || nresult == -EINVAL || nresult == -ENOMEM);
-        assert_se(gids);
+        ASSERT_OK(nresult = getgroups_alloc(&gids));
+        assert_se(gids || nresult == 0);
 }

 TEST(parse_uid_range) {
Author	SHA1	Message	Date
Mike Yuan	e7a250eba4	Merge `da80af70d2` into `9bf6ffe166`	2024-11-22 13:01:34 +01:00
Luca Boccassi	9bf6ffe166	man: split cryptenroll man page into sections (#35297 )	2024-11-22 12:01:07 +00:00
Lennart Poettering	cc6baba720	cryptenroll: it's called PKCS#11, not PKCS11 In the --help text we really should use the official spelling, just like in the man page.	2024-11-22 10:42:37 +01:00
Lennart Poettering	3ae48d071c	man: add enrollment type sections to cryptenroll man page We have the same sections in the --help text, hence we even more so should have them in the man page.	2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo	2ccacdd57c	bash-completion: add --list-devices to systemd-cryptenroll And also use it to list suitable block devices.	2024-11-22 10:38:19 +01:00
Mike Yuan	da80af70d2	basic/user-util: modernize getgroups_alloc() a bit - Make sure ret is initialized if we return >= 0 - Reduce variable scope	2024-11-21 17:02:15 +01:00
Mike Yuan	62d6972874	basic/user-util: use FOREACH_ARRAY at one more place	2024-11-21 15:23:26 +01:00