Compare commits
No commits in common. "c10s" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
|||||||
1
|
|
12
.gitignore
vendored
@ -1,11 +1 @@
|
|||||||
/clevis-11.tar.xz
|
SOURCES/clevis-15.tar.xz
|
||||||
/clevis-12.tar.xz
|
|
||||||
/clevis-13.tar.xz
|
|
||||||
/clevis-14.tar.xz
|
|
||||||
/clevis-15.tar.xz
|
|
||||||
/clevis-16.tar.xz
|
|
||||||
/clevis-17.tar.xz
|
|
||||||
/clevis-18.tar.xz
|
|
||||||
/clevis-19.tar.xz
|
|
||||||
/clevis-20.tar.xz
|
|
||||||
/clevis-21.tar.xz
|
|
||||||
|
@ -1,288 +0,0 @@
|
|||||||
From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
Date: Mon, 30 Sep 2024 11:27:57 +0200
|
|
||||||
Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
|
|
||||||
|
|
||||||
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
---
|
|
||||||
.../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
|
|
||||||
src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
|
|
||||||
.../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
|
|
||||||
src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
|
|
||||||
4 files changed, 74 insertions(+), 61 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
|
||||||
index 39d06a0..a7a6d6b 100755
|
|
||||||
--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
|
||||||
+++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
|
||||||
@@ -23,7 +23,7 @@ depends() {
|
|
||||||
}
|
|
||||||
|
|
||||||
install() {
|
|
||||||
- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
|
|
||||||
+ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
|
|
||||||
inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
|
|
||||||
inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
|
|
||||||
|
|
||||||
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
index 8f4092f..b860efa 100755
|
|
||||||
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
@@ -52,6 +52,7 @@ get_pkcs11_error() {
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
if command -v pcscd; then
|
|
||||||
echo "clevis-pkcs11: starting pcscd if not available ..."
|
|
||||||
PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
|
||||||
@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
|
|
||||||
pkcs11-tool -L
|
|
||||||
fi
|
|
||||||
|
|
||||||
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
|
|
||||||
- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
|
|
||||||
- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
|
|
||||||
- exit 1
|
|
||||||
-fi
|
|
||||||
-
|
|
||||||
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
|
||||||
- pkcs11_device=""
|
|
||||||
- echo "No objects in PKCS11 device detected"
|
|
||||||
-fi
|
|
||||||
-
|
|
||||||
-while [ -z "${pkcs11_device}" ]; do
|
|
||||||
- if [ "${dracut_mode}" != true ]; then
|
|
||||||
- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
|
|
||||||
- if [ -n "${module_paths}" ]; then
|
|
||||||
- modules=$(echo ${module_paths} | tr ";" "\n")
|
|
||||||
- for module in $modules; do
|
|
||||||
- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
|
|
||||||
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
|
||||||
- if [ -n "${pkcs11_device}" ]; then
|
|
||||||
- break;
|
|
||||||
- fi
|
|
||||||
- done
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
- if [ -z "${pkcs11_device}" ]; then
|
|
||||||
- if [ "${retry_mode}" == true ]; then
|
|
||||||
- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
|
|
||||||
- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
|
|
||||||
- echo "Won't continue PKCS11 device detection"
|
|
||||||
- exit 0
|
|
||||||
- fi
|
|
||||||
- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
|
|
||||||
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
|
||||||
- if ! pkcs11-tool -O 2>/dev/null; then
|
|
||||||
- pkcs11_device=""
|
|
||||||
- echo "No objects in PKCS11 device detected"
|
|
||||||
- fi
|
|
||||||
- else
|
|
||||||
- exit 0
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
-done
|
|
||||||
-echo "Detected PKCS11 device:${pkcs11_device}"
|
|
||||||
-
|
|
||||||
devices_array=()
|
|
||||||
# Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
|
|
||||||
while read -r line;
|
|
||||||
@@ -126,6 +82,8 @@ do
|
|
||||||
next_device=0
|
|
||||||
errors=0
|
|
||||||
msg=""
|
|
||||||
+ # Store passphrases to send to control socket
|
|
||||||
+ systemd_device=$(echo "${line}" | awk '{print $1}')
|
|
||||||
while [ ${next_device} -ne 1 ]; do
|
|
||||||
uuid=$(echo "${line}" | awk '{print $2}')
|
|
||||||
if ! mapped_device=$(clevis_map_device "${uuid}"); then
|
|
||||||
@@ -141,15 +99,23 @@ do
|
|
||||||
fi
|
|
||||||
# If no PKCS#11 configuration, advance to next device
|
|
||||||
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
|
|
||||||
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
|
|
||||||
+ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
|
|
||||||
+ # Send a wrong passphrase
|
|
||||||
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
|
|
||||||
next_device=1
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
+ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
|
|
||||||
+ echo "No PKCS11 device detected" >&2
|
|
||||||
+ exit 0
|
|
||||||
+ else
|
|
||||||
+ echo "Detected PKCS11 device:${pkcs11_device}" >&2
|
|
||||||
+ fi
|
|
||||||
# Get configuration PKCS#11 URI
|
|
||||||
uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
|
|
||||||
slot_opt=""
|
|
||||||
if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
|
|
||||||
- echo "Could not find slot for uri:${uri}"
|
|
||||||
+ echo "Could not find slot for uri:${uri}" >&2
|
|
||||||
else
|
|
||||||
slot_opt="--slot-index ${slot}"
|
|
||||||
fi
|
|
||||||
@@ -159,8 +125,9 @@ do
|
|
||||||
module_opt="--module ${module}"
|
|
||||||
fi
|
|
||||||
echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
|
|
||||||
- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
|
|
||||||
- echo "No objects on slot:${slot}, module_opt:${module_opt}"
|
|
||||||
+ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
|
|
||||||
+ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
|
|
||||||
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
|
|
||||||
next_device=1
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
@@ -175,22 +142,21 @@ do
|
|
||||||
# Get key from PKCS11 pin here and feed AF_UNIX socket program
|
|
||||||
echo "${pin}" > /run/systemd/clevis-pkcs11.pin
|
|
||||||
if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
|
|
||||||
- echo "Could not unlock device:${mapped_device}"
|
|
||||||
+ echo "Could not unlock device:${mapped_device}" >&2
|
|
||||||
msg="$(get_pkcs11_error)"
|
|
||||||
((errors++))
|
|
||||||
if [ ${errors} -eq ${too_many_errors} ]; then
|
|
||||||
- echo "Too many errors !!!" 1>&2
|
|
||||||
+ echo "Too many errors !!!" >&2
|
|
||||||
next_device=1
|
|
||||||
fi
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
next_device=1
|
|
||||||
- echo "Device:${mapped_device} unlocked successfully by clevis"
|
|
||||||
+ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
|
|
||||||
if [ "${dracut_mode}" == true ]; then
|
|
||||||
echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
|
|
||||||
fi
|
|
||||||
# Store passphrases to send to control socket
|
|
||||||
- systemd_device=$(echo "${line}" | awk '{print $1}')
|
|
||||||
devices_array+=("${systemd_device},${passphrase}")
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
index a6ecc63..24bad83 100644
|
|
||||||
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
|
|
||||||
}
|
|
||||||
char* t = control_msg;
|
|
||||||
int is_device = 1;
|
|
||||||
- fprintf(logfile, "Received control message:[%s]\n", t);
|
|
||||||
while((t = strtok(t, ","))) {
|
|
||||||
if (is_device) {
|
|
||||||
fprintf(logfile, "Adding device:%s\n", t);
|
|
||||||
@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
|
|
||||||
|
|
||||||
static void int_handler(int s) {
|
|
||||||
if(logfile) {
|
|
||||||
- fprintf(logfile, "Closing, signal:[%d]\n", s);
|
|
||||||
+ fprintf(logfile, "Closing, received signal:[%d]\n", s);
|
|
||||||
fclose(logfile);
|
|
||||||
}
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
|
|
||||||
break;
|
|
||||||
case 'f':
|
|
||||||
strncpy(sock_file, optarg, MAX_PATH - 1);
|
|
||||||
+ unlink(sock_file);
|
|
||||||
break;
|
|
||||||
case 'k':
|
|
||||||
strncpy(key, optarg, MAX_KEY - 1);
|
|
||||||
@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
|
|
||||||
memset(&sock_addr, 0, sizeof(sock_addr));
|
|
||||||
sock_addr.sun_family = AF_UNIX;
|
|
||||||
strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
|
|
||||||
- unlink(sock_file);
|
|
||||||
s = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
||||||
if (s == -1) {
|
|
||||||
perror("socket");
|
|
||||||
@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
|
|
||||||
perror("key entry send error");
|
|
||||||
goto efailure;
|
|
||||||
}
|
|
||||||
- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
|
|
||||||
- entry_key, unlocking_device);
|
|
||||||
+ fprintf(logfile, "Sending passphrase to device:[%s]\n",
|
|
||||||
+ unlocking_device);
|
|
||||||
} else {
|
|
||||||
fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
|
|
||||||
}
|
|
||||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
index 4c0629c..571a2be 100755
|
|
||||||
--- a/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
+++ b/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
@@ -27,6 +27,56 @@ serial_devices_array=""
|
|
||||||
URI_EXPECTED_FORMAT="pkcs11:"
|
|
||||||
DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
|
|
||||||
|
|
||||||
+clevis_detect_pkcs11_device() {
|
|
||||||
+ dracut_mode="${1:false}"
|
|
||||||
+ retry_mode="${2:false}"
|
|
||||||
+ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
|
|
||||||
+ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
|
|
||||||
+ echo ""
|
|
||||||
+ return 1
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
|
||||||
+ pkcs11_device=""
|
|
||||||
+ echo "No objects in PKCS11 device detected" >&2
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ while [ -z "${pkcs11_device}" ]; do
|
|
||||||
+ if [ "${dracut_mode}" != true ]; then
|
|
||||||
+ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
|
|
||||||
+ if [ -n "${module_paths}" ]; then
|
|
||||||
+ modules=$(echo ${module_paths} | tr ";" "\n")
|
|
||||||
+ for module in $modules; do
|
|
||||||
+ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
|
|
||||||
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
|
||||||
+ if [ -n "${pkcs11_device}" ]; then
|
|
||||||
+ break;
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ if [ -z "${pkcs11_device}" ]; then
|
|
||||||
+ if [ "${retry_mode}" == true ]; then
|
|
||||||
+ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
|
|
||||||
+ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
|
|
||||||
+ echo ""
|
|
||||||
+ # Straight Forward Mode
|
|
||||||
+ return 0
|
|
||||||
+ fi
|
|
||||||
+ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
|
|
||||||
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
|
||||||
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
|
||||||
+ pkcs11_device=""
|
|
||||||
+ echo "No objects in PKCS11 device detected" >&2
|
|
||||||
+ fi
|
|
||||||
+ else
|
|
||||||
+ echo "${pkcs11_device}"
|
|
||||||
+ return 0
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
clevis_parse_devices_array() {
|
|
||||||
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
|
|
||||||
counter=0
|
|
||||||
@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
|
|
||||||
while read -r line; do
|
|
||||||
uuid=$(echo "${line}" | awk '{print $2}')
|
|
||||||
if ! mapped_device=$(clevis_map_device "${uuid}"); then
|
|
||||||
- echo "Could not check mapped device for UID:${uuid}"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
# If no PKCS#11 configuration, advance to next device
|
|
||||||
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
|
|
||||||
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
# Get configuration PKCS#11 URI
|
|
||||||
--
|
|
||||||
2.46.2
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
Date: Fri, 27 Sep 2024 12:12:48 +0200
|
|
||||||
Subject: [PATCH] Fix potential race condition
|
|
||||||
|
|
||||||
Guard the modification of "entry_counter" and the read
|
|
||||||
used to decide whether to modify "entry_counter" with the
|
|
||||||
same set of locks
|
|
||||||
|
|
||||||
Resolves: #478
|
|
||||||
|
|
||||||
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
---
|
|
||||||
src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
index a6ecc63..b1e2004 100644
|
|
||||||
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
|
||||||
@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
|
|
||||||
}
|
|
||||||
|
|
||||||
static void insert_device(const char* dev) {
|
|
||||||
+ pthread_mutex_lock(&mutex);
|
|
||||||
if(MAX_ENTRIES == entry_counter) {
|
|
||||||
+ pthread_mutex_unlock(&mutex);
|
|
||||||
perror("No more entries accepted\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- pthread_mutex_lock(&mutex);
|
|
||||||
strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
|
|
||||||
pthread_mutex_unlock(&mutex);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void insert_key(const char* key) {
|
|
||||||
+ pthread_mutex_lock(&mutex);
|
|
||||||
if(MAX_ENTRIES == entry_counter) {
|
|
||||||
+ pthread_mutex_unlock(&mutex);
|
|
||||||
perror("No more entries accepted\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- pthread_mutex_lock(&mutex);
|
|
||||||
strncpy(keys[entry_counter++].key, key, MAX_KEY);
|
|
||||||
pthread_mutex_unlock(&mutex);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.46.2
|
|
||||||
|
|
@ -1,110 +0,0 @@
|
|||||||
From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
|
||||||
Date: Wed, 9 Oct 2024 12:15:18 +0200
|
|
||||||
Subject: [PATCH] Fix to start pcscd appropriately
|
|
||||||
|
|
||||||
diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
|
||||||
index 01a3062..9922bbc 100755
|
|
||||||
--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
|
||||||
+++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
|
||||||
@@ -16,9 +16,11 @@
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
+. /usr/bin/clevis-pkcs11-common
|
|
||||||
+
|
|
||||||
if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
|
|
||||||
then
|
|
||||||
- pcscd --disable-polkit
|
|
||||||
- echo "" > /run/systemd/clevis-pkcs11.run
|
|
||||||
- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
|
|
||||||
+ clevis_start_pcscd_server
|
|
||||||
+ echo "" > /run/systemd/clevis-pkcs11.run
|
|
||||||
+ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
|
|
||||||
fi
|
|
||||||
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
index b860efa..468ca3c 100755
|
|
||||||
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
|
||||||
@@ -52,22 +52,7 @@ get_pkcs11_error() {
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
-if command -v pcscd; then
|
|
||||||
- echo "clevis-pkcs11: starting pcscd if not available ..."
|
|
||||||
- PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
|
||||||
- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
|
|
||||||
- if ! ps auxf | grep "[p]cscd";
|
|
||||||
- then
|
|
||||||
- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
|
|
||||||
- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
|
|
||||||
- pcscd --disable-polkit
|
|
||||||
- else
|
|
||||||
- echo "clevis-pkcs11: starting pcscd ..."
|
|
||||||
- pcscd
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
-fi
|
|
||||||
+clevis_start_pcscd_server
|
|
||||||
|
|
||||||
if [ "${dracut_mode}" != true ]; then
|
|
||||||
pkcs11-tool -L
|
|
||||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
index 571a2be..c7f2a58 100755
|
|
||||||
--- a/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
+++ b/src/pins/pkcs11/clevis-pkcs11-common
|
|
||||||
@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
+clevis_start_pcscd_server() {
|
|
||||||
+ if command -v pcscd; then
|
|
||||||
+ echo "clevis-pkcs11: starting pcscd if not available ..."
|
|
||||||
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
|
||||||
+ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
|
|
||||||
+ if ! ps auxf | grep "[p]cscd";
|
|
||||||
+ then
|
|
||||||
+ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
|
|
||||||
+ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
|
|
||||||
+ pcscd --disable-polkit
|
|
||||||
+ else
|
|
||||||
+ echo "clevis-pkcs11: starting pcscd ..."
|
|
||||||
+ pcscd
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
clevis_parse_devices_array() {
|
|
||||||
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
|
|
||||||
counter=0
|
|
||||||
diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
|
|
||||||
index 94e1548..c876ca4 100755
|
|
||||||
--- a/src/pins/pkcs11/tests/pin-pkcs11
|
|
||||||
+++ b/src/pins/pkcs11/tests/pin-pkcs11
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
. pkcs11-common-tests
|
|
||||||
. tests-common-functions
|
|
||||||
. clevis-luks-common-functions
|
|
||||||
+. clevis-pkcs11-common
|
|
||||||
|
|
||||||
on_exit() {
|
|
||||||
exit_status=$?
|
|
||||||
@@ -150,5 +151,16 @@ then
|
|
||||||
(${WRONGCFG})"
|
|
||||||
fi
|
|
||||||
|
|
||||||
+if command -v ps && command -v killall; then
|
|
||||||
+ if ! clevis_start_pcscd_server;
|
|
||||||
+ then
|
|
||||||
+ error "${TEST}: Could not start pcscd server"
|
|
||||||
+ fi
|
|
||||||
+ if ! killall -9 pcscd;
|
|
||||||
+ then
|
|
||||||
+ error "${TEST}: Could not kill pcscd server"
|
|
||||||
+ fi
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
softhsm_lib_cleanup
|
|
||||||
test "$?" == 0
|
|
@ -1,65 +0,0 @@
|
|||||||
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
|
|
||||||
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
|
|
||||||
@@ -58,7 +58,7 @@
|
|
||||||
echo
|
|
||||||
echo " key: <string> Algorithm type for the generated key (default: ecc)"
|
|
||||||
echo
|
|
||||||
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
|
|
||||||
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
|
|
||||||
echo
|
|
||||||
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
|
|
||||||
echo
|
|
||||||
@@ -130,7 +130,15 @@
|
|
||||||
|
|
||||||
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
|
|
||||||
|
|
||||||
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
|
|
||||||
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
|
|
||||||
+ if ! pcr_bank=$(tpm2_getcap pcrs |
|
|
||||||
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
|
||||||
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
|
|
||||||
+ END {exit !found}'); then
|
|
||||||
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
|
|
||||||
# Trim the spaces from the config, so that we will not have issues parsing
|
|
||||||
# the PCR IDs.
|
|
||||||
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
|
|
||||||
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
|
|
||||||
@@ -91,13 +91,17 @@
|
|
||||||
- *symcipher*
|
|
||||||
|
|
||||||
* *pcr_bank* (string) :
|
|
||||||
- PCR algorithm bank to use for policy (default: sha1)
|
|
||||||
+ PCR algorithm bank to use for policy (default: first supported by TPM)
|
|
||||||
|
|
||||||
- It must be one of the following:
|
|
||||||
+ Examples of PCR algorithm banks, support depends on TPM chip:
|
|
||||||
|
|
||||||
- *sha1*
|
|
||||||
- *sha256*
|
|
||||||
|
|
||||||
+ For the full list of algorithms supported by the TPM chip check output of
|
|
||||||
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
|
|
||||||
+ numbers.
|
|
||||||
+
|
|
||||||
* *pcr_ids* (string) :
|
|
||||||
Comma separated list of PCR used for policy. If not present, no policy is used
|
|
||||||
|
|
||||||
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
|
|
||||||
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
|
|
||||||
@@ -142,8 +142,10 @@
|
|
||||||
# arrays and check if we get the expected pcr_ids.
|
|
||||||
|
|
||||||
# Let's first make sure this would be a valid configuration.
|
|
||||||
-_default_pcr_bank="sha1"
|
|
||||||
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
|
||||||
+_default_pcr_bank=$(tpm2_getcap pcrs |
|
|
||||||
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
|
||||||
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
|
|
||||||
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
|
||||||
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
|
|
||||||
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
|
|
||||||
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1
|
|
@ -0,0 +1,176 @@
|
|||||||
|
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Sun, 25 Oct 2020 11:15:46 -0300
|
||||||
|
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
|
||||||
|
|
||||||
|
---
|
||||||
|
src/luks/tests/meson.build | 11 +----------
|
||||||
|
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
|
||||||
|
src/pins/tang/meson.build | 11 +----------
|
||||||
|
src/pins/tang/pin-tang | 11 ++++++++---
|
||||||
|
4 files changed, 21 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||||||
|
index ba5f6a2..c0f9dc3 100644
|
||||||
|
--- a/src/luks/tests/meson.build
|
||||||
|
+++ b/src/luks/tests/meson.build
|
||||||
|
@@ -17,14 +17,6 @@ kgen = find_program(
|
||||||
|
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
|
||||||
|
required: false
|
||||||
|
)
|
||||||
|
-updt = find_program(
|
||||||
|
- join_paths(libexecdir, 'tangd-update'),
|
||||||
|
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
|
||||||
|
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
|
||||||
|
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
|
||||||
|
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
|
||||||
|
- required: false
|
||||||
|
-)
|
||||||
|
tang = find_program(
|
||||||
|
join_paths(libexecdir, 'tangd'),
|
||||||
|
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
|
||||||
|
@@ -58,11 +50,10 @@ env.prepend('PATH',
|
||||||
|
)
|
||||||
|
|
||||||
|
has_tang = false
|
||||||
|
-if actv.found() and kgen.found() and updt.found() and tang.found()
|
||||||
|
+if actv.found() and kgen.found() and tang.found()
|
||||||
|
has_tang = true
|
||||||
|
env.set('SD_ACTIVATE', actv.path())
|
||||||
|
env.set('TANGD_KEYGEN', kgen.path())
|
||||||
|
- env.set('TANGD_UPDATE', updt.path())
|
||||||
|
env.set('TANGD', tang.path())
|
||||||
|
endif
|
||||||
|
|
||||||
|
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
|
||||||
|
index 8520715..318d007 100755
|
||||||
|
--- a/src/luks/tests/tests-common-functions.in
|
||||||
|
+++ b/src/luks/tests/tests-common-functions.in
|
||||||
|
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
|
||||||
|
-
|
||||||
|
local db="${basedir}/db"
|
||||||
|
- local cache="${basedir}/cache"
|
||||||
|
mkdir -p "${db}"
|
||||||
|
- mkdir -p "${cache}"
|
||||||
|
+
|
||||||
|
+ if [ -n "${TANGD_UPDATE}" ]; then
|
||||||
|
+ local cache="${basedir}/cache"
|
||||||
|
+ mkdir -p "${cache}"
|
||||||
|
+ fi
|
||||||
|
|
||||||
|
pushd "${db}"
|
||||||
|
find . -name ".*.jwk" -exec rm -f {} \;
|
||||||
|
popd
|
||||||
|
|
||||||
|
- "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||||
|
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -277,12 +278,12 @@ tang_new_keys() {
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
|
||||||
|
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
|
||||||
|
|
||||||
|
local db="${basedir}/db"
|
||||||
|
- local cache="${basedir}/cache"
|
||||||
|
mkdir -p "${db}"
|
||||||
|
|
||||||
|
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
|
||||||
|
+
|
||||||
|
if [ -n "${rotate}" ]; then
|
||||||
|
pushd "${db}"
|
||||||
|
local k
|
||||||
|
@@ -296,7 +297,7 @@ tang_new_keys() {
|
||||||
|
fi
|
||||||
|
|
||||||
|
"${TANGD_KEYGEN}" "${db}"
|
||||||
|
- "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||||
|
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
@@ -322,6 +323,8 @@ tang_run() {
|
||||||
|
fi
|
||||||
|
|
||||||
|
local KEYS="${basedir}/cache"
|
||||||
|
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
|
||||||
|
+
|
||||||
|
local inetd='--inetd'
|
||||||
|
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
|
||||||
|
|
||||||
|
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
|
||||||
|
index f7d8226..ebcdd4a 100644
|
||||||
|
--- a/src/pins/tang/meson.build
|
||||||
|
+++ b/src/pins/tang/meson.build
|
||||||
|
@@ -12,14 +12,6 @@ kgen = find_program(
|
||||||
|
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
|
||||||
|
required: false
|
||||||
|
)
|
||||||
|
-updt = find_program(
|
||||||
|
- join_paths(libexecdir, 'tangd-update'),
|
||||||
|
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
|
||||||
|
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
|
||||||
|
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
|
||||||
|
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
|
||||||
|
- required: false
|
||||||
|
-)
|
||||||
|
tang = find_program(
|
||||||
|
join_paths(libexecdir, 'tangd'),
|
||||||
|
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
|
||||||
|
@@ -35,11 +27,10 @@ if curl.found()
|
||||||
|
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
|
||||||
|
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
|
||||||
|
|
||||||
|
- if actv.found() and kgen.found() and updt.found() and tang.found()
|
||||||
|
+ if actv.found() and kgen.found() and tang.found()
|
||||||
|
env = environment()
|
||||||
|
env.set('SD_ACTIVATE', actv.path())
|
||||||
|
env.set('TANGD_KEYGEN', kgen.path())
|
||||||
|
- env.set('TANGD_UPDATE', updt.path())
|
||||||
|
env.set('TANGD', tang.path())
|
||||||
|
env.prepend('PATH',
|
||||||
|
join_paths(meson.source_root(), 'src'),
|
||||||
|
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
|
||||||
|
index 98e5e4d..a63d0a2 100755
|
||||||
|
--- a/src/pins/tang/pin-tang
|
||||||
|
+++ b/src/pins/tang/pin-tang
|
||||||
|
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
|
||||||
|
mkdir -p "$TMP"/cache
|
||||||
|
|
||||||
|
# Generate the server keys
|
||||||
|
+KEYS="$TMP"/db
|
||||||
|
"${TANGD_KEYGEN}" "$TMP"/db sig exc
|
||||||
|
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
|
||||||
|
+if which tangd-update; then
|
||||||
|
+ tangd-update "$TMP"/db "$TMP"/cache
|
||||||
|
+ KEYS="$TMP"/cache
|
||||||
|
+fi
|
||||||
|
|
||||||
|
# Start the server
|
||||||
|
port="$(shuf -i 1024-65536 -n 1)"
|
||||||
|
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
|
||||||
|
inetd='--inetd'
|
||||||
|
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
|
||||||
|
|
||||||
|
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
|
||||||
|
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
|
||||||
|
PID=$!
|
||||||
|
sleep 0.25
|
||||||
|
|
||||||
|
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
|
||||||
|
-adv="$TMP/cache/default.jws"
|
||||||
|
url="http://localhost:${port}"
|
||||||
|
+adv="$TMP/adv"
|
||||||
|
+curl "$url/adv" -o "$adv"
|
||||||
|
|
||||||
|
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
|
||||||
|
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
|
||||||
|
--
|
||||||
|
2.18.4
|
||||||
|
|
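Review bot: In the `src/pins/tang/pin-tang` hunk of this added patch, the new `curl "$url/adv" -o "$adv"` runs only 0.25 s after the server is started in the background and does not use `--fail`. If the listener is not yet up, or the request returns an HTTP error, `$adv` can be missing or hold an error body, which is then handed to `clevis encrypt tang` as the advertisement. The test would fail at the encrypt step with a misleading cause (whether the script aborts earlier depends on shell options outside the hunk). I would fetch it with `curl -sf --retry 5 --retry-connrefused "$url/adv" -o "$adv"` and stop the test if that fails. Separately, the same hunk probes with `which tangd-update`, which only searches PATH, while the `tests-common-functions.in` hunks still key off `${TANGD_UPDATE}`, which the meson hunks stop exporting; `if command -v tangd-update >/dev/null; then` avoids the external `which`, and a single shared detection method would keep both helpers serving the same key directory.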
@ -0,0 +1,309 @@
|
|||||||
|
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rpm-build <rpm-build>
|
||||||
|
Date: Tue, 3 Nov 2020 08:42:48 -0300
|
||||||
|
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
|
||||||
|
binding
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
clevis luks pass -d /dev/sda1 -s 1
|
||||||
|
<passphrase here>
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
|
||||||
|
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
|
||||||
|
src/luks/meson.build | 3 ++
|
||||||
|
src/luks/tests/meson.build | 2 +
|
||||||
|
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
|
||||||
|
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
|
||||||
|
6 files changed, 230 insertions(+)
|
||||||
|
create mode 100755 src/luks/clevis-luks-pass
|
||||||
|
create mode 100644 src/luks/clevis-luks-pass.1.adoc
|
||||||
|
create mode 100755 src/luks/tests/pass-tang-luks1
|
||||||
|
create mode 100755 src/luks/tests/pass-tang-luks2
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..1f59b39
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/clevis-luks-pass
|
||||||
|
@@ -0,0 +1,64 @@
|
||||||
|
+#!/bin/bash -e
|
||||||
|
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+. clevis-luks-common-functions
|
||||||
|
+
|
||||||
|
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
|
||||||
|
+
|
||||||
|
+usage() {
|
||||||
|
+ exec >&2
|
||||||
|
+ echo "Usage: clevis luks pass -d DEV -s SLT"
|
||||||
|
+ echo
|
||||||
|
+ echo "$SUMMARY"
|
||||||
|
+ echo
|
||||||
|
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
|
||||||
|
+ echo
|
||||||
|
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
|
||||||
|
+ echo
|
||||||
|
+ exit 1
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
|
||||||
|
+ echo "${SUMMARY}"
|
||||||
|
+ exit 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+while getopts ":d:s:" o; do
|
||||||
|
+ case "$o" in
|
||||||
|
+ d) DEV=${OPTARG};;
|
||||||
|
+ s) SLT=${OPTARG};;
|
||||||
|
+ *) usage;;
|
||||||
|
+ esac
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+if [ -z "${DEV}" ]; then
|
||||||
|
+ echo "Did not specify a device!" >&2
|
||||||
|
+ usage
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ -z "${SLT}" ]; then
|
||||||
|
+ echo "Did not specify a slot!" >&2
|
||||||
|
+ usage
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
|
||||||
|
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..fa9526a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/clevis-luks-pass.1.adoc
|
||||||
|
@@ -0,0 +1,43 @@
|
||||||
|
+CLEVIS-LUKS-PASS(1)
|
||||||
|
+===================
|
||||||
|
+:doctype: manpage
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+== NAME
|
||||||
|
+
|
||||||
|
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
|
||||||
|
+
|
||||||
|
+== SYNOPSIS
|
||||||
|
+
|
||||||
|
+*clevis luks pass* -d DEV -s SLT
|
||||||
|
+
|
||||||
|
+== OVERVIEW
|
||||||
|
+
|
||||||
|
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
|
||||||
|
+For example:
|
||||||
|
+
|
||||||
|
+ clevis luks pass -d /dev/sda1 -s 1
|
||||||
|
+
|
||||||
|
+== OPTIONS
|
||||||
|
+
|
||||||
|
+* *-d* _DEV_ :
|
||||||
|
+ The LUKS device on which to extract a passphrase from
|
||||||
|
+
|
||||||
|
+* *-s* _SLT_ :
|
||||||
|
+ The slot to use for extracting the passphrase
|
||||||
|
+
|
||||||
|
+== EXAMPLE
|
||||||
|
+
|
||||||
|
+ clevis luks pass -d /dev/sda1 -s 1
|
||||||
|
+ <passphrase here>
|
||||||
|
+
|
||||||
|
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
|
||||||
|
+file together with cryptsetup. For instance:
|
||||||
|
+
|
||||||
|
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
|
||||||
|
+
|
||||||
|
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
|
||||||
|
+
|
||||||
|
+== SEE ALSO
|
||||||
|
+
|
||||||
|
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
|
||||||
|
diff --git a/src/luks/meson.build b/src/luks/meson.build
|
||||||
|
index 12f5a0d..008736e 100644
|
||||||
|
--- a/src/luks/meson.build
|
||||||
|
+++ b/src/luks/meson.build
|
||||||
|
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||||||
|
|
||||||
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
|
||||||
|
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
|
||||||
|
+
|
||||||
|
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
|
||||||
|
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
|
||||||
|
else
|
||||||
|
warning('Will not install LUKS support due to missing dependencies!')
|
||||||
|
endif
|
||||||
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
||||||
|
index c22a069..f4584aa 100644
|
||||||
|
--- a/src/luks/tests/meson.build
|
||||||
|
+++ b/src/luks/tests/meson.build
|
||||||
|
@@ -84,6 +84,7 @@ if has_tang
|
||||||
|
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
|
||||||
|
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
|
||||||
|
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
|
||||||
|
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
|
||||||
|
endif
|
||||||
|
|
||||||
|
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
|
||||||
|
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
|
||||||
|
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
|
||||||
|
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
|
||||||
|
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
|
||||||
|
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
||||||
|
endif
|
||||||
|
|
||||||
|
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
|
||||||
|
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..0d91e6c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/pass-tang-luks1
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+#!/bin/bash -x
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST="${0}"
|
||||||
|
+. tests-common-functions
|
||||||
|
+. clevis-luks-common-functions
|
||||||
|
+
|
||||||
|
+function on_exit() {
|
||||||
|
+ [ ! -d "${TMP}" ] && return 0
|
||||||
|
+ tang_stop "${TMP}"
|
||||||
|
+ rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+
|
||||||
|
+TMP=$(mktemp -d)
|
||||||
|
+
|
||||||
|
+port=$(get_random_port)
|
||||||
|
+tang_run "${TMP}" "${port}" &
|
||||||
|
+tang_wait_until_ready "${port}"
|
||||||
|
+
|
||||||
|
+url="http://localhost:${port}"
|
||||||
|
+adv="${TMP}/adv"
|
||||||
|
+tang_get_adv "${port}" "${adv}"
|
||||||
|
+
|
||||||
|
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||||||
|
+
|
||||||
|
+# LUKS1.
|
||||||
|
+DEV="${TMP}/luks1-device"
|
||||||
|
+new_device "luks1" "${DEV}"
|
||||||
|
+
|
||||||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||||||
|
+ error "${TEST}: Bind should have succeeded."
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Now let's test the passphrase.
|
||||||
|
+SLT=1
|
||||||
|
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||||||
|
+echo $PASS >&2
|
||||||
|
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||||||
|
+ error "Passphrase obtained from clevis luks pass failed."
|
||||||
|
+fi
|
||||||
|
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..2d50413
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/tests/pass-tang-luks2
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+#!/bin/bash -x
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2019 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+TEST="${0}"
|
||||||
|
+. tests-common-functions
|
||||||
|
+. clevis-luks-common-functions
|
||||||
|
+
|
||||||
|
+function on_exit() {
|
||||||
|
+ [ ! -d "${TMP}" ] && return 0
|
||||||
|
+ tang_stop "${TMP}"
|
||||||
|
+ rm -rf "${TMP}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+
|
||||||
|
+TMP=$(mktemp -d)
|
||||||
|
+
|
||||||
|
+port=$(get_random_port)
|
||||||
|
+tang_run "${TMP}" "${port}" &
|
||||||
|
+tang_wait_until_ready "${port}"
|
||||||
|
+
|
||||||
|
+url="http://localhost:${port}"
|
||||||
|
+adv="${TMP}/adv"
|
||||||
|
+tang_get_adv "${port}" "${adv}"
|
||||||
|
+
|
||||||
|
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
|
||||||
|
+
|
||||||
|
+# LUKS2.
|
||||||
|
+DEV="${TMP}/luks2-device"
|
||||||
|
+new_device "luks2" "${DEV}"
|
||||||
|
+
|
||||||
|
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
||||||
|
+ error "${TEST}: Bind should have succeeded."
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Now let's test the passphrase.
|
||||||
|
+SLT=1
|
||||||
|
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
|
||||||
|
+echo $PASS >&2
|
||||||
|
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
|
||||||
|
+ error "Passphrase obtained from clevis luks pass failed."
|
||||||
|
+fi
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
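Review bot: The example `clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase` in clevis-luks-pass.1.adoc writes a live LUKS passphrase to a file created with the caller's default umask, and the man page gives no caveat about that. I would add a sentence after the example such as `Create the file with restrictive permissions (for example, run umask 077 first) and remove it once it is no longer needed.` The two new tests, pass-tang-luks1 and pass-tang-luks2, also run under `#!/bin/bash -x` and do `echo $PASS >&2`, so the recovered passphrase is written to the test log and is word-split on the way. Since the man page itself says the value may be non-printable, `printf '%s\n' "${PASS}" >&2` or dropping the echo would be cleaner.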
@ -0,0 +1,41 @@
|
|||||||
|
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Fri, 29 Oct 2021 12:04:46 -0300
|
||||||
|
Subject: [PATCH 3/3] systemd: account for unlocking failures in
|
||||||
|
clevis-luks-askpass (#343)
|
||||||
|
|
||||||
|
As unlock may fail for some reason, e.g. the network is not up yet,
|
||||||
|
one way cause problems would be to add extra `rd.luks.uuid' params
|
||||||
|
to the cmdline, which would then cause such devices to be unlocked
|
||||||
|
in early boot. If the unlocking fail, those devices might not be
|
||||||
|
accounted for in the clevis_devices_to_unlock() check, as it is
|
||||||
|
based on crypttab.
|
||||||
|
|
||||||
|
Let's make sure there are no pending ask.* sockets waiting to be
|
||||||
|
answered, before exiting.
|
||||||
|
|
||||||
|
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
|
||||||
|
---
|
||||||
|
src/luks/systemd/clevis-luks-askpass | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
|
||||||
|
index 285bba4..f19671f 100755
|
||||||
|
--- a/src/luks/systemd/clevis-luks-askpass
|
||||||
|
+++ b/src/luks/systemd/clevis-luks-askpass
|
||||||
|
@@ -67,8 +67,11 @@ while true; do
|
||||||
|
done
|
||||||
|
|
||||||
|
[ "${loop}" != true ] && break
|
||||||
|
+
|
||||||
|
# Checking for pending devices to be unlocked.
|
||||||
|
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
|
||||||
|
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
|
||||||
|
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
|
||||||
|
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
|
||||||
|
break;
|
||||||
|
fi
|
||||||
|
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
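Review bot: The rewritten check in clevis-luks-askpass discards the exit status of `clevis_devices_to_unlock` with `||:`, so a failure of that helper that prints nothing now looks the same as "no devices left" and lets the loop `break`. The old condition only broke out when the call succeeded with empty output. If that distinction matters (the helper's body is not visible here), keep the status in the test, e.g. `if remaining_crypttab=$(clevis_devices_to_unlock) && [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then`. The enclosing `while true` loop starts and ends outside the hunk.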
101
SOURCES/0004-systemd-drop-ncat-dependency.patch
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Thu, 18 Nov 2021 16:45:58 -0300
|
||||||
|
Subject: [PATCH 4/4] systemd: drop ncat dependency
|
||||||
|
|
||||||
|
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
|
||||||
|
the decrypted password to the systemd socket as per systemd's password
|
||||||
|
agents specification [1].
|
||||||
|
|
||||||
|
However, systemd itself has a utility that does exactly that,
|
||||||
|
systemd-reply-password.
|
||||||
|
|
||||||
|
In this commit we drop the ncat dependency and instead use
|
||||||
|
systemd-reply-password in clevis-luks-askpass.
|
||||||
|
|
||||||
|
[1] https://systemd.io/PASSWORD_AGENTS/
|
||||||
|
---
|
||||||
|
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
|
||||||
|
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
|
||||||
|
src/luks/systemd/meson.build | 19 +++++++++++++++++--
|
||||||
|
3 files changed, 20 insertions(+), 5 deletions(-)
|
||||||
|
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
|
||||||
|
|
||||||
|
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
|
||||||
|
similarity index 97%
|
||||||
|
rename from src/luks/systemd/clevis-luks-askpass
|
||||||
|
rename to src/luks/systemd/clevis-luks-askpass.in
|
||||||
|
index f19671f..a6699c9 100755
|
||||||
|
--- a/src/luks/systemd/clevis-luks-askpass
|
||||||
|
+++ b/src/luks/systemd/clevis-luks-askpass.in
|
||||||
|
@@ -58,7 +58,7 @@ while true; do
|
||||||
|
fi
|
||||||
|
|
||||||
|
uuid="$(cryptsetup luksUUID "${d}")"
|
||||||
|
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
|
||||||
|
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
|
||||||
|
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||||
|
index ebf969f..d46c6e2 100755
|
||||||
|
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||||
|
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
|
||||||
|
@@ -36,6 +36,7 @@ install() {
|
||||||
|
|
||||||
|
inst_multiple \
|
||||||
|
/etc/services \
|
||||||
|
+ @SYSTEMD_REPLY_PASS@ \
|
||||||
|
@libexecdir@/clevis-luks-askpass \
|
||||||
|
clevis-luks-common-functions \
|
||||||
|
grep sed cut \
|
||||||
|
@@ -45,8 +46,7 @@ install() {
|
||||||
|
luksmeta \
|
||||||
|
clevis \
|
||||||
|
mktemp \
|
||||||
|
- jose \
|
||||||
|
- ncat
|
||||||
|
+ jose
|
||||||
|
|
||||||
|
dracut_need_initqueue
|
||||||
|
}
|
||||||
|
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
|
||||||
|
index 369e7f7..e3b3d91 100644
|
||||||
|
--- a/src/luks/systemd/meson.build
|
||||||
|
+++ b/src/luks/systemd/meson.build
|
||||||
|
@@ -1,6 +1,15 @@
|
||||||
|
systemd = dependency('systemd', required: false)
|
||||||
|
|
||||||
|
-if systemd.found()
|
||||||
|
+sd_reply_pass = find_program(
|
||||||
|
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
|
||||||
|
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
|
||||||
|
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
|
||||||
|
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
|
||||||
|
+ required: false
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+if systemd.found() and sd_reply_pass.found()
|
||||||
|
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
|
||||||
|
subdir('dracut')
|
||||||
|
|
||||||
|
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
|
||||||
|
@@ -12,8 +21,14 @@ if systemd.found()
|
||||||
|
configuration: data,
|
||||||
|
)
|
||||||
|
|
||||||
|
+ configure_file(
|
||||||
|
+ input: 'clevis-luks-askpass.in',
|
||||||
|
+ output: 'clevis-luks-askpass',
|
||||||
|
+ install_dir: libexecdir,
|
||||||
|
+ configuration: data
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
install_data('clevis-luks-askpass.path', install_dir: unitdir)
|
||||||
|
- install_data('clevis-luks-askpass', install_dir: libexecdir)
|
||||||
|
else
|
||||||
|
warning('Will not install systemd support due to missing dependencies!')
|
||||||
|
endif
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
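Review bot: In src/luks/systemd/meson.build the systemd unlock support is now skipped whenever `systemd-reply-password` is not found in the four probed paths, but the `else` branch still prints only the generic `Will not install systemd support due to missing dependencies!`. A build on a host with an unusual systemd layout would then ship without boot-time unlocking and give little hint why. Naming the missing piece would make that visible, e.g. `warning('Will not install systemd support: systemd or systemd-reply-password not found!')`. Separately, `@SYSTEMD_REPLY_PASS@` is substituted unquoted in clevis-luks-askpass.in and module-setup.sh.in, and quoting it would keep a path containing spaces from being split.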
@ -0,0 +1,26 @@
|
|||||||
|
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Correia <scorreia@redhat.com>
|
||||||
|
Date: Thu, 25 Nov 2021 19:18:03 -0300
|
||||||
|
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
|
||||||
|
happen
|
||||||
|
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-common-functions | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||||
|
index 879ca4c..df8e16d 100644
|
||||||
|
--- a/src/luks/clevis-luks-common-functions
|
||||||
|
+++ b/src/luks/clevis-luks-common-functions
|
||||||
|
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
|
||||||
|
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|
||||||
|
|| [ -z "${passphrase}" ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
|
||||||
|
<1163635+rmetrich@users.noreply.github.com>
|
||||||
|
Date: Wed, 1 Dec 2021 09:37:35 -0300
|
||||||
|
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
|
||||||
|
set (#340)
|
||||||
|
|
||||||
|
On Fedora/RHEL, the rd.debug kernel command line parameter controls
|
||||||
|
debugging.
|
||||||
|
By implementing the functionality inside clevis, troubleshooting will be
|
||||||
|
greatly eased.
|
||||||
|
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
|
||||||
|
1 file changed, 15 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||||
|
index df8e16d..67ece72 100644
|
||||||
|
--- a/src/luks/clevis-luks-common-functions
|
||||||
|
+++ b/src/luks/clevis-luks-common-functions
|
||||||
|
@@ -20,6 +20,21 @@
|
||||||
|
|
||||||
|
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||||
|
|
||||||
|
+enable_debugging() {
|
||||||
|
+ # Automatically enable debugging if in initramfs phase and rd.debug
|
||||||
|
+ if [ -e /usr/lib/dracut-lib.sh ]; then
|
||||||
|
+ local bashopts=$-
|
||||||
|
+ # Because dracut is loosely written, disable hardening options temporarily
|
||||||
|
+ [[ $bashopts != *u* ]] || set +u
|
||||||
|
+ [[ $bashopts != *e* ]] || set +e
|
||||||
|
+ . /usr/lib/dracut-lib.sh
|
||||||
|
+ [[ $bashopts != *u* ]] || set -u
|
||||||
|
+ [[ $bashopts != *e* ]] || set -e
|
||||||
|
+ fi
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+enable_debugging
|
||||||
|
+
|
||||||
|
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
|
||||||
|
# is a numeric value within the specified range.
|
||||||
|
valid_slot() {
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
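Review bot: `enable_debugging` sources `/usr/lib/dracut-lib.sh` into every script that loads clevis-luks-common-functions, and its comment does not say what that means for secrets. If dracut-lib.sh turns on shell tracing when `rd.debug` is set (presumably, going by the commit message; its body is not shown here), commands in this file that carry key material in arguments or assignments would be written to the initramfs debug output. I would document that next to the function, e.g. `# NOTE: with rd.debug, trace output may include recovered passphrases; use only for troubleshooting and protect or discard the logs.`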
@ -0,0 +1,83 @@
|
|||||||
|
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Renaud Metrich <rmetrich@redhat.com>
|
||||||
|
Date: Fri, 7 Jan 2022 12:13:03 -0300
|
||||||
|
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
|
||||||
|
|
||||||
|
This fixes an Out of memory error when the system has not much memory,
|
||||||
|
such as a VM configured with 2GB currently being installed through the
|
||||||
|
network (hence having ~1GB free memory only).
|
||||||
|
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-bind.in | 7 +++++--
|
||||||
|
src/luks/clevis-luks-common-functions | 7 ++++++-
|
||||||
|
2 files changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
|
||||||
|
index 4748c08..017f762 100755
|
||||||
|
--- a/src/luks/clevis-luks-bind.in
|
||||||
|
+++ b/src/luks/clevis-luks-bind.in
|
||||||
|
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||||
|
if [ "$luks_type" == "luks1" ]; then
|
||||||
|
+ pbkdf_args=
|
||||||
|
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
|
||||||
|
# cryptsetup, which means we will try to save LUKSMeta metadata over an
|
||||||
|
# already used or partially used slot -- github issue #70.
|
||||||
|
@@ -184,7 +186,7 @@ fi
|
||||||
|
|
||||||
|
# Add the new key.
|
||||||
|
if [ -n "$SLT" ]; then
|
||||||
|
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
|
||||||
|
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
|
||||||
|
<(echo -n "$existing_key") "$DEV"
|
||||||
|
else
|
||||||
|
if [ $luks_type == "luks2" ]; then
|
||||||
|
@@ -194,7 +196,8 @@ else
|
||||||
|
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
|
||||||
|
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
|
||||||
|
fi
|
||||||
|
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
|
||||||
|
+ cryptsetup luksAddKey ${pbkdf_args} \
|
||||||
|
+ --key-file <(echo -n "${existing_key}") "$DEV"
|
||||||
|
fi < <(echo -n "${key}")
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo "Error while adding new key to LUKS header!" >&2
|
||||||
|
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||||
|
index 67ece72..038cc37 100644
|
||||||
|
--- a/src/luks/clevis-luks-common-functions
|
||||||
|
+++ b/src/luks/clevis-luks-common-functions
|
||||||
|
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
|
||||||
|
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||||
|
input="$(printf '%s' "${NEWKEY}")"
|
||||||
|
fi
|
||||||
|
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||||
|
|
||||||
|
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||||
|
--key-slot "${SLT}" \
|
||||||
|
"${DEV}" \
|
||||||
|
+ ${pbkdf_args} \
|
||||||
|
${extra_args}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
|
||||||
|
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||||
|
input="$(printf '%s' "${NEWKEY}")"
|
||||||
|
fi
|
||||||
|
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||||
|
|
||||||
|
if [ -n "${in_place}" ]; then
|
||||||
|
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
|
||||||
|
--key-slot "${SLT}" \
|
||||||
|
- --batch-mode ${extra_args}
|
||||||
|
+ --batch-mode \
|
||||||
|
+ ${pbkdf_args} \
|
||||||
|
+ ${extra_args}
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
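Review bot: `clevis_luks_add_key` and `clevis_luks_update_key` now pass `--pbkdf pbkdf2 --pbkdf-force-iterations 1000` unconditionally, with no comment on why such a low work factor is acceptable. It is reasonable only when the new key is a random, high-entropy value generated by clevis, because a human-chosen passphrase would leave the keyslot with very little brute-force resistance. I would state the assumption above each `local pbkdf_args=...` line, e.g. `# Keys added here are random and high-entropy, so a minimal PBKDF cost is fine; never use for user-chosen passphrases.` Note also that clevis-luks-bind.in clears `pbkdf_args` for luks1 while the two helpers do not, so LUKS1 handling differs between the two paths. Both helper functions start outside their hunks.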
16
SOURCES/0008-tang-dump-url-on-error-communication.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
|
||||||
|
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
|
||||||
|
@@ -73,10 +73,10 @@
|
||||||
|
|
||||||
|
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
|
||||||
|
|
||||||
|
-url="$url/rec/$kid"
|
||||||
|
+rec_url="$url/rec/$kid"
|
||||||
|
ct="Content-Type: application/jwk+json"
|
||||||
|
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
|
||||||
|
- echo "Error communicating with the server!" >&2
|
||||||
|
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
|
||||||
|
+ echo "Error communicating with the server $url" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
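Review bot: The new error line `echo "Error communicating with the server $url" >&2` prints the configured URL verbatim. If a binding's URL ever carries userinfo or a query token, that value now reaches the console or boot log; whether that can happen depends on how URLs are configured, which is not visible here. Printing only the scheme, host and port would keep most of the diagnostic value without that exposure. Independently, quoting the value, as in `echo "Error communicating with the server '${url}'" >&2`, makes an empty or malformed URL easier to spot.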
213
SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch
Normal file
@ -0,0 +1,213 @@
|
|||||||
|
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Murdaca <runcom@linux.com>
|
||||||
|
Date: Wed, 1 Dec 2021 14:17:53 +0100
|
||||||
|
Subject: [PATCH 9/9] feat: rename the test pin to null pin
|
||||||
|
|
||||||
|
Signed-off-by: Antonio Murdaca <runcom@linux.com>
|
||||||
|
---
|
||||||
|
src/initramfs-tools/hooks/clevis.in | 1 +
|
||||||
|
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
|
||||||
|
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
|
||||||
|
src/luks/systemd/dracut/meson.build | 1 +
|
||||||
|
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
|
||||||
|
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
|
||||||
|
src/pins/sss/meson.build | 5 +++-
|
||||||
|
src/pins/sss/{pin-test => pin-null} | 4 +--
|
||||||
|
src/pins/sss/pin-sss | 12 ++++----
|
||||||
|
9 files changed, 60 insertions(+), 13 deletions(-)
|
||||||
|
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||||
|
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||||
|
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
|
||||||
|
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
|
||||||
|
rename src/pins/sss/{pin-test => pin-null} (53%)
|
||||||
|
|
||||||
|
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
|
||||||
|
index cc3b492..448ba96 100755
|
||||||
|
--- a/src/initramfs-tools/hooks/clevis.in
|
||||||
|
+++ b/src/initramfs-tools/hooks/clevis.in
|
||||||
|
@@ -58,6 +58,7 @@ fi
|
||||||
|
|
||||||
|
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
|
||||||
|
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
|
||||||
|
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
|
||||||
|
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
|
||||||
|
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
|
||||||
|
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
|
||||||
|
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..107e3ba
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||||
|
@@ -0,0 +1,14 @@
|
||||||
|
+dracut = dependency('dracut', required: false)
|
||||||
|
+
|
||||||
|
+if dracut.found()
|
||||||
|
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
|
||||||
|
+
|
||||||
|
+ configure_file(
|
||||||
|
+ input: 'module-setup.sh.in',
|
||||||
|
+ output: 'module-setup.sh',
|
||||||
|
+ install_dir: dracutdir,
|
||||||
|
+ configuration: data,
|
||||||
|
+ )
|
||||||
|
+else
|
||||||
|
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
|
||||||
|
+endif
|
||||||
|
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..6a16078
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||||
|
@@ -0,0 +1,28 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+depends() {
|
||||||
|
+ echo clevis
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+install() {
|
||||||
|
+ inst clevis-decrypt-null
|
||||||
|
+}
|
||||||
|
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
|
||||||
|
index fdb264b..7ad5b14 100644
|
||||||
|
--- a/src/luks/systemd/dracut/meson.build
|
||||||
|
+++ b/src/luks/systemd/dracut/meson.build
|
||||||
|
@@ -2,3 +2,4 @@ subdir('clevis')
|
||||||
|
subdir('clevis-pin-tang')
|
||||||
|
subdir('clevis-pin-tpm2')
|
||||||
|
subdir('clevis-pin-sss')
|
||||||
|
+subdir('clevis-pin-null')
|
||||||
|
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
|
||||||
|
similarity index 88%
|
||||||
|
rename from src/pins/sss/clevis-decrypt-test
|
||||||
|
rename to src/pins/sss/clevis-decrypt-null
|
||||||
|
index f0e9249..a6217ed 100755
|
||||||
|
--- a/src/pins/sss/clevis-decrypt-test
|
||||||
|
+++ b/src/pins/sss/clevis-decrypt-null
|
||||||
|
@@ -22,11 +22,11 @@
|
||||||
|
|
||||||
|
read -r -d . hdr
|
||||||
|
|
||||||
|
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
|
||||||
|
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
|
||||||
|
echo "JWE pin mismatch!" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
|
||||||
|
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
|
||||||
|
|
||||||
|
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
|
||||||
|
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
|
||||||
|
similarity index 90%
|
||||||
|
rename from src/pins/sss/clevis-encrypt-test
|
||||||
|
rename to src/pins/sss/clevis-encrypt-null
|
||||||
|
index bd2d6ec..af182a5 100755
|
||||||
|
--- a/src/pins/sss/clevis-encrypt-test
|
||||||
|
+++ b/src/pins/sss/clevis-encrypt-null
|
||||||
|
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
|
||||||
|
fi
|
||||||
|
|
||||||
|
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
|
||||||
|
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
|
||||||
|
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
|
||||||
|
|
||||||
|
if ! jose fmt -j "$cfg" -g fail -T; then
|
||||||
|
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
|
||||||
|
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|
||||||
|
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
|
||||||
|
index 7f20eea..2a5295a 100644
|
||||||
|
--- a/src/pins/sss/meson.build
|
||||||
|
+++ b/src/pins/sss/meson.build
|
||||||
|
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
|
||||||
|
separator: ':'
|
||||||
|
)
|
||||||
|
|
||||||
|
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
|
||||||
|
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
|
||||||
|
+
|
||||||
|
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
|
||||||
|
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
|
||||||
|
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
|
||||||
|
else
|
||||||
|
warning('Will not install sss pin due to missing dependencies!')
|
||||||
|
endif
|
||||||
|
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
|
||||||
|
similarity index 53%
|
||||||
|
rename from src/pins/sss/pin-test
|
||||||
|
rename to src/pins/sss/pin-null
|
||||||
|
index 50c8c67..b14ac63 100755
|
||||||
|
--- a/src/pins/sss/pin-test
|
||||||
|
+++ b/src/pins/sss/pin-null
|
||||||
|
@@ -2,9 +2,9 @@
|
||||||
|
|
||||||
|
trap 'exit' ERR
|
||||||
|
|
||||||
|
-e="$(echo -n hi | clevis encrypt test '{}')"
|
||||||
|
+e="$(echo -n hi | clevis encrypt null '{}')"
|
||||||
|
d="$(echo -n "$e" | clevis decrypt)"
|
||||||
|
test "$d" == "hi"
|
||||||
|
|
||||||
|
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
|
||||||
|
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
|
||||||
|
! echo "$e" | clevis decrypt
|
||||||
|
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
|
||||||
|
index 5c0b8cf..24da052 100755
|
||||||
|
--- a/src/pins/sss/pin-sss
|
||||||
|
+++ b/src/pins/sss/pin-sss
|
||||||
|
@@ -1,24 +1,24 @@
|
||||||
|
#!/bin/bash -ex
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
|
||||||
|
d="$(echo "$e" | clevis decrypt)"
|
||||||
|
test "$d" == "hi"
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
|
||||||
|
d="$(echo "$e" | clevis decrypt)"
|
||||||
|
test "$d" == "hi"
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||||
|
! echo "$e" | clevis decrypt
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
|
||||||
|
d="$(echo "$e" | clevis decrypt)"
|
||||||
|
test "$d" == "hi"
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
|
||||||
|
! echo "$e" | clevis decrypt
|
||||||
|
|
||||||
|
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||||
|
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||||
|
! echo "$e" | clevis decrypt
|
||||||
|
|
||||||
|
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
24
SOURCES/0010-avoid-clevis-invalid-msg.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
|
||||||
|
@@ -27,6 +27,7 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
cmd=clevis
|
||||||
|
+input_commands="$cmd $@"
|
||||||
|
while [ $# -gt 0 ]; do
|
||||||
|
[[ "$1" =~ ^- ]] && break
|
||||||
|
cmd="$cmd-$1"
|
||||||
|
@@ -36,8 +37,11 @@
|
||||||
|
done
|
||||||
|
|
||||||
|
exec >&2
|
||||||
|
-echo
|
||||||
|
-echo "Command '$cmd' is invalid"
|
||||||
|
+if [ "$cmd" != "clevis" ];
|
||||||
|
+then
|
||||||
|
+ echo
|
||||||
|
+ echo "Command '$input_commands' is invalid"
|
||||||
|
+fi
|
||||||
|
echo
|
||||||
|
echo "Usage: clevis COMMAND [OPTIONS]"
|
||||||
|
echo
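Review bot: The new `input_commands="$cmd $@"` assigns `$@` inside a scalar string, which ShellCheck flags as SC2124 because the join into one string is implicit. `input_commands="$cmd $*"` states the intent and produces the same text with the default IFS. A short comment above the assignment, such as `# full command line as typed; used only in the error message below`, would also explain why a second variable is kept next to `cmd`. Only part of the script is visible in these hunks, so whether IFS is changed earlier cannot be confirmed here.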
|
@ -0,0 +1,53 @@
|
|||||||
|
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||||
|
Date: Tue, 2 Aug 2022 11:07:00 -0300
|
||||||
|
Subject: [PATCH] Improve boot performance by removing key check
|
||||||
|
|
||||||
|
---
|
||||||
|
src/luks/clevis-luks-common-functions | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
||||||
|
index 038cc37..950f217 100644
|
||||||
|
--- a/src/luks/clevis-luks-common-functions
|
||||||
|
+++ b/src/luks/clevis-luks-common-functions
|
||||||
|
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
|
||||||
|
clevis_luks_unlock_device_by_slot() {
|
||||||
|
local DEV="${1}"
|
||||||
|
local SLT="${2}"
|
||||||
|
+ local SKIP_CHECK="${3}"
|
||||||
|
|
||||||
|
[ -z "${DEV}" ] && return 1
|
||||||
|
[ -z "${SLT}" ] && return 1
|
||||||
|
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||||
|
+ if [ -z "${SKIP_CHECK}" ]; then
|
||||||
|
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||||
|
+ fi
|
||||||
|
printf '%s' "${passphrase}"
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
|
||||||
|
# parameter and returns the decoded passphrase.
|
||||||
|
clevis_luks_unlock_device() {
|
||||||
|
local DEV="${1}"
|
||||||
|
+ local SKIP_CHECK="YES"
|
||||||
|
+
|
||||||
|
[ -z "${DEV}" ] && return 1
|
||||||
|
|
||||||
|
local used_slots
|
||||||
|
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
|
||||||
|
|
||||||
|
local slt pt
|
||||||
|
for slt in ${used_slots}; do
|
||||||
|
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
|
||||||
|
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|
||||||
|
|| [ -z "${pt}" ]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
--
|
||||||
|
2.35.1
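Review bot: `clevis_luks_unlock_device` now hard-codes `local SKIP_CHECK="YES"`, so the passphrase recovered from a slot is returned without `clevis_luks_check_valid_key_or_keyfile` ever confirming that it opens the device. The loop accepts the first slot whose JWE decrypts, so a slot bound to a stale passphrase would presumably end the search before a later, valid slot is tried. The rest of the loop is outside the hunk, so this needs confirming against the callers. The new third argument is undocumented; a header comment on `clevis_luks_unlock_device_by_slot` such as `# $3 (optional): when non-empty, skip validating the recovered passphrase against the device` would make the trade-off visible. Consider `local SKIP_CHECK="${2-YES}"` in `clevis_luks_unlock_device` so that callers outside the boot path can pass an empty value and keep the check.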
|
||||||
|
|
@ -0,0 +1,16 @@
|
|||||||
|
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
|
||||||
|
@@ -413,7 +413,12 @@
|
||||||
|
clevis_devices=
|
||||||
|
|
||||||
|
# Build list of devices to unlock.
|
||||||
|
- while read -r _ crypt_device _; do
|
||||||
|
+ while read -r _volname_ crypt_device _; do
|
||||||
|
+ # skip empty lines and lines which begin with the '#' char, per
|
||||||
|
+ # crypttab(5)
|
||||||
|
+ case $_volname_ in
|
||||||
|
+ ''|\#*) continue ;;
|
||||||
|
+ esac
|
||||||
|
if ! dev=$(clevis_map_device "${crypt_device}") \
|
||||||
|
|| [ -z "${dev}" ]; then
|
||||||
|
# Unable to get the device - maybe it's not available, e.g. a
|
73
SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
|
||||||
|
@@ -101,7 +101,7 @@
|
||||||
|
|
||||||
|
This command performs four steps:
|
||||||
|
|
||||||
|
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||||
|
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||||
|
2. Encrypts the new key with Clevis.
|
||||||
|
3. Stores the Clevis JWE in the LUKS header.
|
||||||
|
4. Enables the new key for use with LUKS.
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
|
||||||
|
This command performs four steps:
|
||||||
|
|
||||||
|
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||||
|
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||||
|
2. Encrypts the new key with Clevis.
|
||||||
|
3. Stores the Clevis JWE in the LUKS header.
|
||||||
|
4. Enables the new key for use with LUKS.
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
|
||||||
|
@@ -865,6 +865,7 @@
|
||||||
|
[ -z "${DEV}" ] && return 1
|
||||||
|
|
||||||
|
local dump filter bits
|
||||||
|
+ local MAX_ENTROPY_BITS=256
|
||||||
|
dump=$(cryptsetup luksDump "${DEV}")
|
||||||
|
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||||
|
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||||
|
@@ -876,6 +877,9 @@
|
||||||
|
fi
|
||||||
|
|
||||||
|
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||||
|
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||||
|
+ bits="${MAX_ENTROPY_BITS}"
|
||||||
|
+ fi
|
||||||
|
pwmake "${bits}"
|
||||||
|
}
|
||||||
|
|
||||||
|
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
|
||||||
|
@@ -19,6 +19,8 @@
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
+. clevis-luks-common-functions
|
||||||
|
+
|
||||||
|
SUMMARY="Binds a LUKS device using the specified policy"
|
||||||
|
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
|
||||||
|
|
||||||
|
@@ -139,14 +141,11 @@
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Generate a key with the same entropy as the LUKS Master Key
|
||||||
|
-key="$(pwmake "$(
|
||||||
|
-cryptsetup luksDump "$DEV" \
|
||||||
|
- | if [ "$luks_type" == "luks1" ]; then
|
||||||
|
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
|
||||||
|
- else
|
||||||
|
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
|
||||||
|
- fi | sort -n | tail -n 1
|
||||||
|
-)")"
|
||||||
|
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
|
||||||
|
+ || [ -z "${key}" ]; then
|
||||||
|
+ echo "Unable to generate key for ${DEV}" >&2
|
||||||
|
+ return 1
|
||||||
|
+fi
|
||||||
|
|
||||||
|
# Encrypt the new key
|
||||||
|
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
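Review bot: In the clevis-luks-bind.in hunk the new failure branch ends with `return 1`, but the surrounding lines (`SUMMARY=`, `UUID=`, the `jwe=` assignment) look like top-level script code rather than a function body. If so, bash rejects `return` outside a function or sourced script and, unless `set -e` is active, continues to `clevis encrypt` with an empty key; `exit 1` is the safe form there. Separately, in the key-generation function patched in clevis-luks-common-functions (presumably `clevis_luks_generate_key`), the new `[ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]` test errors when `bits` is empty and `pwmake` is still called. A guard such as `[ -n "${bits}" ] || return 1` before the comparison would stop that. That function's body starts and ends outside the hunks.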
|
11
SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
|
||||||
|
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
|
||||||
|
@@ -173,7 +173,7 @@
|
||||||
|
|
||||||
|
echo "Updating binding..."
|
||||||
|
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
|
||||||
|
- "-y" "overwrite" 2>/dev/null; then
|
||||||
|
+ "-y" "overwrite"; then
|
||||||
|
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
219
SOURCES/0015-support-sha256-algorithm.patch
Normal file
@ -0,0 +1,219 @@
|
|||||||
|
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
|
||||||
|
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
|
||||||
|
@@ -50,12 +50,30 @@
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
|
||||||
|
- | jose jwk thp -i- -f "$kid")"; then
|
||||||
|
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
|
||||||
|
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
+# Check if the thumbprint we have in `kid' is in the advertised keys.
|
||||||
|
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
|
||||||
|
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
|
||||||
|
+
|
||||||
|
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
|
||||||
|
+ <<< "${keys}")"; then
|
||||||
|
+ # `kid' thumprint not in the advertised keys, but it's possible it was
|
||||||
|
+ # generated using a different algorithm than the default one.
|
||||||
|
+ # Let us try the alternative supported algorithms to make sure `kid'
|
||||||
|
+ # really is not part of the advertised keys.
|
||||||
|
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
|
||||||
|
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
|
||||||
|
+ done
|
||||||
|
+ if [ -z "${srv}" ]; then
|
||||||
|
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
|
||||||
|
+ exit 1
|
||||||
|
+ fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
|
||||||
|
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
|
||||||
|
exit 1
|
||||||
|
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
|
||||||
|
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
|
||||||
|
@@ -64,6 +64,9 @@
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
|
||||||
|
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
|
||||||
|
+
|
||||||
|
trust=
|
||||||
|
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
|
||||||
|
|
||||||
|
@@ -111,15 +114,24 @@
|
||||||
|
if [ -z "$thp" ]; then
|
||||||
|
echo "The advertisement contains the following signing keys:" >&2
|
||||||
|
echo >&2
|
||||||
|
- jose jwk thp -i- <<< "$ver" >&2
|
||||||
|
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
|
||||||
|
echo >&2
|
||||||
|
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
|
||||||
|
[[ "$ans" =~ ^[yY]$ ]] || exit 1
|
||||||
|
-
|
||||||
|
elif [ "$thp" != "any" ] && \
|
||||||
|
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
|
||||||
|
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
||||||
|
- exit 1
|
||||||
|
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
|
||||||
|
+ <<< "$ver"; then
|
||||||
|
+ # Thumbprint of trusted JWK did not match the signature. Let's check
|
||||||
|
+ # alternative thumbprints generated with clevis supported hash
|
||||||
|
+ # algorithms to be sure.
|
||||||
|
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
|
||||||
|
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
|
||||||
|
+ && break
|
||||||
|
+ done
|
||||||
|
+ if [ -z "${srv}" ]; then
|
||||||
|
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
||||||
|
+ exit 1
|
||||||
|
+ fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
@@ -138,7 +150,7 @@
|
||||||
|
|
||||||
|
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
|
||||||
|
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
|
||||||
|
-kid="$(jose jwk thp -i- <<< "$jwk")"
|
||||||
|
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
|
||||||
|
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
|
||||||
|
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
|
||||||
|
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
|
||||||
|
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
|
||||||
|
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
|
||||||
|
@@ -113,6 +113,7 @@
|
||||||
|
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
|
||||||
|
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
|
||||||
|
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
||||||
|
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
|
||||||
|
endif
|
||||||
|
|
||||||
|
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
|
||||||
|
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
|
||||||
|
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
|
||||||
|
@@ -0,0 +1,120 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+set -exo pipefail
|
||||||
|
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||||
|
+#
|
||||||
|
+# Copyright (c) 2020 Red Hat, Inc.
|
||||||
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
||||||
|
+#
|
||||||
|
+# This program is free software: you can redistribute it and/or modify
|
||||||
|
+# it under the terms of the GNU General Public License as published by
|
||||||
|
+# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+# (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+. tests-common-functions
|
||||||
|
+
|
||||||
|
+TEST=$(basename "${0}")
|
||||||
|
+
|
||||||
|
+on_exit() {
|
||||||
|
+ exit_status=$?
|
||||||
|
+ tang_stop "${TMP}"
|
||||||
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||||
|
+ exit "${exit_status}"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+trap 'on_exit' EXIT
|
||||||
|
+
|
||||||
|
+TMP="$(mktemp -d)"
|
||||||
|
+
|
||||||
|
+port=$(get_random_port)
|
||||||
|
+tang_run "${TMP}" "${port}"
|
||||||
|
+
|
||||||
|
+url="http://localhost:${port}"
|
||||||
|
+data="just a sample text"
|
||||||
|
+
|
||||||
|
+adv="${TMP}/adv"
|
||||||
|
+# Get the advertisement and extract the keys.
|
||||||
|
+tang_get_adv "${port}" "${adv}"
|
||||||
|
+
|
||||||
|
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
|
||||||
|
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
|
||||||
|
+ --use deriveKey --output=-)"
|
||||||
|
+
|
||||||
|
+jose fmt --json="${enc}" --get keys --array \
|
||||||
|
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
|
||||||
|
+
|
||||||
|
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
|
||||||
|
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
|
||||||
|
+
|
||||||
|
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
|
||||||
|
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
|
||||||
|
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
|
||||||
|
+
|
||||||
|
+# We currently support SHA-1 (legacy) and SHA-256.
|
||||||
|
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
|
||||||
|
+# Now we will use every hash algorithm supported by jose to create a thumbprint
|
||||||
|
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
|
||||||
|
+# correctly.
|
||||||
|
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
|
||||||
|
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
|
||||||
|
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
|
||||||
|
+
|
||||||
|
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
|
||||||
|
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
|
||||||
|
+
|
||||||
|
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
|
||||||
|
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ if [ "${decoded}" != "${data}" ]; then
|
||||||
|
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+# Now let's test encryption providing the thp in the configuration.
|
||||||
|
+data="just another test"
|
||||||
|
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
|
||||||
|
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
|
||||||
|
+ | jose jwk use -i- -r -u verify -o- \
|
||||||
|
+ | jose jwk thp -i- -a "${alg}")"
|
||||||
|
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||||
|
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
|
||||||
|
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
|
||||||
|
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ if [ "${decoded}" != "${data}" ]; then
|
||||||
|
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+# Let's also try some unsupported thp hash algorithms.
|
||||||
|
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
|
||||||
|
+for alg in ${UNSUPPORTED}; do
|
||||||
|
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
|
||||||
|
+ | jose jwk use -i- -r -u verify -o- \
|
||||||
|
+ | jose jwk thp -i- -a "${alg}")"
|
||||||
|
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||||
|
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
|
||||||
|
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+# Now let's try some bad values for thp.
|
||||||
|
+for thp in "" "foo" "invalid"; do
|
||||||
|
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
|
||||||
|
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
|
||||||
|
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
|
||||||
|
+ fi
|
||||||
|
+done
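Review bot: In the clevis-encrypt-tang hunk the fallback loop decides whether the trusted thumbprint matched by testing `[ -z "${srv}" ]`, that is, by whether `jose jwk thp` wrote anything to stdout rather than by its exit status. `srv` is also reassigned on every iteration, including the failed ones. Because this branch is the trust decision for the advertisement's signing keys, it is more robust to record the match from the exit status and discard the output with `-o /dev/null`, as the first check in the `elif` already does. The clevis-decrypt-tang hunk uses the same pattern, although `srv` is presumably needed afterwards there. The enclosing `if` starts outside the hunk.

```shell
    # … unchanged: elif condition checking "${thp}" with CLEVIS_DEFAULT_THP_ALG …
    thp_ok=
    for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
        if jose jwk thp -i- -f "${thp}" -o /dev/null -a "${alg}" <<< "${ver}"; then
            thp_ok=yes
            break
        fi
    done
    if [ -z "${thp_ok}" ]; then
        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
        exit 1
    fi
```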
|
375
SPECS/clevis.spec
Normal file
@ -0,0 +1,375 @@
|
|||||||
|
%global _hardened_build 1
|
||||||
|
|
||||||
|
Name: clevis
|
||||||
|
Version: 15
|
||||||
|
Release: 15%{?dist}
|
||||||
|
Summary: Automated decryption framework
|
||||||
|
|
||||||
|
License: GPLv3+
|
||||||
|
URL: https://github.com/latchset/%{name}
|
||||||
|
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
|
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
|
||||||
|
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
|
||||||
|
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
|
||||||
|
Patch0004: 0004-systemd-drop-ncat-dependency.patch
|
||||||
|
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
|
||||||
|
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
|
||||||
|
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
|
||||||
|
Patch0008: 0008-tang-dump-url-on-error-communication.patch
|
||||||
|
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
|
||||||
|
Patch0010: 0010-avoid-clevis-invalid-msg.patch
|
||||||
|
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
|
||||||
|
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
|
||||||
|
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
|
||||||
|
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
|
||||||
|
Patch0015: 0015-support-sha256-algorithm.patch
|
||||||
|
|
||||||
|
BuildRequires: git
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: meson
|
||||||
|
BuildRequires: asciidoc
|
||||||
|
BuildRequires: ninja-build
|
||||||
|
BuildRequires: bash-completion
|
||||||
|
|
||||||
|
BuildRequires: libjose-devel >= 8
|
||||||
|
BuildRequires: libluksmeta-devel >= 8
|
||||||
|
BuildRequires: audit-libs-devel
|
||||||
|
BuildRequires: libudisks2-devel
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
|
||||||
|
BuildRequires: tpm2-tools >= 3.0.0
|
||||||
|
BuildRequires: desktop-file-utils
|
||||||
|
BuildRequires: pkgconfig
|
||||||
|
BuildRequires: systemd
|
||||||
|
BuildRequires: dracut
|
||||||
|
BuildRequires: tang >= 6
|
||||||
|
BuildRequires: curl
|
||||||
|
BuildRequires: luksmeta
|
||||||
|
BuildRequires: cracklib-dicts
|
||||||
|
BuildRequires: jq
|
||||||
|
BuildRequires: diffutils
|
||||||
|
BuildRequires: expect
|
||||||
|
BuildRequires: openssl
|
||||||
|
|
||||||
|
Requires: cracklib-dicts
|
||||||
|
Requires: tpm2-tools >= 3.0.0
|
||||||
|
Requires: coreutils
|
||||||
|
Requires: jose >= 8
|
||||||
|
Requires: curl
|
||||||
|
Requires: jq
|
||||||
|
Requires(pre): shadow-utils
|
||||||
|
Requires(post): systemd
|
||||||
|
|
||||||
|
%description
|
||||||
|
Clevis is a framework for automated decryption. It allows you to encrypt
|
||||||
|
data using sophisticated unlocking policies which enable decryption to
|
||||||
|
occur automatically.
|
||||||
|
|
||||||
|
The clevis package provides basic encryption/decryption policy support.
|
||||||
|
Users can use this directly; but most commonly, it will be used as a
|
||||||
|
building block for other packages. For example, see the clevis-luks
|
||||||
|
and clevis-dracut packages for automatic root volume unlocking of LUKS
|
||||||
|
volumes during early boot.
|
||||||
|
|
||||||
|
%package luks
|
||||||
|
Summary: LUKS integration for clevis
|
||||||
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: cryptsetup
|
||||||
|
Requires: luksmeta >= 8
|
||||||
|
|
||||||
|
%description luks
|
||||||
|
LUKS integration for clevis. This package allows you to bind a LUKS
|
||||||
|
volume to a clevis unlocking policy. For automated unlocking, an unlocker
|
||||||
|
will also be required. See, for example, clevis-dracut and clevis-udisks2.
|
||||||
|
|
||||||
|
%package systemd
|
||||||
|
Summary: systemd integration for clevis
|
||||||
|
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||||
|
%if 0%{?fedora} > 27
|
||||||
|
Requires: systemd%{?_isa} >= 235-3
|
||||||
|
%else
|
||||||
|
%if 0%{?fedora} == 27
|
||||||
|
Requires: systemd%{?_isa} >= 234-9
|
||||||
|
%else
|
||||||
|
%if 0%{?fedora} == 26
|
||||||
|
Requires: systemd%{?_isa} >= 233-7
|
||||||
|
%else
|
||||||
|
Requires: systemd%{?_isa} >= 236
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%description systemd
|
||||||
|
Automatically unlocks clevis-bound LUKS block devices during boot.
|
||||||
|
|
||||||
|
%package dracut
|
||||||
|
Summary: Dracut integration for clevis
|
||||||
|
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: dracut-network
|
||||||
|
|
||||||
|
%description dracut
|
||||||
|
Automatically unlocks LUKS block devices in early boot.
|
||||||
|
|
||||||
|
%package udisks2
|
||||||
|
Summary: UDisks2/Storaged integration for clevis
|
||||||
|
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description udisks2
|
||||||
|
Automatically unlocks LUKS block devices in desktop environments that
|
||||||
|
use UDisks2 or storaged (like GNOME).
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -S git
|
||||||
|
|
||||||
|
%build
|
||||||
|
%meson -Duser=clevis -Dgroup=clevis
|
||||||
|
%meson_build
|
||||||
|
|
||||||
|
%install
|
||||||
|
%meson_install
|
||||||
|
|
||||||
|
%check
|
||||||
|
desktop-file-validate \
|
||||||
|
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||||
|
%meson_test
|
||||||
|
|
||||||
|
%pre
|
||||||
|
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null
|
||||||
|
getent passwd %{name} >/dev/null || \
|
||||||
|
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
|
||||||
|
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
|
||||||
|
# Add clevis user to tss group.
|
||||||
|
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
|
||||||
|
usermod -a -G tss %{name} &>/dev/null
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post systemd
|
||||||
|
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING
|
||||||
|
%{_datadir}/bash-completion/
|
||||||
|
%{_bindir}/%{name}-decrypt-tang
|
||||||
|
%{_bindir}/%{name}-decrypt-tpm2
|
||||||
|
%{_bindir}/%{name}-decrypt-sss
|
||||||
|
%{_bindir}/%{name}-decrypt-null
|
||||||
|
%{_bindir}/%{name}-decrypt
|
||||||
|
%{_bindir}/%{name}-encrypt-tang
|
||||||
|
%{_bindir}/%{name}-encrypt-tpm2
|
||||||
|
%{_bindir}/%{name}-encrypt-sss
|
||||||
|
%{_bindir}/%{name}-encrypt-null
|
||||||
|
%{_bindir}/%{name}
|
||||||
|
%{_mandir}/man1/%{name}-encrypt-tang.1*
|
||||||
|
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
|
||||||
|
%{_mandir}/man1/%{name}-encrypt-sss.1*
|
||||||
|
%{_mandir}/man1/%{name}-decrypt.1*
|
||||||
|
%{_mandir}/man1/%{name}.1*
|
||||||
|
|
||||||
|
%files luks
|
||||||
|
%{_mandir}/man7/%{name}-luks-unlockers.7*
|
||||||
|
%{_mandir}/man1/%{name}-luks-unlock.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-unbind.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-bind.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-list.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-pass.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-regen.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-report.1*
|
||||||
|
%{_mandir}/man1/%{name}-luks-edit.1*
|
||||||
|
%{_bindir}/%{name}-luks-unlock
|
||||||
|
%{_bindir}/%{name}-luks-unbind
|
||||||
|
%{_bindir}/%{name}-luks-bind
|
||||||
|
%{_bindir}/%{name}-luks-common-functions
|
||||||
|
%{_bindir}/%{name}-luks-list
|
||||||
|
%{_bindir}/%{name}-luks-pass
|
||||||
|
%{_bindir}/%{name}-luks-regen
|
||||||
|
%{_bindir}/%{name}-luks-report
|
||||||
|
%{_bindir}/%{name}-luks-edit
|
||||||
|
|
||||||
|
%files systemd
|
||||||
|
%{_libexecdir}/%{name}-luks-askpass
|
||||||
|
%{_unitdir}/%{name}-luks-askpass.path
|
||||||
|
%{_unitdir}/%{name}-luks-askpass.service
|
||||||
|
|
||||||
|
%files dracut
|
||||||
|
%{_prefix}/lib/dracut/modules.d/60%{name}
|
||||||
|
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
|
||||||
|
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
|
||||||
|
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
|
||||||
|
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
|
||||||
|
|
||||||
|
%files udisks2
|
||||||
|
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
|
||||||
|
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
|
||||||
|
- Include SHA-256 thumbprints clevis support
|
||||||
|
Resolves: rhbz#2209058
|
||||||
|
|
||||||
|
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
|
||||||
|
- luks-edit: remove unnecessary 2>/dev/null
|
||||||
|
Resolves: rhbz#2159739
|
||||||
|
|
||||||
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
|
||||||
|
- luks: define max entropy bits for pwmake
|
||||||
|
Resolves: rhbz#2159736
|
||||||
|
|
||||||
|
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
|
||||||
|
- Ignore empty & comment lines in crypttab
|
||||||
|
Resolves: rhbz#2159440
|
||||||
|
|
||||||
|
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
|
||||||
|
- Start clevis-luks-askpass.path service according to global policy
|
||||||
|
Resolves: rhbz#2107081
|
||||||
|
|
||||||
|
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
|
||||||
|
- Improve boot performance by removing key check
|
||||||
|
Resolves: rhbz#2099748
|
||||||
|
|
||||||
|
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
|
||||||
|
- Avoid invalid message for clevis command
|
||||||
|
Resolves: rhbz#2099325
|
||||||
|
|
||||||
|
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
|
||||||
|
- Support a null pin
|
||||||
|
Resolves: rhbz#2028096
|
||||||
|
|
||||||
|
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
|
||||||
|
- Dump server information on server error communication
|
||||||
|
Resolves: rhbz#2020193
|
||||||
|
|
||||||
|
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
|
||||||
|
- Explicitly specify pbkdf iterations to cryptsetup
|
||||||
|
Resolves: rhbz#1979256
|
||||||
|
|
||||||
|
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
|
||||||
|
- Enable debugging in clevis scripts when rd.debug is set
|
||||||
|
Resolves: rhbz#1980742
|
||||||
|
|
||||||
|
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
|
||||||
|
- Stop sending stderr to the void when decryption doesn't happen
|
||||||
|
Resolves: rhbz#1976880
|
||||||
|
|
||||||
|
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
|
||||||
|
- Drop ncat dependency
|
||||||
|
Resolves: rhbz#1949289
|
||||||
|
|
||||||
|
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
|
||||||
|
- Account for unlocking failures in clevis-luks-askpass
|
||||||
|
Resolves: rhbz#2018292
|
||||||
|
|
||||||
|
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1
|
||||||
|
- Update to latest upstream release, v15
|
||||||
|
Resolves: rhbz#1887836
|
||||||
|
Resolves: rhbz#1853651
|
||||||
|
Resolves: rhbz#1874460
|
||||||
|
|
||||||
|
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3
|
||||||
|
- Add clevis luks edit command
|
||||||
|
Resolves: rhbz#1436735
|
||||||
|
|
||||||
|
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2
|
||||||
|
- Introduce -y (assume yes) argument to clevis luks bind
|
||||||
|
Resolves: rhbz#1819767
|
||||||
|
|
||||||
|
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
|
||||||
|
- Update to new upstream release, v13
|
||||||
|
Resolves: rhbz#1827225
|
||||||
|
Resolves: rhbz#1827665
|
||||||
|
Resolves: rhbz#1801556
|
||||||
|
Resolves: rhbz#1784448
|
||||||
|
Resolves: rhbz#1826917
|
||||||
|
Resolves: rhbz#1812014
|
||||||
|
|
||||||
|
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9
|
||||||
|
- Improve clevis luks regen not to unbind+bind in every case
|
||||||
|
Resolves: rhbz#1795675
|
||||||
|
|
||||||
|
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8
|
||||||
|
- Use one clevis-luks-askpass per device
|
||||||
|
Resolves: rhbz#1784524
|
||||||
|
|
||||||
|
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7
|
||||||
|
- Add rd.neednet=1 to cmdline only if there are devices bound to tang
|
||||||
|
Resolves: rhbz#1762028
|
||||||
|
|
||||||
|
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6
|
||||||
|
- Add option to extract luks passphrase used for binding
|
||||||
|
Resolves: rhbz#1436780
|
||||||
|
|
||||||
|
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5
|
||||||
|
- Add support for listing existing PBD policies in place
|
||||||
|
Resolves: rhbz#1766526
|
||||||
|
|
||||||
|
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4
|
||||||
|
- Improve error message when bind is given an invalid PIN
|
||||||
|
Resolves: rhbz#1543380
|
||||||
|
|
||||||
|
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3
|
||||||
|
- Add clevis luks report and regen
|
||||||
|
Resolves: rhbz#1564566
|
||||||
|
Resolves: rhbz#1564559
|
||||||
|
|
||||||
|
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
|
||||||
|
- Check that key derivation key is available
|
||||||
|
- Delete remaining references to the removed http pin
|
||||||
|
- Install cryptsetup and tpm2_pcrlist in the initramfs
|
||||||
|
- Add device TCTI library to the initramfs
|
||||||
|
Resolves: rhbz#1648004
|
||||||
|
Resolves: rhbz#1650246
|
||||||
|
|
||||||
|
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
|
||||||
|
- Update to v11
|
||||||
|
|
||||||
|
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
|
||||||
|
- Update to v10
|
||||||
|
|
||||||
|
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
|
||||||
|
- Update to v9
|
||||||
|
|
||||||
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
|
||||||
|
- Update to v8
|
||||||
|
|
||||||
|
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
|
||||||
|
- Rebuild for cryptsetup-2.0.0
|
||||||
|
|
||||||
|
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
|
||||||
|
- Update to v7
|
||||||
|
|
||||||
|
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
|
||||||
|
- New upstream release
|
||||||
|
- Specify unprivileged user/group during configuration
|
||||||
|
- Move clevis user/group creation to base clevis package
|
||||||
|
|
||||||
|
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
|
||||||
|
- New upstream release
|
||||||
|
- Run clevis decryption from udisks2 under an unprivileged user
|
||||||
|
|
||||||
|
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
|
||||||
|
- First release
|
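--- a/changelog
+++ b/changelog
@@ -1,186 +0,0 @@
-* Fri Aug 05 2022 Luca BRUNO <lucab@lucabruno.net> - 18-10
-- Simplify sysusers.d fragment by using default 'nologin' shell
-
-* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Fri Jul 8 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-8
-- Support a null pin
-
-* Tue Jun 28 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-7
-Start clevis-luks-askpass.patch service according to global policy
-
-* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
-Account for unlocking failures in clevis-luks-askpass
-Resolves: rhbz#1878892
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 18-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
-- Port to OpenSSL 3
-Backport of upstream commit (ee1dfedb)
-
-* Thu Apr 15 2021 Sergio Correia <scorreia@redhat.com> - 18-1
-- Update to new clevis upstream release, v18.
-
-* Wed Apr 14 2021 Sergio Correia <scorreia@redhat.com> - 17-1
-- Update to new clevis upstream release, v17.
-
-* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
-- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
-
-* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
-- Update to new clevis upstream release, v16.
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
-- Upstream patch for tpm-tools 5.0 support
-
-* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
-- Add jq to dependencies
-
-* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
-- Update to new clevis upstream release, v15.
-
-* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
-- Suppress output in pre scriptlet when adjusting users/groups
-Resolves: rhbz#1876729
-
-* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
-- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
-when receives a SIGTERM
-Resolves: rhbz#1876001
-
-* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
-- If clevis-luks-askpass is enabled, it may be using a wrong target,
-since that changed in v14. Check and update it, if required.
-
-* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
-- Update sources file with new v14 release.
-
-* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
-- Update to new clevis upstream release, v14.
-
-* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
-- Downgrade cracklib-dicts to Recommends
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
-- Update to new clevis upstream release, v13.
-
-* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
-- cracklib-dicts should be also listed as a build dependency, since
-it's required for running some of the tests
-
-* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
-- Make cracklib-dicts a regular dependency
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
-- Update to new clevis upstream release, v12.
-
-* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
-- Backport upstream PR#70 - Handle case where we try to use a partially
-used luksmeta slot
-Resolves: rhbz#1672371
-
-* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
-- Disable LUKS2 tests for now, since they fail randomly in Koji
-builders, killing the build
-
-* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
-- Backport of upstream patches and the following fixes:
-- Rework the logic for reading the existing key
-- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
-- pins/tang: check that key derivation key is available
-
-* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
-- Drop need network patch
-
-* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
-- Add support for tpm2-tools 4.0
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
-- Update patch for work around
-
-* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
-- Work around network requirement for early boot
-
-* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
-- Delete remaining references to the removed http pin
-- Install cryptsetup and tpm2_pcrlist in the initramfs
-- Add device TCTI library to the initramfs
-Resolves: rhbz#1644876
-
-* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
-- Update to v11
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
-- Update to v10
-
-* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
-- Update to v9
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
-- Update to v8
-
-* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
-- Rebuild for cryptsetup-2.0.0
-
-* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
-- Update to v7
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
-- New upstream release
-- Specify unprivileged user/group during configuration
-- Move clevis user/group creation to base clevis package
-
-* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
-- New upstream release
-- Run clevis decryption from udisks2 under an unprivileged user
-
-* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
-- New upstream release
-
-* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
-- New upstream release
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
-- New upstream release
-
-* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
-- First release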
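--- a/ci_tests.fmf
+++ b/ci_tests.fmf
@@ -1,12 +0,0 @@
-/e2e:
-plan:
-import:
-url: https://github.com/RedHat-SP-Security/clevis-plans.git
-name: /generic/e2e_ci
-
-/rpmverify:
-plan:
-import:
-url: https://github.com/RedHat-SP-Security/clevis-plans.git
-name: /generic/rpmverify
-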
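--- a/clevis.spec
+++ b/clevis.spec
@@ -1,221 +0,0 @@
-Name: clevis
-Version: 21
-Release: %autorelease
-Summary: Automated decryption framework
-
-License: GPL-3.0-or-later
-URL: https://github.com/latchset/%{name}
-Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
-Source1: clevis.sysusers
-
-Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
-Patch1: 0002-Fix-potential-race-condition.patch
-Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
-Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
-
-BuildRequires: git-core
-BuildRequires: gcc
-BuildRequires: meson
-BuildRequires: asciidoc
-BuildRequires: ninja-build
-BuildRequires: bash-completion
-
-BuildRequires: libjose-devel >= 8
-BuildRequires: libluksmeta-devel >= 8
-BuildRequires: audit-libs-devel
-BuildRequires: libudisks2-devel
-BuildRequires: openssl-devel
-
-BuildRequires: tpm2-tools >= 4.0.0
-BuildRequires: desktop-file-utils
-BuildRequires: pkgconfig
-BuildRequires: systemd
-BuildRequires: systemd-rpm-macros
-BuildRequires: dracut
-BuildRequires: tang >= 6
-BuildRequires: curl
-BuildRequires: luksmeta
-BuildRequires: openssl
-BuildRequires: diffutils
-BuildRequires: cryptsetup
-BuildRequires: jq
-BuildRequires: pcsc-lite
-BuildRequires: opensc
-
-Requires: tpm2-tools >= 4.0.0
-Requires: coreutils
-Requires: jose >= 8
-Requires: curl
-Requires: jq
-Requires(pre): shadow-utils
-Requires(post): systemd
-Requires: clevis-pin-tpm2
-
-%description
-Clevis is a framework for automated decryption. It allows you to encrypt
-data using sophisticated unlocking policies which enable decryption to
-occur automatically.
-
-The clevis package provides basic encryption/decryption policy support.
-Users can use this directly; but most commonly, it will be used as a
-building block for other packages. For example, see the clevis-luks
-and clevis-dracut packages for automatic root volume unlocking of
-LUKSv1/LUKSv2 volumes during early boot.
-
-%package luks
-Summary: LUKS integration for clevis
-Requires: %{name}%{?_isa} = %{version}-%{release}
-Requires: cryptsetup
-Requires: luksmeta >= 8
-
-%description luks
-LUKS integration for clevis. This package allows you to bind a LUKS
-volume to a clevis unlocking policy. For automated unlocking, an unlocker
-will also be required. See, for example, clevis-dracut and clevis-udisks2.
-
-%package systemd
-Summary: systemd integration for clevis
-Requires: %{name}-luks%{?_isa} = %{version}-%{release}
-%if 0%{?fedora} > 27
-Requires: systemd%{?_isa} >= 235-3
-%else
-%if 0%{?fedora} == 27
-Requires: systemd%{?_isa} >= 234-9
-%else
-%if 0%{?fedora} == 26
-Requires: systemd%{?_isa} >= 233-7
-%else
-Requires: systemd%{?_isa} >= 236
-%endif
-%endif
-%endif
-
-%description systemd
-Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
-
-%package dracut
-Summary: Dracut integration for clevis
-Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
-Requires: dracut-network
-
-%description dracut
-Automatically unlocks LUKS block devices in early boot.
-
-%package udisks2
-Summary: UDisks2/Storaged integration for clevis
-Requires: %{name}-luks%{?_isa} = %{version}-%{release}
-
-%description udisks2
-Automatically unlocks LUKS block devices in desktop environments that
-use UDisks2 or storaged (like GNOME).
-
-%package pin-pkcs11
-Summary: PKCS#11 for clevis
-Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
-Requires: %{name}-luks%{?_isa} = %{version}-%{release}
-Requires: %{name}-dracut%{?_isa} = %{version}-%{release}
-Requires: pcsc-lite
-Requires: opensc
-
-%description pin-pkcs11
-Automatically unlocks LUKS block devices through a PKCS#11 device.
-
-%prep
-%autosetup -S git
-
-%build
-%meson -Duser=clevis -Dgroup=clevis
-%meson_build
-
-%install
-%meson_install
-install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
-
-%check
-desktop-file-validate \
-%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
-%meson_test
-
-%pre
-%sysusers_create_compat %{SOURCE1}
-# Add clevis user to tss group.
-if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
-usermod -a -G tss %{name} &>/dev/null
-fi
-exit 0
-
-%files
-%license COPYING
-%{_datadir}/bash-completion/
-%{_bindir}/%{name}-decrypt-tang
-%{_bindir}/%{name}-decrypt-tpm2
-%{_bindir}/%{name}-decrypt-sss
-%{_bindir}/%{name}-decrypt-null
-%{_bindir}/%{name}-decrypt
-%{_bindir}/%{name}-encrypt-tang
-%{_bindir}/%{name}-encrypt-tpm2
-%{_bindir}/%{name}-encrypt-sss
-%{_bindir}/%{name}-encrypt-null
-%{_bindir}/%{name}
-%{_mandir}/man1/%{name}-encrypt-tang.1*
-%{_mandir}/man1/%{name}-encrypt-tpm2.1*
-%{_mandir}/man1/%{name}-encrypt-sss.1*
-%{_mandir}/man1/%{name}-decrypt.1*
-%{_mandir}/man1/%{name}.1*
-%{_sysusersdir}/clevis.conf
-
-%files luks
-%{_mandir}/man7/%{name}-luks-unlockers.7*
-%{_mandir}/man1/%{name}-luks-unlock.1*
-%{_mandir}/man1/%{name}-luks-unbind.1*
-%{_mandir}/man1/%{name}-luks-bind.1*
-%{_mandir}/man1/%{name}-luks-list.1.*
-%{_mandir}/man1/%{name}-luks-edit.1.*
-%{_mandir}/man1/%{name}-luks-regen.1.*
-%{_mandir}/man1/%{name}-luks-report.1.*
-%{_mandir}/man1/%{name}-luks-pass.1.*
-%{_bindir}/%{name}-luks-unlock
-%{_bindir}/%{name}-luks-unbind
-%{_bindir}/%{name}-luks-bind
-%{_bindir}/%{name}-luks-common-functions
-%{_bindir}/%{name}-luks-list
-%{_bindir}/%{name}-luks-edit
-%{_bindir}/%{name}-luks-regen
-%{_bindir}/%{name}-luks-report
-%{_bindir}/%{name}-luks-pass
-
-%files systemd
-%{_libexecdir}/%{name}-luks-askpass
-%{_libexecdir}/%{name}-luks-unlocker
-%{_unitdir}/%{name}-luks-askpass.path
-%{_unitdir}/%{name}-luks-askpass.service
-
-%files dracut
-%{_prefix}/lib/dracut/modules.d/60%{name}
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
-
-%files pin-pkcs11
-%{_libexecdir}/%{name}-luks-pkcs11-askpass
-%{_libexecdir}/%{name}-luks-pkcs11-askpin
-%{_bindir}/%{name}-decrypt-pkcs11
-%{_bindir}/%{name}-encrypt-pkcs11
-%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
-%{_bindir}/%{name}-pkcs11-common
-%{_unitdir}/%{name}-luks-pkcs11-askpass.service
-%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
-%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
-%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
-
-%files udisks2
-%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
-%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
-
-%post systemd
-systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
-
-%autochangelog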
@ -1 +0,0 @@
|
|||||||
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -
|
|
@ -1,7 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-10
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
||||||
|
|