rpms
/
clevis
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c9/clevis-18-110.el9
Branches Tags
rpms:c8
rpms:c9s
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:c8s
rpms:imports/c8/clevis-15-15.el8
rpms:imports/c9/clevis-18-112.el9
rpms:imports/c8-beta/clevis-15-15.el8
rpms:imports/c9-beta/clevis-18-112.el9
rpms:imports/c8/clevis-15-14.el8
rpms:imports/c9/clevis-18-110.el9
rpms:imports/c9-beta/clevis-18-110.el9
rpms:imports/c8-beta/clevis-15-14.el8
rpms:imports/c8s/clevis-15-14.el8
rpms:imports/c8s/clevis-15-13.el8
rpms:imports/c8s/clevis-15-12.el8
rpms:imports/c9/clevis-18-106.el9
rpms:imports/c8/clevis-15-11.el8
rpms:imports/c9-beta/clevis-18-106.el9
rpms:imports/c8-beta/clevis-15-11.el8
rpms:imports/c8s/clevis-15-11.el8
rpms:imports/c9/clevis-18-102.el9
rpms:imports/c8/clevis-15-8.el8
rpms:imports/c8-beta/clevis-15-8.el8
rpms:imports/c9-beta/clevis-18-102.el9
rpms:imports/c8/clevis-15-1.el8_5.1
rpms:imports/c8s/clevis-15-8.el8
rpms:imports/c8s/clevis-15-7.el8
rpms:imports/c8s/clevis-15-6.el8
rpms:imports/c9-beta/clevis-18-5.el9
rpms:imports/c9-beta/clevis-18-4.el9
rpms:imports/c8s/clevis-15-4.el8
rpms:imports/c8s/clevis-15-3.el8
rpms:imports/c8s/clevis-15-2.el8
rpms:imports/c8-beta/clevis-15-1.el8
rpms:imports/c8-beta/clevis-13-3.el8
rpms:imports/c8-beta/clevis-11-7.el8
rpms:imports/c8-beta/clevis-11-2.el8
rpms:imports/c8s/clevis-15-1.el8
rpms:imports/c8s/clevis-13-3.el8
rpms:imports/c8s/clevis-11-9.el8
rpms:imports/c8/clevis-15-1.el8
rpms:imports/c8/clevis-13-3.el8
rpms:imports/c8/clevis-11-9.el8_2.1
rpms:imports/c8/clevis-11-9.el8
rpms:imports/c8/clevis-11-2.el8
...
compare: rpms:c8
Branches Tags
rpms:c8
rpms:c9s
rpms:c9
rpms:c8-beta
rpms:c9-beta
rpms:c8s
rpms:imports/c8/clevis-15-15.el8
rpms:imports/c9/clevis-18-112.el9
rpms:imports/c8-beta/clevis-15-15.el8
rpms:imports/c9-beta/clevis-18-112.el9
rpms:imports/c8/clevis-15-14.el8
rpms:imports/c9/clevis-18-110.el9
rpms:imports/c9-beta/clevis-18-110.el9
rpms:imports/c8-beta/clevis-15-14.el8
rpms:imports/c8s/clevis-15-14.el8
rpms:imports/c8s/clevis-15-13.el8
rpms:imports/c8s/clevis-15-12.el8
rpms:imports/c9/clevis-18-106.el9
rpms:imports/c8/clevis-15-11.el8
rpms:imports/c9-beta/clevis-18-106.el9
rpms:imports/c8-beta/clevis-15-11.el8
rpms:imports/c8s/clevis-15-11.el8
rpms:imports/c9/clevis-18-102.el9
rpms:imports/c8/clevis-15-8.el8
rpms:imports/c8-beta/clevis-15-8.el8
rpms:imports/c9-beta/clevis-18-102.el9
rpms:imports/c8/clevis-15-1.el8_5.1
rpms:imports/c8s/clevis-15-8.el8
rpms:imports/c8s/clevis-15-7.el8
rpms:imports/c8s/clevis-15-6.el8
rpms:imports/c9-beta/clevis-18-5.el9
rpms:imports/c9-beta/clevis-18-4.el9
rpms:imports/c8s/clevis-15-4.el8
rpms:imports/c8s/clevis-15-3.el8
rpms:imports/c8s/clevis-15-2.el8
rpms:imports/c8-beta/clevis-15-1.el8
rpms:imports/c8-beta/clevis-13-3.el8
rpms:imports/c8-beta/clevis-11-7.el8
rpms:imports/c8-beta/clevis-11-2.el8
rpms:imports/c8s/clevis-15-1.el8
rpms:imports/c8s/clevis-13-3.el8
rpms:imports/c8s/clevis-11-9.el8
rpms:imports/c8/clevis-15-1.el8
rpms:imports/c8/clevis-13-3.el8
rpms:imports/c8/clevis-11-9.el8_2.1
rpms:imports/c8/clevis-11-9.el8
rpms:imports/c8/clevis-11-2.el8

No commits in common. "imports/c9/clevis-18-110.el9" and "c8" have entirely different histories.
imports/c9 ... c8

23 changed files with 1154 additions and 747 deletions
Show Stats Expand all files Collapse all files

1
.clevis.metadata
View File

@ -1 +0,0 @@
dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/clevis-18.tar.xz
SOURCES/clevis-15.tar.xz

176
SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch Normal file
View File

@ -0,0 +1,176 @@
From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 25 Oct 2020 11:15:46 -0300
Subject: [PATCH] Fixes for dealing with newer tang without tangd-update
---
src/luks/tests/meson.build | 11 +----------
src/luks/tests/tests-common-functions.in | 19 +++++++++++--------
src/pins/tang/meson.build | 11 +----------
src/pins/tang/pin-tang | 11 ++++++++---
4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index ba5f6a2..c0f9dc3 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -17,14 +17,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -58,11 +50,10 @@ env.prepend('PATH',
)
has_tang = false
-if actv.found() and kgen.found() and updt.found() and tang.found()
+if actv.found() and kgen.found() and tang.found()
has_tang = true
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
endif
diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in
index 8520715..318d007 100755
--- a/src/luks/tests/tests-common-functions.in
+++ b/src/luks/tests/tests-common-functions.in
@@ -251,18 +251,19 @@ tang_remove_rotated_keys() {
return 1
fi
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
-
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
- mkdir -p "${cache}"
+
+ if [ -n "${TANGD_UPDATE}" ]; then
+ local cache="${basedir}/cache"
+ mkdir -p "${cache}"
+ fi
pushd "${db}"
find . -name ".*.jwk" -exec rm -f {} \;
popd
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -277,12 +278,12 @@ tang_new_keys() {
fi
[ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined."
- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined."
local db="${basedir}/db"
- local cache="${basedir}/cache"
mkdir -p "${db}"
+ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache"
+
if [ -n "${rotate}" ]; then
pushd "${db}"
local k
@@ -296,7 +297,7 @@ tang_new_keys() {
fi
"${TANGD_KEYGEN}" "${db}"
- "${TANGD_UPDATE}" "${db}" "${cache}"
+ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}"
return 0
}
@@ -322,6 +323,8 @@ tang_run() {
fi
local KEYS="${basedir}/cache"
+ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db"
+
local inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build
index f7d8226..ebcdd4a 100644
--- a/src/pins/tang/meson.build
+++ b/src/pins/tang/meson.build
@@ -12,14 +12,6 @@ kgen = find_program(
join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'),
required: false
)
-updt = find_program(
- join_paths(libexecdir, 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'),
- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'),
- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'),
- required: false
-)
tang = find_program(
join_paths(libexecdir, 'tangd'),
join_paths(get_option('prefix'), get_option('libdir'), 'tangd'),
@@ -35,11 +27,10 @@ if curl.found()
bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
- if actv.found() and kgen.found() and updt.found() and tang.found()
+ if actv.found() and kgen.found() and tang.found()
env = environment()
env.set('SD_ACTIVATE', actv.path())
env.set('TANGD_KEYGEN', kgen.path())
- env.set('TANGD_UPDATE', updt.path())
env.set('TANGD', tang.path())
env.prepend('PATH',
join_paths(meson.source_root(), 'src'),
diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang
index 98e5e4d..a63d0a2 100755
--- a/src/pins/tang/pin-tang
+++ b/src/pins/tang/pin-tang
@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db
mkdir -p "$TMP"/cache
# Generate the server keys
+KEYS="$TMP"/db
"${TANGD_KEYGEN}" "$TMP"/db sig exc
-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache
+if which tangd-update; then
+ tangd-update "$TMP"/db "$TMP"/cache
+ KEYS="$TMP"/cache
+fi
# Start the server
port="$(shuf -i 1024-65536 -n 1)"
@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)"
inetd='--inetd'
[ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd=
-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache &
+"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" &
PID=$!
sleep 0.25
thp="$(jose jwk thp -i "$TMP/db/sig.jwk")"
-adv="$TMP/cache/default.jws"
url="http://localhost:${port}"
+adv="$TMP/adv"
+curl "$url/adv" -o "$adv"
cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")"
enc="$(echo -n "hi" | clevis encrypt tang "$cfg")"
--
2.18.4

47
SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
View File

@ -1,47 +0,0 @@
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 3 May 2021 22:36:36 -0300
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
Different OpenSSL versions define BN_zero() differently -- sometimes
returning an integer, sometimes as void --, so let's use instead
BN_set_word() instead, not to have issues when building with these
different versions.
---
src/pins/sss/sss.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
index a37215d..7486d6c 100644
--- a/src/pins/sss/sss.c
+++ b/src/pins/sss/sss.c
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
if (BN_rand_range(xx, pp) <= 0)
return NULL;
- if (BN_zero(yy) <= 0)
+ if (BN_set_word(yy, 0) <= 0)
return NULL;
for (size_t i = 0; i < json_array_size(e); i++) {
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
if (!ctx || !pp || !acc || !tmp || !k)
return NULL;
- if (BN_zero(k) <= 0)
+ if (BN_set_word(k, 0) <= 0)
return NULL;
len = jose_b64_dec(p, NULL, 0);
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
/* acc *= (0 - xi) / (xo - xi) */
- if (BN_zero(tmp) <= 0)
+ if (BN_set_word(tmp, 0) <= 0)
return NULL;
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
--
2.31.1

309
SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch Normal file
View File

@ -0,0 +1,309 @@
From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 3 Nov 2020 08:42:48 -0300
Subject: [PATCH 2/2] Add the option to extract luks passphrase used for
binding
Usage:
clevis luks pass -d /dev/sda1 -s 1
<passphrase here>
---
src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++
src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++
src/luks/meson.build | 3 ++
src/luks/tests/meson.build | 2 +
src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++
src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++
6 files changed, 230 insertions(+)
create mode 100755 src/luks/clevis-luks-pass
create mode 100644 src/luks/clevis-luks-pass.1.adoc
create mode 100755 src/luks/tests/pass-tang-luks1
create mode 100755 src/luks/tests/pass-tang-luks2
diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass
new file mode 100755
index 0000000..1f59b39
--- /dev/null
+++ b/src/luks/clevis-luks-pass
@@ -0,0 +1,64 @@
+#!/bin/bash -e
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Returns the LUKS passphrase used for binding a particular slot."
+
+usage() {
+ exec >&2
+ echo "Usage: clevis luks pass -d DEV -s SLT"
+ echo
+ echo "$SUMMARY"
+ echo
+ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding"
+ echo
+ echo " -s SLOT The slot number to extract the LUKS passphrase"
+ echo
+ exit 1
+}
+
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
+ echo "${SUMMARY}"
+ exit 0
+fi
+
+while getopts ":d:s:" o; do
+ case "$o" in
+ d) DEV=${OPTARG};;
+ s) SLT=${OPTARG};;
+ *) usage;;
+ esac
+done
+
+if [ -z "${DEV}" ]; then
+ echo "Did not specify a device!" >&2
+ usage
+fi
+
+if [ -z "${SLT}" ]; then
+ echo "Did not specify a slot!" >&2
+ usage
+fi
+
+if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then
+ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2
+ exit 1
+fi
diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc
new file mode 100644
index 0000000..fa9526a
--- /dev/null
+++ b/src/luks/clevis-luks-pass.1.adoc
@@ -0,0 +1,43 @@
+CLEVIS-LUKS-PASS(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device
+
+== SYNOPSIS
+
+*clevis luks pass* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device.
+For example:
+
+ clevis luks pass -d /dev/sda1 -s 1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+ The LUKS device on which to extract a passphrase from
+
+* *-s* _SLT_ :
+ The slot to use for extracting the passphrase
+
+== EXAMPLE
+
+ clevis luks pass -d /dev/sda1 -s 1
+ <passphrase here>
+
+Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key
+file together with cryptsetup. For instance:
+
+ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase
+
+And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1.
+
+== SEE ALSO
+
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)],
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 12f5a0d..008736e 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit')
mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1')
+
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass')
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1')
else
warning('Will not install LUKS support due to missing dependencies!')
endif
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
index c22a069..f4584aa 100644
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -84,6 +84,7 @@ if has_tang
test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90)
test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90)
test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150)
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
endif
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120)
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
+ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1
new file mode 100755
index 0000000..0d91e6c
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks1
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2
new file mode 100755
index 0000000..2d50413
--- /dev/null
+++ b/src/luks/tests/pass-tang-luks2
@@ -0,0 +1,59 @@
+#!/bin/bash -x
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST="${0}"
+. tests-common-functions
+. clevis-luks-common-functions
+
+function on_exit() {
+ [ ! -d "${TMP}" ] && return 0
+ tang_stop "${TMP}"
+ rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP=$(mktemp -d)
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}" &
+tang_wait_until_ready "${port}"
+
+url="http://localhost:${port}"
+adv="${TMP}/adv"
+tang_get_adv "${port}" "${adv}"
+
+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")
+
+# LUKS2.
+DEV="${TMP}/luks2-device"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Bind should have succeeded."
+fi
+
+# Now let's test the passphrase.
+SLT=1
+PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}")
+echo $PASS >&2
+if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then
+ error "Passphrase obtained from clevis luks pass failed."
+fi
--
2.29.2

14
SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch → SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
View File

@ -1,7 +1,7 @@
From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
Subject: [PATCH 3/3] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
@ -16,13 +16,13 @@ answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
src/luks/systemd/clevis-luks-askpass | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
index 285bba4..f19671f 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass
@@ -67,8 +67,11 @@ while true; do
done

49
SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
View File

@ -1,49 +0,0 @@
From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Thu, 21 Oct 2021 13:58:52 +0200
Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-common-functions.in | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d53d2ab..360eb7e 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

101
SOURCES/0004-systemd-drop-ncat-dependency.patch Normal file
View File

@ -0,0 +1,101 @@
From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 18 Nov 2021 16:45:58 -0300
Subject: [PATCH 4/4] systemd: drop ncat dependency
When using systemd, i.e., clevis-luks-askpass, we use ncat to send
the decrypted password to the systemd socket as per systemd's password
agents specification [1].
However, systemd itself has a utility that does exactly that,
systemd-reply-password.
In this commit we drop the ncat dependency and instead use
systemd-reply-password in clevis-luks-askpass.
[1] https://systemd.io/PASSWORD_AGENTS/
---
...is-luks-askpass => clevis-luks-askpass.in} | 2 +-
.../systemd/dracut/clevis/module-setup.sh.in | 4 ++--
src/luks/systemd/meson.build | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 5 deletions(-)
rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
similarity index 97%
rename from src/luks/systemd/clevis-luks-askpass
rename to src/luks/systemd/clevis-luks-askpass.in
index f19671f..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -58,7 +58,7 @@ while true; do
fi
uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
continue
fi
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
index ebf969f..d46c6e2 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@ install() {
inst_multiple \
/etc/services \
+ @SYSTEMD_REPLY_PASS@ \
@libexecdir@/clevis-luks-askpass \
clevis-luks-common-functions \
grep sed cut \
@@ -45,8 +46,7 @@ install() {
luksmeta \
clevis \
mktemp \
- jose \
- ncat
+ jose
dracut_need_initqueue
}
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index 369e7f7..e3b3d91 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
subdir('dracut')
unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@ if systemd.found()
configuration: data,
)
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
else
warning('Will not install systemd support due to missing dependencies!')
endif
--
2.33.1

26
SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch Normal file
View File

@ -0,0 +1,26 @@
From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 25 Nov 2021 19:18:03 -0300
Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
happen
---
src/luks/clevis-luks-common-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 879ca4c..df8e16d 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
+ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
|| [ -z "${passphrase}" ]; then
return 1
fi
--
2.33.1

18
SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch → SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
View File

@ -1,9 +1,9 @@
From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001
From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set
(#340)
Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
set (#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
@ -11,13 +11,13 @@ By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++
src/luks/clevis-luks-common-functions | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d059aae..87b370f 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index df8e16d..67ece72 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
@ -41,5 +41,5 @@ index d059aae..87b370f 100644
# is a numeric value within the specified range.
valid_slot() {
--
2.35.1
2.33.1

83
SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch Normal file
View File

@ -0,0 +1,83 @@
From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
From: Renaud Metrich <rmetrich@redhat.com>
Date: Fri, 7 Jan 2022 12:13:03 -0300
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-bind.in | 7 +++++--
src/luks/clevis-luks-common-functions | 7 ++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
index 4748c08..017f762 100755
--- a/src/luks/clevis-luks-bind.in
+++ b/src/luks/clevis-luks-bind.in
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
exit 1
fi
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ "$luks_type" == "luks1" ]; then
+ pbkdf_args=
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
# cryptsetup, which means we will try to save LUKSMeta metadata over an
# already used or partially used slot -- github issue #70.
@@ -184,7 +186,7 @@ fi
# Add the new key.
if [ -n "$SLT" ]; then
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
<(echo -n "$existing_key") "$DEV"
else
if [ $luks_type == "luks2" ]; then
@@ -194,7 +196,8 @@ else
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+ cryptsetup luksAddKey ${pbkdf_args} \
+ --key-file <(echo -n "${existing_key}") "$DEV"
fi < <(echo -n "${key}")
if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 67ece72..038cc37 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

6
SOURCES/0005-tang-dump-url-on-error-communication.patch → SOURCES/0008-tang-dump-url-on-error-communication.patch
View File

@ -1,6 +1,6 @@
--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100
@@ -99,10 +99,10 @@
--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100
@@ -73,10 +73,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"

6
SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch → SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch
View File

@ -1,7 +1,7 @@
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 6/6] feat: rename the test pin to null pin
Subject: [PATCH 9/9] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
@ -22,7 +22,7 @@ Signed-off-by: Antonio Murdaca <runcom@linux.com>
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index 7e6d2b3..8d60d05 100755
index cc3b492..448ba96 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi

9
SOURCES/0007-avoid-clevis-invalid-msg.patch → SOURCES/0010-avoid-clevis-invalid-msg.patch
View File

@ -1,15 +1,14 @@
--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200
@@ -27,6 +27,8 @@
--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200
@@ -27,6 +27,7 @@
}
cmd=clevis
+input_commands="$cmd $@"
+
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +38,11 @@
@@ -36,8 +37,11 @@
done
exec >&2

385
SOURCES/0010-existing-luks2-token-id.patch
View File

@ -1,385 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100
@@ -25,7 +25,7 @@
usage() {
exec >&2
echo
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
echo
echo "$SUMMARY":
echo
@@ -42,6 +42,8 @@
echo " -k KEY Non-interactively read LUKS password from KEY file"
echo " -k - Non-interactively read LUKS password from standard input"
echo
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
+ echo
exit 2
}
@@ -52,13 +54,14 @@
FRC=
YES=
-while getopts ":hfyd:s:k:t:" o; do
+while getopts ":hfyd:s:k:t:e:" o; do
case "$o" in
f) FRC='-f';;
d) DEV="$OPTARG";;
s) SLT="$OPTARG";;
k) KEY="$OPTARG";;
t) TOKEN_ID="$OPTARG";;
+ e) EXISTING_TOKEN_ID="$OPTARG";;
y) FRC='-f'
YES='-y';;
*) usage;;
@@ -99,11 +102,20 @@
exit 1
fi
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
+ echo "Existing token ID not supported in this cryptsetup version" >&2
+ exit 1
+fi
+
# Get the existing passphrase/keyfile.
existing_key=
keyfile=
case "${KEY}" in
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
+ "")
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
+ fi
+ ;;
-) IFS= read -r -s -p "" existing_key ||:
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
&& [ -z "${FRC}" ]; then
@@ -119,6 +131,13 @@
;;
esac
+# Check if existing token id for keyring read is provided
+# If so, keyfile is not allowed
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
+ echo "Cannot specify kernel keyring description together with key file" >&2
+ exit 1
+fi
+
# If necessary, initialize the LUKS volume.
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
luksmeta init -d "${DEV}" ${FRC}
@@ -127,7 +146,7 @@
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
"${PIN}" "${CFG}" \
"${YES}" "" \
- "${existing_key}" "${keyfile}"; then
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
echo "Error adding new binding to ${DEV}" >&2
exit 1
fi
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100
@@ -9,7 +9,7 @@
== SYNOPSIS
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
== OVERVIEW
@@ -54,6 +54,12 @@
* *-k* - :
Non-interactively read LUKS password from standard input
+* *-e* _E_TKN_ID_ :
+ LUKS token ID for existing passphrase; only available for LUKS2.
+ This parameter allows providing a configured token ID in LUKS2
+ containing the existing passphrase for this device, so that
+ existing passphrase is not prompted by clevis
+
== CAVEATS
This command does not change the LUKS master key. This implies that if you
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100
@@ -307,9 +307,10 @@
local KEY="${2:-}"
local KEYFILE="${3:-}"
local SLT="${4:-}"
+ local EXISTING_TOKEN_ID="${5:-}"
[ -z "${DEV}" ] && return 1
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
local extra_args
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
@@ -318,6 +319,11 @@
${extra_args}
return
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
+ ${extra_args}
+ return
+ fi
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
${extra_args}
@@ -753,10 +759,11 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
local extra_args='' input
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
@@ -764,6 +771,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
@@ -780,6 +791,7 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
@@ -789,7 +801,7 @@
local in_place
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" "${KEYFILE}" \
- "${SLT}" 2>/dev/null \
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
&& in_place=true
local input extra_args=
@@ -798,6 +810,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
@@ -844,13 +860,13 @@
[ -n "${OVERWRITE}" ] || return 1
clevis_luks_update_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
return
fi
# Add a new key.
clevis_luks_add_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
}
# clevis_luks_generate_key() generates a new key for use with clevis.
@@ -942,6 +958,7 @@
local OVERWRITE="${7:-}"
local KEY="${8:-}"
local KEYFILE="${9:-}"
+ local EXISTING_TOKEN_ID="${10:-}"
[ -z "${DEV}" ] && return 1
[ -z "${PIN}" ] && return 1
@@ -951,6 +968,8 @@
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" \
"${KEYFILE}" \
+ "" \
+ "${EXISTING_TOKEN_ID}" \
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
"Enter existing LUKS password: " \
"recover")"; then
@@ -995,7 +1014,7 @@
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
"${newkey}" "${KEY}" "${KEYFILE}" \
- "${OVERWRITE}"; then
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
echo "Unable to save/update key slot; operation cancelled" >&2
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
rm -rf "${CLEVIS_TMP_DIR}"
@@ -1016,12 +1035,19 @@
}
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
-# Suppor is determined at build time.
+# Support is determined at build time.
function clevis_luks_luks2_supported() {
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
return @OLD_CRYPTSETUP@
}
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
+# cryptsetup allows token id for passphrase providing
+function clevis_luks_luks2_existing_token_id_supported() {
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
clevis_luks_type() {
local DEV="${1}"
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100
@@ -14,6 +14,15 @@
endif
endif
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
+if libcryptsetup_ext_token_id.found()
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
+ message('cryptsetup version supports existing token id')
+else
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
+ warning('cryptsetup version does not support existing token id')
+endif
+
clevis_luks_common_functions = configure_file(
input: 'clevis-luks-common-functions.in',
output: 'clevis-luks-common-functions',
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
+++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+create_existing_token_id_from_keyring() {
+ local DEV="${1}"
+ local KEYDESC="${2}"
+ local TOKEN_ID="${3}"
+ local PASS="${4}"
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
+ return 1
+ fi
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
+}
+
+if ! luks2_supported; then
+ skip_test "${TEST}: LUKS2 is not supported."
+fi
+
+if ! luks2_existing_token_id_supported; then
+ skip_test "${TEST}: Existing token ID not supported"
+fi
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+tang_create_adv "${TMP}" "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+EXISTING_TOKEN_ID=5
+KEYDESC="testkey"
+PASS="123exttokenid_"
+DEV="${TMP}/luks2-device-ext-token"
+new_device "luks2" "${DEV}" "${PASS}"
+
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
+
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
+fi
+
+KEYFILE="${TMP}/keyfile.txt"
+touch "${KEYFILE}"
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
+fi
--- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100
@@ -5,6 +5,15 @@
# given token slot.
cryptsetup = find_program('cryptsetup', required: true)
+# Use keyctl to check an existing token id can be created from
+# kernel keyring password
+keyutils = find_program('keyctl', required: false)
+if keyutils.found()
+ message('keyutils installed')
+else
+ warning('keyutils not installed, unable to test existing token id binding')
+endif
+
common_functions = configure_file(input: 'tests-common-functions.in',
output: 'tests-common-functions',
configuration: luksmeta_data,
@@ -69,6 +78,10 @@
test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
+ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0'
+ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60)
+ endif
+
if jq.found()
test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100
@@ -36,6 +36,12 @@
return @OLD_CRYPTSETUP@
}
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+# Support is determined at build time.
+luks2_existing_token_id_supported() {
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# Creates a new LUKS1 or LUKS2 device to be used.
new_device() {
local LUKS="${1}"

27
SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch → SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch
View File

@ -1,17 +1,17 @@
From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001
From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 09:25:54 -0300
Date: Tue, 2 Aug 2022 11:07:00 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
src/luks/clevis-luks-common-functions | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index f018340..d059aae 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() {
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 038cc37..950f217 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
@ -19,11 +19,10 @@ index f018340..d059aae 100644
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() {
|| [ -z "${passphrase}" ]; then
@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
return 1
fi
-
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
@ -31,7 +30,7 @@ index f018340..d059aae 100644
printf '%s' "${passphrase}"
}
@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() {
@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
@ -40,7 +39,7 @@ index f018340..d059aae 100644
[ -z "${DEV}" ] && return 1
local used_slots
@@ -346,7 +350,7 @@ clevis_luks_unlock_device() {
@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do

6
SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch → SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch
View File

@ -1,6 +1,6 @@
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100
@@ -418,7 +418,12 @@
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100
@@ -413,7 +413,12 @@
clevis_devices=
# Build list of devices to unlock.

42
SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch
View File

@ -1,42 +0,0 @@
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
@@ -875,6 +875,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -886,6 +887,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}

73
SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch Normal file
View File

@ -0,0 +1,73 @@
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
@@ -865,6 +865,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -876,6 +877,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
@@ -19,6 +19,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. clevis-luks-common-functions
+
SUMMARY="Binds a LUKS device using the specified policy"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
@@ -139,14 +141,11 @@
fi
# Generate a key with the same entropy as the LUKS Master Key
-key="$(pwmake "$(
-cryptsetup luksDump "$DEV" \
- | if [ "$luks_type" == "luks1" ]; then
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
- else
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
- fi | sort -n | tail -n 1
-)")"
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
+ || [ -z "${key}" ]; then
+ echo "Unable to generate key for ${DEV}" >&2
+ return 1
+fi
# Encrypt the new key
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"

4
SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch → SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch
View File

@ -1,5 +1,5 @@
--- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100
--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100
+++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."

219
SOURCES/0015-support-sha256-algorithm.patch Normal file
View File

@ -0,0 +1,219 @@
--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:29:59.717465656 +0200
+++ clevis-15/src/pins/tang/clevis-decrypt-tang 2023-05-23 11:49:02.950511503 +0200
@@ -50,12 +50,30 @@
exit 1
fi
-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
- | jose jwk thp -i- -f "$kid")"; then
+if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
exit 1
fi
+# Check if the thumbprint we have in `kid' is in the advertised keys.
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
+if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "${keys}")"; then
+ # `kid' thumprint not in the advertised keys, but it's possible it was
+ # generated using a different algorithm than the default one.
+ # Let us try the alternative supported algorithms to make sure `kid'
+ # really is not part of the advertised keys.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
+ exit 1
+ fi
+fi
+
if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
exit 1
--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang 2020-10-28 19:55:47.673228700 +0100
+++ clevis-15/src/pins/tang/clevis-encrypt-tang 2023-05-23 15:15:18.440099403 +0200
@@ -64,6 +64,9 @@
exit 1
fi
+CLEVIS_DEFAULT_THP_ALG=S1 # SHA-1
+CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
+
trust=
[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
@@ -111,15 +114,24 @@
if [ -z "$thp" ]; then
echo "The advertisement contains the following signing keys:" >&2
echo >&2
- jose jwk thp -i- <<< "$ver" >&2
+ jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
echo >&2
read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
[[ "$ans" =~ ^[yY]$ ]] || exit 1
-
elif [ "$thp" != "any" ] && \
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
- exit 1
+ ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
+ <<< "$ver"; then
+ # Thumbprint of trusted JWK did not match the signature. Let's check
+ # alternative thumbprints generated with clevis supported hash
+ # algorithms to be sure.
+ for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
+ srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
+ && break
+ done
+ if [ -z "${srv}" ]; then
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
+ exit 1
+ fi
fi
fi
@@ -138,7 +150,7 @@
jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
-kid="$(jose jwk thp -i- <<< "$jwk")"
+kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$jwk")"
jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
--- clevis-15.ori/src/luks/tests/meson.build 2023-05-23 11:29:59.594464890 +0200
+++ clevis-15/src/luks/tests/meson.build 2023-05-23 12:00:10.811482757 +0200
@@ -113,6 +113,7 @@
test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
+ test('default-thp-alg', find_program('default-thp-alg'), env: env)
endif
test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
--- clevis-15.ori/src/luks/tests/default-thp-alg 1970-01-01 01:00:00.000000000 +0100
+++ clevis-15/src/luks/tests/default-thp-alg 2023-05-23 16:09:21.920385994 +0200
@@ -0,0 +1,120 @@
+#!/bin/bash
+set -exo pipefail
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+. tests-common-functions
+
+TEST=$(basename "${0}")
+
+on_exit() {
+ exit_status=$?
+ tang_stop "${TMP}"
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+ exit "${exit_status}"
+}
+
+trap 'on_exit' EXIT
+
+TMP="$(mktemp -d)"
+
+port=$(get_random_port)
+tang_run "${TMP}" "${port}"
+
+url="http://localhost:${port}"
+data="just a sample text"
+
+adv="${TMP}/adv"
+# Get the advertisement and extract the keys.
+tang_get_adv "${port}" "${adv}"
+
+jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
+enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
+ --use deriveKey --output=-)"
+
+jose fmt --json="${enc}" --get keys --array \
+ || enc="$(printf '{"keys": [%s]}' "${enc}")"
+
+jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
+ | jose fmt --json=- --delete key_ops --delete alg --output=-)"
+
+jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
+jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
+jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
+
+# We currently support SHA-1 (legacy) and SHA-256.
+CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
+# Now we will use every hash algorithm supported by jose to create a thumbprint
+# for `kid', then we do the encoding and verify clevis decrypt can decode it
+# correctly.
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
+ jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
+
+ encoded=$(printf '%s%s' "${jwk}" "${data}" \
+ | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Now let's test encryption providing the thp in the configuration.
+data="just another test"
+for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
+ tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
+ fi
+
+ if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
+ tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
+ fi
+
+ if [ "${decoded}" != "${data}" ]; then
+ tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
+ fi
+done
+
+# Let's also try some unsupported thp hash algorithms.
+UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
+for alg in ${UNSUPPORTED}; do
+ thp="$(jose fmt --json="${adv}" -g payload -y -o- \
+ | jose jwk use -i- -r -u verify -o- \
+ | jose jwk thp -i- -a "${alg}")"
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
+ fi
+done
+
+# Now let's try some bad values for thp.
+for thp in "" "foo" "invalid"; do
+ cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
+ if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
+ tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
+ fi
+done

1
SOURCES/clevis.sysusers
View File

@ -1 +0,0 @@
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin

297
SPECS/clevis.spec
View File

@ -1,27 +1,31 @@
%global _hardened_build 1
Name: clevis
Version: 18
Release: 110%{?dist}
Version: 15
Release: 15%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0005: 0005-tang-dump-url-on-error-communication.patch
Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch
Patch0007: 0007-avoid-clevis-invalid-msg.patch
Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch
Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0010: 0010-existing-luks2-token-id.patch
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Patch0008: 0008-tang-dump-url-on-error-communication.patch
Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
Patch0010: 0010-avoid-clevis-invalid-msg.patch
Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
Patch0015: 0015-support-sha256-algorithm.patch
BuildRequires: git-core
BuildRequires: git
BuildRequires: gcc
BuildRequires: meson
BuildRequires: asciidoc
@ -34,29 +38,28 @@ BuildRequires: audit-libs-devel
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: tpm2-tools >= 4.0.0
BuildRequires: tpm2-tools >= 3.0.0
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: dracut
BuildRequires: tang >= 6
BuildRequires: curl
BuildRequires: cracklib-dicts
BuildRequires: luksmeta
BuildRequires: openssl
BuildRequires: diffutils
BuildRequires: cryptsetup
BuildRequires: cracklib-dicts
BuildRequires: jq
BuildRequires: diffutils
BuildRequires: expect
BuildRequires: openssl
Requires: tpm2-tools >= 4.0.0
Requires: cracklib-dicts
Requires: tpm2-tools >= 3.0.0
Requires: coreutils
Requires: jose >= 8
Requires: curl
Requires: jq
Requires(pre): shadow-utils
Requires(post): systemd
Recommends: cracklib-dicts
%description
Clevis is a framework for automated decryption. It allows you to encrypt
@ -66,7 +69,7 @@ occur automatically.
The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKSv1
and clevis-dracut packages for automatic root volume unlocking of LUKS
volumes during early boot.
%package luks
@ -98,7 +101,7 @@ Requires: systemd%{?_isa} >= 236
%endif
%description systemd
Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
Automatically unlocks clevis-bound LUKS block devices during boot.
%package dracut
Summary: Dracut integration for clevis
@ -125,7 +128,6 @@ use UDisks2 or storaged (like GNOME).
%install
%meson_install
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
%check
desktop-file-validate \
@ -133,7 +135,10 @@ desktop-file-validate \
%meson_test
%pre
%sysusers_create_compat %{SOURCE1}
getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null
getent passwd %{name} >/dev/null || \
useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \
-c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null
# Add clevis user to tss group.
if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
usermod -a -G tss %{name} &>/dev/null
@ -161,27 +166,26 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%{_mandir}/man1/%{name}-encrypt-sss.1*
%{_mandir}/man1/%{name}-decrypt.1*
%{_mandir}/man1/%{name}.1*
%{_sysusersdir}/clevis.conf
%files luks
%{_mandir}/man7/%{name}-luks-unlockers.7*
%{_mandir}/man1/%{name}-luks-unlock.1*
%{_mandir}/man1/%{name}-luks-unbind.1*
%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-luks-list.1.*
%{_mandir}/man1/%{name}-luks-edit.1.*
%{_mandir}/man1/%{name}-luks-regen.1.*
%{_mandir}/man1/%{name}-luks-report.1.*
%{_mandir}/man1/%{name}-luks-pass.1.*
%{_mandir}/man1/%{name}-luks-list.1*
%{_mandir}/man1/%{name}-luks-pass.1*
%{_mandir}/man1/%{name}-luks-regen.1*
%{_mandir}/man1/%{name}-luks-report.1*
%{_mandir}/man1/%{name}-luks-edit.1*
%{_bindir}/%{name}-luks-unlock
%{_bindir}/%{name}-luks-unbind
%{_bindir}/%{name}-luks-bind
%{_bindir}/%{name}-luks-common-functions
%{_bindir}/%{name}-luks-list
%{_bindir}/%{name}-luks-edit
%{_bindir}/%{name}-luks-pass
%{_bindir}/%{name}-luks-regen
%{_bindir}/%{name}-luks-report
%{_bindir}/%{name}-luks-pass
%{_bindir}/%{name}-luks-edit
%files systemd
%{_libexecdir}/%{name}-luks-askpass
@ -190,188 +194,131 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
%files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
* Wed Jan 25 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-110
* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
- Include SHA-256 thumbprints clevis support
Resolves: rhbz#2209058
* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
- luks-edit: remove unnecessary 2>/dev/null
Resolves: rhbz#2159738
Resolves: rhbz#2159739
* Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-109
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
- luks: define max entropy bits for pwmake
Resolves: rhbz#2159735
Resolves: rhbz#2159736
* Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-108
* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
- Ignore empty & comment lines in crypttab
Resolves: rhbz#2159728
Resolves: rhbz#2159440
* Tue Dec 13 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-107
- Add existing token id parameter
Resolves: rhbz#2126533
* Tue Aug 02 2022 Sergio Correia <scorreia@redhat.com> - 18-106
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#2022420
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-105
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
- Start clevis-luks-askpass.path service according to global policy
Resolves: rhbz#2107078
Resolves: rhbz#2107081
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-104
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
- Improve boot performance by removing key check
Resolves: rhbz#2099701
Resolves: rhbz#2099748
* Mon Jun 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-103
* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
- Avoid invalid message for clevis command
Resolves: rhbz#2080281
Resolves: rhbz#2099325
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-102
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
- Support a null pin
Resolves: rhbz#2028091
Resolves: rhbz#2028096
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-101
- Revert "Enable debugging in clevis scripts when rd.debug is set"
Related: rhbz#2022420
* Thu Jan 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-100
* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
- Dump server information on server error communication
Resolves: rhbz#2022423
Resolves: rhbz#2020193
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-7
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
- Explicitly specify pbkdf iterations to cryptsetup
Resolves: rhbz#2022416
Resolves: rhbz#1979256
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-6
* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
- Enable debugging in clevis scripts when rd.debug is set
Resolves: rhbz#2022420
Resolves: rhbz#1980742
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
- Stop sending stderr to the void when decryption doesn't happen
Resolves: rhbz#1976880
* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
- Drop ncat dependency
Resolves: rhbz#1949289
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
- Account for unlocking failures in clevis-luks-askpass
Resolves: rhbz#2022421
Resolves: rhbz#2018292
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Oct 26 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to latest upstream release, v15
Resolves: rhbz#1887836
Resolves: rhbz#1853651
Resolves: rhbz#1874460
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 18-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed May 20 2020 Sergio Correia <scorreia@redhat.com> - 13-3
- Add clevis luks edit command
Resolves: rhbz#1436735
* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
- Port to OpenSSL 3
Resolves: rhbz#1956760
* Tue May 04 2021 Sergio Correia <scorreia@redhat.com> - 18-1
- Update to new clevis upstream release, v18
Resolves: rhbz#1956760
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 16-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
- Update to new clevis upstream release, v16.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
- Upstream patch for tpm-tools 5.0 support
* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
- Add jq to dependencies
* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
- Update to new clevis upstream release, v15.
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
- Suppress output in pre scriptlet when adjusting users/groups
Resolves: rhbz#1876729
* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
when receives a SIGTERM
Resolves: rhbz#1876001
* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
- If clevis-luks-askpass is enabled, it may be using a wrong target,
since that changed in v14. Check and update it, if required.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
- Update sources file with new v14 release.
* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
- Update to new clevis upstream release, v14.
* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
- Downgrade cracklib-dicts to Recommends
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 18 2020 Sergio Correia <scorreia@redhat.com> - 13-2
- Introduce -y (assume yes) argument to clevis luks bind
Resolves: rhbz#1819767
* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
- Update to new clevis upstream release, v13.
- Update to new upstream release, v13
Resolves: rhbz#1827225
Resolves: rhbz#1827665
Resolves: rhbz#1801556
Resolves: rhbz#1784448
Resolves: rhbz#1826917
Resolves: rhbz#1812014
* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
- cracklib-dicts should be also listed as a build dependency, since
it's required for running some of the tests
* Sun Feb 02 2020 Sergio Correia <scorreia@redhat.com> - 11-9
- Improve clevis luks regen not to unbind+bind in every case
Resolves: rhbz#1795675
* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
- Make cracklib-dicts a regular dependency
* Mon Jan 13 2020 Sergio Correia <scorreia@redhat.com> - 11-8
- Use one clevis-luks-askpass per device
Resolves: rhbz#1784524
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-7
- Add rd.neednet=1 to cmdline only if there are devices bound to tang
Resolves: rhbz#1762028
* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
- Update to new clevis upstream release, v12.
* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 11-6
- Add option to extract luks passphrase used for binding
Resolves: rhbz#1436780
* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
- Backport upstream PR#70 - Handle case where we try to use a partially
used luksmeta slot
Resolves: rhbz#1672371
* Thu Nov 28 2019 Sergio Correia <scorreia@redhat.com> - 11-5
- Add support for listing existing PBD policies in place
Resolves: rhbz#1766526
* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
- Disable LUKS2 tests for now, since they fail randomly in Koji
builders, killing the build
* Fri Oct 18 2019 Sergio Correia <scorreia@redhat.com> - 11-4
- Improve error message when bind is given an invalid PIN
Resolves: rhbz#1543380
* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
- Backport of upstream patches and the following fixes:
- Rework the logic for reading the existing key
- fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
- pins/tang: check that key derivation key is available
* Wed Oct 16 2019 Sergio Correia <scorreia@redhat.com> - 11-3
- Add clevis luks report and regen
Resolves: rhbz#1564566
Resolves: rhbz#1564559
* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
- Drop need network patch
* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
- Add support for tpm2-tools 4.0
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
- Update patch for work around
* Thu Dec 6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
- Work around network requirement for early boot
* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
* Fri Jan 04 2019 Daniel Kopecek <dkopecek@redhat.com> - 11-2
- Check that key derivation key is available
- Delete remaining references to the removed http pin
- Install cryptsetup and tpm2_pcrlist in the initramfs
- Add device TCTI library to the initramfs
Resolves: rhbz#1644876
Resolves: rhbz#1648004
Resolves: rhbz#1650246
* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
- Update to v11