From f6c2bc4cdb6f7d2845cec5828f440c364a5d42b2 Mon Sep 17 00:00:00 2001
From: shimun
Date: Tue, 28 Dec 2021 13:34:19 +0100
Subject: [PATCH] added --allow-discards flag

---
 Cargo.lock | 4 +++-
 src/cli.rs | 5 ++++-
 src/cli_args/mod.rs | 3 +++
 src/luks.rs | 19 ++++++++++---------
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 6c986e4..9c15de8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,5 +1,7 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
+version = 3
+
 [[package]]
 name = "addr2line"
 version = "0.13.0"
@@ -404,7 +406,7 @@ dependencies = [
 
 [[package]]
 name = "fido2luks"
-version = "0.3.0"
+version = "0.3.0-alpha"
 dependencies = [
 "ctap_hmac",
 "failure",
diff --git a/src/cli.rs b/src/cli.rs
index 68b45de..1f5a2b5 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -433,6 +433,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 credentials,
 retries,
 dry_run,
+ allow_discards,
+ ..
 } => {
 let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option, [u8; 32])> {
 get_input(&secret, &authenticator, args.interactive, q, verify)
@@ -469,7 +471,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 });
 secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
 log(&|| format!("credential used: {}", hex::encode(&cred.id)));
- luks_dev.activate(&name, &secret, luks.slot, *dry_run)
+ luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
 })
 } else if luks2 && !luks.disable_token {
 luks_dev.activate_token(
@@ -487,6 +489,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 }),
 luks.slot,
 *dry_run,
+ *allow_discards,
 )
 } else if luks_dev.is_luks2()? && luks.disable_token {
 // disable-token is mostly cosmetic in this instance
diff --git a/src/cli_args/mod.rs b/src/cli_args/mod.rs
index 935cc51..b884939 100644
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
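Review bot: The `..` added next to `allow_discards` in the `Command` destructuring of the first src/cli.rs hunk means any field added to that variant later is silently ignored by this arm instead of producing a compile error; the arm compiled without `..` before this patch, so every field appears to be bound already and the `..` looks redundant. I would drop it and keep the arm exhaustive: `allow_discards,` followed directly by `} => {`. The variant definition is only partly visible here, so confirm no other unbound field exists before removing it. The enclosing match and run_cli continue outside the hunk.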
@@ -244,6 +244,9 @@ pub enum Command {
 /// Perform the whole procedure without mounting the LUKS volume on success
 #[structopt(long = "dry-run")]
 dry_run: bool,
+ /// Pass SSD trim instructions to the underlying block device
+ #[structopt(long = "allow-discards")]
+ allow_discards: bool,
 },
 /// Generate a new FIDO credential
 #[structopt(name = "credential")]
diff --git a/src/luks.rs b/src/luks.rs
index fc40183..5ad6d5c 100644
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -1,8 +1,8 @@
 use crate::error::*;
 use libcryptsetup_rs::{
- CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
- TokenInput,
+ CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
+ EncryptionFormat, KeyslotInfo, TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
@@ -238,15 +238,15 @@ impl LuksDevice {
 secret: &[u8],
 slot_hint: Option,
 dry_run: bool,
+ allow_discard: bool,
 ) -> Fido2LuksResult {
+ let mut flags = CryptActivateFlags::empty();
+ if allow_discard {
+ flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
+ }
 self.device
 .activate_handle()
- .activate_by_passphrase(
- Some(name).filter(|_| !dry_run),
- slot_hint,
- secret,
- CryptActivateFlags::empty(),
- )
+ .activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
 .map_err(LuksError::activate)
 }
@@ -256,6 +256,7 @@ impl LuksDevice {
 secret: impl Fn(Vec) -> Fido2LuksResult<([u8; 32], String)>,
 slot_hint: Option,
 dry_run: bool,
+ allow_discard: bool,
 ) -> Fido2LuksResult {
 if !self.is_luks2()? {
 return Err(LuksError::Luks2Required.into());
@@ -299,7 +300,7 @@ impl LuksDevice {
 .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
 );
 for slot in slots {
- match self.activate(name, &secret, slot, dry_run) {
+ match self.activate(name, &secret, slot, dry_run, allow_discard) {
 Err(Fido2LuksError::WrongSecret) => (),
 res => return res,
 }
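Review bot: The doc comment on `allow_discards` is what structopt shows as the `--help` text for `--allow-discards`, and it omits the trade-off the flag carries: once trim requests are passed through, the underlying device reveals which sectors of the encrypted volume are unused, so free-space layout becomes observable to anyone who can read the raw device. I would extend it to `/// Pass SSD trim instructions to the underlying block device.` followed by `/// Exposes which sectors are unused to anyone who can read the raw device; off by default.` The flag is a plain `bool`, so it is opt-in, which is the right default. The enclosing `Command` enum starts and ends outside the hunk.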
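Review bot: In the `-238` hunk of src/luks.rs, `flags` is declared `mut` and reassigned inside an `if` where a single expression would do; the idiomatic form is `let flags = if allow_discard { CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]) } else { CryptActivateFlags::empty() };`. The new parameter is spelled `allow_discard` here and in the `-256` hunk's `activate_token` while the CLI field and flag are `allow_discards`; one spelling across the call chain avoids confusion at the call sites. Since `activate` is the one place the discard flag reaches cryptsetup, its doc comment should say that `allow_discard` makes the unused-sector layout visible on the underlying device, which is why the CLI keeps it opt-in. The signature of `activate` begins above the hunk.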