ПОМОГИТЕ ОТЛАДИТЬ ПРОГУ

#include <getopt.h> #include "ask-password-api.h" #include "build.h" #include "cryptenroll-fido2.h" #include "cryptenroll-list.h" #include "cryptenroll-password.h" #include "cryptenroll-pkcs11.h" #include "cryptenroll-recovery.h" #include "cryptenroll-tpm2.h" #include "cryptenroll-wipe.h" #include "cryptenroll.h" #include "cryptsetup-util.h" #include "env-util.h" #include "escape.h" #include "fileio.h" #include "libfido2-util.h" #include "main-func.h" #include "memory-util.h" #include "parse-argument.h" #include "parse-util.h" #include "path-util.h" #include "pkcs11-util.h" #include "pretty-print.h" #include "string-table.h" #include "strv.h" #include "terminal-util.h" #include "tpm-pcr.h" #include "tpm2-util.h" static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID; static char *arg_unlock_keyfile = NULL; static UnlockType arg_unlock_type = UNLOCK_PASSWORD; static char *arg_unlock_fido2_device = NULL; static char *arg_pkcs11_token_uri = NULL; static char *arg_fido2_device = NULL; static char *arg_tpm2_device = NULL; static uint32_t arg_tpm2_pcr_mask = UINT32_MAX; static bool arg_tpm2_pin = false; static char *arg_tpm2_public_key = NULL; static uint32_t arg_tpm2_public_key_pcr_mask = UINT32_MAX; static char *arg_tpm2_signature = NULL; static char *arg_node = NULL; static int *arg_wipe_slots = NULL; static size_t arg_n_wipe_slots = 0; static WipeScope arg_wipe_slots_scope = WIPE_EXPLICIT; static unsigned arg_wipe_slots_mask = 0; /* Bitmask of (1U << EnrollType), for wiping all slots of specific types */ static Fido2EnrollFlags arg_fido2_lock_with = FIDO2ENROLL_PIN | FIDO2ENROLL_UP; #if HAVE_LIBFIDO2 static int arg_fido2_cred_alg = COSE_ES256; #else static int arg_fido2_cred_alg = 0; #endif assert_cc(sizeof(arg_wipe_slots_mask) * 8 >= _ENROLL_TYPE_MAX); STATIC_DESTRUCTOR_REGISTER(arg_unlock_keyfile, freep); STATIC_DESTRUCTOR_REGISTER(arg_unlock_fido2_device, freep); STATIC_DESTRUCTOR_REGISTER(arg_pkcs11_token_uri, freep); STATIC_DESTRUCTOR_REGISTER(arg_fido2_device, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep); STATIC_DESTRUCTOR_REGISTER(arg_node, freep); STATIC_DESTRUCTOR_REGISTER(arg_wipe_slots, freep); static bool wipe_requested(void) { return arg_n_wipe_slots > 0 || arg_wipe_slots_scope != WIPE_EXPLICIT || arg_wipe_slots_mask != 0; } static const char* const enroll_type_table[_ENROLL_TYPE_MAX] = { [ENROLL_PASSWORD] = "password", [ENROLL_RECOVERY] = "recovery", [ENROLL_PKCS11] = "pkcs11", [ENROLL_FIDO2] = "fido2", [ENROLL_TPM2] = "tpm2", }; DEFINE_STRING_TABLE_LOOKUP(enroll_type, EnrollType); static const char *const luks2_token_type_table[_ENROLL_TYPE_MAX] = { /* ENROLL_PASSWORD has no entry here, as slots of this type do not have a token in the LUKS2 header */ [ENROLL_RECOVERY] = "systemd-recovery", [ENROLL_PKCS11] = "systemd-pkcs11", [ENROLL_FIDO2] = "systemd-fido2", [ENROLL_TPM2] = "systemd-tpm2", }; DEFINE_STRING_TABLE_LOOKUP(luks2_token_type, EnrollType); static int check_for_homed(struct crypt_device *cd) { int r; assert_se(cd); /* Politely refuse operating on homed volumes. The enrolled tokens for the user record and the LUKS2 * volume should not get out of sync. */ for (int token = 0; token < crypt_token_max(CRYPT_LUKS2); token ++) { r = cryptsetup_get_token_as_json(cd, token, "systemd-homed", NULL); if (IN_SET(r, -ENOENT, -EINVAL, -EMEDIUMTYPE)) continue; if (r < 0) return log_error_errno(r, "Failed to read JSON token data off disk: %m"); return log_error_errno(SYNTHETIC_ERRNO(EHOSTDOWN), "LUKS2 volume is managed by systemd-homed, please use homectl to enroll tokens."); } return 0; } static int prepare_luks( struct crypt_device **ret_cd, void **ret_volume_key, size_t *ret_volume_key_size) { _cleanup_(crypt_freep) struct crypt_device *cd = NULL; _cleanup_(erase_and_freep) void *vk = NULL; size_t vks; int r; assert(ret_cd); assert(!ret_volume_key == !ret_volume_key_size); r = crypt_init(&cd, arg_node); if (r < 0) return log_error_errno(r, "Failed to allocate libcryptsetup context: %m"); cryptsetup_enable_logging(cd); r = crypt_load(cd, CRYPT_LUKS2, NULL); if (r < 0) return log_error_errno(r, "Failed to load LUKS2 superblock: %m"); r = check_for_homed(cd); if (r < 0) return r; if (!ret_volume_key) { *ret_cd = TAKE_PTR(cd); return 0; } r = crypt_get_volume_key_size(cd); if (r <= 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size"); vks = (size_t) r; vk = malloc(vks); if (r < 0) return r; *ret_cd = TAKE_PTR(cd); *ret_volume_key = TAKE_PTR(vk); *ret_volume_key_size = vks; return 0; } static int run(int argc, char *argv[]) { _cleanup_(crypt_freep) struct crypt_device *cd = NULL; _cleanup_(erase_and_freep) void *vk = NULL; size_t vks; int slot, r; log_show_color(true); log_parse_environment(); log_open(); r = parse_argv(argc, argv); if (r <= 0) return r; cryptsetup_enable_logging(NULL); if (arg_enroll_type < 0) r = prepare_luks(&cd, NULL, NULL); /* No need to unlock device if we don't need the volume key because we don't need to enroll anything */ else r = prepare_luks(&cd, &vk, &vks); if (r < 0) return r; switch (arg_enroll_type) { case ENROLL_PASSWORD: slot = enroll_password(cd, vk, vks); break; case ENROLL_RECOVERY: slot = enroll_recovery(cd, vk, vks); break; case ENROLL_PKCS11: slot = enroll_pkcs11(cd, vk, vks, arg_pkcs11_token_uri); break; case ENROLL_FIDO2: slot = enroll_fido2(cd, vk, vks, arg_fido2_device, arg_fido2_lock_with, arg_fido2_cred_alg); break; case ENROLL_TPM2: slot = enroll_tpm2(cd, vk, vks, arg_tpm2_device, arg_tpm2_pcr_mask, arg_tpm2_public_key, arg_tpm2_public_key_pcr_mask, arg_tpm2_signature, arg_tpm2_pin); break; case _ENROLL_TYPE_INVALID: /* List enrolled slots if we are called without anything to enroll or wipe */ if (!wipe_requested()) return list_enrolled(cd); /* Only slot wiping selected */ return wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, -1); default: return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Operation not implemented yet."); } if (slot < 0) return slot; /* After we completed enrolling, remove user selected slots */ r = wipe_slots(cd, arg_wipe_slots, arg_n_wipe_slots, arg_wipe_slots_scope, arg_wipe_slots_mask, slot); if (r < 0) return r; return 0; } DEFINE_MAIN_FUNCTION(run);