rpms/clevis
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Account for unlocking failures in clevis-luks-askpass

Browse Source 
Resolves: rhbz#1878892
This commit is contained in:
Sergio Correia 2021-10-29 12:10:03 -03:00
parent 2fc1533e5b
commit 93af905e1f
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch Normal file
View File

@ -0,0 +1,41 @@
From 2a16458622be983aba3762079d7a72383bd8be02 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 10:58:26 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
clevis-luks-askpass
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

7
clevis.spec
View File

@ -1,6 +1,6 @@
Name: clevis Name: clevis
Version: 18 Version: 18
Release: 4%{?dist} Release: 5%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -9,6 +9,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
Source1: clevis.sysusers Source1: clevis.sysusers
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
@ -194,6 +195,10 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#1878892
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
- Rebuilt with OpenSSL 3.0.0 - Rebuilt with OpenSSL 3.0.0