diff --git a/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
new file mode 100644
index 0000000..c3650b3
--- /dev/null
+++ b/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
@@ -0,0 +1,41 @@
+From 2a16458622be983aba3762079d7a72383bd8be02 Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Fri, 29 Oct 2021 10:58:26 -0300
+Subject: [PATCH 2/2] systemd: account for unlocking failures in
+ clevis-luks-askpass
+
+As unlock may fail for some reason, e.g. the network is not up yet,
+one way cause problems would be to add extra `rd.luks.uuid' params
+to the cmdline, which would then cause such devices to be unlocked
+in early boot. If the unlocking fail, those devices might not be
+accounted for in the clevis_devices_to_unlock() check, as it is
+based on crypttab.
+
+Let's make sure there are no pending ask.* sockets waiting to be
+answered, before exiting.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
+---
+ src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
+index 8f54859..a6699c9 100755
+--- a/src/luks/systemd/clevis-luks-askpass.in
++++ b/src/luks/systemd/clevis-luks-askpass.in
+@@ -67,8 +67,11 @@ while true; do
+ done
+
+ [ "${loop}" != true ] && break
++
+ # Checking for pending devices to be unlocked.
+- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
++ remaining_crypttab=$(clevis_devices_to_unlock) ||:
++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
+ break;
+ fi
+
+--
+2.33.1
+
diff --git a/clevis.spec b/clevis.spec
index 7033e63..d53277b 100644
--- a/clevis.spec
+++ b/clevis.spec
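Review bot: In the clevis-luks-askpass.in hunk carried by the new 0002 patch, both added probes end in `||:`, so a failed check is now read as "nothing pending". The old test left the loop only when `clevis_devices_to_unlock` succeeded with empty output; now an error there (its body is not visible here), together with an `ls` that fails for any reason other than "no match", lets the script exit while a volume may still be waiting for its passphrase, which on an unattended host would presumably leave the boot stuck at the prompt. I would keep the failure case distinct from the empty case, or at least add a comment such as `# a failed check is deliberately treated as "no devices"` if that is the intent. The ask-file test also reads better as a glob check than as parsed `ls` output, e.g. `for f in "${path}"/ask.*; do [ -e "${f}" ] && { pending=1; break; }; done`, which drops the subprocess and the blanket `2>/dev/null`. The enclosing `while true` loop and the definition of `path` lie outside the hunk, so whether `path` is always set could not be checked from here.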
@@ -1,6 +1,6 @@ Name: clevis Version: 18 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Automated decryption framework License: GPLv3+ @@ -9,6 +9,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version Source1: clevis.sysusers Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch +Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch BuildRequires: git-core BuildRequires: gcc @@ -194,6 +195,10 @@ exit 0 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Fri Oct 29 2021 Sergio Correia - 18-5 + Account for unlocking failures in clevis-luks-askpass + Resolves: rhbz#1878892 + * Tue Sep 14 2021 Sahana Prasad - 18-4 - Rebuilt with OpenSSL 3.0.0