Update to new upstream version, v12

Sergio Correia 2020-01-20 13:29:15 +01:00
parent e9acb551d3
commit 402b5b8896
GPG Key ID: D0D219ED1F7E762C
12 changed files with 10 additions and 1791 deletions

.gitignore vendored

@ -1 +1,2 @@
/clevis-11.tar.xz
/clevis-12.tar.xz


@ -1,970 +0,0 @@
From c6d1b1a3128d29a2d13799cf869602d1afb02d57 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 4 Dec 2019 18:11:00 -0300
Subject: [PATCH] Backport upstream tests and fixes
Commits backported:
* Add tests for LUKS binding and unbinding
- https://github.com/latchset/clevis/pull/134/commits/f5d42cb3ba02ff8fcf39cc6c2751d2cd444f5a74
* Rework the logic for reading the existing key
- https://github.com/latchset/clevis/pull/141/commits/834eda9db62992fc235ecef41461502fd4084f6e
* fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- https://github.com/latchset/clevis/commit/62bd6de0b8c36a238809546273ff08c3f3766564
* pins/tang: check that key derivation key is available
- https://github.com/latchset/clevis/pull/119/commits/c231352729223b08ade04e4e46c775bb934c9959
---
src/luks/clevis-luks-bind | 53 ++++++++---
src/luks/meson.build | 5 +-
.../tests/bind-key-file-non-interactive-luks1 | 59 ++++++++++++
src/luks/tests/bind-luks1 | 57 ++++++++++++
src/luks/tests/bind-luks2 | 48 ++++++++++
.../bind-pass-with-newline-keyfile-luks1 | 70 ++++++++++++++
src/luks/tests/bind-pass-with-newline-luks1 | 67 +++++++++++++
src/luks/tests/bind-wrong-pass-luks1 | 56 +++++++++++
src/luks/tests/bind-wrong-pass-luks2 | 47 ++++++++++
src/luks/tests/meson.build | 27 ++++++
src/luks/tests/tests-common-functions | 93 +++++++++++++++++++
src/luks/tests/unbind-luks1 | 74 +++++++++++++++
src/luks/tests/unbind-luks2 | 51 ++++++++++
src/luks/tests/unbind-unbound-slot-luks1 | 40 ++++++++
src/luks/tests/unbind-unbound-slot-luks2 | 41 ++++++++
src/pins/tang/clevis-encrypt-tang | 6 +-
16 files changed, 780 insertions(+), 14 deletions(-)
create mode 100755 src/luks/tests/bind-key-file-non-interactive-luks1
create mode 100755 src/luks/tests/bind-luks1
create mode 100755 src/luks/tests/bind-luks2
create mode 100755 src/luks/tests/bind-pass-with-newline-keyfile-luks1
create mode 100755 src/luks/tests/bind-pass-with-newline-luks1
create mode 100755 src/luks/tests/bind-wrong-pass-luks1
create mode 100755 src/luks/tests/bind-wrong-pass-luks2
create mode 100644 src/luks/tests/meson.build
create mode 100755 src/luks/tests/tests-common-functions
create mode 100755 src/luks/tests/unbind-luks1
create mode 100755 src/luks/tests/unbind-luks2
create mode 100755 src/luks/tests/unbind-unbound-slot-luks1
create mode 100755 src/luks/tests/unbind-unbound-slot-luks2
diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind
index 7aae2ea..6edfccd 100755
--- a/src/luks/clevis-luks-bind
+++ b/src/luks/clevis-luks-bind
@@ -107,26 +107,55 @@ if cryptsetup isLuks --type luks1 "$DEV" && ! luksmeta test -d "$DEV"; then
luksmeta init -d "$DEV" $FRC
fi
-# Get the old key
+# Get the existing key.
case "$KEY" in
-"") read -s -p "Enter existing LUKS password: " old; echo;;
- -) old=`/bin/cat`;;
- *) old=`/bin/cat "$KEY"`;;
+"") read -r -s -p "Enter existing LUKS password: " existing_key; echo;;
+ -) existing_key="$(/bin/cat)";;
+ *) ! IFS= read -rd '' existing_key < "$KEY";;
esac
-# Add the new key
+
+#Add the new key
if [ -n "$SLT" ]; then
- if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
- echo "Error while adding new key to LUKS header!" >&2
- exit 1
+ cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ <(echo -n "$existing_key") "$DEV"
+else
+ if cryptsetup isLuks --type luks2 "${DEV}"; then
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
+ else
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
-elif ! SLT=`echo -e "$old\n$key" \
- | cryptsetup luksAddKey -v $DEV \
- | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
+ cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+fi < <(echo -n "${key}")
+if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
exit 1
fi
+#Determine slot used by new key if a desired slot was not specified
+if [ -z "$SLT" ]; then
+ if cryptsetup isLuks --type luks2 "${DEV}"; then
+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
+ else
+ readarray -t usedSlotsAfterAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+ fi
+ for i in "${usedSlotsAfterAddKey[@]}"; do
+ if [[ ! " ${usedSlotsBeforeAddKey[@]} " =~ " ${i} " ]]; then
+ SLT=$i
+ break
+ fi
+ done
+fi
+
+if [ -z "$SLT" ]; then
+ echo "Error while adding new key to LUKS header! Key slot is undefined." >&2
+ exit 1
+fi
+
if cryptsetup isLuks --type luks1 "$DEV"; then
if ! echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" -s $SLT 2>/dev/null; then
echo "Error while saving Clevis metadata in LUKSMeta!" >&2
@@ -142,4 +171,4 @@ else
cryptsetup luksRemoveKey "$DEV" <<<"$key"
exit 1
fi
-fi
\ No newline at end of file
+fi
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 1f64ab0..2935c3f 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -18,4 +18,7 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7')
else
warning('Will not install LUKS support due to missing dependencies!')
-endif
\ No newline at end of file
+endif
+
+# Tests.
+subdir('tests')
diff --git a/src/luks/tests/bind-key-file-non-interactive-luks1 b/src/luks/tests/bind-key-file-non-interactive-luks1
new file mode 100755
index 0000000..f5b5d03
--- /dev/null
+++ b/src/luks/tests/bind-key-file-non-interactive-luks1
@@ -0,0 +1,59 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+KEYFILE="${TMP}/key"
+PASS=$(openssl rand -hex 8)
+echo -n "${PASS}" > "${KEYFILE}"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}"
+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE})." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
diff --git a/src/luks/tests/bind-luks1 b/src/luks/tests/bind-luks1
new file mode 100755
index 0000000..281a328
--- /dev/null
+++ b/src/luks/tests/bind-luks1
@@ -0,0 +1,57 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2
new file mode 100755
index 0000000..11f988c
--- /dev/null
+++ b/src/luks/tests/bind-luks2
@@ -0,0 +1,48 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS2.
+
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+fi
diff --git a/src/luks/tests/bind-pass-with-newline-keyfile-luks1 b/src/luks/tests/bind-pass-with-newline-keyfile-luks1
new file mode 100755
index 0000000..bce584e
--- /dev/null
+++ b/src/luks/tests/bind-pass-with-newline-keyfile-luks1
@@ -0,0 +1,70 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+
+# Using newlines and special chars in the passphrase.
+PASS="foo
+
+bar
+
+\\\&#@@&@*!)(
+
+$$$
+"
+
+KEYFILE="${TMP}/key"
+echo -n "${PASS}" > "${KEYFILE}"
+
+new_device_keyfile "luks1" "${DEV}" "${KEYFILE}"
+if ! clevis luks bind -f -k "${KEYFILE}" -d "${DEV}" tang "${CFG}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${KEYFILE}) password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
diff --git a/src/luks/tests/bind-pass-with-newline-luks1 b/src/luks/tests/bind-pass-with-newline-luks1
new file mode 100755
index 0000000..89de082
--- /dev/null
+++ b/src/luks/tests/bind-pass-with-newline-luks1
@@ -0,0 +1,67 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+
+# Using newlines and special chars in the passphrase.
+PASS="foo
+
+bar
+
+\\\&#@@&@*!)(
+
+$$$
+"
+new_device "luks1" "${DEV}" "${PASS}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
diff --git a/src/luks/tests/bind-wrong-pass-luks1 b/src/luks/tests/bind-wrong-pass-luks1
new file mode 100755
index 0000000..a15945e
--- /dev/null
+++ b/src/luks/tests/bind-wrong-pass-luks1
@@ -0,0 +1,56 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+if clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then
+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "inactive" ]; then
+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2
+fi
+
+if [ "${uuid}" != "empty" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2
+fi
diff --git a/src/luks/tests/bind-wrong-pass-luks2 b/src/luks/tests/bind-wrong-pass-luks2
new file mode 100755
index 0000000..cbbb095
--- /dev/null
+++ b/src/luks/tests/bind-wrong-pass-luks2
@@ -0,0 +1,47 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if clevis luks bind -d "${DEV}" tang "${CFG}" <<< "wrong-passphrase"; then
+ error "${TEST}: Binding is expected to fail when given a wrong password." >&2
+fi
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
new file mode 100644
index 0000000..85b8a99
--- /dev/null
+++ b/src/luks/tests/meson.build
@@ -0,0 +1,27 @@
+env = environment()
+env.prepend('PATH',
+ join_paths(meson.source_root(), 'src'),
+ join_paths(meson.source_root(), 'src', 'luks'),
+ join_paths(meson.source_root(), 'src', 'pins', 'tang'),
+ join_paths(meson.source_root(), 'src', 'pins', 'tpm2'),
+ meson.current_source_dir(),
+ meson.current_build_dir(),
+ join_paths(meson.build_root(), 'src'),
+ join_paths(meson.build_root(), 'src', 'luks'),
+ separator: ':'
+)
+
+test('bind-wrong-pass-luks1', find_program('bind-wrong-pass-luks1'), env: env)
+test('bind-luks1', find_program('bind-luks1'), env: env)
+test('unbind-unbound-slot-luks1', find_program('unbind-unbound-slot-luks1'), env: env)
+test('unbind-luks1', find_program('unbind-luks1'), env: env)
+test('bind-key-file-non-interactive', find_program('bind-key-file-non-interactive-luks1'), env: env)
+test('bind-pass-with-newline', find_program('bind-pass-with-newline-luks1'), env: env)
+test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyfile-luks1'), env: env)
+
+# LUKS2 tests go here.
+# Binding LUKS2 takes longer, so timeout is increased for a few tests.
+test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env)
+test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60)
+test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
+test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
diff --git a/src/luks/tests/tests-common-functions b/src/luks/tests/tests-common-functions
new file mode 100755
index 0000000..4befaa9
--- /dev/null
+++ b/src/luks/tests/tests-common-functions
@@ -0,0 +1,93 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+error() {
+ echo "${1}" >&2
+ exit 1
+}
+
+# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
+# Support is determined at build time.
+luks2_supported() {
+ return 0
+}
+
+# Creates a tang adv to be used in the test.
+create_tang_adv() {
+ local adv="${1}"
+ local SIG="${TMP}/sig.jwk"
+ jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
+
+ local EXC="${TMP}/exc.jwk"
+ jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
+
+ local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
+ jose jwk pub -s -i "${SIG}" -i "${EXC}" \
+ | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
+}
+
+
+# Creates a new LUKS1 or LUKS2 device to be used.
+new_device() {
+ local LUKS="${1}"
+ local DEV="${2}"
+ local PASS="${3}"
+
+ # Using a default password, if none has been provided.
+ if [ -z "${PASS}" ]; then
+ PASS="${DEFAULT_PASS}"
+ fi
+
+ local DEV_CACHED="${TMP}/${LUKS}.cached"
+
+ # Let's reuse an existing device, if there is one.
+ if [ -f "${DEV_CACHED}" ]; then
+ echo "Reusing cached ${LUKS} device..."
+ cp -f "${DEV_CACHED}" "${DEV}"
+ return 0
+ fi
+
+ fallocate -l16M "${DEV}"
+ local extra_options=
+ if [ "${LUKS}" = "luks2" ]; then
+ extra_options="--pbkdf pbkdf2"
+ fi
+ if ! cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" <<< "${PASS}"; then
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" --debug 2>&1 <<< "${PASS}"
+ fi
+ # Caching the just-formatted device for possible reuse.
+ cp -f "${DEV}" "${DEV_CACHED}"
+}
+
+# Creates a new LUKS1 or LUKS2 device to be used, using a keyfile.
+new_device_keyfile() {
+ local LUKS="${1}"
+ local DEV="${2}"
+ local KEYFILE="${3}"
+
+ if [[ -z "${KEYFILE}" ]] || [[ ! -f "${KEYFILE}" ]]; then
+ error "Invalid keyfile (${KEYFILE})."
+ fi
+
+ fallocate -l16M "${DEV}"
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode "${DEV}" "${KEYFILE}"
+}
+
+export DEFAULT_PASS='just-some-test-password-here'
diff --git a/src/luks/tests/unbind-luks1 b/src/luks/tests/unbind-luks1
new file mode 100755
index 0000000..56cf8c0
--- /dev/null
+++ b/src/luks/tests/unbind-luks1
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+# Bind, initially.
+if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+fi
+
+SLT=1
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+fi
+
+# Now unbind.
+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+fi
+
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "inactive" ]; then
+ error "${TEST}: state (${state}) is expected to be 'inactive'." >&2
+fi
+
+if [ "${uuid}" != "empty" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be 'empty'." >&2
+fi
diff --git a/src/luks/tests/unbind-luks2 b/src/luks/tests/unbind-luks2
new file mode 100755
index 0000000..82871be
--- /dev/null
+++ b/src/luks/tests/unbind-luks2
@@ -0,0 +1,51 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+# Binding.
+if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed." >&2
+fi
+
+SLT=1
+if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+fi
diff --git a/src/luks/tests/unbind-unbound-slot-luks1 b/src/luks/tests/unbind-unbound-slot-luks1
new file mode 100755
index 0000000..e562a36
--- /dev/null
+++ b/src/luks/tests/unbind-unbound-slot-luks1
@@ -0,0 +1,40 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+SLT=2
+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2
+fi
diff --git a/src/luks/tests/unbind-unbound-slot-luks2 b/src/luks/tests/unbind-unbound-slot-luks2
new file mode 100755
index 0000000..6a2aca5
--- /dev/null
+++ b/src/luks/tests/unbind-unbound-slot-luks2
@@ -0,0 +1,41 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+if ! luks2_supported; then
+ error "{TEST}: LUKS2 is not supported."
+fi
+
+TMP="$(mktemp -d)"
+
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+if clevis luks unbind -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2
+fi
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
index e65a7d1..5461b45 100755
--- a/src/pins/tang/clevis-encrypt-tang
+++ b/src/pins/tang/clevis-encrypt-tang
@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \
fi
### Perform encryption
-enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`
+if ! enc="$(jose jwk use -i- -r -u deriveKey -o- <<< "$jwks")"; then
+ echo "Key derivation key not available!" >&2
+ exit 1
+fi
+
jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
--
2.23.0


@ -1,30 +0,0 @@
From 8b52bdf9f3f4c0f36f5afc9158a46471a02e4604 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 5 Dec 2019 08:48:14 -0300
Subject: [PATCH] Disabling LUKS2 tests for now
As they seem to fail randomly in Koji builders, killing the build.
---
src/luks/tests/meson.build | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index 85b8a99..5059625 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -21,7 +21,8 @@ test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyf
# LUKS2 tests go here.
# Binding LUKS2 takes longer, so timeout is increased for a few tests.
-test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env)
-test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60)
-test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
-test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
+# Currently not including any LUKS2 tests as they fail randomly in Koji builders.
+#test('bind-wrong-pass-luks2', find_program('bind-wrong-pass-luks2'), env: env)
+#test('bind-luks2', find_program('bind-luks2'), env: env, timeout: 60)
+#test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
+#test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
--
2.23.0


@ -1,202 +0,0 @@
From bc4c6374e8bbe49992a545d4b51d2b4f020bae06 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 19 Dec 2019 09:27:52 -0300
Subject: [PATCH] Handle case where we try to use a partially used luksmeta
slot #142
In some situations, especially with older versions of clevis, we can end
up with a partially used luksmeta slot.
We can identify such slots because they will be marked as inactive, yet
they will contain the clevis UUID, "cb6e8904-81ff-40da-a84a-07ab9ab5715e".
When this situation happens, we have cryptsetup and luksmeta slots "out
of sync", and since we currently have cryptsetup choose the slot, we may
end up trying to use such a partially used slot, which in turn will fail
because luksmeta will not be able to save data to it.
We handle this case by wiping the partially used slot, if we identify
the situation will arise.
Tests also added to verify this case is handled properly.
Fixes: #70
---
src/luks/clevis-luks-bind | 30 ++++++
.../tests/bind-already-used-luksmeta-slot | 102 ++++++++++++++++++
src/luks/tests/meson.build | 2 +
3 files changed, 134 insertions(+)
create mode 100755 src/luks/tests/bind-already-used-luksmeta-slot
diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind
index 6edfccd..7468ed9 100755
--- a/src/luks/clevis-luks-bind
+++ b/src/luks/clevis-luks-bind
@@ -75,6 +75,18 @@ if ! CFG=${@:$((OPTIND++)):1} || [ -z "$CFG" ]; then
usage
fi
+if cryptsetup isLuks --type luks1 "$DEV"; then
+ # The first free slot, as per cryptsetup. In connection to bug #70, we may
+ # have to wipe out the LUKSMeta slot priot to adding the new key.
+ first_free_cs_slot=$(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): DISABLED$|\1|p' \
+ | head -n 1)
+ if [ -z "${first_free_cs_slot}" ]; then
+ echo "There are no more free slots in ${DEV}!" >&2
+ exit 1
+ fi
+fi
+
if [ -n "$KEY" ]; then
if [ "$KEY" == "-" ]; then
if cryptsetup isLuks --type luks1 "$DEV"; then
@@ -114,6 +126,24 @@ case "$KEY" in
*) ! IFS= read -rd '' existing_key < "$KEY";;
esac
+# Check if the key is valid.
+if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
+ --key-file <(echo -n "${existing_key}"); then
+ exit 1
+fi
+
+if cryptsetup isLuks --type luks1 "${DEV}"; then
+ # In certain circumstances, we may have LUKSMeta slots "not in sync" with
+ # cryptsetup, which means we will try to save LUKSMeta metadata over an
+ # already used or partially used slot -- github issue #70.
+ # If that is the case, let's wipe the LUKSMeta slot here prior to saving.
+ if read -r _ state uuid < <(luksmeta show -d "${DEV}" \
+ | grep "^${first_free_cs_slot} *"); then
+ if [ "${state}" = "inactive" ] && [ "${uuid}" = "${UUID}" ]; then
+ luksmeta wipe -f -d "${DEV}" -s "${first_free_cs_slot}"
+ fi
+ fi
+fi
#Add the new key
if [ -n "$SLT" ]; then
diff --git a/src/luks/tests/bind-already-used-luksmeta-slot b/src/luks/tests/bind-already-used-luksmeta-slot
new file mode 100755
index 0000000..eea3c80
--- /dev/null
+++ b/src/luks/tests/bind-already-used-luksmeta-slot
@@ -0,0 +1,102 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+
+# We can have a "partially" used if it is an inactive slot that has an UUID
+# already:
+# 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
+# We end up in this situation if the cryptsetup step adding the key failed,
+# for instance because we provided a wrong pass phrase, and luksmeta saved
+# data anyway. We used to have an issue with clevis luks bind script, in which
+# we would still run luksmeta save even if the cryptsetup step failed.
+
+bind_and_verify() {
+ local DEV="${1}"
+ local PASS="${2}"
+ local SLT="${3}"
+
+ if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2
+ fi
+
+ if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+ fi
+
+ if [ "${state}" != "active" ]; then
+ error "${TEST}: state (${state}) is expected to be 'active'." >&2
+ fi
+
+ if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
+ fi
+}
+
+SLT=1
+NEW_PASS="new-pass"
+PASS="${DEFAULT_PASS}"
+WRONG_PASS="wrong-password-here"
+
+new_device "luks1" "${DEV}"
+luksmeta init -f -d "${DEV}"
+if cryptsetup luksAddKey "${DEV}" < <(echo "${WRONG_PASS}"; echo -n "${NEW_PASS}"); then
+ error "${TEST}: cryptsetup should not succeed in adding key when given a wrong passphrase." >&2
+fi
+
+# Ok, the cryptsetup step failed, since we gave a wrong password. That means
+# that right now the luksmeta slot is inactive. Let's simulate the bad
+# condition by saving the UUID there anyway.
+echo "foo" | luksmeta save -d "${DEV}" -u "${UUID}"
+
+# Verify we have slot 1 like this:
+# # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
+if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
+ error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
+fi
+
+if [ "${state}" != "inactive" ]; then
+ error "${TEST}: state (${state}) is expected to be 'inactive', in case #1." >&2
+fi
+
+if [ "${uuid}" != "${UUID}" ]; then
+ error "${TEST}: UUID ($uuid) is expected to be '${UUID}', in case #1." >&2
+fi
+
+# Verify if can bind correctly in this situation.
+bind_and_verify "${DEV}" "${PASS}" "1"
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index 5059625..2245a46 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -18,6 +18,8 @@ test('unbind-luks1', find_program('unbind-luks1'), env: env)
test('bind-key-file-non-interactive', find_program('bind-key-file-non-interactive-luks1'), env: env)
test('bind-pass-with-newline', find_program('bind-pass-with-newline-luks1'), env: env)
test('bind-pass-with-newline-keyfile', find_program('bind-pass-with-newline-keyfile-luks1'), env: env)
+# Bug #70.
+test('bind-already-used-luksmeta-slot', find_program('bind-already-used-luksmeta-slot'), env: env, timeout: 60)
# LUKS2 tests go here.
# Binding LUKS2 takes longer, so timeout is increased for a few tests.
--
2.23.0


@ -1,34 +0,0 @@
From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 16:48:47 +0100
Subject: [PATCH 3/3] Add device TCTI library to the initramfs
The tpm2-tools don't dynamically link against the TCTI libraries anymore,
but instead dlopen() the correct library depending on the TCTI used.
So dracut isn't able anymore to figure out automatically using ldd what
libraries are needed by the tpm2-tools. Since clevis uses the device TCTI
to access the TPM directly, add the libtss2-tcti-device.so to the initrd.
Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
Fixes: ##74
---
src/luks/systemd/dracut/module-setup.sh.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 41e7d6c9b002..990bf4aeed56 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -65,6 +65,7 @@ install() {
tpm2_pcrlist \
tpm2_unseal \
tpm2_load
+ inst_libdir_file "libtss2-tcti-device.so*"
fi
dracut_need_initqueue
--
2.19.1


@ -1,132 +0,0 @@
From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 14:53:08 +0100
Subject: [PATCH 1/3] Delete remaining references to the removed http pin
Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
there are still references of it in the docs and also the dracut module.
This was causing dracut to fail building the initramfs due the following:
dracut-install: ERROR: installing 'clevis-decrypt-http'
Suggested-by: Dominick Grift <dac.override@gmail.com>
Fixes: #73
---
README.md | 21 ---------------------
src/clevis.1.adoc | 21 ---------------------
src/luks/clevis-luks-bind.1.adoc | 1 -
src/luks/systemd/dracut/module-setup.sh.in | 1 -
src/pins/sss/clevis-encrypt-sss.1.adoc | 1 -
5 files changed, 45 deletions(-)
diff --git a/README.md b/README.md
index ce8def12ec96..d57339aca5d9 100644
--- a/README.md
+++ b/README.md
@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When
the advertisment is specified manually like this, Clevis presumes that the
advertisement is trusted.
-#### PIN: HTTP
-
-Clevis also ships a pin for performing escrow using HTTP. Please note that,
-at this time, this pin does not provide HTTPS support and is suitable only
-for use over local sockets. This provides integration with services like
-[Custodia](http://github.com/latchset/custodia).
-
-For example:
-
-```bash
-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
-```
-
-The HTTP pin generate a new (cryptographically-strong random) key and performs
-encryption using it. It then performs a PUT request to the URL specified. It is
-understood that the server will securely store this key for later retrieval.
-During decryption, the pin will perform a GET request to retrieve the key and
-perform decryption.
-
-Patches to provide support for HTTPS and authentication are welcome.
-
#### PIN: TPM2
Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc
index 756aba57a4c8..dea0a696f5f7 100644
--- a/src/clevis.1.adoc
+++ b/src/clevis.1.adoc
@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to
encrypt the data so that it can be automatically decrypted if the policy is
met. Lets walk through an example.
-== HTTP ESCROW
-
-When using the HTTP pin, we create a new, cryptographically-strong, random key.
-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
-Then at decryption time, we attempt to fetch the key back again in order to
-decrypt our data. So, for our configuration we need to pass the URL to the key
-location:
-
- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
-
-To decrypt the data, simply provide the ciphertext (JWE):
-
- $ clevis decrypt < JWE > PLAINTEXT
-
-Notice that we did not pass any configuration during decryption. The decrypt
-command extracted the URL (and possibly other configuration) from the JWE
-object, fetched the encryption key from the escrow and performed decryption.
-
-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
-
== TANG BINDING
Clevis provides support for the Tang network binding server. Tang provides
@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
== SEE ALSO
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
index 9f3a880cfb0c..0d649e3ec28b 100644
--- a/src/luks/clevis-luks-bind.1.adoc
+++ b/src/luks/clevis-luks-bind.1.adoc
@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key.
== SEE ALSO
link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 119762e38326..48aea5b3f29a 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -36,7 +36,6 @@ install() {
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
inst_multiple /etc/services \
- clevis-decrypt-http \
clevis-decrypt-tang \
clevis-decrypt-sss \
@libexecdir@/clevis-luks-askpass \
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
index d46498db328c..7144e7e9ea96 100644
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
@@ -54,6 +54,5 @@ receive key fragments.
== SEE ALSO
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
--
2.19.1


@ -1,49 +0,0 @@
From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 15:12:17 +0100
Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs
The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes
automatic LUKS unlocking fail with the following errors:
dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found
dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found
Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
Fixes: #74
---
src/luks/systemd/dracut/module-setup.sh.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 48aea5b3f29a..41e7d6c9b002 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -40,6 +40,7 @@ install() {
clevis-decrypt-sss \
@libexecdir@/clevis-luks-askpass \
clevis-decrypt \
+ cryptsetup \
luksmeta \
clevis \
mktemp \
@@ -49,6 +50,7 @@ install() {
for cmd in clevis-decrypt-tpm2 \
tpm2_createprimary \
+ tpm2_pcrlist \
tpm2_unseal \
tpm2_load; do
@@ -60,6 +62,7 @@ install() {
if (($ret == 0)); then
inst_multiple clevis-decrypt-tpm2 \
tpm2_createprimary \
+ tpm2_pcrlist \
tpm2_unseal \
tpm2_load
fi
--
2.19.1


@ -1,57 +0,0 @@
From b48c1096766f8fd1a9edc1ac5c1c0eea16dc2e5b Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Fri, 6 Sep 2019 15:04:35 +0200
Subject: [PATCH] clevis-encrypt-tpm2: fix TPM object attributes
Fix two problems with the current specification of the object
attributes:
1. According to the Trusted Platform Module Library Family 2.0
Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,
sensitiveDataOrigin shall not be set for data objects:
NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for
a data object so sensitiveDataOrigin is required to be CLEAR. A data
object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes
are CLEAR.
tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'
attribute.
2. If the key is sealed against a certain PCR configuration,
'userwithauth' needs to be clear so that the key cannot be unsealed with
the default empty authorisation password. On the other hand, if the key
is not sealed against a specific PCR configuration, 'userwithauth' must
be set because there is no PCR policy to fulfil.
tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified
for tpm2_create.
---
src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
index c70187d7f4c..a7f333269bc 100755
--- a/src/pins/tpm2/clevis-encrypt-tpm2
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
@@ -24,7 +24,7 @@ auth="o"
# Algorithm type must be keyedhash for object with user provided sensitive data.
alg_create_key="keyedhash"
# Attributes for the created TPM2 object with the JWK as sensitive data.
-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
function on_exit() {
if ! rm -rf $TMP; then
@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then
fi
policy_options="-L $TMP/pcr.policy"
+else
+ obj_attr="$obj_attr|userwithauth"
fi
if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
--
2.21.0


@ -1,64 +0,0 @@
From a9177d2dd4deadc3fa65ace235f4b35c43760fa4 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Fri, 6 Sep 2019 15:20:08 +0200
Subject: [PATCH] clevis-pin-tpm2/module-setup.sh: test for required binaries
in check()
If some of the dependencies are missing, dracut will now fail with a
warning of the form
dracut: dracut module 'clevis-pin-tpm2' will not be installed, because command '...' could not be found!
This is much better than silently failing during module installation.
---
src/luks/systemd/dracut/module-setup.sh.in | 27 ++++++----------------
1 file changed, 7 insertions(+), 20 deletions(-)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 399e468e8e0..2dcdb68549d 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -18,6 +18,11 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+check() {
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load || return 1
+ return 0
+}
+
depends() {
echo crypt systemd
return 0
@@ -48,26 +53,8 @@ install() {
jose \
nc
- for cmd in clevis-decrypt-tpm2 \
- tpm2_createprimary \
- tpm2_pcrlist \
- tpm2_unseal \
- tpm2_load; do
-
- if ! find_binary "$cmd" &>/dev/null; then
- ((ret++))
- fi
- done
-
- if (($ret == 0)); then
- inst_multiple clevis-decrypt-tpm2 \
- tpm2_createprimary \
- tpm2_pcrlist \
- tpm2_unseal \
- tpm2_load
- inst_libdir_file "libtss2-tcti-device.so*"
- fi
-
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load
+ inst_libdir_file "libtss2-tcti-device.so*"
dracut_need_initqueue
}
--
2.21.0


@ -1,28 +1,14 @@
%global _hardened_build 1
%global _default_patch_fuzz 2
Name: clevis
Version: 11
Release: 11%{?dist}
Version: 12
Release: 1%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: Delete-remaining-references-to-the-removed-http-pin.patch
Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
Patch2: Add-device-TCTI-library-to-the-initramfs.patch
# Support for tpm2-tools 4.0, backported from the following pull-request:
# https://github.com/latchset/clevis/pull/114
Patch4: clevis-encrypt-tpm2-fix-TPM-object-attributes.patch
Patch5: clevis-pin-tpm2-module-setup.sh-test-for-required-bi.patch
Patch6: pins-tpm2-add-support-for-tpm2-tools-4.X.patch
# Backport of some fixes and also adding tests in the build.
Patch7: 0001-Backport-upstream-tests-and-fixes.patch
Patch8: 0002-Disabling-LUKS2-tests-for-now.patch
Patch9: 0003-Handle-case-where-we-try-to-use-a-partially-used-luk.patch
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
@ -166,12 +152,18 @@ exit 0
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
- Update to new clevis upstream release, v12.
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Backport upstream PR#70 - Handle case where we try to use a partially
used luksmeta slot
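Review bot: The Patch0–Patch9 lines removed at the top of the spec section are dropped without the changelog stating that upstream v12 carries those fixes, and at least one of them is security relevant: per its own description on this page, clevis-encrypt-tpm2-fix-TPM-object-attributes.patch clears `userwithauth` on PCR-sealed objects so the sealed JWK cannot be unsealed with the default empty authorization password. If v12 does include them, a changelog line such as `- Update to new clevis upstream release, v12; drop patches now included upstream.` keeps the drop auditable for anyone later checking that the PCR policy is still enforced. With no Patch lines left, `%global _default_patch_fuzz 2` is dead and could go as well. The `%files dracut` additions for the -pin-sss, -pin-tang and -pin-tpm2 module-setup.sh files presumably match new upstream modules; the %build and %install sections that would confirm that are outside this view.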


@ -1,236 +0,0 @@
From 7d4425dc1b96f4a0efeb4383c6a32ab664d7e3cc Mon Sep 17 00:00:00 2001
From: Jonas Witschel <diabonas@gmx.de>
Date: Fri, 6 Sep 2019 15:27:14 +0200
Subject: [PATCH] pins/tpm2: add support for tpm2-tools 4.X
tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of
option names. Only the new unified environment variable TPM2TOOLS_TCTI
is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no
longer recognised. Determine the tpm2-tools version from the output of
$(tpm2_createprimary -v) and switch accordingly.
---
src/luks/systemd/dracut/module-setup.sh.in | 6 ++-
src/pins/tpm2/clevis-decrypt-tpm2 | 40 ++++++++++++++----
src/pins/tpm2/clevis-encrypt-tpm2 | 48 ++++++++++++++++++----
src/pins/tpm2/meson.build | 5 ++-
4 files changed, 77 insertions(+), 22 deletions(-)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 2dcdb68549d..89cc42cd226 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -19,7 +19,8 @@
#
check() {
- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load || return 1
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load || return 1
+ require_any_binary tpm2_pcrread tpm2_pcrlist || return 1
return 0
}
@@ -53,7 +54,8 @@ install() {
jose \
nc
- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_unseal tpm2_load
+ inst_multiple -o tpm2_pcrread tpm2_pcrlist
inst_libdir_file "libtss2-tcti-device.so*"
dracut_need_initqueue
}
diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
index 4fc1c5858e3..e603e9a7275 100755
--- a/src/pins/tpm2/clevis-decrypt-tpm2
+++ b/src/pins/tpm2/clevis-decrypt-tpm2
@@ -37,16 +37,22 @@ if [ -t 0 ]; then
exit 1
fi
-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
- echo "The tpm2 pin requires tpm2-tools version 3" >&2
+match='version="(.)\.'
+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
exit 1
fi
+# Old environment variables for tpm2-tools 3.0
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+# New environment variable for tpm2-tools >= 3.1
+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}"
+
if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
exit 1
@@ -98,9 +104,10 @@ trap 'on_exit' EXIT
pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true
+pcr_spec=''
if [ -n "$pcr_ids" ]; then
pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"`
- policy_options="-L $pcr_bank:$pcr_ids"
+ pcr_spec="$pcr_bank:$pcr_ids"
fi
if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then
@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then
exit 1
fi
-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \
- -C $TMP/primary.context 2>/dev/null; then
+case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+ *) fail=1;;
+esac
+if [ -n "$fail" ]; then
echo "Creating TPM2 primary key failed!" >&2
exit 1
fi
-if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \
- -C $TMP/load.context 2>/dev/null; then
+case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+ -C "$TMP"/load.context || fail=$?;;
+ 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+ -c "$TMP"/load.context || fail=$?;;
+ *) fail=1;;
+esac
+if [ -n "$fail" ]; then
echo "Loading jwk to TPM2 failed!" >&2
exit 1
fi
-if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
+case "$TPM2TOOLS_VERSION" in
+ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
+ 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+ *) fail=1;;
+esac
+if [ -n "$fail" ]; then
echo "Unsealing jwk from TPM failed!" >&2
exit 1
fi
diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
index a7f333269bc..90321963d1e 100755
--- a/src/pins/tpm2/clevis-encrypt-tpm2
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
@@ -59,16 +59,22 @@ if [ -t 0 ]; then
exit 1
fi
-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
- echo "The tpm2 pin requires tpm2-tools version 3" >&2
+match='version="(.)\.'
+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
exit 1
fi
+# Old environment variables for tpm2-tools 3.0
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+# New environment variable for tpm2-tools >= 3.1
+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:${TPM2TOOLS_DEVICE_FILE[0]}"
+
if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
exit 1
@@ -106,14 +112,25 @@ fi
trap 'on_exit' EXIT
-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
+case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+ *) fail=1;;
+esac
+if [ -n "$fail" ]; then
echo "Creating TPM2 primary key failed!" >&2
exit 1
fi
+policy_options=()
if [ -n "$pcr_ids" ]; then
if [ -z "$pcr_digest" ]; then
- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
echo "Creating PCR hashes file failed!" >&2
exit 1
fi
@@ -124,18 +141,31 @@ if [ -n "$pcr_ids" ]; then
fi
fi
- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
+ case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
+ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+ *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
echo "create policy fail, please check the environment or parameters!"
exit 1
fi
- policy_options="-L $TMP/pcr.policy"
+ policy_options+=(-L "$TMP/pcr.policy")
else
obj_attr="$obj_attr|userwithauth"
fi
-if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
+case "$TPM2TOOLS_VERSION" in
+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
+ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+ *) fail=1;;
+esac
+if [ -n "$fail" ]; then
echo "Creating TPM2 object for jwk failed!" >&2
exit 1
fi
diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build
index 8121ec49cb3..4041a9a16d4 100644
--- a/src/pins/tpm2/meson.build
+++ b/src/pins/tpm2/meson.build
@@ -1,8 +1,9 @@
-cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal']
+cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'],
+ 'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal']
all = true
foreach cmd : cmds
- all = all and find_program('tpm2_' + cmd, required: false).found()
+ all = all and find_program(cmd, required: false).found()
endforeach
if all
--
2.21.0


@ -1 +1 @@
SHA512 (clevis-11.tar.xz) = f15033a27f662986c48ca36390d3b0f127bc691b3cd7a35d437db2e2b123f8bbebd6385d799620b11f42db0d279a2030d5bf69e55e96a584800393bf47a00368
SHA512 (clevis-12.tar.xz) = c71144590cf2528d20892d3ef49b2b1ea948286410385b15f6a3eda01539846c7154b6396b78c0ed8a28f3056b4c3f88ff043978e5483b2ac360ee0f156f78e7