Commit Graph

11 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
880e1e0729 man: minor grammar fixups in systemd-cryptenroll 2021-09-27 09:19:02 +02:00
Lennart Poettering
9a89ab26d6 man: extend documentation about TPM2 PCRs
This is an effort to compile a somewhat complete list how PCRs are
actually used on Linux systems these days. It contains data from: the
UEFI PC spec, the shim, the IMA, grub documentation.

I validated these PCRs to some level in the sources.

The grub specific stuff I only added in comments, since I was too lazy
too validate it (also, meh, grub).

It also gives people a hint on which PCR to bind to (and maybe kind of
an explanation of our default choice).
2021-09-14 17:37:06 +02:00
Zbigniew Jędrzejewski-Szmek
be0d27ee0c man: fix assorted issues reported by the manpage-l10n project
Fixes #20297.
2021-07-27 09:43:29 +02:00
Lennart Poettering
72c1542267 man: document that FIDO2 uv/up/clientPin feature support is now handled gracefully 2021-05-28 16:45:12 +02:00
Lennart Poettering
a1788a69b2 tpm2: support "+" as separator for TPM PCR lists
Previously, we supported only "," as separator. This adds support for
"+" and makes it the documented choice.

This is to make specifying PCRs in crypttab easier, since commas are
already used there for separating volume options, and needless escaping
sucks.

"," continues to be supported, but in order to keep things minimal not
documented.

Fixe: #19205
2021-05-25 23:28:54 +02:00
Luca Boccassi
896cc0da98 FIDO2: ask and record whether user verification was used to lock the volume
Some tokens support authorization via fingerprint or other biometric
ID. Add support for "user verification" to cryptenroll and cryptsetup.
Disable by default, as it is still quite uncommon.
2021-05-07 21:36:27 +01:00
Luca Boccassi
06f087192d FIDO2: ask and record whether user presence was used to lock the volume
In some cases user presence might not be required to get _a_
secret out of a FIDO2 device, but it might be required to
the get actual secret that was used to lock the volume.
Record whether we used it in the LUKS header JSON metadata.
Let the cryptenroll user ask for the feature, but bail out if it is
required by the token and the user disabled it.
Enabled by default.
2021-05-07 21:36:27 +01:00
Luca Boccassi
cde2f8605e FIDO2: support pin-less LUKS enroll/unlock
Closes: https://github.com/systemd/systemd/issues/19246

Some FIDO2 devices allow the user to choose whether to use a PIN or not
and will HMAC with a different secret depending on the choice.
Some other devices (or some device-specific configuration) can instead
make it mandatory.
Allow the cryptenroll user to choose whether to use a PIN or not, but
fail immediately if it is a hard requirement.
Record the choice in the JSON-encoded LUKS header metadata so that the
right set of options can be used on unlock.
2021-05-07 21:36:27 +01:00
Morten Linderud
29d898cc7b man/systemd-cryptenroll: Fix sd-boot manvolnum from 8 to 7
Off-by-one error in the documentation index. The volume number for
systemd-boot/sd-boot is 7.

Signed-off-by: Morten Linderud <morten@linderud.pw>
2021-04-07 13:57:33 +02:00
Yu Watanabe
458610429f tree-wide: fix typo 2020-12-18 12:59:29 +09:00
Lennart Poettering
cf1e172d58 man: document new features 2020-12-17 20:02:32 +01:00