import clevis-15-13.el8
This commit is contained in:
parent
e856faf8f7
commit
977f304fe5
73
SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
Normal file
73
SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
|
||||||
|
@@ -101,7 +101,7 @@
|
||||||
|
|
||||||
|
This command performs four steps:
|
||||||
|
|
||||||
|
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||||
|
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||||
|
2. Encrypts the new key with Clevis.
|
||||||
|
3. Stores the Clevis JWE in the LUKS header.
|
||||||
|
4. Enables the new key for use with LUKS.
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
|
||||||
|
This command performs four steps:
|
||||||
|
|
||||||
|
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||||
|
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||||
|
2. Encrypts the new key with Clevis.
|
||||||
|
3. Stores the Clevis JWE in the LUKS header.
|
||||||
|
4. Enables the new key for use with LUKS.
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
|
||||||
|
@@ -865,6 +865,7 @@
|
||||||
|
[ -z "${DEV}" ] && return 1
|
||||||
|
|
||||||
|
local dump filter bits
|
||||||
|
+ local MAX_ENTROPY_BITS=256
|
||||||
|
dump=$(cryptsetup luksDump "${DEV}")
|
||||||
|
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||||
|
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||||
|
@@ -876,6 +877,9 @@
|
||||||
|
fi
|
||||||
|
|
||||||
|
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||||
|
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||||
|
+ bits="${MAX_ENTROPY_BITS}"
|
||||||
|
+ fi
|
||||||
|
pwmake "${bits}"
|
||||||
|
}
|
||||||
|
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
|
||||||
|
@@ -19,6 +19,8 @@
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
+. clevis-luks-common-functions
|
||||||
|
+
|
||||||
|
SUMMARY="Binds a LUKS device using the specified policy"
|
||||||
|
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
|
||||||
|
|
||||||
|
@@ -139,14 +141,11 @@
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Generate a key with the same entropy as the LUKS Master Key
|
||||||
|
-key="$(pwmake "$(
|
||||||
|
-cryptsetup luksDump "$DEV" \
|
||||||
|
- | if [ "$luks_type" == "luks1" ]; then
|
||||||
|
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
|
||||||
|
- else
|
||||||
|
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
|
||||||
|
- fi | sort -n | tail -n 1
|
||||||
|
-)")"
|
||||||
|
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
|
||||||
|
+ || [ -z "${key}" ]; then
|
||||||
|
+ echo "Unable to generate key for ${DEV}" >&2
|
||||||
|
+ return 1
|
||||||
|
+fi
|
||||||
|
|
||||||
|
# Encrypt the new key
|
||||||
|
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: clevis
|
Name: clevis
|
||||||
Version: 15
|
Version: 15
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -21,6 +21,7 @@ Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
|
|||||||
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
||||||
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
||||||
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
|
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
|
||||||
|
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
|
||||||
|
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -201,6 +202,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
|||||||
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
|
||||||
|
- luks: define max entropy bits for pwmake
|
||||||
|
Resolves: rhbz#2159736
|
||||||
|
|
||||||
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
|
||||||
- Ignore empty & comment lines in crypttab
|
- Ignore empty & comment lines in crypttab
|
||||||
Resolves: rhbz#2159440
|
Resolves: rhbz#2159440
|
||||||
|
Loading…
Reference in New Issue
Block a user