
Commit 490c1b6

Add test option for clevis luks unlock (#296)
* Add test option for clevis luks unlock
1 parent ea0d0c2 commit 490c1b6

2 files changed

+22
-8
lines changed

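--- a/src/luks/clevis-luks-unlock
+++ b/src/luks/clevis-luks-unlock
@@ -24,14 +24,17 @@ SUMMARY="Unlocks a LUKS volume"
 function usage() {
 exec >&2
 echo
-echo "Usage: clevis luks unlock -d DEV [-n NAME]"
+echo "Usage: clevis luks unlock -d DEV [-n NAME] [-t SLT]"
 echo
 echo "$SUMMARY":
 echo
 echo " -d DEV The LUKS device on which to perform unlocking"
 echo
 echo " -n NAME The name of the unlocked device node"
 echo
+echo " -t SLT Test the passphrase for the given slot without unlocking"
+echo " the device"
+echo
 exit 2
 }
 
@@ -40,10 +43,11 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
 exit 0
 fi
 
-while getopts ":d:n:" o; do
+while getopts ":d:n:t:" o; do
 case "$o" in
 d) DEV="$OPTARG";;
 n) NAME="$OPTARG";;
+t) SLT="$OPTARG";;
 *) usage;;
 esac
 done
@@ -60,9 +64,16 @@ fi
 
 NAME="${NAME:-luks-"$(cryptsetup luksUUID "$DEV")"}"
 
-if ! pt=$(clevis_luks_unlock_device "${DEV}"); then
-echo "${DEV} could not be opened." >&2
-exit 1
-fi
+if [ -n "$SLT" ]; then
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}" >/dev/null; then
+echo "Test for token slot ${SLT} on device ${DEV} failed." >&2
+exit 1
+fi
+else
+if ! pt=$(clevis_luks_unlock_device "${DEV}"); then
+echo "${DEV} could not be opened." >&2
+exit 1
+fi
 
-echo -n "${pt}" | cryptsetup open -d- "${DEV}" "${NAME}"
+echo -n "${pt}" | cryptsetup open -d- "${DEV}" "${NAME}"
+fi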
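Review bot: The mode switch `if [ -n "$SLT" ]` in the last hunk keys off a variable that the visible lines only ever set in the new `t)` arm, so `-t ''` falls through to the real `cryptsetup open` even though the caller asked for a test. If `SLT` is not cleared somewhere above the hunk, a value inherited from the environment would also turn a normal unlock into a test that exits 0 without opening the device. Clearing it before the `getopts` loop with `SLT=` and validating in the arm, e.g. `t) [[ "$OPTARG" =~ ^[0-9]+$ ]] || usage; SLT="$OPTARG";;`, closes both paths and keeps a malformed slot value from reaching `clevis_luks_unlock_device_by_slot`. The test path also still computes `NAME` and silently ignores `-n`; rejecting `-n` together with `-t` would make the contract explicit.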

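--- a/src/luks/clevis-luks-unlock.1.adoc
+++ b/src/luks/clevis-luks-unlock.1.adoc
@@ -9,7 +9,7 @@ clevis-luks-unlock - Unlocks a LUKS device bound with a Clevis policy
 
 == SYNOPSIS
 
-*clevis luks unlock* -d DEV [-n NAME]
+*clevis luks unlock* -d DEV [-n NAME] [-t SLT]
 
 == OVERVIEW
 
@@ -26,6 +26,9 @@ provisioned Clevis policy. For example:
 * *-n* _NAME_ :
 The name to give the unlocked device node
 
+* *-t* _SLT_ :
+Test the passphrase for the given slot without unlocking the device
+
 == SEE ALSO
 
 link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]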
