From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001 From: Antonio Murdaca Date: Wed, 1 Dec 2021 14:17:53 +0100 Subject: [PATCH 6/6] feat: rename the test pin to null pin Signed-off-by: Antonio Murdaca --- src/initramfs-tools/hooks/clevis.in | 1 + .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ src/luks/systemd/dracut/meson.build | 1 + ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- src/pins/sss/meson.build | 5 +++- src/pins/sss/{pin-test => pin-null} | 4 +-- src/pins/sss/pin-sss | 12 ++++---- 9 files changed, 60 insertions(+), 13 deletions(-) create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) rename src/pins/sss/{pin-test => pin-null} (53%) diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in index 7e6d2b3..8d60d05 100755 --- a/src/initramfs-tools/hooks/clevis.in +++ b/src/initramfs-tools/hooks/clevis.in @@ -58,6 +58,7 @@ fi copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" +copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build new file mode 100644 index 0000000..107e3ba --- /dev/null +++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build @@ -0,0 +1,14 @@ +dracut = dependency('dracut', required: false) + +if dracut.found() + dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' + + configure_file( + input: 'module-setup.sh.in', + output: 'module-setup.sh', + install_dir: dracutdir, + configuration: data, + ) +else + warning('Will not install dracut module clevis-pin-null due to missing dependencies!') +endif diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in new file mode 100755 index 0000000..6a16078 --- /dev/null +++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in @@ -0,0 +1,28 @@ +#!/bin/bash +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Nathaniel McCallum +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +depends() { + echo clevis + return 0 +} + +install() { + inst clevis-decrypt-null +} diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build index fdb264b..7ad5b14 100644 --- a/src/luks/systemd/dracut/meson.build +++ b/src/luks/systemd/dracut/meson.build @@ -2,3 +2,4 @@ subdir('clevis') subdir('clevis-pin-tang') subdir('clevis-pin-tpm2') subdir('clevis-pin-sss') +subdir('clevis-pin-null') diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null similarity index 88% rename from src/pins/sss/clevis-decrypt-test rename to src/pins/sss/clevis-decrypt-null index f0e9249..a6217ed 100755 --- a/src/pins/sss/clevis-decrypt-test +++ b/src/pins/sss/clevis-decrypt-null @@ -22,11 +22,11 @@ read -r -d . hdr -if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then +if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then echo "JWE pin mismatch!" >&2 exit 1 fi -jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 +jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null similarity index 90% rename from src/pins/sss/clevis-encrypt-test rename to src/pins/sss/clevis-encrypt-null index bd2d6ec..af182a5 100755 --- a/src/pins/sss/clevis-encrypt-test +++ b/src/pins/sss/clevis-encrypt-null @@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then fi jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" -jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' +jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' if ! jose fmt -j "$cfg" -g fail -T; then - jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" + jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" fi exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build index 7f20eea..2a5295a 100644 --- a/src/pins/sss/meson.build +++ b/src/pins/sss/meson.build @@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() separator: ':' ) + bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') + bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') + test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) - test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) + test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) else warning('Will not install sss pin due to missing dependencies!') endif diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null similarity index 53% rename from src/pins/sss/pin-test rename to src/pins/sss/pin-null index 50c8c67..b14ac63 100755 --- a/src/pins/sss/pin-test +++ b/src/pins/sss/pin-null @@ -2,9 +2,9 @@ trap 'exit' ERR -e="$(echo -n hi | clevis encrypt test '{}')" +e="$(echo -n hi | clevis encrypt null '{}')" d="$(echo -n "$e" | clevis decrypt)" test "$d" == "hi" -e="$(echo -n hi | clevis encrypt test '{"fail":true}')" +e="$(echo -n hi | clevis encrypt null '{"fail":true}')" ! echo "$e" | clevis decrypt diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss index 5c0b8cf..24da052 100755 --- a/src/pins/sss/pin-sss +++ b/src/pins/sss/pin-sss @@ -1,24 +1,24 @@ #!/bin/bash -ex -e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" d="$(echo "$e" | clevis decrypt)" test "$d" == "hi" -e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" d="$(echo "$e" | clevis decrypt)" test "$d" == "hi" -e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" ! echo "$e" | clevis decrypt -e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" d="$(echo "$e" | clevis decrypt)" test "$d" == "hi" -e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" ! echo "$e" | clevis decrypt -e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" +e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" ! echo "$e" | clevis decrypt ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" -- 2.33.1