import clevis-15-13.el8

This commit is contained in:
CentOS Sources 2023-01-14 08:09:49 +00:00 committed by Stepan Oksanichenko
parent e856faf8f7
commit 977f304fe5
2 changed files with 79 additions and 1 deletions


@ -0,0 +1,73 @@
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
@@ -865,6 +865,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -876,6 +877,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
@@ -19,6 +19,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. clevis-luks-common-functions
+
SUMMARY="Binds a LUKS device using the specified policy"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
@@ -139,14 +141,11 @@
fi
# Generate a key with the same entropy as the LUKS Master Key
-key="$(pwmake "$(
-cryptsetup luksDump "$DEV" \
- | if [ "$luks_type" == "luks1" ]; then
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
- else
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
- fi | sort -n | tail -n 1
-)")"
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
+ || [ -z "${key}" ]; then
+ echo "Unable to generate key for ${DEV}" >&2
+ return 1
+fi
# Encrypt the new key
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
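Review bot: In the clevis-luks-common-functions hunk, the new `[ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]` test assumes `bits` is a non-empty integer; if the sed filter matches nothing (an unexpected luksDump layout), `[` fails with "integer expression expected", the cap is silently skipped and `pwmake` is invoked with an empty argument. The function already returns 1 for a missing DEV, so validate before comparing: `case "${bits}" in ''|*[!0-9]*) return 1 ;; esac`. In the clevis-luks-bind.in hunk the comment `# Generate a key with the same entropy as the LUKS Master Key` is now inaccurate because the result is capped; suggest `# Generate a key with the same entropy as the LUKS Master Key (capped at 256 bits by clevis_luks_generate_key)`. The `return 1` in that hunk is only valid inside a function, which cannot be confirmed here since the enclosing block starts outside the hunk.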


@ -2,7 +2,7 @@
Name: clevis Name: clevis
Version: 15 Version: 15
Release: 12%{?dist} Release: 13%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -21,6 +21,7 @@ Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
Patch0010: 0010-avoid-clevis-invalid-msg.patch Patch0010: 0010-avoid-clevis-invalid-msg.patch
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
BuildRequires: git BuildRequires: git
BuildRequires: gcc BuildRequires: gcc
@ -201,6 +202,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
- luks: define max entropy bits for pwmake
Resolves: rhbz#2159736
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12 * Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
- Ignore empty & comment lines in crypttab - Ignore empty & comment lines in crypttab
Resolves: rhbz#2159440 Resolves: rhbz#2159440