rpms/clevis
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import clevis-15-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-11-27 04:22:20 +00:00 committed by Stepan Oksanichenko
parent b8e022f575
commit 39e2a94e49
2 changed files with 107 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
SOURCES/0004-systemd-drop-ncat-dependency.patch Normal file
View File

@ -0,0 +1,101 @@
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].
However, systemd itself has a utility that does exactly that,
systemd-reply-password.
In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.
[1] https://systemd.io/PASSWORD_AGENTS/
---
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
src/luks/systemd/meson.build | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 5 deletions(-)
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
fi
uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
continue
fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
inst_multiple \
/etc/services \
+ @SYSTEMD_REPLY_PASS@ \
@libexecdir@/clevis-luks-askpass \
clevis-luks-common-functions \
grep sed cut \
@@ -45,8 +46,7 @@ install() {
luksmeta \
clevis \
mktemp \
- jose \
- ncat
+ jose
dracut_need_initqueue
}
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
subdir('dracut')
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
configuration: data,
)
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
else
warning('Will not install systemd support due to missing dependencies!')
endif
--
2.33.1

8
SPECS/clevis.spec
View File

@ -2,7 +2,7 @@
Name: clevis Name: clevis
Version: 15 Version: 15
Release: 2%{?dist} Release: 3%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -12,6 +12,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
BuildRequires: git BuildRequires: git
BuildRequires: gcc BuildRequires: gcc
@ -86,7 +87,6 @@ Requires: systemd%{?_isa} >= 236
%endif %endif
%endif %endif
%endif %endif
Requires: nc
%description systemd %description systemd
Automatically unlocks clevis-bound LUKS block devices during boot. Automatically unlocks clevis-bound LUKS block devices during boot.
@ -197,6 +197,10 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
- Drop ncat dependency
Resolves: rhbz#1949289
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2 * Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
- Account for unlocking failures in clevis-luks-askpass - Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2018292 Resolves: rhbz#2018292