From 79c181529bcc0fc1857778bdf25795b3a9eb480d Mon Sep 17 00:00:00 2001 From: James Antill Date: Thu, 26 May 2022 01:09:01 -0400 Subject: [PATCH] Auto sync2gitlab import of clevis-15-8.el8.src.rpm --- .gitignore | 1 + ...g-with-newer-tang-without-tangd-upda.patch | 176 +++++++++ ...o-extract-luks-passphrase-used-for-b.patch | 309 ++++++++++++++++ ...for-unlocking-failures-in-clevis-luk.patch | 41 +++ 0004-systemd-drop-ncat-dependency.patch | 101 +++++ ...err-to-the-void-when-decryption-does.patch | 26 ++ ...gging-in-clevis-scripts-when-rd.debu.patch | 45 +++ ...specify-pbkdf-iterations-to-cryptset.patch | 83 +++++ ...tang-dump-url-on-error-communication.patch | 16 + ...feat-rename-the-test-pin-to-null-pin.patch | 213 +++++++++++ EMPTY | 1 - clevis.spec | 348 ++++++++++++++++++ sources | 1 + 13 files changed, 1360 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch create mode 100644 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch create mode 100644 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch create mode 100644 0004-systemd-drop-ncat-dependency.patch create mode 100644 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch create mode 100644 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch create mode 100644 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch create mode 100644 0008-tang-dump-url-on-error-communication.patch create mode 100644 0009-feat-rename-the-test-pin-to-null-pin.patch delete mode 100644 EMPTY create mode 100644 clevis.spec create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a10bb38 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/clevis-15.tar.xz diff --git a/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch b/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch new file mode 100644 index 0000000..23679bc --- /dev/null +++ b/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch @@ -0,0 +1,176 @@ +From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Sun, 25 Oct 2020 11:15:46 -0300 +Subject: [PATCH] Fixes for dealing with newer tang without tangd-update + +--- + src/luks/tests/meson.build | 11 +---------- + src/luks/tests/tests-common-functions.in | 19 +++++++++++-------- + src/pins/tang/meson.build | 11 +---------- + src/pins/tang/pin-tang | 11 ++++++++--- + 4 files changed, 21 insertions(+), 31 deletions(-) + +diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build +index ba5f6a2..c0f9dc3 100644 +--- a/src/luks/tests/meson.build ++++ b/src/luks/tests/meson.build +@@ -17,14 +17,6 @@ kgen = find_program( + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), + required: false + ) +-updt = find_program( +- join_paths(libexecdir, 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), +- required: false +-) + tang = find_program( + join_paths(libexecdir, 'tangd'), + join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), +@@ -58,11 +50,10 @@ env.prepend('PATH', + ) + + has_tang = false +-if actv.found() and kgen.found() and updt.found() and tang.found() ++if actv.found() and kgen.found() and tang.found() + has_tang = true + env.set('SD_ACTIVATE', actv.path()) + env.set('TANGD_KEYGEN', kgen.path()) +- env.set('TANGD_UPDATE', updt.path()) + env.set('TANGD', tang.path()) + endif + +diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in +index 8520715..318d007 100755 +--- a/src/luks/tests/tests-common-functions.in ++++ b/src/luks/tests/tests-common-functions.in +@@ -251,18 +251,19 @@ tang_remove_rotated_keys() { + return 1 + fi + +- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined." +- + local db="${basedir}/db" +- local cache="${basedir}/cache" + mkdir -p "${db}" +- mkdir -p "${cache}" ++ ++ if [ -n "${TANGD_UPDATE}" ]; then ++ local cache="${basedir}/cache" ++ mkdir -p "${cache}" ++ fi + + pushd "${db}" + find . -name ".*.jwk" -exec rm -f {} \; + popd + +- "${TANGD_UPDATE}" "${db}" "${cache}" ++ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" + return 0 + } + +@@ -277,12 +278,12 @@ tang_new_keys() { + fi + + [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined." +- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined." + + local db="${basedir}/db" +- local cache="${basedir}/cache" + mkdir -p "${db}" + ++ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache" ++ + if [ -n "${rotate}" ]; then + pushd "${db}" + local k +@@ -296,7 +297,7 @@ tang_new_keys() { + fi + + "${TANGD_KEYGEN}" "${db}" +- "${TANGD_UPDATE}" "${db}" "${cache}" ++ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" + + return 0 + } +@@ -322,6 +323,8 @@ tang_run() { + fi + + local KEYS="${basedir}/cache" ++ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db" ++ + local inetd='--inetd' + [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= + +diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build +index f7d8226..ebcdd4a 100644 +--- a/src/pins/tang/meson.build ++++ b/src/pins/tang/meson.build +@@ -12,14 +12,6 @@ kgen = find_program( + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), + required: false + ) +-updt = find_program( +- join_paths(libexecdir, 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), +- required: false +-) + tang = find_program( + join_paths(libexecdir, 'tangd'), + join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), +@@ -35,11 +27,10 @@ if curl.found() + bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang') + mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1') + +- if actv.found() and kgen.found() and updt.found() and tang.found() ++ if actv.found() and kgen.found() and tang.found() + env = environment() + env.set('SD_ACTIVATE', actv.path()) + env.set('TANGD_KEYGEN', kgen.path()) +- env.set('TANGD_UPDATE', updt.path()) + env.set('TANGD', tang.path()) + env.prepend('PATH', + join_paths(meson.source_root(), 'src'), +diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang +index 98e5e4d..a63d0a2 100755 +--- a/src/pins/tang/pin-tang ++++ b/src/pins/tang/pin-tang +@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db + mkdir -p "$TMP"/cache + + # Generate the server keys ++KEYS="$TMP"/db + "${TANGD_KEYGEN}" "$TMP"/db sig exc +-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache ++if which tangd-update; then ++ tangd-update "$TMP"/db "$TMP"/cache ++ KEYS="$TMP"/cache ++fi + + # Start the server + port="$(shuf -i 1024-65536 -n 1)" +@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)" + inetd='--inetd' + [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= + +-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache & ++"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" & + PID=$! + sleep 0.25 + + thp="$(jose jwk thp -i "$TMP/db/sig.jwk")" +-adv="$TMP/cache/default.jws" + url="http://localhost:${port}" ++adv="$TMP/adv" ++curl "$url/adv" -o "$adv" + + cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")" + enc="$(echo -n "hi" | clevis encrypt tang "$cfg")" +-- +2.18.4 + diff --git a/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch b/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch new file mode 100644 index 0000000..103911c --- /dev/null +++ b/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch @@ -0,0 +1,309 @@ +From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 3 Nov 2020 08:42:48 -0300 +Subject: [PATCH 2/2] Add the option to extract luks passphrase used for + binding + +Usage: + +clevis luks pass -d /dev/sda1 -s 1 + +--- + src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++ + src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++ + src/luks/meson.build | 3 ++ + src/luks/tests/meson.build | 2 + + src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++ + src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++ + 6 files changed, 230 insertions(+) + create mode 100755 src/luks/clevis-luks-pass + create mode 100644 src/luks/clevis-luks-pass.1.adoc + create mode 100755 src/luks/tests/pass-tang-luks1 + create mode 100755 src/luks/tests/pass-tang-luks2 + +diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass +new file mode 100755 +index 0000000..1f59b39 +--- /dev/null ++++ b/src/luks/clevis-luks-pass +@@ -0,0 +1,64 @@ ++#!/bin/bash -e ++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia - LUKS2 support. ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++. clevis-luks-common-functions ++ ++SUMMARY="Returns the LUKS passphrase used for binding a particular slot." ++ ++usage() { ++ exec >&2 ++ echo "Usage: clevis luks pass -d DEV -s SLT" ++ echo ++ echo "$SUMMARY" ++ echo ++ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding" ++ echo ++ echo " -s SLOT The slot number to extract the LUKS passphrase" ++ echo ++ exit 1 ++} ++ ++if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then ++ echo "${SUMMARY}" ++ exit 0 ++fi ++ ++while getopts ":d:s:" o; do ++ case "$o" in ++ d) DEV=${OPTARG};; ++ s) SLT=${OPTARG};; ++ *) usage;; ++ esac ++done ++ ++if [ -z "${DEV}" ]; then ++ echo "Did not specify a device!" >&2 ++ usage ++fi ++ ++if [ -z "${SLT}" ]; then ++ echo "Did not specify a slot!" >&2 ++ usage ++fi ++ ++if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then ++ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2 ++ exit 1 ++fi +diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc +new file mode 100644 +index 0000000..fa9526a +--- /dev/null ++++ b/src/luks/clevis-luks-pass.1.adoc +@@ -0,0 +1,43 @@ ++CLEVIS-LUKS-PASS(1) ++=================== ++:doctype: manpage ++ ++ ++== NAME ++ ++clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device ++ ++== SYNOPSIS ++ ++*clevis luks pass* -d DEV -s SLT ++ ++== OVERVIEW ++ ++The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device. ++For example: ++ ++ clevis luks pass -d /dev/sda1 -s 1 ++ ++== OPTIONS ++ ++* *-d* _DEV_ : ++ The LUKS device on which to extract a passphrase from ++ ++* *-s* _SLT_ : ++ The slot to use for extracting the passphrase ++ ++== EXAMPLE ++ ++ clevis luks pass -d /dev/sda1 -s 1 ++ ++ ++Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key ++file together with cryptsetup. For instance: ++ ++ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase ++ ++And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1. ++ ++== SEE ALSO ++ ++link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)], +diff --git a/src/luks/meson.build b/src/luks/meson.build +index 12f5a0d..008736e 100644 +--- a/src/luks/meson.build ++++ b/src/luks/meson.build +@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found() + + bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit') + mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1') ++ ++ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass') ++ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1') + else + warning('Will not install LUKS support due to missing dependencies!') + endif +diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build +index c22a069..f4584aa 100644 +--- a/src/luks/tests/meson.build ++++ b/src/luks/tests/meson.build +@@ -84,6 +84,7 @@ if has_tang + test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90) + test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90) + test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150) ++ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60) + endif + + test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60) +@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0' + test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120) + test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120) + test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210) ++ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60) + endif + + test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120) +diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1 +new file mode 100755 +index 0000000..0d91e6c +--- /dev/null ++++ b/src/luks/tests/pass-tang-luks1 +@@ -0,0 +1,59 @@ ++#!/bin/bash -x ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++TEST="${0}" ++. tests-common-functions ++. clevis-luks-common-functions ++ ++function on_exit() { ++ [ ! -d "${TMP}" ] && return 0 ++ tang_stop "${TMP}" ++ rm -rf "${TMP}" ++} ++ ++trap 'on_exit' EXIT ++ ++TMP=$(mktemp -d) ++ ++port=$(get_random_port) ++tang_run "${TMP}" "${port}" & ++tang_wait_until_ready "${port}" ++ ++url="http://localhost:${port}" ++adv="${TMP}/adv" ++tang_get_adv "${port}" "${adv}" ++ ++cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") ++ ++# LUKS1. ++DEV="${TMP}/luks1-device" ++new_device "luks1" "${DEV}" ++ ++if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then ++ error "${TEST}: Bind should have succeeded." ++fi ++ ++# Now let's test the passphrase. ++SLT=1 ++PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") ++echo $PASS >&2 ++if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then ++ error "Passphrase obtained from clevis luks pass failed." ++fi +diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2 +new file mode 100755 +index 0000000..2d50413 +--- /dev/null ++++ b/src/luks/tests/pass-tang-luks2 +@@ -0,0 +1,59 @@ ++#!/bin/bash -x ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++TEST="${0}" ++. tests-common-functions ++. clevis-luks-common-functions ++ ++function on_exit() { ++ [ ! -d "${TMP}" ] && return 0 ++ tang_stop "${TMP}" ++ rm -rf "${TMP}" ++} ++ ++trap 'on_exit' EXIT ++ ++TMP=$(mktemp -d) ++ ++port=$(get_random_port) ++tang_run "${TMP}" "${port}" & ++tang_wait_until_ready "${port}" ++ ++url="http://localhost:${port}" ++adv="${TMP}/adv" ++tang_get_adv "${port}" "${adv}" ++ ++cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") ++ ++# LUKS2. ++DEV="${TMP}/luks2-device" ++new_device "luks2" "${DEV}" ++ ++if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then ++ error "${TEST}: Bind should have succeeded." ++fi ++ ++# Now let's test the passphrase. ++SLT=1 ++PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") ++echo $PASS >&2 ++if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then ++ error "Passphrase obtained from clevis luks pass failed." ++fi +-- +2.29.2 + diff --git a/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch new file mode 100644 index 0000000..35738b5 --- /dev/null +++ b/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch @@ -0,0 +1,41 @@ +From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Fri, 29 Oct 2021 12:04:46 -0300 +Subject: [PATCH 3/3] systemd: account for unlocking failures in + clevis-luks-askpass (#343) + +As unlock may fail for some reason, e.g. the network is not up yet, +one way cause problems would be to add extra `rd.luks.uuid' params +to the cmdline, which would then cause such devices to be unlocked +in early boot. If the unlocking fail, those devices might not be +accounted for in the clevis_devices_to_unlock() check, as it is +based on crypttab. + +Let's make sure there are no pending ask.* sockets waiting to be +answered, before exiting. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 +--- + src/luks/systemd/clevis-luks-askpass | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass +index 285bba4..f19671f 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass +@@ -67,8 +67,11 @@ while true; do + done + + [ "${loop}" != true ] && break ++ + # Checking for pending devices to be unlocked. +- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then ++ remaining_crypttab=$(clevis_devices_to_unlock) ||: ++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: ++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then + break; + fi + +-- +2.33.1 + diff --git a/0004-systemd-drop-ncat-dependency.patch b/0004-systemd-drop-ncat-dependency.patch new file mode 100644 index 0000000..fbd22de --- /dev/null +++ b/0004-systemd-drop-ncat-dependency.patch @@ -0,0 +1,101 @@ +From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 18 Nov 2021 16:45:58 -0300 +Subject: [PATCH 4/4] systemd: drop ncat dependency + +When using systemd, i.e., clevis-luks-askpass, we use ncat to send +the decrypted password to the systemd socket as per systemd's password +agents specification [1]. + +However, systemd itself has a utility that does exactly that, +systemd-reply-password. + +In this commit we drop the ncat dependency and instead use +systemd-reply-password in clevis-luks-askpass. + +[1] https://systemd.io/PASSWORD_AGENTS/ +--- + ...is-luks-askpass => clevis-luks-askpass.in} | 2 +- + .../systemd/dracut/clevis/module-setup.sh.in | 4 ++-- + src/luks/systemd/meson.build | 19 +++++++++++++++++-- + 3 files changed, 20 insertions(+), 5 deletions(-) + rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in +similarity index 97% +rename from src/luks/systemd/clevis-luks-askpass +rename to src/luks/systemd/clevis-luks-askpass.in +index f19671f..a6699c9 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass.in +@@ -58,7 +58,7 @@ while true; do + fi + + uuid="$(cryptsetup luksUUID "${d}")" +- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then ++ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then + echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2 + continue + fi +diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in +index ebf969f..d46c6e2 100755 +--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in ++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in +@@ -36,6 +36,7 @@ install() { + + inst_multiple \ + /etc/services \ ++ @SYSTEMD_REPLY_PASS@ \ + @libexecdir@/clevis-luks-askpass \ + clevis-luks-common-functions \ + grep sed cut \ +@@ -45,8 +46,7 @@ install() { + luksmeta \ + clevis \ + mktemp \ +- jose \ +- ncat ++ jose + + dracut_need_initqueue + } +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index 369e7f7..e3b3d91 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -1,6 +1,15 @@ + systemd = dependency('systemd', required: false) + +-if systemd.found() ++sd_reply_pass = find_program( ++ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), ++ required: false ++) ++ ++if systemd.found() and sd_reply_pass.found() ++ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) + subdir('dracut') + + unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') +@@ -12,8 +21,14 @@ if systemd.found() + configuration: data, + ) + ++ configure_file( ++ input: 'clevis-luks-askpass.in', ++ output: 'clevis-luks-askpass', ++ install_dir: libexecdir, ++ configuration: data ++ ) ++ + install_data('clevis-luks-askpass.path', install_dir: unitdir) +- install_data('clevis-luks-askpass', install_dir: libexecdir) + else + warning('Will not install systemd support due to missing dependencies!') + endif +-- +2.33.1 + diff --git a/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch b/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch new file mode 100644 index 0000000..e20b68b --- /dev/null +++ b/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch @@ -0,0 +1,26 @@ +From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 25 Nov 2021 19:18:03 -0300 +Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't + happen + +--- + src/luks/clevis-luks-common-functions | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 879ca4c..df8e16d 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() { + return 1 + fi + +- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \ ++ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \ + || [ -z "${passphrase}" ]; then + return 1 + fi +-- +2.33.1 + diff --git a/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch new file mode 100644 index 0000000..e7df18a --- /dev/null +++ b/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch @@ -0,0 +1,45 @@ +From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= + <1163635+rmetrich@users.noreply.github.com> +Date: Wed, 1 Dec 2021 09:37:35 -0300 +Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is + set (#340) + +On Fedora/RHEL, the rd.debug kernel command line parameter controls +debugging. +By implementing the functionality inside clevis, troubleshooting will be +greatly eased. +See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). +--- + src/luks/clevis-luks-common-functions | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index df8e16d..67ece72 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -20,6 +20,21 @@ + + CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" + ++enable_debugging() { ++ # Automatically enable debugging if in initramfs phase and rd.debug ++ if [ -e /usr/lib/dracut-lib.sh ]; then ++ local bashopts=$- ++ # Because dracut is loosely written, disable hardening options temporarily ++ [[ $bashopts != *u* ]] || set +u ++ [[ $bashopts != *e* ]] || set +e ++ . /usr/lib/dracut-lib.sh ++ [[ $bashopts != *u* ]] || set -u ++ [[ $bashopts != *e* ]] || set -e ++ fi ++} ++ ++enable_debugging ++ + # valid_slot() will check whether a given slot is possibly valid, i.e., if it + # is a numeric value within the specified range. + valid_slot() { +-- +2.33.1 + diff --git a/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch new file mode 100644 index 0000000..18cee3b --- /dev/null +++ b/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch @@ -0,0 +1,83 @@ +From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001 +From: Renaud Metrich +Date: Fri, 7 Jan 2022 12:13:03 -0300 +Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup + +This fixes an Out of memory error when the system has not much memory, +such as a VM configured with 2GB currently being installed through the +network (hence having ~1GB free memory only). +See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). +--- + src/luks/clevis-luks-bind.in | 7 +++++-- + src/luks/clevis-luks-common-functions | 7 ++++++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in +index 4748c08..017f762 100755 +--- a/src/luks/clevis-luks-bind.in ++++ b/src/luks/clevis-luks-bind.in +@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \ + exit 1 + fi + ++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + if [ "$luks_type" == "luks1" ]; then ++ pbkdf_args= + # In certain circumstances, we may have LUKSMeta slots "not in sync" with + # cryptsetup, which means we will try to save LUKSMeta metadata over an + # already used or partially used slot -- github issue #70. +@@ -184,7 +186,7 @@ fi + + # Add the new key. + if [ -n "$SLT" ]; then +- cryptsetup luksAddKey --key-slot "$SLT" --key-file \ ++ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \ + <(echo -n "$existing_key") "$DEV" + else + if [ $luks_type == "luks2" ]; then +@@ -194,7 +196,8 @@ else + readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ + | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') + fi +- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV" ++ cryptsetup luksAddKey ${pbkdf_args} \ ++ --key-file <(echo -n "${existing_key}") "$DEV" + fi < <(echo -n "${key}") + if [ $? -ne 0 ]; then + echo "Error while adding new key to LUKS header!" >&2 +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 67ece72..038cc37 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -760,10 +760,12 @@ clevis_luks_add_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ + --key-slot "${SLT}" \ + "${DEV}" \ ++ ${pbkdf_args} \ + ${extra_args} + } + +@@ -792,11 +794,14 @@ clevis_luks_update_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + if [ -n "${in_place}" ]; then + printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ + --key-slot "${SLT}" \ +- --batch-mode ${extra_args} ++ --batch-mode \ ++ ${pbkdf_args} \ ++ ${extra_args} + return + fi + +-- +2.33.1 + diff --git a/0008-tang-dump-url-on-error-communication.patch b/0008-tang-dump-url-on-error-communication.patch new file mode 100644 index 0000000..e907694 --- /dev/null +++ b/0008-tang-dump-url-on-error-communication.patch @@ -0,0 +1,16 @@ +--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100 ++++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100 +@@ -73,10 +73,10 @@ + + xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" + +-url="$url/rec/$kid" ++rec_url="$url/rec/$kid" + ct="Content-Type: application/jwk+json" +-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then +- echo "Error communicating with the server!" >&2 ++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then ++ echo "Error communicating with the server $url" >&2 + exit 1 + fi + diff --git a/0009-feat-rename-the-test-pin-to-null-pin.patch b/0009-feat-rename-the-test-pin-to-null-pin.patch new file mode 100644 index 0000000..deb5ad3 --- /dev/null +++ b/0009-feat-rename-the-test-pin-to-null-pin.patch @@ -0,0 +1,213 @@ +From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001 +From: Antonio Murdaca +Date: Wed, 1 Dec 2021 14:17:53 +0100 +Subject: [PATCH 9/9] feat: rename the test pin to null pin + +Signed-off-by: Antonio Murdaca +--- + src/initramfs-tools/hooks/clevis.in | 1 + + .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ + .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ + src/luks/systemd/dracut/meson.build | 1 + + ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- + ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- + src/pins/sss/meson.build | 5 +++- + src/pins/sss/{pin-test => pin-null} | 4 +-- + src/pins/sss/pin-sss | 12 ++++---- + 9 files changed, 60 insertions(+), 13 deletions(-) + create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build + create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in + rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) + rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) + rename src/pins/sss/{pin-test => pin-null} (53%) + +diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in +index cc3b492..448ba96 100755 +--- a/src/initramfs-tools/hooks/clevis.in ++++ b/src/initramfs-tools/hooks/clevis.in +@@ -58,6 +58,7 @@ fi + + copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" + copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" ++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" + copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" + copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" + copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" +diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build +new file mode 100644 +index 0000000..107e3ba +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build +@@ -0,0 +1,14 @@ ++dracut = dependency('dracut', required: false) ++ ++if dracut.found() ++ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' ++ ++ configure_file( ++ input: 'module-setup.sh.in', ++ output: 'module-setup.sh', ++ install_dir: dracutdir, ++ configuration: data, ++ ) ++else ++ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') ++endif +diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +new file mode 100755 +index 0000000..6a16078 +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +@@ -0,0 +1,28 @@ ++#!/bin/bash ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2016 Red Hat, Inc. ++# Author: Nathaniel McCallum ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++depends() { ++ echo clevis ++ return 0 ++} ++ ++install() { ++ inst clevis-decrypt-null ++} +diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build +index fdb264b..7ad5b14 100644 +--- a/src/luks/systemd/dracut/meson.build ++++ b/src/luks/systemd/dracut/meson.build +@@ -2,3 +2,4 @@ subdir('clevis') + subdir('clevis-pin-tang') + subdir('clevis-pin-tpm2') + subdir('clevis-pin-sss') ++subdir('clevis-pin-null') +diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null +similarity index 88% +rename from src/pins/sss/clevis-decrypt-test +rename to src/pins/sss/clevis-decrypt-null +index f0e9249..a6217ed 100755 +--- a/src/pins/sss/clevis-decrypt-test ++++ b/src/pins/sss/clevis-decrypt-null +@@ -22,11 +22,11 @@ + + read -r -d . hdr + +-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then ++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then + echo "JWE pin mismatch!" >&2 + exit 1 + fi + +-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 ++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 + + exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) +diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null +similarity index 90% +rename from src/pins/sss/clevis-encrypt-test +rename to src/pins/sss/clevis-encrypt-null +index bd2d6ec..af182a5 100755 +--- a/src/pins/sss/clevis-encrypt-test ++++ b/src/pins/sss/clevis-encrypt-null +@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then + fi + + jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" +-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' ++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' + + if ! jose fmt -j "$cfg" -g fail -T; then +- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" ++ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" + fi + + exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) +diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build +index 7f20eea..2a5295a 100644 +--- a/src/pins/sss/meson.build ++++ b/src/pins/sss/meson.build +@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() + separator: ':' + ) + ++ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') ++ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') ++ + test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) +- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) ++ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) + else + warning('Will not install sss pin due to missing dependencies!') + endif +diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null +similarity index 53% +rename from src/pins/sss/pin-test +rename to src/pins/sss/pin-null +index 50c8c67..b14ac63 100755 +--- a/src/pins/sss/pin-test ++++ b/src/pins/sss/pin-null +@@ -2,9 +2,9 @@ + + trap 'exit' ERR + +-e="$(echo -n hi | clevis encrypt test '{}')" ++e="$(echo -n hi | clevis encrypt null '{}')" + d="$(echo -n "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo -n hi | clevis encrypt test '{"fail":true}')" ++e="$(echo -n hi | clevis encrypt null '{"fail":true}')" + ! echo "$e" | clevis decrypt +diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss +index 5c0b8cf..24da052 100755 +--- a/src/pins/sss/pin-sss ++++ b/src/pins/sss/pin-sss +@@ -1,24 +1,24 @@ + #!/bin/bash -ex + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + + ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" +-- +2.33.1 + diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/clevis.spec b/clevis.spec new file mode 100644 index 0000000..df4282e --- /dev/null +++ b/clevis.spec @@ -0,0 +1,348 @@ +%global _hardened_build 1 + +Name: clevis +Version: 15 +Release: 8%{?dist} +Summary: Automated decryption framework + +License: GPLv3+ +URL: https://github.com/latchset/%{name} +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz + +Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch +Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch +Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +Patch0004: 0004-systemd-drop-ncat-dependency.patch +Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch +Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +Patch0008: 0008-tang-dump-url-on-error-communication.patch +Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch + +BuildRequires: git +BuildRequires: gcc +BuildRequires: meson +BuildRequires: asciidoc +BuildRequires: ninja-build +BuildRequires: bash-completion + +BuildRequires: libjose-devel >= 8 +BuildRequires: libluksmeta-devel >= 8 +BuildRequires: audit-libs-devel +BuildRequires: libudisks2-devel +BuildRequires: openssl-devel + +BuildRequires: tpm2-tools >= 3.0.0 +BuildRequires: desktop-file-utils +BuildRequires: pkgconfig +BuildRequires: systemd +BuildRequires: dracut +BuildRequires: tang >= 6 +BuildRequires: curl +BuildRequires: luksmeta +BuildRequires: cracklib-dicts +BuildRequires: jq +BuildRequires: diffutils +BuildRequires: expect +BuildRequires: openssl + +Requires: cracklib-dicts +Requires: tpm2-tools >= 3.0.0 +Requires: coreutils +Requires: jose >= 8 +Requires: curl +Requires: jq +Requires(pre): shadow-utils + +%description +Clevis is a framework for automated decryption. It allows you to encrypt +data using sophisticated unlocking policies which enable decryption to +occur automatically. + +The clevis package provides basic encryption/decryption policy support. +Users can use this directly; but most commonly, it will be used as a +building block for other packages. For example, see the clevis-luks +and clevis-dracut packages for automatic root volume unlocking of LUKS +volumes during early boot. + +%package luks +Summary: LUKS integration for clevis +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: cryptsetup +Requires: luksmeta >= 8 + +%description luks +LUKS integration for clevis. This package allows you to bind a LUKS +volume to a clevis unlocking policy. For automated unlocking, an unlocker +will also be required. See, for example, clevis-dracut and clevis-udisks2. + +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 27 +Requires: systemd%{?_isa} >= 235-3 +%else +%if 0%{?fedora} == 27 +Requires: systemd%{?_isa} >= 234-9 +%else +%if 0%{?fedora} == 26 +Requires: systemd%{?_isa} >= 233-7 +%else +Requires: systemd%{?_isa} >= 236 +%endif +%endif +%endif + +%description systemd +Automatically unlocks clevis-bound LUKS block devices during boot. + +%package dracut +Summary: Dracut integration for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: dracut-network + +%description dracut +Automatically unlocks LUKS block devices in early boot. + +%package udisks2 +Summary: UDisks2/Storaged integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} + +%description udisks2 +Automatically unlocks LUKS block devices in desktop environments that +use UDisks2 or storaged (like GNOME). + +%prep +%autosetup -S git + +%build +%meson -Duser=clevis -Dgroup=clevis +%meson_build + +%install +%meson_install + +%check +desktop-file-validate \ + %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%meson_test + +%pre +getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null +getent passwd %{name} >/dev/null || \ + useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \ + -c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null +# Add clevis user to tss group. +if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then + usermod -a -G tss %{name} &>/dev/null +fi +exit 0 + +%posttrans +# In case clevis-luks-askpass is enabled, make sure it's using the +# correct target, which changed in v14. +[ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0 +find /etc/systemd/system/ -name "clevis-luks-askpass*" \ + | grep -q cryptsetup.target.wants && exit 0 + +find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} + +systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || : +exit 0 + +%files +%license COPYING +%{_datadir}/bash-completion/ +%{_bindir}/%{name}-decrypt-tang +%{_bindir}/%{name}-decrypt-tpm2 +%{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt-null +%{_bindir}/%{name}-decrypt +%{_bindir}/%{name}-encrypt-tang +%{_bindir}/%{name}-encrypt-tpm2 +%{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name}-encrypt-null +%{_bindir}/%{name} +%{_mandir}/man1/%{name}-encrypt-tang.1* +%{_mandir}/man1/%{name}-encrypt-tpm2.1* +%{_mandir}/man1/%{name}-encrypt-sss.1* +%{_mandir}/man1/%{name}-decrypt.1* +%{_mandir}/man1/%{name}.1* + +%files luks +%{_mandir}/man7/%{name}-luks-unlockers.7* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-unbind.1* +%{_mandir}/man1/%{name}-luks-bind.1* +%{_mandir}/man1/%{name}-luks-list.1* +%{_mandir}/man1/%{name}-luks-pass.1* +%{_mandir}/man1/%{name}-luks-regen.1* +%{_mandir}/man1/%{name}-luks-report.1* +%{_mandir}/man1/%{name}-luks-edit.1* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-unbind +%{_bindir}/%{name}-luks-bind +%{_bindir}/%{name}-luks-common-functions +%{_bindir}/%{name}-luks-list +%{_bindir}/%{name}-luks-pass +%{_bindir}/%{name}-luks-regen +%{_bindir}/%{name}-luks-report +%{_bindir}/%{name}-luks-edit + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service + +%files dracut +%{_prefix}/lib/dracut/modules.d/60%{name} +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2 + +%files udisks2 +%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 + +%changelog +* Wed Jan 26 2022 Sergio Correia - 15-8 +- Support a null pin + Resolves: rhbz#2028096 + +* Fri Jan 21 2022 Sergio Arroutbi - 15-7 +- Dump server information on server error communication + Resolves: rhbz#2020193 + +* Tue Jan 04 2022 Sergio Correia - 15-6 +- Explicitly specify pbkdf iterations to cryptsetup + Resolves: rhbz#1979256 + +* Wed Dec 01 2021 Sergio Correia - 15-5 +- Enable debugging in clevis scripts when rd.debug is set + Resolves: rhbz#1980742 + +* Thu Nov 25 2021 Sergio Correia - 15-4 +- Stop sending stderr to the void when decryption doesn't happen + Resolves: rhbz#1976880 + +* Thu Nov 18 2021 Sergio Correia - 15-3 +- Drop ncat dependency + Resolves: rhbz#1949289 + +* Wed Nov 17 2021 Sergio Correia - 15-2 +- Account for unlocking failures in clevis-luks-askpass + Resolves: rhbz#2018292 + +* Mon Oct 26 2020 Sergio Correia - 15-1 +- Update to latest upstream release, v15 + Resolves: rhbz#1887836 + Resolves: rhbz#1853651 + Resolves: rhbz#1874460 + +* Wed May 20 2020 Sergio Correia - 13-3 +- Add clevis luks edit command + Resolves: rhbz#1436735 + +* Mon May 18 2020 Sergio Correia - 13-2 +- Introduce -y (assume yes) argument to clevis luks bind + Resolves: rhbz#1819767 + +* Sun May 10 2020 Sergio Correia - 13-1 +- Update to new upstream release, v13 + Resolves: rhbz#1827225 + Resolves: rhbz#1827665 + Resolves: rhbz#1801556 + Resolves: rhbz#1784448 + Resolves: rhbz#1826917 + Resolves: rhbz#1812014 + +* Sun Feb 02 2020 Sergio Correia - 11-9 +- Improve clevis luks regen not to unbind+bind in every case + Resolves: rhbz#1795675 + +* Mon Jan 13 2020 Sergio Correia - 11-8 +- Use one clevis-luks-askpass per device + Resolves: rhbz#1784524 + +* Sat Nov 30 2019 Sergio Correia - 11-7 +- Add rd.neednet=1 to cmdline only if there are devices bound to tang + Resolves: rhbz#1762028 + +* Sat Nov 30 2019 Sergio Correia - 11-6 +- Add option to extract luks passphrase used for binding + Resolves: rhbz#1436780 + +* Thu Nov 28 2019 Sergio Correia - 11-5 +- Add support for listing existing PBD policies in place + Resolves: rhbz#1766526 + +* Fri Oct 18 2019 Sergio Correia - 11-4 +- Improve error message when bind is given an invalid PIN + Resolves: rhbz#1543380 + +* Wed Oct 16 2019 Sergio Correia - 11-3 +- Add clevis luks report and regen + Resolves: rhbz#1564566 + Resolves: rhbz#1564559 + +* Fri Jan 04 2019 Daniel Kopecek - 11-2 +- Check that key derivation key is available +- Delete remaining references to the removed http pin +- Install cryptsetup and tpm2_pcrlist in the initramfs +- Add device TCTI library to the initramfs + Resolves: rhbz#1648004 + Resolves: rhbz#1650246 + +* Tue Aug 14 2018 Nathaniel McCallum - 11-1 +- Update to v11 + +* Thu Jul 12 2018 Fedora Release Engineering - 10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 21 2018 Nathaniel McCallum - 10-1 +- Update to v10 + +* Tue Feb 13 2018 Nathaniel McCallum - 9-1 +- Update to v9 + +* Wed Feb 07 2018 Fedora Release Engineering - 8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Nov 13 2017 Nathaniel McCallum - 8-1 +- Update to v8 + +* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 +- Rebuild for cryptsetup-2.0.0 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 + +* Wed Aug 02 2017 Fedora Release Engineering - 6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 27 2017 Nathaniel McCallum - 6-1 +- New upstream release +- Specify unprivileged user/group during configuration +- Move clevis user/group creation to base clevis package + +* Mon Jun 26 2017 Nathaniel McCallum - 5-1 +- New upstream release +- Run clevis decryption from udisks2 under an unprivileged user + +* Wed Jun 14 2017 Nathaniel McCallum - 4-1 +- New upstream release + +* Wed Jun 14 2017 Nathaniel McCallum - 3-1 +- New upstream release + +* Fri Feb 10 2017 Fedora Release Engineering - 2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 18 2016 Nathaniel McCallum - 2-1 +- New upstream release + +* Mon Nov 14 2016 Nathaniel McCallum - 1-1 +- First release diff --git a/sources b/sources new file mode 100644 index 0000000..ba551e3 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (clevis-15.tar.xz) = 8a84b9e081d02742c2c718bdc8b2c834764da6ec9ad1ae5640e8af80a38c2a1ec83eeea5de7696f60f7dd8f165b3dc527290831621440b1a46459d2c8bd56918