Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cryptsetup: allow customizing cache behavior #32761

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

cryptsetup: allow customizing cache behavior #32761

wants to merge 1 commit into from

Conversation

kszczek
Copy link
Contributor

@kszczek kszczek commented May 11, 2024
edited by github-actions bot

The new "password-cache" option allows customizing behavior of the ask-password module in regards to caching credentials in the kernel keyring. There are 3 possible values for this option:

  • read-only - look for credentials in kernel keyring before asking
  • on - same as read-only, but also save credentials input by user
  • off - disable keyring credential cache

Currently the cache is forced upon the user and this can cause issues. For example, if user wants to attach two volumes with two different FIDO2 tokens in a quick succession, the attachment operation for the second volume will use the PIN cached from the first FIDO2 token, which of course will fail and since tokens are only attempted once, this will cause fallback to a password prompt.

@github-actions github-actions bot added documentation util-lib tpm2 please-review PR is ready for (re-)review by a maintainer labels May 11, 2024
@github-actions GitHub Actions
Copy link

Important

An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.

@kszczek kszczek force-pushed the cryptsetup-password-cache-control branch from b9e4424 to 6f6f0a2 Compare May 11, 2024 09:12
@kszczek
Copy link
Contributor Author

kszczek commented May 11, 2024

Overlooked an issue with the default value for PKCS#11 tokens, fixed it. Sorry for the noise.

yuwata
yuwata requested changes May 12, 2024
View reviewed changes
Copy link
Member

@yuwata yuwata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Several superficial comments.

man/crypttab.xml Outdated Show resolved Hide resolved
man/crypttab.xml Outdated Show resolved Hide resolved
man/systemd-cryptsetup.xml Outdated Show resolved Hide resolved
man/systemd-cryptsetup.xml Outdated Show resolved Hide resolved
src/cryptsetup/cryptsetup.c Outdated Show resolved Hide resolved
@yuwata yuwata added reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks and removed please-review PR is ready for (re-)review by a maintainer labels May 12, 2024
@kszczek
cryptsetup: allow customizing cache behavior
b4312d1 
The new "password-cache" option allows customizing behavior of the
ask-password module in regards to caching credentials in the kernel
keyring. There are 3 possible values for this option:
  * read-only - look for credentials in kernel keyring before asking
  * on - same as read-only, but also save credentials input by user
  * off - disable keyring credential cache

Currently the cache is forced upon the user and this can cause issues.
For example, if user wants to attach two volumes with two different
FIDO2 tokens in a quick succession, the attachment operation for the
second volume will use the PIN cached from the first FIDO2 token, which
of course will fail and since tokens are only attempted once, this will
cause fallback to a password prompt.
@kszczek kszczek force-pushed the cryptsetup-password-cache-control branch from 6f6f0a2 to b4312d1 Compare May 12, 2024 08:31
@github-actions github-actions bot added please-review PR is ready for (re-)review by a maintainer and removed reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels May 12, 2024
@yuwata yuwata mentioned this pull request May 13, 2024
Merged
@kszczek
Copy link
Contributor Author

kszczek commented May 13, 2024

After performing some additional tests with strace -e add_key,request_key,keyctl I've discovered that currently the cache behavior is somewhat inconsistent. When attempting to unlock with a TPM2 device via token plugin (the prioritized execution path), the cache is checked for the PIN, but when running with SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=no set, thus skipping the plugins, the cache is not checked for the PIN.

This PR makes the behavior consistent in both execution paths, but in doing so it breaks backward compatibility in this (probably very uncommon) edge case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuwata yuwata yuwata requested changes

Assignees
No one assigned
Labels
cryptsetup documentation please-review PR is ready for (re-)review by a maintainer tpm2 util-lib
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@kszczek @yuwata @YHNdnzj