import clevis-15-6.el8

SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch

@@ -0,0 +1,45 @@
+From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+ <1163635+rmetrich@users.noreply.github.com>
+Date: Wed, 1 Dec 2021 09:37:35 -0300
+Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
+ set (#340)
+
+On Fedora/RHEL, the rd.debug kernel command line parameter controls
+debugging.
+By implementing the functionality inside clevis, troubleshooting will be
+greatly eased.
+See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
+---
+ src/luks/clevis-luks-common-functions | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index df8e16d..67ece72 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -20,6 +20,21 @@
+ 
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+ 
++enable_debugging() {
++    # Automatically enable debugging if in initramfs phase and rd.debug
++    if [ -e /usr/lib/dracut-lib.sh ]; then
++        local bashopts=$-
++        # Because dracut is loosely written, disable hardening options temporarily
++        [[ $bashopts != *u* ]] || set +u
++        [[ $bashopts != *e* ]] || set +e
++        . /usr/lib/dracut-lib.sh
++        [[ $bashopts != *u* ]] || set -u
++        [[ $bashopts != *e* ]] || set -e
++    fi
++}
++
++enable_debugging
++
+ # valid_slot() will check whether a given slot is possibly valid, i.e., if it
+ # is a numeric value within the specified range.
+ valid_slot() {
+-- 
+2.33.1
+

SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch

@@ -0,0 +1,83 @@
+From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
+From: Renaud Metrich <rmetrich@redhat.com>
+Date: Fri, 7 Jan 2022 12:13:03 -0300
+Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
+
+This fixes an Out of memory error when the system has not much memory,
+such as a VM configured with 2GB currently being installed through the
+network (hence having ~1GB free memory only).
+See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
+---
+ src/luks/clevis-luks-bind.in          | 7 +++++--
+ src/luks/clevis-luks-common-functions | 7 ++++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
+index 4748c08..017f762 100755
+--- a/src/luks/clevis-luks-bind.in
++++ b/src/luks/clevis-luks-bind.in
+@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
+     exit 1
+ fi
+ 
++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ if [ "$luks_type" == "luks1" ]; then
++    pbkdf_args=
+     # In certain circumstances, we may have LUKSMeta slots "not in sync" with
+     # cryptsetup, which means we will try to save LUKSMeta metadata over an
+     # already used or partially used slot -- github issue #70.
+@@ -184,7 +186,7 @@ fi
+ 
+ # Add the new key.
+ if [ -n "$SLT" ]; then
+-    cryptsetup luksAddKey --key-slot "$SLT" --key-file \
++    cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
+         <(echo -n "$existing_key") "$DEV"
+ else
+     if [ $luks_type == "luks2" ]; then
+@@ -194,7 +196,8 @@ else
+         readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+             | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+     fi
+-    cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
++    cryptsetup luksAddKey ${pbkdf_args} \
++        --key-file <(echo -n "${existing_key}") "$DEV"
+ fi < <(echo -n "${key}")
+ if [ $? -ne 0 ]; then
+     echo "Error while adding new key to LUKS header!" >&2
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 67ece72..038cc37 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -760,10 +760,12 @@ clevis_luks_add_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+                                          --key-slot "${SLT}" \
+                                          "${DEV}" \
++                                         ${pbkdf_args} \
+                                          ${extra_args}
+ }
+ 
+@@ -792,11 +794,14 @@ clevis_luks_update_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     if [ -n "${in_place}" ]; then
+         printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
+                                             --key-slot "${SLT}" \
+-                                            --batch-mode ${extra_args}
++                                            --batch-mode \
++                                            ${pbkdf_args} \
++                                            ${extra_args}
+         return
+     fi
+ 
+-- 
+2.33.1
+

SPECS/clevis.spec

@@ -2,7 +2,7 @@
 
 Name:           clevis
 Version:        15
-Release:        4%{?dist}
+Release:        6%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
@@ -14,6 +14,8 @@ Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
 Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
 Patch0004: 0004-systemd-drop-ncat-dependency.patch
 Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
+Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
+Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
 
 BuildRequires:  git
 BuildRequires:  gcc
@@ -198,6 +200,14 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
+* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
+- Explicitly specify pbkdf iterations to cryptsetup
+  Resolves: rhbz#1979256
+
+* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
+- Enable debugging in clevis scripts when rd.debug is set
+  Resolves: rhbz#1980742
+
 * Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
 - Stop sending stderr to the void when decryption doesn't happen
   Resolves: rhbz#1976880