summaryrefslogtreecommitdiffstats
path: root/src/cryptsetup (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* tree-wide: never link directly against p11kitLennart Poettering2023-11-023-3/+3
| | | | | We go via dlopen() at most places, but forgot some. Cover the missing cases too.
* cryptenroll: use erase_and_free() at two more placesLennart Poettering2023-11-011-1/+1
|
* cryptsetup: remove redundant checkLennart Poettering2023-10-251-4/+0
| | | | | | | | The immediately preceeding check already covered that. This removes and addition made back in aae6eb96117acd54ce5ac572aac6a11b34c4ad99. cc @williamcroberts
* tree-wide: port various parsers over to read_stripped_line()Lennart Poettering2023-10-171-5/+4
|
* tree-wide: fix typoYu Watanabe2023-10-041-1/+1
|
* tpm2: change tpm2_unseal() to accept Tpm2Context instead of device stringDan Streetman2023-10-032-3/+13
| | | | | | | | | This matches the change to tpm2_seal(), which now accepts a Tpm2Context instead of a device string. This also allows using the same TPM context for sealing and unsealing, which will be required by (future) test code when sealing/unsealing using a transient key.
* tpm2: downgrade most log functions from error to debugDan Streetman2023-10-033-20/+29
| | | | | | | | | | Because most TPM2 functions here are 'library-like' functions, they should be at debug level, not error level. The only functions not reduced to logging at debug are tpm2_list_devices(), since it is expected to print output, and the tpm2_parse_pcr_argument_*() functions, since the system-wide parse_*_argument() functions generally log at error level.
* Merge pull request #29345 from poettering/measured-uki-conditionLennart Poettering2023-09-271-1/+1
|\ | | | | pid1: introduce ConditionSecurity=measured-uki
| * efi-loader: rename efi_stub_measured() → efi_measured_uki()Lennart Poettering2023-09-271-1/+1
| | | | | | | | | | | | | | | | | | | | Let's say "uki" rather than "stub", since that is just too generic, and we shouldn't limit us to our own stub anyway, but generally define a concept of a "measured UKI", which is a UKI that measures its part to PCR 11. This is mostly preparation for exposing this check to the user via ConditionSecurity=.
* | Merge pull request #29296 from keszybz/make-cryptsetup-offical-and-add-docsLuca Boccassi2023-09-272-29/+81
|\ \ | |/ |/| Make cryptsetup offical and add docs
| * meson: move systemd-cryptsetup to /usr/binZbigniew Jędrzejewski-Szmek2023-09-261-1/+9
| | | | | | | | | | | | This was requested, though I think an issue was never filed. If people are supposed to invoke it, even for testing, then it's reasonable to make it "public".
| * cryptsetup: fail with error if extraneous arguments are specifiedZbigniew Jędrzejewski-Szmek2023-09-261-0/+5
| | | | | | | | So far the program would silently ignore those… I think it's better to fail.
| * cryptsetup: add parse_argv() and implement --versionZbigniew Jędrzejewski-Szmek2023-09-261-29/+68
| | | | | | | | | | | | | | All public programs are expected to have that. The --help output is adjusted to follow the usual style (highlighting, listing of options). The OPTIONS positional argument is renamed to "CONFIG", because we now also have "OPTIONS…" to describe the non-positional options.
* | meson: Fix version script handlingJan Janssen2023-09-261-1/+1
|/ | | | | | Build targets should have a link dependency on the version scripts they use. This also uses absolute paths in anticipation for meson 1.3 needlessly deprecating file to string conversions.
* tpm2: whenever we measure, also write a tpm log recordLennart Poettering2023-08-301-1/+1
| | | | | | | | | | | | | | | | | | Previously we only logged our measurements to the journal. This is not a great solution though, since regular logs are subject to rotation, which is something we really cannot have for measurements (as it means we can never reproduce the PCR values from the data). Hence, let's maintain an explicit log. Ideally, we'd just use the TCG Canonical Event Log format 1:1 (https://trustedcomputinggroup.org/resource/canonical-event-log-format/). However it's not a perfect fit fo us, for various reasons. But let's follow it (in its JSON incantation) as closely at it makes sense, so that it can easily be converted to the full format by programs consuming it. Code comments explain where we deviate from the TCG CEL-JSON, and what to do about it when reading the data.
* fundamental: rename tpm-pcr.h → tpm2-pcr.hLennart Poettering2023-08-241-1/+1
| | | | | | | | | I always found it confusing that most of our TPM related definitions are in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's fix that and make this systematic, in particular as the definitions in the file all start with TPM2_ already. No code flow changes, just some renaming.
* tpm2: unify symbolic name infra for PCRsLennart Poettering2023-08-241-1/+1
| | | | | | | | | | | | | We so far maintained two places for symboic names for PCRs. One in tpm2-util.h and one in tpm-pcr.h. Let's unify this into one, i.e. move the full list from tpm2-util.h into tpm-pcr.h, replacing the short list placed so far there. Systematically prefix the definitions with TPM2_ or tpm2_, to follow how we do this for all other defines in this context. No change in behaviour, just unification of tables.
* various: use _NEG_ macros to reduce indentationZbigniew Jędrzejewski-Szmek2023-08-161-4/+5
| | | | No functional change intended.
* tpm2: change tpm2_parse_pcr_argument() parameters to parse to Tpm2PCRValue arrayDan Streetman2023-08-041-1/+1
| | | | | | | In order to allow users to specify expected PCR values, change the tpm2_parse_pcr_argument() to parse the text argument into an array of Tpm2PCRValue objects, which provide not only the selected PCR indexes, but also (optionally) the hash algorithm and hash value for each PCR index.
* tpm2: add Tpm2PCRValue struct and associated functionsDan Streetman2023-08-042-2/+2
| | | | | | | | Add a new struct that can represent a PCR index, hash, and value all together. This replaces code (e.g. the tpm2_pcr_read() parameters) that required using both a TPML_PCR_SELECTION as well as array of TPM2B_DIGEST entries, which was difficult to correlate the selection hash/index to each digest.
* meson: move declarations of cryptsetup and friendsYu Watanabe2023-07-311-0/+18
|
* meson: move declaration of cryptsetup token modulesYu Watanabe2023-07-312-3/+53
|
* Merge pull request #28428 from ldv-alt/ERRNO_ISLuca Boccassi2023-07-301-3/+4
|\ | | | | treewide: cleanup use of ERRNO_IS_*(r)
| * cryptsetup: cleanup use of ERRNO_IS_NOT_SUPPORTED()Dmitry V. Levin2023-07-281-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | Given that ERRNO_IS_NOT_SUPPORTED() also matches positive values, make sure this macro is not called with arguments that do not have errno semantics. In this case the argument passed to ERRNO_IS_NOT_SUPPORTED() is the value returned by find_tpm2_auto_data() which is not expected to return any positive values, but let's be consistent anyway and move the ERRNO_IS_NOT_SUPPORTED() invocation to the branch where the return value is known to be negative.
* | Drop split-usr and unmerged-usr supportLuca Boccassi2023-07-281-2/+2
|/ | | | | | | | | | As previously announced, execute order 66: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html The meson options split-usr, rootlibdir and rootprefix become no-ops that print a warning if they are set to anything other than the default values. We can remove them in a future release.
* tpm2: replace _cleanup_tpm2_* macros with _cleanup_()Dan Streetman2023-06-081-1/+1
| | | | | | Remove _cleanup_tpm2_context_ and _cleanup_tpm2_handle_ macros, replacing their use with _cleanup_(tpm2_context_unrefp) and _cleanup_(tpm2_handle_freep), respectively.
* generators: change TimeoutSec=0 to TimeoutSec=infinityLennart Poettering2023-06-061-1/+2
| | | | | | | | | | | | | | | With these settings we intend to turn off timeouts for possibly interactive/slow commands. The officially documented way to turn off the time-outs is to setting them to infinity. So far we set them to zero here though. This lead to some confusiong, for example #18224. Let's fix this by uniformly spelling out TimeoutSec=infinity. This doesn't change behaviour. It just makes our generated files match what we document, without relying on historic compat support. Fixes: #18224
* cryptsetup: avoid calling strv_find() on a NULL pointerFrantisek Sumsal2023-06-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | When the header= option comes before any other type= defining one, we trip over an assertion: Jun 04 15:45:33 H testsuite-24.sh[752]: + systemctl start systemd-cryptsetup@detached.service Jun 04 15:45:33 H systemd[1]: Starting systemd-cryptsetup@detached.service... Jun 04 15:45:33 H systemd-cryptsetup[4641]: Assertion 'name' failed at src/basic/strv.c:21, function strv_find(). Aborting. ... Jun 04 15:45:33 H systemd-coredump[4643]: Process 4641 (systemd-cryptse) of user 0 dumped core. ... Stack trace of thread 4641: #0 0x00007ff9256afe5c __pthread_kill_implementation (libc.so.6 + 0x8ce5c) #1 0x00007ff92565fa76 raise (libc.so.6 + 0x3ca76) #2 0x00007ff9256497fc abort (libc.so.6 + 0x267fc) #3 0x00007ff926076047 log_assert_failed (libsystemd-shared-253.so + 0x276047) #4 0x00007ff9260ab317 strv_find (libsystemd-shared-253.so + 0x2ab317) #5 0x0000000000405927 parse_one_option (systemd-cryptsetup + 0x5927) #6 0x0000000000407793 parse_options (systemd-cryptsetup + 0x7793) #7 0x000000000040fa0c run (systemd-cryptsetup + 0xfa0c) #8 0x000000000041137f main (systemd-cryptsetup + 0x1137f) #9 0x00007ff92564a510 __libc_start_call_main (libc.so.6 + 0x27510) #10 0x00007ff92564a5c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x275c9) #11 0x0000000000403915 _start (systemd-cryptsetup + 0x3915) ELF object binary architecture: AMD x86-64
* {crypt|verity}setup: mention volume name in some error messagesLennart Poettering2023-06-011-2/+2
|
* {crypt|verity}setup: replace dep on systemd-tmpfiles-setup-dev.service by ↵Lennart Poettering2023-06-011-5/+5
| | | | | | | | | | | | modprobe@loop.service Both should have the same effect: the /dev/loop-control devices should become available. systemd-tmpfiles-setup-dev.service creates the device node "dry" based on modalias data, while modprobe@loop.service creates it fully, because the module backing it is loaded properly. This should shorten the deps chain a bit, simplify things and allows us to focus on the stuff we actually need (i.e. the loopback infra) instead of all entrypoints anyone might possibly need (i.e. the device nodes)
* cryptsetup-generator: imply x-initrd.attach for "usr" and "root" volumesLennart Poettering2023-06-011-6/+18
| | | | | | | | | | | | | | | | | | | | | | | | | Let's imply "x-initrd.attach" for "usr" and "root" volumes, so that we do not attempt to umount them anymore during shutdown. The names of these volumes have been mandated by the Discoverable Partition Spec: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/#suggested-mode-of-operation Hence it appears reasonably safe to special case these volume names. Note that a similar logic is implemented in fstab-generator and in fact PID 1 to treat the root mount and /usr/ mount specially too, to avoid trying to umount it at shutdown. (This is what fstab_is_extrinsic() checks). This should ensure that if /usr/ or / is for some reason a LUKS medium we won't try to detach it during runtime, which likely fails, since we run off it. Note this also moves an ordering dep towards umount.target under the x-initrd.attach check, becasue that's where the crucial conflicts dep is placed too.
* cryptsetup: fix whitespace issueLennart Poettering2023-06-011-1/+1
|
* tpm: remove external calls to dlopen_tpm2()Dan Streetman2023-05-311-4/+0
| | | | | The calls outside tpm2-util.c are redundant, as tpm2_context_new() is always called immediately after, which then calls dlopen_tpm2().
* crypttab: Support for VeraCrypt PIM and detached headers for ↵Klaus Zipfel2023-05-061-3/+20
| | | | | TrueCrypt/VeraCrypt (#27548) * Added veracrypt-pim=<PIM> LUKS option for crypttab
* cryptsetup: downgrade a bunch of log messages that to LOG_WARNINGLennart Poettering2023-05-031-38/+24
| | | | | In all these cases we ignore the failure, hence per our rule the log level should be below LOG_ERR. Fix that.
* cryptsetup: fix build without TPM2Luca Boccassi2023-04-041-0/+4
| | | | Follow-up for acbb504eaf1be51572b1c0d0d490ac478bc41c64
* tpm2: add support for a trusted SRKWilliam Roberts2023-04-036-8/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevent attackers from spoofing the tpmKey portion of the AuthSession by adding a trusted key to the LUKS header metadata. Also, use a persistent object rather than a transient object. This provides the following benifits: 1. No way to MITM the tpmKey portion of the session, see [1] for details. 2. Strengthens the encrypted sessions, note that the bindKey could be dropped now. 3. Speed, once it's created we just use it. 4. Owner Auth is needed to call create primary, so using the SRK creates a scratch space for normal users. This is a "first to set" model, in where the first person to set the key in the LUKS header wins. Thus, setup should be done in a known good state. If an SRK, which is a primary key at a special persistent address, is found, it will use whatever is there. If not, it creates an SRK. The SRK follows the convetions used through the tpm2-software organization code on GitHub [2], however, a split has occured between Windows and Linux with respect to SRK templates. The Linux SRK is generated with the unique field size set to 0, in Windows, it properly sets the size to key size in bytes and the unique data to all 0's of that size. Note the proper templates for SRKs is covered in spec [3]. However, the most important thing, is that both SRKs are passwordless, and thus they should be interchangable. If Windows is the first to make the SRK, systemd will gladly accept it and vice-versa. 1. Without the bindKey being utilized, an attacker was able to intercept this and fake a key, thus being able to decrypt and encrypt traffic as needed. Introduction of the bindKey strengthened this, but allows for the attacker to brute force AES128CFB using pin guesses. Introduction of the salt increases the difficulty of this attack as well as DA attacks on the TPM objects itself. 2. https://github.com/tpm2-software 3. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf Fixes: #20668 Fixes: #22637 Signed-off-by: William Roberts <william.c.roberts@intel.com>
* meson: Introduce userspace depJan Janssen2023-03-101-0/+1
| | | | This will help in a later commit to separate userspace from EFI builds.
* tpm2: add/rename functions to manage pcr selectionsDan Streetman2023-03-091-6/+6
| | | | | | This renames some functions to match other to/from_string() naming, and allows better management of TPML_PCR_SELECTION and TPMS_PCR_SELECTION structs.
* tpm2: add TPM2_PCR_VALID()Dan Streetman2023-03-092-2/+2
|
* cryptsetup: check the existence of salt by salt_size > 0Yu Watanabe2023-02-171-1/+1
| | | | | | Follow-up for 504d0acf61c8472bc93c2a927e858074873b2eaf. The function may be called with non-NULL salt and salt_size == 0.
* cryptsetup: do not assert when unsealing token without saltLuca Boccassi2023-02-152-2/+5
| | | | | | | | Salt was added in v253. We are not checking whether it was actually found (non-zero size), so when an old tpm+pin enrollment is opened things go boom. For good measure, check both the buffer and the size in both places. Assertion 'saltlen > 0' failed at src/shared/tpm2-util.c:2490, function tpm2_util_pbkdf2_hmac_sha256(). Aborting.
* tpm2: use Tpm2Context* instead of ESYS_CONTEXT*Dan Streetman2023-02-011-2/+2
| | | | | This is needed for later patches that use Tpm2Handle, which requires access to the Tpm2Context.
* tpm2: use ref counter for Tpm2ContextDan Streetman2023-02-011-4/+4
| | | | | | | This will be used by Tpm2Handle instances, which is added in later patches. The refcounting allows the context to be retained until all Tpm2Handles have been cleaned up, and the initial ref is released, before cleaning the context.
* tpm2: rename struct tpm2_context to Tpm2ContextDan Streetman2023-02-011-1/+1
| | | | This aligns with systemd coding guidelines for struct naming
* tpm2: rename tpm2 alg id<->string functionsDan Streetman2023-02-011-4/+4
| | | | | | The 'pcr_bank' functions operate on hash algs, and are not specific to the PCR banks, while the 'primary_alg' functions operate on asymmetric algs, and are not specific to primary keys.
* shared/efi-loader: fix compilation with !ENABLE_EFI, improve messagesZbigniew Jędrzejewski-Szmek2023-01-251-2/+2
| | | | | | | | | | | | When compiled without ENABLE_EFI, efi_stub_measured() was not defined, so compilation would fail. But it's not enough to add a stub that returns -EOPNOTSUPP. We call this function in various places and usually print the error at warning or error level, so we'd print a confusing message. We also can't add a stub that always returns 0, because then we'd print a message like "Kernel stub did not measure", which would be confusing too. Adding special handling for -EOPNOTSUPP in every caller is also unattractive. So instead efi_stub_measured() is reworked to log the warning or error internally, and such logging is removed from the callers, and a stub is added that logs a custom message.
* meson: Do not include headers in source listsJan Janssen2023-01-242-9/+5
| | | | | | Meson+ninja+compiler do this for us and are better at it. https://mesonbuild.com/FAQ.html#do-i-need-to-add-my-headers-to-the-sources-list-like-in-autotools
* string-util: add common implementation of function that converts sized ↵Lennart Poettering2023-01-211-17/+3
| | | | character buffers to NUL terminated C strings
* tree-wide: fix typoYu Watanabe2023-01-201-1/+1
|
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-04 15:39:11 +0100