--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
@@ -1,7 +1,6 @@
 luksmeta_data = configuration_data()
 luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
 libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
 if libcryptsetup.found()
@@ -33,7 +32,7 @@
 output: 'clevis-luks-unbind', configuration: luksmeta_data)
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
 subdir('systemd')
 subdir('udisks2')
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
@@ -20,6 +20,11 @@
 CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
 enable_debugging() {
 # Automatically enable debugging if in initramfs phase and rd.debug
 if [ -e /usr/lib/dracut-lib.sh ]; then
@@ -782,7 +787,7 @@
 fi
 local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
 --key-slot "${SLT}" \
 "${DEV}" \
 ${pbkdf_args} \
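Review bot: Removing `pwmake = find_program('pwmake', required: false)` drops the only build-time probe for the tool that produced LUKS passphrases, and nothing in this file's hunks replaces it with a probe for `jose`, which the rewritten `clevis_luks_generate_key` in the companion hunk now invokes at run time. If the parent meson.build already checks for `jose` (not visible here), a comment at the removal point such as `# LUKS passphrases are now generated with jose; see the top-level dependency check` would record why the gate in the second hunk no longer names a password tool. Otherwise add `jose = find_program('jose')` here and include `jose.found()` in the condition changed in the second hunk, so a build without jose fails at configure time rather than at first use.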
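Review bot: The comment added above `JOSE_PASSWORD_LENGTH=40` describes the old pwmake behaviour rather than what the value now controls: it is passed as the `bytes` count of an oct JWK template to `jose jwk gen` in a later hunk, so the generated secret is 40 random bytes (320 bits) emitted base64url-encoded as a 54-character passphrase, not a 256-bit pwmake password. Reword it along the lines of `# Number of random bytes for the LUKS passphrase produced by jose jwk gen; the output is base64url-encoded (54 characters, 320 bits of entropy), comparable in length to the 256-bit pwmake passwords used previously`. Stating the entropy accurately matters because this constant is now the sole sizing decision — the old code sized the passphrase from the LUKS master-key size, and the replacement no longer looks at the device.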
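Review bot: `--force-password` on the `cryptsetup luksAddKey` line disables cryptsetup's passphrase-quality checking for the slot being added, and the line carries no explanation of why bypassing that check is acceptable here. Add a comment directly above it: `# --force-password: skip passphrase quality checks; the new slot holds a random jose-generated key, not a user-chosen password`. The enclosing function begins before this hunk, so if `${input}` can ever carry a caller-supplied passphrase on this path, the comment should say that the quality check is deliberately bypassed for that case too.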
@@ -812,11 +817,11 @@
 local input extra_args=
 input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
 if [ -n "${KEYFILE}" ]; then
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
 input="$(printf '%s' "${NEWKEY}")"
 fi
 if [ -n "${EXISTING_TOKEN_ID}" ]; then
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
 input="$(printf '%s' "${NEWKEY}")"
 fi
 local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
@@ -876,26 +881,10 @@
 # clevis_luks_generate_key() generates a new key for use with clevis.
 clevis_luks_generate_key() {
- local DEV="${1}"
- [ -z "${DEV}" ] && return 1
-
- local dump filter bits
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- filter="$(echo -n "${dump}" | \
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
- else
- return 1
- fi
-
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
- bits="${MAX_ENTROPY_BITS}"
- fi
- pwmake "${bits}"
+ local input
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+ jose jwk gen --input="${input}" --output=- \
+ | jose fmt --json=- --object --get k --unquote=-
 }
 # clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -986,8 +975,8 @@
 fi
 local newkey jwe
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
- || [ -z "${newkey}" ]; then
+
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
 echo "Unable to generate a new key" >&2
 return 1
 fi
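Review bot: `--force-password` is appended only inside the two conditional `extra_args` assignments, so when neither `KEYFILE` nor `EXISTING_TOKEN_ID` is set the change-key invocation that consumes `extra_args` (below this hunk) runs without the flag, whereas the `luksAddKey` path in the previous hunk passes it unconditionally; the flag also has nothing to do with what either branch selects. Put it where the add-key hunk puts it — on the `cryptsetup luksChangeKey` command line next to `--batch-mode` — and revert the two formats to `'--key-file %s'` and `'--token-id %s'`, so the quality-check bypass is applied consistently and the branches only carry their own options. Note that the second assignment still overwrites the first when both variables are set, which predates this change. The enclosing function starts before and ends after this hunk.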
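Review bot: `clevis_luks_generate_key` now silently depends on the file-level `JOSE_PASSWORD_LENGTH`; an unset or empty value turns the template into the malformed `{"kty":"oct","bytes":}`, and unless pipefail is enabled somewhere not visible here the function's status is only whatever `jose fmt` returns on the resulting empty input, leaving the empty-output check in the caller (last hunk) as the reliable failure signal. Guard it up front with `[ -n "${JOSE_PASSWORD_LENGTH}" ] || return 1`. The header comment should also state the new contract now that the `DEV` argument is gone, e.g. `# clevis_luks_generate_key() prints a random passphrase: JOSE_PASSWORD_LENGTH random bytes, base64url-encoded (the "k" member of a generated oct JWK). The secret only travels through the pipe, never on a command line.`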