import clevis-15-1.el8
							parent
							
								
									b2e84aface
								
							
						
					
					
						commit
						dbe4f9bd04
					
				| @ -1 +1 @@ | ||||
| 83aebcbe5792b43bf281b442f379cea08d7c43b0 SOURCES/clevis-13.tar.xz | ||||
| ce825a10c5aa885e001c963be4cc4a8dea2137b0 SOURCES/clevis-15.tar.xz | ||||
|  | ||||
										2
									
								
								.gitignore
							| @ -1 +1 @@ | ||||
| SOURCES/clevis-13.tar.xz | ||||
| SOURCES/clevis-15.tar.xz | ||||
|  | ||||
| @ -1,84 +0,0 @@ | ||||
| From 27a27befed2257c2156ed8b94d679951b9b1a4d5 Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Wed, 13 May 2020 23:51:04 -0300 | ||||
| Subject: [PATCH 1/8] Adjust pin-tang test to account for newer tang without | ||||
|  tangd-update | ||||
| 
 | ||||
| ---
 | ||||
|  src/luks/tests/unbind-unbound-slot-luks2 |  1 + | ||||
|  src/pins/tang/meson.build                |  8 +------- | ||||
|  src/pins/tang/pin-tang                   | 11 ++++++++--- | ||||
|  3 files changed, 10 insertions(+), 10 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/luks/tests/unbind-unbound-slot-luks2 b/src/luks/tests/unbind-unbound-slot-luks2
 | ||||
| index 6a2aca5..6d814ad 100755
 | ||||
| --- a/src/luks/tests/unbind-unbound-slot-luks2
 | ||||
| +++ b/src/luks/tests/unbind-unbound-slot-luks2
 | ||||
| @@ -36,6 +36,7 @@ TMP="$(mktemp -d)"
 | ||||
|   | ||||
|  DEV="${TMP}/luks2-device" | ||||
|  new_device "luks2" "${DEV}" | ||||
| +SLT=2
 | ||||
|  if clevis luks unbind -d "${DEV}" -s "${SLT}"; then | ||||
|      error "${TEST}: Unbind is expected to fail for device ${DEV} and slot ${SLT}" >&2 | ||||
|  fi | ||||
| diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
 | ||||
| index 74a3442..9b9a3db 100644
 | ||||
| --- a/src/pins/tang/meson.build
 | ||||
| +++ b/src/pins/tang/meson.build
 | ||||
| @@ -9,12 +9,6 @@ kgen = find_program(
 | ||||
|    '/usr/lib/x86_64-linux-gnu/tangd-keygen', | ||||
|    required: false | ||||
|  ) | ||||
| -updt = find_program(
 | ||||
| -  join_paths(libexecdir, 'tangd-update'),
 | ||||
| -  '/usr/libexec/tangd-update',
 | ||||
| -  '/usr/lib/x86_64-linux-gnu/tangd-update',
 | ||||
| -  required: false
 | ||||
| -)
 | ||||
|  tang = find_program( | ||||
|    join_paths(libexecdir, 'tangd'), | ||||
|    '/usr/libexec/tangd', | ||||
| @@ -28,7 +22,7 @@ if curl.found()
 | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1') | ||||
|   | ||||
| -  if actv.found() and kgen.found() and updt.found() and tang.found()
 | ||||
| +  if actv.found() and kgen.found() and tang.found()
 | ||||
|      env = environment() | ||||
|      env.set('SD_ACTIVATE', actv.path()) | ||||
|      env.append('PATH', | ||||
| diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
 | ||||
| index 1720d3d..8190f3d 100755
 | ||||
| --- a/src/pins/tang/pin-tang
 | ||||
| +++ b/src/pins/tang/pin-tang
 | ||||
| @@ -31,18 +31,23 @@ mkdir -p "$TMP"/db
 | ||||
|  mkdir -p "$TMP"/cache | ||||
|   | ||||
|  # Generate the server keys | ||||
| +KEYS="$TMP"/db
 | ||||
|  tangd-keygen "$TMP"/db sig exc | ||||
| -tangd-update "$TMP"/db "$TMP"/cache
 | ||||
| +if which tangd-update; then
 | ||||
| +    tangd-update "$TMP"/db "$TMP"/cache
 | ||||
| +    KEYS=$TMP/cache
 | ||||
| +fi
 | ||||
|   | ||||
|  # Start the server | ||||
|  port="$(shuf -i 1024-65536 -n 1)" | ||||
| -$SD_ACTIVATE --inetd -l 127.0.0.1:$port -a tangd "$TMP"/cache &
 | ||||
| +$SD_ACTIVATE --inetd -l 127.0.0.1:$port -a tangd "$KEYS" &
 | ||||
|  PID=$! | ||||
|  sleep 0.25 | ||||
|   | ||||
|  thp="$(jose jwk thp -i "$TMP/db/sig.jwk")" | ||||
| -adv="$TMP/cache/default.jws"
 | ||||
|  url="http://localhost:${port}" | ||||
| +adv="$TMP/adv"
 | ||||
| +curl "$url/adv" -o $adv
 | ||||
|   | ||||
|  cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")" | ||||
|  enc="$(echo -n "hi" | clevis encrypt tang "$cfg")" | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
| @ -0,0 +1,176 @@ | ||||
| From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Sun, 25 Oct 2020 11:15:46 -0300 | ||||
| Subject: [PATCH] Fixes for dealing with newer tang without tangd-update | ||||
| 
 | ||||
| ---
 | ||||
|  src/luks/tests/meson.build               | 11 +---------- | ||||
|  src/luks/tests/tests-common-functions.in | 19 +++++++++++-------- | ||||
|  src/pins/tang/meson.build                | 11 +---------- | ||||
|  src/pins/tang/pin-tang                   | 11 ++++++++--- | ||||
|  4 files changed, 21 insertions(+), 31 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
 | ||||
| index ba5f6a2..c0f9dc3 100644
 | ||||
| --- a/src/luks/tests/meson.build
 | ||||
| +++ b/src/luks/tests/meson.build
 | ||||
| @@ -17,14 +17,6 @@ kgen = find_program(
 | ||||
|    join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), | ||||
|    required: false | ||||
|  ) | ||||
| -updt = find_program(
 | ||||
| -  join_paths(libexecdir, 'tangd-update'),
 | ||||
| -  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
 | ||||
| -  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
 | ||||
| -  join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
 | ||||
| -  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
 | ||||
| -  required: false
 | ||||
| -)
 | ||||
|  tang = find_program( | ||||
|    join_paths(libexecdir, 'tangd'), | ||||
|    join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), | ||||
| @@ -58,11 +50,10 @@ env.prepend('PATH',
 | ||||
|  ) | ||||
|   | ||||
|  has_tang = false | ||||
| -if actv.found() and kgen.found() and updt.found() and tang.found()
 | ||||
| +if actv.found() and kgen.found() and tang.found()
 | ||||
|    has_tang = true | ||||
|    env.set('SD_ACTIVATE', actv.path()) | ||||
|    env.set('TANGD_KEYGEN', kgen.path()) | ||||
| -  env.set('TANGD_UPDATE', updt.path())
 | ||||
|    env.set('TANGD', tang.path()) | ||||
|  endif | ||||
|   | ||||
| diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
 | ||||
| index 8520715..318d007 100755
 | ||||
| --- a/src/luks/tests/tests-common-functions.in
 | ||||
| +++ b/src/luks/tests/tests-common-functions.in
 | ||||
| @@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
 | ||||
|          return 1 | ||||
|      fi | ||||
|   | ||||
| -    [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
 | ||||
| -
 | ||||
|      local db="${basedir}/db" | ||||
| -    local cache="${basedir}/cache"
 | ||||
|      mkdir -p "${db}" | ||||
| -    mkdir -p "${cache}"
 | ||||
| +
 | ||||
| +    if [ -n "${TANGD_UPDATE}" ]; then
 | ||||
| +        local cache="${basedir}/cache"
 | ||||
| +        mkdir -p "${cache}"
 | ||||
| +    fi
 | ||||
|   | ||||
|      pushd "${db}" | ||||
|          find . -name ".*.jwk" -exec rm -f {} \; | ||||
|      popd | ||||
|   | ||||
| -    "${TANGD_UPDATE}" "${db}" "${cache}"
 | ||||
| +    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
 | ||||
|      return 0 | ||||
|  } | ||||
|   | ||||
| @@ -277,12 +278,12 @@ tang_new_keys() {
 | ||||
|      fi | ||||
|   | ||||
|      [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined." | ||||
| -    [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
 | ||||
|   | ||||
|      local db="${basedir}/db" | ||||
| -    local cache="${basedir}/cache"
 | ||||
|      mkdir -p "${db}" | ||||
|   | ||||
| +    [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
 | ||||
| +
 | ||||
|      if [ -n "${rotate}" ]; then | ||||
|          pushd "${db}" | ||||
|              local k | ||||
| @@ -296,7 +297,7 @@ tang_new_keys() {
 | ||||
|      fi | ||||
|   | ||||
|      "${TANGD_KEYGEN}" "${db}" | ||||
| -    "${TANGD_UPDATE}" "${db}" "${cache}"
 | ||||
| +    [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
 | ||||
|   | ||||
|      return 0 | ||||
|  } | ||||
| @@ -322,6 +323,8 @@ tang_run() {
 | ||||
|      fi | ||||
|   | ||||
|      local KEYS="${basedir}/cache" | ||||
| +    [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
 | ||||
| +
 | ||||
|      local inetd='--inetd' | ||||
|      [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= | ||||
|   | ||||
| diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
 | ||||
| index f7d8226..ebcdd4a 100644
 | ||||
| --- a/src/pins/tang/meson.build
 | ||||
| +++ b/src/pins/tang/meson.build
 | ||||
| @@ -12,14 +12,6 @@ kgen = find_program(
 | ||||
|    join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), | ||||
|    required: false | ||||
|  ) | ||||
| -updt = find_program(
 | ||||
| -  join_paths(libexecdir, 'tangd-update'),
 | ||||
| -  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
 | ||||
| -  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
 | ||||
| -  join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
 | ||||
| -  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
 | ||||
| -  required: false
 | ||||
| -)
 | ||||
|  tang = find_program( | ||||
|    join_paths(libexecdir, 'tangd'), | ||||
|    join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), | ||||
| @@ -35,11 +27,10 @@ if curl.found()
 | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1') | ||||
|   | ||||
| -  if actv.found() and kgen.found() and updt.found() and tang.found()
 | ||||
| +  if actv.found() and kgen.found() and tang.found()
 | ||||
|      env = environment() | ||||
|      env.set('SD_ACTIVATE', actv.path()) | ||||
|      env.set('TANGD_KEYGEN', kgen.path()) | ||||
| -    env.set('TANGD_UPDATE', updt.path())
 | ||||
|      env.set('TANGD', tang.path()) | ||||
|      env.prepend('PATH', | ||||
|        join_paths(meson.source_root(), 'src'), | ||||
| diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
 | ||||
| index 98e5e4d..a63d0a2 100755
 | ||||
| --- a/src/pins/tang/pin-tang
 | ||||
| +++ b/src/pins/tang/pin-tang
 | ||||
| @@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
 | ||||
|  mkdir -p "$TMP"/cache | ||||
|   | ||||
|  # Generate the server keys | ||||
| +KEYS="$TMP"/db
 | ||||
|  "${TANGD_KEYGEN}" "$TMP"/db sig exc | ||||
| -"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
 | ||||
| +if which tangd-update; then
 | ||||
| +    tangd-update "$TMP"/db "$TMP"/cache
 | ||||
| +    KEYS="$TMP"/cache
 | ||||
| +fi
 | ||||
|   | ||||
|  # Start the server | ||||
|  port="$(shuf -i 1024-65536 -n 1)" | ||||
| @@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
 | ||||
|  inetd='--inetd' | ||||
|  [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= | ||||
|   | ||||
| -"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
 | ||||
| +"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
 | ||||
|  PID=$! | ||||
|  sleep 0.25 | ||||
|   | ||||
|  thp="$(jose jwk thp -i "$TMP/db/sig.jwk")" | ||||
| -adv="$TMP/cache/default.jws"
 | ||||
|  url="http://localhost:${port}" | ||||
| +adv="$TMP/adv"
 | ||||
| +curl "$url/adv" -o "$adv"
 | ||||
|   | ||||
|  cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")" | ||||
|  enc="$(echo -n "hi" | clevis encrypt tang "$cfg")" | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
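Review bot: `if which tangd-update; then` in the src/pins/tang/pin-tang hunk writes the resolved path to the test's stdout and depends on `which`, which is not a POSIX utility and is a separate package on some minimal images; `if command -v tangd-update >/dev/null 2>&1; then` is the portable bash form and keeps the output clean. The neighbouring `curl "$url/adv" -o "$adv"` stores whatever the server answers, including an HTTP error body, under the advertisement path, so a failed fetch only surfaces later when `clevis encrypt tang` rejects the file; `curl -sf "$url/adv" -o "$adv"` makes the fetch step itself fail. The pin-tang script continues outside this hunk.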
| @ -1,7 +1,7 @@ | ||||
| From e3641a7193adac1cea525c093f39679c2cfa22c9 Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Wed, 13 May 2020 23:53:38 -0300 | ||||
| Subject: [PATCH 5/8] Add the option to extract luks passphrase used for | ||||
| From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001 | ||||
| From: rpm-build <rpm-build> | ||||
| Date: Tue, 3 Nov 2020 08:42:48 -0300 | ||||
| Subject: [PATCH 2/2] Add the option to extract luks passphrase used for | ||||
|  binding | ||||
| 
 | ||||
| Usage: | ||||
| @ -9,13 +9,13 @@ Usage: | ||||
| clevis luks pass -d /dev/sda1 -s 1 | ||||
| <passphrase here> | ||||
| ---
 | ||||
|  src/luks/clevis-luks-pass        | 69 +++++++++++++++++++++++++++++ | ||||
|  src/luks/clevis-luks-pass.1.adoc | 43 ++++++++++++++++++ | ||||
|  src/luks/clevis-luks-pass        | 64 ++++++++++++++++++++++++++++++++ | ||||
|  src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++ | ||||
|  src/luks/meson.build             |  3 ++ | ||||
|  src/luks/tests/meson.build       | 11 +++++ | ||||
|  src/luks/tests/pass-tang-luks1   | 75 ++++++++++++++++++++++++++++++++ | ||||
|  src/luks/tests/pass-tang-luks2   | 75 ++++++++++++++++++++++++++++++++ | ||||
|  6 files changed, 276 insertions(+) | ||||
|  src/luks/tests/meson.build       |  2 + | ||||
|  src/luks/tests/pass-tang-luks1   | 59 +++++++++++++++++++++++++++++ | ||||
|  src/luks/tests/pass-tang-luks2   | 59 +++++++++++++++++++++++++++++ | ||||
|  6 files changed, 230 insertions(+) | ||||
|  create mode 100755 src/luks/clevis-luks-pass | ||||
|  create mode 100644 src/luks/clevis-luks-pass.1.adoc | ||||
|  create mode 100755 src/luks/tests/pass-tang-luks1 | ||||
| @ -23,12 +23,12 @@ clevis luks pass -d /dev/sda1 -s 1 | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
 | ||||
| new file mode 100755 | ||||
| index 0000000..1ce8c4c
 | ||||
| index 0000000..1f59b39
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-pass
 | ||||
| @@ -0,0 +1,69 @@
 | ||||
| @@ -0,0 +1,64 @@
 | ||||
| +#!/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2019 Red Hat, Inc.
 | ||||
| +# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
 | ||||
| @ -51,16 +51,16 @@ index 0000000..1ce8c4c | ||||
| +
 | ||||
| +SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
 | ||||
| +
 | ||||
| +function usage() {
 | ||||
| +    echo >&2
 | ||||
| +    echo "Usage: clevis luks pass -d DEV -s SLT" >&2
 | ||||
| +    echo >&2
 | ||||
| +    echo "$SUMMARY": >&2
 | ||||
| +    echo >&2
 | ||||
| +    echo "  -d DEV  The LUKS device to extract the LUKS passphrase used for binding" >&2
 | ||||
| +    echo >&2
 | ||||
| +    echo "  -s SLOT The slot number to extract the LUKS passphrase" >&2
 | ||||
| +    echo >&2
 | ||||
| +usage() {
 | ||||
| +    exec >&2
 | ||||
| +    echo "Usage: clevis luks pass -d DEV -s SLT"
 | ||||
| +    echo
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    echo
 | ||||
| +    echo "  -d DEV  The LUKS device to extract the LUKS passphrase used for binding"
 | ||||
| +    echo
 | ||||
| +    echo "  -s SLOT The slot number to extract the LUKS passphrase"
 | ||||
| +    echo
 | ||||
| +    exit 1
 | ||||
| +}
 | ||||
| +
 | ||||
| @ -87,13 +87,8 @@ index 0000000..1ce8c4c | ||||
| +    usage
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLT}" 2>/dev/null); then
 | ||||
| +    echo "It was not possible to read slot ${SLT} from ${DEV}!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! clevis decrypt < <(echo -n "${jwe}"); then
 | ||||
| +    echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in {DEV}!" >&2
 | ||||
| +if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
 | ||||
| +    echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
 | ||||
| @ -146,13 +141,13 @@ index 0000000..fa9526a | ||||
| +
 | ||||
| +link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
 | ||||
| diff --git a/src/luks/meson.build b/src/luks/meson.build
 | ||||
| index 0d24f8d..fda2ca8 100644
 | ||||
| index 12f5a0d..008736e 100644
 | ||||
| --- a/src/luks/meson.build
 | ||||
| +++ b/src/luks/meson.build
 | ||||
| @@ -41,6 +41,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
 | ||||
| @@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
 | ||||
|   | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-luks-unlock') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlock.1') | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1') | ||||
| +
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
 | ||||
| +  mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
 | ||||
| @ -160,51 +155,31 @@ index 0d24f8d..fda2ca8 100644 | ||||
|    warning('Will not install LUKS support due to missing dependencies!') | ||||
|  endif | ||||
| diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
 | ||||
| index 9a16b42..4757c4b 100644
 | ||||
| index c22a069..f4584aa 100644
 | ||||
| --- a/src/luks/tests/meson.build
 | ||||
| +++ b/src/luks/tests/meson.build
 | ||||
| @@ -1,3 +1,9 @@
 | ||||
| +actv = find_program(
 | ||||
| +  'systemd-socket-activate',
 | ||||
| +  'systemd-activate',
 | ||||
| +  required: false
 | ||||
| +)
 | ||||
| +
 | ||||
|  # We use jq for comparing the pin config in the clevis luks list tests. | ||||
|  jq = find_program('jq', required: false) | ||||
|   | ||||
| @@ -45,8 +51,11 @@ env.prepend('PATH',
 | ||||
|    join_paths(meson.build_root(), 'src', 'pins', 'sss'), | ||||
|    join_paths(meson.build_root(), 'src', 'pins', 'tang'), | ||||
|    join_paths(meson.build_root(), 'src', 'pins', 'tpm2'), | ||||
| +  libexecdir,
 | ||||
| +  '/usr/libexec',
 | ||||
|    separator: ':' | ||||
|  ) | ||||
| +env.set('SD_ACTIVATE', actv.path())
 | ||||
|   | ||||
|  has_tang = false | ||||
|  if actv.found() and kgen.found() and tang.found() | ||||
| @@ -77,6 +86,7 @@ endif
 | ||||
|  if has_tang | ||||
|    test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90) | ||||
| @@ -84,6 +84,7 @@ if has_tang
 | ||||
|    test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90) | ||||
|    test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90) | ||||
|    test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150) | ||||
| +  test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
 | ||||
|  endif | ||||
| +test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env)
 | ||||
|   | ||||
|  # LUKS2 tests go here, and they get included if we get support for it, based | ||||
|  # on the cryptsetup version. | ||||
| @@ -96,4 +106,5 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
 | ||||
|    if has_tang | ||||
|      test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120) | ||||
|    endif | ||||
|  test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60) | ||||
| @@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
 | ||||
|      test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120) | ||||
|      test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120) | ||||
|      test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210) | ||||
| +    test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
 | ||||
|    endif | ||||
|   | ||||
|  test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120) | ||||
| diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
 | ||||
| new file mode 100755 | ||||
| index 0000000..05cdb3e
 | ||||
| index 0000000..0d91e6c
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/pass-tang-luks1
 | ||||
| @@ -0,0 +1,75 @@
 | ||||
| @@ -0,0 +1,59 @@
 | ||||
| +#!/bin/bash -x
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| @ -227,36 +202,25 @@ index 0000000..05cdb3e | ||||
| +
 | ||||
| +TEST="${0}"
 | ||||
| +. tests-common-functions
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +function on_exit() {
 | ||||
| +    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
 | ||||
| +    [ -d "$TMP" ] && rm -rf $TMP
 | ||||
| +    [ ! -d "${TMP}" ] && return 0
 | ||||
| +    tang_stop "${TMP}"
 | ||||
| +    rm -rf "${TMP}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'exit' ERR
 | ||||
| +
 | ||||
| +export TMP=$(mktemp -d)
 | ||||
| +mkdir -p "${TMP}/db"
 | ||||
| +TMP=$(mktemp -d)
 | ||||
| +
 | ||||
| +# Generate the server keys
 | ||||
| +KEYS="$TMP/db"
 | ||||
| +tangd-keygen $TMP/db sig exc
 | ||||
| +if which tangd-update; then
 | ||||
| +    mkdir -p "${TMP}/cache"
 | ||||
| +    tangd-update "${TMP}/db" "${TMP}/cache"
 | ||||
| +    KEYS="${TMP}/cache"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Start the server.
 | ||||
| +port=$(shuf -i 1024-65536 -n 1)
 | ||||
| +"${SD_ACTIVATE}" --inetd -l 127.0.0.1:"${port}" -a tangd "${KEYS}" &
 | ||||
| +export PID=$!
 | ||||
| +sleep 0.25
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://localhost:${port}"
 | ||||
| +adv="${TMP}/adv"
 | ||||
| +curl "${url}/adv" -o "${adv}"
 | ||||
| +tang_get_adv "${port}" "${adv}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
 | ||||
| +
 | ||||
| @ -272,20 +236,15 @@ index 0000000..05cdb3e | ||||
| +SLT=1
 | ||||
| +PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
 | ||||
| +echo $PASS >&2
 | ||||
| +if ! cryptsetup luksOpen --test-passphrase ""${DEV} \
 | ||||
| +        --key-file <(clevis luks pass -d "${DEV}" -s "${SLT}"); then
 | ||||
| +if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
 | ||||
| +    error "Passphrase obtained from clevis luks pass failed."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +kill -9 "${PID}"
 | ||||
| +! wait "${PID}"
 | ||||
| +unset PID
 | ||||
| diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
 | ||||
| new file mode 100755 | ||||
| index 0000000..9123aa0
 | ||||
| index 0000000..2d50413
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/pass-tang-luks2
 | ||||
| @@ -0,0 +1,75 @@
 | ||||
| @@ -0,0 +1,59 @@
 | ||||
| +#!/bin/bash -x
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| @ -308,36 +267,25 @@ index 0000000..9123aa0 | ||||
| +
 | ||||
| +TEST="${0}"
 | ||||
| +. tests-common-functions
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +function on_exit() {
 | ||||
| +    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
 | ||||
| +    [ -d "$TMP" ] && rm -rf $TMP
 | ||||
| +    [ ! -d "${TMP}" ] && return 0
 | ||||
| +    tang_stop "${TMP}"
 | ||||
| +    rm -rf "${TMP}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'exit' ERR
 | ||||
| +
 | ||||
| +export TMP=$(mktemp -d)
 | ||||
| +mkdir -p "${TMP}/db"
 | ||||
| +TMP=$(mktemp -d)
 | ||||
| +
 | ||||
| +# Generate the server keys
 | ||||
| +KEYS="$TMP/db"
 | ||||
| +tangd-keygen $TMP/db sig exc
 | ||||
| +if which tangd-update; then
 | ||||
| +    mkdir -p "${TMP}/cache"
 | ||||
| +    tangd-update "${TMP}/db" "${TMP}/cache"
 | ||||
| +    KEYS="${TMP}/cache"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Start the server.
 | ||||
| +port=$(shuf -i 1024-65536 -n 1)
 | ||||
| +"${SD_ACTIVATE}" --inetd -l 127.0.0.1:"${port}" -a tangd "${KEYS}" &
 | ||||
| +export PID=$!
 | ||||
| +sleep 0.25
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://localhost:${port}"
 | ||||
| +adv="${TMP}/adv"
 | ||||
| +curl "${url}/adv" -o "${adv}"
 | ||||
| +tang_get_adv "${port}" "${adv}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
 | ||||
| +
 | ||||
| @ -353,14 +301,9 @@ index 0000000..9123aa0 | ||||
| +SLT=1
 | ||||
| +PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
 | ||||
| +echo $PASS >&2
 | ||||
| +if ! cryptsetup luksOpen --test-passphrase ""${DEV} \
 | ||||
| +        --key-file <(clevis luks pass -d "${DEV}" -s "${SLT}"); then
 | ||||
| +if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
 | ||||
| +    error "Passphrase obtained from clevis luks pass failed."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +kill -9 "${PID}"
 | ||||
| +! wait "${PID}"
 | ||||
| +unset PID
 | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 2.29.2 | ||||
| 
 | ||||
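Review bot: In the src/luks/tests/pass-tang-luks1 hunk the line `echo $PASS >&2`, which appears to be kept as context, prints the recovered LUKS passphrase to stderr, and because the script header keeps `#!/bin/bash -x` the `PASS=$(...)` assignment and the `clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"` call are traced as well, so the secret lands several times in the test log. The new validity check already reports a wrong passphrase, so the echo adds nothing and can be dropped; if a diagnostic is wanted, log only its length or a fixed marker. The same line is kept in the pass-tang-luks2 hunk. Both test scripts continue outside their hunks.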
| @ -1,732 +0,0 @@ | ||||
| From e5f6d87d5c71f3faf0c0dbe38534fd3eab30f43e Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Wed, 13 May 2020 23:51:04 -0300 | ||||
| Subject: [PATCH 2/8] Fix clevis luks unlock and add related tests | ||||
| 
 | ||||
| ---
 | ||||
|  src/luks/clevis-luks-common-functions    |  35 ++++++ | ||||
|  src/luks/clevis-luks-unlock              |  68 ++++++++++++ | ||||
|  src/luks/clevis-luks-unlock.in           | 130 ---------------------- | ||||
|  src/luks/meson.build                     |  10 +- | ||||
|  src/luks/tests/meson.build               |  40 +++++++ | ||||
|  src/luks/tests/tests-common-functions.in | 134 +++++++++++++++++++++-- | ||||
|  src/luks/tests/unlock-tang-luks1         |  83 ++++++++++++++ | ||||
|  src/luks/tests/unlock-tang-luks2         |  83 ++++++++++++++ | ||||
|  8 files changed, 439 insertions(+), 144 deletions(-) | ||||
|  create mode 100755 src/luks/clevis-luks-unlock | ||||
|  delete mode 100755 src/luks/clevis-luks-unlock.in | ||||
|  create mode 100755 src/luks/tests/unlock-tang-luks1 | ||||
|  create mode 100755 src/luks/tests/unlock-tang-luks2 | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
 | ||||
| index e27c444..d04fdb5 100644
 | ||||
| --- a/src/luks/clevis-luks-common-functions
 | ||||
| +++ b/src/luks/clevis-luks-common-functions
 | ||||
| @@ -281,3 +281,38 @@ clevis_luks_read_pins_from_slot() {
 | ||||
|      fi | ||||
|      printf "%s: %s\n" "${SLOT}" "${cfg}" | ||||
|  } | ||||
| +
 | ||||
| +# clevis_luks_unlock_device() does the unlock of the device passed as
 | ||||
| +# parameter and returns the decoded passphrase.
 | ||||
| +clevis_luks_unlock_device() {
 | ||||
| +    local DEV="${1}"
 | ||||
| +    [ -z "${DEV}" ] && return 1
 | ||||
| +
 | ||||
| +    local used_slots
 | ||||
| +    if ! used_slots=$(clevis_luks_used_slots "${DEV}") \
 | ||||
| +                      || [ -z "${used_slots}" ]; then
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    local slt jwe passphrase
 | ||||
| +    for slt in ${used_slots}; do
 | ||||
| +        if ! jwe="$(clevis_luks_read_slot "${DEV}" "${slt}" 2>/dev/null)" \
 | ||||
| +                   || [ -z "${jwe}" ]; then
 | ||||
| +            continue
 | ||||
| +        fi
 | ||||
| +
 | ||||
| +        if ! passphrase="$(clevis decrypt < <(echo -n "${jwe}"))" \
 | ||||
| +                           || [ -z "${passphrase}" ]; then
 | ||||
| +            continue
 | ||||
| +        fi
 | ||||
| +
 | ||||
| +        if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
 | ||||
| +             --key-file <(echo -n "${passphrase}"); then
 | ||||
| +            continue
 | ||||
| +        fi
 | ||||
| +        echo -n "${passphrase}"
 | ||||
| +        return 0
 | ||||
| +    done
 | ||||
| +
 | ||||
| +    return 1
 | ||||
| +}
 | ||||
| diff --git a/src/luks/clevis-luks-unlock b/src/luks/clevis-luks-unlock
 | ||||
| new file mode 100755 | ||||
| index 0000000..580fde8
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-unlock
 | ||||
| @@ -0,0 +1,68 @@
 | ||||
| +#!/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2016 Red Hat, Inc.
 | ||||
| +# Author: Nathaniel McCallum <npmccallum@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +SUMMARY="Unlocks a LUKS volume"
 | ||||
| +
 | ||||
| +function usage() {
 | ||||
| +    exec >&2
 | ||||
| +    echo
 | ||||
| +    echo "Usage: clevis luks unlock -d DEV [-n NAME]"
 | ||||
| +    echo
 | ||||
| +    echo "$SUMMARY":
 | ||||
| +    echo
 | ||||
| +    echo "  -d DEV  The LUKS device on which to perform unlocking"
 | ||||
| +    echo
 | ||||
| +    echo "  -n NAME The name of the unlocked device node"
 | ||||
| +    echo
 | ||||
| +    exit 2
 | ||||
| +}
 | ||||
| +
 | ||||
| +if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 0
 | ||||
| +fi
 | ||||
| +
 | ||||
| +while getopts ":d:n:" o; do
 | ||||
| +    case "$o" in
 | ||||
| +    d) DEV="$OPTARG";;
 | ||||
| +    n) NAME="$OPTARG";;
 | ||||
| +    *) usage;;
 | ||||
| +    esac
 | ||||
| +done
 | ||||
| +
 | ||||
| +if [ -z "$DEV" ]; then
 | ||||
| +    echo "Did not specify a device!" >&2
 | ||||
| +    usage
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! cryptsetup isLuks "$DEV"; then
 | ||||
| +    echo "$DEV is not a LUKS device!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +NAME="${NAME:-luks-"$(cryptsetup luksUUID "$DEV")"}"
 | ||||
| +
 | ||||
| +if ! pt=$(clevis_luks_unlock_device "${DEV}"); then
 | ||||
| +    echo "${DEV} could not be opened." >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +cryptsetup open -d- "${DEV}" "${NAME}" < <(echo -n "${pt}")
 | ||||
| diff --git a/src/luks/clevis-luks-unlock.in b/src/luks/clevis-luks-unlock.in
 | ||||
| deleted file mode 100755 | ||||
| index aa3134b..0000000
 | ||||
| --- a/src/luks/clevis-luks-unlock.in
 | ||||
| +++ /dev/null
 | ||||
| @@ -1,130 +0,0 @@
 | ||||
| -#!/bin/bash -e
 | ||||
| -# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| -#
 | ||||
| -# Copyright (c) 2016 Red Hat, Inc.
 | ||||
| -# Author: Nathaniel McCallum <npmccallum@redhat.com>
 | ||||
| -#
 | ||||
| -# This program is free software: you can redistribute it and/or modify
 | ||||
| -# it under the terms of the GNU General Public License as published by
 | ||||
| -# the Free Software Foundation, either version 3 of the License, or
 | ||||
| -# (at your option) any later version.
 | ||||
| -#
 | ||||
| -# This program is distributed in the hope that it will be useful,
 | ||||
| -# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| -# GNU General Public License for more details.
 | ||||
| -#
 | ||||
| -# You should have received a copy of the GNU General Public License
 | ||||
| -# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| -#
 | ||||
| -
 | ||||
| -SUMMARY="Unlocks a LUKS volume"
 | ||||
| -UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 | ||||
| -
 | ||||
| -# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
 | ||||
| -# Support is determined at build time.
 | ||||
| -function luks2_supported() {
 | ||||
| -    return @OLD_CRYPTSETUP@
 | ||||
| -}
 | ||||
| -
 | ||||
| -function usage() {
 | ||||
| -    exec >&2
 | ||||
| -    echo
 | ||||
| -    echo "Usage: clevis luks unlock -d DEV [-n NAME]"
 | ||||
| -    echo
 | ||||
| -    echo "$SUMMARY":
 | ||||
| -    echo
 | ||||
| -    echo "  -d DEV  The LUKS device on which to perform unlocking"
 | ||||
| -    echo
 | ||||
| -    echo "  -n NAME The name of the unlocked device node"
 | ||||
| -    echo
 | ||||
| -    exit 2
 | ||||
| -}
 | ||||
| -
 | ||||
| -if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
 | ||||
| -    echo "$SUMMARY"
 | ||||
| -    exit 0
 | ||||
| -fi
 | ||||
| -
 | ||||
| -while getopts ":d:n:" o; do
 | ||||
| -    case "$o" in
 | ||||
| -    d) DEV="$OPTARG";;
 | ||||
| -    n) NAME="$OPTARG";;
 | ||||
| -    *) usage;;
 | ||||
| -    esac
 | ||||
| -done
 | ||||
| -
 | ||||
| -if [ -z "$DEV" ]; then
 | ||||
| -    echo "Did not specify a device!" >&2
 | ||||
| -    usage
 | ||||
| -fi
 | ||||
| -
 | ||||
| -if ! cryptsetup isLuks "$DEV"; then
 | ||||
| -    echo "$DEV is not a LUKS device!" >&2
 | ||||
| -    exit 1
 | ||||
| -fi
 | ||||
| -
 | ||||
| -if luks2_supported; then
 | ||||
| -    if cryptsetup isLuks --type luks1 "$DEV"; then
 | ||||
| -        luks_type="luks1"
 | ||||
| -    elif cryptsetup isLuks --type luks2 "$DEV";then
 | ||||
| -        luks_type="luks2"
 | ||||
| -    else
 | ||||
| -        echo "$DEV is not a supported LUKS device!" >&2
 | ||||
| -        exit 1
 | ||||
| -    fi
 | ||||
| -else
 | ||||
| -    luks_type="luks1"
 | ||||
| -fi
 | ||||
| -NAME="${NAME:-luks-"$(cryptsetup luksUUID "$DEV")"}"
 | ||||
| -
 | ||||
| -luks1_decrypt() {
 | ||||
| -    luksmeta load "$@" \
 | ||||
| -        | clevis decrypt
 | ||||
| -
 | ||||
| -    local rc
 | ||||
| -    for rc in "${PIPESTATUS[@]}"; do
 | ||||
| -        [ $rc -eq 0 ] || return $rc
 | ||||
| -    done
 | ||||
| -    return 0
 | ||||
| -}
 | ||||
| -
 | ||||
| -luks2_decrypt() {
 | ||||
| -    # jose jwe fmt -c outputs extra \n, so clean it up
 | ||||
| -    cryptsetup token export "$@" \
 | ||||
| -        | jose fmt -j- -Og jwe -o- \
 | ||||
| -        | jose jwe fmt -i- -c \
 | ||||
| -        | tr -d '\n' \
 | ||||
| -        | clevis decrypt
 | ||||
| -
 | ||||
| -    local rc
 | ||||
| -    for rc in "${PIPESTATUS[@]}"; do
 | ||||
| -        [ $rc -eq 0 ] || return $rc
 | ||||
| -    done
 | ||||
| -    return 0
 | ||||
| -}
 | ||||
| -
 | ||||
| -if [ "$luks_type" == "luks1" ]; then
 | ||||
| -    while read -r slot state uuid; do
 | ||||
| -        [ "$state" == "active" ] || continue
 | ||||
| -        [ "$uuid" == "$UUID" ] || continue
 | ||||
| -
 | ||||
| -        pt="$(luks1_decrypt -d $DEV -s $slot -u $UUID)" \
 | ||||
| -            || continue
 | ||||
| -        exec cryptsetup open -d- "$DEV" "$NAME" < <(
 | ||||
| -            echo -n "$pt"
 | ||||
| -        )
 | ||||
| -    done < <(luksmeta show -d "$DEV")
 | ||||
| -
 | ||||
| -elif [ "$luks_type" == "luks2" ]; then
 | ||||
| -    while read -r id; do
 | ||||
| -        pt="$(luks2_decrypt --token-id "$id" "$DEV")" \
 | ||||
| -            || continue
 | ||||
| -        exec cryptsetup open -d- "$DEV" "$NAME" < <(
 | ||||
| -            echo -n "$pt"
 | ||||
| -        )
 | ||||
| -    done < <(cryptsetup luksDump "$DEV" | sed -rn 's|^\s+([0-9]+): clevis|\1|p')
 | ||||
| -fi
 | ||||
| -
 | ||||
| -echo "$DEV could not be opened." >&2
 | ||||
| -exit 1
 | ||||
| diff --git a/src/luks/meson.build b/src/luks/meson.build
 | ||||
| index bbba63f..0d24f8d 100644
 | ||||
| --- a/src/luks/meson.build
 | ||||
| +++ b/src/luks/meson.build
 | ||||
| @@ -21,9 +21,7 @@ clevis_luks_bind = configure_file(input: 'clevis-luks-bind.in',
 | ||||
|  clevis_luks_unbind = configure_file(input: 'clevis-luks-unbind.in', | ||||
|                 output: 'clevis-luks-unbind', | ||||
|                 configuration: luksmeta_data) | ||||
| -clevis_luks_unlock = configure_file(input: 'clevis-luks-unlock.in',
 | ||||
| -               output: 'clevis-luks-unlock',
 | ||||
| -               configuration: luksmeta_data)
 | ||||
| +
 | ||||
|  if libcryptsetup.found() and luksmeta.found() and pwmake.found() | ||||
|    subdir('systemd') | ||||
|    subdir('udisks2') | ||||
| @@ -31,18 +29,18 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
 | ||||
|    bins += clevis_luks_unbind | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-unbind.1') | ||||
|   | ||||
| -  bins += clevis_luks_unlock
 | ||||
| -  mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlock.1')
 | ||||
| -
 | ||||
|    bins += clevis_luks_bind | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-bind.1') | ||||
|   | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7') | ||||
|   | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-luks-common-functions') | ||||
| +
 | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-luks-list') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-list.1') | ||||
|   | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-unlock')
 | ||||
| +  mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlock.1')
 | ||||
|  else | ||||
|    warning('Will not install LUKS support due to missing dependencies!') | ||||
|  endif | ||||
| diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
 | ||||
| index 2e0fb92..9a16b42 100644
 | ||||
| --- a/src/luks/tests/meson.build
 | ||||
| +++ b/src/luks/tests/meson.build
 | ||||
| @@ -1,6 +1,30 @@
 | ||||
|  # We use jq for comparing the pin config in the clevis luks list tests. | ||||
|  jq = find_program('jq', required: false) | ||||
|   | ||||
| +# we use systemd-socket-activate for running test tang servers.
 | ||||
| +actv = find_program(
 | ||||
| +  'systemd-socket-activate',
 | ||||
| +  'systemd-activate',
 | ||||
| +  required: false
 | ||||
| +)
 | ||||
| +
 | ||||
| +kgen = find_program(
 | ||||
| +  join_paths(libexecdir, 'tangd-keygen'),
 | ||||
| +  join_paths(get_option('prefix'), get_option('libdir'), 'tangd-keygen'),
 | ||||
| +  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-keygen'),
 | ||||
| +  join_paths('/', 'usr', get_option('libdir'), 'tangd-keygen'),
 | ||||
| +  join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
 | ||||
| +  required: false
 | ||||
| +)
 | ||||
| +tang = find_program(
 | ||||
| +  join_paths(libexecdir, 'tangd'),
 | ||||
| +  join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
 | ||||
| +  join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd'),
 | ||||
| +  join_paths('/', 'usr', get_option('libdir'), 'tangd'),
 | ||||
| +  join_paths('/', 'usr', get_option('libexecdir'), 'tangd'),
 | ||||
| +  required: false
 | ||||
| +)
 | ||||
| +
 | ||||
|  common_functions = configure_file(input: 'tests-common-functions.in', | ||||
|    output: 'tests-common-functions', | ||||
|    configuration: luksmeta_data, | ||||
| @@ -24,6 +48,14 @@ env.prepend('PATH',
 | ||||
|    separator: ':' | ||||
|  ) | ||||
|   | ||||
| +has_tang = false
 | ||||
| +if actv.found() and kgen.found() and tang.found()
 | ||||
| +  has_tang = true
 | ||||
| +  env.set('SD_ACTIVATE', actv.path())
 | ||||
| +  env.set('TANGD_KEYGEN', kgen.path())
 | ||||
| +  env.set('TANGD', tang.path())
 | ||||
| +endif
 | ||||
| +
 | ||||
|  test('bind-wrong-pass-luks1', find_program('bind-wrong-pass-luks1'), env: env) | ||||
|  test('bind-luks1', find_program('bind-luks1'), env: env) | ||||
|  test('unbind-unbound-slot-luks1', find_program('unbind-unbound-slot-luks1'), env: env) | ||||
| @@ -42,6 +74,10 @@ else
 | ||||
|    warning('Will not run "clevis luks list" tests due to missing jq dependency') | ||||
|  endif | ||||
|   | ||||
| +if has_tang
 | ||||
| +  test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
 | ||||
| +endif
 | ||||
| +
 | ||||
|  # LUKS2 tests go here, and they get included if we get support for it, based | ||||
|  # on the cryptsetup version. | ||||
|  # Binding LUKS2 takes longer, so timeout is increased for a few tests. | ||||
| @@ -56,4 +92,8 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
 | ||||
|      test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60) | ||||
|      test('list-sss-tang-luks2', find_program('list-sss-tang-luks2'), env: env, timeout: 60) | ||||
|    endif | ||||
| +
 | ||||
| +  if has_tang
 | ||||
| +    test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
 | ||||
| +  endif
 | ||||
|  endif | ||||
| diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
 | ||||
| index 90420d1..7b3fdad 100755
 | ||||
| --- a/src/luks/tests/tests-common-functions.in
 | ||||
| +++ b/src/luks/tests/tests-common-functions.in
 | ||||
| @@ -56,7 +56,7 @@ new_device() {
 | ||||
|   | ||||
|      # Some builders fail if the cryptsetup steps are not ran as root, so let's | ||||
|      # skip the test now if not running as root. | ||||
| -    if [ $(id -u) != 0 ]; then
 | ||||
| +    if [ "$(id -u)" != 0 ]; then
 | ||||
|          skip_test "WARNING: You must be root to run this test; test skipped." | ||||
|      fi | ||||
|   | ||||
| @@ -74,9 +74,9 @@ new_device() {
 | ||||
|          return 0 | ||||
|      fi | ||||
|   | ||||
| -    fallocate -l16M "${DEV}"
 | ||||
| -    local extra_options='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'
 | ||||
| -    cryptsetup luksFormat --type "${LUKS}" ${extra_options} --batch-mode \
 | ||||
| +    fallocate -l64M "${DEV}"
 | ||||
| +    cryptsetup luksFormat --type "${LUKS}" --pbkdf pbkdf2 \
 | ||||
| +        --pbkdf-force-iterations 1000 --batch-mode \
 | ||||
|          --force-password "${DEV}" <<< "${PASS}" | ||||
|      # Caching the just-formatted device for possible reuse. | ||||
|      cp -f "${DEV}" "${DEV_CACHED}" | ||||
| @@ -90,7 +90,7 @@ new_device_keyfile() {
 | ||||
|   | ||||
|      # Some builders fail if the cryptsetup steps are not ran as root, so let's | ||||
|      # skip the test now if not running as root. | ||||
| -    if [ $(id -u) != 0 ]; then
 | ||||
| +    if [ "$(id -u)" != 0 ]; then
 | ||||
|          skip_test "WARNING: You must be root to run this test; test skipped." | ||||
|      fi | ||||
|   | ||||
| @@ -98,9 +98,9 @@ new_device_keyfile() {
 | ||||
|          error "Invalid keyfile (${KEYFILE})." | ||||
|      fi | ||||
|   | ||||
| -    fallocate -l16M "${DEV}"
 | ||||
| -    local extra_options='--pbkdf pbkdf2 --pbkdf-force-iterations 1000'
 | ||||
| -    cryptsetup luksFormat --type "${LUKS}"  ${extra_options} --batch-mode \
 | ||||
| +    fallocate -l64M "${DEV}"
 | ||||
| +    cryptsetup luksFormat --type "${LUKS}" --pbkdf pbkdf2 \
 | ||||
| +        --pbkdf-force-iterations 1000 --batch-mode \
 | ||||
|          "${DEV}" "${KEYFILE}" | ||||
|  } | ||||
|   | ||||
| @@ -112,4 +112,122 @@ pin_cfg_equal() {
 | ||||
|           <(jq -S . < <(echo -n "${cfg2}")) | ||||
|  } | ||||
|   | ||||
| +# Get a random port to be used with a test tang server.
 | ||||
| +get_random_port() {
 | ||||
| +    shuf -i 1024-65535 -n 1
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Removes tang rotated keys from the test server.
 | ||||
| +tang_remove_rotated_keys() {
 | ||||
| +    local basedir="${1}"
 | ||||
| +
 | ||||
| +    if [ -z "${basedir}" ]; then
 | ||||
| +        echo "Please pass a valid base directory for tang"
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    local db="${basedir}/db"
 | ||||
| +    mkdir -p "${db}"
 | ||||
| +
 | ||||
| +    pushd "${db}"
 | ||||
| +        find . -name ".*.jwk" -exec rm -f {} \;
 | ||||
| +    popd
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Creates new keys for the test tang server.
 | ||||
| +tang_new_keys() {
 | ||||
| +    local basedir="${1}"
 | ||||
| +    local rotate="${2}"
 | ||||
| +
 | ||||
| +    if [ -z "${basedir}" ]; then
 | ||||
| +        echo "Please pass a valid base directory for tang"
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
 | ||||
| +
 | ||||
| +    local db="${basedir}/db"
 | ||||
| +    mkdir -p "${db}"
 | ||||
| +
 | ||||
| +    if [ -n "${rotate}" ]; then
 | ||||
| +        pushd "${db}"
 | ||||
| +            local k
 | ||||
| +            k=$(find . -name "*.jwk" | wc -l)
 | ||||
| +            if [ "${k}" -gt 0 ]; then
 | ||||
| +                for k in *.jwk; do
 | ||||
| +                    mv -f -- "${k}" ".${k}"
 | ||||
| +                done
 | ||||
| +            fi
 | ||||
| +        popd
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    "${TANGD_KEYGEN}" "${db}"
 | ||||
| +
 | ||||
| +    return 0
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Start a test tang server.
 | ||||
| +tang_run() {
 | ||||
| +    local basedir="${1}"
 | ||||
| +    local port="${2}"
 | ||||
| +
 | ||||
| +    if [ -z "${basedir}" ]; then
 | ||||
| +        echo "Please pass a valid base directory for tang" >&2
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    if [ -z "${port}" ]; then
 | ||||
| +        echo "Please pass a valid port for tang" >&2
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    if ! tang_new_keys "${basedir}"; then
 | ||||
| +        echo "Error creating new keys for tang server" >&2
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    local KEYS="${basedir}/db"
 | ||||
| +
 | ||||
| +    local inetd='--inetd'
 | ||||
| +    [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
 | ||||
| +
 | ||||
| +    local pid pidfile
 | ||||
| +    pidfile="${basedir}/tang.pid"
 | ||||
| +
 | ||||
| +    "${SD_ACTIVATE}" ${inetd} -l "${TANG_HOST}":"${port}" \
 | ||||
| +            -a "${TANGD}" "${KEYS}" &
 | ||||
| +    pid=$!
 | ||||
| +    echo "${pid}" > "${pidfile}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Stop tang server.
 | ||||
| +tang_stop() {
 | ||||
| +    local basedir="${1}"
 | ||||
| +    local pidfile="${basedir}/tang.pid"
 | ||||
| +    [ -f "${pidfile}" ] || return 0
 | ||||
| +
 | ||||
| +    local pid
 | ||||
| +    pid=$(<"${pidfile}")
 | ||||
| +    kill "${pid}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Wait for the tang server to be operational.
 | ||||
| +tang_wait_until_ready() {
 | ||||
| +   local port="${1}"
 | ||||
| +   while ! curl --output /dev/null --silent --fail \
 | ||||
| +                http://"${TANG_HOST}":"${port}"/adv; do
 | ||||
| +       sleep 0.1
 | ||||
| +       echo -n . >&2
 | ||||
| +   done
 | ||||
| +}
 | ||||
| +
 | ||||
| +# Get tang advertisement.
 | ||||
| +tang_get_adv() {
 | ||||
| +    local port="${1}"
 | ||||
| +    local adv="${2}"
 | ||||
| +
 | ||||
| +    curl -o "${adv}" http://"${TANG_HOST}":"${port}"/adv
 | ||||
| +}
 | ||||
| +
 | ||||
| +export TANG_HOST=127.0.0.1
 | ||||
|  export DEFAULT_PASS='just-some-test-password-here' | ||||
| diff --git a/src/luks/tests/unlock-tang-luks1 b/src/luks/tests/unlock-tang-luks1
 | ||||
| new file mode 100755 | ||||
| index 0000000..841ba01
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/unlock-tang-luks1
 | ||||
| @@ -0,0 +1,83 @@
 | ||||
| +#!/bin/bash -ex
 | ||||
| +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2020 Red Hat, Inc.
 | ||||
| +# Author: Sergio Correia <scorreia@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +
 | ||||
| +TEST=$(basename "${0}")
 | ||||
| +. tests-common-functions
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +on_exit() {
 | ||||
| +    [ ! -d "${TMP}" ] && return 0
 | ||||
| +    tang_stop "${TMP}"
 | ||||
| +    rm -rf "${TMP}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'on_exit' ERR
 | ||||
| +
 | ||||
| +TMP="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://${TANG_HOST}:${port}"
 | ||||
| +adv="${TMP}/adv"
 | ||||
| +tang_get_adv "${port}" "${adv}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
 | ||||
| +
 | ||||
| +# LUKS1.
 | ||||
| +DEV="${TMP}/luks1-device"
 | ||||
| +new_device "luks1" "${DEV}"
 | ||||
| +
 | ||||
| +if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we were unable to unlock ${DEV}."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Let's rotate the tang keys and add another binding with the new key.
 | ||||
| +tang_new_keys "${TMP}" "rotate-keys"
 | ||||
| +
 | ||||
| +# Unlock should still work now.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should still be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Now let's remove the rotated keys.
 | ||||
| +tang_remove_rotated_keys "${TMP}"
 | ||||
| +
 | ||||
| +# Unlock should not work anymore.
 | ||||
| +if clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should not be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Now let's add another binding with the new keys.
 | ||||
| +tang_get_adv "${port}" "${adv}" # Updating the advertisement.
 | ||||
| +if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Unlock should work again, using the new keys.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should be able to unlock ${DEV} with the new keys"
 | ||||
| +fi
 | ||||
| diff --git a/src/luks/tests/unlock-tang-luks2 b/src/luks/tests/unlock-tang-luks2
 | ||||
| new file mode 100755 | ||||
| index 0000000..81822fb
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/unlock-tang-luks2
 | ||||
| @@ -0,0 +1,83 @@
 | ||||
| +#!/bin/bash -ex
 | ||||
| +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2020 Red Hat, Inc.
 | ||||
| +# Author: Sergio Correia <scorreia@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +
 | ||||
| +TEST=$(basename "${0}")
 | ||||
| +. tests-common-functions
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +on_exit() {
 | ||||
| +    [ ! -d "${TMP}" ] && return 0
 | ||||
| +    tang_stop "${TMP}"
 | ||||
| +    rm -rf "${TMP}"
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'on_exit' ERR
 | ||||
| +
 | ||||
| +TMP="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://${TANG_HOST}:${port}"
 | ||||
| +adv="${TMP}/adv"
 | ||||
| +tang_get_adv "${port}" "${adv}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
 | ||||
| +
 | ||||
| +# LUKS2.
 | ||||
| +DEV="${TMP}/luks2-device"
 | ||||
| +new_device "luks2" "${DEV}"
 | ||||
| +
 | ||||
| +if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we were unable to unlock ${DEV}."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Let's rotate the tang keys and add another binding with the new key.
 | ||||
| +tang_new_keys "${TMP}" "rotate-keys"
 | ||||
| +
 | ||||
| +# Unlock should still work now.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should still be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Now let's remove the rotated keys.
 | ||||
| +tang_remove_rotated_keys "${TMP}"
 | ||||
| +
 | ||||
| +# Unlock should not work anymore.
 | ||||
| +if clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should not be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Now let's add another binding with the new keys.
 | ||||
| +tang_get_adv "${port}" "${adv}" # Updating the advertisement.
 | ||||
| +if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Unlock should work again, using the new keys.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should be able to unlock ${DEV} with the new keys"
 | ||||
| +fi
 | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
| @ -1,57 +0,0 @@ | ||||
| From d393fbc256e22cc8019d18214e4d140d58f3302a Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Wed, 13 May 2020 23:51:04 -0300 | ||||
| Subject: [PATCH 3/8] Improve error message when bind is given an invalid PIN | ||||
| 
 | ||||
| ---
 | ||||
|  src/luks/clevis-luks-bind.in          | 6 ++++++ | ||||
|  src/luks/clevis-luks-common-functions | 9 +++++++++ | ||||
|  2 files changed, 15 insertions(+) | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
 | ||||
| index a5d3c5f..89a5e22 100755
 | ||||
| --- a/src/luks/clevis-luks-bind.in
 | ||||
| +++ b/src/luks/clevis-luks-bind.in
 | ||||
| @@ -19,6 +19,8 @@
 | ||||
|  # along with this program.  If not, see <http://www.gnu.org/licenses/>. | ||||
|  # | ||||
|   | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
|  SUMMARY="Binds a LUKS device using the specified policy" | ||||
|  UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e | ||||
|   | ||||
| @@ -76,6 +78,10 @@ fi
 | ||||
|  if ! PIN="${@:$((OPTIND++)):1}" || [ -z "$PIN" ]; then | ||||
|      echo "Did not specify a pin!" >&2 | ||||
|      usage | ||||
| +elif ! EXE=$(findexe clevis-encrypt-"${PIN}") \
 | ||||
| +             || [ -z "${EXE}" ]; then
 | ||||
| +    echo "'$PIN' is not a valid pin!" >&2
 | ||||
| +    usage
 | ||||
|  fi | ||||
|   | ||||
|  if ! CFG="${@:$((OPTIND++)):1}" || [ -z "$CFG" ]; then | ||||
| diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
 | ||||
| index d04fdb5..36f0bfd 100644
 | ||||
| --- a/src/luks/clevis-luks-common-functions
 | ||||
| +++ b/src/luks/clevis-luks-common-functions
 | ||||
| @@ -108,6 +108,15 @@ clevis_luks_read_slot() {
 | ||||
|      echo "${DATA_CODED}" | ||||
|  } | ||||
|   | ||||
| +# findexe() finds an executable.
 | ||||
| +findexe() {
 | ||||
| +    while read -r -d: path; do
 | ||||
| +        [ -f "${path}/${1}" ] && [ -x "${path}/${1}" ] && \
 | ||||
| +          echo "${path}/${1}" && return 0
 | ||||
| +    done <<< "${PATH}:"
 | ||||
| +    return 1
 | ||||
| +}
 | ||||
| +
 | ||||
|  # clevis_luks_used_slots() will return the list of used slots for a given LUKS | ||||
|  # device. | ||||
|  clevis_luks_used_slots() { | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
| @ -1,53 +0,0 @@ | ||||
| From fc0cc6f159857e463aacababdc0735b0972d103c Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Wed, 13 May 2020 23:51:04 -0300 | ||||
| Subject: [PATCH 4/8] Add rd.neednet=1 to cmdline only if there are devices | ||||
|  bound to tang | ||||
| 
 | ||||
| ---
 | ||||
|  .../dracut/clevis-pin-tang/module-setup.sh.in | 21 +++++++++++++++++-- | ||||
|  1 file changed, 19 insertions(+), 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
 | ||||
| index 1bb2ead..a4984dc 100755
 | ||||
| --- a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
 | ||||
| +++ b/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
 | ||||
| @@ -18,8 +18,23 @@
 | ||||
|  # along with this program.  If not, see <http://www.gnu.org/licenses/>. | ||||
|  # | ||||
|   | ||||
| +has_devices_bound_to_tang() {
 | ||||
| +    local dev
 | ||||
| +    for dev in $(lsblk -p -n -s -r \
 | ||||
| +                 | awk '$6 == "crypt" { getline; print $1 }' | sort -u); do
 | ||||
| +       if clevis luks list -d "${dev}" 2>/dev/null | grep -q tang; then
 | ||||
| +           return 0
 | ||||
| +       fi
 | ||||
| +    done
 | ||||
| +    return 1
 | ||||
| +}
 | ||||
| +
 | ||||
|  depends() { | ||||
| -    echo clevis network
 | ||||
| +    local deps="clevis"
 | ||||
| +    if has_devices_bound_to_tang; then
 | ||||
| +         deps=$(printf "%s network" "${deps}")
 | ||||
| +    fi
 | ||||
| +    echo "${deps}"
 | ||||
|      return 0 | ||||
|  } | ||||
|   | ||||
| @@ -28,7 +43,9 @@ cmdline() {
 | ||||
|  } | ||||
|   | ||||
|  install() { | ||||
| -    cmdline > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
 | ||||
| +    if has_devices_bound_to_tang; then
 | ||||
| +        cmdline > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
 | ||||
| +    fi
 | ||||
|   | ||||
|      inst_multiple \ | ||||
|  	clevis-decrypt-tang \ | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
										
											
							| @ -1,464 +0,0 @@ | ||||
| From a85f50f789d69d9ca0a4096a64ac912f5967f97f Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Sun, 10 May 2020 15:32:50 -0300 | ||||
| Subject: [PATCH 7/8] Add clevis luks report | ||||
| 
 | ||||
| ---
 | ||||
|  src/luks/clevis-luks-report         | 95 +++++++++++++++++++++++++++++ | ||||
|  src/luks/clevis-luks-report-compare | 71 +++++++++++++++++++++ | ||||
|  src/luks/clevis-luks-report-decode  | 59 ++++++++++++++++++ | ||||
|  src/luks/clevis-luks-report-sss     | 53 ++++++++++++++++ | ||||
|  src/luks/clevis-luks-report-tang    | 67 ++++++++++++++++++++ | ||||
|  src/luks/clevis-luks-report.1.adoc  | 41 +++++++++++++ | ||||
|  src/luks/meson.build                |  7 +++ | ||||
|  7 files changed, 393 insertions(+) | ||||
|  create mode 100755 src/luks/clevis-luks-report | ||||
|  create mode 100755 src/luks/clevis-luks-report-compare | ||||
|  create mode 100755 src/luks/clevis-luks-report-decode | ||||
|  create mode 100755 src/luks/clevis-luks-report-sss | ||||
|  create mode 100755 src/luks/clevis-luks-report-tang | ||||
|  create mode 100644 src/luks/clevis-luks-report.1.adoc | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-report b/src/luks/clevis-luks-report
 | ||||
| new file mode 100755 | ||||
| index 0000000..f047256
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report
 | ||||
| @@ -0,0 +1,95 @@
 | ||||
| +#!/usr/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2018 Red Hat, Inc.
 | ||||
| +# Author: Radovan Sroka <rsroka@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +SUMMARY="Report any key rotation on the server side"
 | ||||
| +
 | ||||
| +if [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 0
 | ||||
| +fi
 | ||||
| +
 | ||||
| +function usage_and_exit () {
 | ||||
| +    echo >&2
 | ||||
| +    echo "Usage: clevis luks report [-qr] -d DEV -s SLOT" >&2
 | ||||
| +    echo >&2
 | ||||
| +    echo -e "  -q\t Quiet mode" >&2
 | ||||
| +    echo -e "  -r\t Regenerate luks metadata with \"clevis luks regen -d DEV -s SLOT\"" >&2
 | ||||
| +    echo >&2
 | ||||
| +    echo "$SUMMARY" >&2
 | ||||
| +    echo >&2
 | ||||
| +    exit "$1"
 | ||||
| +}
 | ||||
| +
 | ||||
| +while getopts "hd:s:rq" o; do
 | ||||
| +    case "$o" in
 | ||||
| +    d) DEV="$OPTARG";;
 | ||||
| +    h) usage_and_exit 0;;
 | ||||
| +    r) ROPT="regen";;
 | ||||
| +    s) SLT="$OPTARG";;
 | ||||
| +    q) QOPT="quiet";;
 | ||||
| +    *) usage_and_exit 1;;
 | ||||
| +    esac
 | ||||
| +done
 | ||||
| +
 | ||||
| +### get luks metadata
 | ||||
| +
 | ||||
| +if [ -z "$DEV" ]; then
 | ||||
| +    echo "Did not specify a device!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$SLT" ]; then
 | ||||
| +    echo "Did not specify a slot!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! DATA_CODED=$(clevis_luks_read_slot "${DEV}" "${SLT}"); then
 | ||||
| +    # Error message was already displayed by clevis_luks_read_slot(),
 | ||||
| +    # at this point.
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +EXE="$(findexe clevis-luks-report-decode)"
 | ||||
| +RESULT="$($EXE "${DATA_CODED}")"
 | ||||
| +
 | ||||
| +if [ -n "$RESULT" ]; then
 | ||||
| +    echo "$RESULT"
 | ||||
| +    echo "Report detected that some keys were rotated."
 | ||||
| +    if [ -z "$QOPT" ]; then
 | ||||
| +        if [ -z "$ROPT" ]; then
 | ||||
| +            read -r -p "Do you want to regenerate luks metadata with \"clevis luks regen -d $DEV -s $SLT\"? [ynYN] " ans < /dev/tty
 | ||||
| +            [[ "$ans" =~ ^[yY]$ ]] && ROPT="regen"
 | ||||
| +        fi
 | ||||
| +    fi
 | ||||
| +else
 | ||||
| +    exit 0
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ "$ROPT" = "regen" ]; then
 | ||||
| +    EXE="$(findexe clevis-luks-regen)"
 | ||||
| +    exec "$EXE" -d "$DEV" -s "$SLT"
 | ||||
| +else
 | ||||
| +    if [ -n "${RESULT}" ]; then
 | ||||
| +        # Keys were rotated.
 | ||||
| +        exit 1
 | ||||
| +    fi
 | ||||
| +fi
 | ||||
| diff --git a/src/luks/clevis-luks-report-compare b/src/luks/clevis-luks-report-compare
 | ||||
| new file mode 100755 | ||||
| index 0000000..2ba5132
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report-compare
 | ||||
| @@ -0,0 +1,71 @@
 | ||||
| +#!/usr/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2018 Red Hat, Inc.
 | ||||
| +# Author: Radovan Sroka <rsroka@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +
 | ||||
| +SUMMARY="Compare two sets of keys"
 | ||||
| +
 | ||||
| +if [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$1" ]; then
 | ||||
| +    echo "$0 missing the first argument!"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$2" ]; then
 | ||||
| +    echo "$0 missing the second argument!"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +ADV_KEYS="$1" # keys from advertisement
 | ||||
| +LUKS_KEYS="$2" # keys from luks metadata
 | ||||
| +
 | ||||
| +### iterate over adv keys and make thumbprints
 | ||||
| +CNT=0
 | ||||
| +declare -a ADV_KEYS_ARRAY
 | ||||
| +while res="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$ADV_KEYS")"; do
 | ||||
| +    thp="$(echo "$res" | jose jwk thp -i-)"
 | ||||
| +    ADV_KEYS_ARRAY["$CNT"]="$thp"
 | ||||
| +    CNT=$(( CNT + 1 ))
 | ||||
| +done
 | ||||
| +
 | ||||
| +CNT=0
 | ||||
| +while key="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$LUKS_KEYS")"; do
 | ||||
| +    thp="$(echo "$key" | jose jwk thp -i-)"
 | ||||
| +
 | ||||
| +    FOUND=0
 | ||||
| +    for k in "${ADV_KEYS_ARRAY[@]}"
 | ||||
| +    do
 | ||||
| +        if [ "$k" = "$thp" ]; then
 | ||||
| +            FOUND=1
 | ||||
| +            break
 | ||||
| +        fi
 | ||||
| +    done
 | ||||
| +
 | ||||
| +    if [ "$FOUND" -eq "0" ]; then
 | ||||
| +        echo "Key \"$thp\" is not in the advertisement and was probably rotated!"
 | ||||
| +        echo "$key"
 | ||||
| +        echo
 | ||||
| +    fi
 | ||||
| +    CNT=$(( CNT + 1 ))
 | ||||
| +done
 | ||||
| +
 | ||||
| +exit 0
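Review bot: Both thumbprint computations (`jose jwk thp -i-` on the advertisement keys and again on the LUKS keys) leave the hash algorithm at jose's default, so the thumbprints printed in the rotation message depend on which jose is installed; passing `-a S256` on both lines pins them, e.g. `thp="$(jose jwk thp -a S256 -i- <<< "$key")"`, which I believe also matches what tang's own key listing prints. The comparison itself is unaffected either way because both sides are hashed with the same default. The herestring form also matches the rest of the file, which otherwise avoids `echo "$x" | ...`. A key absent from the advertisement can equally mean the server behind `url` was replaced rather than rotated, so the "probably rotated" wording is the right level of hedging and should stay.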
 | ||||
| diff --git a/src/luks/clevis-luks-report-decode b/src/luks/clevis-luks-report-decode
 | ||||
| new file mode 100755 | ||||
| index 0000000..f39d1e9
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report-decode
 | ||||
| @@ -0,0 +1,59 @@
 | ||||
| +#!/usr/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2018 Red Hat, Inc.
 | ||||
| +# Author: Radovan Sroka <rsroka@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +SUMMARY="Decode luks header"
 | ||||
| +
 | ||||
| +if [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$1" ]; then
 | ||||
| +    echo "$0 missing the first argument!"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +DATA_CODED="$1"
 | ||||
| +
 | ||||
| +if DATA_CODED="$(jose jwe fmt -i- <<< "$DATA_CODED")"; then
 | ||||
| +    DATA_CODED="$(jose fmt -j- -g protected -u- <<< "$DATA_CODED")"
 | ||||
| +    DATA_DECODED="$(jose b64 dec -i- <<< "$DATA_CODED")"
 | ||||
| +else
 | ||||
| +    echo "Error decoding JWE protected header!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +### get pin and url
 | ||||
| +
 | ||||
| +if ! PIN="$(jose fmt -j- -g clevis -g pin -u- <<< "$DATA_DECODED")" || [ -z "$PIN" ]; then
 | ||||
| +    echo "Pin wasn't found in luks metadata!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! CONTENT="$(jose fmt -j- -g clevis -g "$PIN" -o- <<< "$DATA_DECODED")" || [ -z "$CONTENT" ]; then
 | ||||
| +    echo "Content wasn't found!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +EXE="$(findexe clevis-luks-report-"$PIN")"
 | ||||
| +
 | ||||
| +exec "$EXE" "$CONTENT"
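Review bot: The pin name that selects the executable at `EXE="$(findexe clevis-luks-report-"$PIN")"` is read straight from the on-disk JWE protected header and is neither validated nor checked to have resolved to anything before `exec "$EXE"`. A slot whose pin has no report plugin, or a metadata string containing unexpected characters, therefore ends in an opaque exec failure rather than a clear diagnostic. I would add `[[ "$PIN" =~ ^[a-z0-9]+$ ]] || { echo "Unexpected pin name in luks metadata!" >&2; exit 1; }` before the lookup and `[ -n "$EXE" ] || { echo "No report plugin for pin '$PIN'!" >&2; exit 1; }` after it. Whether findexe already exits non-zero on a miss (which `bash -e` would turn into a silent abort) is not visible here.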
 | ||||
| diff --git a/src/luks/clevis-luks-report-sss b/src/luks/clevis-luks-report-sss
 | ||||
| new file mode 100755 | ||||
| index 0000000..1dba4c1
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report-sss
 | ||||
| @@ -0,0 +1,53 @@
 | ||||
| +#!/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2018 Red Hat, Inc.
 | ||||
| +# Author: Radovan Sroka <rsroka@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +SUMMARY="SSS report plugin"
 | ||||
| +
 | ||||
| +if [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$1" ]; then
 | ||||
| +    echo "$0 missing the first argument!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +CONTENT="$1" # sss content
 | ||||
| +
 | ||||
| +CNT=0
 | ||||
| +while DATA_CODED="$(jose fmt -j- -g jwe -g"$CNT" -u- <<< "$CONTENT")"; do
 | ||||
| +    if [ -z "$DATA_CODED" ]; then
 | ||||
| +        CNT=$(( CNT + 1 ))
 | ||||
| +        continue # in some cases it can be empty string
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    EXE="$(findexe clevis-luks-report-decode)"
 | ||||
| +    if ! $EXE "$DATA_CODED"; then
 | ||||
| +        echo "Failed" >&2
 | ||||
| +        exit 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    CNT=$(( CNT + 1 ))
 | ||||
| +done
 | ||||
| +
 | ||||
| +exit 0
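Review bot: A single failing share ends the whole report at `if ! $EXE "$DATA_CODED"` / `exit 1`, so for a threshold policy one unreachable tang server hides the rotation status of every other share, which is exactly the situation an operator most wants to see; `$EXE` is also unquoted and `findexe` is re-run for every share. I would resolve the plugin once, quote it, record failures and keep going, and return non-zero only at the end, as below. Callers that `exec` into this script still observe the same success/failure status, only later and with the index of the share that failed.
```shell
EXE="$(findexe clevis-luks-report-decode)"
FAILED=0
CNT=0
while DATA_CODED="$(jose fmt -j- -g jwe -g"$CNT" -u- <<< "$CONTENT")"; do
    CNT=$(( CNT + 1 ))
    # in some cases it can be empty string
    [ -z "$DATA_CODED" ] && continue

    if ! "$EXE" "$DATA_CODED"; then
        echo "Failed to report on sss share $(( CNT - 1 ))" >&2
        FAILED=1
    fi
done

exit "$FAILED"
```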
 | ||||
| diff --git a/src/luks/clevis-luks-report-tang b/src/luks/clevis-luks-report-tang
 | ||||
| new file mode 100755 | ||||
| index 0000000..07f2a72
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report-tang
 | ||||
| @@ -0,0 +1,67 @@
 | ||||
| +#!/usr/bin/bash -e
 | ||||
| +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2018 Red Hat, Inc.
 | ||||
| +# Author: Radovan Sroka <rsroka@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +#
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +SUMMARY="Tang report plugin"
 | ||||
| +
 | ||||
| +if [ "$1" == "--summary" ]; then
 | ||||
| +    echo "$SUMMARY"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if [ -z "$1" ]; then
 | ||||
| +    echo "$0 missing the first argument!"
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +CONTENT="$1"
 | ||||
| +
 | ||||
| +### Get the advertisement
 | ||||
| +if ! URL="$(jose fmt -j- -g url -u- <<< "$CONTENT")" || [ -z "$URL" ]; then
 | ||||
| +    echo "URL was not found!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! jws="$(curl -sfg "$URL/adv")"; then
 | ||||
| +    echo "Unable to fetch advertisement: $URL/adv!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! TANG_KEYS="$(jose fmt -j- -Og payload -SyOg keys -AUo- <<< "$jws")"; then
 | ||||
| +    echo "Advertisement is malformed!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +### Check advertisement validity
 | ||||
| +ver="$(jose jwk use -i- -r -u verify -o- <<< "$TANG_KEYS")"
 | ||||
| +if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
 | ||||
| +    echo "Advertisement is missing signatures!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! LUKS_KEYS="$(jose fmt -j- -g adv -o- <<< "$CONTENT")" || [ -z "$LUKS_KEYS" ]; then
 | ||||
| +    echo "LUKS keys from LUKS metadata were not found!" >&2
 | ||||
| +    exit 1
 | ||||
| +fi
 | ||||
| +
 | ||||
| +EXE="$(findexe clevis-luks-report-compare)"
 | ||||
| +
 | ||||
| +exec "$EXE" "$TANG_KEYS" "$LUKS_KEYS"
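Review bot: The signature check at `jose jws ver -i "$jws" -k- -a <<< "$ver"` uses only the verify keys extracted from the advertisement that was just downloaded, so it proves the document is self-consistent, not that it came from the server whose keys were bound at bind time; a replaced server, or an on-path attacker on the plain-HTTP URL stored in the metadata, can serve an internally valid advertisement whose keys simply all differ, and the comparison then reports them as "probably rotated". That is inherent to tang's trust model, but because clevis-luks-report offers to run `clevis luks regen` on that result, the caveat belongs next to the check: `# NOTE: this only proves the advertisement is signed by its own keys; it cannot tell rotation from a substituted server, so confirm new keys out-of-band before regenerating.` Separately, `curl -sfg "$URL/adv"` sets no `--max-time`, so an unresponsive server can hang this report, and any sss report that includes it, for as long as curl's defaults allow; a bounded timeout is worth adding.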
 | ||||
| diff --git a/src/luks/clevis-luks-report.1.adoc b/src/luks/clevis-luks-report.1.adoc
 | ||||
| new file mode 100644 | ||||
| index 0000000..cf42afe
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/clevis-luks-report.1.adoc
 | ||||
| @@ -0,0 +1,41 @@
 | ||||
| +CLEVIS-LUKS-REPORT(1)
 | ||||
| +=====================
 | ||||
| +:doctype: manpage
 | ||||
| +
 | ||||
| +
 | ||||
| +== NAME
 | ||||
| +
 | ||||
| +clevis-luks-report - Reports whether a pin bound to a LUKS1 or LUKS2 volume has been rotated
 | ||||
| +
 | ||||
| +== SYNOPSIS
 | ||||
| +
 | ||||
| +*clevis luks report* -d DEV -s SLT
 | ||||
| +
 | ||||
| +== OVERVIEW
 | ||||
| +
 | ||||
| +The *clevis luks report* command checks a given slot of a LUKS device and reports whether the pin bound to it
 | ||||
| +-- if any -- has been rotated.
 | ||||
| +
 | ||||
| +== OPTIONS
 | ||||
| +
 | ||||
| +* *-d* _DEV_ :
 | ||||
| +  The bound LUKS device
 | ||||
| +
 | ||||
| +* *-s* _SLT_ :
 | ||||
| +  The slot or key slot number for the pin to be verified
 | ||||
| +
 | ||||
| +* *-q* :
 | ||||
| +  Quiet mode. If used, we will not prompt whether to regenerate data with *clevis luks regen*
 | ||||
| +
 | ||||
| +* *-r* :
 | ||||
| +  Regenerates LUKS metadata with *clevis luks regen -d DEV -s SLOT*
 | ||||
| +
 | ||||
| +== EXAMPLE
 | ||||
| +
 | ||||
| +    Check whether the pin bound to slot 1 in /dev/sda1 has been rotated:
 | ||||
| +
 | ||||
| +    # clevis luks report -d /dev/sda1 -s 1
 | ||||
| +
 | ||||
| +== SEE ALSO
 | ||||
| +
 | ||||
| +link:clevis-luks-regen.1.adoc[*clevis-luks-regen*(1)]
 | ||||
| diff --git a/src/luks/meson.build b/src/luks/meson.build
 | ||||
| index f21388d..ee588c3 100644
 | ||||
| --- a/src/luks/meson.build
 | ||||
| +++ b/src/luks/meson.build
 | ||||
| @@ -47,6 +47,13 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
 | ||||
|   | ||||
|    bins += join_paths(meson.current_source_dir(), 'clevis-luks-regen') | ||||
|    mans += join_paths(meson.current_source_dir(), 'clevis-luks-regen.1') | ||||
| +
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report')
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-compare')
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-decode')
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-sss')
 | ||||
| +  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-tang')
 | ||||
| +  mans += join_paths(meson.current_source_dir(), 'clevis-luks-report.1')
 | ||||
|  else | ||||
|    warning('Will not install LUKS support due to missing dependencies!') | ||||
|  endif | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
| @ -1,339 +0,0 @@ | ||||
| From 3250784e99016d9f920892dbb1438b9e76fb210b Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Sun, 10 May 2020 15:57:23 -0300 | ||||
| Subject: [PATCH 8/8] Use one clevis-luks-askpass per device | ||||
| 
 | ||||
| This should improve the reliability of the boot unlocking, especially | ||||
| when unlocking multiple devices upon boot. | ||||
| 
 | ||||
| It also greatly simplifies the configuration, as there is no need to | ||||
| enable any systemd units manually nor add _netdev to either fstab or | ||||
| crypttab. | ||||
| ---
 | ||||
|  src/luks/clevis-luks-common-functions         |  8 ++ | ||||
|  src/luks/clevis-luks-unlockers.7.adoc         | 16 +--- | ||||
|  src/luks/systemd/clevis-luks-askpass          | 81 ++++++------------- | ||||
|  src/luks/systemd/clevis-luks-askpass.path     | 10 --- | ||||
|  .../systemd/clevis-luks-askpass.service.in    |  8 -- | ||||
|  src/luks/systemd/clevis-luks-askpass@.path    | 12 +++ | ||||
|  .../systemd/clevis-luks-askpass@.service.in   |  8 ++ | ||||
|  .../systemd/dracut/clevis/module-setup.sh.in  | 23 ++++++ | ||||
|  src/luks/systemd/meson.build                  |  6 +- | ||||
|  9 files changed, 80 insertions(+), 92 deletions(-) | ||||
|  delete mode 100644 src/luks/systemd/clevis-luks-askpass.path | ||||
|  delete mode 100644 src/luks/systemd/clevis-luks-askpass.service.in | ||||
|  create mode 100644 src/luks/systemd/clevis-luks-askpass@.path | ||||
|  create mode 100644 src/luks/systemd/clevis-luks-askpass@.service.in | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
 | ||||
| index 5b515ad..c9d712a 100644
 | ||||
| --- a/src/luks/clevis-luks-common-functions
 | ||||
| +++ b/src/luks/clevis-luks-common-functions
 | ||||
| @@ -555,3 +555,11 @@ clevis_luks_restore_dev() {
 | ||||
|      fi | ||||
|      return 0 | ||||
|  } | ||||
| +
 | ||||
| +# clevis_is_luks_device_by_uuid_open() checks whether the LUKS device with
 | ||||
| +# given UUID is open.
 | ||||
| +clevis_is_luks_device_by_uuid_open() {
 | ||||
| +    local LUKS_UUID="${1}"
 | ||||
| +    [ -z "${LUKS_UUID}" ] && return 1
 | ||||
| +    test -b /dev/disk/by-id/dm-uuid-*"${LUKS_UUID//-/}"*
 | ||||
| +}
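Review bot: `test -b /dev/disk/by-id/dm-uuid-*"${LUKS_UUID//-/}"*` misbehaves in the one script that sources it: clevis-luks-askpass sets `shopt -s nullglob`, so when no matching symlink exists the glob expands to nothing, `test` is left with the single operand `-b`, which bash's one-argument form treats as a non-empty string, and the function reports the device as open. With more than one match `test` instead fails with "binary operator expected", which callers read as "not open". Looping over the expansion and testing each candidate handles both cases and also works without nullglob, where a miss leaves the literal pattern and `-b` on it is simply false.
```shell
clevis_is_luks_device_by_uuid_open() {
    local LUKS_UUID="${1}"
    [ -z "${LUKS_UUID}" ] && return 1
    # Iterate instead of a bare `test -b <glob>`: under nullglob a miss leaves
    # test with no operand (and it succeeds), and several matches are a
    # syntax error; both now correctly yield "not open".
    local link
    for link in /dev/disk/by-id/dm-uuid-*"${LUKS_UUID//-/}"*; do
        [ -b "${link}" ] && return 0
    done
    return 1
}
```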
 | ||||
| diff --git a/src/luks/clevis-luks-unlockers.7.adoc b/src/luks/clevis-luks-unlockers.7.adoc
 | ||||
| index 161b73a..e8d47ba 100644
 | ||||
| --- a/src/luks/clevis-luks-unlockers.7.adoc
 | ||||
| +++ b/src/luks/clevis-luks-unlockers.7.adoc
 | ||||
| @@ -26,7 +26,7 @@ You can unlock a LUKS volume manually using the following command:
 | ||||
|   | ||||
|  For more information, see link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)]. | ||||
|   | ||||
| -== EARLY BOOT UNLOCKING
 | ||||
| +== BOOT UNLOCKING
 | ||||
|   | ||||
|  If Clevis integration does not already ship in your initramfs, you may need to | ||||
|  rebuild your initramfs with this command: | ||||
| @@ -34,23 +34,13 @@ rebuild your initramfs with this command:
 | ||||
|      $ sudo dracut -f | ||||
|   | ||||
|  Once Clevis is integrated into your initramfs, a simple reboot should unlock | ||||
| -your root volume. Note, however, that early boot integration only works for the
 | ||||
| -root volume. Non-root volumes should use the late boot unlocker.
 | ||||
| +your clevis-bound volumes. Root volumes will be unlocked in early-boot, while the
 | ||||
| +remaining volumes will be unlocked after dracut switch-root.
 | ||||
|   | ||||
|  Dracut will bring up your network using DHCP by default. If you need to specify | ||||
|  additional network parameters, such as static IP configuration, please consult | ||||
|  the dracut documentation. | ||||
|   | ||||
| -== LATE BOOT UNLOCKING
 | ||||
| -
 | ||||
| -You can enable late boot unlocking by executing the following command:
 | ||||
| -
 | ||||
| -    $ sudo systemctl enable clevis-luks-askpass.path
 | ||||
| -
 | ||||
| -After a reboot, Clevis will attempt to unlock all *_netdev* devices listed in
 | ||||
| -*/etc/crypttab* when systemd prompts for their passwords. This implies that
 | ||||
| -systemd support for *_netdev* is required.
 | ||||
| -
 | ||||
|  == DESKTOP UNLOCKING | ||||
|   | ||||
|  When the udisks2 unlocker is installed, your GNOME desktop session should | ||||
| diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
 | ||||
| index 9fea6aa..20294e5 100755
 | ||||
| --- a/src/luks/systemd/clevis-luks-askpass
 | ||||
| +++ b/src/luks/systemd/clevis-luks-askpass
 | ||||
| @@ -19,96 +19,61 @@
 | ||||
|  # along with this program.  If not, see <http://www.gnu.org/licenses/>. | ||||
|  # | ||||
|   | ||||
| -UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 | ||||
| +. clevis-luks-common-functions
 | ||||
|   | ||||
|  shopt -s nullglob | ||||
|   | ||||
|  path=/run/systemd/ask-password | ||||
| -while getopts ":lp:" o; do
 | ||||
| +while getopts ":lp:u:" o; do
 | ||||
|      case "$o" in | ||||
|      l) loop=true;; | ||||
|      p) path="$OPTARG";; | ||||
| +    u) device_uuid=$OPTARG;;
 | ||||
| +    *) ;;
 | ||||
|      esac | ||||
|  done | ||||
|   | ||||
| -luks1_decrypt() {
 | ||||
| -    luksmeta load "$@" \
 | ||||
| -        | clevis decrypt
 | ||||
| -
 | ||||
| -    local rc
 | ||||
| -    for rc in "${PIPESTATUS[@]}"; do
 | ||||
| -        [ $rc -eq 0 ] || return $rc
 | ||||
| -    done
 | ||||
| -    return 0
 | ||||
| -}
 | ||||
| -
 | ||||
| -luks2_jwe() {
 | ||||
| -    # jose jwe fmt -c outputs extra \n, so clean it up
 | ||||
| -    cryptsetup token export "$@" \
 | ||||
| -        | jose fmt -j- -Og jwe -o- \
 | ||||
| -        | jose jwe fmt -i- -c \
 | ||||
| -        | tr -d '\n'
 | ||||
| -
 | ||||
| -    local rc
 | ||||
| -    for rc in "${PIPESTATUS[@]}"; do
 | ||||
| -        [ $rc -eq 0 ] || return $rc
 | ||||
| -    done
 | ||||
| -    return 0
 | ||||
| -}
 | ||||
| -
 | ||||
|  while true; do | ||||
|      todo=0 | ||||
|   | ||||
|      for question in "$path"/ask.*; do | ||||
| -        metadata=false
 | ||||
|          unlocked=false | ||||
|          d= | ||||
|          s= | ||||
|   | ||||
| -        while read line; do
 | ||||
| +        while read -r line; do
 | ||||
|              case "$line" in | ||||
|                  Id=cryptsetup:*) d="${line##Id=cryptsetup:}";; | ||||
|                  Socket=*) s="${line##Socket=}";; | ||||
|              esac | ||||
|          done < "$question" | ||||
|   | ||||
| -        [ "$d" ] && [ "$s" ] || continue
 | ||||
| +        [ -b "${d}" ] || continue
 | ||||
| +        [ -S "${s}" ] || continue
 | ||||
|   | ||||
| -        if cryptsetup isLuks --type luks1 "$d"; then
 | ||||
| -            # If the device is not initialized, sliently skip it.
 | ||||
| -            luksmeta test -d "$d" || continue
 | ||||
| -
 | ||||
| -            while read -r slot state uuid; do
 | ||||
| -                [ "$state" == "active" ] || continue
 | ||||
| -                [ "$uuid" == "$UUID" ] || continue
 | ||||
| -                metadata=true
 | ||||
| -
 | ||||
| -                if pt="$(luks1_decrypt -d "$d" -s "$slot" -u "$UUID")"; then
 | ||||
| -                    echo -n "+$pt" | ncat -U -u --send-only "$s"
 | ||||
| -                    unlocked=true
 | ||||
| -                    break
 | ||||
| -                fi
 | ||||
| -            done < <(luksmeta show -d "$d")
 | ||||
| -        elif cryptsetup isLuks --type luks2 "$d"; then
 | ||||
| -            while read -r id; do
 | ||||
| -                jwe="$(luks2_jwe --token-id "$id" "$d")" \
 | ||||
| -                    || continue
 | ||||
| -                metadata=true
 | ||||
| +        if [ -n "${device_uuid}" ]; then
 | ||||
| +            uuid="$(cryptsetup luksUUID "${d}")"
 | ||||
| +            [ "${uuid}" != "${device_uuid}" ] && todo=1 && continue
 | ||||
| +        fi
 | ||||
|   | ||||
| -                if pt="$(echo -n "$jwe" | clevis decrypt)"; then
 | ||||
| -                    echo -n "+$pt" | ncat -U -u --send-only "$s"
 | ||||
| -                    unlocked=true
 | ||||
| -                    break
 | ||||
| -                fi
 | ||||
| -            done < <(cryptsetup luksDump "$d" | sed -rn 's|^\s+([0-9]+): clevis|\1|p')
 | ||||
| +        if pt="$(clevis_luks_unlock_device "${d}")"; then
 | ||||
| +            echo -n "+$pt" | ncat -U -u --send-only "$s"
 | ||||
| +            unlocked=true
 | ||||
|          fi | ||||
|   | ||||
| -        [ "$metadata" == true ] || continue
 | ||||
| +        [ -n "${device_uuid}" ] && [ "${unlocked}" == true ] && break
 | ||||
|          [ "$unlocked" == true ] && continue | ||||
|          ((todo++)) | ||||
|      done | ||||
|   | ||||
| -    if [ $todo -eq 0 ] || [ "$loop" != true ]; then
 | ||||
| +    if [ -n "${device_uuid}" ]; then
 | ||||
| +        [ ! -b /dev/disk/by-uuid/"${device_uuid}" ] && break
 | ||||
| +        if clevis_is_luks_device_by_uuid_open "${device_uuid}"; then
 | ||||
| +            break
 | ||||
| +        fi
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    if [ "$todo" -eq 0 ] || [ "$loop" != true ]; then
 | ||||
|          break; | ||||
|      fi | ||||
|   | ||||
| diff --git a/src/luks/systemd/clevis-luks-askpass.path b/src/luks/systemd/clevis-luks-askpass.path
 | ||||
| deleted file mode 100644 | ||||
| index a4d01ba..0000000
 | ||||
| --- a/src/luks/systemd/clevis-luks-askpass.path
 | ||||
| +++ /dev/null
 | ||||
| @@ -1,10 +0,0 @@
 | ||||
| -[Unit]
 | ||||
| -Description=Clevis systemd-ask-password Watcher
 | ||||
| -Before=remote-fs-pre.target
 | ||||
| -Wants=remote-fs-pre.target
 | ||||
| -
 | ||||
| -[Path]
 | ||||
| -PathChanged=/run/systemd/ask-password
 | ||||
| -
 | ||||
| -[Install]
 | ||||
| -WantedBy=remote-fs.target
 | ||||
| diff --git a/src/luks/systemd/clevis-luks-askpass.service.in b/src/luks/systemd/clevis-luks-askpass.service.in
 | ||||
| deleted file mode 100644 | ||||
| index 2c6bbed..0000000
 | ||||
| --- a/src/luks/systemd/clevis-luks-askpass.service.in
 | ||||
| +++ /dev/null
 | ||||
| @@ -1,8 +0,0 @@
 | ||||
| -[Unit]
 | ||||
| -Description=Clevis LUKS systemd-ask-password Responder
 | ||||
| -Requires=network-online.target
 | ||||
| -After=network-online.target
 | ||||
| -
 | ||||
| -[Service]
 | ||||
| -Type=oneshot
 | ||||
| -ExecStart=@libexecdir@/clevis-luks-askpass -l
 | ||||
| diff --git a/src/luks/systemd/clevis-luks-askpass@.path b/src/luks/systemd/clevis-luks-askpass@.path
 | ||||
| new file mode 100644 | ||||
| index 0000000..3f23665
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/systemd/clevis-luks-askpass@.path
 | ||||
| @@ -0,0 +1,12 @@
 | ||||
| +[Unit]
 | ||||
| +Description=Clevis systemd-ask-password Watcher for %i
 | ||||
| +DefaultDependencies=no
 | ||||
| +Conflicts=shutdown.target
 | ||||
| +Before=basic.target shutdown.target
 | ||||
| +
 | ||||
| +[Path]
 | ||||
| +DirectoryNotEmpty=/run/systemd/ask-password
 | ||||
| +MakeDirectory=yes
 | ||||
| +
 | ||||
| +[Install]
 | ||||
| +WantedBy=basic.target
 | ||||
| diff --git a/src/luks/systemd/clevis-luks-askpass@.service.in b/src/luks/systemd/clevis-luks-askpass@.service.in
 | ||||
| new file mode 100644 | ||||
| index 0000000..4165ec5
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/systemd/clevis-luks-askpass@.service.in
 | ||||
| @@ -0,0 +1,8 @@
 | ||||
| +[Unit]
 | ||||
| +Description=Clevis LUKS systemd-ask-password Responder for luks-%i
 | ||||
| +DefaultDependencies=no
 | ||||
| +Conflicts=shutdown.target
 | ||||
| +Before=shutdown.target
 | ||||
| +
 | ||||
| +[Service]
 | ||||
| +ExecStart=@libexecdir@/clevis-luks-askpass -u %i
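Review bot: The new template drops the `Requires=network-online.target` / `After=network-online.target` ordering that the removed clevis-luks-askpass.service carried, and its ExecStart no longer passes `-l`, so an instance triggered for a tang-bound volume before the network is up decrypts nothing, exits, and any retry depends on the path unit firing again (how `DirectoryNotEmpty` re-triggers an inactive service is not visible here). For volumes unlocked after switch-root I would at least add `Wants=network-online.target` and `After=network-online.target` to the `[Unit]` section, or put a comment in the unit explaining why starting without network is intended. The root volume is handled by the dracut initqueue hooks rather than this unit, so that path is not affected either way.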
 | ||||
| diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
 | ||||
| index abc79b3..1a0d6f7 100755
 | ||||
| --- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
 | ||||
| +++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
 | ||||
| @@ -23,6 +23,24 @@ depends() {
 | ||||
|      return 255 | ||||
|  } | ||||
|   | ||||
| +configure_passwd_watchers() {
 | ||||
| +    if ! command -v systemctl >/dev/null; then
 | ||||
| +        return 1
 | ||||
| +    fi
 | ||||
| +
 | ||||
| +    find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm -f {} \;
 | ||||
| +
 | ||||
| +    local uuid
 | ||||
| +    for dev in $(lsblk -p -n -s -r \
 | ||||
| +                 | awk '$6 == "crypt" { getline; print $1 }' | sort -u); do
 | ||||
| +        uuid=$(cryptsetup luksUUID "${dev}")
 | ||||
| +
 | ||||
| +        if clevis luks list -d "${dev}" >/dev/null 2>/dev/null; then
 | ||||
| +            systemctl enable "clevis-luks-askpass@${uuid}.path" 2>/dev/null
 | ||||
| +        fi
 | ||||
| +    done
 | ||||
| +}
 | ||||
| +
 | ||||
|  install() { | ||||
|      inst_hook initqueue/online 60 "$moddir/clevis-hook.sh" | ||||
|      inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" | ||||
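Review bot: `find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm -f {} \;` deletes every file with that prefix on each initramfs rebuild, which includes an administrator's own copy of `clevis-luks-askpass@.service` or `clevis-luks-askpass@.path` placed there as an override, not just the enablement symlinks this function created. The `systemctl enable` that follows also modifies the running host even when dracut is building an image for some other root, and the `lsblk | awk '... getline ...'` pairing of a `crypt` row with the following row is fragile. I would disable the previously enabled instances through systemctl instead of removing files by name, as below, and gate the function on dracut building for the live system (how dracut exposes that is not visible here).
```shell
configure_passwd_watchers() {
    command -v systemctl >/dev/null || return 1

    # Undo only what an earlier run of this function enabled; do not rm
    # arbitrary clevis-luks-askpass* files, admin overrides live there too.
    local unit
    for unit in /etc/systemd/system/basic.target.wants/clevis-luks-askpass@*.path; do
        [ -e "${unit}" ] || continue
        systemctl disable --quiet "$(basename "${unit}")" 2>/dev/null
    done

    # … unchanged: lsblk/cryptsetup loop enabling clevis-luks-askpass@${uuid}.path …
}
```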
| @@ -30,6 +48,10 @@ install() {
 | ||||
|      inst_multiple \ | ||||
|  	/etc/services \ | ||||
|          @libexecdir@/clevis-luks-askpass \ | ||||
| +        clevis-luks-common-functions \
 | ||||
| +        head \
 | ||||
| +        grep \
 | ||||
| +        sed \
 | ||||
|          clevis-decrypt \ | ||||
|          cryptsetup \ | ||||
|          luksmeta \ | ||||
| @@ -38,5 +60,6 @@ install() {
 | ||||
|          jose \ | ||||
|          ncat | ||||
|   | ||||
| +    configure_passwd_watchers
 | ||||
|      dracut_need_initqueue | ||||
|  } | ||||
| diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
 | ||||
| index 369e7f7..334e84c 100644
 | ||||
| --- a/src/luks/systemd/meson.build
 | ||||
| +++ b/src/luks/systemd/meson.build
 | ||||
| @@ -6,13 +6,13 @@ if systemd.found()
 | ||||
|    unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') | ||||
|   | ||||
|    configure_file( | ||||
| -    input: 'clevis-luks-askpass.service.in',
 | ||||
| -    output: 'clevis-luks-askpass.service',
 | ||||
| +    input: 'clevis-luks-askpass@.service.in',
 | ||||
| +    output: 'clevis-luks-askpass@.service',
 | ||||
|      install_dir: unitdir, | ||||
|      configuration: data, | ||||
|    ) | ||||
|   | ||||
| -  install_data('clevis-luks-askpass.path', install_dir: unitdir)
 | ||||
| +  install_data('clevis-luks-askpass@.path', install_dir: unitdir)
 | ||||
|    install_data('clevis-luks-askpass', install_dir: libexecdir) | ||||
|  else | ||||
|    warning('Will not install systemd support due to missing dependencies!') | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
| @ -1,555 +0,0 @@ | ||||
| From 7b1639b2194a8bfbb0daedf1cbdfc4ebef5f6b31 Mon Sep 17 00:00:00 2001 | ||||
| From: Sergio Correia <scorreia@redhat.com> | ||||
| Date: Mon, 18 May 2020 08:36:17 -0300 | ||||
| Subject: [PATCH] Introduce -y (assume yes) argument to clevis luks bind | ||||
| 
 | ||||
| In order to simplify automated operations with e.g. ansible, | ||||
| it would be helpful to have a way to automate the creation of | ||||
| bindings with clevis. | ||||
| 
 | ||||
| In simple scenarios, it's possible to download the advertisement | ||||
| from a tang server and pass it in the binding configuration, to | ||||
| do the binding offline, in the following way: | ||||
| 
 | ||||
| curl -sfg http://tang.server/adv -o adv.jws | ||||
| 
 | ||||
| clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.server", "adv":"adv.jws"}' | ||||
| 
 | ||||
| However, for more complex scenarios using multiple servers with | ||||
| the sss pin, it becomes a lot more complicated to do the same | ||||
| thing and do the binding in an automated fashion. An alternative | ||||
| would be to use expect (tcl), but it can also be complicated. | ||||
| 
 | ||||
| In this commit we introduce -y as a parameter to clevis luks bind, | ||||
| meanining _assume yes_. Essentially, this would make it so that | ||||
| the user would not have to manually trust tang key(s) by typing | ||||
| y/yes. | ||||
| 
 | ||||
| Security-wise, it would be similar to downloading the advertisement | ||||
| manually and passing it to tang as the "adv" configuration option, | ||||
| something already supported. | ||||
| 
 | ||||
| We already have a -f parameter, so we picked something different, | ||||
| not to change existing behavior and possibly break existing scripts. | ||||
| ---
 | ||||
|  src/luks/clevis-luks-bind.1.adoc         |  7 +- | ||||
|  src/luks/clevis-luks-bind.in             | 11 +++- | ||||
|  src/luks/clevis-luks-regen               |  4 +- | ||||
|  src/luks/tests/assume-yes-luks1          | 81 ++++++++++++++++++++++++ | ||||
|  src/luks/tests/assume-yes-luks2          | 81 ++++++++++++++++++++++++ | ||||
|  src/luks/tests/meson.build               |  2 + | ||||
|  src/pins/sss/clevis-encrypt-sss.1.adoc   | 14 +++- | ||||
|  src/pins/sss/clevis-encrypt-sss.c        | 30 ++++++--- | ||||
|  src/pins/tang/clevis-encrypt-tang        | 35 ++++++---- | ||||
|  src/pins/tang/clevis-encrypt-tang.1.adoc | 11 +++- | ||||
|  10 files changed, 246 insertions(+), 30 deletions(-) | ||||
|  create mode 100755 src/luks/tests/assume-yes-luks1 | ||||
|  create mode 100755 src/luks/tests/assume-yes-luks2 | ||||
| 
 | ||||
| diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
 | ||||
| index 336c0f4..438e517 100644
 | ||||
| --- a/src/luks/clevis-luks-bind.1.adoc
 | ||||
| +++ b/src/luks/clevis-luks-bind.1.adoc
 | ||||
| @@ -9,7 +9,7 @@ clevis-luks-bind - Bind a LUKS device using the specified policy
 | ||||
|   | ||||
|  == SYNOPSIS | ||||
|   | ||||
| -*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
 | ||||
| +*clevis luks bind* [-f] [-y] -d DEV [-s SLT] [-k KEY] PIN CFG
 | ||||
|   | ||||
|  == OVERVIEW | ||||
|   | ||||
| @@ -34,6 +34,11 @@ Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlock
 | ||||
|  * *-f* : | ||||
|    Do not prompt for LUKSMeta initialization | ||||
|   | ||||
| +* *-y* :
 | ||||
| +  Automatically answer yes for all questions. When using _tang_, it
 | ||||
| +  causes the advertisement trust check to be skipped, which can be
 | ||||
| +  useful in automated deployments
 | ||||
| +
 | ||||
|  * *-d* _DEV_ : | ||||
|    The LUKS device on which to perform binding | ||||
|   | ||||
| diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
 | ||||
| index 89a5e22..8b8b5ee 100755
 | ||||
| --- a/src/luks/clevis-luks-bind.in
 | ||||
| +++ b/src/luks/clevis-luks-bind.in
 | ||||
| @@ -33,12 +33,14 @@ function luks2_supported() {
 | ||||
|  function usage() { | ||||
|      exec >&2 | ||||
|      echo | ||||
| -    echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG"
 | ||||
| +    echo "Usage: clevis luks bind [-f] [-y] [-s SLT] [-k KEY] -d DEV PIN CFG"
 | ||||
|      echo | ||||
|      echo "$SUMMARY": | ||||
|      echo | ||||
|      echo "  -f      Do not prompt for LUKSMeta initialization" | ||||
|      echo | ||||
| +    echo "  -y      Automatically answer yes for all questions"
 | ||||
| +    echo
 | ||||
|      echo "  -d DEV  The LUKS device on which to perform binding" | ||||
|      echo | ||||
|      echo "  -s SLT  The LUKS slot to use" | ||||
| @@ -55,12 +57,15 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
 | ||||
|  fi | ||||
|   | ||||
|  FRC=() | ||||
| -while getopts ":hfd:s:k:" o; do
 | ||||
| +YES=()
 | ||||
| +while getopts ":fyd:s:k:" o; do
 | ||||
|      case "$o" in | ||||
|      f) FRC+=(-f);; | ||||
|      d) DEV="$OPTARG";; | ||||
|      s) SLT="$OPTARG";; | ||||
|      k) KEY="$OPTARG";; | ||||
| +    y) FRC+=(-f)
 | ||||
| +       YES+=(-y);;
 | ||||
|      *) usage;; | ||||
|      esac | ||||
|  done | ||||
| @@ -139,7 +144,7 @@ cryptsetup luksDump "$DEV" \
 | ||||
|  )")" | ||||
|   | ||||
|  # Encrypt the new key | ||||
| -jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG")"
 | ||||
| +jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
 | ||||
|   | ||||
|  # If necessary, initialize the LUKS volume | ||||
|  if [ "$luks_type" == "luks1" ] && ! luksmeta test -d "$DEV"; then | ||||
| diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen
 | ||||
| index 44fd673..6071d85 100755
 | ||||
| --- a/src/luks/clevis-luks-regen
 | ||||
| +++ b/src/luks/clevis-luks-regen
 | ||||
| @@ -110,7 +110,7 @@ if ! new_passphrase=$(generate_key "${DEV}"); then
 | ||||
|  fi | ||||
|   | ||||
|  # Reencrypt the new password. | ||||
| -if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then
 | ||||
| +if ! jwe="$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}")"; then
 | ||||
|      echo "Error using pin '${PIN}' with config '${CFG}'" >&2 | ||||
|      exit 1 | ||||
|  fi | ||||
| @@ -176,7 +176,7 @@ fi
 | ||||
|  # Now make sure that we can unlock this device after the change. | ||||
|  # If we can't, undo the changes. | ||||
|  if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \ | ||||
| -        <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then
 | ||||
| +        <<< "$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null)"; then
 | ||||
|      echo "Invalid configuration detected after rebinding. Reverting changes." | ||||
|      restore_device "${DEV}" "${TMP}" | ||||
|      exit 1 | ||||
| diff --git a/src/luks/tests/assume-yes-luks1 b/src/luks/tests/assume-yes-luks1
 | ||||
| new file mode 100755 | ||||
| index 0000000..ad9dea4
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/assume-yes-luks1
 | ||||
| @@ -0,0 +1,81 @@
 | ||||
| +#!/bin/bash -ex
 | ||||
| +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2020 Red Hat, Inc.
 | ||||
| +# Author: Sergio Correia <scorreia@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +
 | ||||
| +TEST=$(basename "${0}")
 | ||||
| +. tests-common-functions
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +on_exit() {
 | ||||
| +    local d
 | ||||
| +    for d in "${TMP}" "${TMP2}"; do
 | ||||
| +        [ ! -d "${d}" ] && continue
 | ||||
| +        tang_stop "${d}"
 | ||||
| +        rm -rf "${d}"
 | ||||
| +    done
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'on_exit' ERR
 | ||||
| +
 | ||||
| +TMP="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://${TANG_HOST}:${port}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s"}' "$url")
 | ||||
| +
 | ||||
| +# LUKS1.
 | ||||
| +DEV="${TMP}/luks1-device"
 | ||||
| +new_device "luks1" "${DEV}"
 | ||||
| +
 | ||||
| +if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we were unable to unlock ${DEV}."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Let's use a second tang server to test the sss pin.
 | ||||
| +TMP2="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port2=$(get_random_port)
 | ||||
| +tang_run "${TMP2}" "${port2}" &
 | ||||
| +tang_wait_until_ready "${port2}"
 | ||||
| +
 | ||||
| +url2="http://${TANG_HOST}:${port2}"
 | ||||
| +
 | ||||
| +cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
 | ||||
| +       "${url1}" "${url2}")
 | ||||
| +
 | ||||
| +# LUKS1.
 | ||||
| +new_device "luks1" "${DEV}"
 | ||||
| +# Now let's test the sss pin with the two test tang servers we deployed.
 | ||||
| +if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Unlock should still work now.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should still be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| diff --git a/src/luks/tests/assume-yes-luks2 b/src/luks/tests/assume-yes-luks2
 | ||||
| new file mode 100755 | ||||
| index 0000000..5c0edc3
 | ||||
| --- /dev/null
 | ||||
| +++ b/src/luks/tests/assume-yes-luks2
 | ||||
| @@ -0,0 +1,81 @@
 | ||||
| +#!/bin/bash -ex
 | ||||
| +# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 | ||||
| +#
 | ||||
| +# Copyright (c) 2020 Red Hat, Inc.
 | ||||
| +# Author: Sergio Correia <scorreia@redhat.com>
 | ||||
| +#
 | ||||
| +# This program is free software: you can redistribute it and/or modify
 | ||||
| +# it under the terms of the GNU General Public License as published by
 | ||||
| +# the Free Software Foundation, either version 3 of the License, or
 | ||||
| +# (at your option) any later version.
 | ||||
| +#
 | ||||
| +# This program is distributed in the hope that it will be useful,
 | ||||
| +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 | ||||
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | ||||
| +# GNU General Public License for more details.
 | ||||
| +#
 | ||||
| +# You should have received a copy of the GNU General Public License
 | ||||
| +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | ||||
| +
 | ||||
| +TEST=$(basename "${0}")
 | ||||
| +. tests-common-functions
 | ||||
| +
 | ||||
| +. clevis-luks-common-functions
 | ||||
| +
 | ||||
| +on_exit() {
 | ||||
| +    local d
 | ||||
| +    for d in "${TMP}" "${TMP2}"; do
 | ||||
| +        [ ! -d "${d}" ] && continue
 | ||||
| +        tang_stop "${d}"
 | ||||
| +        rm -rf "${d}"
 | ||||
| +    done
 | ||||
| +}
 | ||||
| +
 | ||||
| +trap 'on_exit' EXIT
 | ||||
| +trap 'on_exit' ERR
 | ||||
| +
 | ||||
| +TMP="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port=$(get_random_port)
 | ||||
| +tang_run "${TMP}" "${port}" &
 | ||||
| +tang_wait_until_ready "${port}"
 | ||||
| +
 | ||||
| +url="http://${TANG_HOST}:${port}"
 | ||||
| +
 | ||||
| +cfg=$(printf '{"url":"%s"}' "$url")
 | ||||
| +
 | ||||
| +# LUKS2.
 | ||||
| +DEV="${TMP}/luks2-device"
 | ||||
| +new_device "luks2" "${DEV}"
 | ||||
| +
 | ||||
| +if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we were unable to unlock ${DEV}."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Let's use a second tang server to test the sss pin.
 | ||||
| +TMP2="$(mktemp -d)"
 | ||||
| +
 | ||||
| +port2=$(get_random_port)
 | ||||
| +tang_run "${TMP2}" "${port2}" &
 | ||||
| +tang_wait_until_ready "${port2}"
 | ||||
| +
 | ||||
| +url2="http://${TANG_HOST}:${port2}"
 | ||||
| +
 | ||||
| +cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
 | ||||
| +       "${url1}" "${url2}")
 | ||||
| +
 | ||||
| +# LUKS2.
 | ||||
| +new_device "luks2" "${DEV}"
 | ||||
| +# Now let's test the sss pin with the two test tang servers we deployed.
 | ||||
| +if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
 | ||||
| +    error "${TEST}: Bind should have succeeded."
 | ||||
| +fi
 | ||||
| +
 | ||||
| +# Unlock should still work now.
 | ||||
| +if ! clevis_luks_unlock_device "${DEV}"; then
 | ||||
| +    error "${TEST}: we should still be able to unlock ${DEV}"
 | ||||
| +fi
 | ||||
| diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
 | ||||
| index dbef9bf..4795488 100644
 | ||||
| --- a/src/luks/tests/meson.build
 | ||||
| +++ b/src/luks/tests/meson.build
 | ||||
| @@ -85,6 +85,7 @@ endif
 | ||||
|   | ||||
|  if has_tang | ||||
|    test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90) | ||||
| +  test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env)
 | ||||
|  endif | ||||
|  test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env) | ||||
|  test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env) | ||||
| @@ -108,6 +109,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
 | ||||
|   | ||||
|    if has_tang | ||||
|      test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120) | ||||
| +    test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 60)
 | ||||
|    endif | ||||
|    test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60) | ||||
|    test('backup-restore-luks2', find_program('backup-restore-luks2'), env:env, timeout: 90) | ||||
| diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
 | ||||
| index 7144e7e..7152144 100644
 | ||||
| --- a/src/pins/sss/clevis-encrypt-sss.1.adoc
 | ||||
| +++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
 | ||||
| @@ -5,11 +5,11 @@ CLEVIS-ENCRYPT-SSS(1)
 | ||||
|   | ||||
|  == NAME | ||||
|   | ||||
| -clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy 
 | ||||
| +clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
 | ||||
|   | ||||
|  == SYNOPSIS | ||||
|   | ||||
| -*clevis encrypt sss* CONFIG < PT > JWE
 | ||||
| +*clevis encrypt sss* CONFIG [-y] < PT > JWE
 | ||||
|   | ||||
|  == OVERVIEW | ||||
|   | ||||
| @@ -52,6 +52,16 @@ The format of the *pins* property is as follows:
 | ||||
|  When the list version of the format is used, multiple pins of that type will | ||||
|  receive key fragments. | ||||
|   | ||||
| +== OPTIONS
 | ||||
| +
 | ||||
| +* *-y* :
 | ||||
| +  Automatically answer yes for all questions. For the _tang_ pin, it will
 | ||||
| +  skip the advertisement trust check, which can be useful in automated
 | ||||
| +  deployments:
 | ||||
| +
 | ||||
| +    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
 | ||||
| +    $ clevis encrypt sss "$cfg" -y < PT > JWE
 | ||||
| +
 | ||||
|  == SEE ALSO | ||||
|   | ||||
|  link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], | ||||
| diff --git a/src/pins/sss/clevis-encrypt-sss.c b/src/pins/sss/clevis-encrypt-sss.c
 | ||||
| index d6f2c2c..531e918 100644
 | ||||
| --- a/src/pins/sss/clevis-encrypt-sss.c
 | ||||
| +++ b/src/pins/sss/clevis-encrypt-sss.c
 | ||||
| @@ -86,9 +86,9 @@ npins(json_t *pins)
 | ||||
|  } | ||||
|   | ||||
|  static json_t * | ||||
| -encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
 | ||||
| +encrypt_frag(json_t *sss, const char *pin, const json_t *cfg, int assume_yes)
 | ||||
|  { | ||||
| -    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL };
 | ||||
| +    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL, NULL };
 | ||||
|      json_auto_t *jwe = json_string(""); | ||||
|      str_auto_t *str = NULL; | ||||
|      uint8_t *pnt = NULL; | ||||
| @@ -100,6 +100,10 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
 | ||||
|      if (!str) | ||||
|          return NULL; | ||||
|   | ||||
| +    if (assume_yes) {
 | ||||
| +        args[4] = "-y";
 | ||||
| +    }
 | ||||
| +
 | ||||
|      pnt = sss_point(sss, &pntl); | ||||
|      if (!pnt) | ||||
|          return NULL; | ||||
| @@ -137,7 +141,7 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
 | ||||
|  } | ||||
|   | ||||
|  static json_t * | ||||
| -encrypt_frags(json_int_t t, json_t *pins)
 | ||||
| +encrypt_frags(json_int_t t, json_t *pins, int assume_yes)
 | ||||
|  { | ||||
|      const char *pname = NULL; | ||||
|      json_auto_t *sss = NULL; | ||||
| @@ -172,7 +176,7 @@ encrypt_frags(json_int_t t, json_t *pins)
 | ||||
|          json_array_foreach(pcfgs, i, pcfg) { | ||||
|              json_auto_t *jwe = NULL; | ||||
|   | ||||
| -            jwe = encrypt_frag(sss, pname, pcfg);
 | ||||
| +            jwe = encrypt_frag(sss, pname, pcfg, assume_yes);
 | ||||
|              if (!jwe) | ||||
|                  return NULL; | ||||
|   | ||||
| @@ -201,14 +205,24 @@ main(int argc, char *argv[])
 | ||||
|      const char *iv = NULL; | ||||
|      json_t *pins = NULL; | ||||
|      json_int_t t = 1; | ||||
| +    int assume_yes = 0;
 | ||||
|   | ||||
|      if (argc == 2 && strcmp(argv[1], "--summary") == 0) { | ||||
|          fprintf(stdout, "%s\n", SUMMARY); | ||||
|          return EXIT_SUCCESS; | ||||
|      } | ||||
|   | ||||
| -    if (isatty(STDIN_FILENO) || argc != 2)
 | ||||
| -        goto usage;
 | ||||
| +    if (isatty(STDIN_FILENO) || argc != 2) {
 | ||||
| +        if (argc != 3) {
 | ||||
| +            goto usage;
 | ||||
| +        }
 | ||||
| +
 | ||||
| +        if (strcmp(argv[2], "-y") == 0) {
 | ||||
| +            assume_yes = 1;
 | ||||
| +        } else if (strlen(argv[2]) > 0) {
 | ||||
| +            goto usage;
 | ||||
| +        }
 | ||||
| +    }
 | ||||
|   | ||||
|      /* Parse configuration. */ | ||||
|      cfg = json_loads(argv[1], 0, NULL); | ||||
| @@ -228,7 +242,7 @@ main(int argc, char *argv[])
 | ||||
|          return EXIT_FAILURE; | ||||
|      } | ||||
|   | ||||
| -    sss = encrypt_frags(t, pins);
 | ||||
| +    sss = encrypt_frags(t, pins, assume_yes);
 | ||||
|      if (!sss) | ||||
|          return EXIT_FAILURE; | ||||
|   | ||||
| @@ -287,7 +301,7 @@ main(int argc, char *argv[])
 | ||||
|   | ||||
|  usage: | ||||
|      fprintf(stderr, "\n"); | ||||
| -    fprintf(stderr, "Usage: clevis encrypt sss CONFIG < PLAINTEXT > JWE\n");
 | ||||
| +    fprintf(stderr, "Usage: clevis encrypt sss CONFIG [-y] < PLAINTEXT > JWE\n");
 | ||||
|      fprintf(stderr, "\n"); | ||||
|      fprintf(stderr, "%s\n", SUMMARY); | ||||
|      fprintf(stderr, "\n"); | ||||
| diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
 | ||||
| index 378b25d..4a43f1f 100755
 | ||||
| --- a/src/pins/tang/clevis-encrypt-tang
 | ||||
| +++ b/src/pins/tang/clevis-encrypt-tang
 | ||||
| @@ -28,10 +28,14 @@ fi
 | ||||
|  if [ -t 0 ]; then | ||||
|      exec >&2 | ||||
|      echo | ||||
| -    echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE"
 | ||||
| +    echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
 | ||||
|      echo | ||||
|      echo "$SUMMARY" | ||||
|      echo | ||||
| +    echo "  -y              Use this option for skipping the advertisement"
 | ||||
| +    echo "                  trust check. This can be useful in automated"
 | ||||
| +    echo "                  deployments"
 | ||||
| +    echo
 | ||||
|      echo "This command uses the following configuration properties:" | ||||
|      echo | ||||
|      echo "  url: <string>   The base URL of the Tang server (REQUIRED)" | ||||
| @@ -60,6 +64,9 @@ if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
 | ||||
|      exit 1 | ||||
|  fi | ||||
|   | ||||
| +trust=
 | ||||
| +[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
 | ||||
| +
 | ||||
|  if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then | ||||
|      echo "Missing the required 'url' property!" >&2 | ||||
|      exit 1 | ||||
| @@ -100,18 +107,20 @@ if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
 | ||||
|  fi | ||||
|   | ||||
|  ### Check advertisement trust | ||||
| -if [ -z "$thp" ]; then
 | ||||
| -    echo "The advertisement contains the following signing keys:" >&2
 | ||||
| -    echo >&2
 | ||||
| -    jose jwk thp -i- <<< "$ver" >&2
 | ||||
| -    echo >&2
 | ||||
| -    read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
 | ||||
| -    [[ "$ans" =~ ^[yY]$ ]] || exit 1
 | ||||
| -
 | ||||
| -elif [ "$thp" != "any" ] && \
 | ||||
| -    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
 | ||||
| -    echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
 | ||||
| -    exit 1
 | ||||
| +if [ -z "${trust}" ]; then
 | ||||
| +    if [ -z "$thp" ]; then
 | ||||
| +        echo "The advertisement contains the following signing keys:" >&2
 | ||||
| +        echo >&2
 | ||||
| +        jose jwk thp -i- <<< "$ver" >&2
 | ||||
| +        echo >&2
 | ||||
| +        read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
 | ||||
| +        [[ "$ans" =~ ^[yY]$ ]] || exit 1
 | ||||
| +
 | ||||
| +    elif [ "$thp" != "any" ] && \
 | ||||
| +        ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
 | ||||
| +        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
 | ||||
| +        exit 1
 | ||||
| +    fi
 | ||||
|  fi | ||||
|   | ||||
|  ### Perform encryption | ||||
| diff --git a/src/pins/tang/clevis-encrypt-tang.1.adoc b/src/pins/tang/clevis-encrypt-tang.1.adoc
 | ||||
| index 276575f..c34d109 100644
 | ||||
| --- a/src/pins/tang/clevis-encrypt-tang.1.adoc
 | ||||
| +++ b/src/pins/tang/clevis-encrypt-tang.1.adoc
 | ||||
| @@ -9,7 +9,7 @@ clevis-encrypt-tang - Encrypts using a Tang binding server policy
 | ||||
|   | ||||
|  == SYNOPSIS | ||||
|   | ||||
| -*clevis encrypt tang* CONFIG < PT > JWE
 | ||||
| +*clevis encrypt tang* CONFIG [-y] < PT > JWE
 | ||||
|   | ||||
|  == OVERVIEW | ||||
|   | ||||
| @@ -76,6 +76,15 @@ This command uses the following configuration properties:
 | ||||
|  * *adv* (object) : | ||||
|    A trusted advertisement (raw JSON) | ||||
|   | ||||
| +== OPTIONS
 | ||||
| +
 | ||||
| +* *-y* :
 | ||||
| +  Automatically answer yes for all questions. Use this option for skipping
 | ||||
| +  the advertisement trust check. This can be useful in automated deployments:
 | ||||
| +
 | ||||
| +    $ clevis encrypt tang '{"url":...}' -y < PT > JWE
 | ||||
| +
 | ||||
| +
 | ||||
|  == SEE ALSO | ||||
|   | ||||
|  link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] | ||||
| -- 
 | ||||
| 2.18.4 | ||||
| 
 | ||||
										
											
											
										
									
								
							| @ -1,25 +1,18 @@ | ||||
| %global _hardened_build 1 | ||||
| 
 | ||||
| Name:           clevis | ||||
| Version:        13 | ||||
| Release:        3%{?dist} | ||||
| Version:        15 | ||||
| Release:        1%{?dist} | ||||
| Summary:        Automated decryption framework | ||||
| 
 | ||||
| License:        GPLv3+ | ||||
| URL:            https://github.com/latchset/%{name} | ||||
| Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz | ||||
| 
 | ||||
| Patch0001: 0001-Adjust-pin-tang-test-to-account-for-newer-tang-witho.patch | ||||
| Patch0002: 0002-Fix-clevis-luks-unlock-and-add-related-tests.patch | ||||
| Patch0003: 0003-Improve-error-message-when-bind-is-given-an-invalid-.patch | ||||
| Patch0004: 0004-Add-rd.neednet-1-to-cmdline-only-if-there-are-device.patch | ||||
| Patch0005: 0005-Add-the-option-to-extract-luks-passphrase-used-for-b.patch | ||||
| Patch0006: 0006-Add-clevis-luks-regen-command.patch | ||||
| Patch0007: 0007-Add-clevis-luks-report.patch | ||||
| Patch0008: 0008-Use-one-clevis-luks-askpass-per-device.patch | ||||
| Patch0009: 0009-Introduce-y-assume-yes-argument-to-clevis-luks-bind.patch | ||||
| Patch0010: 0010-Add-clevis-luks-edit-command.patch | ||||
| Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch | ||||
| Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch | ||||
| 
 | ||||
| BuildRequires:  git | ||||
| BuildRequires:  gcc | ||||
| BuildRequires:  meson | ||||
| BuildRequires:  asciidoc | ||||
| @ -129,19 +122,25 @@ desktop-file-validate \ | ||||
| %meson_test | ||||
| 
 | ||||
| %pre | ||||
| getent group %{name} >/dev/null || groupadd -r %{name} | ||||
| getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null | ||||
| getent passwd %{name} >/dev/null || \ | ||||
|     useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \ | ||||
|     -c "Clevis Decryption Framework unprivileged user" %{name} | ||||
|     -c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null | ||||
| # Add clevis user to tss group. | ||||
| if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then | ||||
|     usermod -a -G tss %{name} &>/dev/null | ||||
| fi | ||||
| exit 0 | ||||
| 
 | ||||
| %pre systemd | ||||
| if [ $1 -ge 0 ]; then | ||||
|     # clevis-systemd < 11-8 shipped with clevis-luks-askpass.path unit. | ||||
|     # Make sure it's gone. | ||||
|     [ -e /usr/lib/systemd/system/clevis-luks-askpass.path ] && \ | ||||
|         systemctl disable clevis-luks-askpass.path | ||||
| fi | ||||
| %posttrans | ||||
| # In case clevis-luks-askpass is enabled, make sure it's using the | ||||
| # correct target, which changed in v14. | ||||
| [ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0 | ||||
| find /etc/systemd/system/ -name "clevis-luks-askpass*" \ | ||||
|      | grep -q cryptsetup.target.wants && exit 0 | ||||
| 
 | ||||
| find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} + | ||||
| systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || : | ||||
| exit 0 | ||||
| 
 | ||||
| %files | ||||
| @ -179,16 +178,12 @@ exit 0 | ||||
| %{_bindir}/%{name}-luks-pass | ||||
| %{_bindir}/%{name}-luks-regen | ||||
| %{_bindir}/%{name}-luks-report | ||||
| %{_bindir}/%{name}-luks-report-compare | ||||
| %{_bindir}/%{name}-luks-report-decode | ||||
| %{_bindir}/%{name}-luks-report-sss | ||||
| %{_bindir}/%{name}-luks-report-tang | ||||
| %{_bindir}/%{name}-luks-edit | ||||
| 
 | ||||
| %files systemd | ||||
| %{_libexecdir}/%{name}-luks-askpass | ||||
| %{_unitdir}/%{name}-luks-askpass@.path | ||||
| %{_unitdir}/%{name}-luks-askpass@.service | ||||
| %{_unitdir}/%{name}-luks-askpass.path | ||||
| %{_unitdir}/%{name}-luks-askpass.service | ||||
| 
 | ||||
| %files dracut | ||||
| %{_prefix}/lib/dracut/modules.d/60%{name} | ||||
| @ -201,6 +196,12 @@ exit 0 | ||||
| %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1 | ||||
| - Update to latest upstream release, v15 | ||||
|   Resolves: rhbz#1887836 | ||||
|   Resolves: rhbz#1853651 | ||||
|   Resolves: rhbz#1874460 | ||||
| 
 | ||||
| * Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3 | ||||
| - Add clevis luks edit command | ||||
|   Resolves: rhbz#1436735 | ||||
|  | ||||
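Review bot: The new `%posttrans` scriptlet deletes every entry under /etc/systemd/system/ whose name begins with clevis-luks-askpass, not only the stale enablement symlinks, so an administrator's local override copy of clevis-luks-askpass.service or .path placed in that directory would be removed on upgrade, and a drop-in directory such as clevis-luks-askpass.service.d would make the plain `rm` fail with an error since it has no -r. Limiting the cleanup to symlinks keeps the intent of re-homing the enablement link while leaving admin-owned unit files alone: `find /etc/systemd/system/ -name "clevis-luks-askpass*" -type l -exec rm {} +`. The preceding `grep -q cryptsetup.target.wants` is also a substring match and would be satisfied by a link under remote-cryptsetup.target.wants, which the comment about the target changed in v14 presumably does not mean; if so, `grep -q '/cryptsetup.target.wants/'` pins it to the intended directory. The file header of this section is not visible in the rendered page and the +/- markers are lost, so the old/new side of the %pre and %posttrans lines is inferred from the hunk counts.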