git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Branch: master
Branches Tags
clevis
/
src
/
luks
/
clevis-luks-bind

clevis-luks-bind 4.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. #!/bin/bash -e
    2. 

  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
    3. 

  3. #
    4. 

  4. # Copyright (c) 2016 Red Hat, Inc.
    5. 

  5. # Author: Harald Hoyer <harald@redhat.com>
    6. 

  6. # Author: Nathaniel McCallum <npmccallum@redhat.com>
    7. 

  7. #
    8. 

  8. # This program is free software: you can redistribute it and/or modify
    9. 

  9. # it under the terms of the GNU General Public License as published by
    10. 

  10. # the Free Software Foundation, either version 3 of the License, or
    11. 

  11. # (at your option) any later version.
    12. 

  12. #
    13. 

  13. # This program is distributed in the hope that it will be useful,
    14. 

  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    15. 

  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    16. 

  16. # GNU General Public License for more details.
    17. 

  17. #
    18. 

  18. # You should have received a copy of the GNU General Public License
    19. 

  19. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    20. 

  20. #
    21. 

  21. . clevis-luks-common-functions
    22. 

  22. 

  23. SUMMARY="Binds a LUKS device using the specified policy"
    24. 

  24. 

  25. usage() {
    26. 

  26.     exec >&2
    27. 

  27.     echo
    28. 

  28.     echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
    29. 

  29.     echo
    30. 

  30.     echo "$SUMMARY":
    31. 

  31.     echo
    32. 

  32.     echo "  -f           Do not prompt for LUKSMeta initialization"
    33. 

  33.     echo
    34. 

  34.     echo "  -d DEV       The LUKS device on which to perform binding"
    35. 

  35.     echo
    36. 

  36.     echo "  -y           Automatically answer yes for all questions"
    37. 

  37.     echo
    38. 

  38.     echo "  -s SLT       The LUKS slot to use"
    39. 

  39.     echo
    40. 

  40.     echo "  -t TKN_ID    The LUKS token ID to use; only available for LUKS2"
    41. 

  41.     echo
    42. 

  42.     echo "  -k KEY       Non-interactively read LUKS password from KEY file"
    43. 

  43.     echo "  -k -         Non-interactively read LUKS password from standard input"
    44. 

  44.     echo
    45. 

  45.     echo "  -e E_TKN_ID  Existing LUKS token ID for existing passphrase; only available for LUKS2"
    46. 

  46.     echo
    47. 

  47.     exit 2
    48. 

  48. }
    49. 

  49. 

  50. if [ $# -eq 1 ] && [ "$1" = "--summary" ]; then
    51. 

  51.     echo "$SUMMARY"
    52. 

  52.     exit 0
    53. 

  53. fi
    54. 

  54. 

  55. FRC=
    56. 

  56. YES=
    57. 

  57. while getopts ":hfyd:s:k:t:e:" o; do
    58. 

  58.     case "$o" in
    59. 

  59.     f) FRC='-f';;
    60. 

  60.     d) DEV="$OPTARG";;
    61. 

  61.     s) SLT="$OPTARG";;
    62. 

  62.     k) KEY="$OPTARG";;
    63. 

  63.     t) TOKEN_ID="$OPTARG";;
    64. 

  64.     e) EXISTING_TOKEN_ID="$OPTARG";;
    65. 

  65.     y) FRC='-f'
    66. 

  66.        YES='-y';;
    67. 

  67.     *) usage;;
    68. 

  68.     esac
    69. 

  69. done
    70. 

  70. 

  71. if [ -z "$DEV" ]; then
    72. 

  72.     echo "Did not specify a device!" >&2
    73. 

  73.     usage
    74. 

  74. fi
    75. 

  75. 

  76. if ! luks_type="$(clevis_luks_type "${DEV}")"; then
    77. 

  77.     echo "${DEV} is not a supported LUKS device" >&2
    78. 

  78.     exit 1
    79. 

  79. fi
    80. 

  80. 

  81. if ! PIN="${@:$((OPTIND++)):1}" || [ -z "$PIN" ]; then
    82. 

  82.     echo "Did not specify a pin!" >&2
    83. 

  83.     usage
    84. 

  84. elif ! EXE=$(command -v clevis-encrypt-"${PIN}") || [ -z "${EXE}" ]; then
    85. 

  85.     echo "'${PIN}' is not a valid pin!" >&2
    86. 

  86.     usage
    87. 

  87. fi
    88. 

  88. 

  89. if ! CFG="${@:$((OPTIND++)):1}" || [ -z "$CFG" ]; then
    90. 

  90.     echo "Did not specify a pin config!" >&2
    91. 

  91.     usage
    92. 

  92. fi
    93. 

  93. 

  94. # Check whether the config is valid JSON.
    95. 

  95. if ! jose fmt --json="${CFG}" --object 2>/dev/null; then
    96. 

  96.     echo "Configuration is malformed; it should be valid JSON" >&2
    97. 

  97.     exit 1
    98. 

  98. fi
    99. 

  99. 

  100. if [ "${luks_type}" = "luks1" ] && [ -n "${TOKEN_ID}" ]; then
    101. 

  101.     echo "${DEV} is a LUKS1 device; -t is only supported in LUKS2" >&2
    102. 

  102.     exit 1
    103. 

  103. fi
    104. 

  104. 

  105. if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
    106. 

  106.     echo "Existing token ID not supported in this cryptsetup version" >&2
    107. 

  107.     exit 1
    108. 

  108. fi
    109. 

  109. 

  110. # Get the existing passphrase/keyfile.
    111. 

  111. existing_key=
    112. 

  112. keyfile=
    113. 

  113. case "${KEY}" in
    114. 

  114.  "")
    115. 

  115.     if [ -z "${EXISTING_TOKEN_ID}" ] ; then
    116. 

  116.         IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
    117. 

  117.     fi
    118. 

  118.     ;;
    119. 

  119.  -) IFS= read -r -s -p "" existing_key ||:
    120. 

  120.     if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
    121. 

  121.                                     && [ -z "${FRC}" ]; then
    122. 

  122.         echo "Cannot use '-k-' without '-f' or '-y' unless already initialized!" >&2
    123. 

  123.         usage
    124. 

  124.     fi
    125. 

  125.     ;;
    126. 

  126.  *) keyfile="${KEY}"
    127. 

  127.     if [ ! -r "${keyfile}" ]; then
    128. 

  128.         echo "Cannot read key file '${keyfile}'" >&2
    129. 

  129.         exit 1
    130. 

  130.     fi
    131. 

  131.     ;;
    132. 

  132. esac
    133. 

  133. 

  134. # Check if existing token id for keyring read is provided
    135. 

  135. # If so, keyfile is not allowed
    136. 

  136. if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
    137. 

  137.     echo "Cannot specify kernel keyring description together with key file" >&2
    138. 

  138.     exit 1
    139. 

  139. fi
    140. 

  140. 

  141. # If necessary, initialize the LUKS volume.
    142. 

  142. if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
    143. 

  143.     luksmeta init -d "${DEV}" ${FRC}
    144. 

  144. fi
    145. 

  145. 

  146. if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
    147. 

  147.                          "${PIN}" "${CFG}" \
    148. 

  148.                          "${YES}" "" \
    149. 

  149.                          "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
    150. 

  150.     echo "Error adding new binding to ${DEV}" >&2
    151. 

  151.     exit 1
    152. 

  152. fi
    153.