diff --git a/.gitignore b/.gitignore
index 2e87ac2..83e3bcd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/clevis-15.tar.xz
+clevis-20.tar.xz
diff --git a/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
new file mode 100644
index 0000000..263166d
--- /dev/null
+++ b/0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
@@ -0,0 +1,56 @@
+--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
++++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
+@@ -264,8 +264,10 @@
+
+ error:
+ g_list_free_full(ctx.lst, g_free);
+- g_main_loop_unref(ctx.loop);
+- g_object_unref(ctx.clt);
++ if (ctx.loop)
++ g_main_loop_unref(ctx.loop);
++ if (ctx.clt)
++ g_object_unref(ctx.clt);
+ close(sock);
+ return exit_status;
+ }
+@@ -299,12 +301,12 @@
+ safeclose(&pair[0]);
+ }
+
+-static ssize_t
+-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
++static uint32_t
++recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
+ {
+ int push[2] = { -1, -1 };
+ int pull[2] = { -1, -1 };
+- ssize_t bytes = 0;
++ int32_t bytes = 0;
+ pid_t chld = 0;
+
+ if (pipe(push) != 0)
+@@ -379,12 +381,18 @@
+ }
+
+ bytes = 0;
+- for (ssize_t block = 1; block > 0; bytes += block) {
+- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+- if (block < 0) {
+- kill(chld, SIGTERM);
+- goto error;
+- }
++ ssize_t block = 0;
++ while (max > 0 && max > bytes) {
++ do {
++ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
++ } while (block < 0 && errno == EINTR);
++ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
++ kill(chld, SIGTERM);
++ goto error;
++ }
++ if (block == 0)
++ break;
++ bytes += block;
+ }
+
+ safeclose(&pull[PIPE_RD]);
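Review bot: The signature change at `+static uint32_t` / `+recover_key(... int32_t max ...)` in the second inner hunk makes recover_key unable to report failure with a negative value; if the function's `error:` path (outside this hunk) still returns -1, or a caller still tests the result with `< 0`, a failed recovery now reads as a byte count near 4 billion and the failure goes unnoticed, so either every return statement and caller must be audited for the new contract or the return type should stay signed (`int32_t`). In the rewritten read loop, `block < INT32_MIN` is dead because `block < 0` already rejects every negative value; `if (block < 0 || block > INT32_MAX) {` is the same check. `max > 0` in the `while` condition is loop-invariant and would read better as one guard before the loop. The new NULL guards in the first inner hunk only help if `ctx` is zero-initialised before any early `goto error`, which the hunk does not show. recover_key's body continues past the hunk on both sides.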
diff --git a/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch b/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
deleted file mode 100644
index 23679bc..0000000
--- a/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
+++ /dev/null
@@ -1,176 +0,0 @@ -From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Sun, 25 Oct 2020 11:15:46 -0300 -Subject: [PATCH] Fixes for dealing with newer tang without tangd-update - ---- - src/luks/tests/meson.build | 11 +---------- - src/luks/tests/tests-common-functions.in | 19 +++++++++++-------- - src/pins/tang/meson.build | 11 +---------- - src/pins/tang/pin-tang | 11 ++++++++--- - 4 files changed, 21 insertions(+), 31 deletions(-) - -diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build -index ba5f6a2..c0f9dc3 100644 ---- a/src/luks/tests/meson.build -+++ b/src/luks/tests/meson.build -@@ -17,14 +17,6 @@ kgen = find_program( - join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), - required: false - ) --updt = find_program( -- join_paths(libexecdir, 'tangd-update'), -- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), -- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), -- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), -- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), -- required: false --) - tang = find_program( - join_paths(libexecdir, 'tangd'), - join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), -@@ -58,11 +50,10 @@ env.prepend('PATH', - ) - - has_tang = false --if actv.found() and kgen.found() and updt.found() and tang.found() -+if actv.found() and kgen.found() and tang.found() - has_tang = true - env.set('SD_ACTIVATE', actv.path()) - env.set('TANGD_KEYGEN', kgen.path()) -- env.set('TANGD_UPDATE', updt.path()) - env.set('TANGD', tang.path()) - endif - -diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in -index 8520715..318d007 100755 ---- a/src/luks/tests/tests-common-functions.in -+++ b/src/luks/tests/tests-common-functions.in -@@ -251,18 +251,19 @@ tang_remove_rotated_keys() { - return 1 - fi - -- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: 
TANGD_UPDATE is not defined." -- - local db="${basedir}/db" -- local cache="${basedir}/cache" - mkdir -p "${db}" -- mkdir -p "${cache}" -+ -+ if [ -n "${TANGD_UPDATE}" ]; then -+ local cache="${basedir}/cache" -+ mkdir -p "${cache}" -+ fi - - pushd "${db}" - find . -name ".*.jwk" -exec rm -f {} \; - popd - -- "${TANGD_UPDATE}" "${db}" "${cache}" -+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" - return 0 - } - -@@ -277,12 +278,12 @@ tang_new_keys() { - fi - - [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined." -- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined." - - local db="${basedir}/db" -- local cache="${basedir}/cache" - mkdir -p "${db}" - -+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache" -+ - if [ -n "${rotate}" ]; then - pushd "${db}" - local k -@@ -296,7 +297,7 @@ tang_new_keys() { - fi - - "${TANGD_KEYGEN}" "${db}" -- "${TANGD_UPDATE}" "${db}" "${cache}" -+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" - - return 0 - } -@@ -322,6 +323,8 @@ tang_run() { - fi - - local KEYS="${basedir}/cache" -+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db" -+ - local inetd='--inetd' - [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= - -diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build -index f7d8226..ebcdd4a 100644 ---- a/src/pins/tang/meson.build -+++ b/src/pins/tang/meson.build -@@ -12,14 +12,6 @@ kgen = find_program( - join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), - required: false - ) --updt = find_program( -- join_paths(libexecdir, 'tangd-update'), -- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), -- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), -- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), -- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), -- required: false --) - tang = find_program( - join_paths(libexecdir, 'tangd'), - 
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), -@@ -35,11 +27,10 @@ if curl.found() - bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang') - mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1') - -- if actv.found() and kgen.found() and updt.found() and tang.found() -+ if actv.found() and kgen.found() and tang.found() - env = environment() - env.set('SD_ACTIVATE', actv.path()) - env.set('TANGD_KEYGEN', kgen.path()) -- env.set('TANGD_UPDATE', updt.path()) - env.set('TANGD', tang.path()) - env.prepend('PATH', - join_paths(meson.source_root(), 'src'), -diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang -index 98e5e4d..a63d0a2 100755 ---- a/src/pins/tang/pin-tang -+++ b/src/pins/tang/pin-tang -@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db - mkdir -p "$TMP"/cache - - # Generate the server keys -+KEYS="$TMP"/db - "${TANGD_KEYGEN}" "$TMP"/db sig exc --"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache -+if which tangd-update; then -+ tangd-update "$TMP"/db "$TMP"/cache -+ KEYS="$TMP"/cache -+fi - - # Start the server - port="$(shuf -i 1024-65536 -n 1)" -@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)" - inetd='--inetd' - [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= - --"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache & -+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" & - PID=$! - sleep 0.25 - - thp="$(jose jwk thp -i "$TMP/db/sig.jwk")" --adv="$TMP/cache/default.jws" - url="http://localhost:${port}" -+adv="$TMP/adv" -+curl "$url/adv" -o "$adv" - - cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")" - enc="$(echo -n "hi" | clevis encrypt tang "$cfg")" --- -2.18.4 - diff --git a/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch b/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch deleted file mode 100644 index 103911c..0000000 --- a/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch +++ /dev/null 
@@ -1,309 +0,0 @@ -From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 3 Nov 2020 08:42:48 -0300 -Subject: [PATCH 2/2] Add the option to extract luks passphrase used for - binding - -Usage: - -clevis luks pass -d /dev/sda1 -s 1 - ---- - src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++ - src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++ - src/luks/meson.build | 3 ++ - src/luks/tests/meson.build | 2 + - src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++ - src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++ - 6 files changed, 230 insertions(+) - create mode 100755 src/luks/clevis-luks-pass - create mode 100644 src/luks/clevis-luks-pass.1.adoc - create mode 100755 src/luks/tests/pass-tang-luks1 - create mode 100755 src/luks/tests/pass-tang-luks2 - -diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass -new file mode 100755 -index 0000000..1f59b39 ---- /dev/null -+++ b/src/luks/clevis-luks-pass -@@ -0,0 +1,64 @@ -+#!/bin/bash -e -+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia - LUKS2 support. -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+. clevis-luks-common-functions -+ -+SUMMARY="Returns the LUKS passphrase used for binding a particular slot." 
-+ -+usage() { -+ exec >&2 -+ echo "Usage: clevis luks pass -d DEV -s SLT" -+ echo -+ echo "$SUMMARY" -+ echo -+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding" -+ echo -+ echo " -s SLOT The slot number to extract the LUKS passphrase" -+ echo -+ exit 1 -+} -+ -+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then -+ echo "${SUMMARY}" -+ exit 0 -+fi -+ -+while getopts ":d:s:" o; do -+ case "$o" in -+ d) DEV=${OPTARG};; -+ s) SLT=${OPTARG};; -+ *) usage;; -+ esac -+done -+ -+if [ -z "${DEV}" ]; then -+ echo "Did not specify a device!" >&2 -+ usage -+fi -+ -+if [ -z "${SLT}" ]; then -+ echo "Did not specify a slot!" >&2 -+ usage -+fi -+ -+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then -+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2 -+ exit 1 -+fi -diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc -new file mode 100644 -index 0000000..fa9526a ---- /dev/null -+++ b/src/luks/clevis-luks-pass.1.adoc -@@ -0,0 +1,43 @@ -+CLEVIS-LUKS-PASS(1) -+=================== -+:doctype: manpage -+ -+ -+== NAME -+ -+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device -+ -+== SYNOPSIS -+ -+*clevis luks pass* -d DEV -s SLT -+ -+== OVERVIEW -+ -+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device. -+For example: -+ -+ clevis luks pass -d /dev/sda1 -s 1 -+ -+== OPTIONS -+ -+* *-d* _DEV_ : -+ The LUKS device on which to extract a passphrase from -+ -+* *-s* _SLT_ : -+ The slot to use for extracting the passphrase -+ -+== EXAMPLE -+ -+ clevis luks pass -d /dev/sda1 -s 1 -+ -+ -+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key -+file together with cryptsetup. 
For instance: -+ -+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase -+ -+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1. -+ -+== SEE ALSO -+ -+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)], -diff --git a/src/luks/meson.build b/src/luks/meson.build -index 12f5a0d..008736e 100644 ---- a/src/luks/meson.build -+++ b/src/luks/meson.build -@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found() - - bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit') - mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1') -+ -+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass') -+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1') - else - warning('Will not install LUKS support due to missing dependencies!') - endif -diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build -index c22a069..f4584aa 100644 ---- a/src/luks/tests/meson.build -+++ b/src/luks/tests/meson.build -@@ -84,6 +84,7 @@ if has_tang - test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90) - test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90) - test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150) -+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60) - endif - - test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60) -@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0' - test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120) - test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120) - test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210) -+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60) - endif - - test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 
120) -diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1 -new file mode 100755 -index 0000000..0d91e6c ---- /dev/null -+++ b/src/luks/tests/pass-tang-luks1 -@@ -0,0 +1,59 @@ -+#!/bin/bash -x -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+. clevis-luks-common-functions -+ -+function on_exit() { -+ [ ! -d "${TMP}" ] && return 0 -+ tang_stop "${TMP}" -+ rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+ -+TMP=$(mktemp -d) -+ -+port=$(get_random_port) -+tang_run "${TMP}" "${port}" & -+tang_wait_until_ready "${port}" -+ -+url="http://localhost:${port}" -+adv="${TMP}/adv" -+tang_get_adv "${port}" "${adv}" -+ -+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") -+ -+# LUKS1. -+DEV="${TMP}/luks1-device" -+new_device "luks1" "${DEV}" -+ -+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Bind should have succeeded." -+fi -+ -+# Now let's test the passphrase. -+SLT=1 -+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") -+echo $PASS >&2 -+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then -+ error "Passphrase obtained from clevis luks pass failed." 
-+fi -diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2 -new file mode 100755 -index 0000000..2d50413 ---- /dev/null -+++ b/src/luks/tests/pass-tang-luks2 -@@ -0,0 +1,59 @@ -+#!/bin/bash -x -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2019 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+TEST="${0}" -+. tests-common-functions -+. clevis-luks-common-functions -+ -+function on_exit() { -+ [ ! -d "${TMP}" ] && return 0 -+ tang_stop "${TMP}" -+ rm -rf "${TMP}" -+} -+ -+trap 'on_exit' EXIT -+ -+TMP=$(mktemp -d) -+ -+port=$(get_random_port) -+tang_run "${TMP}" "${port}" & -+tang_wait_until_ready "${port}" -+ -+url="http://localhost:${port}" -+adv="${TMP}/adv" -+tang_get_adv "${port}" "${adv}" -+ -+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") -+ -+# LUKS2. -+DEV="${TMP}/luks2-device" -+new_device "luks2" "${DEV}" -+ -+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then -+ error "${TEST}: Bind should have succeeded." -+fi -+ -+# Now let's test the passphrase. -+SLT=1 -+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") -+echo $PASS >&2 -+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then -+ error "Passphrase obtained from clevis luks pass failed." -+fi --- -2.29.2 - 
diff --git a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch deleted file mode 100644 index 35738b5..0000000 --- a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Fri, 29 Oct 2021 12:04:46 -0300 -Subject: [PATCH 3/3] systemd: account for unlocking failures in - clevis-luks-askpass (#343) - -As unlock may fail for some reason, e.g. the network is not up yet, -one way cause problems would be to add extra `rd.luks.uuid' params -to the cmdline, which would then cause such devices to be unlocked -in early boot. If the unlocking fail, those devices might not be -accounted for in the clevis_devices_to_unlock() check, as it is -based on crypttab. - -Let's make sure there are no pending ask.* sockets waiting to be -answered, before exiting. - -Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 ---- - src/luks/systemd/clevis-luks-askpass | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass -index 285bba4..f19671f 100755 ---- a/src/luks/systemd/clevis-luks-askpass -+++ b/src/luks/systemd/clevis-luks-askpass -@@ -67,8 +67,11 @@ while true; do - done - - [ "${loop}" != true ] && break -+ - # Checking for pending devices to be unlocked. -- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then -+ remaining_crypttab=$(clevis_devices_to_unlock) ||: -+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: -+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then - break; - fi - --- -2.33.1 - diff --git a/SOURCES/0004-systemd-drop-ncat-dependency.patch b/SOURCES/0004-systemd-drop-ncat-dependency.patch deleted file mode 100644 index fbd22de..0000000 
--- a/SOURCES/0004-systemd-drop-ncat-dependency.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Thu, 18 Nov 2021 16:45:58 -0300 -Subject: [PATCH 4/4] systemd: drop ncat dependency - -When using systemd, i.e., clevis-luks-askpass, we use ncat to send -the decrypted password to the systemd socket as per systemd's password -agents specification [1]. - -However, systemd itself has a utility that does exactly that, -systemd-reply-password. - -In this commit we drop the ncat dependency and instead use -systemd-reply-password in clevis-luks-askpass. - -[1] https://systemd.io/PASSWORD_AGENTS/ ---- - ...is-luks-askpass => clevis-luks-askpass.in} | 2 +- - .../systemd/dracut/clevis/module-setup.sh.in | 4 ++-- - src/luks/systemd/meson.build | 19 +++++++++++++++++-- - 3 files changed, 20 insertions(+), 5 deletions(-) - rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%) - -diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in -similarity index 97% -rename from src/luks/systemd/clevis-luks-askpass -rename to src/luks/systemd/clevis-luks-askpass.in -index f19671f..a6699c9 100755 ---- a/src/luks/systemd/clevis-luks-askpass -+++ b/src/luks/systemd/clevis-luks-askpass.in -@@ -58,7 +58,7 @@ while true; do - fi - - uuid="$(cryptsetup luksUUID "${d}")" -- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then -+ if ! 
printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then - echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2 - continue - fi -diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in -index ebf969f..d46c6e2 100755 ---- a/src/luks/systemd/dracut/clevis/module-setup.sh.in -+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in -@@ -36,6 +36,7 @@ install() { - - inst_multiple \ - /etc/services \ -+ @SYSTEMD_REPLY_PASS@ \ - @libexecdir@/clevis-luks-askpass \ - clevis-luks-common-functions \ - grep sed cut \ -@@ -45,8 +46,7 @@ install() { - luksmeta \ - clevis \ - mktemp \ -- jose \ -- ncat -+ jose - - dracut_need_initqueue - } -diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build -index 369e7f7..e3b3d91 100644 ---- a/src/luks/systemd/meson.build -+++ b/src/luks/systemd/meson.build -@@ -1,6 +1,15 @@ - systemd = dependency('systemd', required: false) - --if systemd.found() -+sd_reply_pass = find_program( -+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'), -+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), -+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), -+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), -+ required: false -+) -+ -+if systemd.found() and sd_reply_pass.found() -+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) - subdir('dracut') - - unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') -@@ -12,8 +21,14 @@ if systemd.found() - configuration: data, - ) - -+ configure_file( -+ input: 'clevis-luks-askpass.in', -+ output: 'clevis-luks-askpass', -+ install_dir: libexecdir, -+ configuration: data -+ ) -+ - install_data('clevis-luks-askpass.path', install_dir: unitdir) -- install_data('clevis-luks-askpass', install_dir: libexecdir) - else - warning('Will not install systemd support due to missing dependencies!') - 
endif --- -2.33.1 - diff --git a/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch b/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch deleted file mode 100644 index e20b68b..0000000 --- a/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch +++ /dev/null @@ -1,26 +0,0 @@ -From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Thu, 25 Nov 2021 19:18:03 -0300 -Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't - happen - ---- - src/luks/clevis-luks-common-functions | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions -index 879ca4c..df8e16d 100644 ---- a/src/luks/clevis-luks-common-functions -+++ b/src/luks/clevis-luks-common-functions -@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() { - return 1 - fi - -- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \ -+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \ - || [ -z "${passphrase}" ]; then - return 1 - fi --- -2.33.1 - diff --git a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch deleted file mode 100644 index e7df18a..0000000 --- a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Renaud=20M=C3=A9trich?= - <1163635+rmetrich@users.noreply.github.com> -Date: Wed, 1 Dec 2021 09:37:35 -0300 -Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is - set (#340) - -On Fedora/RHEL, the rd.debug kernel command line parameter controls -debugging. -By implementing the functionality inside clevis, troubleshooting will be -greatly eased. -See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). ---- - src/luks/clevis-luks-common-functions | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions -index df8e16d..67ece72 100644 ---- a/src/luks/clevis-luks-common-functions -+++ b/src/luks/clevis-luks-common-functions -@@ -20,6 +20,21 @@ - - CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" - -+enable_debugging() { -+ # Automatically enable debugging if in initramfs phase and rd.debug -+ if [ -e /usr/lib/dracut-lib.sh ]; then -+ local bashopts=$- -+ # Because dracut is loosely written, disable hardening options temporarily -+ [[ $bashopts != *u* ]] || set +u -+ [[ $bashopts != *e* ]] || set +e -+ . /usr/lib/dracut-lib.sh -+ [[ $bashopts != *u* ]] || set -u -+ [[ $bashopts != *e* ]] || set -e -+ fi -+} -+ -+enable_debugging -+ - # valid_slot() will check whether a given slot is possibly valid, i.e., if it - # is a numeric value within the specified range. - valid_slot() { --- -2.33.1 - diff --git a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch deleted file mode 100644 index 18cee3b..0000000 --- a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001 -From: Renaud Metrich -Date: Fri, 7 Jan 2022 12:13:03 -0300 -Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup - -This fixes an Out of memory error when the system has not much memory, -such as a VM configured with 2GB currently being installed through the -network (hence having ~1GB free memory only). -See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). ---- - src/luks/clevis-luks-bind.in | 7 +++++-- - src/luks/clevis-luks-common-functions | 7 ++++++- - 2 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in -index 4748c08..017f762 100755 ---- a/src/luks/clevis-luks-bind.in -+++ b/src/luks/clevis-luks-bind.in -@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \ - exit 1 - fi - -+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - if [ "$luks_type" == "luks1" ]; then -+ pbkdf_args= - # In certain circumstances, we may have LUKSMeta slots "not in sync" with - # cryptsetup, which means we will try to save LUKSMeta metadata over an - # already used or partially used slot -- github issue #70. -@@ -184,7 +186,7 @@ fi - - # Add the new key. - if [ -n "$SLT" ]; then -- cryptsetup luksAddKey --key-slot "$SLT" --key-file \ -+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \ - <(echo -n "$existing_key") "$DEV" - else - if [ $luks_type == "luks2" ]; then -@@ -194,7 +196,8 @@ else - readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ - | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') - fi -- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV" -+ cryptsetup luksAddKey ${pbkdf_args} \ -+ --key-file <(echo -n "${existing_key}") "$DEV" - fi < <(echo -n "${key}") - if [ $? -ne 0 ]; then - echo "Error while adding new key to LUKS header!" 
>&2 -diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions -index 67ece72..038cc37 100644 ---- a/src/luks/clevis-luks-common-functions -+++ b/src/luks/clevis-luks-common-functions -@@ -760,10 +760,12 @@ clevis_luks_add_key() { - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ - --key-slot "${SLT}" \ - "${DEV}" \ -+ ${pbkdf_args} \ - ${extra_args} - } - -@@ -792,11 +794,14 @@ clevis_luks_update_key() { - extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" - input="$(printf '%s' "${NEWKEY}")" - fi -+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" - - if [ -n "${in_place}" ]; then - printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ - --key-slot "${SLT}" \ -- --batch-mode ${extra_args} -+ --batch-mode \ -+ ${pbkdf_args} \ -+ ${extra_args} - return - fi - --- -2.33.1 - diff --git a/SOURCES/0008-tang-dump-url-on-error-communication.patch b/SOURCES/0008-tang-dump-url-on-error-communication.patch deleted file mode 100644 index e907694..0000000 --- a/SOURCES/0008-tang-dump-url-on-error-communication.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100 -+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100 -@@ -73,10 +73,10 @@ - - xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" - --url="$url/rec/$kid" -+rec_url="$url/rec/$kid" - ct="Content-Type: application/jwk+json" --if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then -- echo "Error communicating with the server!" >&2 -+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then -+ echo "Error communicating with the server $url" >&2 - exit 1 - fi - 
diff --git a/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch
deleted file mode 100644
index deb5ad3..0000000
--- a/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch
+++ /dev/null
@@ -1,213 +0,0 @@ -From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001 -From: Antonio Murdaca -Date: Wed, 1 Dec 2021 14:17:53 +0100 -Subject: [PATCH 9/9] feat: rename the test pin to null pin - -Signed-off-by: Antonio Murdaca ---- - src/initramfs-tools/hooks/clevis.in | 1 + - .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ - .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ - src/luks/systemd/dracut/meson.build | 1 + - ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- - ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- - src/pins/sss/meson.build | 5 +++- - src/pins/sss/{pin-test => pin-null} | 4 +-- - src/pins/sss/pin-sss | 12 ++++---- - 9 files changed, 60 insertions(+), 13 deletions(-) - create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build - create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in - rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) - rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) - rename src/pins/sss/{pin-test => pin-null} (53%) - -diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in -index cc3b492..448ba96 100755 ---- a/src/initramfs-tools/hooks/clevis.in -+++ b/src/initramfs-tools/hooks/clevis.in -@@ -58,6 +58,7 @@ fi - - copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" - copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" -+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" - copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" - copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" - copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" -diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build 
-new file mode 100644 -index 0000000..107e3ba ---- /dev/null -+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build -@@ -0,0 +1,14 @@ -+dracut = dependency('dracut', required: false) -+ -+if dracut.found() -+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' -+ -+ configure_file( -+ input: 'module-setup.sh.in', -+ output: 'module-setup.sh', -+ install_dir: dracutdir, -+ configuration: data, -+ ) -+else -+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') -+endif -diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in -new file mode 100755 -index 0000000..6a16078 ---- /dev/null -+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in -@@ -0,0 +1,28 @@ -+#!/bin/bash -+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2016 Red Hat, Inc. -+# Author: Nathaniel McCallum -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . 
-+# -+ -+depends() { -+ echo clevis -+ return 0 -+} -+ -+install() { -+ inst clevis-decrypt-null -+} -diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build -index fdb264b..7ad5b14 100644 ---- a/src/luks/systemd/dracut/meson.build -+++ b/src/luks/systemd/dracut/meson.build -@@ -2,3 +2,4 @@ subdir('clevis') - subdir('clevis-pin-tang') - subdir('clevis-pin-tpm2') - subdir('clevis-pin-sss') -+subdir('clevis-pin-null') -diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null -similarity index 88% -rename from src/pins/sss/clevis-decrypt-test -rename to src/pins/sss/clevis-decrypt-null -index f0e9249..a6217ed 100755 ---- a/src/pins/sss/clevis-decrypt-test -+++ b/src/pins/sss/clevis-decrypt-null -@@ -22,11 +22,11 @@ - - read -r -d . hdr - --if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then -+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then - echo "JWE pin mismatch!" >&2 - exit 1 - fi - --jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 -+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 - - exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) -diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null -similarity index 90% -rename from src/pins/sss/clevis-encrypt-test -rename to src/pins/sss/clevis-encrypt-null -index bd2d6ec..af182a5 100755 ---- a/src/pins/sss/clevis-encrypt-test -+++ b/src/pins/sss/clevis-encrypt-null -@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then - fi - - jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" --jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' -+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' - - if ! 
jose fmt -j "$cfg" -g fail -T; then -- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" -+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" - fi - - exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) -diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build -index 7f20eea..2a5295a 100644 ---- a/src/pins/sss/meson.build -+++ b/src/pins/sss/meson.build -@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() - separator: ':' - ) - -+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') -+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') -+ - test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) -- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) -+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) - else - warning('Will not install sss pin due to missing dependencies!') - endif -diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null -similarity index 53% -rename from src/pins/sss/pin-test -rename to src/pins/sss/pin-null -index 50c8c67..b14ac63 100755 ---- a/src/pins/sss/pin-test -+++ b/src/pins/sss/pin-null -@@ -2,9 +2,9 @@ - - trap 'exit' ERR - --e="$(echo -n hi | clevis encrypt test '{}')" -+e="$(echo -n hi | clevis encrypt null '{}')" - d="$(echo -n "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo -n hi | clevis encrypt test '{"fail":true}')" -+e="$(echo -n hi | clevis encrypt null '{"fail":true}')" - ! 
echo "$e" | clevis decrypt -diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss -index 5c0b8cf..24da052 100755 ---- a/src/pins/sss/pin-sss -+++ b/src/pins/sss/pin-sss -@@ -1,24 +1,24 @@ - #!/bin/bash -ex - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" - d="$(echo "$e" | clevis decrypt)" - test "$d" == "hi" - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - --e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" -+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" - ! echo "$e" | clevis decrypt - - ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" --- -2.33.1 - diff --git a/SOURCES/0010-avoid-clevis-invalid-msg.patch b/SOURCES/0010-avoid-clevis-invalid-msg.patch deleted file mode 100644 index bf86dec..0000000 --- a/SOURCES/0010-avoid-clevis-invalid-msg.patch +++ /dev/null 
@@ -1,24 +0,0 @@
---- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
-+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
-@@ -27,6 +27,7 @@
- }
- 
- cmd=clevis
-+input_commands="$cmd $@"
- while [ $# -gt 0 ]; do
- [[ "$1" =~ ^- ]] && break
- cmd="$cmd-$1"
-@@ -36,8 +37,11 @@
- done
- 
- exec >&2
--echo
--echo "Command '$cmd' is invalid"
-+if [ "$cmd" != "clevis" ];
-+then
-+ echo
-+ echo "Command '$input_commands' is invalid"
-+fi
- echo
- echo "Usage: clevis COMMAND [OPTIONS]"
- echo
diff --git a/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch b/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
deleted file mode 100644
index 8d0a70a..0000000
--- a/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
-From: Sergio Arroutbi
-Date: Tue, 2 Aug 2022 11:07:00 -0300
-Subject: [PATCH] Improve boot performance by removing key check
-
----
- src/luks/clevis-luks-common-functions | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
-index 038cc37..950f217 100644
---- a/src/luks/clevis-luks-common-functions
-+++ b/src/luks/clevis-luks-common-functions
-@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
- clevis_luks_unlock_device_by_slot() {
- local DEV="${1}"
- local SLT="${2}"
-+ local SKIP_CHECK="${3}"
- 
- [ -z "${DEV}" ] && return 1
- [ -z "${SLT}" ] && return 1
-@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
- return 1
- fi
- 
-- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
-+ if [ -z "${SKIP_CHECK}" ]; then
-+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
-+ fi
- printf '%s' "${passphrase}"
- }
- 
-@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
- # parameter and returns the decoded passphrase.
- clevis_luks_unlock_device() {
- local DEV="${1}"
-+ local SKIP_CHECK="YES"
-+
- [ -z "${DEV}" ] && return 1
- 
- local used_slots
-@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
- 
- local slt pt
- for slt in ${used_slots}; do
-- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
-+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
- || [ -z "${pt}" ]; then
- continue
- fi
--- 
-2.35.1
-
diff --git a/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch b/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
deleted file mode 100644
index 7dcd5ac..0000000
--- a/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
-+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
-@@ -413,7 +413,12 @@
- clevis_devices=
- 
- # Build list of devices to unlock.
-- while read -r _ crypt_device _; do
-+ while read -r _volname_ crypt_device _; do
-+ # skip empty lines and lines which begin with the '#' char, per
-+ # crypttab(5)
-+ case $_volname_ in
-+ ''|\#*) continue ;;
-+ esac
- if ! dev=$(clevis_map_device "${crypt_device}") \
- || [ -z "${dev}" ]; then
- # Unable to get the device - maybe it's not available, e.g. a
diff --git a/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
deleted file mode 100644
index 4b18e61..0000000
--- a/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
+++ /dev/null
@@ -1,73 +0,0 @@
---- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
-+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
-@@ -101,7 +101,7 @@
- 
- This command performs four steps:
- 
--1. Creates a new key with the same entropy as the LUKS master key.
-+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
- 2. Encrypts the new key with Clevis.
- 3. Stores the Clevis JWE in the LUKS header.
- 4. Enables the new key for use with LUKS.
---- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
-+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
-@@ -20,7 +20,7 @@
- 
- This command performs four steps:
- 
--1. Creates a new key with the same entropy as the LUKS master key.
-+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
- 2. Encrypts the new key with Clevis.
- 3. Stores the Clevis JWE in the LUKS header.
- 4. Enables the new key for use with LUKS.
---- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
-+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
-@@ -865,6 +865,7 @@
- [ -z "${DEV}" ] && return 1
- 
- local dump filter bits
-+ local MAX_ENTROPY_BITS=256
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
-@@ -876,6 +877,9 @@
- fi
- 
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
-+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
-+ bits="${MAX_ENTROPY_BITS}"
-+ fi
- pwmake "${bits}"
- }
- 
---- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
-+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
-@@ -19,6 +19,8 @@
- # along with this program. If not, see .
- #
- 
-+. clevis-luks-common-functions
-+
- SUMMARY="Binds a LUKS device using the specified policy"
- UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
- 
-@@ -139,14 +141,11 @@
- fi
- 
- # Generate a key with the same entropy as the LUKS Master Key
--key="$(pwmake "$(
--cryptsetup luksDump "$DEV" \
-- | if [ "$luks_type" == "luks1" ]; then
-- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
-- else
-- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
-- fi | sort -n | tail -n 1
--)")"
-+if ! key="$(clevis_luks_generate_key "${DEV}")" \
-+ || [ -z "${key}" ]; then
-+ echo "Unable to generate key for ${DEV}" >&2
-+ return 1
-+fi
- 
- # Encrypt the new key
- jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
diff --git a/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
deleted file mode 100644
index 0280ec5..0000000
--- a/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
-+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
-@@ -173,7 +173,7 @@
- 
- echo "Updating binding..."
- if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
-- "-y" "overwrite" 2>/dev/null; then
-+ "-y" "overwrite"; then
- echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
- exit 1
- fi
diff --git a/SOURCES/0015-support-sha256-algorithm.patch b/SOURCES/0015-support-sha256-algorithm.patch
deleted file mode 100644
index 086517f..0000000
--- a/SOURCES/0015-support-sha256-algorithm.patch
+++ /dev/null
@@ -1,219 +0,0 @@ ---- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200 -+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200 -@@ -50,12 +50,30 @@ - exit 1 - fi - --if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \ -- | jose jwk thp -i- -f "$kid")"; then -+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then - echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2 - exit 1 - fi - -+# Check if the thumbprint we have in `kid' is in the advertised keys. -+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1 -+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256 -+ -+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \ -+ <<< "${keys}")"; then -+ # `kid' thumprint not in the advertised keys, but it's possible it was -+ # generated using a different algorithm than the default one. -+ # Let us try the alternative supported algorithms to make sure `kid' -+ # really is not part of the advertised keys. -+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do -+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break -+ done -+ if [ -z "${srv}" ]; then -+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2 -+ exit 1 -+ fi -+fi -+ - if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then - echo "JWE missing required 'clevis.tang.url' header parameter!" 
>&2 - exit 1 ---- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100 -+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200 -@@ -64,6 +64,9 @@ - exit 1 - fi - -+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1 -+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256 -+ - trust= - [ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes - -@@ -111,15 +114,24 @@ - if [ -z "$thp" ]; then - echo "The advertisement contains the following signing keys:" >&2 - echo >&2 -- jose jwk thp -i- <<< "$ver" >&2 -+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2 - echo >&2 - read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty - [[ "$ans" =~ ^[yY]$ ]] || exit 1 -- - elif [ "$thp" != "any" ] && \ -- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then -- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2 -- exit 1 -+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \ -+ <<< "$ver"; then -+ # Thumbprint of trusted JWK did not match the signature. Let's check -+ # alternative thumbprints generated with clevis supported hash -+ # algorithms to be sure. -+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do -+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \ -+ && break -+ done -+ if [ -z "${srv}" ]; then -+ echo "Trusted JWK '$thp' did not sign the advertisement!" 
>&2 -+ exit 1 -+ fi - fi - fi - -@@ -138,7 +150,7 @@ - - jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")" - jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")" --kid="$(jose jwk thp -i- <<< "$jwk")" -+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")" - jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}' - jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)" - jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)" ---- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200 -+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200 -@@ -113,6 +113,7 @@ - test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120) - test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210) - test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60) -+ test('default-thp-alg', find_program('default-thp-alg'), env: env) - endif - - test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120) ---- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100 -+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200 -@@ -0,0 +1,120 @@ -+#!/bin/bash -+set -exo pipefail -+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2020 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. 
-+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+ -+ -+. tests-common-functions -+ -+TEST=$(basename "${0}") -+ -+on_exit() { -+ exit_status=$? -+ tang_stop "${TMP}" -+ [ -d "${TMP}" ] && rm -rf "${TMP}" -+ exit "${exit_status}" -+} -+ -+trap 'on_exit' EXIT -+ -+TMP="$(mktemp -d)" -+ -+port=$(get_random_port) -+tang_run "${TMP}" "${port}" -+ -+url="http://localhost:${port}" -+data="just a sample text" -+ -+adv="${TMP}/adv" -+# Get the advertisement and extract the keys. -+tang_get_adv "${port}" "${adv}" -+ -+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)" -+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \ -+ --use deriveKey --output=-)" -+ -+jose fmt --json="${enc}" --get keys --array \ -+ || enc="$(printf '{"keys": [%s]}' "${enc}")" -+ -+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \ -+ | jose fmt --json=- --delete key_ops --delete alg --output=-)" -+ -+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}' -+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)" -+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)" -+ -+# We currently support SHA-1 (legacy) and SHA-256. -+CLEVIS_SUPPORTED_THP_ALGS="S1 S256" -+# Now we will use every hash algorithm supported by jose to create a thumbprint -+# for `kid', then we do the encoding and verify clevis decrypt can decode it -+# correctly. -+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do -+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)" -+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)" -+ -+ encoded=$(printf '%s%s' "${jwk}" "${data}" \ -+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact) -+ -+ if ! 
decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then -+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})" -+ fi -+ -+ if [ "${decoded}" != "${data}" ]; then -+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})" -+ fi -+done -+ -+# Now let's test encryption providing the thp in the configuration. -+data="just another test" -+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do -+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \ -+ | jose jwk use -i- -r -u verify -o- \ -+ | jose jwk thp -i- -a "${alg}")" -+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")" -+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then -+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})" -+ fi -+ -+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then -+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})" -+ fi -+ -+ if [ "${decoded}" != "${data}" ]; then -+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})" -+ fi -+done -+ -+# Let's also try some unsupported thp hash algorithms. -+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512. -+for alg in ${UNSUPPORTED}; do -+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \ -+ | jose jwk use -i- -r -u verify -o- \ -+ | jose jwk thp -i- -a "${alg}")" -+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")" -+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then -+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})" -+ fi -+done -+ -+# Now let's try some bad values for thp. 
-+for thp in "" "foo" "invalid"; do -+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")" -+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then -+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp" -+ fi -+done diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec deleted file mode 100644 index 9f85e1e..0000000 --- a/SPECS/clevis.spec +++ /dev/null 
@@ -1,375 +0,0 @@ -%global _hardened_build 1 - -Name: clevis -Version: 15 -Release: 15%{?dist} -Summary: Automated decryption framework - -License: GPLv3+ -URL: https://github.com/latchset/%{name} -Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz - -Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch -Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch -Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch -Patch0004: 0004-systemd-drop-ncat-dependency.patch -Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch -Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch -Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch -Patch0008: 0008-tang-dump-url-on-error-communication.patch -Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch -Patch0010: 0010-avoid-clevis-invalid-msg.patch -Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch -Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch -Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch -Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch -Patch0015: 0015-support-sha256-algorithm.patch - -BuildRequires: git -BuildRequires: gcc -BuildRequires: meson -BuildRequires: asciidoc -BuildRequires: ninja-build -BuildRequires: bash-completion - -BuildRequires: libjose-devel >= 8 -BuildRequires: libluksmeta-devel >= 8 -BuildRequires: audit-libs-devel -BuildRequires: libudisks2-devel -BuildRequires: openssl-devel - -BuildRequires: tpm2-tools >= 3.0.0 -BuildRequires: desktop-file-utils -BuildRequires: pkgconfig -BuildRequires: systemd -BuildRequires: dracut -BuildRequires: tang >= 6 -BuildRequires: curl -BuildRequires: luksmeta -BuildRequires: cracklib-dicts -BuildRequires: jq -BuildRequires: diffutils -BuildRequires: expect -BuildRequires: openssl - -Requires: cracklib-dicts -Requires: tpm2-tools 
>= 3.0.0 -Requires: coreutils -Requires: jose >= 8 -Requires: curl -Requires: jq -Requires(pre): shadow-utils -Requires(post): systemd - -%description -Clevis is a framework for automated decryption. It allows you to encrypt -data using sophisticated unlocking policies which enable decryption to -occur automatically. - -The clevis package provides basic encryption/decryption policy support. -Users can use this directly; but most commonly, it will be used as a -building block for other packages. For example, see the clevis-luks -and clevis-dracut packages for automatic root volume unlocking of LUKS -volumes during early boot. - -%package luks -Summary: LUKS integration for clevis -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: cryptsetup -Requires: luksmeta >= 8 - -%description luks -LUKS integration for clevis. This package allows you to bind a LUKS -volume to a clevis unlocking policy. For automated unlocking, an unlocker -will also be required. See, for example, clevis-dracut and clevis-udisks2. - -%package systemd -Summary: systemd integration for clevis -Requires: %{name}-luks%{?_isa} = %{version}-%{release} -%if 0%{?fedora} > 27 -Requires: systemd%{?_isa} >= 235-3 -%else -%if 0%{?fedora} == 27 -Requires: systemd%{?_isa} >= 234-9 -%else -%if 0%{?fedora} == 26 -Requires: systemd%{?_isa} >= 233-7 -%else -Requires: systemd%{?_isa} >= 236 -%endif -%endif -%endif - -%description systemd -Automatically unlocks clevis-bound LUKS block devices during boot. - -%package dracut -Summary: Dracut integration for clevis -Requires: %{name}-systemd%{?_isa} = %{version}-%{release} -Requires: dracut-network - -%description dracut -Automatically unlocks LUKS block devices in early boot. - -%package udisks2 -Summary: UDisks2/Storaged integration for clevis -Requires: %{name}-luks%{?_isa} = %{version}-%{release} - -%description udisks2 -Automatically unlocks LUKS block devices in desktop environments that -use UDisks2 or storaged (like GNOME). 
- -%prep -%autosetup -S git - -%build -%meson -Duser=clevis -Dgroup=clevis -%meson_build - -%install -%meson_install - -%check -desktop-file-validate \ - %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop -%meson_test - -%pre -getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null -getent passwd %{name} >/dev/null || \ - useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \ - -c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null -# Add clevis user to tss group. -if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then - usermod -a -G tss %{name} &>/dev/null -fi -exit 0 - -%post systemd -systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : - -%files -%license COPYING -%{_datadir}/bash-completion/ -%{_bindir}/%{name}-decrypt-tang -%{_bindir}/%{name}-decrypt-tpm2 -%{_bindir}/%{name}-decrypt-sss -%{_bindir}/%{name}-decrypt-null -%{_bindir}/%{name}-decrypt -%{_bindir}/%{name}-encrypt-tang -%{_bindir}/%{name}-encrypt-tpm2 -%{_bindir}/%{name}-encrypt-sss -%{_bindir}/%{name}-encrypt-null -%{_bindir}/%{name} -%{_mandir}/man1/%{name}-encrypt-tang.1* -%{_mandir}/man1/%{name}-encrypt-tpm2.1* -%{_mandir}/man1/%{name}-encrypt-sss.1* -%{_mandir}/man1/%{name}-decrypt.1* -%{_mandir}/man1/%{name}.1* - -%files luks -%{_mandir}/man7/%{name}-luks-unlockers.7* -%{_mandir}/man1/%{name}-luks-unlock.1* -%{_mandir}/man1/%{name}-luks-unbind.1* -%{_mandir}/man1/%{name}-luks-bind.1* -%{_mandir}/man1/%{name}-luks-list.1* -%{_mandir}/man1/%{name}-luks-pass.1* -%{_mandir}/man1/%{name}-luks-regen.1* -%{_mandir}/man1/%{name}-luks-report.1* -%{_mandir}/man1/%{name}-luks-edit.1* -%{_bindir}/%{name}-luks-unlock -%{_bindir}/%{name}-luks-unbind -%{_bindir}/%{name}-luks-bind -%{_bindir}/%{name}-luks-common-functions -%{_bindir}/%{name}-luks-list -%{_bindir}/%{name}-luks-pass -%{_bindir}/%{name}-luks-regen -%{_bindir}/%{name}-luks-report -%{_bindir}/%{name}-luks-edit - -%files systemd 
-%{_libexecdir}/%{name}-luks-askpass -%{_unitdir}/%{name}-luks-askpass.path -%{_unitdir}/%{name}-luks-askpass.service - -%files dracut -%{_prefix}/lib/dracut/modules.d/60%{name} -%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null -%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss -%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang -%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2 - -%files udisks2 -%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop -%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 - -%changelog -* Tue May 23 2023 Sergio Arroutbi - 15-15 -- Include SHA-256 thumbprints clevis support - Resolves: rhbz#2209058 - -* Mon Jan 16 2023 Sergio Arroutbi - 15-14 -- luks-edit: remove unnecessary 2>/dev/null - Resolves: rhbz#2159739 - -* Wed Jan 11 2023 Sergio Arroutbi - 15-13 -- luks: define max entropy bits for pwmake - Resolves: rhbz#2159736 - -* Wed Jan 11 2023 Sergio Arroutbi - 15-12 -- Ignore empty & comment lines in crypttab - Resolves: rhbz#2159440 - -* Tue Aug 02 2022 Sergio Arroutbi - 15-11 -- Start clevis-luks-askpass.path service according to global policy - Resolves: rhbz#2107081 - -* Thu Jul 21 2022 Sergio Arroutbi - 15-10 -- Improve boot performance by removing key check - Resolves: rhbz#2099748 - -* Wed Jun 22 2022 Sergio Arroutbi - 15-9 -- Avoid invalid message for clevis command - Resolves: rhbz#2099325 - -* Wed Jan 26 2022 Sergio Correia - 15-8 -- Support a null pin - Resolves: rhbz#2028096 - -* Fri Jan 21 2022 Sergio Arroutbi - 15-7 -- Dump server information on server error communication - Resolves: rhbz#2020193 - -* Tue Jan 04 2022 Sergio Correia - 15-6 -- Explicitly specify pbkdf iterations to cryptsetup - Resolves: rhbz#1979256 - -* Wed Dec 01 2021 Sergio Correia - 15-5 -- Enable debugging in clevis scripts when rd.debug is set - Resolves: rhbz#1980742 - -* Thu Nov 25 2021 Sergio Correia - 15-4 -- Stop sending stderr to the void when decryption doesn't happen - Resolves: rhbz#1976880 - -* Thu Nov 18 2021 Sergio Correia 
- 15-3 -- Drop ncat dependency - Resolves: rhbz#1949289 - -* Wed Nov 17 2021 Sergio Correia - 15-2 -- Account for unlocking failures in clevis-luks-askpass - Resolves: rhbz#2018292 - -* Mon Oct 26 2020 Sergio Correia - 15-1 -- Update to latest upstream release, v15 - Resolves: rhbz#1887836 - Resolves: rhbz#1853651 - Resolves: rhbz#1874460 - -* Wed May 20 2020 Sergio Correia - 13-3 -- Add clevis luks edit command - Resolves: rhbz#1436735 - -* Mon May 18 2020 Sergio Correia - 13-2 -- Introduce -y (assume yes) argument to clevis luks bind - Resolves: rhbz#1819767 - -* Sun May 10 2020 Sergio Correia - 13-1 -- Update to new upstream release, v13 - Resolves: rhbz#1827225 - Resolves: rhbz#1827665 - Resolves: rhbz#1801556 - Resolves: rhbz#1784448 - Resolves: rhbz#1826917 - Resolves: rhbz#1812014 - -* Sun Feb 02 2020 Sergio Correia - 11-9 -- Improve clevis luks regen not to unbind+bind in every case - Resolves: rhbz#1795675 - -* Mon Jan 13 2020 Sergio Correia - 11-8 -- Use one clevis-luks-askpass per device - Resolves: rhbz#1784524 - -* Sat Nov 30 2019 Sergio Correia - 11-7 -- Add rd.neednet=1 to cmdline only if there are devices bound to tang - Resolves: rhbz#1762028 - -* Sat Nov 30 2019 Sergio Correia - 11-6 -- Add option to extract luks passphrase used for binding - Resolves: rhbz#1436780 - -* Thu Nov 28 2019 Sergio Correia - 11-5 -- Add support for listing existing PBD policies in place - Resolves: rhbz#1766526 - -* Fri Oct 18 2019 Sergio Correia - 11-4 -- Improve error message when bind is given an invalid PIN - Resolves: rhbz#1543380 - -* Wed Oct 16 2019 Sergio Correia - 11-3 -- Add clevis luks report and regen - Resolves: rhbz#1564566 - Resolves: rhbz#1564559 - -* Fri Jan 04 2019 Daniel Kopecek - 11-2 -- Check that key derivation key is available -- Delete remaining references to the removed http pin -- Install cryptsetup and tpm2_pcrlist in the initramfs -- Add device TCTI library to the initramfs - Resolves: rhbz#1648004 - Resolves: rhbz#1650246 - -* Tue Aug 14 
2018 Nathaniel McCallum - 11-1 -- Update to v11 - -* Thu Jul 12 2018 Fedora Release Engineering - 10-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Mar 21 2018 Nathaniel McCallum - 10-1 -- Update to v10 - -* Tue Feb 13 2018 Nathaniel McCallum - 9-1 -- Update to v9 - -* Wed Feb 07 2018 Fedora Release Engineering - 8-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Nov 13 2017 Nathaniel McCallum - 8-1 -- Update to v8 - -* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 -- Rebuild for cryptsetup-2.0.0 - -* Fri Oct 27 2017 Nathaniel McCallum - 7-1 -- Update to v7 - -* Wed Aug 02 2017 Fedora Release Engineering - 6-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Tue Jun 27 2017 Nathaniel McCallum - 6-1 -- New upstream release -- Specify unprivileged user/group during configuration -- Move clevis user/group creation to base clevis package - -* Mon Jun 26 2017 Nathaniel McCallum - 5-1 -- New upstream release -- Run clevis decryption from udisks2 under an unprivileged user - -* Wed Jun 14 2017 Nathaniel McCallum - 4-1 -- New upstream release - -* Wed Jun 14 2017 Nathaniel McCallum - 3-1 -- New upstream release - -* Fri Feb 10 2017 Fedora Release Engineering - 2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Nov 18 2016 Nathaniel McCallum - 2-1 -- New upstream release - -* Mon Nov 14 2016 Nathaniel McCallum - 1-1 -- First release diff --git a/clevis.spec b/clevis.spec new file mode 100644 index 0000000..5552f4b --- /dev/null +++ b/clevis.spec 
@@ -0,0 +1,425 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.1)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+ release_number = 4;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+Name: clevis
+Version: 20
+Release: %autorelease
+Summary: Automated decryption framework
+
+License: GPL-3.0-or-later
+URL: https://github.com/latchset/%{name}
+Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Source1: clevis.sysusers
+Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
+
+BuildRequires: git-core
+BuildRequires: gcc
+BuildRequires: meson
+BuildRequires: asciidoc
+BuildRequires: ninja-build
+BuildRequires: bash-completion
+
+BuildRequires: libjose-devel >= 8
+BuildRequires: libluksmeta-devel >= 8
+BuildRequires: audit-libs-devel
+BuildRequires: libudisks2-devel
+BuildRequires: openssl-devel
+
+BuildRequires: tpm2-tools >= 4.0.0
+BuildRequires: desktop-file-utils
+BuildRequires: pkgconfig
+BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
+BuildRequires: dracut
+BuildRequires: tang >= 6
+BuildRequires: curl
+BuildRequires: luksmeta
+BuildRequires: openssl
+BuildRequires: diffutils
+BuildRequires: cryptsetup
+BuildRequires: jq
+
+Requires: tpm2-tools >= 4.0.0
+Requires: coreutils
+Requires: jose >= 8
+Requires: curl
+Requires: jq
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires: clevis-pin-tpm2
+
+%description
+Clevis is a framework for automated decryption. It allows you to encrypt
+data using sophisticated unlocking policies which enable decryption to
+occur automatically.
+
+The clevis package provides basic encryption/decryption policy support.
+Users can use this directly; but most commonly, it will be used as a
+building block for other packages.
For example, see the clevis-luks
+and clevis-dracut packages for automatic root volume unlocking of
+LUKSv1/LUKSv2 volumes during early boot.
+
+%package luks
+Summary: LUKS integration for clevis
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: cryptsetup
+Requires: luksmeta >= 8
+
+%description luks
+LUKS integration for clevis. This package allows you to bind a LUKS
+volume to a clevis unlocking policy. For automated unlocking, an unlocker
+will also be required. See, for example, clevis-dracut and clevis-udisks2.
+
+%package systemd
+Summary: systemd integration for clevis
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+%if 0%{?fedora} > 27
+Requires: systemd%{?_isa} >= 235-3
+%else
+%if 0%{?fedora} == 27
+Requires: systemd%{?_isa} >= 234-9
+%else
+%if 0%{?fedora} == 26
+Requires: systemd%{?_isa} >= 233-7
+%else
+Requires: systemd%{?_isa} >= 236
+%endif
+%endif
+%endif
+
+%description systemd
+Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
+
+%package dracut
+Summary: Dracut integration for clevis
+Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
+Requires: dracut-network
+
+%description dracut
+Automatically unlocks LUKS block devices in early boot.
+
+%package udisks2
+Summary: UDisks2/Storaged integration for clevis
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+
+%description udisks2
+Automatically unlocks LUKS block devices in desktop environments that
+use UDisks2 or storaged (like GNOME).
+
+%prep
+%autosetup -S git
+
+%build
+%meson -Duser=clevis -Dgroup=clevis
+%meson_build
+
+%install
+%meson_install
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
+
+%check
+desktop-file-validate \
+ %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%meson_test
+
+%pre
+%sysusers_create_compat %{SOURCE1}
+# Add clevis user to tss group.
+if getent group tss >/dev/null && !
groups %{name} | grep -q "\btss\b"; then
+ usermod -a -G tss %{name} &>/dev/null
+fi
+exit 0
+
+%files
+%license COPYING
+%{_datadir}/bash-completion/
+%{_bindir}/%{name}-decrypt-tang
+%{_bindir}/%{name}-decrypt-tpm2
+%{_bindir}/%{name}-decrypt-sss
+%{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt
+%{_bindir}/%{name}-encrypt-tang
+%{_bindir}/%{name}-encrypt-tpm2
+%{_bindir}/%{name}-encrypt-sss
+%{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}-encrypt-tang.1*
+%{_mandir}/man1/%{name}-encrypt-tpm2.1*
+%{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-decrypt.1*
+%{_mandir}/man1/%{name}.1*
+%{_sysusersdir}/clevis.conf
+
+%files luks
+%{_mandir}/man7/%{name}-luks-unlockers.7*
+%{_mandir}/man1/%{name}-luks-unlock.1*
+%{_mandir}/man1/%{name}-luks-unbind.1*
+%{_mandir}/man1/%{name}-luks-bind.1*
+%{_mandir}/man1/%{name}-luks-list.1.*
+%{_mandir}/man1/%{name}-luks-edit.1.*
+%{_mandir}/man1/%{name}-luks-regen.1.*
+%{_mandir}/man1/%{name}-luks-report.1.*
+%{_mandir}/man1/%{name}-luks-pass.1.*
+%{_bindir}/%{name}-luks-unlock
+%{_bindir}/%{name}-luks-unbind
+%{_bindir}/%{name}-luks-bind
+%{_bindir}/%{name}-luks-common-functions
+%{_bindir}/%{name}-luks-list
+%{_bindir}/%{name}-luks-edit
+%{_bindir}/%{name}-luks-regen
+%{_bindir}/%{name}-luks-report
+%{_bindir}/%{name}-luks-pass
+
+%files systemd
+%{_libexecdir}/%{name}-luks-askpass
+%{_libexecdir}/%{name}-luks-unlocker
+%{_unitdir}/%{name}-luks-askpass.path
+%{_unitdir}/%{name}-luks-askpass.service
+
+%files dracut
+%{_prefix}/lib/dracut/modules.d/60%{name}
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+
+%files udisks2
+%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
+
+%post systemd
+systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
+
+%changelog
+## START: Generated by rpmautospec
+* Mon Jun 24 2024 Troy Dawson - 20-4
+- Bump release for June 2024 mass rebuild
+
+* Wed May 22 2024 koncpa - 20-3
+- Update name of passing set ot tests in gating
+
+* Tue May 21 2024 koncpa - 20-2
+- Enable RHEL gating for clevis
+
+* Tue May 21 2024 Sergio Arroutbi - 20-1
+- Rebase to clevis-20 upstream version
+
+* Wed Jan 24 2024 Fedora Release Engineering - 19-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 19-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jul 19 2023 Fedora Release Engineering - 19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed May 31 2023 Sergio Arroutbi - 19-3
+- Migrate to SPDX like licensing
+
+* Tue Feb 28 2023 Sergio Arroutbi - 19-2
+- Include LUKSv2 volumes in description
+
+* Thu Feb 02 2023 Sergio Correia - 19-1
+- Update to latest upstream version, v19
+
+* Wed Jan 18 2023 Fedora Release Engineering - 18-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 Sergio Arroutbi - 18-15
+- Backport upstream fixes
+
+* Fri Aug 05 2022 Luca BRUNO - 18-10
+- Simplify sysusers.d fragment by using default 'nologin' shell
+
+* Wed Jul 20 2022 Fedora Release Engineering - 18-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Jul 8 2022 Sergio Arroutbi - 18-8
+- Support a null pin
+
+* Tue Jun 28 2022 Sergio Arroutbi - 18-7
+ Start clevis-luks-askpass.patch service according to global policy
+
+* Wed Jan 19 2022 Fedora Release Engineering - 18-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Oct 29 2021 Sergio Correia - 18-5
+ Account for unlocking failures in clevis-luks-askpass
+ Resolves: rhbz#1878892
+
+* Tue Sep 14 2021 Sahana Prasad - 18-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021
Fedora Release Engineering - 18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri May 07 2021 Sergio Correia - 18-2
+- Port to OpenSSL 3
+ Backport of upstream commit (ee1dfedb)
+
+* Thu Apr 15 2021 Sergio Correia - 18-1
+- Update to new clevis upstream release, v18.
+
+* Wed Apr 14 2021 Sergio Correia - 17-1
+- Update to new clevis upstream release, v17.
+
+* Tue Mar 16 2021 Sergio Correia - 16-2
+- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
+
+* Tue Feb 09 2021 Sergio Correia - 16-1
+- Update to new clevis upstream release, v16.
+
+* Tue Jan 26 2021 Fedora Release Engineering - 15-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson - 15-3
+- Upstream patch for tpm-tools 5.0 support
+
+* Thu Oct 29 2020 Sergio Correia - 15-2
+- Add jq to dependencies
+
+* Wed Oct 28 2020 Sergio Correia - 15-1
+- Update to new clevis upstream release, v15.
+
+* Tue Sep 08 2020 Sergio Correia - 14-5
+- Suppress output in pre scriptlet when adjusting users/groups
+ Resolves: rhbz#1876729
+
+* Tue Sep 08 2020 Sergio Correia - 14-4
+- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
+ when receives a SIGTERM
+ Resolves: rhbz#1876001
+
+* Sat Sep 05 2020 Sergio Correia - 14-3
+- If clevis-luks-askpass is enabled, it may be using a wrong target,
+ since that changed in v14. Check and update it, if required.
+
+* Mon Aug 31 2020 Sergio Correia - 14-2
+- Update sources file with new v14 release.
+
+* Mon Aug 31 2020 Sergio Correia - 14-1
+- Update to new clevis upstream release, v14.
+
+* Sun Aug 02 2020 Benjamin Gilbert - 13-3
+- Downgrade cracklib-dicts to Recommends
+
+* Mon Jul 27 2020 Fedora Release Engineering - 13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun May 10 2020 Sergio Correia - 13-1
+- Update to new clevis upstream release, v13.
+
+* Thu May 07 2020 Sergio Correia - 12-4
+- cracklib-dicts should be also listed as a build dependency, since
+ it's required for running some of the tests
+
+* Mon Apr 06 2020 Sergio Correia - 12-3
+- Make cracklib-dicts a regular dependency
+
+* Tue Jan 28 2020 Fedora Release Engineering - 12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 20 2020 Sergio Correia - 12-1
+- Update to new clevis upstream release, v12.
+
+* Thu Dec 19 2019 Sergio Correia - 11-11
+- Backport upstream PR#70 - Handle case where we try to use a partially
+ used luksmeta slot
+ Resolves: rhbz#1672371
+
+* Thu Dec 05 2019 Sergio Correia - 11-10
+- Disable LUKS2 tests for now, since they fail randomly in Koji
+ builders, killing the build
+
+* Wed Dec 04 2019 Sergio Correia - 11-9
+- Backport of upstream patches and the following fixes:
+ - Rework the logic for reading the existing key
+ - fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
+ - pins/tang: check that key derivation key is available
+
+* Wed Oct 30 2019 Peter Robinson 11-8
+- Drop need network patch
+
+* Fri Sep 06 2019 Javier Martinez Canillas - 11-7
+- Add support for tpm2-tools 4.0
+
+* Wed Jul 24 2019 Fedora Release Engineering - 11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering - 11-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec 6 2018 Peter Robinson 11-4
+- Update patch for work around
+
+* Thu Dec 6 2018 Peter Robinson 11-3
+- Work around network requirement for early boot
+
+* Fri Nov 09 2018 Javier Martinez Canillas - 11-2
+- Delete remaining references to the removed http pin
+- Install cryptsetup and tpm2_pcrlist in the initramfs
+- Add device TCTI library to the initramfs
+ Resolves: rhbz#1644876
+
+* Tue Aug 14 2018 Nathaniel McCallum - 11-1
+- Update to v11
+
+* Thu Jul 12 2018 Fedora Release Engineering - 10-2
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Mar 21 2018 Nathaniel McCallum - 10-1
+- Update to v10
+
+* Tue Feb 13 2018 Nathaniel McCallum - 9-1
+- Update to v9
+
+* Wed Feb 07 2018 Fedora Release Engineering - 8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Nov 13 2017 Nathaniel McCallum - 8-1
+- Update to v8
+
+* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2
+- Rebuild for cryptsetup-2.0.0
+
+* Fri Oct 27 2017 Nathaniel McCallum - 7-1
+- Update to v7
+
+* Wed Aug 02 2017 Fedora Release Engineering - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Nathaniel McCallum - 6-1
+- New upstream release
+- Specify unprivileged user/group during configuration
+- Move clevis user/group creation to base clevis package
+
+* Mon Jun 26 2017 Nathaniel McCallum - 5-1
+- New upstream release
+- Run clevis decryption from udisks2 under an unprivileged user
+
+* Wed Jun 14 2017 Nathaniel McCallum - 4-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum - 3-1
+- New upstream release
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Nov 18 2016 Nathaniel McCallum - 2-1
+- New upstream release
+
+* Mon Nov 14 2016 Nathaniel McCallum - 1-1
+- First release
+
+## END: Generated by rpmautospec
diff --git a/clevis.sysusers b/clevis.sysusers
new file mode 100644
index 0000000..daad762
--- /dev/null
+++ b/clevis.sysusers
@@ -0,0 +1 @@
+u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -
diff --git a/sources b/sources
new file mode 100644
index 0000000..ebb2917
--- /dev/null
+++ b/sources
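Review bot: The `%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2` entry in `%files udisks2` installs a setuid-root binary with no comment on why root is required or how the privilege is contained, and that is the one line in this spec a security reviewer will stop on. The `%meson -Duser=clevis -Dgroup=clevis` build flags, the `clevis` sysuser created in `%pre` and the 5-1 changelog entry ("Run clevis decryption from udisks2 under an unprivileged user") suggest the helper forks the actual decryption as that user, and Patch1's filename indicates it is also the binary the SAST patch touches, so the rationale belongs next to the `%attr` line. I would add above it: `# setuid root: the udisks2 helper needs root to unlock LUKS volumes; the decryption itself is` / `# presumably run as the unprivileged 'clevis' user (see -Duser/-Dgroup in %build) -- confirm, and re-check whenever Patch1 changes`. Separately, the `%pre` scriptlet runs `usermod -a -G tss %{name} &>/dev/null` and then `exit 0`, so a failure to add `clevis` to the `tss` group is silent at install time and only surfaces later as a TPM access failure at first unlock; logging the failure (while keeping it non-fatal) would make that diagnosable.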
@@ -0,0 +1 @@
+SHA512 (clevis-20.tar.xz) = 26b89d7ca21a08dfb6abdf894c9867eb6954593adc384c651b2cf8effe6be962fa67a116b15e1a40a720d36d9726ea859dc907ffb72585da91949d9a620893fe