import RHEL 10 Beta clevis-20-4.el10
This commit is contained in:
parent
94660c84ce
commit
b45f45132d
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/clevis-15.tar.xz
|
||||
clevis-20.tar.xz
|
||||
|
@ -0,0 +1,56 @@
|
||||
--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
|
||||
+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
|
||||
@@ -264,8 +264,10 @@
|
||||
|
||||
error:
|
||||
g_list_free_full(ctx.lst, g_free);
|
||||
- g_main_loop_unref(ctx.loop);
|
||||
- g_object_unref(ctx.clt);
|
||||
+ if (ctx.loop)
|
||||
+ g_main_loop_unref(ctx.loop);
|
||||
+ if (ctx.clt)
|
||||
+ g_object_unref(ctx.clt);
|
||||
close(sock);
|
||||
return exit_status;
|
||||
}
|
||||
@@ -299,12 +301,12 @@
|
||||
safeclose(&pair[0]);
|
||||
}
|
||||
|
||||
-static ssize_t
|
||||
-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
|
||||
+static uint32_t
|
||||
+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
|
||||
{
|
||||
int push[2] = { -1, -1 };
|
||||
int pull[2] = { -1, -1 };
|
||||
- ssize_t bytes = 0;
|
||||
+ int32_t bytes = 0;
|
||||
pid_t chld = 0;
|
||||
|
||||
if (pipe(push) != 0)
|
||||
@@ -379,12 +381,18 @@
|
||||
}
|
||||
|
||||
bytes = 0;
|
||||
- for (ssize_t block = 1; block > 0; bytes += block) {
|
||||
- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
|
||||
- if (block < 0) {
|
||||
- kill(chld, SIGTERM);
|
||||
- goto error;
|
||||
- }
|
||||
+ ssize_t block = 0;
|
||||
+ while (max > 0 && max > bytes) {
|
||||
+ do {
|
||||
+ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
|
||||
+ } while (block < 0 && errno == EINTR);
|
||||
+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
|
||||
+ kill(chld, SIGTERM);
|
||||
+ goto error;
|
||||
+ }
|
||||
+ if (block == 0)
|
||||
+ break;
|
||||
+ bytes += block;
|
||||
}
|
||||
|
||||
safeclose(&pull[PIPE_RD]);
|
@ -1,176 +0,0 @@
|
||||
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Sun, 25 Oct 2020 11:15:46 -0300
|
||||
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
|
||||
|
||||
---
|
||||
src/luks/tests/meson.build | 11 +----------
|
||||
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
|
||||
src/pins/tang/meson.build | 11 +----------
|
||||
src/pins/tang/pin-tang | 11 ++++++++---
|
||||
4 files changed, 21 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||||
index ba5f6a2..c0f9dc3 100644
|
||||
--- a/src/luks/tests/meson.build
|
||||
+++ b/src/luks/tests/meson.build
|
||||
@@ -17,14 +17,6 @@ kgen = find_program(
|
||||
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
|
||||
required: false
|
||||
)
|
||||
-updt = find_program(
|
||||
- join_paths(libexecdir, 'tangd-update'),
|
||||
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
|
||||
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
|
||||
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
|
||||
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
|
||||
- required: false
|
||||
-)
|
||||
tang = find_program(
|
||||
join_paths(libexecdir, 'tangd'),
|
||||
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
|
||||
@@ -58,11 +50,10 @@ env.prepend('PATH',
|
||||
)
|
||||
|
||||
has_tang = false
|
||||
-if actv.found() and kgen.found() and updt.found() and tang.found()
|
||||
+if actv.found() and kgen.found() and tang.found()
|
||||
has_tang = true
|
||||
env.set('SD_ACTIVATE', actv.path())
|
||||
env.set('TANGD_KEYGEN', kgen.path())
|
||||
- env.set('TANGD_UPDATE', updt.path())
|
||||
env.set('TANGD', tang.path())
|
||||
endif
|
||||
|
||||
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
|
||||
index 8520715..318d007 100755
|
||||
--- a/src/luks/tests/tests-common-functions.in
|
||||
+++ b/src/luks/tests/tests-common-functions.in
|
||||
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
|
||||
-
|
||||
local db="${basedir}/db"
|
||||
- local cache="${basedir}/cache"
|
||||
mkdir -p "${db}"
|
||||
- mkdir -p "${cache}"
|
||||
+
|
||||
+ if [ -n "${TANGD_UPDATE}" ]; then
|
||||
+ local cache="${basedir}/cache"
|
||||
+ mkdir -p "${cache}"
|
||||
+ fi
|
||||
|
||||
pushd "${db}"
|
||||
find . -name ".*.jwk" -exec rm -f {} \;
|
||||
popd
|
||||
|
||||
- "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -277,12 +278,12 @@ tang_new_keys() {
|
||||
fi
|
||||
|
||||
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
|
||||
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
|
||||
|
||||
local db="${basedir}/db"
|
||||
- local cache="${basedir}/cache"
|
||||
mkdir -p "${db}"
|
||||
|
||||
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
|
||||
+
|
||||
if [ -n "${rotate}" ]; then
|
||||
pushd "${db}"
|
||||
local k
|
||||
@@ -296,7 +297,7 @@ tang_new_keys() {
|
||||
fi
|
||||
|
||||
"${TANGD_KEYGEN}" "${db}"
|
||||
- "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||
|
||||
return 0
|
||||
}
|
||||
@@ -322,6 +323,8 @@ tang_run() {
|
||||
fi
|
||||
|
||||
local KEYS="${basedir}/cache"
|
||||
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
|
||||
+
|
||||
local inetd='--inetd'
|
||||
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
|
||||
|
||||
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
|
||||
index f7d8226..ebcdd4a 100644
|
||||
--- a/src/pins/tang/meson.build
|
||||
+++ b/src/pins/tang/meson.build
|
||||
@@ -12,14 +12,6 @@ kgen = find_program(
|
||||
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
|
||||
required: false
|
||||
)
|
||||
-updt = find_program(
|
||||
- join_paths(libexecdir, 'tangd-update'),
|
||||
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
|
||||
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
|
||||
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
|
||||
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
|
||||
- required: false
|
||||
-)
|
||||
tang = find_program(
|
||||
join_paths(libexecdir, 'tangd'),
|
||||
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
|
||||
@@ -35,11 +27,10 @@ if curl.found()
|
||||
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
|
||||
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
|
||||
|
||||
- if actv.found() and kgen.found() and updt.found() and tang.found()
|
||||
+ if actv.found() and kgen.found() and tang.found()
|
||||
env = environment()
|
||||
env.set('SD_ACTIVATE', actv.path())
|
||||
env.set('TANGD_KEYGEN', kgen.path())
|
||||
- env.set('TANGD_UPDATE', updt.path())
|
||||
env.set('TANGD', tang.path())
|
||||
env.prepend('PATH',
|
||||
join_paths(meson.source_root(), 'src'),
|
||||
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
|
||||
index 98e5e4d..a63d0a2 100755
|
||||
--- a/src/pins/tang/pin-tang
|
||||
+++ b/src/pins/tang/pin-tang
|
||||
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
|
||||
mkdir -p "$TMP"/cache
|
||||
|
||||
# Generate the server keys
|
||||
+KEYS="$TMP"/db
|
||||
"${TANGD_KEYGEN}" "$TMP"/db sig exc
|
||||
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
|
||||
+if which tangd-update; then
|
||||
+ tangd-update "$TMP"/db "$TMP"/cache
|
||||
+ KEYS="$TMP"/cache
|
||||
+fi
|
||||
|
||||
# Start the server
|
||||
port="$(shuf -i 1024-65536 -n 1)"
|
||||
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
|
||||
inetd='--inetd'
|
||||
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
|
||||
|
||||
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
|
||||
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
|
||||
PID=$!
|
||||
sleep 0.25
|
||||
|
||||
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
|
||||
-adv="$TMP/cache/default.jws"
|
||||
url="http://localhost:${port}"
|
||||
+adv="$TMP/adv"
|
||||
+curl "$url/adv" -o "$adv"
|
||||
|
||||
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
|
||||
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
|
||||
--
|
||||
2.18.4
|
||||
|
@ -1,309 +0,0 @@
|
||||
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Tue, 3 Nov 2020 08:42:48 -0300
|
||||
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
|
||||
binding
|
||||
|
||||
Usage:
|
||||
|
||||
clevis luks pass -d /dev/sda1 -s 1
|
||||
<passphrase here>
|
||||
---
|
||||
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
|
||||
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
|
||||
src/luks/meson.build | 3 ++
|
||||
src/luks/tests/meson.build | 2 +
|
||||
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
|
||||
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
|
||||
6 files changed, 230 insertions(+)
|
||||
create mode 100755 src/luks/clevis-luks-pass
|
||||
create mode 100644 src/luks/clevis-luks-pass.1.adoc
|
||||
create mode 100755 src/luks/tests/pass-tang-luks1
|
||||
create mode 100755 src/luks/tests/pass-tang-luks2
|
||||
|
||||
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
|
||||
new file mode 100755
|
||||
index 0000000..1f59b39
|
||||
--- /dev/null
|
||||
+++ b/src/luks/clevis-luks-pass
|
||||
@@ -0,0 +1,64 @@
|
||||
+#!/bin/bash -e
|
||||
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2019 Red Hat, Inc.
|
||||
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+. clevis-luks-common-functions
|
||||
+
|
||||
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
|
||||
+
|
||||
+usage() {
|
||||
+ exec >&2
|
||||
+ echo "Usage: clevis luks pass -d DEV -s SLT"
|
||||
+ echo
|
||||
+ echo "$SUMMARY"
|
||||
+ echo
|
||||
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
|
||||
+ echo
|
||||
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
|
||||
+ echo
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
|
||||
+ echo "${SUMMARY}"
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
+while getopts ":d:s:" o; do
|
||||
+ case "$o" in
|
||||
+ d) DEV=${OPTARG};;
|
||||
+ s) SLT=${OPTARG};;
|
||||
+ *) usage;;
|
||||
+ esac
|
||||
+done
|
||||
+
|
||||
+if [ -z "${DEV}" ]; then
|
||||
+ echo "Did not specify a device!" >&2
|
||||
+ usage
|
||||
+fi
|
||||
+
|
||||
+if [ -z "${SLT}" ]; then
|
||||
+ echo "Did not specify a slot!" >&2
|
||||
+ usage
|
||||
+fi
|
||||
+
|
||||
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
|
||||
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
|
||||
new file mode 100644
|
||||
index 0000000..fa9526a
|
||||
--- /dev/null
|
||||
+++ b/src/luks/clevis-luks-pass.1.adoc
|
||||
@@ -0,0 +1,43 @@
|
||||
+CLEVIS-LUKS-PASS(1)
|
||||
+===================
|
||||
+:doctype: manpage
|
||||
+
|
||||
+
|
||||
+== NAME
|
||||
+
|
||||
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
|
||||
+
|
||||
+== SYNOPSIS
|
||||
+
|
||||
+*clevis luks pass* -d DEV -s SLT
|
||||
+
|
||||
+== OVERVIEW
|
||||
+
|
||||
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
|
||||
+For example:
|
||||
+
|
||||
+ clevis luks pass -d /dev/sda1 -s 1
|
||||
+
|
||||
+== OPTIONS
|
||||
+
|
||||
+* *-d* _DEV_ :
|
||||
+ The LUKS device on which to extract a passphrase from
|
||||
+
|
||||
+* *-s* _SLT_ :
|
||||
+ The slot to use for extracting the passphrase
|
||||
+
|
||||
+== EXAMPLE
|
||||
+
|
||||
+ clevis luks pass -d /dev/sda1 -s 1
|
||||
+ <passphrase here>
|
||||
+
|
||||
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
|
||||
+file together with cryptsetup. For instance:
|
||||
+
|
||||
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
|
||||
+
|
||||
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
|
||||
+
|
||||
+== SEE ALSO
|
||||
+
|
||||
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
|
||||
diff --git a/src/luks/meson.build b/src/luks/meson.build
|
||||
index 12f5a0d..008736e 100644
|
||||
--- a/src/luks/meson.build
|
||||
+++ b/src/luks/meson.build
|
||||
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||||
|
||||
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
|
||||
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
|
||||
+
|
||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
|
||||
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
|
||||
else
|
||||
warning('Will not install LUKS support due to missing dependencies!')
|
||||
endif
|
||||
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||||
index c22a069..f4584aa 100644
|
||||
--- a/src/luks/tests/meson.build
|
||||
+++ b/src/luks/tests/meson.build
|
||||
@@ -84,6 +84,7 @@ if has_tang
|
||||
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
|
||||
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
|
||||
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
|
||||
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
|
||||
endif
|
||||
|
||||
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
|
||||
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
|
||||
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
|
||||
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
|
||||
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
|
||||
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
||||
endif
|
||||
|
||||
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
|
||||
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
|
||||
new file mode 100755
|
||||
index 0000000..0d91e6c
|
||||
--- /dev/null
|
||||
+++ b/src/luks/tests/pass-tang-luks1
|
||||
@@ -0,0 +1,59 @@
|
||||
+#!/bin/bash -x
|
||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2019 Red Hat, Inc.
|
||||
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+TEST="${0}"
|
||||
+. tests-common-functions
|
||||
+. clevis-luks-common-functions
|
||||
+
|
||||
+function on_exit() {
|
||||
+ [ ! -d "${TMP}" ] && return 0
|
||||
+ tang_stop "${TMP}"
|
||||
+ rm -rf "${TMP}"
|
||||
+}
|
||||
+
|
||||
+trap 'on_exit' EXIT
|
||||
+
|
||||
+TMP=$(mktemp -d)
|
||||
+
|
||||
+port=$(get_random_port)
|
||||
+tang_run "${TMP}" "${port}" &
|
||||
+tang_wait_until_ready "${port}"
|
||||
+
|
||||
+url="http://localhost:${port}"
|
||||
+adv="${TMP}/adv"
|
||||
+tang_get_adv "${port}" "${adv}"
|
||||
+
|
||||
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||||
+
|
||||
+# LUKS1.
|
||||
+DEV="${TMP}/luks1-device"
|
||||
+new_device "luks1" "${DEV}"
|
||||
+
|
||||
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||||
+ error "${TEST}: Bind should have succeeded."
|
||||
+fi
|
||||
+
|
||||
+# Now let's test the passphrase.
|
||||
+SLT=1
|
||||
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||||
+echo $PASS >&2
|
||||
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||||
+ error "Passphrase obtained from clevis luks pass failed."
|
||||
+fi
|
||||
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
|
||||
new file mode 100755
|
||||
index 0000000..2d50413
|
||||
--- /dev/null
|
||||
+++ b/src/luks/tests/pass-tang-luks2
|
||||
@@ -0,0 +1,59 @@
|
||||
+#!/bin/bash -x
|
||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2019 Red Hat, Inc.
|
||||
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+TEST="${0}"
|
||||
+. tests-common-functions
|
||||
+. clevis-luks-common-functions
|
||||
+
|
||||
+function on_exit() {
|
||||
+ [ ! -d "${TMP}" ] && return 0
|
||||
+ tang_stop "${TMP}"
|
||||
+ rm -rf "${TMP}"
|
||||
+}
|
||||
+
|
||||
+trap 'on_exit' EXIT
|
||||
+
|
||||
+TMP=$(mktemp -d)
|
||||
+
|
||||
+port=$(get_random_port)
|
||||
+tang_run "${TMP}" "${port}" &
|
||||
+tang_wait_until_ready "${port}"
|
||||
+
|
||||
+url="http://localhost:${port}"
|
||||
+adv="${TMP}/adv"
|
||||
+tang_get_adv "${port}" "${adv}"
|
||||
+
|
||||
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||||
+
|
||||
+# LUKS2.
|
||||
+DEV="${TMP}/luks2-device"
|
||||
+new_device "luks2" "${DEV}"
|
||||
+
|
||||
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||||
+ error "${TEST}: Bind should have succeeded."
|
||||
+fi
|
||||
+
|
||||
+# Now let's test the passphrase.
|
||||
+SLT=1
|
||||
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||||
+echo $PASS >&2
|
||||
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||||
+ error "Passphrase obtained from clevis luks pass failed."
|
||||
+fi
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Fri, 29 Oct 2021 12:04:46 -0300
|
||||
Subject: [PATCH 3/3] systemd: account for unlocking failures in
|
||||
clevis-luks-askpass (#343)
|
||||
|
||||
As unlock may fail for some reason, e.g. the network is not up yet,
|
||||
one way cause problems would be to add extra `rd.luks.uuid' params
|
||||
to the cmdline, which would then cause such devices to be unlocked
|
||||
in early boot. If the unlocking fail, those devices might not be
|
||||
accounted for in the clevis_devices_to_unlock() check, as it is
|
||||
based on crypttab.
|
||||
|
||||
Let's make sure there are no pending ask.* sockets waiting to be
|
||||
answered, before exiting.
|
||||
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
|
||||
---
|
||||
src/luks/systemd/clevis-luks-askpass | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
|
||||
index 285bba4..f19671f 100755
|
||||
--- a/src/luks/systemd/clevis-luks-askpass
|
||||
+++ b/src/luks/systemd/clevis-luks-askpass
|
||||
@@ -67,8 +67,11 @@ while true; do
|
||||
done
|
||||
|
||||
[ "${loop}" != true ] && break
|
||||
+
|
||||
# Checking for pending devices to be unlocked.
|
||||
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
|
||||
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
|
||||
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
|
||||
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
|
||||
break;
|
||||
fi
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,101 +0,0 @@
|
||||
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Thu, 18 Nov 2021 16:45:58 -0300
|
||||
Subject: [PATCH 4/4] systemd: drop ncat dependency
|
||||
|
||||
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
|
||||
the decrypted password to the systemd socket as per systemd's password
|
||||
agents specification [1].
|
||||
|
||||
However, systemd itself has a utility that does exactly that,
|
||||
systemd-reply-password.
|
||||
|
||||
In this commit we drop the ncat dependency and instead use
|
||||
systemd-reply-password in clevis-luks-askpass.
|
||||
|
||||
[1] https://systemd.io/PASSWORD_AGENTS/
|
||||
---
|
||||
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
|
||||
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
|
||||
src/luks/systemd/meson.build | 19 +++++++++++++++++--
|
||||
3 files changed, 20 insertions(+), 5 deletions(-)
|
||||
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
|
||||
|
||||
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
|
||||
similarity index 97%
|
||||
rename from src/luks/systemd/clevis-luks-askpass
|
||||
rename to src/luks/systemd/clevis-luks-askpass.in
|
||||
index f19671f..a6699c9 100755
|
||||
--- a/src/luks/systemd/clevis-luks-askpass
|
||||
+++ b/src/luks/systemd/clevis-luks-askpass.in
|
||||
@@ -58,7 +58,7 @@ while true; do
|
||||
fi
|
||||
|
||||
uuid="$(cryptsetup luksUUID "${d}")"
|
||||
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
|
||||
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
|
||||
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
|
||||
continue
|
||||
fi
|
||||
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||
index ebf969f..d46c6e2 100755
|
||||
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||
@@ -36,6 +36,7 @@ install() {
|
||||
|
||||
inst_multiple \
|
||||
/etc/services \
|
||||
+ @SYSTEMD_REPLY_PASS@ \
|
||||
@libexecdir@/clevis-luks-askpass \
|
||||
clevis-luks-common-functions \
|
||||
grep sed cut \
|
||||
@@ -45,8 +46,7 @@ install() {
|
||||
luksmeta \
|
||||
clevis \
|
||||
mktemp \
|
||||
- jose \
|
||||
- ncat
|
||||
+ jose
|
||||
|
||||
dracut_need_initqueue
|
||||
}
|
||||
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
|
||||
index 369e7f7..e3b3d91 100644
|
||||
--- a/src/luks/systemd/meson.build
|
||||
+++ b/src/luks/systemd/meson.build
|
||||
@@ -1,6 +1,15 @@
|
||||
systemd = dependency('systemd', required: false)
|
||||
|
||||
-if systemd.found()
|
||||
+sd_reply_pass = find_program(
|
||||
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
|
||||
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
|
||||
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
|
||||
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
|
||||
+ required: false
|
||||
+)
|
||||
+
|
||||
+if systemd.found() and sd_reply_pass.found()
|
||||
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
|
||||
subdir('dracut')
|
||||
|
||||
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
|
||||
@@ -12,8 +21,14 @@ if systemd.found()
|
||||
configuration: data,
|
||||
)
|
||||
|
||||
+ configure_file(
|
||||
+ input: 'clevis-luks-askpass.in',
|
||||
+ output: 'clevis-luks-askpass',
|
||||
+ install_dir: libexecdir,
|
||||
+ configuration: data
|
||||
+ )
|
||||
+
|
||||
install_data('clevis-luks-askpass.path', install_dir: unitdir)
|
||||
- install_data('clevis-luks-askpass', install_dir: libexecdir)
|
||||
else
|
||||
warning('Will not install systemd support due to missing dependencies!')
|
||||
endif
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Thu, 25 Nov 2021 19:18:03 -0300
|
||||
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
|
||||
happen
|
||||
|
||||
---
|
||||
src/luks/clevis-luks-common-functions | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||
index 879ca4c..df8e16d 100644
|
||||
--- a/src/luks/clevis-luks-common-functions
|
||||
+++ b/src/luks/clevis-luks-common-functions
|
||||
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
|
||||
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|
||||
|| [ -z "${passphrase}" ]; then
|
||||
return 1
|
||||
fi
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,45 +0,0 @@
|
||||
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
|
||||
<1163635+rmetrich@users.noreply.github.com>
|
||||
Date: Wed, 1 Dec 2021 09:37:35 -0300
|
||||
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
|
||||
set (#340)
|
||||
|
||||
On Fedora/RHEL, the rd.debug kernel command line parameter controls
|
||||
debugging.
|
||||
By implementing the functionality inside clevis, troubleshooting will be
|
||||
greatly eased.
|
||||
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
|
||||
---
|
||||
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||
index df8e16d..67ece72 100644
|
||||
--- a/src/luks/clevis-luks-common-functions
|
||||
+++ b/src/luks/clevis-luks-common-functions
|
||||
@@ -20,6 +20,21 @@
|
||||
|
||||
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||
|
||||
+enable_debugging() {
|
||||
+ # Automatically enable debugging if in initramfs phase and rd.debug
|
||||
+ if [ -e /usr/lib/dracut-lib.sh ]; then
|
||||
+ local bashopts=$-
|
||||
+ # Because dracut is loosely written, disable hardening options temporarily
|
||||
+ [[ $bashopts != *u* ]] || set +u
|
||||
+ [[ $bashopts != *e* ]] || set +e
|
||||
+ . /usr/lib/dracut-lib.sh
|
||||
+ [[ $bashopts != *u* ]] || set -u
|
||||
+ [[ $bashopts != *e* ]] || set -e
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+enable_debugging
|
||||
+
|
||||
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
|
||||
# is a numeric value within the specified range.
|
||||
valid_slot() {
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,83 +0,0 @@
|
||||
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
|
||||
From: Renaud Metrich <rmetrich@redhat.com>
|
||||
Date: Fri, 7 Jan 2022 12:13:03 -0300
|
||||
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
|
||||
|
||||
This fixes an Out of memory error when the system has not much memory,
|
||||
such as a VM configured with 2GB currently being installed through the
|
||||
network (hence having ~1GB free memory only).
|
||||
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
|
||||
---
|
||||
src/luks/clevis-luks-bind.in | 7 +++++--
|
||||
src/luks/clevis-luks-common-functions | 7 ++++++-
|
||||
2 files changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
|
||||
index 4748c08..017f762 100755
|
||||
--- a/src/luks/clevis-luks-bind.in
|
||||
+++ b/src/luks/clevis-luks-bind.in
|
||||
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
if [ "$luks_type" == "luks1" ]; then
|
||||
+ pbkdf_args=
|
||||
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
|
||||
# cryptsetup, which means we will try to save LUKSMeta metadata over an
|
||||
# already used or partially used slot -- github issue #70.
|
||||
@@ -184,7 +186,7 @@ fi
|
||||
|
||||
# Add the new key.
|
||||
if [ -n "$SLT" ]; then
|
||||
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
|
||||
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
|
||||
<(echo -n "$existing_key") "$DEV"
|
||||
else
|
||||
if [ $luks_type == "luks2" ]; then
|
||||
@@ -194,7 +196,8 @@ else
|
||||
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
|
||||
fi
|
||||
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
|
||||
+ cryptsetup luksAddKey ${pbkdf_args} \
|
||||
+ --key-file <(echo -n "${existing_key}") "$DEV"
|
||||
fi < <(echo -n "${key}")
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error while adding new key to LUKS header!" >&2
|
||||
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||
index 67ece72..038cc37 100644
|
||||
--- a/src/luks/clevis-luks-common-functions
|
||||
+++ b/src/luks/clevis-luks-common-functions
|
||||
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||
--key-slot "${SLT}" \
|
||||
"${DEV}" \
|
||||
+ ${pbkdf_args} \
|
||||
${extra_args}
|
||||
}
|
||||
|
||||
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
if [ -n "${in_place}" ]; then
|
||||
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
|
||||
--key-slot "${SLT}" \
|
||||
- --batch-mode ${extra_args}
|
||||
+ --batch-mode \
|
||||
+ ${pbkdf_args} \
|
||||
+ ${extra_args}
|
||||
return
|
||||
fi
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,16 +0,0 @@
|
||||
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
|
||||
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
|
||||
@@ -73,10 +73,10 @@
|
||||
|
||||
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
|
||||
|
||||
-url="$url/rec/$kid"
|
||||
+rec_url="$url/rec/$kid"
|
||||
ct="Content-Type: application/jwk+json"
|
||||
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
|
||||
- echo "Error communicating with the server!" >&2
|
||||
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
|
||||
+ echo "Error communicating with the server $url" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
@ -1,213 +0,0 @@
|
||||
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Murdaca <runcom@linux.com>
|
||||
Date: Wed, 1 Dec 2021 14:17:53 +0100
|
||||
Subject: [PATCH 9/9] feat: rename the test pin to null pin
|
||||
|
||||
Signed-off-by: Antonio Murdaca <runcom@linux.com>
|
||||
---
|
||||
src/initramfs-tools/hooks/clevis.in | 1 +
|
||||
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
|
||||
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
|
||||
src/luks/systemd/dracut/meson.build | 1 +
|
||||
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
|
||||
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
|
||||
src/pins/sss/meson.build | 5 +++-
|
||||
src/pins/sss/{pin-test => pin-null} | 4 +--
|
||||
src/pins/sss/pin-sss | 12 ++++----
|
||||
9 files changed, 60 insertions(+), 13 deletions(-)
|
||||
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
|
||||
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
|
||||
rename src/pins/sss/{pin-test => pin-null} (53%)
|
||||
|
||||
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
|
||||
index cc3b492..448ba96 100755
|
||||
--- a/src/initramfs-tools/hooks/clevis.in
|
||||
+++ b/src/initramfs-tools/hooks/clevis.in
|
||||
@@ -58,6 +58,7 @@ fi
|
||||
|
||||
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
|
||||
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
|
||||
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
|
||||
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
|
||||
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
|
||||
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
|
||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
new file mode 100644
|
||||
index 0000000..107e3ba
|
||||
--- /dev/null
|
||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
@@ -0,0 +1,14 @@
|
||||
+dracut = dependency('dracut', required: false)
|
||||
+
|
||||
+if dracut.found()
|
||||
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
|
||||
+
|
||||
+ configure_file(
|
||||
+ input: 'module-setup.sh.in',
|
||||
+ output: 'module-setup.sh',
|
||||
+ install_dir: dracutdir,
|
||||
+ configuration: data,
|
||||
+ )
|
||||
+else
|
||||
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
|
||||
+endif
|
||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
new file mode 100755
|
||||
index 0000000..6a16078
|
||||
--- /dev/null
|
||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
@@ -0,0 +1,28 @@
|
||||
+#!/bin/bash
|
||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2016 Red Hat, Inc.
|
||||
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+depends() {
|
||||
+ echo clevis
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+install() {
|
||||
+ inst clevis-decrypt-null
|
||||
+}
|
||||
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
|
||||
index fdb264b..7ad5b14 100644
|
||||
--- a/src/luks/systemd/dracut/meson.build
|
||||
+++ b/src/luks/systemd/dracut/meson.build
|
||||
@@ -2,3 +2,4 @@ subdir('clevis')
|
||||
subdir('clevis-pin-tang')
|
||||
subdir('clevis-pin-tpm2')
|
||||
subdir('clevis-pin-sss')
|
||||
+subdir('clevis-pin-null')
|
||||
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
|
||||
similarity index 88%
|
||||
rename from src/pins/sss/clevis-decrypt-test
|
||||
rename to src/pins/sss/clevis-decrypt-null
|
||||
index f0e9249..a6217ed 100755
|
||||
--- a/src/pins/sss/clevis-decrypt-test
|
||||
+++ b/src/pins/sss/clevis-decrypt-null
|
||||
@@ -22,11 +22,11 @@
|
||||
|
||||
read -r -d . hdr
|
||||
|
||||
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
|
||||
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
|
||||
echo "JWE pin mismatch!" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
|
||||
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
|
||||
|
||||
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
|
||||
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
|
||||
similarity index 90%
|
||||
rename from src/pins/sss/clevis-encrypt-test
|
||||
rename to src/pins/sss/clevis-encrypt-null
|
||||
index bd2d6ec..af182a5 100755
|
||||
--- a/src/pins/sss/clevis-encrypt-test
|
||||
+++ b/src/pins/sss/clevis-encrypt-null
|
||||
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
|
||||
fi
|
||||
|
||||
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
|
||||
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
|
||||
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
|
||||
|
||||
if ! jose fmt -j "$cfg" -g fail -T; then
|
||||
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
|
||||
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
|
||||
fi
|
||||
|
||||
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|
||||
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
|
||||
index 7f20eea..2a5295a 100644
|
||||
--- a/src/pins/sss/meson.build
|
||||
+++ b/src/pins/sss/meson.build
|
||||
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
|
||||
separator: ':'
|
||||
)
|
||||
|
||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
|
||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
|
||||
+
|
||||
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
|
||||
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
|
||||
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
|
||||
else
|
||||
warning('Will not install sss pin due to missing dependencies!')
|
||||
endif
|
||||
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
|
||||
similarity index 53%
|
||||
rename from src/pins/sss/pin-test
|
||||
rename to src/pins/sss/pin-null
|
||||
index 50c8c67..b14ac63 100755
|
||||
--- a/src/pins/sss/pin-test
|
||||
+++ b/src/pins/sss/pin-null
|
||||
@@ -2,9 +2,9 @@
|
||||
|
||||
trap 'exit' ERR
|
||||
|
||||
-e="$(echo -n hi | clevis encrypt test '{}')"
|
||||
+e="$(echo -n hi | clevis encrypt null '{}')"
|
||||
d="$(echo -n "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
|
||||
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
|
||||
index 5c0b8cf..24da052 100755
|
||||
--- a/src/pins/sss/pin-sss
|
||||
+++ b/src/pins/sss/pin-sss
|
||||
@@ -1,24 +1,24 @@
|
||||
#!/bin/bash -ex
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
|
||||
--
|
||||
2.33.1
|
||||
|
@ -1,24 +0,0 @@
|
||||
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
|
||||
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
}
|
||||
|
||||
cmd=clevis
|
||||
+input_commands="$cmd $@"
|
||||
while [ $# -gt 0 ]; do
|
||||
[[ "$1" =~ ^- ]] && break
|
||||
cmd="$cmd-$1"
|
||||
@@ -36,8 +37,11 @@
|
||||
done
|
||||
|
||||
exec >&2
|
||||
-echo
|
||||
-echo "Command '$cmd' is invalid"
|
||||
+if [ "$cmd" != "clevis" ];
|
||||
+then
|
||||
+ echo
|
||||
+ echo "Command '$input_commands' is invalid"
|
||||
+fi
|
||||
echo
|
||||
echo "Usage: clevis COMMAND [OPTIONS]"
|
||||
echo
|
@ -1,53 +0,0 @@
|
||||
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 11:07:00 -0300
|
||||
Subject: [PATCH] Improve boot performance by removing key check
|
||||
|
||||
---
|
||||
src/luks/clevis-luks-common-functions | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||
index 038cc37..950f217 100644
|
||||
--- a/src/luks/clevis-luks-common-functions
|
||||
+++ b/src/luks/clevis-luks-common-functions
|
||||
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
|
||||
clevis_luks_unlock_device_by_slot() {
|
||||
local DEV="${1}"
|
||||
local SLT="${2}"
|
||||
+ local SKIP_CHECK="${3}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
[ -z "${SLT}" ] && return 1
|
||||
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
|
||||
return 1
|
||||
fi
|
||||
|
||||
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||
+ if [ -z "${SKIP_CHECK}" ]; then
|
||||
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||
+ fi
|
||||
printf '%s' "${passphrase}"
|
||||
}
|
||||
|
||||
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
|
||||
# parameter and returns the decoded passphrase.
|
||||
clevis_luks_unlock_device() {
|
||||
local DEV="${1}"
|
||||
+ local SKIP_CHECK="YES"
|
||||
+
|
||||
[ -z "${DEV}" ] && return 1
|
||||
|
||||
local used_slots
|
||||
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
|
||||
|
||||
local slt pt
|
||||
for slt in ${used_slots}; do
|
||||
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
|
||||
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|
||||
|| [ -z "${pt}" ]; then
|
||||
continue
|
||||
fi
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,16 +0,0 @@
|
||||
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
|
||||
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
|
||||
@@ -413,7 +413,12 @@
|
||||
clevis_devices=
|
||||
|
||||
# Build list of devices to unlock.
|
||||
- while read -r _ crypt_device _; do
|
||||
+ while read -r _volname_ crypt_device _; do
|
||||
+ # skip empty lines and lines which begin with the '#' char, per
|
||||
+ # crypttab(5)
|
||||
+ case $_volname_ in
|
||||
+ ''|\#*) continue ;;
|
||||
+ esac
|
||||
if ! dev=$(clevis_map_device "${crypt_device}") \
|
||||
|| [ -z "${dev}" ]; then
|
||||
# Unable to get the device - maybe it's not available, e.g. a
|
@ -1,73 +0,0 @@
|
||||
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
|
||||
@@ -101,7 +101,7 @@
|
||||
|
||||
This command performs four steps:
|
||||
|
||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||
2. Encrypts the new key with Clevis.
|
||||
3. Stores the Clevis JWE in the LUKS header.
|
||||
4. Enables the new key for use with LUKS.
|
||||
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
|
||||
@@ -20,7 +20,7 @@
|
||||
|
||||
This command performs four steps:
|
||||
|
||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||
2. Encrypts the new key with Clevis.
|
||||
3. Stores the Clevis JWE in the LUKS header.
|
||||
4. Enables the new key for use with LUKS.
|
||||
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
|
||||
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
|
||||
@@ -865,6 +865,7 @@
|
||||
[ -z "${DEV}" ] && return 1
|
||||
|
||||
local dump filter bits
|
||||
+ local MAX_ENTROPY_BITS=256
|
||||
dump=$(cryptsetup luksDump "${DEV}")
|
||||
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||
@@ -876,6 +877,9 @@
|
||||
fi
|
||||
|
||||
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||
+ bits="${MAX_ENTROPY_BITS}"
|
||||
+ fi
|
||||
pwmake "${bits}"
|
||||
}
|
||||
|
||||
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
|
||||
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
|
||||
@@ -19,6 +19,8 @@
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
|
||||
+. clevis-luks-common-functions
|
||||
+
|
||||
SUMMARY="Binds a LUKS device using the specified policy"
|
||||
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
|
||||
|
||||
@@ -139,14 +141,11 @@
|
||||
fi
|
||||
|
||||
# Generate a key with the same entropy as the LUKS Master Key
|
||||
-key="$(pwmake "$(
|
||||
-cryptsetup luksDump "$DEV" \
|
||||
- | if [ "$luks_type" == "luks1" ]; then
|
||||
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
|
||||
- else
|
||||
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
|
||||
- fi | sort -n | tail -n 1
|
||||
-)")"
|
||||
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
|
||||
+ || [ -z "${key}" ]; then
|
||||
+ echo "Unable to generate key for ${DEV}" >&2
|
||||
+ return 1
|
||||
+fi
|
||||
|
||||
# Encrypt the new key
|
||||
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
|
@ -1,11 +0,0 @@
|
||||
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
|
||||
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
|
||||
@@ -173,7 +173,7 @@
|
||||
|
||||
echo "Updating binding..."
|
||||
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
|
||||
- "-y" "overwrite" 2>/dev/null; then
|
||||
+ "-y" "overwrite"; then
|
||||
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
|
||||
exit 1
|
||||
fi
|
@ -1,219 +0,0 @@
|
||||
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
|
||||
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
|
||||
@@ -50,12 +50,30 @@
|
||||
exit 1
|
||||
fi
|
||||
|
||||
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
|
||||
- | jose jwk thp -i- -f "$kid")"; then
|
||||
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
|
||||
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+# Check if the thumbprint we have in `kid' is in the advertised keys.
|
||||
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
|
||||
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
|
||||
+
|
||||
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
|
||||
+ <<< "${keys}")"; then
|
||||
+ # `kid' thumprint not in the advertised keys, but it's possible it was
|
||||
+ # generated using a different algorithm than the default one.
|
||||
+ # Let us try the alternative supported algorithms to make sure `kid'
|
||||
+ # really is not part of the advertised keys.
|
||||
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
|
||||
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
|
||||
+ done
|
||||
+ if [ -z "${srv}" ]; then
|
||||
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
|
||||
+ exit 1
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
|
||||
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
|
||||
exit 1
|
||||
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
|
||||
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
|
||||
@@ -64,6 +64,9 @@
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
|
||||
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
|
||||
+
|
||||
trust=
|
||||
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
|
||||
|
||||
@@ -111,15 +114,24 @@
|
||||
if [ -z "$thp" ]; then
|
||||
echo "The advertisement contains the following signing keys:" >&2
|
||||
echo >&2
|
||||
- jose jwk thp -i- <<< "$ver" >&2
|
||||
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
|
||||
echo >&2
|
||||
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
|
||||
[[ "$ans" =~ ^[yY]$ ]] || exit 1
|
||||
-
|
||||
elif [ "$thp" != "any" ] && \
|
||||
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
|
||||
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
||||
- exit 1
|
||||
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
|
||||
+ <<< "$ver"; then
|
||||
+ # Thumbprint of trusted JWK did not match the signature. Let's check
|
||||
+ # alternative thumbprints generated with clevis supported hash
|
||||
+ # algorithms to be sure.
|
||||
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
|
||||
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
|
||||
+ && break
|
||||
+ done
|
||||
+ if [ -z "${srv}" ]; then
|
||||
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
||||
+ exit 1
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -138,7 +150,7 @@
|
||||
|
||||
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
|
||||
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
|
||||
-kid="$(jose jwk thp -i- <<< "$jwk")"
|
||||
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
|
||||
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
|
||||
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
|
||||
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
|
||||
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
|
||||
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
|
||||
@@ -113,6 +113,7 @@
|
||||
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
|
||||
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
|
||||
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
||||
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
|
||||
endif
|
||||
|
||||
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
|
||||
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
|
||||
@@ -0,0 +1,120 @@
|
||||
+#!/bin/bash
|
||||
+set -exo pipefail
|
||||
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2020 Red Hat, Inc.
|
||||
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+
|
||||
+
|
||||
+. tests-common-functions
|
||||
+
|
||||
+TEST=$(basename "${0}")
|
||||
+
|
||||
+on_exit() {
|
||||
+ exit_status=$?
|
||||
+ tang_stop "${TMP}"
|
||||
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||
+ exit "${exit_status}"
|
||||
+}
|
||||
+
|
||||
+trap 'on_exit' EXIT
|
||||
+
|
||||
+TMP="$(mktemp -d)"
|
||||
+
|
||||
+port=$(get_random_port)
|
||||
+tang_run "${TMP}" "${port}"
|
||||
+
|
||||
+url="http://localhost:${port}"
|
||||
+data="just a sample text"
|
||||
+
|
||||
+adv="${TMP}/adv"
|
||||
+# Get the advertisement and extract the keys.
|
||||
+tang_get_adv "${port}" "${adv}"
|
||||
+
|
||||
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
|
||||
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
|
||||
+ --use deriveKey --output=-)"
|
||||
+
|
||||
+jose fmt --json="${enc}" --get keys --array \
|
||||
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
|
||||
+
|
||||
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
|
||||
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
|
||||
+
|
||||
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
|
||||
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
|
||||
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
|
||||
+
|
||||
+# We currently support SHA-1 (legacy) and SHA-256.
|
||||
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
|
||||
+# Now we will use every hash algorithm supported by jose to create a thumbprint
|
||||
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
|
||||
+# correctly.
|
||||
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
|
||||
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
|
||||
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
|
||||
+
|
||||
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
|
||||
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
|
||||
+
|
||||
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
|
||||
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
|
||||
+ fi
|
||||
+
|
||||
+ if [ "${decoded}" != "${data}" ]; then
|
||||
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Now let's test encryption providing the thp in the configuration.
|
||||
+data="just another test"
|
||||
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
|
||||
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
|
||||
+ | jose jwk use -i- -r -u verify -o- \
|
||||
+ | jose jwk thp -i- -a "${alg}")"
|
||||
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
|
||||
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
|
||||
+ fi
|
||||
+
|
||||
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
|
||||
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
|
||||
+ fi
|
||||
+
|
||||
+ if [ "${decoded}" != "${data}" ]; then
|
||||
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Let's also try some unsupported thp hash algorithms.
|
||||
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
|
||||
+for alg in ${UNSUPPORTED}; do
|
||||
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
|
||||
+ | jose jwk use -i- -r -u verify -o- \
|
||||
+ | jose jwk thp -i- -a "${alg}")"
|
||||
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
|
||||
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+# Now let's try some bad values for thp.
|
||||
+for thp in "" "foo" "invalid"; do
|
||||
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
|
||||
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
|
||||
+ fi
|
||||
+done
|
@ -1,375 +0,0 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
Name: clevis
|
||||
Version: 15
|
||||
Release: 15%{?dist}
|
||||
Summary: Automated decryption framework
|
||||
|
||||
License: GPLv3+
|
||||
URL: https://github.com/latchset/%{name}
|
||||
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
|
||||
|
||||
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
|
||||
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
|
||||
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
|
||||
Patch0004: 0004-systemd-drop-ncat-dependency.patch
|
||||
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
|
||||
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
|
||||
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
|
||||
Patch0008: 0008-tang-dump-url-on-error-communication.patch
|
||||
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
|
||||
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
||||
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
||||
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
|
||||
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
|
||||
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
|
||||
Patch0015: 0015-support-sha256-algorithm.patch
|
||||
|
||||
BuildRequires: git
|
||||
BuildRequires: gcc
|
||||
BuildRequires: meson
|
||||
BuildRequires: asciidoc
|
||||
BuildRequires: ninja-build
|
||||
BuildRequires: bash-completion
|
||||
|
||||
BuildRequires: libjose-devel >= 8
|
||||
BuildRequires: libluksmeta-devel >= 8
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: libudisks2-devel
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
BuildRequires: tpm2-tools >= 3.0.0
|
||||
BuildRequires: desktop-file-utils
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: systemd
|
||||
BuildRequires: dracut
|
||||
BuildRequires: tang >= 6
|
||||
BuildRequires: curl
|
||||
BuildRequires: luksmeta
|
||||
BuildRequires: cracklib-dicts
|
||||
BuildRequires: jq
|
||||
BuildRequires: diffutils
|
||||
BuildRequires: expect
|
||||
BuildRequires: openssl
|
||||
|
||||
Requires: cracklib-dicts
|
||||
Requires: tpm2-tools >= 3.0.0
|
||||
Requires: coreutils
|
||||
Requires: jose >= 8
|
||||
Requires: curl
|
||||
Requires: jq
|
||||
Requires(pre): shadow-utils
|
||||
Requires(post): systemd
|
||||
|
||||
%description
|
||||
Clevis is a framework for automated decryption. It allows you to encrypt
|
||||
data using sophisticated unlocking policies which enable decryption to
|
||||
occur automatically.
|
||||
|
||||
The clevis package provides basic encryption/decryption policy support.
|
||||
Users can use this directly; but most commonly, it will be used as a
|
||||
building block for other packages. For example, see the clevis-luks
|
||||
and clevis-dracut packages for automatic root volume unlocking of LUKS
|
||||
volumes during early boot.
|
||||
|
||||
%package luks
|
||||
Summary: LUKS integration for clevis
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Requires: cryptsetup
|
||||
Requires: luksmeta >= 8
|
||||
|
||||
%description luks
|
||||
LUKS integration for clevis. This package allows you to bind a LUKS
|
||||
volume to a clevis unlocking policy. For automated unlocking, an unlocker
|
||||
will also be required. See, for example, clevis-dracut and clevis-udisks2.
|
||||
|
||||
%package systemd
|
||||
Summary: systemd integration for clevis
|
||||
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||
%if 0%{?fedora} > 27
|
||||
Requires: systemd%{?_isa} >= 235-3
|
||||
%else
|
||||
%if 0%{?fedora} == 27
|
||||
Requires: systemd%{?_isa} >= 234-9
|
||||
%else
|
||||
%if 0%{?fedora} == 26
|
||||
Requires: systemd%{?_isa} >= 233-7
|
||||
%else
|
||||
Requires: systemd%{?_isa} >= 236
|
||||
%endif
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%description systemd
|
||||
Automatically unlocks clevis-bound LUKS block devices during boot.
|
||||
|
||||
%package dracut
|
||||
Summary: Dracut integration for clevis
|
||||
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
|
||||
Requires: dracut-network
|
||||
|
||||
%description dracut
|
||||
Automatically unlocks LUKS block devices in early boot.
|
||||
|
||||
%package udisks2
|
||||
Summary: UDisks2/Storaged integration for clevis
|
||||
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description udisks2
|
||||
Automatically unlocks LUKS block devices in desktop environments that
|
||||
use UDisks2 or storaged (like GNOME).
|
||||
|
||||
%prep
|
||||
%autosetup -S git
|
||||
|
||||
%build
|
||||
%meson -Duser=clevis -Dgroup=clevis
|
||||
%meson_build
|
||||
|
||||
%install
|
||||
%meson_install
|
||||
|
||||
%check
|
||||
desktop-file-validate \
|
||||
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||
%meson_test
|
||||
|
||||
%pre
|
||||
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null
|
||||
getent passwd %{name} >/dev/null || \
|
||||
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
|
||||
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
|
||||
# Add clevis user to tss group.
|
||||
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
|
||||
usermod -a -G tss %{name} &>/dev/null
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%post systemd
|
||||
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%{_datadir}/bash-completion/
|
||||
%{_bindir}/%{name}-decrypt-tang
|
||||
%{_bindir}/%{name}-decrypt-tpm2
|
||||
%{_bindir}/%{name}-decrypt-sss
|
||||
%{_bindir}/%{name}-decrypt-null
|
||||
%{_bindir}/%{name}-decrypt
|
||||
%{_bindir}/%{name}-encrypt-tang
|
||||
%{_bindir}/%{name}-encrypt-tpm2
|
||||
%{_bindir}/%{name}-encrypt-sss
|
||||
%{_bindir}/%{name}-encrypt-null
|
||||
%{_bindir}/%{name}
|
||||
%{_mandir}/man1/%{name}-encrypt-tang.1*
|
||||
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
|
||||
%{_mandir}/man1/%{name}-encrypt-sss.1*
|
||||
%{_mandir}/man1/%{name}-decrypt.1*
|
||||
%{_mandir}/man1/%{name}.1*
|
||||
|
||||
%files luks
|
||||
%{_mandir}/man7/%{name}-luks-unlockers.7*
|
||||
%{_mandir}/man1/%{name}-luks-unlock.1*
|
||||
%{_mandir}/man1/%{name}-luks-unbind.1*
|
||||
%{_mandir}/man1/%{name}-luks-bind.1*
|
||||
%{_mandir}/man1/%{name}-luks-list.1*
|
||||
%{_mandir}/man1/%{name}-luks-pass.1*
|
||||
%{_mandir}/man1/%{name}-luks-regen.1*
|
||||
%{_mandir}/man1/%{name}-luks-report.1*
|
||||
%{_mandir}/man1/%{name}-luks-edit.1*
|
||||
%{_bindir}/%{name}-luks-unlock
|
||||
%{_bindir}/%{name}-luks-unbind
|
||||
%{_bindir}/%{name}-luks-bind
|
||||
%{_bindir}/%{name}-luks-common-functions
|
||||
%{_bindir}/%{name}-luks-list
|
||||
%{_bindir}/%{name}-luks-pass
|
||||
%{_bindir}/%{name}-luks-regen
|
||||
%{_bindir}/%{name}-luks-report
|
||||
%{_bindir}/%{name}-luks-edit
|
||||
|
||||
%files systemd
|
||||
%{_libexecdir}/%{name}-luks-askpass
|
||||
%{_unitdir}/%{name}-luks-askpass.path
|
||||
%{_unitdir}/%{name}-luks-askpass.service
|
||||
|
||||
%files dracut
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
|
||||
|
||||
%files udisks2
|
||||
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||
|
||||
%changelog
|
||||
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
|
||||
- Include SHA-256 thumbprints clevis support
|
||||
Resolves: rhbz#2209058
|
||||
|
||||
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
|
||||
- luks-edit: remove unnecessary 2>/dev/null
|
||||
Resolves: rhbz#2159739
|
||||
|
||||
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
|
||||
- luks: define max entropy bits for pwmake
|
||||
Resolves: rhbz#2159736
|
||||
|
||||
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
|
||||
- Ignore empty & comment lines in crypttab
|
||||
Resolves: rhbz#2159440
|
||||
|
||||
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
|
||||
- Start clevis-luks-askpass.path service according to global policy
|
||||
Resolves: rhbz#2107081
|
||||
|
||||
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
|
||||
- Improve boot performance by removing key check
|
||||
Resolves: rhbz#2099748
|
||||
|
||||
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
|
||||
- Avoid invalid message for clevis command
|
||||
Resolves: rhbz#2099325
|
||||
|
||||
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
|
||||
- Support a null pin
|
||||
Resolves: rhbz#2028096
|
||||
|
||||
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
|
||||
- Dump server information on server error communication
|
||||
Resolves: rhbz#2020193
|
||||
|
||||
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
|
||||
- Explicitly specify pbkdf iterations to cryptsetup
|
||||
Resolves: rhbz#1979256
|
||||
|
||||
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
|
||||
- Enable debugging in clevis scripts when rd.debug is set
|
||||
Resolves: rhbz#1980742
|
||||
|
||||
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
|
||||
- Stop sending stderr to the void when decryption doesn't happen
|
||||
Resolves: rhbz#1976880
|
||||
|
||||
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
|
||||
- Drop ncat dependency
|
||||
Resolves: rhbz#1949289
|
||||
|
||||
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
|
||||
- Account for unlocking failures in clevis-luks-askpass
|
||||
Resolves: rhbz#2018292
|
||||
|
||||
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1
|
||||
- Update to latest upstream release, v15
|
||||
Resolves: rhbz#1887836
|
||||
Resolves: rhbz#1853651
|
||||
Resolves: rhbz#1874460
|
||||
|
||||
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3
|
||||
- Add clevis luks edit command
|
||||
Resolves: rhbz#1436735
|
||||
|
||||
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2
|
||||
- Introduce -y (assume yes) argument to clevis luks bind
|
||||
Resolves: rhbz#1819767
|
||||
|
||||
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
|
||||
- Update to new upstream release, v13
|
||||
Resolves: rhbz#1827225
|
||||
Resolves: rhbz#1827665
|
||||
Resolves: rhbz#1801556
|
||||
Resolves: rhbz#1784448
|
||||
Resolves: rhbz#1826917
|
||||
Resolves: rhbz#1812014
|
||||
|
||||
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9
|
||||
- Improve clevis luks regen not to unbind+bind in every case
|
||||
Resolves: rhbz#1795675
|
||||
|
||||
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8
|
||||
- Use one clevis-luks-askpass per device
|
||||
Resolves: rhbz#1784524
|
||||
|
||||
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7
|
||||
- Add rd.neednet=1 to cmdline only if there are devices bound to tang
|
||||
Resolves: rhbz#1762028
|
||||
|
||||
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6
|
||||
- Add option to extract luks passphrase used for binding
|
||||
Resolves: rhbz#1436780
|
||||
|
||||
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5
|
||||
- Add support for listing existing PBD policies in place
|
||||
Resolves: rhbz#1766526
|
||||
|
||||
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4
|
||||
- Improve error message when bind is given an invalid PIN
|
||||
Resolves: rhbz#1543380
|
||||
|
||||
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3
|
||||
- Add clevis luks report and regen
|
||||
Resolves: rhbz#1564566
|
||||
Resolves: rhbz#1564559
|
||||
|
||||
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
|
||||
- Check that key derivation key is available
|
||||
- Delete remaining references to the removed http pin
|
||||
- Install cryptsetup and tpm2_pcrlist in the initramfs
|
||||
- Add device TCTI library to the initramfs
|
||||
Resolves: rhbz#1648004
|
||||
Resolves: rhbz#1650246
|
||||
|
||||
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
|
||||
- Update to v11
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
|
||||
- Update to v10
|
||||
|
||||
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
|
||||
- Update to v9
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
|
||||
- Update to v8
|
||||
|
||||
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
|
||||
- Rebuild for cryptsetup-2.0.0
|
||||
|
||||
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
|
||||
- Update to v7
|
||||
|
||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
|
||||
- New upstream release
|
||||
- Specify unprivileged user/group during configuration
|
||||
- Move clevis user/group creation to base clevis package
|
||||
|
||||
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
|
||||
- New upstream release
|
||||
- Run clevis decryption from udisks2 under an unprivileged user
|
||||
|
||||
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
|
||||
- New upstream release
|
||||
|
||||
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
|
||||
- New upstream release
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
|
||||
- New upstream release
|
||||
|
||||
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
|
||||
- First release
|
425
clevis.spec
Normal file
425
clevis.spec
Normal file
@ -0,0 +1,425 @@
|
||||
## START: Set by rpmautospec
|
||||
## (rpmautospec version 0.6.1)
|
||||
## RPMAUTOSPEC: autorelease, autochangelog
|
||||
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||
release_number = 4;
|
||||
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||
print(release_number + base_release_number - 1);
|
||||
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||
## END: Set by rpmautospec
|
||||
|
||||
Name: clevis
|
||||
Version: 20
|
||||
Release: %autorelease
|
||||
Summary: Automated decryption framework
|
||||
|
||||
License: GPL-3.0-or-later
|
||||
URL: https://github.com/latchset/%{name}
|
||||
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
|
||||
Source1: clevis.sysusers
|
||||
Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
|
||||
|
||||
BuildRequires: git-core
|
||||
BuildRequires: gcc
|
||||
BuildRequires: meson
|
||||
BuildRequires: asciidoc
|
||||
BuildRequires: ninja-build
|
||||
BuildRequires: bash-completion
|
||||
|
||||
BuildRequires: libjose-devel >= 8
|
||||
BuildRequires: libluksmeta-devel >= 8
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: libudisks2-devel
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
BuildRequires: tpm2-tools >= 4.0.0
|
||||
BuildRequires: desktop-file-utils
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: systemd
|
||||
BuildRequires: systemd-rpm-macros
|
||||
BuildRequires: dracut
|
||||
BuildRequires: tang >= 6
|
||||
BuildRequires: curl
|
||||
BuildRequires: luksmeta
|
||||
BuildRequires: openssl
|
||||
BuildRequires: diffutils
|
||||
BuildRequires: cryptsetup
|
||||
BuildRequires: jq
|
||||
|
||||
Requires: tpm2-tools >= 4.0.0
|
||||
Requires: coreutils
|
||||
Requires: jose >= 8
|
||||
Requires: curl
|
||||
Requires: jq
|
||||
Requires(pre): shadow-utils
|
||||
Requires(post): systemd
|
||||
Requires: clevis-pin-tpm2
|
||||
|
||||
%description
|
||||
Clevis is a framework for automated decryption. It allows you to encrypt
|
||||
data using sophisticated unlocking policies which enable decryption to
|
||||
occur automatically.
|
||||
|
||||
The clevis package provides basic encryption/decryption policy support.
|
||||
Users can use this directly; but most commonly, it will be used as a
|
||||
building block for other packages. For example, see the clevis-luks
|
||||
and clevis-dracut packages for automatic root volume unlocking of
|
||||
LUKSv1/LUKSv2 volumes during early boot.
|
||||
|
||||
%package luks
|
||||
Summary: LUKS integration for clevis
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
Requires: cryptsetup
|
||||
Requires: luksmeta >= 8
|
||||
|
||||
%description luks
|
||||
LUKS integration for clevis. This package allows you to bind a LUKS
|
||||
volume to a clevis unlocking policy. For automated unlocking, an unlocker
|
||||
will also be required. See, for example, clevis-dracut and clevis-udisks2.
|
||||
|
||||
%package systemd
|
||||
Summary: systemd integration for clevis
|
||||
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||
%if 0%{?fedora} > 27
|
||||
Requires: systemd%{?_isa} >= 235-3
|
||||
%else
|
||||
%if 0%{?fedora} == 27
|
||||
Requires: systemd%{?_isa} >= 234-9
|
||||
%else
|
||||
%if 0%{?fedora} == 26
|
||||
Requires: systemd%{?_isa} >= 233-7
|
||||
%else
|
||||
Requires: systemd%{?_isa} >= 236
|
||||
%endif
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%description systemd
|
||||
Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
|
||||
|
||||
%package dracut
|
||||
Summary: Dracut integration for clevis
|
||||
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
|
||||
Requires: dracut-network
|
||||
|
||||
%description dracut
|
||||
Automatically unlocks LUKS block devices in early boot.
|
||||
|
||||
%package udisks2
|
||||
Summary: UDisks2/Storaged integration for clevis
|
||||
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||
|
||||
%description udisks2
|
||||
Automatically unlocks LUKS block devices in desktop environments that
|
||||
use UDisks2 or storaged (like GNOME).
|
||||
|
||||
%prep
|
||||
%autosetup -S git
|
||||
|
||||
%build
|
||||
%meson -Duser=clevis -Dgroup=clevis
|
||||
%meson_build
|
||||
|
||||
%install
|
||||
%meson_install
|
||||
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
|
||||
|
||||
%check
|
||||
desktop-file-validate \
|
||||
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||
%meson_test
|
||||
|
||||
%pre
|
||||
%sysusers_create_compat %{SOURCE1}
|
||||
# Add clevis user to tss group.
|
||||
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
|
||||
usermod -a -G tss %{name} &>/dev/null
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%{_datadir}/bash-completion/
|
||||
%{_bindir}/%{name}-decrypt-tang
|
||||
%{_bindir}/%{name}-decrypt-tpm2
|
||||
%{_bindir}/%{name}-decrypt-sss
|
||||
%{_bindir}/%{name}-decrypt-null
|
||||
%{_bindir}/%{name}-decrypt
|
||||
%{_bindir}/%{name}-encrypt-tang
|
||||
%{_bindir}/%{name}-encrypt-tpm2
|
||||
%{_bindir}/%{name}-encrypt-sss
|
||||
%{_bindir}/%{name}-encrypt-null
|
||||
%{_bindir}/%{name}
|
||||
%{_mandir}/man1/%{name}-encrypt-tang.1*
|
||||
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
|
||||
%{_mandir}/man1/%{name}-encrypt-sss.1*
|
||||
%{_mandir}/man1/%{name}-decrypt.1*
|
||||
%{_mandir}/man1/%{name}.1*
|
||||
%{_sysusersdir}/clevis.conf
|
||||
|
||||
%files luks
|
||||
%{_mandir}/man7/%{name}-luks-unlockers.7*
|
||||
%{_mandir}/man1/%{name}-luks-unlock.1*
|
||||
%{_mandir}/man1/%{name}-luks-unbind.1*
|
||||
%{_mandir}/man1/%{name}-luks-bind.1*
|
||||
%{_mandir}/man1/%{name}-luks-list.1.*
|
||||
%{_mandir}/man1/%{name}-luks-edit.1.*
|
||||
%{_mandir}/man1/%{name}-luks-regen.1.*
|
||||
%{_mandir}/man1/%{name}-luks-report.1.*
|
||||
%{_mandir}/man1/%{name}-luks-pass.1.*
|
||||
%{_bindir}/%{name}-luks-unlock
|
||||
%{_bindir}/%{name}-luks-unbind
|
||||
%{_bindir}/%{name}-luks-bind
|
||||
%{_bindir}/%{name}-luks-common-functions
|
||||
%{_bindir}/%{name}-luks-list
|
||||
%{_bindir}/%{name}-luks-edit
|
||||
%{_bindir}/%{name}-luks-regen
|
||||
%{_bindir}/%{name}-luks-report
|
||||
%{_bindir}/%{name}-luks-pass
|
||||
|
||||
%files systemd
|
||||
%{_libexecdir}/%{name}-luks-askpass
|
||||
%{_libexecdir}/%{name}-luks-unlocker
|
||||
%{_unitdir}/%{name}-luks-askpass.path
|
||||
%{_unitdir}/%{name}-luks-askpass.service
|
||||
|
||||
%files dracut
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
|
||||
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
|
||||
|
||||
%files udisks2
|
||||
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||
|
||||
%post systemd
|
||||
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
## START: Generated by rpmautospec
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 20-4
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Wed May 22 2024 koncpa <pkoncity@redhat.com> - 20-3
|
||||
- Update name of passing set ot tests in gating
|
||||
|
||||
* Tue May 21 2024 koncpa <pkoncity@redhat.com> - 20-2
|
||||
- Enable RHEL gating for clevis
|
||||
|
||||
* Tue May 21 2024 Sergio Arroutbi <sarroutb@redhat.com> - 20-1
|
||||
- Rebase to clevis-20 upstream version
|
||||
|
||||
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 19-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 19-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 19-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Wed May 31 2023 Sergio Arroutbi <sarroutb@redhat.com> - 19-3
|
||||
- Migrate to SPDX like licensing
|
||||
|
||||
* Tue Feb 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 19-2
|
||||
- Include LUKSv2 volumes in description
|
||||
|
||||
* Thu Feb 02 2023 Sergio Correia <scorreia@redhat.com> - 19-1
|
||||
- Update to latest upstream version, v19
|
||||
|
||||
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 18-16
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Fri Dec 16 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-15
|
||||
- Backport upstream fixes
|
||||
|
||||
* Fri Aug 05 2022 Luca BRUNO <lucab@lucabruno.net> - 18-10
|
||||
- Simplify sysusers.d fragment by using default 'nologin' shell
|
||||
|
||||
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Fri Jul 8 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-8
|
||||
- Support a null pin
|
||||
|
||||
* Tue Jun 28 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-7
|
||||
Start clevis-luks-askpass.patch service according to global policy
|
||||
|
||||
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
|
||||
Account for unlocking failures in clevis-luks-askpass
|
||||
Resolves: rhbz#1878892
|
||||
|
||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
|
||||
- Rebuilt with OpenSSL 3.0.0
|
||||
|
||||
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 18-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
|
||||
- Port to OpenSSL 3
|
||||
Backport of upstream commit (ee1dfedb)
|
||||
|
||||
* Thu Apr 15 2021 Sergio Correia <scorreia@redhat.com> - 18-1
|
||||
- Update to new clevis upstream release, v18.
|
||||
|
||||
* Wed Apr 14 2021 Sergio Correia <scorreia@redhat.com> - 17-1
|
||||
- Update to new clevis upstream release, v17.
|
||||
|
||||
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
|
||||
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
|
||||
|
||||
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
|
||||
- Update to new clevis upstream release, v16.
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
|
||||
- Upstream patch for tpm-tools 5.0 support
|
||||
|
||||
* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
|
||||
- Add jq to dependencies
|
||||
|
||||
* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
|
||||
- Update to new clevis upstream release, v15.
|
||||
|
||||
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
|
||||
- Suppress output in pre scriptlet when adjusting users/groups
|
||||
Resolves: rhbz#1876729
|
||||
|
||||
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
|
||||
- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
|
||||
when receives a SIGTERM
|
||||
Resolves: rhbz#1876001
|
||||
|
||||
* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
|
||||
- If clevis-luks-askpass is enabled, it may be using a wrong target,
|
||||
since that changed in v14. Check and update it, if required.
|
||||
|
||||
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
|
||||
- Update sources file with new v14 release.
|
||||
|
||||
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
|
||||
- Update to new clevis upstream release, v14.
|
||||
|
||||
* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
|
||||
- Downgrade cracklib-dicts to Recommends
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
|
||||
- Update to new clevis upstream release, v13.
|
||||
|
||||
* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
|
||||
- cracklib-dicts should be also listed as a build dependency, since
|
||||
it's required for running some of the tests
|
||||
|
||||
* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
|
||||
- Make cracklib-dicts a regular dependency
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
|
||||
- Update to new clevis upstream release, v12.
|
||||
|
||||
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
|
||||
- Backport upstream PR#70 - Handle case where we try to use a partially
|
||||
used luksmeta slot
|
||||
Resolves: rhbz#1672371
|
||||
|
||||
* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
|
||||
- Disable LUKS2 tests for now, since they fail randomly in Koji
|
||||
builders, killing the build
|
||||
|
||||
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
|
||||
- Backport of upstream patches and the following fixes:
|
||||
- Rework the logic for reading the existing key
|
||||
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
|
||||
- pins/tang: check that key derivation key is available
|
||||
|
||||
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
|
||||
- Drop need network patch
|
||||
|
||||
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
|
||||
- Add support for tpm2-tools 4.0
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
|
||||
- Update patch for work around
|
||||
|
||||
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
|
||||
- Work around network requirement for early boot
|
||||
|
||||
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
|
||||
- Delete remaining references to the removed http pin
|
||||
- Install cryptsetup and tpm2_pcrlist in the initramfs
|
||||
- Add device TCTI library to the initramfs
|
||||
Resolves: rhbz#1644876
|
||||
|
||||
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
|
||||
- Update to v11
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
|
||||
- Update to v10
|
||||
|
||||
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
|
||||
- Update to v9
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
|
||||
- Update to v8
|
||||
|
||||
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
|
||||
- Rebuild for cryptsetup-2.0.0
|
||||
|
||||
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
|
||||
- Update to v7
|
||||
|
||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
|
||||
- New upstream release
|
||||
- Specify unprivileged user/group during configuration
|
||||
- Move clevis user/group creation to base clevis package
|
||||
|
||||
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
|
||||
- New upstream release
|
||||
- Run clevis decryption from udisks2 under an unprivileged user
|
||||
|
||||
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
|
||||
- New upstream release
|
||||
|
||||
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
|
||||
- New upstream release
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
|
||||
- New upstream release
|
||||
|
||||
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
|
||||
- First release
|
||||
|
||||
## END: Generated by rpmautospec
|
1
clevis.sysusers
Normal file
1
clevis.sysusers
Normal file
@ -0,0 +1 @@
|
||||
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -
|
Loading…
Reference in New Issue
Block a user