cryptenroll: use root device by default
parent
b954d22e60
commit
1df4b21abd
|
@ -61,6 +61,9 @@
|
|||
<para>The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token
|
||||
area, which is not available in other encryption formats.</para>
|
||||
|
||||
<para><command>systemd-cryptsetup</command> operates on the device backing <filename>/</filename> if no
|
||||
device is specified explicitly and no wipe operation is requested</para>
|
||||
|
||||
<refsect2>
|
||||
<title>TPM2 PCRs and policies</title>
|
||||
|
||||
|
@ -228,7 +231,7 @@
|
|||
token, or a TPM2 key is always enrolled.</para>
|
||||
|
||||
<para>Also note that support for enrolling multiple FIDO2 tokens is currently limited. When multiple FIDO2
|
||||
tokens are enrolled, <command>systemd-cryptseup</command> will perform pre-flight requests to attempt to
|
||||
tokens are enrolled, <command>systemd-cryptsetup</command> will perform pre-flight requests to attempt to
|
||||
identify which of the enrolled tokens are currently plugged in. However, this is not possible for FIDO2
|
||||
tokens with user verification (UV, usually via biometrics), in which case it will fall back to attempting
|
||||
each enrolled token one by one. This will result in multiple prompts for PIN and user verification. This
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
#include "ask-password-api.h"
|
||||
#include "build.h"
|
||||
#include "blockdev-util.h"
|
||||
#include "cryptenroll-fido2.h"
|
||||
#include "cryptenroll-list.h"
|
||||
#include "cryptenroll-password.h"
|
||||
|
@ -14,6 +15,7 @@
|
|||
#include "cryptenroll-wipe.h"
|
||||
#include "cryptenroll.h"
|
||||
#include "cryptsetup-util.h"
|
||||
#include "devnum-util.h"
|
||||
#include "env-util.h"
|
||||
#include "escape.h"
|
||||
#include "fileio.h"
|
||||
|
@ -534,17 +536,32 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
}
|
||||
}
|
||||
|
||||
if (optind >= argc)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"No block device node specified, refusing.");
|
||||
|
||||
if (argc > optind+1)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Too many arguments, refusing.");
|
||||
|
||||
r = parse_path_argument(argv[optind], false, &arg_node);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (optind < argc) {
|
||||
r = parse_path_argument(argv[optind], false, &arg_node);
|
||||
if (r < 0)
|
||||
return r;
|
||||
} else if (!wipe_requested()) {
|
||||
dev_t devno;
|
||||
|
||||
r = blockdev_get_root(LOG_ERR, &devno);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
|
||||
"Root file system not backed by a (single) whole block device.");
|
||||
|
||||
r = device_path_make_canonical(S_IFBLK, devno, &arg_node);
|
||||
if (r < 0)
|
||||
return log_error_errno(r,
|
||||
"Failed to format canonical device path for devno '" DEVNUM_FORMAT_STR "': %m",
|
||||
DEVNUM_FORMAT_VAL(devno));
|
||||
} else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"No block device node specified, refusing.");
|
||||
|
||||
if (arg_enroll_type == ENROLL_FIDO2) {
|
||||
|
||||
|
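Review bot: The fallback to the root backing device in the new `else if (!wipe_requested())` branch is silent: once `device_path_make_canonical()` has filled in `arg_node`, nothing reports which device the enrollment is about to modify, whereas the explicit path has the operator naming it on the command line. Since the tool writes token metadata into that device's LUKS2 header, a line such as `log_info("No device specified, using root file system backing device %s.", arg_node);` after the canonicalisation would make the implicit choice visible in the journal and on the console. The trailing `else` keeps the old wording "No block device node specified, refusing." although it is now reached only when a wipe operation is requested; stating that reason, e.g. `"No block device node specified, refusing to wipe without an explicit device."`, would tell the user why the root default was not applied. The rest of parse_argv continues outside the hunk.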
@ -671,7 +688,7 @@ static int prepare_luks(
|
|||
|
||||
r = crypt_load(cd, CRYPT_LUKS2, NULL);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to load LUKS2 superblock: %m");
|
||||
return log_error_errno(r, "Failed to load LUKS2 superblock of %s: %m", arg_node);
|
||||
|
||||
r = check_for_homed(cd);
|
||||
if (r < 0)
|
||||
|
|