From d2cba923be4c661975f2cbfe3b303aa3f106c679 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 14 Apr 2022 23:18:49 +0200
Subject: [PATCH 1/2] creds-util: also warn about unencrypted creds host key if we are creating it
Previously we'd only warn when we consume it, but it's even more relevant to warn if we save it to an unencrypted storage location.
---
 src/shared/creds-util.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 95540979ad..7691f36089 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -94,9 +94,30 @@ struct credential_host_secret_format {
 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
 } _packed_;
+static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
+ int r;
+
+ assert(fd >= 0);
+ assert(dirname);
+ assert(filename);
+
+ if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
+ return;
+
+ r = fd_is_encrypted(fd);
+ if (r < 0)
+ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
+ dirname, filename);
+ else if (r == 0)
+ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
+ dirname, filename);
+}
+
 static int make_credential_host_secret(
 int dfd,
 const sd_id128_t machine_id,
+ CredentialSecretFlags flags,
+ const char *dirname,
 const char *fn,
 void **ret_data,
 size_t *ret_size) {
@@ -142,6 +163,8 @@ static int make_credential_host_secret(
 goto finish;
 }
+
+ warn_not_encrypted(fd, flags, dirname, fn);
+
 if (t) {
 r = rename_noreplace(dfd, t, dfd, fn);
 if (r < 0)
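Review bot: In warn_not_encrypted(), the `r < 0` branch logs an fd_is_encrypted() failure only at debug level, so a host secret whose storage encryption state cannot be determined gives the operator no visible signal even though CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED was requested; consider `log_warning_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted, continuing anyway: %m", dirname, filename);` or at least a comment saying that "unknown" is deliberately treated as silent. Since the helper now serves both the read path and the creation path, it also deserves a header comment such as `/* Advisory only: logs when the secret file is on unencrypted media and the caller asked to be told; never fails. */`. The shared "using anyway" wording reads oddly at the call added in the second hunk of this file, where the secret is being written rather than consumed; that hunk lies inside make_credential_host_secret(), whose body continues outside the hunk.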
@@ -248,7 +271,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 "Failed to open %s/%s: %m", dirname, filename);
- r = make_credential_host_secret(dfd, machine_id, filename, ret, ret_size);
+ r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
 if (r == -EEXIST) {
 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
 dirname, filename);
@@ -257,7 +280,6 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (r < 0)
 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m", dirname, filename);
-
 return 0;
 }
@@ -302,15 +324,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
 if (sd_id128_equal(machine_id, f->machine_id)) {
 size_t sz;
- if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
- r = fd_is_encrypted(fd);
- if (r < 0)
- log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
- dirname, filename);
- else if (r == 0)
- log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
- dirname, filename);
- }
+ warn_not_encrypted(fd, flags, dirname, filename);
 sz = l - offsetof(struct credential_host_secret_format, data);
 assert(sz > 0);
From fa998da2df66c16b3b24cc8a8fdcb23506faecdd Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 14 Apr 2022 23:19:02 +0200
Subject: [PATCH 2/2] creds-util: upgrade message about TPM2 not working
---
 src/shared/creds-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 7691f36089..ac53693eb0 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -584,7 +584,7 @@ int encrypt_credential_and_warn(
 else if (!sd_id128_equal(with_key, _CRED_AUTO))
 return r;
- log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
+ log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
 }
 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
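Review bot: The notice on the added line is the only trace a caller that passed _CRED_AUTO gets of a protection downgrade from TPM2-sealed to non-TPM2 encryption, and the branch carries no comment saying that this fallback is intentional only for automatic key selection; add `/* _CRED_AUTO: TPM2 is best-effort, so continue without it but tell the operator. */` above the log call. A caller that needs TPM2 binding guaranteed must pass an explicit key id, which the `else if` return just above already enforces; that contract is worth stating in the function's doc comment. encrypt_credential_and_warn() starts before and continues after this hunk.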