diff --git a/.clevis.metadata b/.clevis.metadata index ba8f886..8d0a0c5 100644 --- a/.clevis.metadata +++ b/.clevis.metadata @@ -1 +1 @@ -dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz +14f8ca6f130651b468c73568e236522839c104a7 SOURCES/clevis-21.tar.xz diff --git a/.gitignore b/.gitignore index f29345d..76ba17b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/clevis-18.tar.xz +SOURCES/clevis-21.tar.xz diff --git a/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch b/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch new file mode 100644 index 0000000..a80fe03 --- /dev/null +++ b/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch @@ -0,0 +1,288 @@ +From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001 +From: Sergio Arroutbi +Date: Mon, 30 Sep 2024 11:27:57 +0200 +Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device + +Signed-off-by: Sergio Arroutbi +--- + .../clevis-pin-pkcs11/module-setup.sh.in | 2 +- + src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++-------------- + .../clevis-pkcs11-afunix-socket-unlock.c | 9 ++- + src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++- + 4 files changed, 74 insertions(+), 61 deletions(-) + +diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in +index 39d06a0..a7a6d6b 100755 +--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in ++++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in +@@ -23,7 +23,7 @@ depends() { + } + + install() { +- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh" ++ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh" + inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh" + inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh" + +diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in +index 8f4092f..b860efa 100755 +--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in ++++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in +@@ -52,6 +52,7 @@ get_pkcs11_error() { + return 0 + } + ++ + if command -v pcscd; then + echo "clevis-pkcs11: starting pcscd if not available ..." + PCSCD_PID=$(ps auxf | grep "[p]cscd") +@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then + pkcs11-tool -L + fi + +-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \ +- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then +- echo "No PKCS11 device detected (without module option) / pkcs11-tool error" +- exit 1 +-fi +- +-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then +- pkcs11_device="" +- echo "No objects in PKCS11 device detected" +-fi +- +-while [ -z "${pkcs11_device}" ]; do +- if [ "${dracut_mode}" != true ]; then +- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab") +- if [ -n "${module_paths}" ]; then +- modules=$(echo ${module_paths} | tr ";" "\n") +- for module in $modules; do +- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \ +- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g') +- if [ -n "${pkcs11_device}" ]; then +- break; +- fi +- done +- fi +- fi +- if [ -z "${pkcs11_device}" ]; then +- if [ "${retry_mode}" == true ]; then +- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]") +- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then +- echo "Won't continue PKCS11 device detection" +- exit 0 +- fi +- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \ +- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g') +- if ! pkcs11-tool -O 2>/dev/null; then +- pkcs11_device="" +- echo "No objects in PKCS11 device detected" +- fi +- else +- exit 0 +- fi +- fi +-done +-echo "Detected PKCS11 device:${pkcs11_device}" +- + devices_array=() + # Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries + while read -r line; +@@ -126,6 +82,8 @@ do + next_device=0 + errors=0 + msg="" ++ # Store passphrases to send to control socket ++ systemd_device=$(echo "${line}" | awk '{print $1}') + while [ ${next_device} -ne 1 ]; do + uuid=$(echo "${line}" | awk '{print $2}') + if ! mapped_device=$(clevis_map_device "${uuid}"); then +@@ -141,15 +99,23 @@ do + fi + # If no PKCS#11 configuration, advance to next device + if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then +- echo "Device:${mapped_device} does not contain PKCS#11 configuration" ++ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2 ++ # Send a wrong passphrase ++ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock - + next_device=1 + continue + fi ++ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then ++ echo "No PKCS11 device detected" >&2 ++ exit 0 ++ else ++ echo "Detected PKCS11 device:${pkcs11_device}" >&2 ++ fi + # Get configuration PKCS#11 URI + uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}') + slot_opt="" + if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then +- echo "Could not find slot for uri:${uri}" ++ echo "Could not find slot for uri:${uri}" >&2 + else + slot_opt="--slot-index ${slot}" + fi +@@ -159,8 +125,9 @@ do + module_opt="--module ${module}" + fi + echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}" +- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then +- echo "No objects on slot:${slot}, module_opt:${module_opt}" ++ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then ++ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2 ++ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock - + next_device=1 + continue + fi +@@ -175,22 +142,21 @@ do + # Get key from PKCS11 pin here and feed AF_UNIX socket program + echo "${pin}" > /run/systemd/clevis-pkcs11.pin + if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then +- echo "Could not unlock device:${mapped_device}" ++ echo "Could not unlock device:${mapped_device}" >&2 + msg="$(get_pkcs11_error)" + ((errors++)) + if [ ${errors} -eq ${too_many_errors} ]; then +- echo "Too many errors !!!" 1>&2 ++ echo "Too many errors !!!" >&2 + next_device=1 + fi + continue + fi + next_device=1 +- echo "Device:${mapped_device} unlocked successfully by clevis" ++ echo "Device:${mapped_device} unlocked successfully by clevis" >&2 + if [ "${dracut_mode}" == true ]; then + echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices + fi + # Store passphrases to send to control socket +- systemd_device=$(echo "${line}" | awk '{print $1}') + devices_array+=("${systemd_device},${passphrase}") + done + fi +diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c +index a6ecc63..24bad83 100644 +--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c ++++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c +@@ -146,7 +146,6 @@ static void* control_thread(void *targ) { + } + char* t = control_msg; + int is_device = 1; +- fprintf(logfile, "Received control message:[%s]\n", t); + while((t = strtok(t, ","))) { + if (is_device) { + fprintf(logfile, "Adding device:%s\n", t); +@@ -185,7 +184,7 @@ static void dump_wide_version(void) { + + static void int_handler(int s) { + if(logfile) { +- fprintf(logfile, "Closing, signal:[%d]\n", s); ++ fprintf(logfile, "Closing, received signal:[%d]\n", s); + fclose(logfile); + } + exit(EXIT_FAILURE); +@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) { + break; + case 'f': + strncpy(sock_file, optarg, MAX_PATH - 1); ++ unlink(sock_file); + break; + case 'k': + strncpy(key, optarg, MAX_KEY - 1); +@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) { + memset(&sock_addr, 0, sizeof(sock_addr)); + sock_addr.sun_family = AF_UNIX; + strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1); +- unlink(sock_file); + s = socket(AF_UNIX, SOCK_STREAM, 0); + if (s == -1) { + perror("socket"); +@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) { + perror("key entry send error"); + goto efailure; + } +- fprintf(logfile, "Sending:[%s] to device:[%s]\n", +- entry_key, unlocking_device); ++ fprintf(logfile, "Sending passphrase to device:[%s]\n", ++ unlocking_device); + } else { + fprintf(logfile, "Device not found: [%s]\n", unlocking_device); + } +diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common +index 4c0629c..571a2be 100755 +--- a/src/pins/pkcs11/clevis-pkcs11-common ++++ b/src/pins/pkcs11/clevis-pkcs11-common +@@ -27,6 +27,56 @@ serial_devices_array="" + URI_EXPECTED_FORMAT="pkcs11:" + DEFAULT_CRYPTTAB_FILE="/etc/crypttab" + ++clevis_detect_pkcs11_device() { ++ dracut_mode="${1:false}" ++ retry_mode="${2:false}" ++ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \ ++ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then ++ echo "" ++ return 1 ++ fi ++ ++ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then ++ pkcs11_device="" ++ echo "No objects in PKCS11 device detected" >&2 ++ fi ++ ++ while [ -z "${pkcs11_device}" ]; do ++ if [ "${dracut_mode}" != true ]; then ++ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab") ++ if [ -n "${module_paths}" ]; then ++ modules=$(echo ${module_paths} | tr ";" "\n") ++ for module in $modules; do ++ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \ ++ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g') ++ if [ -n "${pkcs11_device}" ]; then ++ break; ++ fi ++ done ++ fi ++ fi ++ if [ -z "${pkcs11_device}" ]; then ++ if [ "${retry_mode}" == true ]; then ++ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]") ++ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then ++ echo "" ++ # Straight Forward Mode ++ return 0 ++ fi ++ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \ ++ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g') ++ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then ++ pkcs11_device="" ++ echo "No objects in PKCS11 device detected" >&2 ++ fi ++ else ++ echo "${pkcs11_device}" ++ return 0 ++ fi ++ fi ++ done ++} ++ + clevis_parse_devices_array() { + INPUT_ARRAY=$(pkcs11-tool -L | grep Slot) + counter=0 +@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() { + while read -r line; do + uuid=$(echo "${line}" | awk '{print $2}') + if ! mapped_device=$(clevis_map_device "${uuid}"); then +- echo "Could not check mapped device for UID:${uuid}" + continue + fi + # If no PKCS#11 configuration, advance to next device + if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then +- echo "Device:${mapped_device} does not contain PKCS#11 configuration" + continue + fi + # Get configuration PKCS#11 URI +-- +2.46.2 + diff --git a/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch b/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch deleted file mode 100644 index 6c865e2..0000000 --- a/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Mon, 3 May 2021 22:36:36 -0300 -Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero() - -Different OpenSSL versions define BN_zero() differently -- sometimes -returning an integer, sometimes as void --, so let's use instead -BN_set_word() instead, not to have issues when building with these -different versions. ---- - src/pins/sss/sss.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c -index a37215d..7486d6c 100644 ---- a/src/pins/sss/sss.c -+++ b/src/pins/sss/sss.c -@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len) - if (BN_rand_range(xx, pp) <= 0) - return NULL; - -- if (BN_zero(yy) <= 0) -+ if (BN_set_word(yy, 0) <= 0) - return NULL; - - for (size_t i = 0; i < json_array_size(e); i++) { -@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[]) - if (!ctx || !pp || !acc || !tmp || !k) - return NULL; - -- if (BN_zero(k) <= 0) -+ if (BN_set_word(k, 0) <= 0) - return NULL; - - len = jose_b64_dec(p, NULL, 0); -@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[]) - - /* acc *= (0 - xi) / (xo - xi) */ - -- if (BN_zero(tmp) <= 0) -+ if (BN_set_word(tmp, 0) <= 0) - return NULL; - - if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0) --- -2.31.1 - diff --git a/SOURCES/0002-Fix-potential-race-condition.patch b/SOURCES/0002-Fix-potential-race-condition.patch new file mode 100644 index 0000000..029ea36 --- /dev/null +++ b/SOURCES/0002-Fix-potential-race-condition.patch @@ -0,0 +1,49 @@ +From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001 +From: Sergio Arroutbi +Date: Fri, 27 Sep 2024 12:12:48 +0200 +Subject: [PATCH] Fix potential race condition + +Guard the modification of "entry_counter" and the read +used to decide whether to modify "entry_counter" with the +same set of locks + +Resolves: #478 + +Signed-off-by: Sergio Arroutbi +--- + src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c +index a6ecc63..b1e2004 100644 +--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c ++++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c +@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont + } + + static void insert_device(const char* dev) { ++ pthread_mutex_lock(&mutex); + if(MAX_ENTRIES == entry_counter) { ++ pthread_mutex_unlock(&mutex); + perror("No more entries accepted\n"); + return; + } +- pthread_mutex_lock(&mutex); + strncpy(keys[entry_counter].dev, dev, MAX_DEVICE); + pthread_mutex_unlock(&mutex); + } + + static void insert_key(const char* key) { ++ pthread_mutex_lock(&mutex); + if(MAX_ENTRIES == entry_counter) { ++ pthread_mutex_unlock(&mutex); + perror("No more entries accepted\n"); + return; + } +- pthread_mutex_lock(&mutex); + strncpy(keys[entry_counter++].key, key, MAX_KEY); + pthread_mutex_unlock(&mutex); + } +-- +2.46.2 + diff --git a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch deleted file mode 100644 index 1fc7016..0000000 --- a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Fri, 29 Oct 2021 12:04:46 -0300 -Subject: [PATCH 2/2] systemd: account for unlocking failures in - clevis-luks-askpass (#343) - -As unlock may fail for some reason, e.g. the network is not up yet, -one way cause problems would be to add extra `rd.luks.uuid' params -to the cmdline, which would then cause such devices to be unlocked -in early boot. If the unlocking fail, those devices might not be -accounted for in the clevis_devices_to_unlock() check, as it is -based on crypttab. - -Let's make sure there are no pending ask.* sockets waiting to be -answered, before exiting. - -Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 ---- - src/luks/systemd/clevis-luks-askpass.in | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in -index 8f54859..a6699c9 100755 ---- a/src/luks/systemd/clevis-luks-askpass.in -+++ b/src/luks/systemd/clevis-luks-askpass.in -@@ -67,8 +67,11 @@ while true; do - done - - [ "${loop}" != true ] && break -+ - # Checking for pending devices to be unlocked. -- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then -+ remaining_crypttab=$(clevis_devices_to_unlock) ||: -+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: -+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then - break; - fi - --- -2.33.1 - diff --git a/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch b/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch new file mode 100644 index 0000000..19cd4be --- /dev/null +++ b/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch @@ -0,0 +1,106 @@ +diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh +index 01a3062..9922bbc 100755 +--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh ++++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh +@@ -16,9 +16,11 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + # ++. /usr/bin/clevis-pkcs11-common ++ + if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ]; + then +- pcscd --disable-polkit +- echo "" > /run/systemd/clevis-pkcs11.run +- /usr/libexec/clevis-luks-pkcs11-askpin -d -r ++ clevis_start_pcscd_server ++ echo "" > /run/systemd/clevis-pkcs11.run ++ /usr/libexec/clevis-luks-pkcs11-askpin -d -r + fi +diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in +index b860efa..468ca3c 100755 +--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in ++++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in +@@ -52,22 +52,7 @@ get_pkcs11_error() { + return 0 + } + +- +-if command -v pcscd; then +- echo "clevis-pkcs11: starting pcscd if not available ..." +- PCSCD_PID=$(ps auxf | grep "[p]cscd") +- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n" +- if ! ps auxf | grep "[p]cscd"; +- then +- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then +- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..." +- pcscd --disable-polkit +- else +- echo "clevis-pkcs11: starting pcscd ..." +- pcscd +- fi +- fi +-fi ++clevis_start_pcscd_server + + if [ "${dracut_mode}" != true ]; then + pkcs11-tool -L +diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common +index 571a2be..b6328f5 100755 +--- a/src/pins/pkcs11/clevis-pkcs11-common ++++ b/src/pins/pkcs11/clevis-pkcs11-common +@@ -27,6 +27,25 @@ serial_devices_array="" + URI_EXPECTED_FORMAT="pkcs11:" + DEFAULT_CRYPTTAB_FILE="/etc/crypttab" + ++ ++clevis_start_pcscd_server() { ++ if command -v pcscd; then ++ echo "clevis-pkcs11: starting pcscd if not available ..." ++ PCSCD_PID=$(ps auxf | grep "[p]cscd") ++ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n" ++ if ! ps auxf | grep "[p]cscd"; ++ then ++ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then ++ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..." ++ pcscd --disable-polkit ++ else ++ echo "clevis-pkcs11: starting pcscd ..." ++ pcscd ++ fi ++ fi ++ fi ++} ++ + clevis_detect_pkcs11_device() { + dracut_mode="${1:false}" + retry_mode="${2:false}" +diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11 +index 94e1548..c876ca4 100755 +--- a/src/pins/pkcs11/tests/pin-pkcs11 ++++ b/src/pins/pkcs11/tests/pin-pkcs11 +@@ -20,6 +20,7 @@ + . pkcs11-common-tests + . tests-common-functions + . clevis-luks-common-functions ++. clevis-pkcs11-common + + on_exit() { + exit_status=$? +@@ -150,5 +151,16 @@ then + (${WRONGCFG})" + fi + ++if command -v ps && command -v killall; then ++ if ! clevis_start_pcscd_server; ++ then ++ error "${TEST}: Could not start pcscd server" ++ fi ++ if ! killall -9 pcscd; ++ then ++ error "${TEST}: Could not kill pcscd server" ++ fi ++fi ++ + softhsm_lib_cleanup + test "$?" == 0 diff --git a/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch deleted file mode 100644 index be4608c..0000000 --- a/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Renaud=20M=C3=A9trich?= -Date: Thu, 21 Oct 2021 13:58:52 +0200 -Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup - -This fixes an Out of memory error when the system has not much memory, -such as a VM configured with 2GB currently being installed through the -network (hence having ~1GB free memory only). -See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). ---- - src/luks/clevis-luks-common-functions.in | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in -index d53d2ab..360eb7e 100644 ---- a/src/luks/clevis-luks-common-functions.in -+++ b/src/luks/clevis-luks-common-functions.in -@@ -760,10 +760,12 @@ clevis_luks_add_key() { - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ - --key-slot "${SLT}" \ - "${DEV}" \ -+ ${pbkdf_args} \ - ${extra_args} - } - -@@ -792,11 +794,14 @@ clevis_luks_update_key() { - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - if [ -n "${in_place}" ]; then - printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ - --key-slot "${SLT}" \ -- --batch-mode ${extra_args} -+ --batch-mode \ -+ ${pbkdf_args} \ -+ ${extra_args} - return - fi - --- -2.33.1 - diff --git a/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch b/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch new file mode 100644 index 0000000..5b0df2b --- /dev/null +++ b/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch @@ -0,0 +1,65 @@ +--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200 ++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100 +@@ -58,7 +58,7 @@ + echo + echo " key: Algorithm type for the generated key (default: ecc)" + echo +- echo " pcr_bank: PCR algorithm bank to use for policy (default: sha1)" ++ echo " pcr_bank: PCR algorithm bank to use for policy (default: first supported by TPM)" + echo + echo " pcr_ids: PCR list used for policy. If not present, no policy is used" + echo +@@ -130,7 +130,15 @@ + + key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc" + +-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1" ++pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || { ++ if ! pcr_bank=$(tpm2_getcap pcrs | ++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \ ++ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} ++ END {exit !found}'); then ++ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 ++ exit 1 ++ fi ++} + + # Trim the spaces from the config, so that we will not have issues parsing + # the PCR IDs. +--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200 ++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100 +@@ -91,13 +91,17 @@ + - *symcipher* + + * *pcr_bank* (string) : +- PCR algorithm bank to use for policy (default: sha1) ++ PCR algorithm bank to use for policy (default: first supported by TPM) + +- It must be one of the following: ++ Examples of PCR algorithm banks, support depends on TPM chip: + + - *sha1* + - *sha256* + ++ For the full list of algorithms supported by the TPM chip check output of ++ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR ++ numbers. ++ + * *pcr_ids* (string) : + Comma separated list of PCR used for policy. If not present, no policy is used + +--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200 ++++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100 +@@ -142,8 +142,10 @@ + # arrays and check if we get the expected pcr_ids. + + # Let's first make sure this would be a valid configuration. +-_default_pcr_bank="sha1" +-if validate_pcrs "${_default_pcr_bank}" "4,16"; then ++_default_pcr_bank=$(tpm2_getcap pcrs | ++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \ ++ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}') ++if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then + test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1 + test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1 + test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1 diff --git a/SOURCES/0005-Include-tpm2_getcap-as-dracut-required-binary.patch b/SOURCES/0005-Include-tpm2_getcap-as-dracut-required-binary.patch new file mode 100644 index 0000000..69d248b --- /dev/null +++ b/SOURCES/0005-Include-tpm2_getcap-as-dracut-required-binary.patch @@ -0,0 +1,36 @@ +From fc371d25a72806109e9a5c0205d67ba2232a6f17 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 20 Nov 2024 18:45:56 +0100 +Subject: [PATCH] Include tpm2_getcap as dracut required binary + +--- + src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in +index 5ff0640..723df7a 100755 +--- a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in ++++ b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in +@@ -19,7 +19,8 @@ + # + + check() { +- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal || return 1 ++ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \ ++ tpm2_load tpm2_unseal tpm2_pcrread tpm2_getcap || return 1 + require_any_binary tpm2_pcrread tpm2_pcrlist || return 1 + return 0 + } +@@ -30,7 +31,8 @@ depends() { + } + + install() { +- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal ++ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \ ++ tpm2_load tpm2_unseal tpm2_getcap + inst_multiple -o tpm2_pcrread tpm2_pcrlist + inst_libdir_file "libtss2-tcti-device.so*" + } +-- +2.47.0 + diff --git a/SOURCES/0005-tang-dump-url-on-error-communication.patch b/SOURCES/0005-tang-dump-url-on-error-communication.patch deleted file mode 100644 index c8224bb..0000000 --- a/SOURCES/0005-tang-dump-url-on-error-communication.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200 -+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100 -@@ -99,10 +99,10 @@ - - xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" - --url="$url/rec/$kid" -+rec_url="$url/rec/$kid" - ct="Content-Type: application/jwk+json" --if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then -- echo "Error communicating with the server!" >&2 -+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then -+ echo "Error communicating with the server $url" >&2 - exit 1 - fi - diff --git a/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch deleted file mode 100644 index 811006f..0000000 --- a/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch +++ /dev/null @@ -1,213 +0,0 @@ -From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001 -From: Antonio Murdaca -Date: Wed, 1 Dec 2021 14:17:53 +0100 -Subject: [PATCH 6/6] feat: rename the test pin to null pin - -Signed-off-by: Antonio Murdaca ---- - src/initramfs-tools/hooks/clevis.in | 1 + - .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ - .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ - src/luks/systemd/dracut/meson.build | 1 + - ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- - ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- - src/pins/sss/meson.build | 5 +++- - src/pins/sss/{pin-test => pin-null} | 4 +-- - src/pins/sss/pin-sss | 12 ++++---- - 9 files changed, 60 insertions(+), 13 deletions(-) - create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build - create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in - rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) - rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) - rename src/pins/sss/{pin-test => pin-null} (53%) - -diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in -index 7e6d2b3..8d60d05 100755 ---- a/src/initramfs-tools/hooks/clevis.in -+++ b/src/initramfs-tools/hooks/clevis.in -@@ -58,6 +58,7 @@ fi - - copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" - copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" -+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" - copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" - copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" - copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" -diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build -new file mode 100644 -index 0000000..107e3ba ---- /dev/null -+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build -@@ -0,0 +1,14 @@ -+dracut = dependency('dracut', required: false) -+ -+if dracut.found() -+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' -+ -+ configure_file( -+ input: 'module-setup.sh.in', -+ output: 'module-setup.sh', -+ install_dir: dracutdir, -+ configuration: data, -+ ) -+else -+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') -+endif -diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in -new file mode 100755 -index 0000000..6a16078 ---- /dev/null -+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in -@@ -0,0 +1,28 @@ -+#!/bin/bash -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2016 Red Hat, Inc. -+# Author: Nathaniel McCallum -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+depends() { -+ echo clevis -+ return 0 -+} -+ -+install() { -+ inst clevis-decrypt-null -+} -diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build -index fdb264b..7ad5b14 100644 ---- a/src/luks/systemd/dracut/meson.build -+++ b/src/luks/systemd/dracut/meson.build -@@ -2,3 +2,4 @@ subdir('clevis') - subdir('clevis-pin-tang') - subdir('clevis-pin-tpm2') - subdir('clevis-pin-sss') -+subdir('clevis-pin-null') -diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null -similarity index 88% -rename from src/pins/sss/clevis-decrypt-test -rename to src/pins/sss/clevis-decrypt-null -index f0e9249..a6217ed 100755 ---- a/src/pins/sss/clevis-decrypt-test -+++ b/src/pins/sss/clevis-decrypt-null -@@ -22,11 +22,11 @@ - - read -r -d . hdr - --if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then -+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then - echo "JWE pin mismatch!" >&2 - exit 1 - fi - --jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 -+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 - - exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) -diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null -similarity index 90% -rename from src/pins/sss/clevis-encrypt-test -rename to src/pins/sss/clevis-encrypt-null -index bd2d6ec..af182a5 100755 ---- a/src/pins/sss/clevis-encrypt-test -+++ b/src/pins/sss/clevis-encrypt-null -@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then - fi - - jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" --jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' -+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' - - if ! jose fmt -j "$cfg" -g fail -T; then -- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" -+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" - fi - - exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) -diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build -index 7f20eea..2a5295a 100644 ---- a/src/pins/sss/meson.build -+++ b/src/pins/sss/meson.build -@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() - separator: ':' - ) - -+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') -+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') -+ - test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) -- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) -+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) - else - warning('Will not install sss pin due to missing dependencies!') - endif -diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null -similarity index 53% -rename from src/pins/sss/pin-test -rename to src/pins/sss/pin-null -index 50c8c67..b14ac63 100755 ---- a/src/pins/sss/pin-test -+++ b/src/pins/sss/pin-null -@@ -2,9 +2,9 @@ - - trap 'exit' ERR - --e="$(echo -n hi | clevis encrypt test '{}')" -+e="$(echo -n hi | clevis encrypt null '{}')" - d="$(echo -n "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo -n hi | clevis encrypt test '{"fail":true}')" -+e="$(echo -n hi | clevis encrypt null '{"fail":true}')" - ! echo "$e" | clevis decrypt -diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss -index 5c0b8cf..24da052 100755 ---- a/src/pins/sss/pin-sss -+++ b/src/pins/sss/pin-sss -@@ -1,24 +1,24 @@ - #!/bin/bash -ex - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - - ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" --- -2.33.1 - diff --git a/SOURCES/0007-avoid-clevis-invalid-msg.patch b/SOURCES/0007-avoid-clevis-invalid-msg.patch deleted file mode 100644 index 3740d2b..0000000 --- a/SOURCES/0007-avoid-clevis-invalid-msg.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200 -@@ -27,6 +27,8 @@ - } - - cmd=clevis -+input_commands="$cmd $@" -+ - while [ $# -gt 0 ]; do - [[ "$1" =~ ^- ]] && break - cmd="$cmd-$1" -@@ -36,8 +38,11 @@ - done - - exec >&2 --echo --echo "Command '$cmd' is invalid" -+if [ "$cmd" != "clevis" ]; -+then -+ echo -+ echo "Command '$input_commands' is invalid" -+fi - echo - echo "Usage: clevis COMMAND [OPTIONS]" - echo diff --git a/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch b/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch deleted file mode 100644 index 325be7a..0000000 --- a/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch +++ /dev/null @@ -1,54 +0,0 @@ -From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001 -From: Sergio Arroutbi -Date: Tue, 2 Aug 2022 09:25:54 -0300 -Subject: [PATCH] Improve boot performance by removing key check - ---- - src/luks/clevis-luks-common-functions.in | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in -index f018340..d059aae 100644 ---- a/src/luks/clevis-luks-common-functions.in -+++ b/src/luks/clevis-luks-common-functions.in -@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() { - clevis_luks_unlock_device_by_slot() { - local DEV="${1}" - local SLT="${2}" -+ local SKIP_CHECK="${3}" - - [ -z "${DEV}" ] && return 1 - [ -z "${SLT}" ] && return 1 -@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() { - || [ -z "${passphrase}" ]; then - return 1 - fi -- -- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 -+ if [ -z "${SKIP_CHECK}" ]; then -+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 -+ fi - printf '%s' "${passphrase}" - } - -@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() { - # parameter and returns the decoded passphrase. - clevis_luks_unlock_device() { - local DEV="${1}" -+ local SKIP_CHECK="YES" -+ - [ -z "${DEV}" ] && return 1 - - local used_slots -@@ -346,7 +350,7 @@ clevis_luks_unlock_device() { - - local slt pt - for slt in ${used_slots}; do -- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \ -+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \ - || [ -z "${pt}" ]; then - continue - fi --- -2.35.1 - diff --git a/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch deleted file mode 100644 index 0be4271..0000000 --- a/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Renaud=20M=C3=A9trich?= - <1163635+rmetrich@users.noreply.github.com> -Date: Wed, 1 Dec 2021 09:37:35 -0300 -Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set - (#340) - -On Fedora/RHEL, the rd.debug kernel command line parameter controls -debugging. -By implementing the functionality inside clevis, troubleshooting will be -greatly eased. -See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). ---- - src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in -index d059aae..87b370f 100644 ---- a/src/luks/clevis-luks-common-functions.in -+++ b/src/luks/clevis-luks-common-functions.in -@@ -20,6 +20,21 @@ - - CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" - -+enable_debugging() { -+ # Automatically enable debugging if in initramfs phase and rd.debug -+ if [ -e /usr/lib/dracut-lib.sh ]; then -+ local bashopts=$- -+ # Because dracut is loosely written, disable hardening options temporarily -+ [[ $bashopts != *u* ]] || set +u -+ [[ $bashopts != *e* ]] || set +e -+ . /usr/lib/dracut-lib.sh -+ [[ $bashopts != *u* ]] || set -u -+ [[ $bashopts != *e* ]] || set -e -+ fi -+} -+ -+enable_debugging -+ - # valid_slot() will check whether a given slot is possibly valid, i.e., if it - # is a numeric value within the specified range. - valid_slot() { --- -2.35.1 - diff --git a/SOURCES/0010-existing-luks2-token-id.patch b/SOURCES/0010-existing-luks2-token-id.patch deleted file mode 100644 index d257177..0000000 --- a/SOURCES/0010-existing-luks2-token-id.patch +++ /dev/null @@ -1,385 +0,0 @@ ---- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100 -@@ -25,7 +25,7 @@ - usage() { - exec >&2 - echo -- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG" -+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG" - echo - echo "$SUMMARY": - echo -@@ -42,6 +42,8 @@ - echo " -k KEY Non-interactively read LUKS password from KEY file" - echo " -k - Non-interactively read LUKS password from standard input" - echo -+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2" -+ echo - exit 2 - } - -@@ -52,13 +54,14 @@ - - FRC= - YES= --while getopts ":hfyd:s:k:t:" o; do -+while getopts ":hfyd:s:k:t:e:" o; do - case "$o" in - f) FRC='-f';; - d) DEV="$OPTARG";; - s) SLT="$OPTARG";; - k) KEY="$OPTARG";; - t) TOKEN_ID="$OPTARG";; -+ e) EXISTING_TOKEN_ID="$OPTARG";; - y) FRC='-f' - YES='-y';; - *) usage;; -@@ -99,11 +102,20 @@ - exit 1 - fi - -+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then -+ echo "Existing token ID not supported in this cryptsetup version" >&2 -+ exit 1 -+fi -+ - # Get the existing passphrase/keyfile. - existing_key= - keyfile= - case "${KEY}" in --"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;; -+ "") -+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then -+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2 -+ fi -+ ;; - -) IFS= read -r -s -p "" existing_key ||: - if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \ - && [ -z "${FRC}" ]; then -@@ -119,6 +131,13 @@ - ;; - esac - -+# Check if existing token id for keyring read is provided -+# If so, keyfile is not allowed -+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then -+ echo "Cannot specify kernel keyring description together with key file" >&2 -+ exit 1 -+fi -+ - # If necessary, initialize the LUKS volume. - if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then - luksmeta init -d "${DEV}" ${FRC} -@@ -127,7 +146,7 @@ - if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \ - "${PIN}" "${CFG}" \ - "${YES}" "" \ -- "${existing_key}" "${keyfile}"; then -+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then - echo "Error adding new binding to ${DEV}" >&2 - exit 1 - fi ---- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100 -@@ -9,7 +9,7 @@ - - == SYNOPSIS - --*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG -+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG - - == OVERVIEW - -@@ -54,6 +54,12 @@ - * *-k* - : - Non-interactively read LUKS password from standard input - -+* *-e* _E_TKN_ID_ : -+ LUKS token ID for existing passphrase; only available for LUKS2. -+ This parameter allows providing a configured token ID in LUKS2 -+ containing the existing passphrase for this device, so that -+ existing passphrase is not prompted by clevis -+ - == CAVEATS - - This command does not change the LUKS master key. This implies that if you ---- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100 -+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100 -@@ -307,9 +307,10 @@ - local KEY="${2:-}" - local KEYFILE="${3:-}" - local SLT="${4:-}" -+ local EXISTING_TOKEN_ID="${5:-}" - - [ -z "${DEV}" ] && return 1 -- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1 -+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1 - - local extra_args - extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")" -@@ -318,6 +319,11 @@ - ${extra_args} - return - fi -+ if [ -n "${EXISTING_TOKEN_ID}" ]; then -+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \ -+ ${extra_args} -+ return -+ fi - - printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \ - ${extra_args} -@@ -753,10 +759,11 @@ - local NEWKEY="${3}" - local KEY="${4}" - local KEYFILE="${5:-}" -+ local EXISTING_TOKEN_ID="${6:-}" - - [ -z "${DEV}" ] && return 1 - [ -z "${NEWKEY}" ] && return 1 -- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1 -+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1 - - local extra_args='' input - input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")" -@@ -764,6 +771,10 @@ - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ if [ -n "${EXISTING_TOKEN_ID}" ]; then -+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")" -+ input="$(printf '%s' "${NEWKEY}")" -+ fi - local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ -@@ -780,6 +791,7 @@ - local NEWKEY="${3}" - local KEY="${4}" - local KEYFILE="${5:-}" -+ local EXISTING_TOKEN_ID="${6:-}" - - [ -z "${DEV}" ] && return 1 - [ -z "${NEWKEY}" ] && return 1 -@@ -789,7 +801,7 @@ - local in_place - clevis_luks_check_valid_key_or_keyfile "${DEV}" \ - "${KEY}" "${KEYFILE}" \ -- "${SLT}" 2>/dev/null \ -+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \ - && in_place=true - - local input extra_args= -@@ -798,6 +810,10 @@ - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ if [ -n "${EXISTING_TOKEN_ID}" ]; then -+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")" -+ input="$(printf '%s' "${NEWKEY}")" -+ fi - local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - if [ -n "${in_place}" ]; then -@@ -844,13 +860,13 @@ - [ -n "${OVERWRITE}" ] || return 1 - - clevis_luks_update_key "${DEV}" "${SLT}" \ -- "${NEWKEY}" "${KEY}" "${KEYFILE}" -+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}" - return - fi - - # Add a new key. - clevis_luks_add_key "${DEV}" "${SLT}" \ -- "${NEWKEY}" "${KEY}" "${KEYFILE}" -+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}" - } - - # clevis_luks_generate_key() generates a new key for use with clevis. -@@ -942,6 +958,7 @@ - local OVERWRITE="${7:-}" - local KEY="${8:-}" - local KEYFILE="${9:-}" -+ local EXISTING_TOKEN_ID="${10:-}" - - [ -z "${DEV}" ] && return 1 - [ -z "${PIN}" ] && return 1 -@@ -951,6 +968,8 @@ - if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \ - "${KEY}" \ - "${KEYFILE}" \ -+ "" \ -+ "${EXISTING_TOKEN_ID}" \ - && ! KEY="$(clevis_luks_get_existing_key "${DEV}" \ - "Enter existing LUKS password: " \ - "recover")"; then -@@ -995,7 +1014,7 @@ - - if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \ - "${newkey}" "${KEY}" "${KEYFILE}" \ -- "${OVERWRITE}"; then -+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then - echo "Unable to save/update key slot; operation cancelled" >&2 - clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || : - rm -rf "${CLEVIS_TMP_DIR}" -@@ -1016,12 +1035,19 @@ - } - - # clevis_luks_luks2_supported() indicates whether we support LUKS2 devices. --# Suppor is determined at build time. -+# Support is determined at build time. - function clevis_luks_luks2_supported() { - # We require cryptsetup >= 2.0.4 to fully support LUKSv2. - return @OLD_CRYPTSETUP@ - } - -+# clevis_luks_luks2_existing_token_id_supported() indicates whether -+# cryptsetup allows token id for passphrase providing -+function clevis_luks_luks2_existing_token_id_supported() { -+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID -+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@ -+} -+ - # clevis_luks_type() returns the LUKS type of a device, e.g. "luks1". - clevis_luks_type() { - local DEV="${1}" ---- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100 -@@ -14,6 +14,15 @@ - endif - endif - -+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false) -+if libcryptsetup_ext_token_id.found() -+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0') -+ message('cryptsetup version supports existing token id') -+else -+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1') -+ warning('cryptsetup version does not support existing token id') -+endif -+ - clevis_luks_common_functions = configure_file( - input: 'clevis-luks-common-functions.in', - output: 'clevis-luks-common-functions', ---- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100 -+++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100 -@@ -0,0 +1,74 @@ -+#!/bin/bash -ex -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2022 Red Hat, Inc. -+# Author: Sergio Arroutbi -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST=$(basename "${0}") -+. tests-common-functions -+ -+on_exit() { -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+} -+ -+create_existing_token_id_from_keyring() { -+ local DEV="${1}" -+ local KEYDESC="${2}" -+ local TOKEN_ID="${3}" -+ local PASS="${4}" -+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then -+ return 1 -+ fi -+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s) -+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null -+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}" -+} -+ -+if ! luks2_supported; then -+ skip_test "${TEST}: LUKS2 is not supported." -+fi -+ -+if ! luks2_existing_token_id_supported; then -+ skip_test "${TEST}: Existing token ID not supported" -+fi -+ -+trap 'on_exit' EXIT -+trap 'exit' ERR -+ -+TMP="$(mktemp -d)" -+ -+ADV="${TMP}/adv.jws" -+tang_create_adv "${TMP}" "${ADV}" -+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" -+ -+EXISTING_TOKEN_ID=5 -+KEYDESC="testkey" -+PASS="123exttokenid_" -+DEV="${TMP}/luks2-device-ext-token" -+new_device "luks2" "${DEV}" "${PASS}" -+ -+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}" -+ -+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then -+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2 -+fi -+ -+KEYFILE="${TMP}/keyfile.txt" -+touch "${KEYFILE}" -+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then -+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2 -+fi ---- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200 -+++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100 -@@ -5,6 +5,15 @@ - # given token slot. - cryptsetup = find_program('cryptsetup', required: true) - -+# Use keyctl to check an existing token id can be created from -+# kernel keyring password -+keyutils = find_program('keyctl', required: false) -+if keyutils.found() -+ message('keyutils installed') -+else -+ warning('keyutils not installed, unable to test existing token id binding') -+endif -+ - common_functions = configure_file(input: 'tests-common-functions.in', - output: 'tests-common-functions', - configuration: luksmeta_data, -@@ -69,6 +78,10 @@ - test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env) - test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60) - -+ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0' -+ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60) -+ endif -+ - if jq.found() - test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60) - test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60) ---- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200 -+++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100 -@@ -36,6 +36,12 @@ - return @OLD_CRYPTSETUP@ - } - -+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID -+# Support is determined at build time. -+luks2_existing_token_id_supported() { -+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@ -+} -+ - # Creates a new LUKS1 or LUKS2 device to be used. - new_device() { - local LUKS="${1}" diff --git a/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch b/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch deleted file mode 100644 index a92cb31..0000000 --- a/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100 -+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100 -@@ -418,7 +418,12 @@ - clevis_devices= - - # Build list of devices to unlock. -- while read -r _ crypt_device _; do -+ while read -r _volname_ crypt_device _; do -+ # skip empty lines and lines which begin with the '#' char, per -+ # crypttab(5) -+ case $_volname_ in -+ ''|\#*) continue ;; -+ esac - if ! dev=$(clevis_map_device "${crypt_device}") \ - || [ -z "${dev}" ]; then - # Unable to get the device - maybe it's not available, e.g. a diff --git a/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch b/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch deleted file mode 100644 index 68dc097..0000000 --- a/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch +++ /dev/null @@ -1,42 +0,0 @@ ---- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100 -@@ -101,7 +101,7 @@ - - This command performs four steps: - --1. Creates a new key with the same entropy as the LUKS master key. -+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. - 2. Encrypts the new key with Clevis. - 3. Stores the Clevis JWE in the LUKS header. - 4. Enables the new key for use with LUKS. ---- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100 -+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100 -@@ -20,7 +20,7 @@ - - This command performs four steps: - --1. Creates a new key with the same entropy as the LUKS master key. -+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. - 2. Encrypts the new key with Clevis. - 3. Stores the Clevis JWE in the LUKS header. - 4. Enables the new key for use with LUKS. ---- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100 -+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100 -@@ -875,6 +875,7 @@ - [ -z "${DEV}" ] && return 1 - - local dump filter bits -+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake. - dump=$(cryptsetup luksDump "${DEV}") - if cryptsetup isLuks --type luks1 "${DEV}"; then - filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')" -@@ -886,6 +887,9 @@ - fi - - bits="$(echo -n "${filter}" | sort -n | tail -n 1)" -+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then -+ bits="${MAX_ENTROPY_BITS}" -+ fi - pwmake "${bits}" - } - diff --git a/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch b/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch deleted file mode 100644 index ae1f82c..0000000 --- a/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200 -+++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100 -@@ -173,7 +173,7 @@ - - echo "Updating binding..." - if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \ -- "-y" "overwrite" 2>/dev/null; then -+ "-y" "overwrite"; then - echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2 - exit 1 - fi diff --git a/SOURCES/0014-remove-pwmake-for-password-generation.patch b/SOURCES/0014-remove-pwmake-for-password-generation.patch deleted file mode 100644 index bb66aaa..0000000 --- a/SOURCES/0014-remove-pwmake-for-password-generation.patch +++ /dev/null @@ -1,98 +0,0 @@ ---- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200 -+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200 -@@ -1,7 +1,6 @@ - - luksmeta_data = configuration_data() - luksmeta = dependency('luksmeta', version: '>=8', required: false) --pwmake = find_program('pwmake', required: false) - - libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false) - if libcryptsetup.found() -@@ -33,7 +32,7 @@ - output: 'clevis-luks-unbind', - configuration: luksmeta_data) - --if libcryptsetup.found() and luksmeta.found() and pwmake.found() -+if libcryptsetup.found() and luksmeta.found() - subdir('systemd') - subdir('udisks2') - ---- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200 -+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200 -@@ -20,6 +20,11 @@ - - CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" - -+# Length, in bytes, used for password generated for LUKS key -+# This value corresponds to an entropy of 256 bits if the password -+# was generated by pwmake or similar tool -+JOSE_PASSWORD_LENGTH=40 -+ - enable_debugging() { - # Automatically enable debugging if in initramfs phase and rd.debug - if [ -e /usr/lib/dracut-lib.sh ]; then -@@ -782,7 +787,7 @@ - fi - local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - -- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ -+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \ - --key-slot "${SLT}" \ - "${DEV}" \ - ${pbkdf_args} \ -@@ -812,11 +817,11 @@ - local input extra_args= - input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")" - if [ -n "${KEYFILE}" ]; then -- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" -+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi - if [ -n "${EXISTING_TOKEN_ID}" ]; then -- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")" -+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")" - input="$(printf '%s' "${NEWKEY}")" - fi - local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" -@@ -876,26 +881,10 @@ - - # clevis_luks_generate_key() generates a new key for use with clevis. - clevis_luks_generate_key() { -- local DEV="${1}" -- [ -z "${DEV}" ] && return 1 -- -- local dump filter bits -- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake. -- dump=$(cryptsetup luksDump "${DEV}") -- if cryptsetup isLuks --type luks1 "${DEV}"; then -- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')" -- elif cryptsetup isLuks --type luks2 "${DEV}"; then -- filter="$(echo -n "${dump}" | \ -- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')" -- else -- return 1 -- fi -- -- bits="$(echo -n "${filter}" | sort -n | tail -n 1)" -- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then -- bits="${MAX_ENTROPY_BITS}" -- fi -- pwmake "${bits}" -+ local input -+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}") -+ jose jwk gen --input="${input}" --output=- \ -+ | jose fmt --json=- --object --get k --unquote=- - } - - # clevis_luks_token_id_by_slot() returns the token ID linked to a -@@ -986,8 +975,8 @@ - fi - - local newkey jwe -- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \ -- || [ -z "${newkey}" ]; then -+ -+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then - echo "Unable to generate a new key" >&2 - return 1 - fi diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec index b33b6ab..14654d6 100644 --- a/SPECS/clevis.spec +++ b/SPECS/clevis.spec @@ -1,6 +1,6 @@ Name: clevis -Version: 18 -Release: 112%{?dist} +Version: 21 +Release: 208%{?dist} Summary: Automated decryption framework License: GPLv3+ @@ -8,19 +8,11 @@ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Source1: clevis.sysusers -Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch -Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch -Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch -Patch0005: 0005-tang-dump-url-on-error-communication.patch -Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch -Patch0007: 0007-avoid-clevis-invalid-msg.patch -Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch -Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch -Patch0010: 0010-existing-luks2-token-id.patch -Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch -Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch -Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch -Patch0014: 0014-remove-pwmake-for-password-generation.patch +Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch +Patch1: 0002-Fix-potential-race-condition.patch +Patch2: 0003-Fix-to-start-pcscd-appropriately.patch +Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch +Patch4: 0005-Include-tpm2_getcap-as-dracut-required-binary.patch BuildRequires: git-core BuildRequires: gcc @@ -28,6 +20,8 @@ BuildRequires: meson BuildRequires: asciidoc BuildRequires: ninja-build BuildRequires: bash-completion +BuildRequires: pcsc-lite +BuildRequires: opensc BuildRequires: libjose-devel >= 8 BuildRequires: libluksmeta-devel >= 8 @@ -115,6 +109,20 @@ Requires: %{name}-luks%{?_isa} = %{version}-%{release} Automatically unlocks LUKS block devices in desktop environments that use UDisks2 or storaged (like GNOME). +%package pin-pkcs11 +Summary: PKCS#11 for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +Requires: %{name}-dracut%{?_isa} = %{version}-%{release} +Requires: pcsc-lite +Requires: opensc +Requires: socat +Requires: openssl + + +%description pin-pkcs11 +Automatically unlocks LUKS block devices through a PKCS#11 device. + %prep %autosetup -S git @@ -184,6 +192,7 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : %files systemd %{_libexecdir}/%{name}-luks-askpass +%{_libexecdir}/%{name}-luks-unlocker %{_unitdir}/%{name}-luks-askpass.path %{_unitdir}/%{name}-luks-askpass.service @@ -194,11 +203,62 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh +%files pin-pkcs11 +%{_libexecdir}/%{name}-luks-pkcs11-askpass +%{_libexecdir}/%{name}-luks-pkcs11-askpin +%{_bindir}/%{name}-decrypt-pkcs11 +%{_bindir}/%{name}-encrypt-pkcs11 +%{_bindir}/%{name}-pkcs11-afunix-socket-unlock +%{_bindir}/%{name}-pkcs11-common +%{_unitdir}/%{name}-luks-pkcs11-askpass.service +%{_unitdir}/%{name}-luks-pkcs11-askpass.socket +%{_mandir}/man1/%{name}-encrypt-pkcs11.1* +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh + %files udisks2 %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog + +* Thu Jan 9 2025 Sergio Arroutbi - 21-208 +- Include socat, openssl as PKCS#11 pin requirements + Resolves: #RHEL-72982 + +* Fri Nov 22 2024 Sergio Arroutbi - 21-207 +- Include tpm2_getcap as dracut required binary + Resolves: #RHEL-68638 + +* Tue Nov 5 2024 Sergio Arroutbi - 21-206 +- TPM2: use first PCR algorithm bank supported by TPM as default + Resolves: #RHEL-65468 + +* Thu Oct 31 2024 Sergio Arroutbi - 21-205 +- Groom clevis.spec + Resolves: #RHEL-65458 + +* Fri Oct 11 2024 Sergio Arroutbi - 21-204 +- Split PKCS#11 files into clevis-pin-pkcs11 package + Resolves: #RHEL-61941 + +* Mon Oct 7 2024 Sergio Arroutbi - 21-203 +- Fix to start pcscd appropriately + Resolves: #RHEL-61612 + +* Tue Oct 01 2024 Sergio Arroutbi - 21-202 +- Fix dracut startup issue + Resolves: #RHEL-61184 + +* Thu Sep 26 2024 Sergio Arroutbi - 21-201 +- Rebase to clevis-21 + Resolves: #RHEL-60257 + +* Tue May 21 2024 Sergio Arroutbi - 20-200 +- Rebase to clevis-20 + Resolves: #RHEL-29282 + * Thu Jun 1 2023 Sergio Arroutbi - 18-112 - Remove pwmake for password generation Resolves: rhbz#2207488