310 lines
9.6 KiB
Diff
310 lines
9.6 KiB
Diff
|
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
|
||
|
From: rpm-build <rpm-build>
|
||
|
Date: Tue, 3 Nov 2020 08:42:48 -0300
|
||
|
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
|
||
|
binding
|
||
|
|
||
|
Usage:
|
||
|
|
||
|
clevis luks pass -d /dev/sda1 -s 1
|
||
|
<passphrase here>
|
||
|
---
|
||
|
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
|
||
|
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
|
||
|
src/luks/meson.build | 3 ++
|
||
|
src/luks/tests/meson.build | 2 +
|
||
|
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
|
||
|
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
|
||
|
6 files changed, 230 insertions(+)
|
||
|
create mode 100755 src/luks/clevis-luks-pass
|
||
|
create mode 100644 src/luks/clevis-luks-pass.1.adoc
|
||
|
create mode 100755 src/luks/tests/pass-tang-luks1
|
||
|
create mode 100755 src/luks/tests/pass-tang-luks2
|
||
|
|
||
|
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
|
||
|
new file mode 100755
|
||
|
index 0000000..1f59b39
|
||
|
--- /dev/null
|
||
|
+++ b/src/luks/clevis-luks-pass
|
||
|
@@ -0,0 +1,64 @@
|
||
|
+#!/bin/bash -e
|
||
|
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||
|
+#
|
||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||
|
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
|
||
|
+#
|
||
|
+# This program is free software: you can redistribute it and/or modify
|
||
|
+# it under the terms of the GNU General Public License as published by
|
||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||
|
+# (at your option) any later version.
|
||
|
+#
|
||
|
+# This program is distributed in the hope that it will be useful,
|
||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
+# GNU General Public License for more details.
|
||
|
+#
|
||
|
+# You should have received a copy of the GNU General Public License
|
||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
+#
|
||
|
+
|
||
|
+. clevis-luks-common-functions
|
||
|
+
|
||
|
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
|
||
|
+
|
||
|
+usage() {
|
||
|
+ exec >&2
|
||
|
+ echo "Usage: clevis luks pass -d DEV -s SLT"
|
||
|
+ echo
|
||
|
+ echo "$SUMMARY"
|
||
|
+ echo
|
||
|
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
|
||
|
+ echo
|
||
|
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
|
||
|
+ echo
|
||
|
+ exit 1
|
||
|
+}
|
||
|
+
|
||
|
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
|
||
|
+ echo "${SUMMARY}"
|
||
|
+ exit 0
|
||
|
+fi
|
||
|
+
|
||
|
+while getopts ":d:s:" o; do
|
||
|
+ case "$o" in
|
||
|
+ d) DEV=${OPTARG};;
|
||
|
+ s) SLT=${OPTARG};;
|
||
|
+ *) usage;;
|
||
|
+ esac
|
||
|
+done
|
||
|
+
|
||
|
+if [ -z "${DEV}" ]; then
|
||
|
+ echo "Did not specify a device!" >&2
|
||
|
+ usage
|
||
|
+fi
|
||
|
+
|
||
|
+if [ -z "${SLT}" ]; then
|
||
|
+ echo "Did not specify a slot!" >&2
|
||
|
+ usage
|
||
|
+fi
|
||
|
+
|
||
|
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
|
||
|
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
|
||
|
+ exit 1
|
||
|
+fi
|
||
|
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
|
||
|
new file mode 100644
|
||
|
index 0000000..fa9526a
|
||
|
--- /dev/null
|
||
|
+++ b/src/luks/clevis-luks-pass.1.adoc
|
||
|
@@ -0,0 +1,43 @@
|
||
|
+CLEVIS-LUKS-PASS(1)
|
||
|
+===================
|
||
|
+:doctype: manpage
|
||
|
+
|
||
|
+
|
||
|
+== NAME
|
||
|
+
|
||
|
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
|
||
|
+
|
||
|
+== SYNOPSIS
|
||
|
+
|
||
|
+*clevis luks pass* -d DEV -s SLT
|
||
|
+
|
||
|
+== OVERVIEW
|
||
|
+
|
||
|
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
|
||
|
+For example:
|
||
|
+
|
||
|
+ clevis luks pass -d /dev/sda1 -s 1
|
||
|
+
|
||
|
+== OPTIONS
|
||
|
+
|
||
|
+* *-d* _DEV_ :
|
||
|
+ The LUKS device on which to extract a passphrase from
|
||
|
+
|
||
|
+* *-s* _SLT_ :
|
||
|
+ The slot to use for extracting the passphrase
|
||
|
+
|
||
|
+== EXAMPLE
|
||
|
+
|
||
|
+ clevis luks pass -d /dev/sda1 -s 1
|
||
|
+ <passphrase here>
|
||
|
+
|
||
|
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
|
||
|
+file together with cryptsetup. For instance:
|
||
|
+
|
||
|
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
|
||
|
+
|
||
|
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
|
||
|
+
|
||
|
+== SEE ALSO
|
||
|
+
|
||
|
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
|
||
|
diff --git a/src/luks/meson.build b/src/luks/meson.build
|
||
|
index 12f5a0d..008736e 100644
|
||
|
--- a/src/luks/meson.build
|
||
|
+++ b/src/luks/meson.build
|
||
|
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||
|
|
||
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
|
||
|
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
|
||
|
+
|
||
|
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
|
||
|
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
|
||
|
else
|
||
|
warning('Will not install LUKS support due to missing dependencies!')
|
||
|
endif
|
||
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||
|
index c22a069..f4584aa 100644
|
||
|
--- a/src/luks/tests/meson.build
|
||
|
+++ b/src/luks/tests/meson.build
|
||
|
@@ -84,6 +84,7 @@ if has_tang
|
||
|
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
|
||
|
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
|
||
|
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
|
||
|
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
|
||
|
endif
|
||
|
|
||
|
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
|
||
|
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
|
||
|
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
|
||
|
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
|
||
|
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
|
||
|
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
||
|
endif
|
||
|
|
||
|
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
|
||
|
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
|
||
|
new file mode 100755
|
||
|
index 0000000..0d91e6c
|
||
|
--- /dev/null
|
||
|
+++ b/src/luks/tests/pass-tang-luks1
|
||
|
@@ -0,0 +1,59 @@
|
||
|
+#!/bin/bash -x
|
||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||
|
+#
|
||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||
|
+#
|
||
|
+# This program is free software: you can redistribute it and/or modify
|
||
|
+# it under the terms of the GNU General Public License as published by
|
||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||
|
+# (at your option) any later version.
|
||
|
+#
|
||
|
+# This program is distributed in the hope that it will be useful,
|
||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
+# GNU General Public License for more details.
|
||
|
+#
|
||
|
+# You should have received a copy of the GNU General Public License
|
||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
+#
|
||
|
+
|
||
|
+TEST="${0}"
|
||
|
+. tests-common-functions
|
||
|
+. clevis-luks-common-functions
|
||
|
+
|
||
|
+function on_exit() {
|
||
|
+ [ ! -d "${TMP}" ] && return 0
|
||
|
+ tang_stop "${TMP}"
|
||
|
+ rm -rf "${TMP}"
|
||
|
+}
|
||
|
+
|
||
|
+trap 'on_exit' EXIT
|
||
|
+
|
||
|
+TMP=$(mktemp -d)
|
||
|
+
|
||
|
+port=$(get_random_port)
|
||
|
+tang_run "${TMP}" "${port}" &
|
||
|
+tang_wait_until_ready "${port}"
|
||
|
+
|
||
|
+url="http://localhost:${port}"
|
||
|
+adv="${TMP}/adv"
|
||
|
+tang_get_adv "${port}" "${adv}"
|
||
|
+
|
||
|
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||
|
+
|
||
|
+# LUKS1.
|
||
|
+DEV="${TMP}/luks1-device"
|
||
|
+new_device "luks1" "${DEV}"
|
||
|
+
|
||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||
|
+ error "${TEST}: Bind should have succeeded."
|
||
|
+fi
|
||
|
+
|
||
|
+# Now let's test the passphrase.
|
||
|
+SLT=1
|
||
|
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||
|
+echo $PASS >&2
|
||
|
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||
|
+ error "Passphrase obtained from clevis luks pass failed."
|
||
|
+fi
|
||
|
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
|
||
|
new file mode 100755
|
||
|
index 0000000..2d50413
|
||
|
--- /dev/null
|
||
|
+++ b/src/luks/tests/pass-tang-luks2
|
||
|
@@ -0,0 +1,59 @@
|
||
|
+#!/bin/bash -x
|
||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||
|
+#
|
||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||
|
+#
|
||
|
+# This program is free software: you can redistribute it and/or modify
|
||
|
+# it under the terms of the GNU General Public License as published by
|
||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||
|
+# (at your option) any later version.
|
||
|
+#
|
||
|
+# This program is distributed in the hope that it will be useful,
|
||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
+# GNU General Public License for more details.
|
||
|
+#
|
||
|
+# You should have received a copy of the GNU General Public License
|
||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
+#
|
||
|
+
|
||
|
+TEST="${0}"
|
||
|
+. tests-common-functions
|
||
|
+. clevis-luks-common-functions
|
||
|
+
|
||
|
+function on_exit() {
|
||
|
+ [ ! -d "${TMP}" ] && return 0
|
||
|
+ tang_stop "${TMP}"
|
||
|
+ rm -rf "${TMP}"
|
||
|
+}
|
||
|
+
|
||
|
+trap 'on_exit' EXIT
|
||
|
+
|
||
|
+TMP=$(mktemp -d)
|
||
|
+
|
||
|
+port=$(get_random_port)
|
||
|
+tang_run "${TMP}" "${port}" &
|
||
|
+tang_wait_until_ready "${port}"
|
||
|
+
|
||
|
+url="http://localhost:${port}"
|
||
|
+adv="${TMP}/adv"
|
||
|
+tang_get_adv "${port}" "${adv}"
|
||
|
+
|
||
|
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||
|
+
|
||
|
+# LUKS2.
|
||
|
+DEV="${TMP}/luks2-device"
|
||
|
+new_device "luks2" "${DEV}"
|
||
|
+
|
||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||
|
+ error "${TEST}: Bind should have succeeded."
|
||
|
+fi
|
||
|
+
|
||
|
+# Now let's test the passphrase.
|
||
|
+SLT=1
|
||
|
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||
|
+echo $PASS >&2
|
||
|
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||
|
+ error "Passphrase obtained from clevis luks pass failed."
|
||
|
+fi
|
||
|
--
|
||
|
2.29.2
|
||
|
|