Update to latest upstream version, v19
Resolves: rhbz#2165258
This commit is contained in:
parent
be98c83e8d
commit
df4b0fde9e
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@
|
|||||||
/clevis-16.tar.xz
|
/clevis-16.tar.xz
|
||||||
/clevis-17.tar.xz
|
/clevis-17.tar.xz
|
||||||
/clevis-18.tar.xz
|
/clevis-18.tar.xz
|
||||||
|
/clevis-19.tar.xz
|
||||||
|
@ -1,47 +0,0 @@
|
|||||||
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Mon, 3 May 2021 22:36:36 -0300
|
|
||||||
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
|
|
||||||
|
|
||||||
Different OpenSSL versions define BN_zero() differently -- sometimes
|
|
||||||
returning an integer, sometimes as void --, so let's use instead
|
|
||||||
BN_set_word() instead, not to have issues when building with these
|
|
||||||
different versions.
|
|
||||||
---
|
|
||||||
src/pins/sss/sss.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
|
|
||||||
index a37215d..7486d6c 100644
|
|
||||||
--- a/src/pins/sss/sss.c
|
|
||||||
+++ b/src/pins/sss/sss.c
|
|
||||||
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
|
|
||||||
if (BN_rand_range(xx, pp) <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- if (BN_zero(yy) <= 0)
|
|
||||||
+ if (BN_set_word(yy, 0) <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
for (size_t i = 0; i < json_array_size(e); i++) {
|
|
||||||
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
|
|
||||||
if (!ctx || !pp || !acc || !tmp || !k)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- if (BN_zero(k) <= 0)
|
|
||||||
+ if (BN_set_word(k, 0) <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
len = jose_b64_dec(p, NULL, 0);
|
|
||||||
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
|
|
||||||
|
|
||||||
/* acc *= (0 - xi) / (xo - xi) */
|
|
||||||
|
|
||||||
- if (BN_zero(tmp) <= 0)
|
|
||||||
+ if (BN_set_word(tmp, 0) <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 2a16458622be983aba3762079d7a72383bd8be02 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Correia <scorreia@redhat.com>
|
|
||||||
Date: Fri, 29 Oct 2021 10:58:26 -0300
|
|
||||||
Subject: [PATCH 2/2] systemd: account for unlocking failures in
|
|
||||||
clevis-luks-askpass
|
|
||||||
|
|
||||||
As unlock may fail for some reason, e.g. the network is not up yet,
|
|
||||||
one way cause problems would be to add extra `rd.luks.uuid' params
|
|
||||||
to the cmdline, which would then cause such devices to be unlocked
|
|
||||||
in early boot. If the unlocking fail, those devices might not be
|
|
||||||
accounted for in the clevis_devices_to_unlock() check, as it is
|
|
||||||
based on crypttab.
|
|
||||||
|
|
||||||
Let's make sure there are no pending ask.* sockets waiting to be
|
|
||||||
answered, before exiting.
|
|
||||||
|
|
||||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
|
|
||||||
---
|
|
||||||
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
|
|
||||||
index 8f54859..a6699c9 100755
|
|
||||||
--- a/src/luks/systemd/clevis-luks-askpass.in
|
|
||||||
+++ b/src/luks/systemd/clevis-luks-askpass.in
|
|
||||||
@@ -67,8 +67,11 @@ while true; do
|
|
||||||
done
|
|
||||||
|
|
||||||
[ "${loop}" != true ] && break
|
|
||||||
+
|
|
||||||
# Checking for pending devices to be unlocked.
|
|
||||||
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
|
|
||||||
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
|
|
||||||
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
|
|
||||||
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
|
|
||||||
break;
|
|
||||||
fi
|
|
||||||
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
@ -1,213 +0,0 @@
|
|||||||
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Murdaca <runcom@linux.com>
|
|
||||||
Date: Wed, 1 Dec 2021 14:17:53 +0100
|
|
||||||
Subject: [PATCH 6/6] feat: rename the test pin to null pin
|
|
||||||
|
|
||||||
Signed-off-by: Antonio Murdaca <runcom@linux.com>
|
|
||||||
---
|
|
||||||
src/initramfs-tools/hooks/clevis.in | 1 +
|
|
||||||
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
|
|
||||||
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
|
|
||||||
src/luks/systemd/dracut/meson.build | 1 +
|
|
||||||
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
|
|
||||||
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
|
|
||||||
src/pins/sss/meson.build | 5 +++-
|
|
||||||
src/pins/sss/{pin-test => pin-null} | 4 +--
|
|
||||||
src/pins/sss/pin-sss | 12 ++++----
|
|
||||||
9 files changed, 60 insertions(+), 13 deletions(-)
|
|
||||||
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
|
|
||||||
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
|
||||||
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
|
|
||||||
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
|
|
||||||
rename src/pins/sss/{pin-test => pin-null} (53%)
|
|
||||||
|
|
||||||
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
|
|
||||||
index 7e6d2b3..8d60d05 100755
|
|
||||||
--- a/src/initramfs-tools/hooks/clevis.in
|
|
||||||
+++ b/src/initramfs-tools/hooks/clevis.in
|
|
||||||
@@ -58,6 +58,7 @@ fi
|
|
||||||
|
|
||||||
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
|
|
||||||
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
|
|
||||||
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
|
|
||||||
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
|
|
||||||
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
|
|
||||||
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
|
|
||||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..107e3ba
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
|
||||||
@@ -0,0 +1,14 @@
|
|
||||||
+dracut = dependency('dracut', required: false)
|
|
||||||
+
|
|
||||||
+if dracut.found()
|
|
||||||
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
|
|
||||||
+
|
|
||||||
+ configure_file(
|
|
||||||
+ input: 'module-setup.sh.in',
|
|
||||||
+ output: 'module-setup.sh',
|
|
||||||
+ install_dir: dracutdir,
|
|
||||||
+ configuration: data,
|
|
||||||
+ )
|
|
||||||
+else
|
|
||||||
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
|
|
||||||
+endif
|
|
||||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..6a16078
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
|
||||||
@@ -0,0 +1,28 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2016 Red Hat, Inc.
|
|
||||||
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
|
|
||||||
+#
|
|
||||||
+# This program is free software: you can redistribute it and/or modify
|
|
||||||
+# it under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
+# (at your option) any later version.
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful,
|
|
||||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+# GNU General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+depends() {
|
|
||||||
+ echo clevis
|
|
||||||
+ return 0
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+install() {
|
|
||||||
+ inst clevis-decrypt-null
|
|
||||||
+}
|
|
||||||
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
|
|
||||||
index fdb264b..7ad5b14 100644
|
|
||||||
--- a/src/luks/systemd/dracut/meson.build
|
|
||||||
+++ b/src/luks/systemd/dracut/meson.build
|
|
||||||
@@ -2,3 +2,4 @@ subdir('clevis')
|
|
||||||
subdir('clevis-pin-tang')
|
|
||||||
subdir('clevis-pin-tpm2')
|
|
||||||
subdir('clevis-pin-sss')
|
|
||||||
+subdir('clevis-pin-null')
|
|
||||||
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
|
|
||||||
similarity index 88%
|
|
||||||
rename from src/pins/sss/clevis-decrypt-test
|
|
||||||
rename to src/pins/sss/clevis-decrypt-null
|
|
||||||
index f0e9249..a6217ed 100755
|
|
||||||
--- a/src/pins/sss/clevis-decrypt-test
|
|
||||||
+++ b/src/pins/sss/clevis-decrypt-null
|
|
||||||
@@ -22,11 +22,11 @@
|
|
||||||
|
|
||||||
read -r -d . hdr
|
|
||||||
|
|
||||||
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
|
|
||||||
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
|
|
||||||
echo "JWE pin mismatch!" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
|
|
||||||
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
|
|
||||||
|
|
||||||
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
|
|
||||||
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
|
|
||||||
similarity index 90%
|
|
||||||
rename from src/pins/sss/clevis-encrypt-test
|
|
||||||
rename to src/pins/sss/clevis-encrypt-null
|
|
||||||
index bd2d6ec..af182a5 100755
|
|
||||||
--- a/src/pins/sss/clevis-encrypt-test
|
|
||||||
+++ b/src/pins/sss/clevis-encrypt-null
|
|
||||||
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
|
|
||||||
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
|
|
||||||
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
|
|
||||||
|
|
||||||
if ! jose fmt -j "$cfg" -g fail -T; then
|
|
||||||
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
|
|
||||||
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|
|
||||||
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
|
|
||||||
index 7f20eea..2a5295a 100644
|
|
||||||
--- a/src/pins/sss/meson.build
|
|
||||||
+++ b/src/pins/sss/meson.build
|
|
||||||
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
|
|
||||||
separator: ':'
|
|
||||||
)
|
|
||||||
|
|
||||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
|
|
||||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
|
|
||||||
+
|
|
||||||
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
|
|
||||||
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
|
|
||||||
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
|
|
||||||
else
|
|
||||||
warning('Will not install sss pin due to missing dependencies!')
|
|
||||||
endif
|
|
||||||
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
|
|
||||||
similarity index 53%
|
|
||||||
rename from src/pins/sss/pin-test
|
|
||||||
rename to src/pins/sss/pin-null
|
|
||||||
index 50c8c67..b14ac63 100755
|
|
||||||
--- a/src/pins/sss/pin-test
|
|
||||||
+++ b/src/pins/sss/pin-null
|
|
||||||
@@ -2,9 +2,9 @@
|
|
||||||
|
|
||||||
trap 'exit' ERR
|
|
||||||
|
|
||||||
-e="$(echo -n hi | clevis encrypt test '{}')"
|
|
||||||
+e="$(echo -n hi | clevis encrypt null '{}')"
|
|
||||||
d="$(echo -n "$e" | clevis decrypt)"
|
|
||||||
test "$d" == "hi"
|
|
||||||
|
|
||||||
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
|
|
||||||
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
|
|
||||||
! echo "$e" | clevis decrypt
|
|
||||||
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
|
|
||||||
index 5c0b8cf..24da052 100755
|
|
||||||
--- a/src/pins/sss/pin-sss
|
|
||||||
+++ b/src/pins/sss/pin-sss
|
|
||||||
@@ -1,24 +1,24 @@
|
|
||||||
#!/bin/bash -ex
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
|
|
||||||
d="$(echo "$e" | clevis decrypt)"
|
|
||||||
test "$d" == "hi"
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
|
|
||||||
d="$(echo "$e" | clevis decrypt)"
|
|
||||||
test "$d" == "hi"
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
|
||||||
! echo "$e" | clevis decrypt
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
|
|
||||||
d="$(echo "$e" | clevis decrypt)"
|
|
||||||
test "$d" == "hi"
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
|
|
||||||
! echo "$e" | clevis decrypt
|
|
||||||
|
|
||||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
|
||||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
|
||||||
! echo "$e" | clevis decrypt
|
|
||||||
|
|
||||||
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
@ -1,357 +0,0 @@
|
|||||||
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18.new/src/luks/clevis-luks-bind 2022-12-01 12:16:36.564185792 +0100
|
|
||||||
@@ -25,7 +25,7 @@
|
|
||||||
usage() {
|
|
||||||
exec >&2
|
|
||||||
echo
|
|
||||||
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
|
|
||||||
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
|
|
||||||
echo
|
|
||||||
echo "$SUMMARY":
|
|
||||||
echo
|
|
||||||
@@ -42,6 +42,8 @@
|
|
||||||
echo " -k KEY Non-interactively read LUKS password from KEY file"
|
|
||||||
echo " -k - Non-interactively read LUKS password from standard input"
|
|
||||||
echo
|
|
||||||
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
|
|
||||||
+ echo
|
|
||||||
exit 2
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -52,13 +54,14 @@
|
|
||||||
|
|
||||||
FRC=
|
|
||||||
YES=
|
|
||||||
-while getopts ":hfyd:s:k:t:" o; do
|
|
||||||
+while getopts ":hfyd:s:k:t:e:" o; do
|
|
||||||
case "$o" in
|
|
||||||
f) FRC='-f';;
|
|
||||||
d) DEV="$OPTARG";;
|
|
||||||
s) SLT="$OPTARG";;
|
|
||||||
k) KEY="$OPTARG";;
|
|
||||||
t) TOKEN_ID="$OPTARG";;
|
|
||||||
+ e) EXISTING_TOKEN_ID="$OPTARG";;
|
|
||||||
y) FRC='-f'
|
|
||||||
YES='-y';;
|
|
||||||
*) usage;;
|
|
||||||
@@ -99,11 +102,20 @@
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
|
|
||||||
+ echo "Existing token ID not supported in this cryptsetup version" >&2
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
# Get the existing passphrase/keyfile.
|
|
||||||
existing_key=
|
|
||||||
keyfile=
|
|
||||||
case "${KEY}" in
|
|
||||||
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
|
|
||||||
+ "")
|
|
||||||
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
|
|
||||||
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
|
|
||||||
+ fi
|
|
||||||
+ ;;
|
|
||||||
-) IFS= read -r -s -p "" existing_key ||:
|
|
||||||
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
|
|
||||||
&& [ -z "${FRC}" ]; then
|
|
||||||
@@ -119,6 +131,13 @@
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
+# Check if existing token id for keyring read is provided
|
|
||||||
+# If so, keyfile is not allowed
|
|
||||||
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
|
|
||||||
+ echo "Cannot specify kernel keyring description together with key file" >&2
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
# If necessary, initialize the LUKS volume.
|
|
||||||
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
|
|
||||||
luksmeta init -d "${DEV}" ${FRC}
|
|
||||||
@@ -127,7 +146,7 @@
|
|
||||||
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
|
|
||||||
"${PIN}" "${CFG}" \
|
|
||||||
"${YES}" "" \
|
|
||||||
- "${existing_key}" "${keyfile}"; then
|
|
||||||
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
|
|
||||||
echo "Error adding new binding to ${DEV}" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18.new/src/luks/clevis-luks-bind.1.adoc 2022-12-01 12:17:23.877527175 +0100
|
|
||||||
@@ -9,7 +9,7 @@
|
|
||||||
|
|
||||||
== SYNOPSIS
|
|
||||||
|
|
||||||
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
|
|
||||||
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
|
|
||||||
|
|
||||||
== OVERVIEW
|
|
||||||
|
|
||||||
@@ -54,6 +54,12 @@
|
|
||||||
* *-k* - :
|
|
||||||
Non-interactively read LUKS password from standard input
|
|
||||||
|
|
||||||
+* *-e* _E_TKN_ID_ :
|
|
||||||
+ LUKS token ID for existing passphrase; only available for LUKS2.
|
|
||||||
+ This parameter allows providing a configured token ID in LUKS2
|
|
||||||
+ containing the existing passphrase for this device, so that
|
|
||||||
+ existing passphrase is not prompted by clevis
|
|
||||||
+
|
|
||||||
== CAVEATS
|
|
||||||
|
|
||||||
This command does not change the LUKS master key. This implies that if you
|
|
||||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18.new/src/luks/clevis-luks-common-functions.in 2022-12-01 12:22:36.600783564 +0100
|
|
||||||
@@ -292,9 +292,10 @@
|
|
||||||
local KEY="${2:-}"
|
|
||||||
local KEYFILE="${3:-}"
|
|
||||||
local SLT="${4:-}"
|
|
||||||
+ local EXISTING_TOKEN_ID="${5:-}"
|
|
||||||
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
|
|
||||||
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
|
|
||||||
|
|
||||||
local extra_args
|
|
||||||
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
|
|
||||||
@@ -303,6 +304,11 @@
|
|
||||||
${extra_args}
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
|
||||||
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
|
|
||||||
+ ${extra_args}
|
|
||||||
+ return
|
|
||||||
+ fi
|
|
||||||
|
|
||||||
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
|
|
||||||
${extra_args}
|
|
||||||
@@ -734,10 +740,11 @@
|
|
||||||
local NEWKEY="${3}"
|
|
||||||
local KEY="${4}"
|
|
||||||
local KEYFILE="${5:-}"
|
|
||||||
+ local EXISTING_TOKEN_ID="${6:-}"
|
|
||||||
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
[ -z "${NEWKEY}" ] && return 1
|
|
||||||
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
|
|
||||||
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
|
|
||||||
|
|
||||||
local extra_args='' input
|
|
||||||
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
|
|
||||||
@@ -745,6 +752,10 @@
|
|
||||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
|
||||||
input="$(printf '%s' "${NEWKEY}")"
|
|
||||||
fi
|
|
||||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
|
||||||
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
|
||||||
+ input="$(printf '%s' "${NEWKEY}")"
|
|
||||||
+ fi
|
|
||||||
|
|
||||||
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
|
||||||
--key-slot "${SLT}" \
|
|
||||||
@@ -759,6 +770,7 @@
|
|
||||||
local NEWKEY="${3}"
|
|
||||||
local KEY="${4}"
|
|
||||||
local KEYFILE="${5:-}"
|
|
||||||
+ local EXISTING_TOKEN_ID="${6:-}"
|
|
||||||
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
[ -z "${NEWKEY}" ] && return 1
|
|
||||||
@@ -768,7 +780,7 @@
|
|
||||||
local in_place
|
|
||||||
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
|
|
||||||
"${KEY}" "${KEYFILE}" \
|
|
||||||
- "${SLT}" 2>/dev/null \
|
|
||||||
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
|
|
||||||
&& in_place=true
|
|
||||||
|
|
||||||
local input extra_args=
|
|
||||||
@@ -777,6 +789,10 @@
|
|
||||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
|
||||||
input="$(printf '%s' "${NEWKEY}")"
|
|
||||||
fi
|
|
||||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
|
||||||
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
|
||||||
+ input="$(printf '%s' "${NEWKEY}")"
|
|
||||||
+ fi
|
|
||||||
|
|
||||||
if [ -n "${in_place}" ]; then
|
|
||||||
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
|
|
||||||
@@ -803,6 +819,7 @@
|
|
||||||
local KEY="${4}"
|
|
||||||
local KEYFILE="${5:-}"
|
|
||||||
local OVERWRITE="${6:-}"
|
|
||||||
+ local EXISTING_TOKEN_ID="${7:-}"
|
|
||||||
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
[ -z "${SLT}" ] && return 1
|
|
||||||
@@ -820,13 +837,13 @@
|
|
||||||
[ -n "${OVERWRITE}" ] || return 1
|
|
||||||
|
|
||||||
clevis_luks_update_key "${DEV}" "${SLT}" \
|
|
||||||
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
|
|
||||||
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add a new key.
|
|
||||||
clevis_luks_add_key "${DEV}" "${SLT}" \
|
|
||||||
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
|
|
||||||
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# clevis_luks_generate_key() generates a new key for use with clevis.
|
|
||||||
@@ -927,6 +944,8 @@
|
|
||||||
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
|
|
||||||
"${KEY}" \
|
|
||||||
"${KEYFILE}" \
|
|
||||||
+ "" \
|
|
||||||
+ "${EXISTING_TOKEN_ID}" \
|
|
||||||
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
|
|
||||||
"Enter existing LUKS password: " \
|
|
||||||
"recover")"; then
|
|
||||||
@@ -971,7 +990,7 @@
|
|
||||||
|
|
||||||
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
|
|
||||||
"${newkey}" "${KEY}" "${KEYFILE}" \
|
|
||||||
- "${OVERWRITE}"; then
|
|
||||||
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
|
|
||||||
echo "Unable to save/update key slot; operation cancelled" >&2
|
|
||||||
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
|
|
||||||
rm -rf "${CLEVIS_TMP_DIR}"
|
|
||||||
@@ -992,12 +1011,19 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
|
|
||||||
-# Suppor is determined at build time.
|
|
||||||
+# Support is determined at build time.
|
|
||||||
function clevis_luks_luks2_supported() {
|
|
||||||
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
|
|
||||||
return @OLD_CRYPTSETUP@
|
|
||||||
}
|
|
||||||
|
|
||||||
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
|
|
||||||
+# cryptsetup allows token id for passphrase providing
|
|
||||||
+function clevis_luks_luks2_existing_token_id_supported() {
|
|
||||||
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
|
|
||||||
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
|
|
||||||
clevis_luks_type() {
|
|
||||||
local DEV="${1}"
|
|
||||||
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18.new/src/luks/meson.build 2022-12-01 12:23:01.159960762 +0100
|
|
||||||
@@ -14,6 +14,15 @@
|
|
||||||
endif
|
|
||||||
endif
|
|
||||||
|
|
||||||
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
|
|
||||||
+if libcryptsetup_ext_token_id.found()
|
|
||||||
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
|
|
||||||
+ message('cryptsetup version supports existing token id')
|
|
||||||
+else
|
|
||||||
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
|
|
||||||
+ warning('cryptsetup version does not support existing token id')
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
clevis_luks_common_functions = configure_file(
|
|
||||||
input: 'clevis-luks-common-functions.in',
|
|
||||||
output: 'clevis-luks-common-functions',
|
|
||||||
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ clevis-18.new/src/luks/tests/bind-luks2-ext-token 2022-12-01 12:23:34.784203368 +0100
|
|
||||||
@@ -0,0 +1,74 @@
|
|
||||||
+#!/bin/bash -ex
|
|
||||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2022 Red Hat, Inc.
|
|
||||||
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
+#
|
|
||||||
+# This program is free software: you can redistribute it and/or modify
|
|
||||||
+# it under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
+# (at your option) any later version.
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful,
|
|
||||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+# GNU General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+TEST=$(basename "${0}")
|
|
||||||
+. tests-common-functions
|
|
||||||
+
|
|
||||||
+on_exit() {
|
|
||||||
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+create_existing_token_id_from_keyring() {
|
|
||||||
+ local DEV="${1}"
|
|
||||||
+ local KEYDESC="${2}"
|
|
||||||
+ local TOKEN_ID="${3}"
|
|
||||||
+ local PASS="${4}"
|
|
||||||
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
|
|
||||||
+ return 1
|
|
||||||
+ fi
|
|
||||||
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
|
|
||||||
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
|
|
||||||
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+if ! luks2_supported; then
|
|
||||||
+ skip_test "${TEST}: LUKS2 is not supported."
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if ! luks2_existing_token_id_supported; then
|
|
||||||
+ skip_test "${TEST}: Existing token ID not supported"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+trap 'on_exit' EXIT
|
|
||||||
+trap 'exit' ERR
|
|
||||||
+
|
|
||||||
+TMP="$(mktemp -d)"
|
|
||||||
+
|
|
||||||
+ADV="${TMP}/adv.jws"
|
|
||||||
+tang_create_adv "${TMP}" "${ADV}"
|
|
||||||
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
|
||||||
+
|
|
||||||
+EXISTING_TOKEN_ID=5
|
|
||||||
+KEYDESC="testkey"
|
|
||||||
+PASS="123exttokenid_"
|
|
||||||
+DEV="${TMP}/luks2-device-ext-token"
|
|
||||||
+new_device "luks2" "${DEV}" "${PASS}"
|
|
||||||
+
|
|
||||||
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
|
|
||||||
+
|
|
||||||
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
|
|
||||||
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+KEYFILE="${TMP}/keyfile.txt"
|
|
||||||
+touch "${KEYFILE}"
|
|
||||||
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
|
|
||||||
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
|
|
||||||
+fi
|
|
||||||
\ No newline at end of file
|
|
||||||
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
|
|
||||||
+++ clevis-18.new/src/luks/tests/tests-common-functions.in 2022-12-01 12:25:06.386864313 +0100
|
|
||||||
@@ -36,6 +36,12 @@
|
|
||||||
return @OLD_CRYPTSETUP@
|
|
||||||
}
|
|
||||||
|
|
||||||
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
|
|
||||||
+# Support is determined at build time.
|
|
||||||
+luks2_existing_token_id_supported() {
|
|
||||||
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
# Creates a new LUKS1 or LUKS2 device to be used.
|
|
||||||
new_device() {
|
|
||||||
local LUKS="${1}"
|
|
@ -1,42 +0,0 @@
|
|||||||
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18/src/clevis.1.adoc 2022-12-16 11:25:48.407264932 +0100
|
|
||||||
@@ -101,7 +101,7 @@
|
|
||||||
|
|
||||||
This command performs four steps:
|
|
||||||
|
|
||||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
|
||||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
|
||||||
2. Encrypts the new key with Clevis.
|
|
||||||
3. Stores the Clevis JWE in the LUKS header.
|
|
||||||
4. Enables the new key for use with LUKS.
|
|
||||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-12-16 11:23:23.982459214 +0100
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 14:39:32.694114153 +0100
|
|
||||||
@@ -852,6 +852,7 @@
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
|
|
||||||
local dump filter bits
|
|
||||||
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
|
|
||||||
dump=$(cryptsetup luksDump "${DEV}")
|
|
||||||
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
|
||||||
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
|
||||||
@@ -863,6 +864,9 @@
|
|
||||||
fi
|
|
||||||
|
|
||||||
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
|
||||||
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
|
||||||
+ bits="${MAX_ENTROPY_BITS}"
|
|
||||||
+ fi
|
|
||||||
pwmake "${bits}"
|
|
||||||
}
|
|
||||||
|
|
||||||
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2022-12-16 11:23:23.982459214 +0100
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-12-16 14:41:33.502788100 +0100
|
|
||||||
@@ -20,7 +20,7 @@
|
|
||||||
|
|
||||||
This command performs four steps:
|
|
||||||
|
|
||||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
|
||||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
|
||||||
2. Encrypts the new key with Clevis.
|
|
||||||
3. Stores the Clevis JWE in the LUKS header.
|
|
||||||
4. Enables the new key for use with LUKS.
|
|
@ -1,16 +0,0 @@
|
|||||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-12-16 11:23:23.982459214 +0100
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 11:35:54.206644525 +0100
|
|
||||||
@@ -399,7 +399,12 @@
|
|
||||||
clevis_devices=
|
|
||||||
|
|
||||||
# Build list of devices to unlock.
|
|
||||||
- while read -r _ crypt_device _; do
|
|
||||||
+ while read -r _volname_ crypt_device _; do
|
|
||||||
+ # skip empty lines and lines which begin with the '#' char, per
|
|
||||||
+ # crypttab(5)
|
|
||||||
+ case $_volname_ in
|
|
||||||
+ ''|\#*) continue ;;
|
|
||||||
+ esac
|
|
||||||
if ! dev=$(clevis_map_device "${crypt_device}") \
|
|
||||||
|| [ -z "${dev}" ]; then
|
|
||||||
# Unable to get the device - maybe it's not available, e.g. a
|
|
@ -1,11 +0,0 @@
|
|||||||
--- clevis-18.0006/src/luks/clevis-luks-common-functions.in 2022-12-16 11:51:32.856881018 +0100
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 11:53:09.717421379 +0100
|
|
||||||
@@ -410,7 +410,7 @@
|
|
||||||
# Unable to get the device - maybe it's not available, e.g. a
|
|
||||||
# device on a volume group that has not been activated yet.
|
|
||||||
# Add it to the list anyway, since it's a pending device.
|
|
||||||
- clevis_devices="${clevis_devices} ${dev}"
|
|
||||||
+ clevis_devices="${clevis_devices} ${crypt_device}"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
|||||||
--- clevis-18.0007/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
|
|
||||||
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-12-16 11:55:59.187366809 +0100
|
|
||||||
@@ -99,10 +99,10 @@
|
|
||||||
|
|
||||||
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
|
|
||||||
|
|
||||||
-url="$url/rec/$kid"
|
|
||||||
+rec_url="$url/rec/$kid"
|
|
||||||
ct="Content-Type: application/jwk+json"
|
|
||||||
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
|
|
||||||
- echo "Error communicating with the server!" >&2
|
|
||||||
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
|
|
||||||
+ echo "Error communicating with server $url!" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
--- clevis-18.0008/src/luks/clevis-luks-common-functions.in 2022-12-16 11:59:17.972475773 +0100
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-12-16 12:05:07.214424096 +0100
|
|
||||||
@@ -319,6 +319,7 @@
|
|
||||||
clevis_luks_unlock_device_by_slot() {
|
|
||||||
local DEV="${1}"
|
|
||||||
local SLT="${2}"
|
|
||||||
+ local SKIP_CHECK="${3}"
|
|
||||||
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
[ -z "${SLT}" ] && return 1
|
|
||||||
@@ -334,7 +335,9 @@
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
|
||||||
+ if [ -z "${SKIP_CHECK}" ]; then
|
|
||||||
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
|
||||||
+ fi
|
|
||||||
printf '%s' "${passphrase}"
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -342,6 +345,8 @@
|
|
||||||
# parameter and returns the decoded passphrase.
|
|
||||||
clevis_luks_unlock_device() {
|
|
||||||
local DEV="${1}"
|
|
||||||
+ local SKIP_CHECK="YES"
|
|
||||||
+
|
|
||||||
[ -z "${DEV}" ] && return 1
|
|
||||||
|
|
||||||
local used_slots
|
|
||||||
@@ -352,7 +357,7 @@
|
|
||||||
|
|
||||||
local slt pt
|
|
||||||
for slt in ${used_slots}; do
|
|
||||||
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
|
|
||||||
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|
|
||||||
|| [ -z "${pt}" ]; then
|
|
||||||
continue
|
|
||||||
fi
|
|
@ -1,17 +0,0 @@
|
|||||||
--- clevis-18.0009/src/pins/tpm2/clevis-decrypt-tpm2 2021-04-15 13:00:19.969067600 +0200
|
|
||||||
+++ clevis-18/src/pins/tpm2/clevis-decrypt-tpm2 2022-12-16 12:22:51.788363059 +0100
|
|
||||||
@@ -99,12 +99,12 @@
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! jwk_pub="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_pub -Su- <<< "$jhd")"; then
|
|
||||||
- echo "JWE missing required 'key' header parameter!" >&2
|
|
||||||
+ echo "JWE missing required 'jwk_pub' header parameter!" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! jwk_priv="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- <<< "$jhd")"; then
|
|
||||||
- echo "JWE missing required 'key' header parameter!" >&2
|
|
||||||
+ echo "JWE missing required 'jwk_priv' header parameter!" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
--- clevis-18.0010/src/clevis 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18/src/clevis 2022-12-16 12:29:15.122501596 +0100
|
|
||||||
@@ -27,6 +27,8 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd=clevis
|
|
||||||
+input_commands="$cmd $@"
|
|
||||||
+
|
|
||||||
while [ $# -gt 0 ]; do
|
|
||||||
[[ "$1" =~ ^- ]] && break
|
|
||||||
cmd="$cmd-$1"
|
|
||||||
@@ -36,8 +38,11 @@
|
|
||||||
done
|
|
||||||
|
|
||||||
exec >&2
|
|
||||||
-echo
|
|
||||||
-echo "Command '$cmd' is invalid"
|
|
||||||
+if [ "$cmd" != "clevis" ];
|
|
||||||
+then
|
|
||||||
+ echo
|
|
||||||
+ echo "Command '$input_commands' is invalid"
|
|
||||||
+fi
|
|
||||||
echo
|
|
||||||
echo "Usage: clevis COMMAND [OPTIONS]"
|
|
||||||
echo
|
|
@ -1,11 +0,0 @@
|
|||||||
--- clevis-18.0011/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
|
|
||||||
+++ clevis-18/src/luks/clevis-luks-edit 2022-12-16 12:32:42.350657681 +0100
|
|
||||||
@@ -173,7 +173,7 @@
|
|
||||||
|
|
||||||
echo "Updating binding..."
|
|
||||||
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
|
|
||||||
- "-y" "overwrite" 2>/dev/null; then
|
|
||||||
+ "-y" "overwrite"; then
|
|
||||||
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
15
clevis.spec
15
clevis.spec
@ -1,5 +1,5 @@
|
|||||||
Name: clevis
|
Name: clevis
|
||||||
Version: 18
|
Version: 19
|
||||||
Release: %autorelease
|
Release: %autorelease
|
||||||
Summary: Automated decryption framework
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
@ -8,19 +8,6 @@ URL: https://github.com/latchset/%{name}
|
|||||||
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
|
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
|
||||||
Source1: clevis.sysusers
|
Source1: clevis.sysusers
|
||||||
|
|
||||||
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
|
|
||||||
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
|
|
||||||
Patch0003: 0003-feat-rename-the-test-pin-to-null-pin.patch
|
|
||||||
Patch0004: 0004-clevis-external-token-id.patch
|
|
||||||
Patch0005: 0005-luks-define-max-entropy-bits-for-pwmake.patch
|
|
||||||
Patch0006: 0006-luks-ignore-empty-and-comment-lines-in-crypttab.patch
|
|
||||||
Patch0007: 0007-luks-fix-typo-when-adding-a-pending-device.patch
|
|
||||||
Patch0008: 0008-notify-error-url-on-server-connect-fail.patch
|
|
||||||
Patch0009: 0009-improve-boot-performance-by-removing-key-check.patch
|
|
||||||
Patch0010: 0010-fix-typo-in-error-messages.patch
|
|
||||||
Patch0011: 0011-avoid-invalid-message-for-clevis-command.patch
|
|
||||||
Patch0012: 0012-luks-edit-remove-unnecessary-2-dev-null.patch
|
|
||||||
|
|
||||||
BuildRequires: git-core
|
BuildRequires: git-core
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: meson
|
BuildRequires: meson
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (clevis-18.tar.xz) = 2385b49f63b8237d44b3790560cd74372d598fd3728945ac11278c09e1e1583bea279eeff43c4fd57b0530a66c532ebfa7eb7f11da9732a50da80389e45ed1d1
|
SHA512 (clevis-19.tar.xz) = a4d1545dad8a70579f5f2a3992b71f1034df57386a8881c04cf1552394ad1aa1e39d38ac16312d8b61073b3bd462fe9032b29b68580cd3c50913cc5a77e32029
|
||||||
|
Loading…
Reference in New Issue
Block a user