Compare commits

...

No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

28 changed files with 1782 additions and 952 deletions

View File

@ -1 +0,0 @@
1

12
.gitignore vendored
View File

@ -1,11 +1 @@
/clevis-11.tar.xz SOURCES/clevis-15.tar.xz
/clevis-12.tar.xz
/clevis-13.tar.xz
/clevis-14.tar.xz
/clevis-15.tar.xz
/clevis-16.tar.xz
/clevis-17.tar.xz
/clevis-18.tar.xz
/clevis-19.tar.xz
/clevis-20.tar.xz
/clevis-21.tar.xz

View File

@ -1,288 +0,0 @@
From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Mon, 30 Sep 2024 11:27:57 +0200
Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
.../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
.../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
4 files changed, 74 insertions(+), 61 deletions(-)
diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
index 39d06a0..a7a6d6b 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
@@ -23,7 +23,7 @@ depends() {
}
install() {
- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
+ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index 8f4092f..b860efa 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,6 +52,7 @@ get_pkcs11_error() {
return 0
}
+
if command -v pcscd; then
echo "clevis-pkcs11: starting pcscd if not available ..."
PCSCD_PID=$(ps auxf | grep "[p]cscd")
@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
fi
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
- exit 1
-fi
-
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
-fi
-
-while [ -z "${pkcs11_device}" ]; do
- if [ "${dracut_mode}" != true ]; then
- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
- if [ -n "${module_paths}" ]; then
- modules=$(echo ${module_paths} | tr ";" "\n")
- for module in $modules; do
- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if [ -n "${pkcs11_device}" ]; then
- break;
- fi
- done
- fi
- fi
- if [ -z "${pkcs11_device}" ]; then
- if [ "${retry_mode}" == true ]; then
- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
- echo "Won't continue PKCS11 device detection"
- exit 0
- fi
- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if ! pkcs11-tool -O 2>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
- fi
- else
- exit 0
- fi
- fi
-done
-echo "Detected PKCS11 device:${pkcs11_device}"
-
devices_array=()
# Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
while read -r line;
@@ -126,6 +82,8 @@ do
next_device=0
errors=0
msg=""
+ # Store passphrases to send to control socket
+ systemd_device=$(echo "${line}" | awk '{print $1}')
while [ ${next_device} -ne 1 ]; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
@@ -141,15 +99,23 @@ do
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
+ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
+ # Send a wrong passphrase
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
+ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
+ echo "No PKCS11 device detected" >&2
+ exit 0
+ else
+ echo "Detected PKCS11 device:${pkcs11_device}" >&2
+ fi
# Get configuration PKCS#11 URI
uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
slot_opt=""
if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
- echo "Could not find slot for uri:${uri}"
+ echo "Could not find slot for uri:${uri}" >&2
else
slot_opt="--slot-index ${slot}"
fi
@@ -159,8 +125,9 @@ do
module_opt="--module ${module}"
fi
echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
- echo "No objects on slot:${slot}, module_opt:${module_opt}"
+ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
+ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
@@ -175,22 +142,21 @@ do
# Get key from PKCS11 pin here and feed AF_UNIX socket program
echo "${pin}" > /run/systemd/clevis-pkcs11.pin
if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
- echo "Could not unlock device:${mapped_device}"
+ echo "Could not unlock device:${mapped_device}" >&2
msg="$(get_pkcs11_error)"
((errors++))
if [ ${errors} -eq ${too_many_errors} ]; then
- echo "Too many errors !!!" 1>&2
+ echo "Too many errors !!!" >&2
next_device=1
fi
continue
fi
next_device=1
- echo "Device:${mapped_device} unlocked successfully by clevis"
+ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
if [ "${dracut_mode}" == true ]; then
echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
fi
# Store passphrases to send to control socket
- systemd_device=$(echo "${line}" | awk '{print $1}')
devices_array+=("${systemd_device},${passphrase}")
done
fi
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..24bad83 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
}
char* t = control_msg;
int is_device = 1;
- fprintf(logfile, "Received control message:[%s]\n", t);
while((t = strtok(t, ","))) {
if (is_device) {
fprintf(logfile, "Adding device:%s\n", t);
@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
static void int_handler(int s) {
if(logfile) {
- fprintf(logfile, "Closing, signal:[%d]\n", s);
+ fprintf(logfile, "Closing, received signal:[%d]\n", s);
fclose(logfile);
}
exit(EXIT_FAILURE);
@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
break;
case 'f':
strncpy(sock_file, optarg, MAX_PATH - 1);
+ unlink(sock_file);
break;
case 'k':
strncpy(key, optarg, MAX_KEY - 1);
@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
memset(&sock_addr, 0, sizeof(sock_addr));
sock_addr.sun_family = AF_UNIX;
strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
- unlink(sock_file);
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) {
perror("socket");
@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
perror("key entry send error");
goto efailure;
}
- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
- entry_key, unlocking_device);
+ fprintf(logfile, "Sending passphrase to device:[%s]\n",
+ unlocking_device);
} else {
fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
}
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 4c0629c..571a2be 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -27,6 +27,56 @@ serial_devices_array=""
URI_EXPECTED_FORMAT="pkcs11:"
DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
+clevis_detect_pkcs11_device() {
+ dracut_mode="${1:false}"
+ retry_mode="${2:false}"
+ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
+ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
+ echo ""
+ return 1
+ fi
+
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+
+ while [ -z "${pkcs11_device}" ]; do
+ if [ "${dracut_mode}" != true ]; then
+ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
+ if [ -n "${module_paths}" ]; then
+ modules=$(echo ${module_paths} | tr ";" "\n")
+ for module in $modules; do
+ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if [ -n "${pkcs11_device}" ]; then
+ break;
+ fi
+ done
+ fi
+ fi
+ if [ -z "${pkcs11_device}" ]; then
+ if [ "${retry_mode}" == true ]; then
+ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
+ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
+ echo ""
+ # Straight Forward Mode
+ return 0
+ fi
+ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+ else
+ echo "${pkcs11_device}"
+ return 0
+ fi
+ fi
+ done
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
while read -r line; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
- echo "Could not check mapped device for UID:${uuid}"
continue
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
continue
fi
# Get configuration PKCS#11 URI
--
2.46.2

View File

@ -1,49 +0,0 @@
From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Fri, 27 Sep 2024 12:12:48 +0200
Subject: [PATCH] Fix potential race condition
Guard the modification of "entry_counter" and the read
used to decide whether to modify "entry_counter" with the
same set of locks
Resolves: #478
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..b1e2004 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
}
static void insert_device(const char* dev) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
pthread_mutex_unlock(&mutex);
}
static void insert_key(const char* key) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter++].key, key, MAX_KEY);
pthread_mutex_unlock(&mutex);
}
--
2.46.2

View File

@ -1,110 +0,0 @@
From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Wed, 9 Oct 2024 12:15:18 +0200
Subject: [PATCH] Fix to start pcscd appropriately
diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
index 01a3062..9922bbc 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
@@ -16,9 +16,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. /usr/bin/clevis-pkcs11-common
+
if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
then
- pcscd --disable-polkit
- echo "" > /run/systemd/clevis-pkcs11.run
- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
+ clevis_start_pcscd_server
+ echo "" > /run/systemd/clevis-pkcs11.run
+ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
fi
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index b860efa..468ca3c 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,22 +52,7 @@ get_pkcs11_error() {
return 0
}
-
-if command -v pcscd; then
- echo "clevis-pkcs11: starting pcscd if not available ..."
- PCSCD_PID=$(ps auxf | grep "[p]cscd")
- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
- if ! ps auxf | grep "[p]cscd";
- then
- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
- pcscd --disable-polkit
- else
- echo "clevis-pkcs11: starting pcscd ..."
- pcscd
- fi
- fi
-fi
+clevis_start_pcscd_server
if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 571a2be..c7f2a58 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
done
}
+clevis_start_pcscd_server() {
+ if command -v pcscd; then
+ echo "clevis-pkcs11: starting pcscd if not available ..."
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
+ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
+ if ! ps auxf | grep "[p]cscd";
+ then
+ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
+ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
+ pcscd --disable-polkit
+ else
+ echo "clevis-pkcs11: starting pcscd ..."
+ pcscd
+ fi
+ fi
+ fi
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
index 94e1548..c876ca4 100755
--- a/src/pins/pkcs11/tests/pin-pkcs11
+++ b/src/pins/pkcs11/tests/pin-pkcs11
@@ -20,6 +20,7 @@
. pkcs11-common-tests
. tests-common-functions
. clevis-luks-common-functions
+. clevis-pkcs11-common
on_exit() {
exit_status=$?
@@ -150,5 +151,16 @@ then
(${WRONGCFG})"
fi
+if command -v ps && command -v killall; then
+ if ! clevis_start_pcscd_server;
+ then
+ error "${TEST}: Could not start pcscd server"
+ fi
+ if ! killall -9 pcscd;
+ then
+ error "${TEST}: Could not kill pcscd server"
+ fi
+fi
+
softhsm_lib_cleanup
test "$?" == 0

View File

@ -1,65 +0,0 @@
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -58,7 +58,7 @@
echo
echo " key: <string> Algorithm type for the generated key (default: ecc)"
echo
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
echo
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
echo
@@ -130,7 +130,15 @@
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
+ if ! pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
+ END {exit !found}'); then
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
+ exit 1
+ fi
+}
# Trim the spaces from the config, so that we will not have issues parsing
# the PCR IDs.
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
@@ -91,13 +91,17 @@
- *symcipher*
* *pcr_bank* (string) :
- PCR algorithm bank to use for policy (default: sha1)
+ PCR algorithm bank to use for policy (default: first supported by TPM)
- It must be one of the following:
+ Examples of PCR algorithm banks, support depends on TPM chip:
- *sha1*
- *sha256*
+ For the full list of algorithms supported by the TPM chip check output of
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
+ numbers.
+
* *pcr_ids* (string) :
Comma separated list of PCR used for policy. If not present, no policy is used
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -142,8 +142,10 @@
# arrays and check if we get the expected pcr_ids.
# Let's first make sure this would be a valid configuration.
-_default_pcr_bank="sha1"
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
+_default_pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1

View File

@ -0,0 +1,176 @@
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 25 Oct 2020 11:15:46 -0300
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
---
src/luks/tests/meson.build | 11 +----------
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
src/pins/tang/meson.build | 11 +----------
src/pins/tang/pin-tang | 11 ++++++++---
4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index ba5f6a2..c0f9dc3 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -17,14 +17,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -58,11 +50,10 @@ env.prepend('PATH',
)
has_tang = false
-if actv.found() and kgen.found() and updt.found() and tang.found()
+if actv.found() and kgen.found() and tang.found()
has_tang = true
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
endif
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
index 8520715..318d007 100755
--- a/src/luks/tests/tests-common-functions.in
+++ b/src/luks/tests/tests-common-functions.in
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
return 1
fi
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
-
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
- mkdir -p "${cache}"
+
+ if [ -n "${TANGD_UPDATE}" ]; then
+ local cache="${basedir}/cache"
+ mkdir -p "${cache}"
+ fi
pushd "${db}"
find . -name ".*.jwk" -exec rm -f {} \;
popd
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -277,12 +278,12 @@ tang_new_keys() {
fi
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
+
if [ -n "${rotate}" ]; then
pushd "${db}"
local k
@@ -296,7 +297,7 @@ tang_new_keys() {
fi
"${TANGD_KEYGEN}" "${db}"
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -322,6 +323,8 @@ tang_run() {
fi
local KEYS="${basedir}/cache"
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
+
local inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
index f7d8226..ebcdd4a 100644
--- a/src/pins/tang/meson.build
+++ b/src/pins/tang/meson.build
@@ -12,14 +12,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -35,11 +27,10 @@ if curl.found()
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
- if actv.found() and kgen.found() and updt.found() and tang.found()
+ if actv.found() and kgen.found() and tang.found()
env = environment()
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
env.prepend('PATH',
join_paths(meson.source_root(), 'src'),
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
index 98e5e4d..a63d0a2 100755
--- a/src/pins/tang/pin-tang
+++ b/src/pins/tang/pin-tang
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
mkdir -p "$TMP"/cache
# Generate the server keys
+KEYS="$TMP"/db
"${TANGD_KEYGEN}" "$TMP"/db sig exc
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
+if which tangd-update; then
+ tangd-update "$TMP"/db "$TMP"/cache
+ KEYS="$TMP"/cache
+fi
# Start the server
port="$(shuf -i 1024-65536 -n 1)"
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
PID=$!
sleep 0.25
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
-adv="$TMP/cache/default.jws"
url="http://localhost:${port}"
+adv="$TMP/adv"
+curl "$url/adv" -o "$adv"
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--
2.18.4

View File

@ -0,0 +1,309 @@
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 3 Nov 2020 08:42:48 -0300
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
binding
Usage:
clevis luks pass -d /dev/sda1 -s 1
<passphrase here>
---
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
src/luks/meson.build | 3 ++
src/luks/tests/meson.build | 2 +
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
6 files changed, 230 insertions(+)
create mode 100755 src/luks/clevis-luks-pass
create mode 100644 src/luks/clevis-luks-pass.1.adoc
create mode 100755 src/luks/tests/pass-tang-luks1
create mode 100755 src/luks/tests/pass-tang-luks2
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
new file mode 100755
index 0000000..1f59b39
--- /dev/null
+++ b/src/luks/clevis-luks-pass
@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
+
+usage() {
+ exec >&2
+ echo "Usage: clevis luks pass -d DEV -s SLT"
+ echo
+ echo "$SUMMARY"
+ echo
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
+ echo
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
+ echo
+ exit 1
+}
+
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
+ echo "${SUMMARY}"
+ exit 0
+fi
+
+while getopts ":d:s:" o; do
+ case "$o" in
+ d) DEV=${OPTARG};;
+ s) SLT=${OPTARG};;
+ *) usage;;
+ esac
+done
+
+if [ -z "${DEV}" ]; then
+ echo "Did not specify a device!" >&2
+ usage
+fi
+
+if [ -z "${SLT}" ]; then
+ echo "Did not specify a slot!" >&2
+ usage
+fi
+
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
+ exit 1
+fi
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
new file mode 100644
index 0000000..fa9526a
--- /dev/null
+++ b/src/luks/clevis-luks-pass.1.adoc
@@ -0,0 +1,43 @@
+CLEVIS-LUKS-PASS(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
+
+== SYNOPSIS
+
+*clevis luks pass* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
+For example:
+
+ clevis luks pass -d /dev/sda1 -s 1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+ The LUKS device on which to extract a passphrase from
+
+* *-s* _SLT_ :
+ The slot to use for extracting the passphrase
+
+== EXAMPLE
+
+ clevis luks pass -d /dev/sda1 -s 1
+ <passphrase here>
+
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
+file together with cryptsetup. For instance:
+
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
+
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
+
+== SEE ALSO
+
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 12f5a0d..008736e 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
+
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
else
warning('Will not install LUKS support due to missing dependencies!')
endif
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index c22a069..f4584aa 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -84,6 +84,7 @@ if has_tang
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
endif
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
new file mode 100755
index 0000000..0d91e6c
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks1
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
new file mode 100755
index 0000000..2d50413
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks2
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
--
2.29.2

View File

@ -0,0 +1,41 @@
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 3/3] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
index 285bba4..f19671f 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

View File

@ -0,0 +1,101 @@
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].
However, systemd itself has a utility that does exactly that,
systemd-reply-password.
In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.
[1] https://systemd.io/PASSWORD_AGENTS/
---
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
src/luks/systemd/meson.build | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 5 deletions(-)
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
fi
uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
continue
fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
inst_multiple \
/etc/services \
+ @SYSTEMD_REPLY_PASS@ \
@libexecdir@/clevis-luks-askpass \
clevis-luks-common-functions \
grep sed cut \
@@ -45,8 +46,7 @@ install() {
luksmeta \
clevis \
mktemp \
- jose \
- ncat
+ jose
dracut_need_initqueue
}
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
subdir('dracut')
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
configuration: data,
)
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
else
warning('Will not install systemd support due to missing dependencies!')
endif
--
2.33.1

View File

@ -0,0 +1,26 @@
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 25 Nov 2021 19:18:03 -0300
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
happen
---
src/luks/clevis-luks-common-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 879ca4c..df8e16d 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|| [ -z "${passphrase}" ]; then
return 1
fi
--
2.33.1

View File

@ -0,0 +1,45 @@
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
set (#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index df8e16d..67ece72 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.33.1

View File

@ -0,0 +1,83 @@
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
From: Renaud Metrich <rmetrich@redhat.com>
Date: Fri, 7 Jan 2022 12:13:03 -0300
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-bind.in | 7 +++++--
src/luks/clevis-luks-common-functions | 7 ++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
index 4748c08..017f762 100755
--- a/src/luks/clevis-luks-bind.in
+++ b/src/luks/clevis-luks-bind.in
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
exit 1
fi
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ "$luks_type" == "luks1" ]; then
+ pbkdf_args=
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
# cryptsetup, which means we will try to save LUKSMeta metadata over an
# already used or partially used slot -- github issue #70.
@@ -184,7 +186,7 @@ fi
# Add the new key.
if [ -n "$SLT" ]; then
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
<(echo -n "$existing_key") "$DEV"
else
if [ $luks_type == "luks2" ]; then
@@ -194,7 +196,8 @@ else
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+ cryptsetup luksAddKey ${pbkdf_args} \
+ --key-file <(echo -n "${existing_key}") "$DEV"
fi < <(echo -n "${key}")
if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 67ece72..038cc37 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

View File

@ -0,0 +1,16 @@
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
@@ -73,10 +73,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with the server $url" >&2
exit 1
fi

View File

@ -0,0 +1,213 @@
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 9/9] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index cc3b492..448ba96 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1

View File

@ -0,0 +1,24 @@
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
@@ -27,6 +27,7 @@
}
cmd=clevis
+input_commands="$cmd $@"
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +37,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

View File

@ -0,0 +1,53 @@
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 11:07:00 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 038cc37..950f217 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

View File

@ -0,0 +1,16 @@
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
@@ -413,7 +413,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a

View File

@ -0,0 +1,73 @@
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
@@ -865,6 +865,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -876,6 +877,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
@@ -19,6 +19,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. clevis-luks-common-functions
+
SUMMARY="Binds a LUKS device using the specified policy"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
@@ -139,14 +141,11 @@
fi
# Generate a key with the same entropy as the LUKS Master Key
-key="$(pwmake "$(
-cryptsetup luksDump "$DEV" \
- | if [ "$luks_type" == "luks1" ]; then
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
- else
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
- fi | sort -n | tail -n 1
-)")"
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
+ || [ -z "${key}" ]; then
+ echo "Unable to generate key for ${DEV}" >&2
+ return 1
+fi
# Encrypt the new key
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"

View File

@ -0,0 +1,11 @@
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi

View File

@ -0,0 +1,219 @@
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
@@ -50,12 +50,30 @@
exit 1
fi
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
- | jose jwk thp -i- -f "$kid")"; then
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
exit 1
fi
+# Check if the thumbprint we have in `kid' is in the advertised keys.
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "${keys}")"; then
+ # `kid' thumprint not in the advertised keys, but it's possible it was
+ # generated using a different algorithm than the default one.
+ # Let us try the alternative supported algorithms to make sure `kid'
+ # really is not part of the advertised keys.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
+ exit 1
+ fi
+fi
+
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
exit 1
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
@@ -64,6 +64,9 @@
exit 1
fi
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
trust=
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
@@ -111,15 +114,24 @@
if [ -z "$thp" ]; then
echo "The advertisement contains the following signing keys:" >&2
echo >&2
- jose jwk thp -i- <<< "$ver" >&2
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
echo >&2
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
[[ "$ans" =~ ^[yY]$ ]] || exit 1
-
elif [ "$thp" != "any" ] && \
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
- exit 1
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "$ver"; then
+ # Thumbprint of trusted JWK did not match the signature. Let's check
+ # alternative thumbprints generated with clevis supported hash
+ # algorithms to be sure.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
+ && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
+ exit 1
+ fi
fi
fi
@@ -138,7 +150,7 @@
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
-kid="$(jose jwk thp -i- <<< "$jwk")"
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
@@ -113,6 +113,7 @@
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
@@ -0,0 +1,120 @@
+#!/bin/bash
+set -exo pipefail
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+. tests-common-functions
+
+TEST=$(basename "${0}")
+
+on_exit() {
+ exit_status=$?
+ tang_stop "${TMP}"
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+ exit "${exit_status}"
+}
+
+trap 'on_exit' EXIT
+
+TMP="$(mktemp -d)"
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}"
+
+url="http://localhost:${port}"
+data="just a sample text"
+
+adv="${TMP}/adv"
+# Get the advertisement and extract the keys.
+tang_get_adv "${port}" "${adv}"
+
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
+ --use deriveKey --output=-)"
+
+jose fmt --json="${enc}" --get keys --array \
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
+
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
+
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
+
+# We currently support SHA-1 (legacy) and SHA-256.
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
+# Now we will use every hash algorithm supported by jose to create a thumbprint
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
+# correctly.
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
+
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Now let's test encryption providing the thp in the configuration.
+data="just another test"
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
+ fi
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Let's also try some unsupported thp hash algorithms.
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
+for alg in ${UNSUPPORTED}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
+ fi
+done
+
+# Now let's try some bad values for thp.
+for thp in "" "foo" "invalid"; do
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
+ fi
+done

375
SPECS/clevis.spec Normal file
View File

@ -0,0 +1,375 @@
%global _hardened_build 1
Name: clevis
Version: 15
Release: 15%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0008: 0008-tang-dump-url-on-error-communication.patch
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
Patch0010: 0010-avoid-clevis-invalid-msg.patch
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
Patch0015: 0015-support-sha256-algorithm.patch
BuildRequires: git
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 3.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: luksmeta
BuildRequires: cracklib-dicts
BuildRequires: jq
BuildRequires: diffutils
BuildRequires: expect
BuildRequires: openssl
Requires: cracklib-dicts
Requires: tpm2-tools >= 3.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKS
volumes during early boot.
%package luks
Summary: LUKS integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKS integration for clevis. This package allows you to bind a LUKS
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
%description systemd
Automatically unlocks clevis-bound LUKS block devices during boot.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKS block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%prep
%autosetup -S git
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
# Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null
fi
exit 0
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt-null
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}-encrypt-null
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1*
%{_mandir}/man1/%{name}-luks-pass.1*
%{_mandir}/man1/%{name}-luks-regen.1*
%{_mandir}/man1/%{name}-luks-report.1*
%{_mandir}/man1/%{name}-luks-edit.1*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-pass
%{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-edit
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
- Include SHA-256 thumbprints clevis support
Resolves: rhbz#2209058
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
- luks-edit: remove unnecessary 2>/dev/null
Resolves: rhbz#2159739
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
- luks: define max entropy bits for pwmake
Resolves: rhbz#2159736
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
- Ignore empty & comment lines in crypttab
Resolves: rhbz#2159440
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
- Start clevis-luks-askpass.path service according to global policy
Resolves: rhbz#2107081
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
- Improve boot performance by removing key check
Resolves: rhbz#2099748
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
- Avoid invalid message for clevis command
Resolves: rhbz#2099325
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
- Support a null pin
Resolves: rhbz#2028096
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
- Dump server information on server error communication
Resolves: rhbz#2020193
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
- Explicitly specify pbkdf iterations to cryptsetup
Resolves: rhbz#1979256
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#1980742
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
- Stop sending stderr to the void when decryption doesn't happen
Resolves: rhbz#1976880
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
- Drop ncat dependency
Resolves: rhbz#1949289
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
- Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2018292
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to latest upstream release, v15
Resolves: rhbz#1887836
Resolves: rhbz#1853651
Resolves: rhbz#1874460
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3
- Add clevis luks edit command
Resolves: rhbz#1436735
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2
- Introduce -y (assume yes) argument to clevis luks bind
Resolves: rhbz#1819767
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new upstream release, v13
Resolves: rhbz#1827225
Resolves: rhbz#1827665
Resolves: rhbz#1801556
Resolves: rhbz#1784448
Resolves: rhbz#1826917
Resolves: rhbz#1812014
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9
- Improve clevis luks regen not to unbind+bind in every case
Resolves: rhbz#1795675
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8
- Use one clevis-luks-askpass per device
Resolves: rhbz#1784524
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7
- Add rd.neednet=1 to cmdline only if there are devices bound to tang
Resolves: rhbz#1762028
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6
- Add option to extract luks passphrase used for binding
Resolves: rhbz#1436780
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5
- Add support for listing existing PBD policies in place
Resolves: rhbz#1766526
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4
- Improve error message when bind is given an invalid PIN
Resolves: rhbz#1543380
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3
- Add clevis luks report and regen
Resolves: rhbz#1564566
Resolves: rhbz#1564559
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
- Check that key derivation key is available
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1648004
Resolves: rhbz#1650246
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release

186
changelog
View File

@ -1,186 +0,0 @@
* Fri Aug 05 2022 Luca BRUNO <lucab@lucabruno.net> - 18-10
- Simplify sysusers.d fragment by using default 'nologin' shell
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 8 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-8
- Support a null pin
* Tue Jun 28 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-7
Start clevis-luks-askpass.patch service according to global policy
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#1878892
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
- Rebuilt with OpenSSL 3.0.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 18-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
- Port to OpenSSL 3
Backport of upstream commit (ee1dfedb)
* Thu Apr 15 2021 Sergio Correia <scorreia@redhat.com> - 18-1
- Update to new clevis upstream release, v18.
* Wed Apr 14 2021 Sergio Correia <scorreia@redhat.com> - 17-1
- Update to new clevis upstream release, v17.
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
- Update to new clevis upstream release, v16.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
- Upstream patch for tpm-tools 5.0 support
* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
- Add jq to dependencies
* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to new clevis upstream release, v15.
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
- Suppress output in pre scriptlet when adjusting users/groups
Resolves: rhbz#1876729
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
when receives a SIGTERM
Resolves: rhbz#1876001
* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
- If clevis-luks-askpass is enabled, it may be using a wrong target,
since that changed in v14. Check and update it, if required.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
- Update sources file with new v14 release.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
- Update to new clevis upstream release, v14.
* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
- Downgrade cracklib-dicts to Recommends
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new clevis upstream release, v13.
* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
- cracklib-dicts should be also listed as a build dependency, since
it's required for running some of the tests
* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
- Make cracklib-dicts a regular dependency
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
- Update to new clevis upstream release, v12.
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Backport upstream PR#70 - Handle case where we try to use a partially
used luksmeta slot
Resolves: rhbz#1672371
* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
- Disable LUKS2 tests for now, since they fail randomly in Koji
builders, killing the build
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
- Backport of upstream patches and the following fixes:
- Rework the logic for reading the existing key
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- pins/tang: check that key derivation key is available
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
- Drop need network patch
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
- Add support for tpm2-tools 4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
- Update patch for work around
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
- Work around network requirement for early boot
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1644876
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release

View File

@ -1,12 +0,0 @@
/e2e:
plan:
import:
url: https://github.com/RedHat-SP-Security/clevis-plans.git
name: /generic/e2e_ci
/rpmverify:
plan:
import:
url: https://github.com/RedHat-SP-Security/clevis-plans.git
name: /generic/rpmverify

View File

@ -1,221 +0,0 @@
Name: clevis
Version: 21
Release: %autorelease
Summary: Automated decryption framework
License: GPL-3.0-or-later
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
Patch1: 0002-Fix-potential-race-condition.patch
Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
BuildRequires: git-core
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 4.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: luksmeta
BuildRequires: openssl
BuildRequires: diffutils
BuildRequires: cryptsetup
BuildRequires: jq
BuildRequires: pcsc-lite
BuildRequires: opensc
Requires: tpm2-tools >= 4.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
Requires: clevis-pin-tpm2
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of
LUKSv1/LUKSv2 volumes during early boot.
%package luks
Summary: LUKS integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKS integration for clevis. This package allows you to bind a LUKS
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
%description systemd
Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKS block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%package pin-pkcs11
Summary: PKCS#11 for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
Requires: %{name}-dracut%{?_isa} = %{version}-%{release}
Requires: pcsc-lite
Requires: opensc
%description pin-pkcs11
Automatically unlocks LUKS block devices through a PKCS#11 device.
%prep
%autosetup -S git
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
%sysusers_create_compat %{SOURCE1}
# Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null
fi
exit 0
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt-null
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}-encrypt-null
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%{_sysusersdir}/clevis.conf
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1.*
%{_mandir}/man1/%{name}-luks-edit.1.*
%{_mandir}/man1/%{name}-luks-regen.1.*
%{_mandir}/man1/%{name}-luks-report.1.*
%{_mandir}/man1/%{name}-luks-pass.1.*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-edit
%{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-pass
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_libexecdir}/%{name}-luks-unlocker
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%files pin-pkcs11
%{_libexecdir}/%{name}-luks-pkcs11-askpass
%{_libexecdir}/%{name}-luks-pkcs11-askpin
%{_bindir}/%{name}-decrypt-pkcs11
%{_bindir}/%{name}-encrypt-pkcs11
%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
%{_bindir}/%{name}-pkcs11-common
%{_unitdir}/%{name}-luks-pkcs11-askpass.service
%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%autochangelog

View File

@ -1 +0,0 @@
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -

View File

@ -1,7 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

View File

@ -1 +0,0 @@
SHA512 (clevis-21.tar.xz) = 66f141b9d0c35ec3bb975b49053ee11f8fd5492b2af0377797892d6e28f4491b146e48477107dcf0ae5860ed1b08920bc95ed69893664689077c1342169cd399