From f1602f07a2f5bd65a88eccc8a2270e8f1234d93a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 8 Nov 2022 01:49:19 -0500
Subject: [PATCH] import clevis-15-11.el8
---
 SOURCES/0010-avoid-clevis-invalid-msg.patch | 24 +++++++++
 ...ot-performance-by-removing-key-check.patch | 53 +++++++++++++++++++
 SPECS/clevis.spec | 29 ++++++----
 3 files changed, 95 insertions(+), 11 deletions(-)
 create mode 100644 SOURCES/0010-avoid-clevis-invalid-msg.patch
 create mode 100644 SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
diff --git a/SOURCES/0010-avoid-clevis-invalid-msg.patch b/SOURCES/0010-avoid-clevis-invalid-msg.patch
new file mode 100644
index 0000000..bf86dec
--- /dev/null
+++ b/SOURCES/0010-avoid-clevis-invalid-msg.patch
@@ -0,0 +1,24 @@
+--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
+@@ -27,6 +27,7 @@
+ }
+
+ cmd=clevis
++input_commands="$cmd $@"
+ while [ $# -gt 0 ]; do
+ [[ "$1" =~ ^- ]] && break
+ cmd="$cmd-$1"
+@@ -36,8 +37,11 @@
+ done
+
+ exec >&2
+-echo
+-echo "Command '$cmd' is invalid"
++if [ "$cmd" != "clevis" ];
++then
++ echo
++ echo "Command '$input_commands' is invalid"
++fi
+ echo
+ echo "Usage: clevis COMMAND [OPTIONS]"
+ echo
diff --git a/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch b/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
new file mode 100644
index 0000000..8d0a70a
--- /dev/null
+++ b/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
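Review bot: The added `input_commands="$cmd $@"` depends on bash joining `$@` with spaces inside a scalar assignment; `input_commands="$cmd $*"` states that intent directly and is the form ShellCheck expects for a string assignment. The new message also reproduces every command-line argument verbatim on stderr, where the old one printed only the derived `$cmd` name, so whatever a caller passed now appears in the usage error; a one-line comment such as `# the full argv is echoed in the error message below` would make that deliberate. The nested patch lines on this page have lost their leading whitespace, so the indentation of the `echo` lines under `then` cannot be checked here, and the rest of the usage block lies outside the inner hunk.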
@@ -0,0 +1,53 @@
+From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi
+Date: Tue, 2 Aug 2022 11:07:00 -0300
+Subject: [PATCH] Improve boot performance by removing key check
+
+---
+ src/luks/clevis-luks-common-functions | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 038cc37..950f217 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
+ clevis_luks_unlock_device_by_slot() {
+ local DEV="${1}"
+ local SLT="${2}"
++ local SKIP_CHECK="${3}"
+
+ [ -z "${DEV}" ] && return 1
+ [ -z "${SLT}" ] && return 1
+@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
+ return 1
+ fi
+
+- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
++ if [ -z "${SKIP_CHECK}" ]; then
++ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
++ fi
+ printf '%s' "${passphrase}"
+ }
+
+@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
+ # parameter and returns the decoded passphrase.
+ clevis_luks_unlock_device() {
+ local DEV="${1}"
++ local SKIP_CHECK="YES"
++
+ [ -z "${DEV}" ] && return 1
+
+ local used_slots
+@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
+
+ local slt pt
+ for slt in ${used_slots}; do
+- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
++ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
+ || [ -z "${pt}" ]; then
+ continue
+ fi
+--
+2.35.1
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index df4282e..c63c7b3 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@ Name: clevis
 Version: 15
-Release: 8%{?dist}
+Release: 11%{?dist}
 Summary: Automated decryption framework
 License: GPLv3+
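Review bot: `clevis_luks_unlock_device` hard-codes `local SKIP_CHECK="YES"`, so the passphrase it returns is no longer validated against the device, and a slot whose pin still decrypts but holds a stale passphrase is now returned instead of skipped; before this change the failed check made the `for slt in ${used_slots}` loop `continue` to the next slot, and what happens after the loop on success is outside the hunk. Whether that regresses multi-slot setups depends on whether the caller retries with another slot on a wrong passphrase, which cannot be seen here. Making the skip opt-in keeps the fast boot path while leaving the old behaviour available to other callers: `local SKIP_CHECK="${2-YES}"` as a second parameter of `clevis_luks_unlock_device` (no colon, so an explicit empty argument re-enables the check). The new third parameter of `clevis_luks_unlock_device_by_slot` is undocumented; a comment above it such as `# $3: when non-empty, the passphrase is returned without being checked against the device` and a matching sentence in the `# ... returns the decoded passphrase.` comment above `clevis_luks_unlock_device` would record the weaker contract.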
@@ -18,6 +18,8 @@ Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
 Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
 Patch0008: 0008-tang-dump-url-on-error-communication.patch
 Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
+Patch0010: 0010-avoid-clevis-invalid-msg.patch
+Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
 BuildRequires: git
 BuildRequires: gcc
@@ -53,6 +55,7 @@ Requires: jose >= 8
 Requires: curl
 Requires: jq
 Requires(pre): shadow-utils
+Requires(post): systemd
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -138,16 +141,8 @@ if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
 fi
 exit 0
-%posttrans
-# In case clevis-luks-askpass is enabled, make sure it's using the
-# correct target, which changed in v14.
-[ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0
-find /etc/systemd/system/ -name "clevis-luks-askpass*" \
- | grep -q cryptsetup.target.wants && exit 0
-
-find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} +
-systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || :
-exit 0
+%post systemd
+systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %files
 %license COPYING
@@ -205,6 +200,18 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 %changelog
+* Tue Aug 02 2022 Sergio Arroutbi - 15-11
+- Start clevis-luks-askpass.path service according to global policy
+ Resolves: rhbz#2107081
+
+* Thu Jul 21 2022 Sergio Arroutbi - 15-10
+- Improve boot performance by removing key check
+ Resolves: rhbz#2099748
+
+* Wed Jun 22 2022 Sergio Arroutbi - 15-9
+- Avoid invalid message for clevis command
+ Resolves: rhbz#2099325
+
 * Wed Jan 26 2022 Sergio Correia - 15-8
 - Support a null pin
 Resolves: rhbz#2028096
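Review bot: The new `%post systemd` runs `systemctl preset` on every install and upgrade of the subpackage, so an upgrade re-applies the distribution preset and can undo an administrator's explicit `systemctl disable` of `clevis-luks-askpass.path`; `%systemd_post %{name}-luks-askpass.path` applies the preset only on first install (`$1 -eq 1`) and is the usual idiom for this. Related, the `@@ -53,6 +55,7 @@` hunk adds `Requires(post): systemd` to the main package preamble (it precedes the bare `%description`), whereas the scriptlet belongs to the `systemd` subpackage, so unless `%package systemd` already declares it, that subpackage should carry `%{?systemd_requires}` or the `Requires(post)` instead. The removed `%posttrans` block also cleaned up `clevis-luks-askpass*` links left under the pre-v14 `cryptsetup.target.wants` location, which `systemctl preset` is unlikely to touch on a system upgrading straight from such a release; a comment or changelog line stating that the migration is intentionally dropped would spare the next maintainer from rediscovering this.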