crypttab: Support for VeraCrypt PIM and detached headers for TrueCrypt/VeraCrypt (#27548)

* Added veracrypt-pim=<PIM> crypttab option for VeraCrypt (tcrypt) volumes
This commit is contained in:
Klaus Zipfel 2023-05-06 22:55:05 +02:00 committed by GitHub
parent 3be6943e07
commit 703902400d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 8 deletions


@ -172,12 +172,11 @@
<varlistentry> <varlistentry>
<term><option>header=</option></term> <term><option>header=</option></term>
<listitem><para>Use a detached (separated) metadata device or <listitem><para>Use a detached (separated) metadata device or file
file where the LUKS header is stored. This option is only where the header containing the master key(s) is stored. This
relevant for LUKS devices. See option is only relevant for LUKS and TrueCrypt/VeraCrypt devices. See
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for possible values and the default value of this for possible values and the default value of this option.</para>
option.</para>
<para>Optionally, the path may be followed by <literal>:</literal> and an <para>Optionally, the path may be followed by <literal>:</literal> and an
<filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or <filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or
@ -483,6 +482,25 @@
option implies <option>tcrypt</option>.</para></listitem> option implies <option>tcrypt</option>.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>veracrypt-pim=</option></term>
<listitem><para>Specifies a custom Personal Iteration Multiplier (PIM)
value, which can range from 0..2147468 for standard veracrypt volumes
and 0..65535 for veracrypt system volumes. A value of 0 will imply the
VeraCrypt default.
This option is only effective when <option>tcrypt-veracrypt</option> is
set.</para>
<para>Note that VeraCrypt enforces a minimal allowed PIM value depending on the
password strength and the hash algorithm used for key derivation, however
<option>veracrypt-pim=</option> is not checked against these bounds.
<ulink url="https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html">See
documentation</ulink> for more information.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>timeout=</option></term> <term><option>timeout=</option></term>


@ -81,6 +81,7 @@ static bool arg_no_write_workqueue = false;
static bool arg_tcrypt_hidden = false; static bool arg_tcrypt_hidden = false;
static bool arg_tcrypt_system = false; static bool arg_tcrypt_system = false;
static bool arg_tcrypt_veracrypt = false; static bool arg_tcrypt_veracrypt = false;
static uint32_t arg_tcrypt_veracrypt_pim = 0;
static char **arg_tcrypt_keyfiles = NULL; static char **arg_tcrypt_keyfiles = NULL;
static uint64_t arg_offset = 0; static uint64_t arg_offset = 0;
static uint64_t arg_skip = 0; static uint64_t arg_skip = 0;
@ -233,7 +234,8 @@ static int parse_one_option(const char *option) {
return log_oom(); return log_oom();
} else if ((val = startswith(option, "header="))) { } else if ((val = startswith(option, "header="))) {
arg_type = ANY_LUKS; if (!STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT))
arg_type = ANY_LUKS;
if (!path_is_absolute(val)) if (!path_is_absolute(val))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@ -298,6 +300,13 @@ static int parse_one_option(const char *option) {
} else if (STR_IN_SET(option, "tcrypt-veracrypt", "veracrypt")) { } else if (STR_IN_SET(option, "tcrypt-veracrypt", "veracrypt")) {
arg_type = CRYPT_TCRYPT; arg_type = CRYPT_TCRYPT;
arg_tcrypt_veracrypt = true; arg_tcrypt_veracrypt = true;
} else if ((val = startswith(option, "veracrypt-pim="))) {
r = safe_atou32(val, &arg_tcrypt_veracrypt_pim);
if (r < 0) {
log_warning_errno(r, "Failed to parse %s, ignoring: %m", option);
return 0;
}
} else if (STR_IN_SET(option, "plain", "swap", "tmp") || } else if (STR_IN_SET(option, "plain", "swap", "tmp") ||
startswith(option, "tmp=")) startswith(option, "tmp="))
arg_type = CRYPT_PLAIN; arg_type = CRYPT_PLAIN;
@ -981,6 +990,9 @@ static int attach_tcrypt(
if (arg_tcrypt_veracrypt) if (arg_tcrypt_veracrypt)
params.flags |= CRYPT_TCRYPT_VERA_MODES; params.flags |= CRYPT_TCRYPT_VERA_MODES;
if (arg_tcrypt_veracrypt && arg_tcrypt_veracrypt_pim != 0)
params.veracrypt_pim = arg_tcrypt_veracrypt_pim;
if (key_data) { if (key_data) {
params.passphrase = key_data; params.passphrase = key_data;
@ -2157,8 +2169,13 @@ static int run(int argc, char *argv[]) {
destroy_key_file = key_file; /* let's get this baby erased when we leave */ destroy_key_file = key_file; /* let's get this baby erased when we leave */
if (arg_header) { if (arg_header) {
log_debug("LUKS header: %s", arg_header); if (streq_ptr(arg_type, CRYPT_TCRYPT)){
r = crypt_init(&cd, arg_header); log_debug("tcrypt header: %s", arg_header);
r = crypt_init_data_device(&cd, arg_header, source);
} else {
log_debug("LUKS header: %s", arg_header);
r = crypt_init(&cd, arg_header);
}
} else } else
r = crypt_init(&cd, source); r = crypt_init(&cd, source);
if (r < 0) if (r < 0)
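Review bot: The new `header=` branch now reads `arg_type` before assigning it, `if (!STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT))`, whereas the old code unconditionally set `arg_type = ANY_LUKS` and so never dereferenced it; if `arg_type` is still NULL at this point (its declaration is outside the hunk, and a crypttab line that lists `header=` before any type option would presumably leave it unset), the string-set comparison is handed a NULL, which systemd's strv helpers are not obviously safe against. A NULL guard makes the intent explicit and keeps the old default: `if (!arg_type || !STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT))`. Note also that the later `attach_tcrypt` hunk only copies `arg_tcrypt_veracrypt_pim` when `arg_tcrypt_veracrypt` is set, while `veracrypt-pim=` itself does not set that flag, so a crypttab line with only `veracrypt-pim=` silently ignores the PIM; a `log_warning` at the point of use, or a comment `/* veracrypt-pim= is a no-op unless veracrypt/tcrypt-veracrypt is also given */`, would make that visible. parse_one_option and run both start and end outside their hunks.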