Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

20 changed files with 242 additions and 1537 deletions

1
.clevis.metadata Normal file
View File

@ -0,0 +1 @@
905a3b7a326dfc8e84a0b09d3246bea3d048fa78 SOURCES/clevis-20.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/clevis-15.tar.xz SOURCES/clevis-20.tar.xz

View File

@ -1,176 +0,0 @@
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 25 Oct 2020 11:15:46 -0300
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
---
src/luks/tests/meson.build | 11 +----------
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
src/pins/tang/meson.build | 11 +----------
src/pins/tang/pin-tang | 11 ++++++++---
4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index ba5f6a2..c0f9dc3 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -17,14 +17,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -58,11 +50,10 @@ env.prepend('PATH',
)
has_tang = false
-if actv.found() and kgen.found() and updt.found() and tang.found()
+if actv.found() and kgen.found() and tang.found()
has_tang = true
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
endif
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
index 8520715..318d007 100755
--- a/src/luks/tests/tests-common-functions.in
+++ b/src/luks/tests/tests-common-functions.in
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
return 1
fi
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
-
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
- mkdir -p "${cache}"
+
+ if [ -n "${TANGD_UPDATE}" ]; then
+ local cache="${basedir}/cache"
+ mkdir -p "${cache}"
+ fi
pushd "${db}"
find . -name ".*.jwk" -exec rm -f {} \;
popd
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -277,12 +278,12 @@ tang_new_keys() {
fi
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
+
if [ -n "${rotate}" ]; then
pushd "${db}"
local k
@@ -296,7 +297,7 @@ tang_new_keys() {
fi
"${TANGD_KEYGEN}" "${db}"
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -322,6 +323,8 @@ tang_run() {
fi
local KEYS="${basedir}/cache"
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
+
local inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
index f7d8226..ebcdd4a 100644
--- a/src/pins/tang/meson.build
+++ b/src/pins/tang/meson.build
@@ -12,14 +12,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -35,11 +27,10 @@ if curl.found()
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
- if actv.found() and kgen.found() and updt.found() and tang.found()
+ if actv.found() and kgen.found() and tang.found()
env = environment()
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
env.prepend('PATH',
join_paths(meson.source_root(), 'src'),
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
index 98e5e4d..a63d0a2 100755
--- a/src/pins/tang/pin-tang
+++ b/src/pins/tang/pin-tang
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
mkdir -p "$TMP"/cache
# Generate the server keys
+KEYS="$TMP"/db
"${TANGD_KEYGEN}" "$TMP"/db sig exc
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
+if which tangd-update; then
+ tangd-update "$TMP"/db "$TMP"/cache
+ KEYS="$TMP"/cache
+fi
# Start the server
port="$(shuf -i 1024-65536 -n 1)"
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
PID=$!
sleep 0.25
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
-adv="$TMP/cache/default.jws"
url="http://localhost:${port}"
+adv="$TMP/adv"
+curl "$url/adv" -o "$adv"
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--
2.18.4

View File

@ -0,0 +1,56 @@
--- clevis-20.old/src/luks/udisks2/clevis-luks-udisks2.c 2024-03-08 09:35:37.000000000 +0100
+++ clevis-20/src/luks/udisks2/clevis-luks-udisks2.c 2024-05-21 10:04:15.301469592 +0200
@@ -264,8 +264,10 @@
error:
g_list_free_full(ctx.lst, g_free);
- g_main_loop_unref(ctx.loop);
- g_object_unref(ctx.clt);
+ if (ctx.loop)
+ g_main_loop_unref(ctx.loop);
+ if (ctx.clt)
+ g_object_unref(ctx.clt);
close(sock);
return exit_status;
}
@@ -299,12 +301,12 @@
safeclose(&pair[0]);
}
-static ssize_t
-recover_key(const pkt_t *jwe, char *out, size_t max, uid_t uid, gid_t gid)
+static uint32_t
+recover_key(const pkt_t *jwe, char *out, int32_t max, uid_t uid, gid_t gid)
{
int push[2] = { -1, -1 };
int pull[2] = { -1, -1 };
- ssize_t bytes = 0;
+ int32_t bytes = 0;
pid_t chld = 0;
if (pipe(push) != 0)
@@ -379,12 +381,18 @@
}
bytes = 0;
- for (ssize_t block = 1; block > 0; bytes += block) {
- block = read(pull[PIPE_RD], &out[bytes], max - bytes);
- if (block < 0) {
- kill(chld, SIGTERM);
- goto error;
- }
+ ssize_t block = 0;
+ while (max > 0 && max > bytes) {
+ do {
+ block = read(pull[PIPE_RD], &out[bytes], max - bytes);
+ } while (block < 0 && errno == EINTR);
+ if (block < 0 || block < INT32_MIN || block > INT32_MAX) {
+ kill(chld, SIGTERM);
+ goto error;
+ }
+ if (block == 0)
+ break;
+ bytes += block;
}
safeclose(&pull[PIPE_RD]);

View File

@ -1,309 +0,0 @@
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 3 Nov 2020 08:42:48 -0300
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
binding
Usage:
clevis luks pass -d /dev/sda1 -s 1
<passphrase here>
---
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
src/luks/meson.build | 3 ++
src/luks/tests/meson.build | 2 +
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
6 files changed, 230 insertions(+)
create mode 100755 src/luks/clevis-luks-pass
create mode 100644 src/luks/clevis-luks-pass.1.adoc
create mode 100755 src/luks/tests/pass-tang-luks1
create mode 100755 src/luks/tests/pass-tang-luks2
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
new file mode 100755
index 0000000..1f59b39
--- /dev/null
+++ b/src/luks/clevis-luks-pass
@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
+
+usage() {
+ exec >&2
+ echo "Usage: clevis luks pass -d DEV -s SLT"
+ echo
+ echo "$SUMMARY"
+ echo
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
+ echo
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
+ echo
+ exit 1
+}
+
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
+ echo "${SUMMARY}"
+ exit 0
+fi
+
+while getopts ":d:s:" o; do
+ case "$o" in
+ d) DEV=${OPTARG};;
+ s) SLT=${OPTARG};;
+ *) usage;;
+ esac
+done
+
+if [ -z "${DEV}" ]; then
+ echo "Did not specify a device!" >&2
+ usage
+fi
+
+if [ -z "${SLT}" ]; then
+ echo "Did not specify a slot!" >&2
+ usage
+fi
+
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
+ exit 1
+fi
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
new file mode 100644
index 0000000..fa9526a
--- /dev/null
+++ b/src/luks/clevis-luks-pass.1.adoc
@@ -0,0 +1,43 @@
+CLEVIS-LUKS-PASS(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
+
+== SYNOPSIS
+
+*clevis luks pass* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
+For example:
+
+ clevis luks pass -d /dev/sda1 -s 1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+ The LUKS device on which to extract a passphrase from
+
+* *-s* _SLT_ :
+ The slot to use for extracting the passphrase
+
+== EXAMPLE
+
+ clevis luks pass -d /dev/sda1 -s 1
+ <passphrase here>
+
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
+file together with cryptsetup. For instance:
+
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
+
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
+
+== SEE ALSO
+
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 12f5a0d..008736e 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
+
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
else
warning('Will not install LUKS support due to missing dependencies!')
endif
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index c22a069..f4584aa 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -84,6 +84,7 @@ if has_tang
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
endif
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
new file mode 100755
index 0000000..0d91e6c
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks1
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
new file mode 100755
index 0000000..2d50413
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks2
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
--
2.29.2

View File

@ -1,41 +0,0 @@
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 3/3] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
index 285bba4..f19671f 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

View File

@ -1,101 +0,0 @@
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].
However, systemd itself has a utility that does exactly that,
systemd-reply-password.
In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.
[1] https://systemd.io/PASSWORD_AGENTS/
---
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
src/luks/systemd/meson.build | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 5 deletions(-)
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
fi
uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
continue
fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
inst_multiple \
/etc/services \
+ @SYSTEMD_REPLY_PASS@ \
@libexecdir@/clevis-luks-askpass \
clevis-luks-common-functions \
grep sed cut \
@@ -45,8 +46,7 @@ install() {
luksmeta \
clevis \
mktemp \
- jose \
- ncat
+ jose
dracut_need_initqueue
}
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
subdir('dracut')
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
configuration: data,
)
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
else
warning('Will not install systemd support due to missing dependencies!')
endif
--
2.33.1

View File

@ -1,26 +0,0 @@
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 25 Nov 2021 19:18:03 -0300
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
happen
---
src/luks/clevis-luks-common-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 879ca4c..df8e16d 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|| [ -z "${passphrase}" ]; then
return 1
fi
--
2.33.1

View File

@ -1,45 +0,0 @@
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
set (#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index df8e16d..67ece72 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.33.1

View File

@ -1,83 +0,0 @@
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
From: Renaud Metrich <rmetrich@redhat.com>
Date: Fri, 7 Jan 2022 12:13:03 -0300
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-bind.in | 7 +++++--
src/luks/clevis-luks-common-functions | 7 ++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
index 4748c08..017f762 100755
--- a/src/luks/clevis-luks-bind.in
+++ b/src/luks/clevis-luks-bind.in
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
exit 1
fi
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ "$luks_type" == "luks1" ]; then
+ pbkdf_args=
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
# cryptsetup, which means we will try to save LUKSMeta metadata over an
# already used or partially used slot -- github issue #70.
@@ -184,7 +186,7 @@ fi
# Add the new key.
if [ -n "$SLT" ]; then
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
<(echo -n "$existing_key") "$DEV"
else
if [ $luks_type == "luks2" ]; then
@@ -194,7 +196,8 @@ else
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+ cryptsetup luksAddKey ${pbkdf_args} \
+ --key-file <(echo -n "${existing_key}") "$DEV"
fi < <(echo -n "${key}")
if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 67ece72..038cc37 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

View File

@ -1,16 +0,0 @@
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
@@ -73,10 +73,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with the server $url" >&2
exit 1
fi

View File

@ -1,213 +0,0 @@
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 9/9] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index cc3b492..448ba96 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1

View File

@ -1,24 +0,0 @@
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
@@ -27,6 +27,7 @@
}
cmd=clevis
+input_commands="$cmd $@"
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +37,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

View File

@ -1,53 +0,0 @@
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 11:07:00 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 038cc37..950f217 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

View File

@ -1,16 +0,0 @@
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
@@ -413,7 +413,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a

View File

@ -1,73 +0,0 @@
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
@@ -865,6 +865,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -876,6 +877,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
@@ -19,6 +19,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. clevis-luks-common-functions
+
SUMMARY="Binds a LUKS device using the specified policy"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
@@ -139,14 +141,11 @@
fi
# Generate a key with the same entropy as the LUKS Master Key
-key="$(pwmake "$(
-cryptsetup luksDump "$DEV" \
- | if [ "$luks_type" == "luks1" ]; then
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
- else
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
- fi | sort -n | tail -n 1
-)")"
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
+ || [ -z "${key}" ]; then
+ echo "Unable to generate key for ${DEV}" >&2
+ return 1
+fi
# Encrypt the new key
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"

View File

@ -1,11 +0,0 @@
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi

View File

@ -1,219 +0,0 @@
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
@@ -50,12 +50,30 @@
exit 1
fi
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
- | jose jwk thp -i- -f "$kid")"; then
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
exit 1
fi
+# Check if the thumbprint we have in `kid' is in the advertised keys.
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "${keys}")"; then
+ # `kid' thumprint not in the advertised keys, but it's possible it was
+ # generated using a different algorithm than the default one.
+ # Let us try the alternative supported algorithms to make sure `kid'
+ # really is not part of the advertised keys.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
+ exit 1
+ fi
+fi
+
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
exit 1
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
@@ -64,6 +64,9 @@
exit 1
fi
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
trust=
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
@@ -111,15 +114,24 @@
if [ -z "$thp" ]; then
echo "The advertisement contains the following signing keys:" >&2
echo >&2
- jose jwk thp -i- <<< "$ver" >&2
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
echo >&2
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
[[ "$ans" =~ ^[yY]$ ]] || exit 1
-
elif [ "$thp" != "any" ] && \
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
- exit 1
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "$ver"; then
+ # Thumbprint of trusted JWK did not match the signature. Let's check
+ # alternative thumbprints generated with clevis supported hash
+ # algorithms to be sure.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
+ && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
+ exit 1
+ fi
fi
fi
@@ -138,7 +150,7 @@
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
-kid="$(jose jwk thp -i- <<< "$jwk")"
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
@@ -113,6 +113,7 @@
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
@@ -0,0 +1,120 @@
+#!/bin/bash
+set -exo pipefail
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+. tests-common-functions
+
+TEST=$(basename "${0}")
+
+on_exit() {
+ exit_status=$?
+ tang_stop "${TMP}"
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+ exit "${exit_status}"
+}
+
+trap 'on_exit' EXIT
+
+TMP="$(mktemp -d)"
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}"
+
+url="http://localhost:${port}"
+data="just a sample text"
+
+adv="${TMP}/adv"
+# Get the advertisement and extract the keys.
+tang_get_adv "${port}" "${adv}"
+
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
+ --use deriveKey --output=-)"
+
+jose fmt --json="${enc}" --get keys --array \
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
+
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
+
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
+
+# We currently support SHA-1 (legacy) and SHA-256.
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
+# Now we will use every hash algorithm supported by jose to create a thumbprint
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
+# correctly.
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
+
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Now let's test encryption providing the thp in the configuration.
+data="just another test"
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
+ fi
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Let's also try some unsupported thp hash algorithms.
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
+for alg in ${UNSUPPORTED}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
+ fi
+done
+
+# Now let's try some bad values for thp.
+for thp in "" "foo" "invalid"; do
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
+ fi
+done

1
SOURCES/clevis.sysusers Normal file
View File

@ -0,0 +1 @@
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin

View File

@ -1,31 +1,16 @@
%global _hardened_build 1
Name: clevis Name: clevis
Version: 15 Version: 20
Release: 15%{?dist} Release: 200%{?dist}
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPLv3+
URL: https://github.com/latchset/%{name} URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch1: 0001-Include-miscellaneous-sast-fixes-clevis-luks-udisk-2.patch
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0008: 0008-tang-dump-url-on-error-communication.patch
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
Patch0010: 0010-avoid-clevis-invalid-msg.patch
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
Patch0015: 0015-support-sha256-algorithm.patch
BuildRequires: git BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
BuildRequires: meson BuildRequires: meson
BuildRequires: asciidoc BuildRequires: asciidoc
@ -38,22 +23,21 @@ BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel BuildRequires: libudisks2-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 3.0.0 BuildRequires: tpm2-tools >= 4.0.0
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: dracut BuildRequires: dracut
BuildRequires: tang >= 6 BuildRequires: tang >= 6
BuildRequires: curl BuildRequires: curl
BuildRequires: luksmeta BuildRequires: luksmeta
BuildRequires: cracklib-dicts
BuildRequires: jq
BuildRequires: diffutils
BuildRequires: expect
BuildRequires: openssl BuildRequires: openssl
BuildRequires: diffutils
BuildRequires: cryptsetup
BuildRequires: jq
Requires: cracklib-dicts Requires: tpm2-tools >= 4.0.0
Requires: tpm2-tools >= 3.0.0
Requires: coreutils Requires: coreutils
Requires: jose >= 8 Requires: jose >= 8
Requires: curl Requires: curl
@ -69,7 +53,7 @@ occur automatically.
The clevis package provides basic encryption/decryption policy support. The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKS and clevis-dracut packages for automatic root volume unlocking of LUKSv1
volumes during early boot. volumes during early boot.
%package luks %package luks
@ -101,7 +85,7 @@ Requires: systemd%{?_isa} >= 236
%endif %endif
%description systemd %description systemd
Automatically unlocks clevis-bound LUKS block devices during boot. Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
%package dracut %package dracut
Summary: Dracut integration for clevis Summary: Dracut integration for clevis
@ -128,6 +112,7 @@ use UDisks2 or storaged (like GNOME).
%install %install
%meson_install %meson_install
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
%check %check
desktop-file-validate \ desktop-file-validate \
@ -135,10 +120,7 @@ desktop-file-validate \
%meson_test %meson_test
%pre %pre
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null %sysusers_create_compat %{SOURCE1}
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
# Add clevis user to tss group. # Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null usermod -a -G tss %{name} &>/dev/null
@ -166,159 +148,230 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%{_mandir}/man1/%{name}-encrypt-sss.1* %{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1* %{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1* %{_mandir}/man1/%{name}.1*
%{_sysusersdir}/clevis.conf
%files luks %files luks
%{_mandir}/man7/%{name}-luks-unlockers.7* %{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1* %{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1* %{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1* %{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1* %{_mandir}/man1/%{name}-luks-list.1.*
%{_mandir}/man1/%{name}-luks-pass.1* %{_mandir}/man1/%{name}-luks-edit.1.*
%{_mandir}/man1/%{name}-luks-regen.1* %{_mandir}/man1/%{name}-luks-regen.1.*
%{_mandir}/man1/%{name}-luks-report.1* %{_mandir}/man1/%{name}-luks-report.1.*
%{_mandir}/man1/%{name}-luks-edit.1* %{_mandir}/man1/%{name}-luks-pass.1.*
%{_bindir}/%{name}-luks-unlock %{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind %{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind %{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions %{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list %{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-pass %{_bindir}/%{name}-luks-edit
%{_bindir}/%{name}-luks-regen %{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report %{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-edit %{_bindir}/%{name}-luks-pass
%files systemd %files systemd
%{_libexecdir}/%{name}-luks-askpass %{_libexecdir}/%{name}-luks-askpass
%{_libexecdir}/%{name}-luks-unlocker
%{_unitdir}/%{name}-luks-askpass.path %{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service %{_unitdir}/%{name}-luks-askpass.service
%files dracut %files dracut
%{_prefix}/lib/dracut/modules.d/60%{name} %{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null %{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%files udisks2 %files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog %changelog
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15 * Tue May 21 2024 Sergio Arroutbi <sarroutb@redhat.com> - 20-200
- Include SHA-256 thumbprints clevis support - Rebase to clevis-20
Resolves: rhbz#2209058 Resolves: #RHEL-29282
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14 * Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112
- Remove pwmake for password generation
Resolves: rhbz#2207488
* Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111
- Fix changelog to correct versions
Resolves: rhbz#2180451
* Wed Jan 25 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-110
- luks-edit: remove unnecessary 2>/dev/null - luks-edit: remove unnecessary 2>/dev/null
Resolves: rhbz#2159739 Resolves: rhbz#2159738
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13 * Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-109
- luks: define max entropy bits for pwmake - luks: define max entropy bits for pwmake
Resolves: rhbz#2159736 Resolves: rhbz#2159735
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12 * Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-108
- Ignore empty & comment lines in crypttab - Ignore empty & comment lines in crypttab
Resolves: rhbz#2159440 Resolves: rhbz#2159728
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11 * Tue Dec 13 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-107
- Start clevis-luks-askpass.path service according to global policy - Add existing token id parameter
Resolves: rhbz#2107081 Resolves: rhbz#2126533
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10 * Tue Aug 02 2022 Sergio Correia <scorreia@redhat.com> - 18-106
- Improve boot performance by removing key check
Resolves: rhbz#2099748
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
- Avoid invalid message for clevis command
Resolves: rhbz#2099325
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
- Support a null pin
Resolves: rhbz#2028096
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
- Dump server information on server error communication
Resolves: rhbz#2020193
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
- Explicitly specify pbkdf iterations to cryptsetup
Resolves: rhbz#1979256
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
- Enable debugging in clevis scripts when rd.debug is set - Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#1980742 Resolves: rhbz#2022420
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4 * Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-105
- Stop sending stderr to the void when decryption doesn't happen - Start clevis-luks-askpass.path service according to global policy
Resolves: rhbz#1976880 Resolves: rhbz#2107078
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3 * Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-104
- Drop ncat dependency - Improve boot performance by removing key check
Resolves: rhbz#1949289 Resolves: rhbz#2099701
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2 * Mon Jun 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-103
- Avoid invalid message for clevis command
Resolves: rhbz#2080281
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-102
- Support a null pin
Resolves: rhbz#2028091
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-101
- Revert "Enable debugging in clevis scripts when rd.debug is set"
Related: rhbz#2022420
* Thu Jan 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-100
- Dump server information on server error communication
Resolves: rhbz#2022423
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-7
- Explicitly specify pbkdf iterations to cryptsetup
Resolves: rhbz#2022416
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-6
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#2022420
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5
- Account for unlocking failures in clevis-luks-askpass - Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2018292 Resolves: rhbz#2022421
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4
- Update to latest upstream release, v15 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Resolves: rhbz#1887836 Related: rhbz#1991688
Resolves: rhbz#1853651
Resolves: rhbz#1874460
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 18-3
- Add clevis luks edit command - Rebuilt for RHEL 9 BETA for openssl 3.0
Resolves: rhbz#1436735 Related: rhbz#1971065
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2 * Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
- Introduce -y (assume yes) argument to clevis luks bind - Port to OpenSSL 3
Resolves: rhbz#1819767 Resolves: rhbz#1956760
* Tue May 04 2021 Sergio Correia <scorreia@redhat.com> - 18-1
- Update to new clevis upstream release, v18
Resolves: rhbz#1956760
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 16-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
- Update to new clevis upstream release, v16.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
- Upstream patch for tpm-tools 5.0 support
* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
- Add jq to dependencies
* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to new clevis upstream release, v15.
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
- Suppress output in pre scriptlet when adjusting users/groups
Resolves: rhbz#1876729
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
when receives a SIGTERM
Resolves: rhbz#1876001
* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
- If clevis-luks-askpass is enabled, it may be using a wrong target,
since that changed in v14. Check and update it, if required.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
- Update sources file with new v14 release.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
- Update to new clevis upstream release, v14.
* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
- Downgrade cracklib-dicts to Recommends
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1 * Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new upstream release, v13 - Update to new clevis upstream release, v13.
Resolves: rhbz#1827225
Resolves: rhbz#1827665
Resolves: rhbz#1801556
Resolves: rhbz#1784448
Resolves: rhbz#1826917
Resolves: rhbz#1812014
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9 * Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
- Improve clevis luks regen not to unbind+bind in every case - cracklib-dicts should be also listed as a build dependency, since
Resolves: rhbz#1795675 it's required for running some of the tests
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8 * Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
- Use one clevis-luks-askpass per device - Make cracklib-dicts a regular dependency
Resolves: rhbz#1784524
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
- Add rd.neednet=1 to cmdline only if there are devices bound to tang - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Resolves: rhbz#1762028
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6 * Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
- Add option to extract luks passphrase used for binding - Update to new clevis upstream release, v12.
Resolves: rhbz#1436780
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5 * Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Add support for listing existing PBD policies in place - Backport upstream PR#70 - Handle case where we try to use a partially
Resolves: rhbz#1766526 used luksmeta slot
Resolves: rhbz#1672371
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4 * Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
- Improve error message when bind is given an invalid PIN - Disable LUKS2 tests for now, since they fail randomly in Koji
Resolves: rhbz#1543380 builders, killing the build
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3 * Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
- Add clevis luks report and regen - Backport of upstream patches and the following fixes:
Resolves: rhbz#1564566 - Rework the logic for reading the existing key
Resolves: rhbz#1564559 - fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- pins/tang: check that key derivation key is available
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2 * Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
- Check that key derivation key is available - Drop need network patch
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
- Add support for tpm2-tools 4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
- Update patch for work around
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
- Work around network requirement for early boot
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
- Delete remaining references to the removed http pin - Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs - Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs - Add device TCTI library to the initramfs
Resolves: rhbz#1648004 Resolves: rhbz#1644876
Resolves: rhbz#1650246
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1 * Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11 - Update to v11