Commit Graph

73 Commits

Author SHA1 Message Date
Sergio Arroutbi
1c694a08aa TPM2 use first PCR algorithm bank supported by TPM
Resolves: #RHEL-65469

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-11-05 16:19:26 +01:00
Sergio Arroutbi
18a84f13b2 Split PKCS#11 files into clevis-pin-pkcs11 package
Resolves: #RHEL-62072

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-10-18 11:11:05 +00:00
Sergio Arroutbi
8a9b4eb00d Fix clevis v21 tang functionality at boot time
Resolves: #RHEL-61661

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-10-09 12:20:42 +02:00
Sergio Arroutbi
9ceb9926a0 Fix clevis v21 tang functionality at boot time
Resolves: #RHEL-61186

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-10-01 17:25:46 +02:00
Sergio Arroutbi
205a7189bd Rebase to clevis-21 upstream version
Resolves: RHEL-60113

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-09-26 15:03:23 +02:00
Sergio Arroutbi
a9afd51906 Rebase to clevis-20 upstream version
Resolves: RHEL-29279

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2024-05-21 10:10:50 +02:00
Sergio Arroutbi
c1f7a45957 Migrate to SPDX like licensing
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2023-05-31 12:06:33 +02:00
Sergio Arroutbi
0318ae55d0 Include LUKSv2 volumes in description
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2023-02-28 20:41:52 +01:00
Sergio Correia
df4b0fde9e Update to latest upstream version, v19
Resolves: rhbz#2165258
2023-02-01 23:24:50 -03:00
Sergio Arroutbi
b7dbfb6f3e Backport upstream fixes
6e48a1c: luks-edit: remove unnecessary 2>/dev/null
3f879a3: Avoid invalid message for clevis command
e0e92f8: Fix typo in error messages
47b01ab: Improve boot performance by removing key check
f5786d3: Notify error url on server connect fail
f621575: luks: fix typo when adding a pending device
0589c14: luks: ignore empty & comment lines in crypttab
3bb852b: luks: define max entropy bits for pwmake

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2022-12-16 14:45:23 +01:00
Sergio Arroutbi
594feccd06 External token id parameter
This change introduces new parameter "-e", that
allows specifying an existing token ID to avoid
having to provide an existing passphrase and
use an already configured LUKS2 token ID to read it

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2022-12-09 12:12:31 +01:00
Sergio Correia
2efddf72e8 Opt into %autorelease/%autochangelog 2022-08-05 16:54:37 -03:00
Luca BRUNO
94157136c2 clevis: simplify sysusers.d fragment by using default 'nologin' shell
This tweaks the existing sysuser.d fragment in order to simplify it.
The 'nologin' shell is the documented systemd default, so there is
no need to explicitly specify it.
This change allows better handling of default vs custom shell in the
macro logic which bridges between `systemd-sysusers` and `useradd`.
2022-08-05 09:32:00 +00:00
Fedora Release Engineering
3eb26d224b Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-20 23:04:49 +00:00
Sergio Arroutbi
e4d2e989a6 Support a null pin
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2022-07-08 15:46:15 +02:00
Sergio Arroutbi
fb2f34f129 Apply systemd-preset in clevis-systemd postinstall
This change calls "systemd preset" command after
clevis-systemd postinstall, so that it applies
distro global policies after installation, allowing
to start the service when global policies indicate so

Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
2022-06-28 15:49:54 +02:00
Fedora Release Engineering
1b2bdf29ff - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-19 23:21:01 +00:00
Sergio Correia
93af905e1f Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#1878892
2021-10-29 12:10:03 -03:00
Sahana Prasad
2fc1533e5b Rebuilt with OpenSSL 3.0.0 2021-09-14 18:59:34 +02:00
Fedora Release Engineering
9a0b8d7fad - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-21 19:34:39 +00:00
Sergio Correia
7df4966cc9 Port to OpenSSL 3
Backport of upstream commit (ee1dfedb)
2021-05-07 09:14:44 -03:00
Sergio Correia
22efa77106 Update to latest upstream version, v18 2021-04-15 08:18:36 -03:00
Sergio Correia
bf943bd577 Update to latest upstream version, v17 2021-04-14 17:52:08 -03:00
Sergio Correia
accda6600e Fix for -t option in clevis luks bind
Backport upstream commit ea0d0c20
2021-03-16 10:48:57 -03:00
Sergio Correia
abb66036e6 Update to latest upstream version, v16 2021-02-09 14:53:16 -03:00
Fedora Release Engineering
79bc444333 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 02:05:10 +00:00
Luca BRUNO
2b2840995c spec: add clevis sysusers.d entry
This adds a sysusers.d entry for the package, and moves user creation
to the relevant compat macro.

Refs:
 * https://www.freedesktop.org/software/systemd/man/sysusers.d.html
 * https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
 * https://pagure.io/packaging-committee/pull-request/981
2020-12-17 10:33:25 +00:00
Peter Robinson
d1703cbd94 Upstream patch for tpm-tools 5.0 support 2020-11-23 08:15:01 +00:00
Sergio Correia
ced0ef05e5 Add jq to dependencies 2020-10-29 10:33:10 -03:00
Sergio Correia
c29e330dd8 Update to latest upstream version, v15 2020-10-28 16:23:35 -03:00
Sergio Correia
6e9ce1a014 Suppress output in %pre scriptlet when adjusting users/groups
This approach is also used in other packages, e.g., systemd.
Resolves: rhbz#1876729
2020-09-08 10:50:58 -03:00
Sergio Correia
fe15ade0e2 clevis-luks-askpass now exits cleanly with SIGTERM
Backport of upstream PR#230.
Resolves: rhbz#1876001
2020-09-08 10:50:40 -03:00
Sergio Correia
aedbfaae21 Make sure clevis-luks-askpass is using the correct path, if enabled 2020-09-08 09:37:29 -03:00
Sergio Correia
ce9256d835 Use autosetup -S git 2020-09-05 12:02:28 -03:00
Sergio Correia
c408be4b5f Update sources file with new release 2020-08-31 09:01:33 -03:00
Sergio Correia
3830667585 Update to latest upstream version, v14 2020-08-31 08:44:43 -03:00
Benjamin Gilbert
1c516e45a0 Downgrade cracklib-dicts to Recommends
It's a 10 MB dependency, and isn't needed if dictcheck = 0 in
/etc/security/pwquality.conf.
2020-08-02 15:41:05 -04:00
Fedora Release Engineering
54371165dc - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-27 14:05:14 +00:00
Sergio Correia
f809e9547c Update to latest upstream version, v13 2020-05-10 11:10:44 -03:00
Sergio Correia
01ab2d45ee List cracklib-dicts also in BuildRequires
As it's required for running some of the tests.
2020-05-07 16:08:33 -03:00
Sergio Correia
da1cc2c84c Make cracklib-dicts a regular dependency 2020-04-06 11:55:07 -03:00
Fedora Release Engineering
46bbd21faf - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-28 14:11:51 +00:00
Sergio Correia
402b5b8896 Update to new upstream version, v12 2020-01-20 13:29:15 +01:00
Sergio Correia
e9acb551d3 Handle case where we try to use a partially used luksmeta slot
In some situations, especially with older versions of clevis, we can end
up with a partially used luksmeta slot.

We can identify such slots because they will be marked as inactive, yet
they will contain the clevis UUID, "cb6e8904-81ff-40da-a84a-07ab9ab5715e".

When this situation happens, we have cryptsetup and luksmeta slots "out
of sync", and since we currently have cryptsetup choose the slot, we may
end up trying to use such a partially used slot, which in turn will fail
because luksmeta will not be able to save data to it.

We handle this case by wiping the partially used slot, if we identify
the situation will arise.

Tests also added to verify this case is handled properly.

Fixes: #70
2019-12-19 09:43:27 -03:00
Sergio Correia
745ee46295 Disable LUKS2 tests for now
As they fail randomly in Koji builders, killing the build.
2019-12-05 08:50:32 -03:00
Sergio Correia
c3193c30ba Backport upstream tests and fixes
Commits backported:

* Add tests for LUKS binding and unbinding
- f5d42cb3ba

* Rework the logic for reading the existing key
- 834eda9db6

* fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- 62bd6de0b8

* pins/tang: check that key derivation key is available
- c231352729
2019-12-05 08:06:14 -03:00
Peter Robinson
8f866ee158 fix patch application 2019-10-31 16:16:47 +00:00
Peter Robinson
b1fb02f6fe drop the rd.neednet for the time being 2019-10-31 16:07:08 +00:00
Javier Martinez Canillas
0f1aa4e16b Add support for tpm2-tools 4.0
The tpm2-tools package in Fedora 32 was updated to version 4.0, but clevis
still only has 3.0 support. Support for the latest release is in the works
and will probably make it to the next clevis release.

But until that happens, let's backport the patches that add tpm2-tools 4.0
support for clevis so it continues to work in Fedora 32.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2019-09-06 17:34:52 +02:00
Fedora Release Engineering
03eb6fb719 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 20:24:00 +00:00