rpms/clevis
6
0
Fork 0
Code Issues Pull Requests Releases Activity

luks: limit max entropy bits for pwmake

Browse Source 
Resolves: rhbz#2159735

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
This commit is contained in:
Sergio Arroutbi 2023-01-13 12:37:55 +01:00
parent 15b9c96c8d
commit ab2e102c65
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
0012-luks-define-max-entropy-bits-for-pwmake.patch Normal file
View File

@ -0,0 +1,42 @@
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
@@ -875,6 +875,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -886,6 +887,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}

7
clevis.spec
View File

@ -1,6 +1,6 @@
Name: clevis Name: clevis
Version: 18 Version: 18
Release: 108%{?dist} Release: 109%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
@ -18,6 +18,7 @@ Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch
Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0010: 0010-existing-luks2-token-id.patch Patch0010: 0010-existing-luks2-token-id.patch
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
@ -198,6 +199,10 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-109
- luks: define max entropy bits for pwmake
Resolves: rhbz#2159735
* Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-108 * Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-108
- Ignore empty & comment lines in crypttab - Ignore empty & comment lines in crypttab
Resolves: rhbz#2159728 Resolves: rhbz#2159728