From 41ad3f90fc372c0d63a42e02db476c3225643c01 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 9 Nov 2018 11:52:31 +0100
Subject: [PATCH] A couple of fixes for v11

- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs

Resolves: rhbz#1644876

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
 ...device-TCTI-library-to-the-initramfs.patch |  34 +++++
 ...g-references-to-the-removed-http-pin.patch | 132 ++++++++++++++++++
 ...up-and-tpm2_pcrlist-in-the-initramfs.patch |  49 +++++++
 clevis.spec                                   |  16 ++-
 4 files changed, 228 insertions(+), 3 deletions(-)
 create mode 100644 Add-device-TCTI-library-to-the-initramfs.patch
 create mode 100644 Delete-remaining-references-to-the-removed-http-pin.patch
 create mode 100644 Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch

diff --git a/Add-device-TCTI-library-to-the-initramfs.patch b/Add-device-TCTI-library-to-the-initramfs.patch
new file mode 100644
index 0000000..6757e60
--- /dev/null
+++ b/Add-device-TCTI-library-to-the-initramfs.patch
@@ -0,0 +1,34 @@
+From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 16:48:47 +0100
+Subject: [PATCH 3/3] Add device TCTI library to the initramfs
+
+The tpm2-tools don't dynamically link against the TCTI libraries anymore,
+but instead dlopen() the correct library depending on the TCTI used.
+
+So dracut isn't able anymore to figure out automatically using ldd what
+libraries are needed by the tpm2-tools. Since clevis uses the device TCTI
+to access the TPM directly, add the libtss2-tcti-device.so to the initrd.
+
+Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
+
+Fixes: ##74
+---
+ src/luks/systemd/dracut/module-setup.sh.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 41e7d6c9b002..990bf4aeed56 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -65,6 +65,7 @@ install() {
+ 	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
++	inst_libdir_file "libtss2-tcti-device.so*"
+     fi
+ 
+     dracut_need_initqueue
+-- 
+2.19.1
+
diff --git a/Delete-remaining-references-to-the-removed-http-pin.patch b/Delete-remaining-references-to-the-removed-http-pin.patch
new file mode 100644
index 0000000..36f1361
--- /dev/null
+++ b/Delete-remaining-references-to-the-removed-http-pin.patch
@@ -0,0 +1,132 @@
+From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 14:53:08 +0100
+Subject: [PATCH 1/3] Delete remaining references to the removed http pin
+
+Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
+there are still references of it in the docs and also the dracut module.
+
+This was causing dracut to fail building the initramfs due the following:
+
+dracut-install: ERROR: installing 'clevis-decrypt-http'
+
+Suggested-by: Dominick Grift <dac.override@gmail.com>
+
+Fixes: #73
+---
+ README.md                                  | 21 ---------------------
+ src/clevis.1.adoc                          | 21 ---------------------
+ src/luks/clevis-luks-bind.1.adoc           |  1 -
+ src/luks/systemd/dracut/module-setup.sh.in |  1 -
+ src/pins/sss/clevis-encrypt-sss.1.adoc     |  1 -
+ 5 files changed, 45 deletions(-)
+
+diff --git a/README.md b/README.md
+index ce8def12ec96..d57339aca5d9 100644
+--- a/README.md
++++ b/README.md
+@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When
+ the advertisment is specified manually like this, Clevis presumes that the
+ advertisement is trusted.
+ 
+-#### PIN: HTTP
+-
+-Clevis also ships a pin for performing escrow using HTTP. Please note that,
+-at this time, this pin does not provide HTTPS support and is suitable only
+-for use over local sockets. This provides integration with services like
+-[Custodia](http://github.com/latchset/custodia).
+-
+-For example:
+-
+-```bash
+-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
+-```
+-
+-The HTTP pin generate a new (cryptographically-strong random) key and performs
+-encryption using it. It then performs a PUT request to the URL specified. It is
+-understood that the server will securely store this key for later retrieval.
+-During decryption, the pin will perform a GET request to retrieve the key and
+-perform decryption.
+-
+-Patches to provide support for HTTPS and authentication are welcome.
+-
+ #### PIN: TPM2
+ 
+ Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
+diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc
+index 756aba57a4c8..dea0a696f5f7 100644
+--- a/src/clevis.1.adoc
++++ b/src/clevis.1.adoc
+@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to
+ encrypt the data so that it can be automatically decrypted if the policy is
+ met. Lets walk through an example.
+ 
+-== HTTP ESCROW
+-
+-When using the HTTP pin, we create a new, cryptographically-strong, random key.
+-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
+-Then at decryption time, we attempt to fetch the key back again in order to
+-decrypt our data. So, for our configuration we need to pass the URL to the key
+-location:
+-
+-    $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
+-
+-To decrypt the data, simply provide the ciphertext (JWE):
+-
+-    $ clevis decrypt < JWE > PLAINTEXT
+-
+-Notice that we did not pass any configuration during decryption. The decrypt
+-command extracted the URL (and possibly other configuration) from the JWE
+-object, fetched the encryption key from the escrow and performed decryption.
+-
+-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
+-
+ == TANG BINDING
+ 
+ Clevis provides support for the Tang network binding server. Tang provides
+@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
+index 9f3a880cfb0c..0d649e3ec28b 100644
+--- a/src/luks/clevis-luks-bind.1.adoc
++++ b/src/luks/clevis-luks-bind.1.adoc
+@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key.
+ == SEE ALSO
+ 
+ link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 119762e38326..48aea5b3f29a 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -36,7 +36,6 @@ install() {
+     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+ 
+     inst_multiple /etc/services \
+-        clevis-decrypt-http \
+         clevis-decrypt-tang \
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
+index d46498db328c..7144e7e9ea96 100644
+--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
+@@ -54,6 +54,5 @@ receive key fragments.
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+-- 
+2.19.1
+
diff --git a/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch b/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
new file mode 100644
index 0000000..28082b7
--- /dev/null
+++ b/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
@@ -0,0 +1,49 @@
+From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 7 Nov 2018 15:12:17 +0100
+Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs
+
+The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes
+automatic LUKS unlocking fail with the following errors:
+
+dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found
+dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found
+
+Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
+
+Fixes: #74
+---
+ src/luks/systemd/dracut/module-setup.sh.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 48aea5b3f29a..41e7d6c9b002 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -40,6 +40,7 @@ install() {
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+         clevis-decrypt \
++        cryptsetup \
+         luksmeta \
+         clevis \
+         mktemp \
+@@ -49,6 +50,7 @@ install() {
+ 
+     for cmd in clevis-decrypt-tpm2 \
+ 	tpm2_createprimary \
++	tpm2_pcrlist \
+ 	tpm2_unseal \
+ 	tpm2_load; do
+ 
+@@ -60,6 +62,7 @@ install() {
+     if (($ret == 0)); then
+ 	inst_multiple clevis-decrypt-tpm2 \
+ 	    tpm2_createprimary \
++	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
+     fi
+-- 
+2.19.1
+
diff --git a/clevis.spec b/clevis.spec
index 6766d98..046c42a 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -2,13 +2,17 @@
 
 Name:           clevis
 Version:        11
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 
+Patch0: Delete-remaining-references-to-the-removed-http-pin.patch
+Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
+Patch2: Add-device-TCTI-library-to-the-initramfs.patch
+
 BuildRequires:  gcc
 BuildRequires:  meson
 BuildRequires:  asciidoc
@@ -95,7 +99,7 @@ Automatically unlocks LUKSv1 block devices in desktop environments that
 use UDisks2 or storaged (like GNOME).
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %meson -Duser=clevis -Dgroup=clevis
@@ -155,7 +159,13 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
-* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-2
+* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
+- Delete remaining references to the removed http pin
+- Install cryptsetup and tpm2_pcrlist in the initramfs
+- Add device TCTI library to the initramfs
+  Resolves: rhbz#1644876
+
+* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
 - Update to v11
 
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2