rpms/clevis
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9-beta
rpms:c9s
rpms:c10s
rpms:c10-beta
rpms:c9
rpms:c8-beta
rpms:c8s
rpms:imports/c9-beta/clevis-21-208.el9
rpms:imports/c10s/clevis-21-8.el10
rpms:imports/c10s/clevis-21-7.el10
rpms:imports/c10-beta/clevis-20-4.el10
rpms:imports/c10s/clevis-21-6.el10
rpms:imports/c10s/clevis-21-5.el10
rpms:imports/c10s/clevis-21-4.el10
rpms:imports/c10s/clevis-21-4
rpms:imports/c10s/clevis-21-2.el10
rpms:imports/c9-beta/clevis-20-200.el9
rpms:imports/c10s/clevis-21-1.el10
rpms:imports/c10s/clevis-20-1.el10
rpms:imports/c10s/clevis-20-4.el10
rpms:imports/c8/clevis-15-15.el8
rpms:imports/c9/clevis-18-112.el9
rpms:imports/c8-beta/clevis-15-15.el8
rpms:imports/c9-beta/clevis-18-112.el9
rpms:imports/c8/clevis-15-14.el8
rpms:imports/c9/clevis-18-110.el9
rpms:imports/c9-beta/clevis-18-110.el9
rpms:imports/c8-beta/clevis-15-14.el8
rpms:imports/c8s/clevis-15-14.el8
rpms:imports/c8s/clevis-15-13.el8
rpms:imports/c8s/clevis-15-12.el8
rpms:imports/c9/clevis-18-106.el9
rpms:imports/c8/clevis-15-11.el8
rpms:imports/c9-beta/clevis-18-106.el9
rpms:imports/c8-beta/clevis-15-11.el8
rpms:imports/c8s/clevis-15-11.el8
rpms:imports/c9/clevis-18-102.el9
rpms:imports/c8/clevis-15-8.el8
rpms:imports/c8-beta/clevis-15-8.el8
rpms:imports/c9-beta/clevis-18-102.el9
rpms:imports/c8/clevis-15-1.el8_5.1
rpms:imports/c8s/clevis-15-8.el8
rpms:imports/c8s/clevis-15-7.el8
rpms:imports/c8s/clevis-15-6.el8
rpms:imports/c9-beta/clevis-18-5.el9
rpms:imports/c9-beta/clevis-18-4.el9
rpms:imports/c8s/clevis-15-4.el8
rpms:imports/c8s/clevis-15-3.el8
rpms:imports/c8s/clevis-15-2.el8
rpms:imports/c8-beta/clevis-15-1.el8
rpms:imports/c8-beta/clevis-13-3.el8
rpms:imports/c8-beta/clevis-11-7.el8
rpms:imports/c8-beta/clevis-11-2.el8
rpms:imports/c8s/clevis-15-1.el8
rpms:imports/c8s/clevis-13-3.el8
rpms:imports/c8s/clevis-11-9.el8
rpms:imports/c8/clevis-15-1.el8
rpms:imports/c8/clevis-13-3.el8
rpms:imports/c8/clevis-11-9.el8_2.1
rpms:imports/c8/clevis-11-9.el8
rpms:imports/c8/clevis-11-2.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c9-beta
rpms:c9s
rpms:c10s
rpms:c10-beta
rpms:c8
rpms:c9
rpms:c8-beta
rpms:c8s
rpms:imports/c9-beta/clevis-21-208.el9
rpms:imports/c10s/clevis-21-8.el10
rpms:imports/c10s/clevis-21-7.el10
rpms:imports/c10-beta/clevis-20-4.el10
rpms:imports/c10s/clevis-21-6.el10
rpms:imports/c10s/clevis-21-5.el10
rpms:imports/c10s/clevis-21-4.el10
rpms:imports/c10s/clevis-21-4
rpms:imports/c10s/clevis-21-2.el10
rpms:imports/c9-beta/clevis-20-200.el9
rpms:imports/c10s/clevis-21-1.el10
rpms:imports/c10s/clevis-20-1.el10
rpms:imports/c10s/clevis-20-4.el10
rpms:imports/c8/clevis-15-15.el8
rpms:imports/c9/clevis-18-112.el9
rpms:imports/c8-beta/clevis-15-15.el8
rpms:imports/c9-beta/clevis-18-112.el9
rpms:imports/c8/clevis-15-14.el8
rpms:imports/c9/clevis-18-110.el9
rpms:imports/c9-beta/clevis-18-110.el9
rpms:imports/c8-beta/clevis-15-14.el8
rpms:imports/c8s/clevis-15-14.el8
rpms:imports/c8s/clevis-15-13.el8
rpms:imports/c8s/clevis-15-12.el8
rpms:imports/c9/clevis-18-106.el9
rpms:imports/c8/clevis-15-11.el8
rpms:imports/c9-beta/clevis-18-106.el9
rpms:imports/c8-beta/clevis-15-11.el8
rpms:imports/c8s/clevis-15-11.el8
rpms:imports/c9/clevis-18-102.el9
rpms:imports/c8/clevis-15-8.el8
rpms:imports/c8-beta/clevis-15-8.el8
rpms:imports/c9-beta/clevis-18-102.el9
rpms:imports/c8/clevis-15-1.el8_5.1
rpms:imports/c8s/clevis-15-8.el8
rpms:imports/c8s/clevis-15-7.el8
rpms:imports/c8s/clevis-15-6.el8
rpms:imports/c9-beta/clevis-18-5.el9
rpms:imports/c9-beta/clevis-18-4.el9
rpms:imports/c8s/clevis-15-4.el8
rpms:imports/c8s/clevis-15-3.el8
rpms:imports/c8s/clevis-15-2.el8
rpms:imports/c8-beta/clevis-15-1.el8
rpms:imports/c8-beta/clevis-13-3.el8
rpms:imports/c8-beta/clevis-11-7.el8
rpms:imports/c8-beta/clevis-11-2.el8
rpms:imports/c8s/clevis-15-1.el8
rpms:imports/c8s/clevis-13-3.el8
rpms:imports/c8s/clevis-11-9.el8
rpms:imports/c8/clevis-15-1.el8
rpms:imports/c8/clevis-13-3.el8
rpms:imports/c8/clevis-11-9.el8_2.1
rpms:imports/c8/clevis-11-9.el8
rpms:imports/c8/clevis-11-2.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

29 changed files with 992 additions and 1782 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

12
.gitignore vendored
View File

@ -1 +1,11 @@
SOURCES/clevis-15.tar.xz
/clevis-11.tar.xz
/clevis-12.tar.xz
/clevis-13.tar.xz
/clevis-14.tar.xz
/clevis-15.tar.xz
/clevis-16.tar.xz
/clevis-17.tar.xz
/clevis-18.tar.xz
/clevis-19.tar.xz
/clevis-20.tar.xz
/clevis-21.tar.xz

288
0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch Normal file
View File

@ -0,0 +1,288 @@
From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Mon, 30 Sep 2024 11:27:57 +0200
Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
.../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
.../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
4 files changed, 74 insertions(+), 61 deletions(-)
diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
index 39d06a0..a7a6d6b 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
@@ -23,7 +23,7 @@ depends() {
}
install() {
- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
+ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index 8f4092f..b860efa 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,6 +52,7 @@ get_pkcs11_error() {
return 0
}
+
if command -v pcscd; then
echo "clevis-pkcs11: starting pcscd if not available ..."
PCSCD_PID=$(ps auxf | grep "[p]cscd")
@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
fi
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
- exit 1
-fi
-
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
-fi
-
-while [ -z "${pkcs11_device}" ]; do
- if [ "${dracut_mode}" != true ]; then
- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
- if [ -n "${module_paths}" ]; then
- modules=$(echo ${module_paths} | tr ";" "\n")
- for module in $modules; do
- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if [ -n "${pkcs11_device}" ]; then
- break;
- fi
- done
- fi
- fi
- if [ -z "${pkcs11_device}" ]; then
- if [ "${retry_mode}" == true ]; then
- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
- echo "Won't continue PKCS11 device detection"
- exit 0
- fi
- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if ! pkcs11-tool -O 2>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
- fi
- else
- exit 0
- fi
- fi
-done
-echo "Detected PKCS11 device:${pkcs11_device}"
-
devices_array=()
# Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
while read -r line;
@@ -126,6 +82,8 @@ do
next_device=0
errors=0
msg=""
+ # Store passphrases to send to control socket
+ systemd_device=$(echo "${line}" | awk '{print $1}')
while [ ${next_device} -ne 1 ]; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
@@ -141,15 +99,23 @@ do
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
+ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
+ # Send a wrong passphrase
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
+ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
+ echo "No PKCS11 device detected" >&2
+ exit 0
+ else
+ echo "Detected PKCS11 device:${pkcs11_device}" >&2
+ fi
# Get configuration PKCS#11 URI
uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
slot_opt=""
if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
- echo "Could not find slot for uri:${uri}"
+ echo "Could not find slot for uri:${uri}" >&2
else
slot_opt="--slot-index ${slot}"
fi
@@ -159,8 +125,9 @@ do
module_opt="--module ${module}"
fi
echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
- echo "No objects on slot:${slot}, module_opt:${module_opt}"
+ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
+ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
@@ -175,22 +142,21 @@ do
# Get key from PKCS11 pin here and feed AF_UNIX socket program
echo "${pin}" > /run/systemd/clevis-pkcs11.pin
if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
- echo "Could not unlock device:${mapped_device}"
+ echo "Could not unlock device:${mapped_device}" >&2
msg="$(get_pkcs11_error)"
((errors++))
if [ ${errors} -eq ${too_many_errors} ]; then
- echo "Too many errors !!!" 1>&2
+ echo "Too many errors !!!" >&2
next_device=1
fi
continue
fi
next_device=1
- echo "Device:${mapped_device} unlocked successfully by clevis"
+ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
if [ "${dracut_mode}" == true ]; then
echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
fi
# Store passphrases to send to control socket
- systemd_device=$(echo "${line}" | awk '{print $1}')
devices_array+=("${systemd_device},${passphrase}")
done
fi
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..24bad83 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
}
char* t = control_msg;
int is_device = 1;
- fprintf(logfile, "Received control message:[%s]\n", t);
while((t = strtok(t, ","))) {
if (is_device) {
fprintf(logfile, "Adding device:%s\n", t);
@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
static void int_handler(int s) {
if(logfile) {
- fprintf(logfile, "Closing, signal:[%d]\n", s);
+ fprintf(logfile, "Closing, received signal:[%d]\n", s);
fclose(logfile);
}
exit(EXIT_FAILURE);
@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
break;
case 'f':
strncpy(sock_file, optarg, MAX_PATH - 1);
+ unlink(sock_file);
break;
case 'k':
strncpy(key, optarg, MAX_KEY - 1);
@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
memset(&sock_addr, 0, sizeof(sock_addr));
sock_addr.sun_family = AF_UNIX;
strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
- unlink(sock_file);
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) {
perror("socket");
@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
perror("key entry send error");
goto efailure;
}
- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
- entry_key, unlocking_device);
+ fprintf(logfile, "Sending passphrase to device:[%s]\n",
+ unlocking_device);
} else {
fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
}
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 4c0629c..571a2be 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -27,6 +27,56 @@ serial_devices_array=""
URI_EXPECTED_FORMAT="pkcs11:"
DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
+clevis_detect_pkcs11_device() {
+ dracut_mode="${1:false}"
+ retry_mode="${2:false}"
+ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
+ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
+ echo ""
+ return 1
+ fi
+
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+
+ while [ -z "${pkcs11_device}" ]; do
+ if [ "${dracut_mode}" != true ]; then
+ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
+ if [ -n "${module_paths}" ]; then
+ modules=$(echo ${module_paths} | tr ";" "\n")
+ for module in $modules; do
+ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if [ -n "${pkcs11_device}" ]; then
+ break;
+ fi
+ done
+ fi
+ fi
+ if [ -z "${pkcs11_device}" ]; then
+ if [ "${retry_mode}" == true ]; then
+ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
+ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
+ echo ""
+ # Straight Forward Mode
+ return 0
+ fi
+ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+ else
+ echo "${pkcs11_device}"
+ return 0
+ fi
+ fi
+ done
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
while read -r line; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
- echo "Could not check mapped device for UID:${uuid}"
continue
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
continue
fi
# Get configuration PKCS#11 URI
--
2.46.2

49
0002-Fix-potential-race-condition.patch Normal file
View File

@ -0,0 +1,49 @@
From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Fri, 27 Sep 2024 12:12:48 +0200
Subject: [PATCH] Fix potential race condition
Guard the modification of "entry_counter" and the read
used to decide whether to modify "entry_counter" with the
same set of locks
Resolves: #478
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..b1e2004 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
}
static void insert_device(const char* dev) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
pthread_mutex_unlock(&mutex);
}
static void insert_key(const char* key) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter++].key, key, MAX_KEY);
pthread_mutex_unlock(&mutex);
}
--
2.46.2

110
0003-Fix-to-start-pcscd-appropriately.patch Normal file
View File

@ -0,0 +1,110 @@
From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Wed, 9 Oct 2024 12:15:18 +0200
Subject: [PATCH] Fix to start pcscd appropriately
diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
index 01a3062..9922bbc 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
@@ -16,9 +16,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. /usr/bin/clevis-pkcs11-common
+
if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
then
- pcscd --disable-polkit
- echo "" > /run/systemd/clevis-pkcs11.run
- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
+ clevis_start_pcscd_server
+ echo "" > /run/systemd/clevis-pkcs11.run
+ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
fi
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index b860efa..468ca3c 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,22 +52,7 @@ get_pkcs11_error() {
return 0
}
-
-if command -v pcscd; then
- echo "clevis-pkcs11: starting pcscd if not available ..."
- PCSCD_PID=$(ps auxf | grep "[p]cscd")
- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
- if ! ps auxf | grep "[p]cscd";
- then
- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
- pcscd --disable-polkit
- else
- echo "clevis-pkcs11: starting pcscd ..."
- pcscd
- fi
- fi
-fi
+clevis_start_pcscd_server
if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 571a2be..c7f2a58 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
done
}
+clevis_start_pcscd_server() {
+ if command -v pcscd; then
+ echo "clevis-pkcs11: starting pcscd if not available ..."
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
+ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
+ if ! ps auxf | grep "[p]cscd";
+ then
+ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
+ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
+ pcscd --disable-polkit
+ else
+ echo "clevis-pkcs11: starting pcscd ..."
+ pcscd
+ fi
+ fi
+ fi
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
index 94e1548..c876ca4 100755
--- a/src/pins/pkcs11/tests/pin-pkcs11
+++ b/src/pins/pkcs11/tests/pin-pkcs11
@@ -20,6 +20,7 @@
. pkcs11-common-tests
. tests-common-functions
. clevis-luks-common-functions
+. clevis-pkcs11-common
on_exit() {
exit_status=$?
@@ -150,5 +151,16 @@ then
(${WRONGCFG})"
fi
+if command -v ps && command -v killall; then
+ if ! clevis_start_pcscd_server;
+ then
+ error "${TEST}: Could not start pcscd server"
+ fi
+ if ! killall -9 pcscd;
+ then
+ error "${TEST}: Could not kill pcscd server"
+ fi
+fi
+
softhsm_lib_cleanup
test "$?" == 0

65
0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch Normal file
View File

@ -0,0 +1,65 @@
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -58,7 +58,7 @@
echo
echo " key: <string> Algorithm type for the generated key (default: ecc)"
echo
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
echo
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
echo
@@ -130,7 +130,15 @@
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
+ if ! pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
+ END {exit !found}'); then
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
+ exit 1
+ fi
+}
# Trim the spaces from the config, so that we will not have issues parsing
# the PCR IDs.
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
@@ -91,13 +91,17 @@
- *symcipher*
* *pcr_bank* (string) :
- PCR algorithm bank to use for policy (default: sha1)
+ PCR algorithm bank to use for policy (default: first supported by TPM)
- It must be one of the following:
+ Examples of PCR algorithm banks, support depends on TPM chip:
- *sha1*
- *sha256*
+ For the full list of algorithms supported by the TPM chip check output of
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
+ numbers.
+
* *pcr_ids* (string) :
Comma separated list of PCR used for policy. If not present, no policy is used
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -142,8 +142,10 @@
# arrays and check if we get the expected pcr_ids.
# Let's first make sure this would be a valid configuration.
-_default_pcr_bank="sha1"
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
+_default_pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1

36
0005-Include-tpm2_getcap-as-dracut-required-binary.patch Normal file
View File

@ -0,0 +1,36 @@
From fc371d25a72806109e9a5c0205d67ba2232a6f17 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 20 Nov 2024 18:45:56 +0100
Subject: [PATCH] Include tpm2_getcap as dracut required binary
---
src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
index 5ff0640..723df7a 100755
--- a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
@@ -19,7 +19,8 @@
#
check() {
- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal || return 1
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
+ tpm2_load tpm2_unseal tpm2_pcrread tpm2_getcap || return 1
require_any_binary tpm2_pcrread tpm2_pcrlist || return 1
return 0
}
@@ -30,7 +31,8 @@ depends() {
}
install() {
- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
+ tpm2_load tpm2_unseal tpm2_getcap
inst_multiple -o tpm2_pcrread tpm2_pcrlist
inst_libdir_file "libtss2-tcti-device.so*"
}
--
2.47.0

176
SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
View File

@ -1,176 +0,0 @@
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 25 Oct 2020 11:15:46 -0300
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
---
src/luks/tests/meson.build | 11 +----------
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
src/pins/tang/meson.build | 11 +----------
src/pins/tang/pin-tang | 11 ++++++++---
4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index ba5f6a2..c0f9dc3 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -17,14 +17,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -58,11 +50,10 @@ env.prepend('PATH',
)
has_tang = false
-if actv.found() and kgen.found() and updt.found() and tang.found()
+if actv.found() and kgen.found() and tang.found()
has_tang = true
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
endif
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
index 8520715..318d007 100755
--- a/src/luks/tests/tests-common-functions.in
+++ b/src/luks/tests/tests-common-functions.in
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
return 1
fi
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
-
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
- mkdir -p "${cache}"
+
+ if [ -n "${TANGD_UPDATE}" ]; then
+ local cache="${basedir}/cache"
+ mkdir -p "${cache}"
+ fi
pushd "${db}"
find . -name ".*.jwk" -exec rm -f {} \;
popd
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -277,12 +278,12 @@ tang_new_keys() {
fi
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
+
if [ -n "${rotate}" ]; then
pushd "${db}"
local k
@@ -296,7 +297,7 @@ tang_new_keys() {
fi
"${TANGD_KEYGEN}" "${db}"
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -322,6 +323,8 @@ tang_run() {
fi
local KEYS="${basedir}/cache"
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
+
local inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
index f7d8226..ebcdd4a 100644
--- a/src/pins/tang/meson.build
+++ b/src/pins/tang/meson.build
@@ -12,14 +12,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -35,11 +27,10 @@ if curl.found()
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
- if actv.found() and kgen.found() and updt.found() and tang.found()
+ if actv.found() and kgen.found() and tang.found()
env = environment()
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
env.prepend('PATH',
join_paths(meson.source_root(), 'src'),
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
index 98e5e4d..a63d0a2 100755
--- a/src/pins/tang/pin-tang
+++ b/src/pins/tang/pin-tang
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
mkdir -p "$TMP"/cache
# Generate the server keys
+KEYS="$TMP"/db
"${TANGD_KEYGEN}" "$TMP"/db sig exc
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
+if which tangd-update; then
+ tangd-update "$TMP"/db "$TMP"/cache
+ KEYS="$TMP"/cache
+fi
# Start the server
port="$(shuf -i 1024-65536 -n 1)"
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
PID=$!
sleep 0.25
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
-adv="$TMP/cache/default.jws"
url="http://localhost:${port}"
+adv="$TMP/adv"
+curl "$url/adv" -o "$adv"
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--
2.18.4

309
SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
View File

@ -1,309 +0,0 @@
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 3 Nov 2020 08:42:48 -0300
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
binding
Usage:
clevis luks pass -d /dev/sda1 -s 1
<passphrase here>
---
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
src/luks/meson.build | 3 ++
src/luks/tests/meson.build | 2 +
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
6 files changed, 230 insertions(+)
create mode 100755 src/luks/clevis-luks-pass
create mode 100644 src/luks/clevis-luks-pass.1.adoc
create mode 100755 src/luks/tests/pass-tang-luks1
create mode 100755 src/luks/tests/pass-tang-luks2
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
new file mode 100755
index 0000000..1f59b39
--- /dev/null
+++ b/src/luks/clevis-luks-pass
@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
+
+usage() {
+ exec >&2
+ echo "Usage: clevis luks pass -d DEV -s SLT"
+ echo
+ echo "$SUMMARY"
+ echo
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
+ echo
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
+ echo
+ exit 1
+}
+
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
+ echo "${SUMMARY}"
+ exit 0
+fi
+
+while getopts ":d:s:" o; do
+ case "$o" in
+ d) DEV=${OPTARG};;
+ s) SLT=${OPTARG};;
+ *) usage;;
+ esac
+done
+
+if [ -z "${DEV}" ]; then
+ echo "Did not specify a device!" >&2
+ usage
+fi
+
+if [ -z "${SLT}" ]; then
+ echo "Did not specify a slot!" >&2
+ usage
+fi
+
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
+ exit 1
+fi
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
new file mode 100644
index 0000000..fa9526a
--- /dev/null
+++ b/src/luks/clevis-luks-pass.1.adoc
@@ -0,0 +1,43 @@
+CLEVIS-LUKS-PASS(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
+
+== SYNOPSIS
+
+*clevis luks pass* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
+For example:
+
+ clevis luks pass -d /dev/sda1 -s 1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+ The LUKS device on which to extract a passphrase from
+
+* *-s* _SLT_ :
+ The slot to use for extracting the passphrase
+
+== EXAMPLE
+
+ clevis luks pass -d /dev/sda1 -s 1
+ <passphrase here>
+
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
+file together with cryptsetup. For instance:
+
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
+
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
+
+== SEE ALSO
+
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 12f5a0d..008736e 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
+
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
else
warning('Will not install LUKS support due to missing dependencies!')
endif
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index c22a069..f4584aa 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -84,6 +84,7 @@ if has_tang
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
endif
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
new file mode 100755
index 0000000..0d91e6c
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks1
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
new file mode 100755
index 0000000..2d50413
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks2
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
--
2.29.2

41
SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
View File

@ -1,41 +0,0 @@
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 3/3] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
index 285bba4..f19671f 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

101
SOURCES/0004-systemd-drop-ncat-dependency.patch
View File

@ -1,101 +0,0 @@
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].
However, systemd itself has a utility that does exactly that,
systemd-reply-password.
In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.
[1] https://systemd.io/PASSWORD_AGENTS/
---
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
src/luks/systemd/meson.build | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 5 deletions(-)
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
fi
uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
continue
fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
inst_multiple \
/etc/services \
+ @SYSTEMD_REPLY_PASS@ \
@libexecdir@/clevis-luks-askpass \
clevis-luks-common-functions \
grep sed cut \
@@ -45,8 +46,7 @@ install() {
luksmeta \
clevis \
mktemp \
- jose \
- ncat
+ jose
dracut_need_initqueue
}
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
subdir('dracut')
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
configuration: data,
)
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
else
warning('Will not install systemd support due to missing dependencies!')
endif
--
2.33.1

26
SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
View File

@ -1,26 +0,0 @@
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 25 Nov 2021 19:18:03 -0300
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
happen
---
src/luks/clevis-luks-common-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 879ca4c..df8e16d 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|| [ -z "${passphrase}" ]; then
return 1
fi
--
2.33.1

45
SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
View File

@ -1,45 +0,0 @@
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
set (#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index df8e16d..67ece72 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.33.1

83
SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
View File

@ -1,83 +0,0 @@
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
From: Renaud Metrich <rmetrich@redhat.com>
Date: Fri, 7 Jan 2022 12:13:03 -0300
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-bind.in | 7 +++++--
src/luks/clevis-luks-common-functions | 7 ++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
index 4748c08..017f762 100755
--- a/src/luks/clevis-luks-bind.in
+++ b/src/luks/clevis-luks-bind.in
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
exit 1
fi
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ "$luks_type" == "luks1" ]; then
+ pbkdf_args=
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
# cryptsetup, which means we will try to save LUKSMeta metadata over an
# already used or partially used slot -- github issue #70.
@@ -184,7 +186,7 @@ fi
# Add the new key.
if [ -n "$SLT" ]; then
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
<(echo -n "$existing_key") "$DEV"
else
if [ $luks_type == "luks2" ]; then
@@ -194,7 +196,8 @@ else
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+ cryptsetup luksAddKey ${pbkdf_args} \
+ --key-file <(echo -n "${existing_key}") "$DEV"
fi < <(echo -n "${key}")
if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 67ece72..038cc37 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

16
SOURCES/0008-tang-dump-url-on-error-communication.patch
View File

@ -1,16 +0,0 @@
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
@@ -73,10 +73,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with the server $url" >&2
exit 1
fi

213
SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch
View File

@ -1,213 +0,0 @@
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 9/9] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index cc3b492..448ba96 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1

24
SOURCES/0010-avoid-clevis-invalid-msg.patch
View File

@ -1,24 +0,0 @@
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
@@ -27,6 +27,7 @@
}
cmd=clevis
+input_commands="$cmd $@"
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +37,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

53
SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
View File

@ -1,53 +0,0 @@
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 11:07:00 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 038cc37..950f217 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

16
SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
View File

@ -1,16 +0,0 @@
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
@@ -413,7 +413,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a

73
SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch
View File

@ -1,73 +0,0 @@
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
@@ -865,6 +865,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -876,6 +877,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
@@ -19,6 +19,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. clevis-luks-common-functions
+
SUMMARY="Binds a LUKS device using the specified policy"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
@@ -139,14 +141,11 @@
fi
# Generate a key with the same entropy as the LUKS Master Key
-key="$(pwmake "$(
-cryptsetup luksDump "$DEV" \
- | if [ "$luks_type" == "luks1" ]; then
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
- else
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
- fi | sort -n | tail -n 1
-)")"
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
+ || [ -z "${key}" ]; then
+ echo "Unable to generate key for ${DEV}" >&2
+ return 1
+fi
# Encrypt the new key
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"

11
SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
View File

@ -1,11 +0,0 @@
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi

219
SOURCES/0015-support-sha256-algorithm.patch
View File

@ -1,219 +0,0 @@
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
@@ -50,12 +50,30 @@
exit 1
fi
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
- | jose jwk thp -i- -f "$kid")"; then
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
exit 1
fi
+# Check if the thumbprint we have in `kid' is in the advertised keys.
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "${keys}")"; then
+ # `kid' thumprint not in the advertised keys, but it's possible it was
+ # generated using a different algorithm than the default one.
+ # Let us try the alternative supported algorithms to make sure `kid'
+ # really is not part of the advertised keys.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
+ exit 1
+ fi
+fi
+
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
exit 1
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
@@ -64,6 +64,9 @@
exit 1
fi
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
trust=
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
@@ -111,15 +114,24 @@
if [ -z "$thp" ]; then
echo "The advertisement contains the following signing keys:" >&2
echo >&2
- jose jwk thp -i- <<< "$ver" >&2
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
echo >&2
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
[[ "$ans" =~ ^[yY]$ ]] || exit 1
-
elif [ "$thp" != "any" ] && \
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
- exit 1
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "$ver"; then
+ # Thumbprint of trusted JWK did not match the signature. Let's check
+ # alternative thumbprints generated with clevis supported hash
+ # algorithms to be sure.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
+ && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
+ exit 1
+ fi
fi
fi
@@ -138,7 +150,7 @@
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
-kid="$(jose jwk thp -i- <<< "$jwk")"
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
@@ -113,6 +113,7 @@
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
@@ -0,0 +1,120 @@
+#!/bin/bash
+set -exo pipefail
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+. tests-common-functions
+
+TEST=$(basename "${0}")
+
+on_exit() {
+ exit_status=$?
+ tang_stop "${TMP}"
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+ exit "${exit_status}"
+}
+
+trap 'on_exit' EXIT
+
+TMP="$(mktemp -d)"
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}"
+
+url="http://localhost:${port}"
+data="just a sample text"
+
+adv="${TMP}/adv"
+# Get the advertisement and extract the keys.
+tang_get_adv "${port}" "${adv}"
+
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
+ --use deriveKey --output=-)"
+
+jose fmt --json="${enc}" --get keys --array \
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
+
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
+
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
+
+# We currently support SHA-1 (legacy) and SHA-256.
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
+# Now we will use every hash algorithm supported by jose to create a thumbprint
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
+# correctly.
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
+
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Now let's test encryption providing the thp in the configuration.
+data="just another test"
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
+ fi
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Let's also try some unsupported thp hash algorithms.
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
+for alg in ${UNSUPPORTED}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
+ fi
+done
+
+# Now let's try some bad values for thp.
+for thp in "" "foo" "invalid"; do
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
+ fi
+done

375
SPECS/clevis.spec
View File

@ -1,375 +0,0 @@
%global _hardened_build 1
Name: clevis
Version: 15
Release: 15%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0008: 0008-tang-dump-url-on-error-communication.patch
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
Patch0010: 0010-avoid-clevis-invalid-msg.patch
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
Patch0015: 0015-support-sha256-algorithm.patch
BuildRequires: git
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 3.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: luksmeta
BuildRequires: cracklib-dicts
BuildRequires: jq
BuildRequires: diffutils
BuildRequires: expect
BuildRequires: openssl
Requires: cracklib-dicts
Requires: tpm2-tools >= 3.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKS
volumes during early boot.
%package luks
Summary: LUKS integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKS integration for clevis. This package allows you to bind a LUKS
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
%description systemd
Automatically unlocks clevis-bound LUKS block devices during boot.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKS block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%prep
%autosetup -S git
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
# Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null
fi
exit 0
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt-null
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}-encrypt-null
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1*
%{_mandir}/man1/%{name}-luks-pass.1*
%{_mandir}/man1/%{name}-luks-regen.1*
%{_mandir}/man1/%{name}-luks-report.1*
%{_mandir}/man1/%{name}-luks-edit.1*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-pass
%{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-edit
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
- Include SHA-256 thumbprints clevis support
Resolves: rhbz#2209058
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
- luks-edit: remove unnecessary 2>/dev/null
Resolves: rhbz#2159739
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
- luks: define max entropy bits for pwmake
Resolves: rhbz#2159736
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
- Ignore empty & comment lines in crypttab
Resolves: rhbz#2159440
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
- Start clevis-luks-askpass.path service according to global policy
Resolves: rhbz#2107081
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
- Improve boot performance by removing key check
Resolves: rhbz#2099748
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
- Avoid invalid message for clevis command
Resolves: rhbz#2099325
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
- Support a null pin
Resolves: rhbz#2028096
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
- Dump server information on server error communication
Resolves: rhbz#2020193
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
- Explicitly specify pbkdf iterations to cryptsetup
Resolves: rhbz#1979256
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#1980742
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
- Stop sending stderr to the void when decryption doesn't happen
Resolves: rhbz#1976880
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
- Drop ncat dependency
Resolves: rhbz#1949289
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
- Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2018292
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to latest upstream release, v15
Resolves: rhbz#1887836
Resolves: rhbz#1853651
Resolves: rhbz#1874460
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3
- Add clevis luks edit command
Resolves: rhbz#1436735
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2
- Introduce -y (assume yes) argument to clevis luks bind
Resolves: rhbz#1819767
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new upstream release, v13
Resolves: rhbz#1827225
Resolves: rhbz#1827665
Resolves: rhbz#1801556
Resolves: rhbz#1784448
Resolves: rhbz#1826917
Resolves: rhbz#1812014
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9
- Improve clevis luks regen not to unbind+bind in every case
Resolves: rhbz#1795675
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8
- Use one clevis-luks-askpass per device
Resolves: rhbz#1784524
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7
- Add rd.neednet=1 to cmdline only if there are devices bound to tang
Resolves: rhbz#1762028
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6
- Add option to extract luks passphrase used for binding
Resolves: rhbz#1436780
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5
- Add support for listing existing PBD policies in place
Resolves: rhbz#1766526
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4
- Improve error message when bind is given an invalid PIN
Resolves: rhbz#1543380
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3
- Add clevis luks report and regen
Resolves: rhbz#1564566
Resolves: rhbz#1564559
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
- Check that key derivation key is available
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1648004
Resolves: rhbz#1650246
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release

186
changelog Normal file
View File

@ -0,0 +1,186 @@
* Fri Aug 05 2022 Luca BRUNO <lucab@lucabruno.net> - 18-10
- Simplify sysusers.d fragment by using default 'nologin' shell
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 8 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-8
- Support a null pin
* Tue Jun 28 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-7
Start clevis-luks-askpass.patch service according to global policy
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#1878892
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
- Rebuilt with OpenSSL 3.0.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 18-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
- Port to OpenSSL 3
Backport of upstream commit (ee1dfedb)
* Thu Apr 15 2021 Sergio Correia <scorreia@redhat.com> - 18-1
- Update to new clevis upstream release, v18.
* Wed Apr 14 2021 Sergio Correia <scorreia@redhat.com> - 17-1
- Update to new clevis upstream release, v17.
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
- Update to new clevis upstream release, v16.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
- Upstream patch for tpm-tools 5.0 support
* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
- Add jq to dependencies
* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to new clevis upstream release, v15.
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
- Suppress output in pre scriptlet when adjusting users/groups
Resolves: rhbz#1876729
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
when receives a SIGTERM
Resolves: rhbz#1876001
* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
- If clevis-luks-askpass is enabled, it may be using a wrong target,
since that changed in v14. Check and update it, if required.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
- Update sources file with new v14 release.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
- Update to new clevis upstream release, v14.
* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
- Downgrade cracklib-dicts to Recommends
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new clevis upstream release, v13.
* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
- cracklib-dicts should be also listed as a build dependency, since
it's required for running some of the tests
* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
- Make cracklib-dicts a regular dependency
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
- Update to new clevis upstream release, v12.
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Backport upstream PR#70 - Handle case where we try to use a partially
used luksmeta slot
Resolves: rhbz#1672371
* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
- Disable LUKS2 tests for now, since they fail randomly in Koji
builders, killing the build
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
- Backport of upstream patches and the following fixes:
- Rework the logic for reading the existing key
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- pins/tang: check that key derivation key is available
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
- Drop need network patch
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
- Add support for tpm2-tools 4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
- Update patch for work around
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
- Work around network requirement for early boot
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1644876
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
- Update to v10
* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
- Update to v9
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
- Update to v8
* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
- Rebuild for cryptsetup-2.0.0
* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
- Update to v7
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration
- Move clevis user/group creation to base clevis package
* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
- New upstream release
- Run clevis decryption from udisks2 under an unprivileged user
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
- New upstream release
* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
- New upstream release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
- New upstream release
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release

12
ci_tests.fmf Normal file
View File

@ -0,0 +1,12 @@
/e2e:
plan:
import:
url: https://github.com/RedHat-SP-Security/clevis-plans.git
name: /generic/e2e_ci
/rpmverify:
plan:
import:
url: https://github.com/RedHat-SP-Security/clevis-plans.git
name: /generic/rpmverify

225
clevis.spec Normal file
View File

@ -0,0 +1,225 @@
Name: clevis
Version: 21
Release: %autorelease
Summary: Automated decryption framework
License: GPL-3.0-or-later
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
Patch1: 0002-Fix-potential-race-condition.patch
Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
Patch4: 0005-Include-tpm2_getcap-as-dracut-required-binary.patch
BuildRequires: git-core
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
BuildRequires: ninja-build
BuildRequires: bash-completion
BuildRequires: libjose-devel >= 8
BuildRequires: libluksmeta-devel >= 8
BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 4.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: luksmeta
BuildRequires: openssl
BuildRequires: diffutils
BuildRequires: cryptsetup
BuildRequires: jq
BuildRequires: pcsc-lite
BuildRequires: opensc
Requires: tpm2-tools >= 4.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
Requires: clevis-pin-tpm2
%description
Clevis is a framework for automated decryption. It allows you to encrypt
data using sophisticated unlocking policies which enable decryption to
occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of
LUKSv1/LUKSv2 volumes during early boot.
%package luks
Summary: LUKS integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
Requires: luksmeta >= 8
%description luks
LUKS integration for clevis. This package allows you to bind a LUKS
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
%package systemd
Summary: systemd integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%if 0%{?fedora} > 27
Requires: systemd%{?_isa} >= 235-3
%else
%if 0%{?fedora} == 27
Requires: systemd%{?_isa} >= 234-9
%else
%if 0%{?fedora} == 26
Requires: systemd%{?_isa} >= 233-7
%else
Requires: systemd%{?_isa} >= 236
%endif
%endif
%endif
%description systemd
Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
%package dracut
Summary: Dracut integration for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
%description dracut
Automatically unlocks LUKS block devices in early boot.
%package udisks2
Summary: UDisks2/Storaged integration for clevis
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
%description udisks2
Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%package pin-pkcs11
Summary: PKCS#11 for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
Requires: %{name}-dracut%{?_isa} = %{version}-%{release}
Requires: pcsc-lite
Requires: opensc
Requires: socat
Requires: openssl
%description pin-pkcs11
Automatically unlocks LUKS block devices through a PKCS#11 device.
%prep
%autosetup -S git
%build
%meson -Duser=clevis -Dgroup=clevis
%meson_build
%install
%meson_install
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
%check
desktop-file-validate \
%{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%meson_test
%pre
%sysusers_create_compat %{SOURCE1}
# Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null
fi
exit 0
%files
%license COPYING
%{_datadir}/bash-completion/
%{_bindir}/%{name}-decrypt-tang
%{_bindir}/%{name}-decrypt-tpm2
%{_bindir}/%{name}-decrypt-sss
%{_bindir}/%{name}-decrypt-null
%{_bindir}/%{name}-decrypt
%{_bindir}/%{name}-encrypt-tang
%{_bindir}/%{name}-encrypt-tpm2
%{_bindir}/%{name}-encrypt-sss
%{_bindir}/%{name}-encrypt-null
%{_bindir}/%{name}
%{_mandir}/man1/%{name}-encrypt-tang.1*
%{_mandir}/man1/%{name}-encrypt-tpm2.1*
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%{_sysusersdir}/clevis.conf
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1.*
%{_mandir}/man1/%{name}-luks-edit.1.*
%{_mandir}/man1/%{name}-luks-regen.1.*
%{_mandir}/man1/%{name}-luks-report.1.*
%{_mandir}/man1/%{name}-luks-pass.1.*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-edit
%{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-pass
%files systemd
%{_libexecdir}/%{name}-luks-askpass
%{_libexecdir}/%{name}-luks-unlocker
%{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%files pin-pkcs11
%{_libexecdir}/%{name}-luks-pkcs11-askpass
%{_libexecdir}/%{name}-luks-pkcs11-askpin
%{_bindir}/%{name}-decrypt-pkcs11
%{_bindir}/%{name}-encrypt-pkcs11
%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
%{_bindir}/%{name}-pkcs11-common
%{_unitdir}/%{name}-luks-pkcs11-askpass.service
%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%autochangelog

1
clevis.sysusers Normal file
View File

@ -0,0 +1 @@
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (clevis-21.tar.xz) = 66f141b9d0c35ec3bb975b49053ee11f8fd5492b2af0377797892d6e28f4491b146e48477107dcf0ae5860ed1b08920bc95ed69893664689077c1342169cd399