import clevis-11-2.el8

This commit is contained in:
CentOS Sources 2019-08-02 12:01:18 -04:00 committed by Stepan Oksanichenko
commit 84b05707ca
7 changed files with 470 additions and 0 deletions

.clevis.metadata Normal file

@ -0,0 +1 @@
086374814a4d71db8625d27a1719e03244a7cff0 SOURCES/clevis-11.tar.xz

.gitignore vendored Normal file

@ -0,0 +1 @@
SOURCES/clevis-11.tar.xz


@ -0,0 +1,34 @@
From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 16:48:47 +0100
Subject: [PATCH 3/3] Add device TCTI library to the initramfs
The tpm2-tools don't dynamically link against the TCTI libraries anymore,
but instead dlopen() the correct library depending on the TCTI used.
So dracut isn't able anymore to figure out automatically using ldd what
libraries are needed by the tpm2-tools. Since clevis uses the device TCTI
to access the TPM directly, add the libtss2-tcti-device.so to the initrd.
Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
Fixes: #74
---
src/luks/systemd/dracut/module-setup.sh.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 41e7d6c9b002..990bf4aeed56 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -65,6 +65,7 @@ install() {
tpm2_pcrlist \
tpm2_unseal \
tpm2_load
+ inst_libdir_file "libtss2-tcti-device.so*"
fi
dracut_need_initqueue
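Review bot: the new `inst_libdir_file "libtss2-tcti-device.so*"` line is placed correctly inside the block that only runs when the tpm2 tools were found, but a glob that matches nothing is silently ignored by inst_libdir_file, and because the tools dlopen() the TCTI rather than link it, neither dracut's ldd pass nor this script will notice the gap at build time; the failure only appears at the LUKS prompt when tpm2_unseal cannot load its TCTI. Add an explicit existence check (for example `dwarn`/`derror` when `$libdir/libtss2-tcti-device.so*` expands to nothing) so an image built on a host that lacks the tss2 runtime library fails loudly instead of booting without a working tpm2 pin.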
--
2.19.1


@ -0,0 +1,30 @@
From 8b707e8bfcbfd073579ee553b982b4784490f5ea Mon Sep 17 00:00:00 2001
From: Daniel Kopecek <dkopecek@redhat.com>
Date: Wed, 5 Dec 2018 13:18:59 +0100
Subject: [PATCH] clevis-encrypt-tang: check key derivation key is available
before encryption
---
src/pins/tang/clevis-encrypt-tang | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
index e65a7d1..7fc55ca 100755
--- a/src/pins/tang/clevis-encrypt-tang
+++ b/src/pins/tang/clevis-encrypt-tang
@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \
fi
### Perform encryption
-enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`
+if ! enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`; then
+ echo "Key derivation key not available!" >&2
+ exit 1
+fi
+
jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
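Review bot: the guard only catches the case where `jose jwk use -i- -r -u deriveKey` exits non-zero; if it exits 0 with empty output, `enc` is empty, the unchanged fallback `jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"` turns that into `{"keys":[]}`, and the `for jwk in ...` loop below runs zero times, so the script fails later (or emits an unusable JWE) instead of at this check. Tighten it to `if ! enc=\`...\` || [ -z "$enc" ]; then` so both shapes of "no derivation key" stop here, and state in the commit message which jose behaviour (the `-r` flag) the non-zero exit depends on. Style: the file uses backticks throughout, so matching it is fine, though `$(...)` nests and quotes more safely if the surrounding code is ever converted.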
--
2.13.6


@ -0,0 +1,132 @@
From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 14:53:08 +0100
Subject: [PATCH 1/3] Delete remaining references to the removed http pin
Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
there are still references of it in the docs and also the dracut module.
This was causing dracut to fail building the initramfs due to the following:
dracut-install: ERROR: installing 'clevis-decrypt-http'
Suggested-by: Dominick Grift <dac.override@gmail.com>
Fixes: #73
---
README.md | 21 ---------------------
src/clevis.1.adoc | 21 ---------------------
src/luks/clevis-luks-bind.1.adoc | 1 -
src/luks/systemd/dracut/module-setup.sh.in | 1 -
src/pins/sss/clevis-encrypt-sss.1.adoc | 1 -
5 files changed, 45 deletions(-)
diff --git a/README.md b/README.md
index ce8def12ec96..d57339aca5d9 100644
--- a/README.md
+++ b/README.md
@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When
the advertisment is specified manually like this, Clevis presumes that the
advertisement is trusted.
-#### PIN: HTTP
-
-Clevis also ships a pin for performing escrow using HTTP. Please note that,
-at this time, this pin does not provide HTTPS support and is suitable only
-for use over local sockets. This provides integration with services like
-[Custodia](http://github.com/latchset/custodia).
-
-For example:
-
-```bash
-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
-```
-
-The HTTP pin generate a new (cryptographically-strong random) key and performs
-encryption using it. It then performs a PUT request to the URL specified. It is
-understood that the server will securely store this key for later retrieval.
-During decryption, the pin will perform a GET request to retrieve the key and
-perform decryption.
-
-Patches to provide support for HTTPS and authentication are welcome.
-
#### PIN: TPM2
Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
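Review bot: deleting the whole section also removes the only user-facing statement that the http pin existed, so someone who encrypted data with `clevis encrypt http ...` (the example this hunk removes) under an earlier release gets no hint why `clevis decrypt` no longer handles their JWE. A one-line note that the http pin was removed in 800d73185d7f and that data bound with it must be re-encrypted with another pin would make the removal safe to ship. Separately, the unchanged context on the first three lines of this hunk still spells "advertisment"; worth a follow-up fix since the file is being edited anyway.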
diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc
index 756aba57a4c8..dea0a696f5f7 100644
--- a/src/clevis.1.adoc
+++ b/src/clevis.1.adoc
@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to
encrypt the data so that it can be automatically decrypted if the policy is
met. Lets walk through an example.
-== HTTP ESCROW
-
-When using the HTTP pin, we create a new, cryptographically-strong, random key.
-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
-Then at decryption time, we attempt to fetch the key back again in order to
-decrypt our data. So, for our configuration we need to pass the URL to the key
-location:
-
- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
-
-To decrypt the data, simply provide the ciphertext (JWE):
-
- $ clevis decrypt < JWE > PLAINTEXT
-
-Notice that we did not pass any configuration during decryption. The decrypt
-command extracted the URL (and possibly other configuration) from the JWE
-object, fetched the encryption key from the escrow and performed decryption.
-
-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
-
== TANG BINDING
Clevis provides support for the Tang network binding server. Tang provides
@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
== SEE ALSO
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
index 9f3a880cfb0c..0d649e3ec28b 100644
--- a/src/luks/clevis-luks-bind.1.adoc
+++ b/src/luks/clevis-luks-bind.1.adoc
@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key.
== SEE ALSO
link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 119762e38326..48aea5b3f29a 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -36,7 +36,6 @@ install() {
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
inst_multiple /etc/services \
- clevis-decrypt-http \
clevis-decrypt-tang \
clevis-decrypt-sss \
@libexecdir@/clevis-luks-askpass \
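Review bot: this is the line that actually fixes the reported `dracut-install: ERROR: installing 'clevis-decrypt-http'`, because inst_multiple aborts the whole module on any missing name. That behaviour is right for the remaining entries (`clevis-decrypt-tang`, `clevis-decrypt-sss`, `@libexecdir@/clevis-luks-askpass`), which are hard requirements of the package, but it means any optional pin must go through the probed `for cmd in clevis-decrypt-tpm2 ...` block further down rather than this list. A short comment above `inst_multiple` saying exactly that would stop the next pin removal from repeating this breakage.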
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
index d46498db328c..7144e7e9ea96 100644
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
@@ -54,6 +54,5 @@ receive key fragments.
== SEE ALSO
-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
--
2.19.1


@ -0,0 +1,49 @@
From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 7 Nov 2018 15:12:17 +0100
Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs
The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes
automatic LUKS unlocking fail with the following errors:
dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found
dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found
Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
Fixes: #74
---
src/luks/systemd/dracut/module-setup.sh.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
index 48aea5b3f29a..41e7d6c9b002 100755
--- a/src/luks/systemd/dracut/module-setup.sh.in
+++ b/src/luks/systemd/dracut/module-setup.sh.in
@@ -40,6 +40,7 @@ install() {
clevis-decrypt-sss \
@libexecdir@/clevis-luks-askpass \
clevis-decrypt \
+ cryptsetup \
luksmeta \
clevis \
mktemp \
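Review bot: `cryptsetup` is added to the unconditional inst_multiple list, which is correct given the `cryptsetup: command not found` failure in clevis-luks-askpass, and it cannot make the build abort because the spec already has `Requires: cryptsetup` on clevis-luks, which clevis-dracut depends on through clevis-systemd. Check whether the module's `depends()` already pulls in dracut's own crypt module, which installs cryptsetup itself; if it does, keep this line anyway but add a comment saying it is deliberate, so nobody later removes it as redundant and reintroduces the boot failure.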
@@ -49,6 +50,7 @@ install() {
for cmd in clevis-decrypt-tpm2 \
tpm2_createprimary \
+ tpm2_pcrlist \
tpm2_unseal \
tpm2_load; do
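Review bot: the `for cmd in ...` probe disables the entire tpm2 pin in the initramfs as soon as any one name is missing, and the names are those of the tpm2-tools 3.x CLI while the spec only pins `tpm2-tools >= 3.0.0` with no upper bound; tpm2-tools 4.0 renamed `tpm2_pcrlist` to `tpm2_pcrread`, so on such a host dracut would build an image with no tpm2 pin and print nothing. Emit a `dwarn` naming the command that was not found when `ret` becomes non-zero, and either cap the tpm2-tools version in the spec or accept both names here, so the breakage shows up at image build time rather than at boot.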
@@ -60,6 +62,7 @@ install() {
if (($ret == 0)); then
inst_multiple clevis-decrypt-tpm2 \
tpm2_createprimary \
+ tpm2_pcrlist \
tpm2_unseal \
tpm2_load
fi
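Review bot: the tool list now lives twice, in the `for cmd in` probe above and in this `inst_multiple` call, and this patch has to edit both in lockstep; the follow-up patch in this series then adds `inst_libdir_file "libtss2-tcti-device.so*"` only here, which is fine for a library but shows how easily the two lists drift. Put the command names in one array (for example `tpm2_cmds=(tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load)`) and use it for both the probe and the install so a future addition cannot land on one side only.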
--
2.19.1

SPECS/clevis.spec Normal file

@ -0,0 +1,223 @@
%global _hardened_build 1
Name: clevis
Version: 11
Release: 2%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: Delete-remaining-references-to-the-removed-http-pin.patch
Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
Patch2: Add-device-TCTI-library-to-the-initramfs.patch
Patch3: Check-key-derivation-key-is-available.patch
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 3.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
Requires: tpm2-tools >= 3.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires(pre): shadow-utils
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKSv1
volumes during early boot.
%package luks
Summary: LUKSv1 integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKSv1 integration for clevis. This package allows you to bind a LUKSv1
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
Requires: nc
%description systemd
Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKSv1 block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKSv1 block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%prep
%autosetup -p1
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
getent group %{name} >/dev/null || groupadd -r %{name}
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name}
exit 0
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
# setuid-root helper: per the 5-1 changelog entry the decryption itself runs as the
# unprivileged clevis user created in the pre scriptlet, so any change to this mode needs review
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
- Check that key derivation key is available
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1648004
Resolves: rhbz#1650246
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release