From accda6600ef0b8f1bbbccdf9b133d306cf94ae9e Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Tue, 16 Mar 2021 10:48:57 -0300
Subject: [PATCH] Fix for -t option in clevis luks bind

Backport upstream commit ea0d0c20
---
 ...for-t-option-in-clevis-luks-bind-297.patch | 52 +++++++++++++++++++
 clevis.spec | 8 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 0001-Fix-for-t-option-in-clevis-luks-bind-297.patch

diff --git a/0001-Fix-for-t-option-in-clevis-luks-bind-297.patch b/0001-Fix-for-t-option-in-clevis-luks-bind-297.patch
new file mode 100644
index 0000000..9fb9745
--- /dev/null
+++ b/0001-Fix-for-t-option-in-clevis-luks-bind-297.patch
@@ -0,0 +1,52 @@
+From a7d17dab6957b3036972575af04b55590c53b9ad Mon Sep 17 00:00:00 2001
+From: John Baublitz
+Date: Tue, 16 Mar 2021 09:36:46 -0400
+Subject: [PATCH] Fix for -t option in clevis luks bind (#297)
+
+---
+ src/luks/clevis-luks-bind | 2 +-
+ src/luks/clevis-luks-common-functions.in | 2 +-
+ src/luks/tests/bind-luks2 | 4 ++++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind
+index 9bea9b1..a0f3430 100755
+--- a/src/luks/clevis-luks-bind
++++ b/src/luks/clevis-luks-bind
+@@ -119,7 +119,7 @@ if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
+ luksmeta init -d "${DEV}" ${FRC}
+ fi
+
+-if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" \
++if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
+ "${PIN}" "${CFG}" \
+ "${YES}" "" \
+ "${existing_key}" "${keyfile}"; then
+diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
+index 1bd7616..30fef56 100644
+--- a/src/luks/clevis-luks-common-functions.in
++++ b/src/luks/clevis-luks-common-functions.in
+@@ -978,7 +978,7 @@ clevis_luks_do_bind() {
+ return 1
+ fi
+
+- if ! clevis_luks_save_slot "${DEV}" "${SLT}" "${tkn_id}" \
++ if ! clevis_luks_save_slot "${DEV}" "${SLT}" "${TKN_ID}" \
+ "${jwe}" "${OVERWRITE}"; then
+ echo "Unable to update metadata; operation cancelled" >&2
+ clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
+diff --git a/src/luks/tests/bind-luks2 b/src/luks/tests/bind-luks2
+index 492db50..04c6b8e 100755
+--- a/src/luks/tests/bind-luks2
++++ b/src/luks/tests/bind-luks2
+@@ -47,3 +47,7 @@ new_device "luks2" "${DEV}"
+ if ! clevis luks bind -d "${DEV}" -t "$TOKEN_ID" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password." >&2
+ fi
++
++if ! cryptsetup token export --token-id=5 "${DEV}"; then
++ error "${TEST}: Clevis did not add the LUKS2 token to the correct slot." >&2
++fi
+--
+2.30.2
+
diff --git a/clevis.spec b/clevis.spec
index 31e8780..ee0527f 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -1,6 +1,6 @@
 Name: clevis
 Version: 16
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Automated decryption framework
 License: GPLv3+
@@ -8,6 +8,8 @@ URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Source1: clevis.sysusers
+Patch0001: 0001-Fix-for-t-option-in-clevis-luks-bind-297.patch
+
 BuildRequires: git-core
 BuildRequires: gcc
 BuildRequires: meson
@@ -33,6 +35,7 @@ BuildRequires: cracklib-dicts
 BuildRequires: luksmeta
 BuildRequires: openssl
 BuildRequires: diffutils
+BuildRequires: cryptsetup
 BuildRequires: jq
 Requires: tpm2-tools >= 4.0.0
@@ -191,6 +194,9 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 %changelog
+* Tue Mar 16 2021 Sergio Correia - 16-2
+- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
+
 * Tue Feb 09 2021 Sergio Correia - 16-1
 - Update to new clevis upstream release, v16.
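Review bot: The check added to src/luks/tests/bind-luks2 hard-codes `--token-id=5` while the bind directly above it passes `-t "$TOKEN_ID"`, so the regression test only covers the fix as long as that variable, which is set outside the hunk, happens to be 5; I would write `if ! cryptsetup token export --token-id="${TOKEN_ID}" "${DEV}" >/dev/null; then`. The check also succeeds for any token stored under that id, so it does not show that the token found there is the one clevis wrote; filtering the exported JSON with jq (already a BuildRequires in clevis.spec) for the clevis token type would close that gap. On the clevis_luks_do_bind change, `${tkn_id}` was apparently a misspelled name that expanded to an empty string without any error, which would explain why a requested token id was dropped silently. The body of that function lies outside the hunk, so I cannot tell whether the script already runs with `set -u`; if it does not, enabling it would turn this class of typo into a hard failure instead of a binding that lands in a different token slot than the operator asked for.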