PKCS#11 pin: fix dracut for unconfigured device

Signed-off-by: Sergio Arroutbi <[email protected]>
latchset · Sep 30, 2024 · cf8d732 · cf8d732
1 parent 29debf6
commit cf8d732
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 46 deletions.
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,6 +52,54 @@ get_pkcs11_error() {
     return 0
 }
 
+clevis_detect_pkcs11_device() {
+    if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
+                         awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
+        echo ""
+        return 1
+    fi
+
+    if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+        pkcs11_device=""
+        echo "No objects in PKCS11 device detected"
+    fi
+
+    while [ -z "${pkcs11_device}" ]; do
+        if [ "${dracut_mode}" != true ]; then
+            module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
+            if [ -n "${module_paths}" ]; then
+                modules=$(echo ${module_paths} | tr ";" "\n")
+                for module in $modules; do
+                    pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
+                                    | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+                    if [ -n "${pkcs11_device}" ]; then
+                        break;
+                    fi
+                done
+            fi
+        fi
+        if [ -z "${pkcs11_device}" ]; then
+            if [ "${retry_mode}" == true ]; then
+                option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
+                if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
+                    echo ""
+		    # Straight Forward Mode
+                    return 0
+                fi
+                pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
+                                    | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+                if ! pkcs11-tool -O 2>/dev/null; then
+                    pkcs11_device=""
+                    echo "No objects in PKCS11 device detected"
+                fi
+            else
+		echo "${pkcs11_device}"
+                return 0
+            fi
+        fi
+    done
+}
+
 if command -v pcscd; then
     echo "clevis-pkcs11: starting pcscd if not available ..."
     PCSCD_PID=$(ps auxf | grep "[p]cscd")
@@ -72,57 +120,19 @@ if [ "${dracut_mode}" != true ]; then
     pkcs11-tool -L
 fi
 
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
-	                 awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
-    echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
-    exit 1
-fi
-
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
-    pkcs11_device=""
-    echo "No objects in PKCS11 device detected"
-fi
-
-while [ -z "${pkcs11_device}" ]; do
-    if [ "${dracut_mode}" != true ]; then
-        module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
-        if [ -n "${module_paths}" ]; then
-            modules=$(echo ${module_paths} | tr ";" "\n")
-            for module in $modules; do
-                pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
-                                | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
-                if [ -n "${pkcs11_device}" ]; then
-                    break;
-                fi
-            done
-        fi
-    fi
-    if [ -z "${pkcs11_device}" ]; then
-        if [ "${retry_mode}" == true ]; then
-            option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
-            if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
-                echo "Won't continue PKCS11 device detection"
-                exit 0
-            fi
-            pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
-                                | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
-            if ! pkcs11-tool -O 2>/dev/null; then
-                pkcs11_device=""
-                echo "No objects in PKCS11 device detected"
-            fi
-        else
-            exit 0
-        fi
-    fi
-done
-echo "Detected PKCS11 device:${pkcs11_device}"
 
 devices_array=()
 # Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
 while read -r line;
 do
     if echo "${line}" | grep -E "clevis-pkcs11.sock" 1>/dev/null;
     then
+        if ! pkcs11_device=$(clevis_detect_pkcs11_device); then
+            echo "No PKCS11 device detected"
+            exit 0
+        else
+            echo "Detected PKCS11 device:${pkcs11_device}"
+        fi
         next_device=0
         errors=0
         msg=""

diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
@@ -64,12 +64,10 @@ clevis_get_module_path_from_pkcs11_config() {
     while read -r line; do
         uuid=$(echo "${line}" | awk '{print $2}')
         if ! mapped_device=$(clevis_map_device "${uuid}"); then
-            echo "Could not check mapped device for UID:${uuid}"
             continue
         fi
         # If no PKCS#11 configuration, advance to next device
         if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
-            echo "Device:${mapped_device} does not contain PKCS#11 configuration"
             continue
         fi
         # Get configuration PKCS#11 URI