Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/clevis.git#d1703cbd944c200baff50c4fcaa6d1ca060eb580
2020-11-23 08:32:07 +00:00 · 2020-11-23 08:32:07 +00:00 · 9558b9d05f
commit 9558b9d05f
parent a86908812a
2 changed files with 126 additions and 4 deletions
--- a/clevis-tpm2-tools-5.patch
+++ b/clevis-tpm2-tools-5.patch
@ -0,0 +1,118 @@
+From ef76951e4486dadf41ca8085e09849466a0c7fd3 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas@gmx.de>
+Date: Wed, 11 Nov 2020 12:43:18 +0100
+Subject: [PATCH] pins/tpm2: add support for tpm2-tools 5.X
+
+tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
+the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
+instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
+are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
+creating another special case, since the option syntax has not changed (it
+should be stable since version 4).
+
+tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
+distributions, so keep supporting it for now at least.
+---
+ src/pins/tpm2/clevis-decrypt-tpm2 | 12 ++++++------
+ src/pins/tpm2/clevis-encrypt-tpm2 | 16 ++++++++--------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
+index 83bf8f0..6226cb7 100755
+--- a/src/pins/tpm2/clevis-decrypt-tpm2
+++ b/src/pins/tpm2/clevis-decrypt-tpm2
+@@ -49,8 +49,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
+if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
+    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -135,7 +135,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -146,8 +146,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+                  -C "$TMP"/load.context || fail=$?;;
+-    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+-                 -c "$TMP"/load.context || fail=$?;;
+    4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+                   -c "$TMP"/load.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -157,7 +157,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
+-    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+    4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
+index 16d35c4..69a1126 100755
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
+++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -71,8 +71,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
+if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
+    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -153,7 +153,7 @@ trap 'on_exit' EXIT
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -166,7 +166,7 @@ if [ -n "$pcr_ids" ]; then
+     if [ -z "$pcr_digest" ]; then
+         case "$TPM2TOOLS_VERSION" in
+             3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+-            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+             *) fail=1;;
+         esac
+         if [ -n "$fail" ]; then
+@@ -183,8 +183,8 @@ if [ -n "$pcr_ids" ]; then
+     case "$TPM2TOOLS_VERSION" in
+         3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
+                              -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
+-        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+-                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+                               -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+         *) fail=1;;
+     esac
+     if [ -n "$fail" ]; then
+@@ -200,8 +200,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
+                    -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
+-    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+-                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+    4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+                     -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
--- a/clevis.spec
+++ b/clevis.spec
@ -1,13 +1,14 @@
 Name:           clevis
 Version:        15
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Automated decryption framework

 License:        GPLv3+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch0:         clevis-tpm2-tools-5.patch

-BuildRequires:  git
+BuildRequires:  git-core
 BuildRequires:  gcc
 BuildRequires:  meson
 BuildRequires:  asciidoc
@ -20,7 +21,7 @@ BuildRequires:  audit-libs-devel
 BuildRequires:  libudisks2-devel
 BuildRequires:  openssl-devel

-BuildRequires:  tpm2-tools >= 3.0.0
+BuildRequires:  tpm2-tools >= 4.0.0
 BuildRequires:  desktop-file-utils
 BuildRequires:  pkgconfig
 BuildRequires:  systemd
@ -33,7 +34,7 @@ BuildRequires:  openssl
 BuildRequires:  diffutils
 BuildRequires:  jq

-Requires:       tpm2-tools >= 3.0.0
+Requires:       tpm2-tools >= 4.0.0
 Requires:       coreutils
 Requires:       jose >= 8
 Requires:       curl
@ -189,6 +190,9 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2

 %changelog
+* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
+- Upstream patch for tpm-tools 5.0 support
+
 * Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
 - Add jq to dependencies