author: Kamil Szczęk <kamil@szczek.dev> 2024-05-11 10:42:14 +0200
committer: Luca Boccassi <luca.boccassi@gmail.com> 2024-06-27 13:00:49 +0200
commit: fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca
tree: 63418a8ef13502d79d9e1627d52231b52c7d082b /src/shared
parent: cryptsetup: make key discovery more robust
download: systemd-fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca.tar.xz, systemd-fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca.zip
cryptsetup: allow customizing cache behavior
The new "password-cache" option allows customizing behavior of the ask-password module in regards to caching credentials in the kernel keyring. There are 3 possible values for this option:

* read-only - look for credentials in kernel keyring before asking
* on - same as read-only, but also save credentials input by user
* off - disable keyring credential cache

Currently the cache is forced upon the user and this can cause issues. For example, if a user wants to attach two volumes with two different FIDO2 tokens in quick succession, the attachment operation for the second volume will use the PIN cached from the first FIDO2 token, which of course will fail, and since tokens are only attempted once, this will cause fallback to a password prompt.
Diffstat (limited to 'src/shared')

 src/shared/cryptsetup-fido2.c | 2 --
 src/shared/cryptsetup-tpm2.c  | 2 ++
 2 files changed, 2 insertions, 2 deletions
diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c
index 001285efd1..8a5d42baba 100644
--- a/src/shared/cryptsetup-fido2.c
+++ b/src/shared/cryptsetup-fido2.c
@@ -44,8 +44,6 @@ int acquire_fido2_key(
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
- askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
-
assert(cid);
assert(key_file || key_data);
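Review bot: dropping the unconditional `askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;` means acquire_fido2_key() now caches the PIN only if its caller already set those bits, and nothing in this diff (limited to src/shared) shows the call sites that translate the new "password-cache" values into those flags. Please confirm those changes are part of the same series, otherwise FIDO2 PIN caching is silently turned off for every caller rather than made configurable. The commit message also never states which of "read-only", "on" and "off" is the default; that belongs both here and in the option documentation, since it decides whether existing setups keep their current caching behaviour after the upgrade.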
diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c
index d029f101ad..95c01678aa 100644
--- a/src/shared/cryptsetup-tpm2.c
+++ b/src/shared/cryptsetup-tpm2.c
@@ -178,6 +178,8 @@ int acquire_tpm2_key(
if (r < 0)
return r;
+ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
+
if (iovec_is_set(salt)) {
uint8_t salted_pin[SHA256_DIGEST_SIZE] = {};
CLEANUP_ERASE(salted_pin);
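Review bot: the new `askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;` in acquire_tpm2_key() deserves a one-line comment explaining why the TPM2 path refuses a cached PIN even when the user selected "read-only" or "on", because as written it looks like an accidental override of the new option rather than a deliberate policy. Note also that only ACCEPT_CACHED is cleared: if the caller passed ASK_PASSWORD_PUSH_CACHE, the PIN entered here will still be pushed to the kernel keyring but never read back by this function, so state in the comment whether that asymmetry is intended (for example, so another unlocker can consume it) or whether PUSH_CACHE should be masked out as well.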