cryptenroll: use root device by default

2024-07-21 18:24:38 +00:00 · 2024-02-28 14:46:05 +01:00 · 2024-02-28 14:46:05 +01:00 · 1df4b21abd
parent b954d22e60
commit 1df4b21abd
2 changed files with 29 additions and 9 deletions
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -61,6 +61,9 @@
    <para>The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token
    area, which is not available in other encryption formats.</para>

+    <para><command>systemd-cryptsetup</command> operates on the device backing <filename>/</filename> if no
+    device is specified explicitly and no wipe operation is requested</para>
+
    <refsect2>
      <title>TPM2 PCRs and policies</title>

@ -228,7 +231,7 @@
    token, or a TPM2 key is always enrolled.</para>

    <para>Also note that support for enrolling multiple FIDO2 tokens is currently limited. When multiple FIDO2
-    tokens are enrolled, <command>systemd-cryptseup</command> will perform pre-flight requests to attempt to
+    tokens are enrolled, <command>systemd-cryptsetup</command> will perform pre-flight requests to attempt to
    identify which of the enrolled tokens are currently plugged in. However, this is not possible for FIDO2
    tokens with user verification (UV, usually via biometrics), in which case it will fall back to attempting
    each enrolled token one by one. This will result in multiple prompts for PIN and user verification. This
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -5,6 +5,7 @@

 #include "ask-password-api.h"
 #include "build.h"
+#include "blockdev-util.h"
 #include "cryptenroll-fido2.h"
 #include "cryptenroll-list.h"
 #include "cryptenroll-password.h"
@ -14,6 +15,7 @@
 #include "cryptenroll-wipe.h"
 #include "cryptenroll.h"
 #include "cryptsetup-util.h"
+#include "devnum-util.h"
 #include "env-util.h"
 #include "escape.h"
 #include "fileio.h"
@ -534,17 +536,32 @@ static int parse_argv(int argc, char *argv[]) {
                }
        }

-        if (optind >= argc)
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "No block device node specified, refusing.");
-
        if (argc > optind+1)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Too many arguments, refusing.");

-        r = parse_path_argument(argv[optind], false, &arg_node);
-        if (r < 0)
-                return r;
+        if (optind < argc) {
+                r = parse_path_argument(argv[optind], false, &arg_node);
+                if (r < 0)
+                        return r;
+        } else if (!wipe_requested()) {
+                dev_t devno;
+
+                r = blockdev_get_root(LOG_ERR, &devno);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
+                                        "Root file system not backed by a (single) whole block device.");
+
+                r = device_path_make_canonical(S_IFBLK, devno, &arg_node);
+                if (r < 0)
+                        return log_error_errno(r,
+                                               "Failed to format canonical device path for devno '" DEVNUM_FORMAT_STR "': %m",
+                                               DEVNUM_FORMAT_VAL(devno));
+        } else
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "No block device node specified, refusing.");

        if (arg_enroll_type == ENROLL_FIDO2) {

@ -671,7 +688,7 @@ static int prepare_luks(

        r = crypt_load(cd, CRYPT_LUKS2, NULL);
        if (r < 0)
-                return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
+                return log_error_errno(r, "Failed to load LUKS2 superblock of %s: %m", arg_node);

        r = check_for_homed(cd);
        if (r < 0)