| author | Kamil Szczęk <kamil@szczek.dev> | 2024-05-11 10:42:14 +0200 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-06-27 13:00:49 +0200 |
| commit | fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca | |
| tree | 63418a8ef13502d79d9e1627d52231b52c7d082b /src/shared | |
| parent | cryptsetup: make key discovery more robust | |
| download | systemd-fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca.tar.xz, systemd-fd8ed7f26b5e365c27599bb6b223caaaa20dd2ca.zip | |
cryptsetup: allow customizing cache behavior
The new "password-cache" option allows customizing the behavior of the
ask-password module with regard to caching credentials in the kernel
keyring. There are 3 possible values for this option:
* read-only - look for credentials in kernel keyring before asking
* on - same as read-only, but also save credentials input by user
* off - disable keyring credential cache
Currently the cache is forced upon the user and this can cause issues.
For example, if a user wants to attach two volumes with two different
FIDO2 tokens in quick succession, the attachment operation for the
second volume will use the PIN cached from the first FIDO2 token, which
of course will fail, and since tokens are only attempted once, this will
cause a fallback to a password prompt.
Diffstat (limited to 'src/shared')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/shared/cryptsetup-fido2.c | 2 |
| -rw-r--r-- | src/shared/cryptsetup-tpm2.c | 2 |

2 files changed, 2 insertions, 2 deletions
diff --git a/src/shared/cryptsetup-fido2.c b/src/shared/cryptsetup-fido2.c index 001285efd1..8a5d42baba 100644 --- a/src/shared/cryptsetup-fido2.c +++ b/src/shared/cryptsetup-fido2.c @@ -44,8 +44,6 @@ int acquire_fido2_key( return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Local verification is required to unlock this volume, but the 'headless' parameter was set."); - askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED; - assert(cid); assert(key_file || key_data); diff --git a/src/shared/cryptsetup-tpm2.c b/src/shared/cryptsetup-tpm2.c index d029f101ad..95c01678aa 100644 --- a/src/shared/cryptsetup-tpm2.c +++ b/src/shared/cryptsetup-tpm2.c @@ -178,6 +178,8 @@ int acquire_tpm2_key( if (r < 0) return r; + askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED; + if (iovec_is_set(salt)) { uint8_t salted_pin[SHA256_DIGEST_SIZE] = {}; CLEANUP_ERASE(salted_pin); |
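Review bot: With the forced `askpw_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;` removed from acquire_fido2_key(), whether a FIDO2 PIN is pushed to or read from the kernel keyring now depends entirely on the flags the caller passes in, and nothing in this diff (limited to src/shared) shows the caller being updated to translate the new password-cache option into those flags; please confirm that the caller-side change lands in the same series and state in the commit message what the default is when password-cache is not given, since users who rely on today's always-on caching otherwise get a silent behavior change. A one-line comment at the removal point saying that the caller now owns the cache policy would also keep the next reader from re-adding the flags here.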
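Review bot: The added `askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;` in acquire_tpm2_key() clears the accept-cached bit unconditionally, so the read-only and on modes described in the commit message never read a cached PIN for TPM2 volumes, while ASK_PASSWORD_PUSH_CACHE, if the caller set it, still pushes the PIN into the keyring; if that asymmetry is deliberate, for example because a stale cached PIN retried against the TPM would count toward its dictionary-attack lockout, put the reason in a comment on that line and note in the option documentation that TPM2 PINs are only written to the cache, never read from it. Consider also placing the line next to wherever askpw_flags is otherwise set up instead of between the `if (r < 0) return r;` check and the `if (iovec_is_set(salt))` block, where it reads as part of the salting logic.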