Account for unlocking failures in clevis-luks-askpass

Resolves: rhbz#2022421
Sergio Correia 2021-11-17 06:47:07 -03:00
parent d873f97451
commit 17b3f6deaf
2 changed files with 47 additions and 1 deletions

@ -0,0 +1,41 @@
From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1
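Review bot: with this change the `loop` mode no longer exits while any `ask.*` file is present under `${path}`, which fixes the extra `rd.luks.uuid` case the message describes but also means termination now depends on systemd removing an ask file that clevis cannot answer (a volume with no clevis binding, or a network that never comes up); the commit message should state that trade-off so it is not mistaken for a hang later. Minor style point on the same hunk: `remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:` parses `ls` output only to test for existence; a glob loop such as `for f in "${path}"/ask.*; do [ -e "${f}" ] && ...` avoids the `ls` and the subshell and behaves the same when nothing matches.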

@ -1,6 +1,6 @@
Name: clevis Name: clevis
Version: 18 Version: 18
Release: 4%{?dist} Release: 5%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -9,6 +9,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
Source1: clevis.sysusers Source1: clevis.sysusers
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
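Review bot: the new `Patch0002` line only declares the patch; the mechanism that applies it (`%autosetup`/`%patch` in `%prep`) is outside this hunk, so confirm the patch is actually applied in the build, otherwise the release bump ships without the fix.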
@ -193,6 +194,10 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5
- Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2022421
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688
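Review bot: the changelog entry references only `rhbz#2022421`, while the added patch itself cites the upstream PR (#343) and `rhbz#1878892`; adding the upstream reference to the entry would make the provenance of the fix traceable from the package alone.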