import clevis-15-14.el8
This commit is contained in:
parent
f1602f07a2
commit
df329799da
@ -0,0 +1,16 @@
|
|||||||
|
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
|
||||||
|
@@ -413,7 +413,12 @@
|
||||||
|
clevis_devices=
|
||||||
|
|
||||||
|
# Build list of devices to unlock.
|
||||||
|
- while read -r _ crypt_device _; do
|
||||||
|
+ while read -r _volname_ crypt_device _; do
|
||||||
|
+ # skip empty lines and lines which begin with the '#' char, per
|
||||||
|
+ # crypttab(5)
|
||||||
|
+ case $_volname_ in
|
||||||
|
+ ''|\#*) continue ;;
|
||||||
|
+ esac
|
||||||
|
if ! dev=$(clevis_map_device "${crypt_device}") \
|
||||||
|
|| [ -z "${dev}" ]; then
|
||||||
|
# Unable to get the device - maybe it's not available, e.g. a
|
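--- a/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
+++ b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
@@ -0,0 +1,73 @@
+--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
+@@ -101,7 +101,7 @@
+
+This command performs four steps:
+
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+2. Encrypts the new key with Clevis.
+3. Stores the Clevis JWE in the LUKS header.
+4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
+@@ -20,7 +20,7 @@
+
+This command performs four steps:
+
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+2. Encrypts the new key with Clevis.
+3. Stores the Clevis JWE in the LUKS header.
+4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
++++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
+@@ -865,6 +865,7 @@
+[ -z "${DEV}" ] && return 1
+
+local dump filter bits
++ local MAX_ENTROPY_BITS=256
+dump=$(cryptsetup luksDump "${DEV}")
+if cryptsetup isLuks --type luks1 "${DEV}"; then
+filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+@@ -876,6 +877,9 @@
+fi
+
+bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
++ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
++ bits="${MAX_ENTROPY_BITS}"
++ fi
+pwmake "${bits}"
+}
+
+--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
++++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
+@@ -19,6 +19,8 @@
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
++. clevis-luks-common-functions
++
+SUMMARY="Binds a LUKS device using the specified policy"
+UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+@@ -139,14 +141,11 @@
+fi
+
+# Generate a key with the same entropy as the LUKS Master Key
+-key="$(pwmake "$(
+-cryptsetup luksDump "$DEV" \
+- | if [ "$luks_type" == "luks1" ]; then
+- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
+- else
+- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
+- fi | sort -n | tail -n 1
+-)")"
++if ! key="$(clevis_luks_generate_key "${DEV}")" \
++ || [ -z "${key}" ]; then
++ echo "Unable to generate key for ${DEV}" >&2
++ return 1
++fi
+
+# Encrypt the new key
+jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"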
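Review bot: The new error path in the clevis-luks-bind.in hunk ends with `return 1`, which only terminates the script if this code sits inside a function; at the top level of a bash script `return` prints an error and execution continues into the `clevis encrypt` call on the next context line with an empty `${key}`. The enclosing scope is not visible in the hunk, so if this is top-level script code the line should be `exit 1`. In the clevis-luks-common-functions hunk, `[ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]` runs before `bits` is known to be numeric: when neither sed pattern matches, `bits` is empty, the test reports an error to stderr, and `pwmake "${bits}"` still runs with an empty argument; a guard such as `case "${bits}" in ''|*[!0-9]*) return 1 ;; esac` placed before the comparison would make the function fail cleanly instead. The function containing `[ -z "${DEV}" ] && return 1` starts outside the hunk.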
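--- a/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
+++ b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
@@ -0,0 +1,11 @@
+--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
+@@ -173,7 +173,7 @@
+
+echo "Updating binding..."
+if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
+- "-y" "overwrite" 2>/dev/null; then
++ "-y" "overwrite"; then
+echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
+exit 1
+fi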
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: clevis
|
Name: clevis
|
||||||
Version: 15
|
Version: 15
|
||||||
Release: 11%{?dist}
|
Release: 14%{?dist}
|
||||||
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -20,6 +20,9 @@ Patch0008: 0008-tang-dump-url-on-error-communication.patch
|
|||||||
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
|
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
|
||||||
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
||||||
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
||||||
|
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
|
||||||
|
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
|
||||||
|
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
|
||||||
|
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -200,6 +203,18 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
|||||||
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
|
||||||
|
- luks-edit: remove unnecessary 2>/dev/null
|
||||||
|
Resolves: rhbz#2159739
|
||||||
|
|
||||||
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
|
||||||
|
- luks: define max entropy bits for pwmake
|
||||||
|
Resolves: rhbz#2159736
|
||||||
|
|
||||||
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
|
||||||
|
- Ignore empty & comment lines in crypttab
|
||||||
|
Resolves: rhbz#2159440
|
||||||
|
|
||||||
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
|
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
|
||||||
- Start clevis-luks-askpass.path service according to global policy
|
- Start clevis-luks-askpass.path service according to global policy
|
||||||
Resolves: rhbz#2107081
|
Resolves: rhbz#2107081
|
||||||
|