cryptsetup: support keyfile-timeout for using a device as the key file

Closes https://github.com/systemd/systemd/issues/21993
2024-07-22 02:34:54 +00:00 · 2022-08-05 00:45:33 +08:00 · 2022-08-05 00:45:33 +08:00 · 7aa0b0121e
parent 57a0e3f503
commit 7aa0b0121e
2 changed files with 21 additions and 8 deletions
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@ -232,8 +232,8 @@
        <term><option>keyfile-timeout=</option></term>

        <listitem><para> Specifies the timeout for the device on
-        which the key file resides and falls back to a password if
-        it could not be mounted. See
+        which the key file resides or the device used as the key file,
+        and falls back to a password if it could not be accessed. See
        <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        for key files on external devices.
        </para></listitem>
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@ -227,9 +227,11 @@ static int generate_device_umount(const char *name,
        return 0;
 }

-static int print_dependencies(FILE *f, const char* device_path) {
+static int print_dependencies(FILE *f, const char* device_path, const char* timeout_value, bool canfail) {
        int r;

+        assert(!canfail || timeout_value);
+
        if (STR_IN_SET(device_path, "-", "none"))
                /* None, nothing to do */
                return 0;
@ -259,9 +261,16 @@ static int print_dependencies(FILE *f, const char* device_path) {
                if (r < 0)
                        return log_error_errno(r, "Failed to generate unit name: %m");

-                fprintf(f,
-                        "After=%1$s\n"
-                        "Requires=%1$s\n", unit);
+                fprintf(f, "After=%1$s\n", unit);
+                if (canfail) {
+                        fprintf(f, "Wants=%1$s\n", unit);
+                        r = write_drop_in_format(arg_dest, unit, 90, "device-timeout",
+                                "# Automatically generated by systemd-cryptsetup-generator \n\n"
+                                "[Unit]\nJobRunningTimeoutSec=%s", timeout_value);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to write device drop-in: %m");
+                } else
+                        fprintf(f, "Requires=%1$s\n", unit);
        } else {
                /* Regular file, add mount dependency */
                _cleanup_free_ char *escaped_path = specifier_escape(device_path);
@ -463,14 +472,18 @@ static int create_disk(
                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

        if (key_file && !keydev) {
-                r = print_dependencies(f, key_file);
+                r = print_dependencies(f, key_file,
+                        keyfile_timeout_value,
+                        /* canfail= */ keyfile_can_timeout > 0);
                if (r < 0)
                        return r;
        }

        /* Check if a header option was specified */
        if (detached_header > 0 && !headerdev) {
-                r = print_dependencies(f, header_path);
+                r = print_dependencies(f, header_path,
+                        NULL,
+                        /* canfail= */ false); /* header is always necessary */
                if (r < 0)
                        return r;
        }