Update to latest upstream version, v19

Resolves: rhbz#2165258
Sergio Correia 2023-02-01 23:24:50 -03:00
parent be98c83e8d
commit df4b0fde9e
GPG Key ID: D0D219ED1F7E762C
15 changed files with 3 additions and 850 deletions

.gitignore vendored

@ -6,3 +6,4 @@
/clevis-16.tar.xz
/clevis-17.tar.xz
/clevis-18.tar.xz
/clevis-19.tar.xz


@ -1,47 +0,0 @@
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 3 May 2021 22:36:36 -0300
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
Different OpenSSL versions define BN_zero() differently -- sometimes
returning an integer, sometimes as void --, so let's use instead
BN_set_word() instead, not to have issues when building with these
different versions.
---
src/pins/sss/sss.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
index a37215d..7486d6c 100644
--- a/src/pins/sss/sss.c
+++ b/src/pins/sss/sss.c
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
if (BN_rand_range(xx, pp) <= 0)
return NULL;
- if (BN_zero(yy) <= 0)
+ if (BN_set_word(yy, 0) <= 0)
return NULL;
for (size_t i = 0; i < json_array_size(e); i++) {
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
if (!ctx || !pp || !acc || !tmp || !k)
return NULL;
- if (BN_zero(k) <= 0)
+ if (BN_set_word(k, 0) <= 0)
return NULL;
len = jose_b64_dec(p, NULL, 0);
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
/* acc *= (0 - xi) / (xo - xi) */
- if (BN_zero(tmp) <= 0)
+ if (BN_set_word(tmp, 0) <= 0)
return NULL;
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
--
2.31.1


@ -1,41 +0,0 @@
From 2a16458622be983aba3762079d7a72383bd8be02 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 10:58:26 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
clevis-luks-askpass
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1


@ -1,213 +0,0 @@
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 6/6] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index 7e6d2b3..8d60d05 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1


@ -1,357 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18.new/src/luks/clevis-luks-bind 2022-12-01 12:16:36.564185792 +0100
@@ -25,7 +25,7 @@
usage() {
exec >&2
echo
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
echo
echo "$SUMMARY":
echo
@@ -42,6 +42,8 @@
echo " -k KEY Non-interactively read LUKS password from KEY file"
echo " -k - Non-interactively read LUKS password from standard input"
echo
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
+ echo
exit 2
}
@@ -52,13 +54,14 @@
FRC=
YES=
-while getopts ":hfyd:s:k:t:" o; do
+while getopts ":hfyd:s:k:t:e:" o; do
case "$o" in
f) FRC='-f';;
d) DEV="$OPTARG";;
s) SLT="$OPTARG";;
k) KEY="$OPTARG";;
t) TOKEN_ID="$OPTARG";;
+ e) EXISTING_TOKEN_ID="$OPTARG";;
y) FRC='-f'
YES='-y';;
*) usage;;
@@ -99,11 +102,20 @@
exit 1
fi
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
+ echo "Existing token ID not supported in this cryptsetup version" >&2
+ exit 1
+fi
+
# Get the existing passphrase/keyfile.
existing_key=
keyfile=
case "${KEY}" in
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
+ "")
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
+ fi
+ ;;
-) IFS= read -r -s -p "" existing_key ||:
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
&& [ -z "${FRC}" ]; then
@@ -119,6 +131,13 @@
;;
esac
+# Check if existing token id for keyring read is provided
+# If so, keyfile is not allowed
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
+ echo "Cannot specify kernel keyring description together with key file" >&2
+ exit 1
+fi
+
# If necessary, initialize the LUKS volume.
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
luksmeta init -d "${DEV}" ${FRC}
@@ -127,7 +146,7 @@
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
"${PIN}" "${CFG}" \
"${YES}" "" \
- "${existing_key}" "${keyfile}"; then
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
echo "Error adding new binding to ${DEV}" >&2
exit 1
fi
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18.new/src/luks/clevis-luks-bind.1.adoc 2022-12-01 12:17:23.877527175 +0100
@@ -9,7 +9,7 @@
== SYNOPSIS
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
== OVERVIEW
@@ -54,6 +54,12 @@
* *-k* - :
Non-interactively read LUKS password from standard input
+* *-e* _E_TKN_ID_ :
+ LUKS token ID for existing passphrase; only available for LUKS2.
+ This parameter allows providing a configured token ID in LUKS2
+ containing the existing passphrase for this device, so that
+ existing passphrase is not prompted by clevis
+
== CAVEATS
This command does not change the LUKS master key. This implies that if you
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18.new/src/luks/clevis-luks-common-functions.in 2022-12-01 12:22:36.600783564 +0100
@@ -292,9 +292,10 @@
local KEY="${2:-}"
local KEYFILE="${3:-}"
local SLT="${4:-}"
+ local EXISTING_TOKEN_ID="${5:-}"
[ -z "${DEV}" ] && return 1
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
local extra_args
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
@@ -303,6 +304,11 @@
${extra_args}
return
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
+ ${extra_args}
+ return
+ fi
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
${extra_args}
@@ -734,10 +740,11 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
local extra_args='' input
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
@@ -745,6 +752,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
@@ -759,6 +770,7 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
@@ -768,7 +780,7 @@
local in_place
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" "${KEYFILE}" \
- "${SLT}" 2>/dev/null \
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
&& in_place=true
local input extra_args=
@@ -777,6 +789,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
@@ -803,6 +819,7 @@
local KEY="${4}"
local KEYFILE="${5:-}"
local OVERWRITE="${6:-}"
+ local EXISTING_TOKEN_ID="${7:-}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -820,13 +837,13 @@
[ -n "${OVERWRITE}" ] || return 1
clevis_luks_update_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
return
fi
# Add a new key.
clevis_luks_add_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
}
# clevis_luks_generate_key() generates a new key for use with clevis.
@@ -927,6 +944,8 @@
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" \
"${KEYFILE}" \
+ "" \
+ "${EXISTING_TOKEN_ID}" \
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
"Enter existing LUKS password: " \
"recover")"; then
@@ -971,7 +990,7 @@
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
"${newkey}" "${KEY}" "${KEYFILE}" \
- "${OVERWRITE}"; then
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
echo "Unable to save/update key slot; operation cancelled" >&2
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
rm -rf "${CLEVIS_TMP_DIR}"
@@ -992,12 +1011,19 @@
}
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
-# Suppor is determined at build time.
+# Support is determined at build time.
function clevis_luks_luks2_supported() {
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
return @OLD_CRYPTSETUP@
}
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
+# cryptsetup allows token id for passphrase providing
+function clevis_luks_luks2_existing_token_id_supported() {
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
clevis_luks_type() {
local DEV="${1}"
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18.new/src/luks/meson.build 2022-12-01 12:23:01.159960762 +0100
@@ -14,6 +14,15 @@
endif
endif
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
+if libcryptsetup_ext_token_id.found()
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
+ message('cryptsetup version supports existing token id')
+else
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
+ warning('cryptsetup version does not support existing token id')
+endif
+
clevis_luks_common_functions = configure_file(
input: 'clevis-luks-common-functions.in',
output: 'clevis-luks-common-functions',
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
+++ clevis-18.new/src/luks/tests/bind-luks2-ext-token 2022-12-01 12:23:34.784203368 +0100
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+create_existing_token_id_from_keyring() {
+ local DEV="${1}"
+ local KEYDESC="${2}"
+ local TOKEN_ID="${3}"
+ local PASS="${4}"
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
+ return 1
+ fi
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
+}
+
+if ! luks2_supported; then
+ skip_test "${TEST}: LUKS2 is not supported."
+fi
+
+if ! luks2_existing_token_id_supported; then
+ skip_test "${TEST}: Existing token ID not supported"
+fi
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+tang_create_adv "${TMP}" "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+EXISTING_TOKEN_ID=5
+KEYDESC="testkey"
+PASS="123exttokenid_"
+DEV="${TMP}/luks2-device-ext-token"
+new_device "luks2" "${DEV}" "${PASS}"
+
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
+
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
+fi
+
+KEYFILE="${TMP}/keyfile.txt"
+touch "${KEYFILE}"
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
+fi
\ No newline at end of file
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18.new/src/luks/tests/tests-common-functions.in 2022-12-01 12:25:06.386864313 +0100
@@ -36,6 +36,12 @@
return @OLD_CRYPTSETUP@
}
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+# Support is determined at build time.
+luks2_existing_token_id_supported() {
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# Creates a new LUKS1 or LUKS2 device to be used.
new_device() {
local LUKS="${1}"


@ -1,42 +0,0 @@
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2022-12-16 11:25:48.407264932 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 14:39:32.694114153 +0100
@@ -852,6 +852,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -863,6 +864,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-12-16 14:41:33.502788100 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.


@ -1,16 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-12-16 11:23:23.982459214 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 11:35:54.206644525 +0100
@@ -399,7 +399,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a


@ -1,11 +0,0 @@
--- clevis-18.0006/src/luks/clevis-luks-common-functions.in 2022-12-16 11:51:32.856881018 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 11:53:09.717421379 +0100
@@ -410,7 +410,7 @@
# Unable to get the device - maybe it's not available, e.g. a
# device on a volume group that has not been activated yet.
# Add it to the list anyway, since it's a pending device.
- clevis_devices="${clevis_devices} ${dev}"
+ clevis_devices="${clevis_devices} ${crypt_device}"
continue
fi


@ -1,16 +0,0 @@
--- clevis-18.0007/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-12-16 11:55:59.187366809 +0100
@@ -99,10 +99,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with server $url!" >&2
exit 1
fi


@ -1,39 +0,0 @@
--- clevis-18.0008/src/luks/clevis-luks-common-functions.in 2022-12-16 11:59:17.972475773 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 12:05:07.214424096 +0100
@@ -319,6 +319,7 @@
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -334,7 +335,9 @@
return 1
fi
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -342,6 +345,8 @@
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -352,7 +357,7 @@
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi


@ -1,17 +0,0 @@
--- clevis-18.0009/src/pins/tpm2/clevis-decrypt-tpm2 2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tpm2/clevis-decrypt-tpm2 2022-12-16 12:22:51.788363059 +0100
@@ -99,12 +99,12 @@
fi
if ! jwk_pub="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_pub -Su- <<< "$jhd")"; then
- echo "JWE missing required 'key' header parameter!" >&2
+ echo "JWE missing required 'jwk_pub' header parameter!" >&2
exit 1
fi
if ! jwk_priv="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- <<< "$jhd")"; then
- echo "JWE missing required 'key' header parameter!" >&2
+ echo "JWE missing required 'jwk_priv' header parameter!" >&2
exit 1
fi


@ -1,25 +0,0 @@
--- clevis-18.0010/src/clevis 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis 2022-12-16 12:29:15.122501596 +0100
@@ -27,6 +27,8 @@
}
cmd=clevis
+input_commands="$cmd $@"
+
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +38,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo


@ -1,11 +0,0 @@
--- clevis-18.0011/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-edit 2022-12-16 12:32:42.350657681 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi


@ -1,5 +1,5 @@
Name: clevis
Version: 18
Version: 19
Release: %autorelease
Summary: Automated decryption framework
@ -8,19 +8,6 @@ URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0003: 0003-feat-rename-the-test-pin-to-null-pin.patch
Patch0004: 0004-clevis-external-token-id.patch
Patch0005: 0005-luks-define-max-entropy-bits-for-pwmake.patch
Patch0006: 0006-luks-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0007: 0007-luks-fix-typo-when-adding-a-pending-device.patch
Patch0008: 0008-notify-error-url-on-server-connect-fail.patch
Patch0009: 0009-improve-boot-performance-by-removing-key-check.patch
Patch0010: 0010-fix-typo-in-error-messages.patch
Patch0011: 0011-avoid-invalid-message-for-clevis-command.patch
Patch0012: 0012-luks-edit-remove-unnecessary-2-dev-null.patch
BuildRequires: git-core
BuildRequires: gcc
BuildRequires: meson
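Review bot: Dropping Patch0001 through Patch0012 from the spec is only safe if %prep does not reference them by number; %prep lies outside this section, so if it uses explicit `%patch0001 -p1` lines rather than `%autosetup`, the build will fail on the now-missing patch files. The commit message gives only the bug reference, so it is also worth stating explicitly that each of the twelve removed downstream patches is contained in the v19 tarball; nothing on the page shows that check was done, and the 0004 external-token-id change in particular alters how an existing LUKS passphrase is supplied to cryptsetup, so a silent drop would change behaviour for users of `clevis luks bind -e`. A one-line statement such as `All downstream patches are included upstream in v19` in the commit record would make this verifiable later.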


@ -1 +1 @@
SHA512 (clevis-18.tar.xz) = 2385b49f63b8237d44b3790560cd74372d598fd3728945ac11278c09e1e1583bea279eeff43c4fd57b0530a66c532ebfa7eb7f11da9732a50da80389e45ed1d1
SHA512 (clevis-19.tar.xz) = a4d1545dad8a70579f5f2a3992b71f1034df57386a8881c04cf1552394ad1aa1e39d38ac16312d8b61073b3bd462fe9032b29b68580cd3c50913cc5a77e32029