systemd/0297-cryptsetup-add-keyfile-timeout-to-allow-a-keydev-tim.patch

274 lines
11 KiB
Diff
Raw Normal View History

From 0f7a4f49a7ce95e87061afe03ac40662a1eb0e2d Mon Sep 17 00:00:00 2001
From: shinygold <10763595+shinygold@users.noreply.github.com>
Date: Tue, 16 Jul 2019 13:06:16 +0200
Subject: [PATCH] cryptsetup: add keyfile-timeout to allow a keydev timeout and
allow to fallback to a password if it fails.
(cherry picked from commit 50d2eba27b9bfc77ef6b40e5721713846815418b)
Resolves: #1763155
---
src/cryptsetup/cryptsetup-generator.c | 119 ++++++++++++++++++--------
src/cryptsetup/cryptsetup.c | 5 +-
2 files changed, 89 insertions(+), 35 deletions(-)
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 52c1262728..1e8e3ba00d 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -40,10 +40,39 @@ static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;
-static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
- _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
+static int split_keyspec(const char *keyspec, char **keyfile, char **keydev) {
+ _cleanup_free_ char *kfile = NULL, *kdev = NULL;
+ char *c;
+
+ assert(keyspec);
+ assert(keyfile);
+ assert(keydev);
+
+ c = strrchr(keyspec, ':');
+ if (c) {
+ kfile = strndup(keyspec, c-keyspec);
+ kdev = strdup(c + 1);
+ if (!*kfile || !*kdev)
+ return log_oom();
+ } else {
+ /* No keydev specified */
+ kfile = strdup(keyspec);
+ kdev = NULL;
+ if (!*kfile)
+ return log_oom();
+ }
+
+ *keyfile = TAKE_PTR(kfile);
+ *keydev = TAKE_PTR(kdev);
+
+ return 0;
+}
+
+static int generate_keydev_mount(const char *name, const char *keydev, const char *keydev_timeout, bool canfail, char **unit, char **mount) {
+ _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL, *device_unit = NULL;
_cleanup_fclose_ FILE *f = NULL;
int r;
+ usec_t timeout_us;
assert(name);
assert(keydev);
@@ -88,7 +117,25 @@ static int generate_keydev_mount(const char *name, const char *keydev, char **un
"[Mount]\n"
"What=%s\n"
"Where=%s\n"
- "Options=ro\n", what, where);
+ "Options=ro%s\n", what, where, canfail ? ",nofail" : "");
+
+ if (keydev_timeout) {
+ r = parse_sec_fix_0(keydev_timeout, &timeout_us);
+ if (r >= 0) {
+ r = unit_name_from_path(what, ".device", &device_unit);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate unit name: %m");
+
+ r = write_drop_in_format(arg_dest, device_unit, 90, "device-timeout",
+ "# Automatically generated by systemd-cryptsetup-generator \n\n"
+ "[Unit]\nJobRunningTimeoutSec=%s", keydev_timeout);
+ if (r < 0)
+ return log_error_errno(r, "Failed to write device drop-in: %m");
+
+ } else
+ log_warning_errno(r, "Failed to parse %s, ignoring: %m", keydev_timeout);
+
+ }
r = fflush_and_check(f);
if (r < 0)
@@ -103,16 +150,17 @@ static int generate_keydev_mount(const char *name, const char *keydev, char **un
static int create_disk(
const char *name,
const char *device,
- const char *keydev,
const char *password,
+ const char *keydev,
const char *options) {
_cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
- *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
+ *keydev_mount = NULL, *keyfile_timeout_value = NULL, *password_escaped = NULL,
+ *filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
bool noauto, nofail, tmp, swap, netdev;
- int r;
+ int r, keyfile_can_timeout;
assert(name);
assert(device);
@@ -123,6 +171,10 @@ static int create_disk(
swap = fstab_test_option(options, "swap\0");
netdev = fstab_test_option(options, "_netdev\0");
+ keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
+ if (keyfile_can_timeout < 0)
+ return log_error_errno(keyfile_can_timeout, "Failed to parse keyfile-timeout= option value: %m");
+
if (tmp && swap) {
log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
return -EINVAL;
@@ -152,12 +204,6 @@ static int create_disk(
if (r < 0)
return log_error_errno(r, "Failed to generate unit name: %m");
- if (password) {
- password_escaped = specifier_escape(password);
- if (!password_escaped)
- return log_oom();
- }
-
if (keydev && !password) {
log_error("Key device is specified, but path to the password file is missing.");
return -EINVAL;
@@ -178,10 +224,16 @@ static int create_disk(
"After=%s\n",
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
+ if (password) {
+ password_escaped = specifier_escape(password);
+ if (!password_escaped)
+ return log_oom();
+ }
+
if (keydev) {
_cleanup_free_ char *unit = NULL, *p = NULL;
- r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
+ r = generate_keydev_mount(name, keydev, keyfile_timeout_value, keyfile_can_timeout > 0, &unit, &keydev_mount);
if (r < 0)
return log_error_errno(r, "Failed to generate keydev mount unit: %m");
@@ -190,6 +242,12 @@ static int create_disk(
return log_oom();
free_and_replace(password_escaped, p);
+
+ fprintf(f, "After=%s\n", unit);
+ if (keyfile_can_timeout > 0)
+ fprintf(f, "Wants=%s\n", unit);
+ else
+ fprintf(f, "Requires=%s\n", unit);
}
if (!nofail)
@@ -197,7 +255,7 @@ static int create_disk(
"Before=%s\n",
netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
- if (password) {
+ if (password && !keydev) {
if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
fputs("After=systemd-random-seed.service\n", f);
else if (!STR_IN_SET(password, "-", "none")) {
@@ -271,7 +329,7 @@ static int create_disk(
if (keydev)
fprintf(f,
- "ExecStartPost=" UMOUNT_PATH " %s\n\n",
+ "ExecStartPost=-" UMOUNT_PATH " %s\n\n",
keydev_mount);
r = fflush_and_check(f);
@@ -394,7 +452,6 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
} else if (streq(key, "luks.key")) {
size_t n;
_cleanup_free_ char *keyfile = NULL, *keydev = NULL;
- char *c;
const char *keyspec;
if (proc_cmdline_value_missing(key, value))
@@ -421,23 +478,13 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
return log_oom();
keyspec = value + n + 1;
- c = strrchr(keyspec, ':');
- if (c) {
- *c = '\0';
- keyfile = strdup(keyspec);
- keydev = strdup(c + 1);
-
- if (!keyfile || !keydev)
- return log_oom();
- } else {
- /* No keydev specified */
- keyfile = strdup(keyspec);
- if (!keyfile)
- return log_oom();
- }
+ r = split_keyspec(keyspec, &keyfile, &keydev);
+ if (r < 0)
+ return r;
free_and_replace(d->keyfile, keyfile);
free_and_replace(d->keydev, keydev);
+
} else if (streq(key, "luks.name")) {
if (proc_cmdline_value_missing(key, value))
@@ -485,7 +532,7 @@ static int add_crypttab_devices(void) {
int r, k;
char line[LINE_MAX], *l, *uuid;
crypto_device *d = NULL;
- _cleanup_free_ char *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
+ _cleanup_free_ char *name = NULL, *device = NULL, *keydev = NULL, *keyfile = NULL, *keyspec = NULL, *options = NULL;
if (!fgets(line, sizeof(line), f))
break;
@@ -496,7 +543,7 @@ static int add_crypttab_devices(void) {
if (IN_SET(*l, 0, '#'))
continue;
- k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
+ k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyspec, &options);
if (k < 2 || k > 4) {
log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
continue;
@@ -515,7 +562,11 @@ static int add_crypttab_devices(void) {
continue;
}
- r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
+ r = split_keyspec(keyspec, &keyfile, &keydev);
+ if (r < 0)
+ return r;
+
+ r = create_disk(name, device, keyfile, keydev, (d && d->options) ? d->options : options);
if (r < 0)
return r;
@@ -555,7 +606,7 @@ static int add_proc_cmdline_devices(void) {
else
options = "timeout=0";
- r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
+ r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, d->keydev, options);
if (r < 0)
return r;
}
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 9071126c2e..0881aea915 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -69,7 +69,10 @@ static int parse_one_option(const char *option) {
assert(option);
/* Handled outside of this tool */
- if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail", "_netdev"))
+ if (STR_IN_SET(option, "noauto", "auto", "nofail", "fail", "_netdev", "keyfile-timeout"))
+ return 0;
+
+ if (startswith(option, "keyfile-timeout="))
return 0;
if ((val = startswith(option, "cipher="))) {