Backport upstream fixes

6e48a1c: luks-edit: remove unnecessary 2>/dev/null 3f879a3: Avoid invalid message for clevis command e0e92f8: Fix typo in error messages 47b01ab: Improve boot performance by removing key check f5786d3: Notify error url on server connect fail f621575: luks: fix typo when adding a pending device 0589c14: luks: ignore empty & comment lines in crypttab 3bb852b: luks: define max entropy bits for pwmake Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2022-12-16 12:36:54 +01:00 · 2022-12-16 12:36:54 +01:00 · b7dbfb6f3e
commit b7dbfb6f3e
parent de7b822cf3
9 changed files with 185 additions and 0 deletions
--- a/0005-luks-define-max-entropy-bits-for-pwmake.patch
+++ b/0005-luks-define-max-entropy-bits-for-pwmake.patch
@ -0,0 +1,42 @@
+--- clevis-18.ori/src/clevis.1.adoc	2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc	2022-12-16 11:25:48.407264932 +0100
+@@ -101,7 +101,7 @@
+ 
+ This command performs four steps:
+ 
+-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
+--- clevis-18.ori/src/luks/clevis-luks-common-functions.in	2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in	2022-12-16 14:39:32.694114153 +0100
+@@ -852,6 +852,7 @@
+     [ -z "${DEV}" ] && return 1
+ 
+     local dump filter bits
+    local MAX_ENTROPY_BITS=256  # Maximum allowed by pwmake.
+     dump=$(cryptsetup luksDump "${DEV}")
+     if cryptsetup isLuks --type luks1 "${DEV}"; then
+         filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+@@ -863,6 +864,9 @@
+     fi
+ 
+     bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+    if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+        bits="${MAX_ENTROPY_BITS}"
+    fi
+     pwmake "${bits}"
+ }
+ 
+--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc	2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc	2022-12-16 14:41:33.502788100 +0100
+@@ -20,7 +20,7 @@
+ 
+ This command performs four steps:
+ 
+-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
--- a/0006-luks-ignore-empty-and-comment-lines-in-crypttab.patch
+++ b/0006-luks-ignore-empty-and-comment-lines-in-crypttab.patch
@ -0,0 +1,16 @@
+--- clevis-18.ori/src/luks/clevis-luks-common-functions.in	2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in	2022-12-16 11:35:54.206644525 +0100
+@@ -399,7 +399,12 @@
+     clevis_devices=
+ 
+     # Build list of devices to unlock.
+-    while read -r _ crypt_device _; do
+    while read -r _volname_ crypt_device _; do
+        # skip empty lines and lines which begin with the '#' char, per
+        # crypttab(5)
+        case $_volname_ in
+            ''|\#*) continue ;;
+        esac
+         if ! dev=$(clevis_map_device "${crypt_device}") \
+                    || [ -z "${dev}" ]; then
+             # Unable to get the device - maybe it's not available, e.g. a
--- a/0007-luks-fix-typo-when-adding-a-pending-device.patch
+++ b/0007-luks-fix-typo-when-adding-a-pending-device.patch
@ -0,0 +1,11 @@
+--- clevis-18.0006/src/luks/clevis-luks-common-functions.in	2022-12-16 11:51:32.856881018 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in	2022-12-16 11:53:09.717421379 +0100
+@@ -410,7 +410,7 @@
+             # Unable to get the device - maybe it's not available, e.g. a
+             # device on a volume group that has not been activated yet.
+             # Add it to the list anyway, since it's a pending device.
+-            clevis_devices="${clevis_devices} ${dev}"
+            clevis_devices="${clevis_devices} ${crypt_device}"
+             continue
+         fi
+ 
--- a/0008-notify-error-url-on-server-connect-fail.patch
+++ b/0008-notify-error-url-on-server-connect-fail.patch
@ -0,0 +1,16 @@
+--- clevis-18.0007/src/pins/tang/clevis-decrypt-tang	2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tang/clevis-decrypt-tang	2022-12-16 11:55:59.187366809 +0100
+@@ -99,10 +99,10 @@
+ 
+ xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
+ 
+-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
+ ct="Content-Type: application/jwk+json"
+-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
+-    echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+    echo "Error communicating with server $url!" >&2
+     exit 1
+ fi
+ 
--- a/0009-improve-boot-performance-by-removing-key-check.patch
+++ b/0009-improve-boot-performance-by-removing-key-check.patch
@ -0,0 +1,39 @@
+--- clevis-18.0008/src/luks/clevis-luks-common-functions.in	2022-12-16 11:59:17.972475773 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in	2022-12-16 12:05:07.214424096 +0100
+@@ -319,6 +319,7 @@
+ clevis_luks_unlock_device_by_slot() {
+     local DEV="${1}"
+     local SLT="${2}"
+    local SKIP_CHECK="${3}"
+ 
+     [ -z "${DEV}" ] && return 1
+     [ -z "${SLT}" ] && return 1
+@@ -334,7 +335,9 @@
+         return 1
+     fi
+ 
+-    clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+    if [ -z "${SKIP_CHECK}" ]; then
+        clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+    fi
+     printf '%s' "${passphrase}"
+ }
+ 
+@@ -342,6 +345,8 @@
+ # parameter and returns the decoded passphrase.
+ clevis_luks_unlock_device() {
+     local DEV="${1}"
+    local SKIP_CHECK="YES"
+
+     [ -z "${DEV}" ] && return 1
+ 
+     local used_slots
+@@ -352,7 +357,7 @@
+ 
+     local slt pt
+     for slt in ${used_slots}; do
+-        if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+        if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
+                   || [ -z "${pt}" ]; then
+              continue
+         fi
--- a/0010-fix-typo-in-error-messages.patch
+++ b/0010-fix-typo-in-error-messages.patch
@ -0,0 +1,17 @@
+--- clevis-18.0009/src/pins/tpm2/clevis-decrypt-tpm2	2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tpm2/clevis-decrypt-tpm2	2022-12-16 12:22:51.788363059 +0100
+@@ -99,12 +99,12 @@
+ fi
+ 
+ if ! jwk_pub="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_pub -Su- <<< "$jhd")"; then
+-    echo "JWE missing required 'key' header parameter!" >&2
+    echo "JWE missing required 'jwk_pub' header parameter!" >&2
+     exit 1
+ fi
+ 
+ if ! jwk_priv="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- <<< "$jhd")"; then
+-    echo "JWE missing required 'key' header parameter!" >&2
+    echo "JWE missing required 'jwk_priv' header parameter!" >&2
+     exit 1
+ fi
+ 
--- a/0011-avoid-invalid-message-for-clevis-command.patch
+++ b/0011-avoid-invalid-message-for-clevis-command.patch
@ -0,0 +1,25 @@
+--- clevis-18.0010/src/clevis	2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis	2022-12-16 12:29:15.122501596 +0100
+@@ -27,6 +27,8 @@
+ }
+ 
+ cmd=clevis
+input_commands="$cmd $@"
+
+ while [ $# -gt 0 ]; do
+     [[ "$1" =~ ^- ]] && break
+     cmd="$cmd-$1"
+@@ -36,8 +38,11 @@
+ done
+ 
+ exec >&2
+-echo
+-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+    echo
+    echo "Command '$input_commands' is invalid"
+fi
+ echo
+ echo "Usage: clevis COMMAND [OPTIONS]"
+ echo
--- a/0012-luks-edit-remove-unnecessary-2-dev-null.patch
+++ b/0012-luks-edit-remove-unnecessary-2-dev-null.patch
@ -0,0 +1,11 @@
+--- clevis-18.0011/src/luks/clevis-luks-edit	2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-edit	2022-12-16 12:32:42.350657681 +0100
+@@ -173,7 +173,7 @@
+ 
+ echo "Updating binding..."
+ if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
+-                         "-y" "overwrite" 2>/dev/null; then
+                         "-y" "overwrite"; then
+     echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
+     exit 1
+ fi
--- a/clevis.spec
+++ b/clevis.spec
@ -12,6 +12,14 @@ Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
 Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
 Patch0003: 0003-feat-rename-the-test-pin-to-null-pin.patch
 Patch0004: 0004-clevis-external-token-id.patch
+Patch0005: 0005-luks-define-max-entropy-bits-for-pwmake.patch
+Patch0006: 0006-luks-ignore-empty-and-comment-lines-in-crypttab.patch
+Patch0007: 0007-luks-fix-typo-when-adding-a-pending-device.patch
+Patch0008: 0008-notify-error-url-on-server-connect-fail.patch
+Patch0009: 0009-improve-boot-performance-by-removing-key-check.patch
+Patch0010: 0010-fix-typo-in-error-messages.patch
+Patch0011: 0011-avoid-invalid-message-for-clevis-command.patch
+Patch0012: 0012-luks-edit-remove-unnecessary-2-dev-null.patch

 BuildRequires:  git-core
 BuildRequires:  gcc