From 402b5b88962d1055ba955de33fb362993d34da28 Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Mon, 20 Jan 2020 13:29:15 +0100
Subject: [PATCH] Update to new upstream version, v12
---
 .gitignore | 1 +
 0001-Backport-upstream-tests-and-fixes.patch | 970 ------------------
 0002-Disabling-LUKS2-tests-for-now.patch | 30 -
 ...e-we-try-to-use-a-partially-used-luk.patch | 202 ----
 ...device-TCTI-library-to-the-initramfs.patch | 34 -
 ...g-references-to-the-removed-http-pin.patch | 132 ---
 ...up-and-tpm2_pcrlist-in-the-initramfs.patch | 49 -
 ...crypt-tpm2-fix-TPM-object-attributes.patch | 57 -
 ...module-setup.sh-test-for-required-bi.patch | 64 --
 clevis.spec | 24 +-
 ...-tpm2-add-support-for-tpm2-tools-4.X.patch | 236 -----
 sources | 2 +-
 12 files changed, 10 insertions(+), 1791 deletions(-)
 delete mode 100644 0001-Backport-upstream-tests-and-fixes.patch
 delete mode 100644 0002-Disabling-LUKS2-tests-for-now.patch
 delete mode 100644 0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch
 delete mode 100644 Add-device-TCTI-library-to-the-initramfs.patch
 delete mode 100644 Delete-remaining-references-to-the-removed-http-pin.patch
 delete mode 100644 Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
 delete mode 100644 clevis-encrypt-tpm2-fix-TPM-object-attributes.patch
 delete mode 100644 clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch
 delete mode 100644 pins-tpm2-add-support-for-tpm2-tools-4.X.patch
diff --git a/.gitignore b/.gitignore
index 850df0e..6ee42b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /clevis-11.tar.xz
+/clevis-12.tar.xz
diff --git a/0001-Backport-upstream-tests-and-fixes.patch b/0001-Backport-upstream-tests-and-fixes.patch
deleted file mode 100644
index 5e56da3..0000000
--- a/0001-Backport-upstream-tests-and-fixes.patch
+++ /dev/null
@@ -1,970 +0,0 @@ -From c6d1b1a3128d29a2d13799cf869602d1afb02d57 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Wed, 4 Dec 2019 18:11:00 -0300 -Subject: [PATCH] Backport upstream tests and fixes - -Commits backported: - -* Add tests for LUKS binding and unbinding -- https://github.com/latchset/clevis/pull/134/commits/f5d42cb3ba02ff8fcf39cc6c2751d2cd444f5a74 - -* Rework the logic for reading the existing key -- https://github.com/latchset/clevis/pull/141/commits/834eda9db62992fc235ecef41461502fd4084f6e - -* fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 ( -- https://github.com/latchset/clevis/commit/62bd6de0b8c36a238809546273ff08c3f3766564 - -* pins/tang: check that key derivation key is available -- https://github.com/latchset/clevis/pull/119/commits/c231352729223b08ade04e4e46c775bb934c9959 ---- - src/luks/clevis-luks-bind | 53 ++++++++--- - src/luks/meson.build | 5 +- - .../tests/bind-key-file-non-interactive-luks1 | 59 ++++++++++++ - src/luks/tests/bind-luks1 | 57 ++++++++++++ - src/luks/tests/bind-luks2 | 48 ++++++++++ - .../bind-pass-with-newline-keyfile-luks1 | 70 ++++++++++++++ - src/luks/tests/bind-pass-with-newline-luks1 | 67 +++++++++++++ - src/luks/tests/bind-wrong-pass-luks1 | 56 +++++++++++ - src/luks/tests/bind-wrong-pass-luks2 | 47 ++++++++++ - src/luks/tests/meson.build | 27 ++++++ - src/luks/tests/tests-common-functions | 93 +++++++++++++++++++ - src/luks/tests/unbind-luks1 | 74 +++++++++++++++ - src/luks/tests/unbind-luks2 | 51 ++++++++++ - src/luks/tests/unbind-unbound-slot-luks1 | 40 ++++++++ - src/luks/tests/unbind-unbound-slot-luks2 | 41 ++++++++ - src/pins/tang/clevis-encrypt-tang | 6 +- - 16 files changed, 780 insertions(+), 14 deletions(-) - create mode 100755 src/luks/tests/bind-key-file-non-interactive-luks1 - create mode 100755 src/luks/tests/bind-luks1 - create mode 100755 src/luks/tests/bind-luks2 - create mode 100755 src/luks/tests/bind-pass-with-newline-keyfile-luks1 - create mode 100755 
src/luks/tests/bind-pass-with-newline-luks1 - create mode 100755 src/luks/tests/bind-wrong-pass-luks1 - create mode 100755 src/luks/tests/bind-wrong-pass-luks2 - create mode 100644 src/luks/tests/meson.build - create mode 100755 src/luks/tests/tests-common-functions - create mode 100755 src/luks/tests/unbind-luks1 - create mode 100755 src/luks/tests/unbind-luks2 - create mode 100755 src/luks/tests/unbind-unbound-slot-luks1 - create mode 100755 src/luks/tests/unbind-unbound-slot-luks2 - -diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind -index 7aae2ea..6edfccd 100755 ---- a/src/luks/clevis-luks-bind -+++ b/src/luks/clevis-luks-bind -@@ -107,26 +107,55 @@ if cryptsetup isLuks --type luks1 "$DEV" && ! luksmeta test -d "$DEV"; then - luksmeta init -d "$DEV" $FRC - fi - --# Get the old key -+# Get the existing key. - case "$KEY" in --"") read -s -p "Enter existing LUKS password: " old; echo;; -- -) old=`/bin/cat`;; -- *) old=`/bin/cat "$KEY"`;; -+"") read -r -s -p "Enter existing LUKS password: " existing_key; echo;; -+ -) existing_key="$(/bin/cat)";; -+ *) ! IFS= read -rd '' existing_key < "$KEY";; - esac - --# Add the new key -+ -+#Add the new key - if [ -n "$SLT" ]; then -- if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then -- echo "Error while adding new key to LUKS header!" >&2 -- exit 1 -+ cryptsetup luksAddKey --key-slot "$SLT" --key-file \ -+ <(echo -n "$existing_key") "$DEV" -+else -+ if cryptsetup isLuks --type luks2 "${DEV}"; then -+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ -+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p') -+ else -+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ -+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') - fi --elif ! SLT=`echo -e "$old\n$key" \ -- | cryptsetup luksAddKey -v $DEV \ -- | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then -+ cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV" -+fi < <(echo -n "${key}") -+if [ $? 
-ne 0 ]; then - echo "Error while adding new key to LUKS header!" >&2 - exit 1 - fi - -+#Determine slot used by new key if a desired slot was not specified -+if [ -z "$SLT" ]; then -+ if cryptsetup isLuks --type luks2 "${DEV}"; then -+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \ -+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p') -+ else -+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \ -+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') -+ fi -+ for i in "${usedSlotsAfterAddKey[@]}"; do -+ if [[ ! " ${usedSlotsBeforeAddKey[@]} " =~ " ${i} " ]]; then -+ SLT=$i -+ break -+ fi -+ done -+fi -+ -+if [ -z "$SLT" ]; then -+ echo "Error while adding new key to LUKS header! Key slot is undefined." >&2 -+ exit 1 -+fi -+ - if cryptsetup isLuks --type luks1 "$DEV"; then - if ! echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" -s $SLT 2>/dev/null; then - echo "Error while saving Clevis metadata in LUKSMeta!" >&2 -@@ -142,4 +171,4 @@ else - cryptsetup luksRemoveKey "$DEV" <<<"$key" - exit 1 - fi --fi -\ No newline at end of file -+fi -diff --git a/src/luks/meson.build b/src/luks/meson.build -index 1f64ab0..2935c3f 100644 ---- a/src/luks/meson.build -+++ b/src/luks/meson.build -@@ -18,4 +18,7 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found() - mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7') - else - warning('Will not install LUKS support due to missing dependencies!') --endif -\ No newline at end of file -+endif -+ -+# Tests. -+subdir('tests') -diff --git a/src/luks/tests/bind-key-file-non-interactive-luks1 b/src/luks/tests/bind-key-file-non-interactive-luks1 -new file mode 100755 -index 0000000..f5b5d03 ---- /dev/null -+++ b/src/luks/tests/bind-key-file-non-interactive-luks1 -@@ -0,0 +1,59 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. 
-+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+KEYFILE="${TMP}/key" -+PASS=$(openssl rand -hex 8) -+echo -n "${PASS}" > "${KEYFILE}" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}" -+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE})." >&2 -+fi -+ -+SLT=1 -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." 
>&2 -+fi -diff --git a/src/luks/tests/bind-luks1 b/src/luks/tests/bind-luks1 -new file mode 100755 -index 0000000..281a328 ---- /dev/null -+++ b/src/luks/tests/bind-luks1 -@@ -0,0 +1,57 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+new_device "luks1" "${DEV}" -+ -+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2 -+fi -+ -+SLT=1 -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." 
>&2 -+fi -diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2 -new file mode 100755 -index 0000000..11f988c ---- /dev/null -+++ b/src/luks/tests/bind-luks2 -@@ -0,0 +1,48 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+if ! luks2_supported; then -+ error "{TEST}: LUKS2 is not supported." -+fi -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS2. -+ -+DEV="${TMP}/luks2-device" -+new_device "luks2" "${DEV}" -+ -+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." 
>&2 -+fi -diff --git a/src/luks/tests/bind-pass-with-newline-keyfile-luks1 b/src/luks/tests/bind-pass-with-newline-keyfile-luks1 -new file mode 100755 -index 0000000..bce584e ---- /dev/null -+++ b/src/luks/tests/bind-pass-with-newline-keyfile-luks1 -@@ -0,0 +1,70 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+ -+# Using newlines and special chars in the passphrase. -+PASS="foo -+ -+bar -+ -+\\\&#@@&@*!)( -+ -+$$$ -+" -+ -+KEYFILE="${TMP}/key" -+echo -n "${PASS}" > "${KEYFILE}" -+ -+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}" -+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE}) password." >&2 -+fi -+ -+SLT=1 -+if ! 
read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2 -+fi -diff --git a/src/luks/tests/bind-pass-with-newline-luks1 b/src/luks/tests/bind-pass-with-newline-luks1 -new file mode 100755 -index 0000000..89de082 ---- /dev/null -+++ b/src/luks/tests/bind-pass-with-newline-luks1 -@@ -0,0 +1,67 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+ -+# Using newlines and special chars in the passphrase. -+PASS="foo -+ -+bar -+ -+\\\&#@@&@*!)( -+ -+$$$ -+" -+new_device "luks1" "${DEV}" "${PASS}" -+ -+if ! 
clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2 -+fi -+ -+SLT=1 -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2 -+fi -diff --git a/src/luks/tests/bind-wrong-pass-luks1 b/src/luks/tests/bind-wrong-pass-luks1 -new file mode 100755 -index 0000000..a15945e ---- /dev/null -+++ b/src/luks/tests/bind-wrong-pass-luks1 -@@ -0,0 +1,56 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. 
-+DEV="${TMP}/luks1-device" -+new_device "luks1" "${DEV}" -+ -+if clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then -+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2 -+fi -+ -+SLT=1 -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "inactive" ]; then -+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2 -+fi -+ -+if [ "${uuid}" != "empty" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2 -+fi -diff --git a/src/luks/tests/bind-wrong-pass-luks2 b/src/luks/tests/bind-wrong-pass-luks2 -new file mode 100755 -index 0000000..cbbb095 ---- /dev/null -+++ b/src/luks/tests/bind-wrong-pass-luks2 -@@ -0,0 +1,47 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+if ! luks2_supported; then -+ error "{TEST}: LUKS2 is not supported." 
-+fi -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS2. -+DEV="${TMP}/luks2-device" -+new_device "luks2" "${DEV}" -+ -+if clevis luks bind -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then -+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2 -+fi -diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build -new file mode 100644 -index 0000000..85b8a99 ---- /dev/null -+++ b/src/luks/tests/meson.build -@@ -0,0 +1,27 @@ -+env = environment() -+env.prepend('PATH', -+ join_paths(meson.source_root(), 'src'), -+ join_paths(meson.source_root(), 'src', 'luks'), -+ join_paths(meson.source_root(), 'src', 'pins', 'tang'), -+ join_paths(meson.source_root(), 'src', 'pins', 'tpm2'), -+ meson.current_source_dir(), -+ meson.current_build_dir(), -+ join_paths(meson.build_root(), 'src'), -+ join_paths(meson.build_root(), 'src', 'luks'), -+ separator: ':' -+) -+ -+test('bind-wrong-pass-luks1', find_program('bind-wrong-pass-luks1'), env: env) -+test('bind-luks1', find_program('bind-luks1'), env: env) -+test('unbind-unbound-slot-luks1', find_program('unbind-unbound-slot-luks1'), env: env) -+test('unbind-luks1', find_program('unbind-luks1'), env: env) -+test('bind-key-file-non-interactive', find_program('bind-key-file-non-interactive-luks1'), env: env) -+test('bind-pass-with-newline', find_program('bind-pass-with-newline-luks1'), env: env) -+test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyfile-luks1'), env: env) -+ -+# LUKS2 tests go here. -+# Binding LUKS2 takes longer, so timeout is increased for a few tests. 
-+test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env) -+test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60) -+test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env) -+test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60) -diff --git a/src/luks/tests/tests-common-functions b/src/luks/tests/tests-common-functions -new file mode 100755 -index 0000000..4befaa9 ---- /dev/null -+++ b/src/luks/tests/tests-common-functions -@@ -0,0 +1,93 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+error() { -+ echo "${1}" >&2 -+ exit 1 -+} -+ -+# We require cryptsetup >= 2.0.4 to fully support LUKSv2. -+# Support is determined at build time. -+luks2_supported() { -+ return 0 -+} -+ -+# Creates a tang adv to be used in the test. 
-+create_tang_adv() { -+ local adv="${1}" -+ local SIG="${TMP}/sig.jwk" -+ jose jwk gen -i '{"alg":"ES512"}' > "${SIG}" -+ -+ local EXC="${TMP}/exc.jwk" -+ jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}" -+ -+ local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}' -+ jose jwk pub -s -i "${SIG}" -i "${EXC}" \ -+ | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}" -+} -+ -+ -+# Creates a new LUKS1 or LUKS2 device to be used. -+new_device() { -+ local LUKS="${1}" -+ local DEV="${2}" -+ local PASS="${3}" -+ -+ # Using a default password, if none has been provided. -+ if [ -z "${PASS}" ]; then -+ PASS="${DEFAULT_PASS}" -+ fi -+ -+ local DEV_CACHED="${TMP}/${LUKS}.cached" -+ -+ # Let's reuse an existing device, if there is one. -+ if [ -f "${DEV_CACHED}" ]; then -+ echo "Reusing cached ${LUKS} device..." -+ cp -f "${DEV_CACHED}" "${DEV}" -+ return 0 -+ fi -+ -+ fallocate -l16M "${DEV}" -+ local extra_options= -+ if [ "${LUKS}" = "luks2" ]; then -+ extra_options="--pbkdf pbkdf2" -+ fi -+ if ! cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" <<< "${PASS}"; then -+ cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" --debug 2>&1 <<< "${PASS}" -+ fi -+ # Caching the just-formatted device for possible reuse. -+ cp -f "${DEV}" "${DEV_CACHED}" -+} -+ -+# Creates a new LUKS1 or LUKS2 device to be used, using a keyfile. -+new_device_keyfile() { -+ local LUKS="${1}" -+ local DEV="${2}" -+ local KEYFILE="${3}" -+ -+ if [[ -z "${KEYFILE}" ]] || [[ ! -f "${KEYFILE}" ]]; then -+ error "Invalid keyfile (${KEYFILE})." 
-+ fi -+ -+ fallocate -l16M "${DEV}" -+ cryptsetup luksFormat --type "${LUKS}" --batch-mode "${DEV}" "${KEYFILE}" -+} -+ -+export DEFAULT_PASS='just-some-test-password-here' -diff --git a/src/luks/tests/unbind-luks1 b/src/luks/tests/unbind-luks1 -new file mode 100755 -index 0000000..56cf8c0 ---- /dev/null -+++ b/src/luks/tests/unbind-luks1 -@@ -0,0 +1,74 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+new_device "luks1" "${DEV}" -+ -+# Bind, initially. -+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2 -+fi -+ -+SLT=1 -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." 
>&2 -+fi -+ -+if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2 -+fi -+ -+# Now unbind. -+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then -+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2 -+fi -+ -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "inactive" ]; then -+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2 -+fi -+ -+if [ "${uuid}" != "empty" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2 -+fi -diff --git a/src/luks/tests/unbind-luks2 b/src/luks/tests/unbind-luks2 -new file mode 100755 -index 0000000..82871be ---- /dev/null -+++ b/src/luks/tests/unbind-luks2 -@@ -0,0 +1,51 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+if ! 
luks2_supported; then -+ error "{TEST}: LUKS2 is not supported." -+fi -+ -+TMP="$(mktemp -d)" -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS2. -+DEV="${TMP}/luks2-device" -+new_device "luks2" "${DEV}" -+# Binding. -+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Binding is expected to succeed." >&2 -+fi -+ -+SLT=1 -+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then -+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2 -+fi -diff --git a/src/luks/tests/unbind-unbound-slot-luks1 b/src/luks/tests/unbind-unbound-slot-luks1 -new file mode 100755 -index 0000000..e562a36 ---- /dev/null -+++ b/src/luks/tests/unbind-unbound-slot-luks1 -@@ -0,0 +1,40 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+# LUKS1. 
-+DEV="${TMP}/luks1-device" -+new_device "luks1" "${DEV}" -+ -+SLT=2 -+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then -+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2 -+fi -diff --git a/src/luks/tests/unbind-unbound-slot-luks2 b/src/luks/tests/unbind-unbound-slot-luks2 -new file mode 100755 -index 0000000..6a2aca5 ---- /dev/null -+++ b/src/luks/tests/unbind-unbound-slot-luks2 -@@ -0,0 +1,41 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+if ! luks2_supported; then -+ error "{TEST}: LUKS2 is not supported." 
-+fi -+ -+TMP="$(mktemp -d)" -+ -+DEV="${TMP}/luks2-device" -+new_device "luks2" "${DEV}" -+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then -+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2 -+fi -diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang -index e65a7d1..5461b45 100755 ---- a/src/pins/tang/clevis-encrypt-tang -+++ b/src/pins/tang/clevis-encrypt-tang -@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \ - fi - - ### Perform encryption --enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"` -+if ! enc="$(jose jwk use -i- -r -u deriveKey -o- <<< "$jwks")"; then -+ echo "Key derivation key not available!" >&2 -+ exit 1 -+fi -+ - jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}" - - for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do --- -2.23.0 - diff --git a/0002-Disabling-LUKS2-tests-for-now.patch b/0002-Disabling-LUKS2-tests-for-now.patch deleted file mode 100644 index bbcc349..0000000 --- a/0002-Disabling-LUKS2-tests-for-now.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 8b52bdf9f3f4c0f36f5afc9158a46471a02e4604 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Thu, 5 Dec 2019 08:48:14 -0300 -Subject: [PATCH] Disabling LUKS2 tests for now - -As they seem to fail randomly in Koji builders, killing the build. ---- - src/luks/tests/meson.build | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build -index 85b8a99..5059625 100644 ---- a/src/luks/tests/meson.build -+++ b/src/luks/tests/meson.build -@@ -21,7 +21,8 @@ test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyf - - # LUKS2 tests go here. - # Binding LUKS2 takes longer, so timeout is increased for a few tests. --test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env) --test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60) --test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env) --test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60) -+# Currently not including any LUKS2 tests as they fail randomly in Koji builders. -+#test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env) -+#test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60) -+#test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env) -+#test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60) --- -2.23.0 - diff --git a/0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch b/0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch deleted file mode 100644 index 1f65ac5..0000000 --- a/0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch +++ /dev/null 
@@ -1,202 +0,0 @@ -From bc4c6374e8bbe49992a545d4b51d2b4f020bae06 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Thu, 19 Dec 2019 09:27:52 -0300 -Subject: [PATCH] Handle case where we try to use a partially used luksmeta - slot #142 - -In some situations, especially with older versions of clevis, we can end -up with a partially used luksmeta slot. - -We can identify such slots because they will be marked as inactive, yet -they will contain the clevis UUID, "cb6e8904-81ff-40da-a84a-07ab9ab5715e". - -When this situation happens, we have cryptsetup and luksmeta slots "out -of sync", and since we currently have cryptsetup choose the slot, we may -end up trying to use such a partially used slot, which in turn will fail -because luksmeta will not be able to save data to it. - -We handle this case by wiping the partially used slot, if we identify -the situation will arise. - -Tests also added to verify this case is handled properly. - -Fixes: #70 ---- - src/luks/clevis-luks-bind | 30 ++++++ - .../tests/bind-already-used-luksmeta-slot | 102 ++++++++++++++++++ - src/luks/tests/meson.build | 2 + - 3 files changed, 134 insertions(+) - create mode 100755 src/luks/tests/bind-already-used-luksmeta-slot - -diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind -index 6edfccd..7468ed9 100755 ---- a/src/luks/clevis-luks-bind -+++ b/src/luks/clevis-luks-bind -@@ -75,6 +75,18 @@ if ! CFG=${@:$((OPTIND++)):1} || [ -z "$CFG" ]; then - usage - fi - -+if cryptsetup isLuks --type luks1 "$DEV"; then -+ # The first free slot, as per cryptsetup. In connection to bug #70, we may -+ # have to wipe out the LUKSMeta slot priot to adding the new key. -+ first_free_cs_slot=$(cryptsetup luksDump "${DEV}" \ -+ | sed -rn 's|^Key Slot ([0-7]): DISABLED$|\1|p' \ -+ | head -n 1) -+ if [ -z "${first_free_cs_slot}" ]; then -+ echo "There are no more free slots in ${DEV}!" 
>&2 -+ exit 1 -+ fi -+fi -+ - if [ -n "$KEY" ]; then - if [ "$KEY" == "-" ]; then - if cryptsetup isLuks --type luks1 "$DEV"; then -@@ -114,6 +126,24 @@ case "$KEY" in - *) ! IFS= read -rd '' existing_key < "$KEY";; - esac - -+# Check if the key is valid. -+if ! cryptsetup luksOpen --test-passphrase "${DEV}" \ -+ --key-file <(echo -n "${existing_key}"); then -+ exit 1 -+fi -+ -+if cryptsetup isLuks --type luks1 "${DEV}"; then -+ # In certain circumstances, we may have LUKSMeta slots "not in sync" with -+ # cryptsetup, which means we will try to save LUKSMeta metadata over an -+ # already used or partially used slot -- github issue #70. -+ # If that is the case, let's wipe the LUKSMeta slot here prior to saving. -+ if read -r _ state uuid < <(luksmeta show -d "${DEV}" \ -+ | grep "^${first_free_cs_slot} *"); then -+ if [ "${state}" = "inactive" ] && [ "${uuid}" = "${UUID}" ]; then -+ luksmeta wipe -f -d "${DEV}" -s "${first_free_cs_slot}" -+ fi -+ fi -+fi - - #Add the new key - if [ -n "$SLT" ]; then -diff --git a/src/luks/tests/bind-already-used-luksmeta-slot b/src/luks/tests/bind-already-used-luksmeta-slot -new file mode 100755 -index 0000000..eea3c80 ---- /dev/null -+++ b/src/luks/tests/bind-already-used-luksmeta-slot -@@ -0,0 +1,102 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. 
-+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+create_tang_adv "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" -+ -+# We can have a "partially" used if it is an inactive slot that has an UUID -+# already: -+# 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e -+# We end up in this situation if the cryptsetup step adding the key failed, -+# for instance because we provided a wrong pass phrase, and luksmeta saved -+# data anyway. We used to have an issue with clevis luks bind script, in which -+# we would still run luksmeta save even if the cryptsetup step failed. -+ -+bind_and_verify() { -+ local DEV="${1}" -+ local PASS="${2}" -+ local SLT="${3}" -+ -+ if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then -+ error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2 -+ fi -+ -+ if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+ fi -+ -+ if [ "${state}" != "active" ]; then -+ error "${TEST}: state (${state}) is expected to be 'active'." >&2 -+ fi -+ -+ if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2 -+ fi -+} -+ -+SLT=1 -+NEW_PASS="new-pass" -+PASS="${DEFAULT_PASS}" -+WRONG_PASS="wrong-password-here" -+ -+new_device "luks1" "${DEV}" -+luksmeta init -f -d "${DEV}" -+if cryptsetup luksAddKey "${DEV}" < <(echo "${WRONG_PASS}"; echo -n "${NEW_PASS}"); then -+ error "${TEST}: cryptsetup should not succeed in adding key when given a wrong passphrase." 
>&2 -+fi -+ -+# Ok, the cryptsetup step failed, since we gave a wrong password. That means -+# that right now the luksmeta slot is inactive. Let's simulate the bad -+# condition by saving the UUID there anyway. -+echo "foo" | luksmeta save -d "${DEV}" -u "${UUID}" -+ -+# Verify we have slot 1 like this: -+# # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e -+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then -+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 -+fi -+ -+if [ "${state}" != "inactive" ]; then -+ error "${TEST}: state (${state}) is expected to be 'inactive', in case #1." >&2 -+fi -+ -+if [ "${uuid}" != "${UUID}" ]; then -+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}', in case #1." >&2 -+fi -+ -+# Verify if can bind correctly in this situation. -+bind_and_verify "${DEV}" "${PASS}" "1" -diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build -index 5059625..2245a46 100644 ---- a/src/luks/tests/meson.build -+++ b/src/luks/tests/meson.build -@@ -18,6 +18,8 @@ test('unbind-luks1', find_program('unbind-luks1'), env: env) - test('bind-key-file-non-interactive', find_program('bind-key-file-non-interactive-luks1'), env: env) - test('bind-pass-with-newline', find_program('bind-pass-with-newline-luks1'), env: env) - test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyfile-luks1'), env: env) -+# Bug #70. -+test('bind-already-used-luksmeta-slot', find_program('bind-already-used-luksmeta-slot'), env: env, timeout: 60) - - # LUKS2 tests go here. - # Binding LUKS2 takes longer, so timeout is increased for a few tests. --- -2.23.0 - diff --git a/Add-device-TCTI-library-to-the-initramfs.patch b/Add-device-TCTI-library-to-the-initramfs.patch deleted file mode 100644 index 6757e60..0000000 --- a/Add-device-TCTI-library-to-the-initramfs.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Wed, 7 Nov 2018 16:48:47 +0100 -Subject: [PATCH 3/3] Add device TCTI library to the initramfs - -The tpm2-tools don't dynamically link against the TCTI libraries anymore, -but instead dlopen() the correct library depending on the TCTI used. - -So dracut isn't able anymore to figure out automatically using ldd what -libraries are needed by the tpm2-tools. Since clevis uses the device TCTI -to access the TPM directly, add the libtss2-tcti-device.so to the initrd. - -Suggested-by: Federico Chiacchiaretta - -Fixes: ##74 ---- - src/luks/systemd/dracut/module-setup.sh.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in -index 41e7d6c9b002..990bf4aeed56 100755 ---- a/src/luks/systemd/dracut/module-setup.sh.in -+++ b/src/luks/systemd/dracut/module-setup.sh.in -@@ -65,6 +65,7 @@ install() { - tpm2_pcrlist \ - tpm2_unseal \ - tpm2_load -+ inst_libdir_file "libtss2-tcti-device.so*" - fi - - dracut_need_initqueue --- -2.19.1 - diff --git a/Delete-remaining-references-to-the-removed-http-pin.patch b/Delete-remaining-references-to-the-removed-http-pin.patch deleted file mode 100644 index 36f1361..0000000 --- a/Delete-remaining-references-to-the-removed-http-pin.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Wed, 7 Nov 2018 14:53:08 +0100 -Subject: [PATCH 1/3] Delete remaining references to the removed http pin - -Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but -there are still references of it in the docs and also the dracut module. - -This was causing dracut to fail building the initramfs due the following: - -dracut-install: ERROR: installing 'clevis-decrypt-http' - -Suggested-by: Dominick Grift - -Fixes: #73 ---- - README.md | 21 --------------------- - src/clevis.1.adoc | 21 --------------------- - src/luks/clevis-luks-bind.1.adoc | 1 - - src/luks/systemd/dracut/module-setup.sh.in | 1 - - src/pins/sss/clevis-encrypt-sss.1.adoc | 1 - - 5 files changed, 45 deletions(-) - -diff --git a/README.md b/README.md -index ce8def12ec96..d57339aca5d9 100644 ---- a/README.md -+++ b/README.md -@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When - the advertisment is specified manually like this, Clevis presumes that the - advertisement is trusted. - --#### PIN: HTTP -- --Clevis also ships a pin for performing escrow using HTTP. Please note that, --at this time, this pin does not provide HTTPS support and is suitable only --for use over local sockets. This provides integration with services like --[Custodia](http://github.com/latchset/custodia). -- --For example: -- --```bash --$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe --``` -- --The HTTP pin generate a new (cryptographically-strong random) key and performs --encryption using it. It then performs a PUT request to the URL specified. It is --understood that the server will securely store this key for later retrieval. --During decryption, the pin will perform a GET request to retrieve the key and --perform decryption. -- --Patches to provide support for HTTPS and authentication are welcome. 
-- - #### PIN: TPM2 - - Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) -diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc -index 756aba57a4c8..dea0a696f5f7 100644 ---- a/src/clevis.1.adoc -+++ b/src/clevis.1.adoc -@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to - encrypt the data so that it can be automatically decrypted if the policy is - met. Lets walk through an example. - --== HTTP ESCROW -- --When using the HTTP pin, we create a new, cryptographically-strong, random key. --This key is stored in a remote HTTP escrow server (using a simple PUT or POST). --Then at decryption time, we attempt to fetch the key back again in order to --decrypt our data. So, for our configuration we need to pass the URL to the key --location: -- -- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE -- --To decrypt the data, simply provide the ciphertext (JWE): -- -- $ clevis decrypt < JWE > PLAINTEXT -- --Notice that we did not pass any configuration during decryption. The decrypt --command extracted the URL (and possibly other configuration) from the JWE --object, fetched the encryption key from the escrow and performed decryption. -- --For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)]. -- - == TANG BINDING - - Clevis provides support for the Tang network binding server. Tang provides -@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]. 
- - == SEE ALSO - --link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], - link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], - link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], - link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], -diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc -index 9f3a880cfb0c..0d649e3ec28b 100644 ---- a/src/luks/clevis-luks-bind.1.adoc -+++ b/src/luks/clevis-luks-bind.1.adoc -@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key. - == SEE ALSO - - link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)], --link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], - link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], - link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], - link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] -diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in -index 119762e38326..48aea5b3f29a 100755 ---- a/src/luks/systemd/dracut/module-setup.sh.in -+++ b/src/luks/systemd/dracut/module-setup.sh.in -@@ -36,7 +36,6 @@ install() { - inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" - - inst_multiple /etc/services \ -- clevis-decrypt-http \ - clevis-decrypt-tang \ - clevis-decrypt-sss \ - @libexecdir@/clevis-luks-askpass \ -diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc -index d46498db328c..7144e7e9ea96 100644 ---- a/src/pins/sss/clevis-encrypt-sss.1.adoc -+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc -@@ -54,6 +54,5 @@ receive key fragments. - - == SEE ALSO - --link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], - link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], - link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] --- -2.19.1 - diff --git a/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch b/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch deleted file mode 100644 index 28082b7..0000000 
--- a/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Wed, 7 Nov 2018 15:12:17 +0100 -Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs - -The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes -automatic LUKS unlocking fail with the following errors: - -dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found -dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found - -Suggested-by: Federico Chiacchiaretta - -Fixes: #74 ---- - src/luks/systemd/dracut/module-setup.sh.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in -index 48aea5b3f29a..41e7d6c9b002 100755 ---- a/src/luks/systemd/dracut/module-setup.sh.in -+++ b/src/luks/systemd/dracut/module-setup.sh.in -@@ -40,6 +40,7 @@ install() { - clevis-decrypt-sss \ - @libexecdir@/clevis-luks-askpass \ - clevis-decrypt \ -+ cryptsetup \ - luksmeta \ - clevis \ - mktemp \ -@@ -49,6 +50,7 @@ install() { - - for cmd in clevis-decrypt-tpm2 \ - tpm2_createprimary \ -+ tpm2_pcrlist \ - tpm2_unseal \ - tpm2_load; do - -@@ -60,6 +62,7 @@ install() { - if (($ret == 0)); then - inst_multiple clevis-decrypt-tpm2 \ - tpm2_createprimary \ -+ tpm2_pcrlist \ - tpm2_unseal \ - tpm2_load - fi --- -2.19.1 - diff --git a/clevis-encrypt-tpm2-fix-TPM-object-attributes.patch b/clevis-encrypt-tpm2-fix-TPM-object-attributes.patch deleted file mode 100644 index f8bc914..0000000 --- a/clevis-encrypt-tpm2-fix-TPM-object-attributes.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From b48c1096766f8fd1a9edc1ac5c1c0eea16dc2e5b Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Fri, 6 Sep 2019 15:04:35 +0200 -Subject: [PATCH] clevis-encrypt-tpm2: fix TPM object attributes - -Fix two problems with the current specification of the object -attributes: - -1. According to the Trusted Platform Module Library Family 2.0 -Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5, -sensitiveDataOrigin shall not be set for data objects: - -NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for -a data object so sensitiveDataOrigin is required to be CLEAR. A data -object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes -are CLEAR. - -tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin' -attribute. - -2. If the key is sealed against a certain PCR configuration, -'userwithauth' needs to be clear so that the key cannot be unsealed with -the default empty authorisation password. On the other hand, if the key -is not sealed against a specific PCR configuration, 'userwithauth' must -be set because there is no PCR policy to fulfil. - -tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified -for tpm2_create. ---- - src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2 -index c70187d7f4c..a7f333269bc 100755 ---- a/src/pins/tpm2/clevis-encrypt-tpm2 -+++ b/src/pins/tpm2/clevis-encrypt-tpm2 -@@ -24,7 +24,7 @@ auth="o" - # Algorithm type must be keyedhash for object with user provided sensitive data. - alg_create_key="keyedhash" - # Attributes for the created TPM2 object with the JWK as sensitive data. --obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy" -+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" - - function on_exit() { - if ! 
rm -rf $TMP; then -@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then - fi - - policy_options="-L $TMP/pcr.policy" -+else -+ obj_attr="$obj_attr|userwithauth" - fi - - if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \ --- -2.21.0 - diff --git a/clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch b/clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch deleted file mode 100644 index 403848d..0000000 --- a/clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From a9177d2dd4deadc3fa65ace235f4b35c43760fa4 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Fri, 6 Sep 2019 15:20:08 +0200 -Subject: [PATCH] clevis-pin-tpm2/module-setup.sh: test for required binaries - in check() - -If some of the dependencies are missing, dracut will now fail with a -warning of the form - -dracut: dracut module 'clevis-pin-tpm2' will not be installed, because command '...' could not be found! - -This is much better than silently failing during module installation. ---- - src/luks/systemd/dracut/module-setup.sh.in | 27 ++++++---------------- - 1 file changed, 7 insertions(+), 20 deletions(-) - -diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in -index 399e468e8e0..2dcdb68549d 100755 ---- a/src/luks/systemd/dracut/module-setup.sh.in -+++ b/src/luks/systemd/dracut/module-setup.sh.in -@@ -18,6 +18,11 @@ - # along with this program. If not, see . - # - -+check() { -+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load || return 1 -+ return 0 -+} -+ - depends() { - echo crypt systemd - return 0 -@@ -48,26 +53,8 @@ install() { - jose \ - nc - -- for cmd in clevis-decrypt-tpm2 \ -- tpm2_createprimary \ -- tpm2_pcrlist \ -- tpm2_unseal \ -- tpm2_load; do -- -- if ! find_binary "$cmd" &>/dev/null; then -- ((ret++)) -- fi -- done -- -- if (($ret == 0)); then -- inst_multiple clevis-decrypt-tpm2 \ -- tpm2_createprimary \ -- tpm2_pcrlist \ -- tpm2_unseal \ -- tpm2_load -- inst_libdir_file "libtss2-tcti-device.so*" -- fi -- -+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load -+ inst_libdir_file "libtss2-tcti-device.so*" - dracut_need_initqueue - } - --- -2.21.0 - diff --git a/clevis.spec b/clevis.spec index 0194005..0d04e5d 100644 --- a/clevis.spec +++ b/clevis.spec 
@@ -1,28 +1,14 @@ %global _hardened_build 1 -%global _default_patch_fuzz 2 Name: clevis -Version: 11 -Release: 11%{?dist} +Version: 12 +Release: 1%{?dist} Summary: Automated decryption framework License: GPLv3+ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz -Patch0: Delete-remaining-references-to-the-removed-http-pin.patch -Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch -Patch2: Add-device-TCTI-library-to-the-initramfs.patch -# Support for tpm2-tools 4.0, backported from the following pull-request: -# https://github.com/latchset/clevis/pull/114 -Patch4: clevis-encrypt-tpm2-fix-TPM-object-attributes.patch -Patch5: clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch -Patch6: pins-tpm2-add-support-for-tpm2-tools-4.X.patch -# Backport of some fixes and also adding tests in the build. -Patch7: 0001-Backport-upstream-tests-and-fixes.patch -Patch8: 0002-Disabling-LUKS2-tests-for-now.patch -Patch9: 0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch - BuildRequires: gcc BuildRequires: meson BuildRequires: asciidoc @@ -166,12 +152,18 @@ exit 0 %files dracut %{_prefix}/lib/dracut/modules.d/60%{name} +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh %files udisks2 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Mon Jan 20 2020 Sergio Correia - 12-1 +- Update to new clevis upstream release, v12. + * Thu Dec 19 2019 Sergio Correia - 11-11 - Backport upstream PR#70 - Handle case where we try to use a partially used luksmeta slot diff --git a/pins-tpm2-add-support-for-tpm2-tools-4.X.patch b/pins-tpm2-add-support-for-tpm2-tools-4.X.patch deleted file mode 100644 index 4e2491b..0000000 
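Review bot: The three new entries under `%files dracut` claim only `module-setup.sh`, so the `60%{name}-pin-sss`, `60%{name}-pin-tang` and `60%{name}-pin-tpm2` directories themselves appear to be left unowned, unlike the existing `%{_prefix}/lib/dracut/modules.d/60%{name}` entry, which claims its whole directory. Unless another package is known to own those subdirectories (dracut owns `modules.d`, but as far as I can tell not per-module directories beneath it), listing the directories instead keeps ownership consistent and makes the package clean on removal: `%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss`, `%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang`, `%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2`. The changelog entry for 12-1 could also note that the nine dropped backport patches are assumed to be contained in the v12 tarball, since that is the reason they can be removed together with `_default_patch_fuzz`.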
--- a/pins-tpm2-add-support-for-tpm2-tools-4.X.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From 7d4425dc1b96f4a0efeb4383c6a32ab664d7e3cc Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Fri, 6 Sep 2019 15:27:14 +0200 -Subject: [PATCH] pins/tpm2: add support for tpm2-tools 4.X - -tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of -option names. Only the new unified environment variable TPM2TOOLS_TCTI -is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no -longer recognised. Determine the tpm2-tools version from the output of -$(tpm2_createprimary -v) and switch accordingly. ---- - src/luks/systemd/dracut/module-setup.sh.in | 6 ++- - src/pins/tpm2/clevis-decrypt-tpm2 | 40 ++++++++++++++---- - src/pins/tpm2/clevis-encrypt-tpm2 | 48 ++++++++++++++++++---- - src/pins/tpm2/meson.build | 5 ++- - 4 files changed, 77 insertions(+), 22 deletions(-) - -diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in -index 2dcdb68549d..89cc42cd226 100755 ---- a/src/luks/systemd/dracut/module-setup.sh.in -+++ b/src/luks/systemd/dracut/module-setup.sh.in -@@ -19,7 +19,8 @@ - # - - check() { -- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load || return 1 -+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load || return 1 -+ require_any_binary tpm2_pcrread tpm2_pcrlist || return 1 - return 0 - } - -@@ -53,7 +54,8 @@ install() { - jose \ - nc - -- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load -+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load -+ inst_multiple -o tpm2_pcrread tpm2_pcrlist - inst_libdir_file "libtss2-tcti-device.so*" - dracut_need_initqueue - } -diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2 -index 4fc1c5858e3..e603e9a7275 100755 ---- a/src/pins/tpm2/clevis-decrypt-tpm2 -+++ b/src/pins/tpm2/clevis-decrypt-tpm2 -@@ -37,16 +37,22 @@ if [ -t 0 ]; then - exit 1 - fi - --TPM2TOOLS_INFO=`tpm2_pcrlist 
-v` -+TPM2TOOLS_INFO="$(tpm2_createprimary -v)" - --if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then -- echo "The tpm2 pin requires tpm2-tools version 3" >&2 -+match='version="(.)\.' -+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}" -+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then -+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2 - exit 1 - fi - -+# Old environment variables for tpm2-tools 3.0 - export TPM2TOOLS_TCTI_NAME=device - export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null` - -+# New environment variable for tpm2-tools >= 3.1 -+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}" -+ - if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then - echo "A TPM2 device with the in-kernel resource manager is needed!" >&2 - exit 1 -@@ -98,9 +104,10 @@ trap 'on_exit' EXIT - - pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true - -+pcr_spec='' - if [ -n "$pcr_ids" ]; then - pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"` -- policy_options="-L $pcr_bank:$pcr_ids" -+ pcr_spec="$pcr_bank:$pcr_ids" - fi - - if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then -@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then - exit 1 - fi - --if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \ -- -C $TMP/primary.context 2>/dev/null; then -+case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;; -+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;; -+ *) fail=1;; -+esac -+if [ -n "$fail" ]; then - echo "Creating TPM2 primary key failed!" >&2 - exit 1 - fi - --if ! 
tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \ -- -C $TMP/load.context 2>/dev/null; then -+case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \ -+ -C "$TMP"/load.context || fail=$?;; -+ 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \ -+ -c "$TMP"/load.context || fail=$?;; -+ *) fail=1;; -+esac -+if [ -n "$fail" ]; then - echo "Loading jwk to TPM2 failed!" >&2 - exit 1 - fi - --if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then -+case "$TPM2TOOLS_VERSION" in -+ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;; -+ 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;; -+ *) fail=1;; -+esac -+if [ -n "$fail" ]; then - echo "Unsealing jwk from TPM failed!" >&2 - exit 1 - fi -diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2 -index a7f333269bc..90321963d1e 100755 ---- a/src/pins/tpm2/clevis-encrypt-tpm2 -+++ b/src/pins/tpm2/clevis-encrypt-tpm2 -@@ -59,16 +59,22 @@ if [ -t 0 ]; then - exit 1 - fi - --TPM2TOOLS_INFO=`tpm2_pcrlist -v` -+TPM2TOOLS_INFO="$(tpm2_createprimary -v)" - --if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then -- echo "The tpm2 pin requires tpm2-tools version 3" >&2 -+match='version="(.)\.' -+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}" -+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then -+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2 - exit 1 - fi - -+# Old environment variables for tpm2-tools 3.0 - export TPM2TOOLS_TCTI_NAME=device - export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null` - -+# New environment variable for tpm2-tools >= 3.1 -+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}" -+ - if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then - echo "A TPM2 device with the in-kernel resource manager is needed!" 
>&2 - exit 1 -@@ -106,14 +112,25 @@ fi - - trap 'on_exit' EXIT - --if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then -+case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;; -+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;; -+ *) fail=1;; -+esac -+if [ -n "$fail" ]; then - echo "Creating TPM2 primary key failed!" >&2 - exit 1 - fi - -+policy_options=() - if [ -n "$pcr_ids" ]; then - if [ -z "$pcr_digest" ]; then -- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then -+ case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; -+ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; -+ *) fail=1;; -+ esac -+ if [ -n "$fail" ]; then - echo "Creating PCR hashes file failed!" >&2 - exit 1 - fi -@@ -124,18 +141,31 @@ if [ -n "$pcr_ids" ]; then - fi - fi - -- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then -+ case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \ -+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;; -+ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \ -+ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;; -+ *) fail=1;; -+ esac -+ if [ -n "$fail" ]; then - echo "create policy fail, please check the environment or parameters!" - exit 1 - fi - -- policy_options="-L $TMP/pcr.policy" -+ policy_options+=(-L "$TMP/pcr.policy") - else - obj_attr="$obj_attr|userwithauth" - fi - --if ! 
tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \ -- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then -+case "$TPM2TOOLS_VERSION" in -+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \ -+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;; -+ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \ -+ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;; -+ *) fail=1;; -+esac -+if [ -n "$fail" ]; then - echo "Creating TPM2 object for jwk failed!" >&2 - exit 1 - fi -diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build -index 8121ec49cb3..4041a9a16d4 100644 ---- a/src/pins/tpm2/meson.build -+++ b/src/pins/tpm2/meson.build -@@ -1,8 +1,9 @@ --cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal'] -+cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'], -+ 'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal'] - - all = true - foreach cmd : cmds -- all = all and find_program('tpm2_' + cmd, required: false).found() -+ all = all and find_program(cmd, required: false).found() - endforeach - - if all --- -2.21.0 - diff --git a/sources b/sources index 13129af..c6b863c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (clevis-11.tar.xz) = f15033a27f662986c48ca36390d3b0f127bc691b3cd7a35d437db2e2b123f8bbebd6385d799620b11f42db0d279a2030d5bf69e55e96a584800393bf47a00368 +SHA512 (clevis-12.tar.xz) = c71144590cf2528d20892d3ef49b2b1ea948286410385b15f6a3eda01539846c7154b6396b78c0ed8a28f3056b4c3f88ff043978e5483b2ac360ee0f156f78e7