rpms/clevis
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS clevis-20-200.el9

Browse Source
This commit is contained in:
eabdullin 2024-09-30 15:13:42 +00:00
parent fb933faba1
commit 16dd671a9a
17 changed files with 66 additions and 1059 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.clevis.metadata
View File

@ -1 +1 @@
dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz
905a3b7a326dfc8e84a0b09d3246bea3d048fa78 SOURCES/clevis-20.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/clevis-18.tar.xz
SOURCES/clevis-20.tar.xz

56
SOURCES/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch Normal file
View File

@ -0,0 +1,56 @@
--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
@@ -264,8 +264,10 @@
error:
g_list_free_full(ctx.lst, g_free);
- g_main_loop_unref(ctx.loop);
- g_object_unref(ctx.clt);
+ if (ctx.loop)
+ g_main_loop_unref(ctx.loop);
+ if (ctx.clt)
+ g_object_unref(ctx.clt);
close(sock);
return exit_status;
}
@@ -299,12 +301,12 @@
safeclose(&pair[0]);
}
-static ssize_t
-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
+static uint32_t
+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
{
int push[2] = { -1, -1 };
int pull[2] = { -1, -1 };
- ssize_t bytes = 0;
+ int32_t bytes = 0;
pid_t chld = 0;
if (pipe(push) != 0)
@@ -379,12 +381,18 @@
}
bytes = 0;
- for (ssize_t block = 1; block > 0; bytes += block) {
- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
- if (block < 0) {
- kill(chld, SIGTERM);
- goto error;
- }
+ ssize_t block = 0;
+ while (max > 0 && max > bytes) {
+ do {
+ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+ } while (block < 0 && errno == EINTR);
+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
+ kill(chld, SIGTERM);
+ goto error;
+ }
+ if (block == 0)
+ break;
+ bytes += block;
}
safeclose(&pull[PIPE_RD]);

47
SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
View File

@ -1,47 +0,0 @@
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 3 May 2021 22:36:36 -0300
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
Different OpenSSL versions define BN_zero() differently -- sometimes
returning an integer, sometimes as void --, so let's use instead
BN_set_word() instead, not to have issues when building with these
different versions.
---
src/pins/sss/sss.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
index a37215d..7486d6c 100644
--- a/src/pins/sss/sss.c
+++ b/src/pins/sss/sss.c
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
if (BN_rand_range(xx, pp) <= 0)
return NULL;
- if (BN_zero(yy) <= 0)
+ if (BN_set_word(yy, 0) <= 0)
return NULL;
for (size_t i = 0; i < json_array_size(e); i++) {
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
if (!ctx || !pp || !acc || !tmp || !k)
return NULL;
- if (BN_zero(k) <= 0)
+ if (BN_set_word(k, 0) <= 0)
return NULL;
len = jose_b64_dec(p, NULL, 0);
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
/* acc *= (0 - xi) / (xo - xi) */
- if (BN_zero(tmp) <= 0)
+ if (BN_set_word(tmp, 0) <= 0)
return NULL;
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
--
2.31.1

41
SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
View File

@ -1,41 +0,0 @@
From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

49
SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
View File

@ -1,49 +0,0 @@
From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Thu, 21 Oct 2021 13:58:52 +0200
Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-common-functions.in | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d53d2ab..360eb7e 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

16
SOURCES/0005-tang-dump-url-on-error-communication.patch
View File

@ -1,16 +0,0 @@
--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100
@@ -99,10 +99,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with the server $url" >&2
exit 1
fi

213
SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch
View File

@ -1,213 +0,0 @@
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 6/6] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index 7e6d2b3..8d60d05 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1

25
SOURCES/0007-avoid-clevis-invalid-msg.patch
View File

@ -1,25 +0,0 @@
--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200
@@ -27,6 +27,8 @@
}
cmd=clevis
+input_commands="$cmd $@"
+
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +38,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

54
SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch
View File

@ -1,54 +0,0 @@
From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 09:25:54 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index f018340..d059aae 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() {
|| [ -z "${passphrase}" ]; then
return 1
fi
-
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -346,7 +350,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

45
SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
View File

@ -1,45 +0,0 @@
From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set
(#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d059aae..87b370f 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.35.1

385
SOURCES/0010-existing-luks2-token-id.patch
View File

@ -1,385 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100
@@ -25,7 +25,7 @@
usage() {
exec >&2
echo
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
echo
echo "$SUMMARY":
echo
@@ -42,6 +42,8 @@
echo " -k KEY Non-interactively read LUKS password from KEY file"
echo " -k - Non-interactively read LUKS password from standard input"
echo
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
+ echo
exit 2
}
@@ -52,13 +54,14 @@
FRC=
YES=
-while getopts ":hfyd:s:k:t:" o; do
+while getopts ":hfyd:s:k:t:e:" o; do
case "$o" in
f) FRC='-f';;
d) DEV="$OPTARG";;
s) SLT="$OPTARG";;
k) KEY="$OPTARG";;
t) TOKEN_ID="$OPTARG";;
+ e) EXISTING_TOKEN_ID="$OPTARG";;
y) FRC='-f'
YES='-y';;
*) usage;;
@@ -99,11 +102,20 @@
exit 1
fi
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
+ echo "Existing token ID not supported in this cryptsetup version" >&2
+ exit 1
+fi
+
# Get the existing passphrase/keyfile.
existing_key=
keyfile=
case "${KEY}" in
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
+ "")
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
+ fi
+ ;;
-) IFS= read -r -s -p "" existing_key ||:
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
&& [ -z "${FRC}" ]; then
@@ -119,6 +131,13 @@
;;
esac
+# Check if existing token id for keyring read is provided
+# If so, keyfile is not allowed
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
+ echo "Cannot specify kernel keyring description together with key file" >&2
+ exit 1
+fi
+
# If necessary, initialize the LUKS volume.
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
luksmeta init -d "${DEV}" ${FRC}
@@ -127,7 +146,7 @@
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
"${PIN}" "${CFG}" \
"${YES}" "" \
- "${existing_key}" "${keyfile}"; then
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
echo "Error adding new binding to ${DEV}" >&2
exit 1
fi
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100
@@ -9,7 +9,7 @@
== SYNOPSIS
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
== OVERVIEW
@@ -54,6 +54,12 @@
* *-k* - :
Non-interactively read LUKS password from standard input
+* *-e* _E_TKN_ID_ :
+ LUKS token ID for existing passphrase; only available for LUKS2.
+ This parameter allows providing a configured token ID in LUKS2
+ containing the existing passphrase for this device, so that
+ existing passphrase is not prompted by clevis
+
== CAVEATS
This command does not change the LUKS master key. This implies that if you
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100
@@ -307,9 +307,10 @@
local KEY="${2:-}"
local KEYFILE="${3:-}"
local SLT="${4:-}"
+ local EXISTING_TOKEN_ID="${5:-}"
[ -z "${DEV}" ] && return 1
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
local extra_args
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
@@ -318,6 +319,11 @@
${extra_args}
return
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
+ ${extra_args}
+ return
+ fi
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
${extra_args}
@@ -753,10 +759,11 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
local extra_args='' input
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
@@ -764,6 +771,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
@@ -780,6 +791,7 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
@@ -789,7 +801,7 @@
local in_place
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" "${KEYFILE}" \
- "${SLT}" 2>/dev/null \
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
&& in_place=true
local input extra_args=
@@ -798,6 +810,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
@@ -844,13 +860,13 @@
[ -n "${OVERWRITE}" ] || return 1
clevis_luks_update_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
return
fi
# Add a new key.
clevis_luks_add_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
}
# clevis_luks_generate_key() generates a new key for use with clevis.
@@ -942,6 +958,7 @@
local OVERWRITE="${7:-}"
local KEY="${8:-}"
local KEYFILE="${9:-}"
+ local EXISTING_TOKEN_ID="${10:-}"
[ -z "${DEV}" ] && return 1
[ -z "${PIN}" ] && return 1
@@ -951,6 +968,8 @@
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" \
"${KEYFILE}" \
+ "" \
+ "${EXISTING_TOKEN_ID}" \
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
"Enter existing LUKS password: " \
"recover")"; then
@@ -995,7 +1014,7 @@
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
"${newkey}" "${KEY}" "${KEYFILE}" \
- "${OVERWRITE}"; then
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
echo "Unable to save/update key slot; operation cancelled" >&2
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
rm -rf "${CLEVIS_TMP_DIR}"
@@ -1016,12 +1035,19 @@
}
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
-# Suppor is determined at build time.
+# Support is determined at build time.
function clevis_luks_luks2_supported() {
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
return @OLD_CRYPTSETUP@
}
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
+# cryptsetup allows token id for passphrase providing
+function clevis_luks_luks2_existing_token_id_supported() {
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
clevis_luks_type() {
local DEV="${1}"
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100
@@ -14,6 +14,15 @@
endif
endif
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
+if libcryptsetup_ext_token_id.found()
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
+ message('cryptsetup version supports existing token id')
+else
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
+ warning('cryptsetup version does not support existing token id')
+endif
+
clevis_luks_common_functions = configure_file(
input: 'clevis-luks-common-functions.in',
output: 'clevis-luks-common-functions',
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
+++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+create_existing_token_id_from_keyring() {
+ local DEV="${1}"
+ local KEYDESC="${2}"
+ local TOKEN_ID="${3}"
+ local PASS="${4}"
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
+ return 1
+ fi
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
+}
+
+if ! luks2_supported; then
+ skip_test "${TEST}: LUKS2 is not supported."
+fi
+
+if ! luks2_existing_token_id_supported; then
+ skip_test "${TEST}: Existing token ID not supported"
+fi
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+tang_create_adv "${TMP}" "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+EXISTING_TOKEN_ID=5
+KEYDESC="testkey"
+PASS="123exttokenid_"
+DEV="${TMP}/luks2-device-ext-token"
+new_device "luks2" "${DEV}" "${PASS}"
+
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
+
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
+fi
+
+KEYFILE="${TMP}/keyfile.txt"
+touch "${KEYFILE}"
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
+fi
--- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100
@@ -5,6 +5,15 @@
# given token slot.
cryptsetup = find_program('cryptsetup', required: true)
+# Use keyctl to check an existing token id can be created from
+# kernel keyring password
+keyutils = find_program('keyctl', required: false)
+if keyutils.found()
+ message('keyutils installed')
+else
+ warning('keyutils not installed, unable to test existing token id binding')
+endif
+
common_functions = configure_file(input: 'tests-common-functions.in',
output: 'tests-common-functions',
configuration: luksmeta_data,
@@ -69,6 +78,10 @@
test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
+ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0'
+ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60)
+ endif
+
if jq.found()
test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100
@@ -36,6 +36,12 @@
return @OLD_CRYPTSETUP@
}
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+# Support is determined at build time.
+luks2_existing_token_id_supported() {
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# Creates a new LUKS1 or LUKS2 device to be used.
new_device() {
local LUKS="${1}"

16
SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch
View File

@ -1,16 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100
@@ -418,7 +418,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a

42
SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch
View File

@ -1,42 +0,0 @@
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
@@ -875,6 +875,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -886,6 +887,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}

11
SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch
View File

@ -1,11 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi

98
SOURCES/0014-remove-pwmake-for-password-generation.patch
View File

@ -1,98 +0,0 @@
--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
@@ -1,7 +1,6 @@
luksmeta_data = configuration_data()
luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
if libcryptsetup.found()
@@ -33,7 +32,7 @@
output: 'clevis-luks-unbind',
configuration: luksmeta_data)
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
subdir('systemd')
subdir('udisks2')
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
@@ -20,6 +20,11 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
enable_debugging() {
# Automatically enable debugging if in initramfs phase and rd.debug
if [ -e /usr/lib/dracut-lib.sh ]; then
@@ -782,7 +787,7 @@
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
${pbkdf_args} \
@@ -812,11 +817,11 @@
local input extra_args=
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
if [ -n "${KEYFILE}" ]; then
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
if [ -n "${EXISTING_TOKEN_ID}" ]; then
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
input="$(printf '%s' "${NEWKEY}")"
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
@@ -876,26 +881,10 @@
# clevis_luks_generate_key() generates a new key for use with clevis.
clevis_luks_generate_key() {
- local DEV="${1}"
- [ -z "${DEV}" ] && return 1
-
- local dump filter bits
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- filter="$(echo -n "${dump}" | \
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
- else
- return 1
- fi
-
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
- bits="${MAX_ENTROPY_BITS}"
- fi
- pwmake "${bits}"
+ local input
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+ jose jwk gen --input="${input}" --output=- \
+ | jose fmt --json=- --object --get k --unquote=-
}
# clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -986,8 +975,8 @@
fi
local newkey jwe
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
- || [ -z "${newkey}" ]; then
+
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
echo "Unable to generate a new key" >&2
return 1
fi

23
SPECS/clevis.spec
View File

@ -1,26 +1,14 @@
Name: clevis
Version: 18
Release: 112%{?dist}
Version: 20
Release: 200%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0005: 0005-tang-dump-url-on-error-communication.patch
Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch
Patch0007: 0007-avoid-clevis-invalid-msg.patch
Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch
Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0010: 0010-existing-luks2-token-id.patch
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
Patch0014: 0014-remove-pwmake-for-password-generation.patch
BuildRequires: git-core
BuildRequires: gcc
@ -184,6 +172,7 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_libexecdir}/%{name}-luks-unlocker
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
@ -199,6 +188,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Tue May 21 2024 Sergio Arroutbi <sarroutb@redhat.com> - 20-200
- Rebase to clevis-20
Resolves: #RHEL-29282
* Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112
- Remove pwmake for password generation
Resolves: rhbz#2207488