clevis/SOURCES/0007-Add-clevis-luks-report.patch

From a85f50f789d69d9ca0a4096a64ac912f5967f97f Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 10 May 2020 15:32:50 -0300
Subject: [PATCH 7/8] Add clevis luks report

---
 src/luks/clevis-luks-report         | 95 +++++++++++++++++++++++++++++
 src/luks/clevis-luks-report-compare | 71 +++++++++++++++++++++
 src/luks/clevis-luks-report-decode  | 59 ++++++++++++++++++
 src/luks/clevis-luks-report-sss     | 53 ++++++++++++++++
 src/luks/clevis-luks-report-tang    | 67 ++++++++++++++++++++
 src/luks/clevis-luks-report.1.adoc  | 41 +++++++++++++
 src/luks/meson.build                |  7 +++
 7 files changed, 393 insertions(+)
 create mode 100755 src/luks/clevis-luks-report
 create mode 100755 src/luks/clevis-luks-report-compare
 create mode 100755 src/luks/clevis-luks-report-decode
 create mode 100755 src/luks/clevis-luks-report-sss
 create mode 100755 src/luks/clevis-luks-report-tang
 create mode 100644 src/luks/clevis-luks-report.1.adoc

diff --git a/src/luks/clevis-luks-report b/src/luks/clevis-luks-report
new file mode 100755
index 0000000..f047256
--- /dev/null
+++ b/src/luks/clevis-luks-report
@@ -0,0 +1,95 @@
+#!/usr/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2018 Red Hat, Inc.
+# Author: Radovan Sroka <rsroka@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Report any key rotation on the server side"
+
+if [ "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 0
+fi
+
+function usage_and_exit () {
+    echo >&2
+    echo "Usage: clevis luks report [-qr] -d DEV -s SLOT" >&2
+    echo >&2
+    echo -e "  -q\t Quiet mode" >&2
+    echo -e "  -r\t Regenerate luks metadata with \"clevis luks regen -d DEV -s SLOT\"" >&2
+    echo >&2
+    echo "$SUMMARY" >&2
+    echo >&2
+    exit "$1"
+}
+
+while getopts "hd:s:rq" o; do
+    case "$o" in
+    d) DEV="$OPTARG";;
+    h) usage_and_exit 0;;
+    r) ROPT="regen";;
+    s) SLT="$OPTARG";;
+    q) QOPT="quiet";;
+    *) usage_and_exit 1;;
+    esac
+done
+
+### get luks metadata
+
+if [ -z "$DEV" ]; then
+    echo "Did not specify a device!" >&2
+    exit 1
+fi
+
+if [ -z "$SLT" ]; then
+    echo "Did not specify a slot!" >&2
+    exit 1
+fi
+
+if ! DATA_CODED=$(clevis_luks_read_slot "${DEV}" "${SLT}"); then
+    # Error message was already displayed by clevis_luks_read_slot(),
+    # at this point.
+    exit 1
+fi
+
+EXE="$(findexe clevis-luks-report-decode)"
+RESULT="$($EXE "${DATA_CODED}")"
+
+if [ -n "$RESULT" ]; then
+    echo "$RESULT"
+    echo "Report detected that some keys were rotated."
+    if [ -z "$QOPT" ]; then
+        if [ -z "$ROPT" ]; then
+            read -r -p "Do you want to regenerate luks metadata with \"clevis luks regen -d $DEV -s $SLT\"? [ynYN] " ans < /dev/tty
+            [[ "$ans" =~ ^[yY]$ ]] && ROPT="regen"
+        fi
+    fi
+else
+    exit 0
+fi
+
+if [ "$ROPT" = "regen" ]; then
+    EXE="$(findexe clevis-luks-regen)"
+    exec "$EXE" -d "$DEV" -s "$SLT"
+else
+    if [ -n "${RESULT}" ]; then
+        # Keys were rotated.
+        exit 1
+    fi
+fi
diff --git a/src/luks/clevis-luks-report-compare b/src/luks/clevis-luks-report-compare
new file mode 100755
index 0000000..2ba5132
--- /dev/null
+++ b/src/luks/clevis-luks-report-compare
@@ -0,0 +1,71 @@
+#!/usr/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2018 Red Hat, Inc.
+# Author: Radovan Sroka <rsroka@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+SUMMARY="Compare two sets of keys"
+
+if [ "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "$0 missing the first argument!"
+    exit 1
+fi
+
+if [ -z "$2" ]; then
+    echo "$0 missing the second argument!"
+    exit 1
+fi
+
+ADV_KEYS="$1" # keys from advertisement
+LUKS_KEYS="$2" # keys from luks metadata
+
+### iterate over adv keys and make thumbprints
+CNT=0
+declare -a ADV_KEYS_ARRAY
+while res="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$ADV_KEYS")"; do
+    thp="$(echo "$res" | jose jwk thp -i-)"
+    ADV_KEYS_ARRAY["$CNT"]="$thp"
+    CNT=$(( CNT + 1 ))
+done
+
+CNT=0
+while key="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$LUKS_KEYS")"; do
+    thp="$(echo "$key" | jose jwk thp -i-)"
+
+    FOUND=0
+    for k in "${ADV_KEYS_ARRAY[@]}"
+    do
+        if [ "$k" = "$thp" ]; then
+            FOUND=1
+            break
+        fi
+    done
+
+    if [ "$FOUND" -eq "0" ]; then
+        echo "Key \"$thp\" is not in the advertisement and was probably rotated!"
+        echo "$key"
+        echo
+    fi
+    CNT=$(( CNT + 1 ))
+done
+
+exit 0
diff --git a/src/luks/clevis-luks-report-decode b/src/luks/clevis-luks-report-decode
new file mode 100755
index 0000000..f39d1e9
--- /dev/null
+++ b/src/luks/clevis-luks-report-decode
@@ -0,0 +1,59 @@
+#!/usr/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2018 Red Hat, Inc.
+# Author: Radovan Sroka <rsroka@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Decode luks header"
+
+if [ "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "$0 missing the first argument!"
+    exit 1
+fi
+
+DATA_CODED="$1"
+
+if DATA_CODED="$(jose jwe fmt -i- <<< "$DATA_CODED")"; then
+    DATA_CODED="$(jose fmt -j- -g protected -u- <<< "$DATA_CODED")"
+    DATA_DECODED="$(jose b64 dec -i- <<< "$DATA_CODED")"
+else
+    echo "Error decoding JWE protected header!" >&2
+    exit 1
+fi
+
+### get pin and url
+
+if ! PIN="$(jose fmt -j- -g clevis -g pin -u- <<< "$DATA_DECODED")" || [ -z "$PIN" ]; then
+    echo "Pin wasn't found in luks metadata!" >&2
+    exit 1
+fi
+
+if ! CONTENT="$(jose fmt -j- -g clevis -g "$PIN" -o- <<< "$DATA_DECODED")" || [ -z "$CONTENT" ]; then
+    echo "Content wasn't found!" >&2
+    exit 1
+fi
+
+EXE="$(findexe clevis-luks-report-"$PIN")"
+
+exec "$EXE" "$CONTENT"
diff --git a/src/luks/clevis-luks-report-sss b/src/luks/clevis-luks-report-sss
new file mode 100755
index 0000000..1dba4c1
--- /dev/null
+++ b/src/luks/clevis-luks-report-sss
@@ -0,0 +1,53 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2018 Red Hat, Inc.
+# Author: Radovan Sroka <rsroka@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="SSS report plugin"
+
+if [ "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "$0 missing the first argument!" >&2
+    exit 1
+fi
+
+CONTENT="$1" # sss content
+
+CNT=0
+while DATA_CODED="$(jose fmt -j- -g jwe -g"$CNT" -u- <<< "$CONTENT")"; do
+    if [ -z "$DATA_CODED" ]; then
+        CNT=$(( CNT + 1 ))
+        continue # in some cases it can be empty string
+    fi
+
+    EXE="$(findexe clevis-luks-report-decode)"
+    if ! $EXE "$DATA_CODED"; then
+        echo "Failed" >&2
+        exit 1
+    fi
+
+    CNT=$(( CNT + 1 ))
+done
+
+exit 0
diff --git a/src/luks/clevis-luks-report-tang b/src/luks/clevis-luks-report-tang
new file mode 100755
index 0000000..07f2a72
--- /dev/null
+++ b/src/luks/clevis-luks-report-tang
@@ -0,0 +1,67 @@
+#!/usr/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2018 Red Hat, Inc.
+# Author: Radovan Sroka <rsroka@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Tang report plugin"
+
+if [ "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "$0 missing the first argument!"
+    exit 1
+fi
+
+CONTENT="$1"
+
+### Get the advertisement
+if ! URL="$(jose fmt -j- -g url -u- <<< "$CONTENT")" || [ -z "$URL" ]; then
+    echo "URL was not found!" >&2
+    exit 1
+fi
+
+if ! jws="$(curl -sfg "$URL/adv")"; then
+    echo "Unable to fetch advertisement: $URL/adv!" >&2
+    exit 1
+fi
+
+if ! TANG_KEYS="$(jose fmt -j- -Og payload -SyOg keys -AUo- <<< "$jws")"; then
+    echo "Advertisement is malformed!" >&2
+    exit 1
+fi
+
+### Check advertisement validity
+ver="$(jose jwk use -i- -r -u verify -o- <<< "$TANG_KEYS")"
+if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
+    echo "Advertisement is missing signatures!" >&2
+    exit 1
+fi
+
+if ! LUKS_KEYS="$(jose fmt -j- -g adv -o- <<< "$CONTENT")" || [ -z "$LUKS_KEYS" ]; then
+    echo "LUKS keys from LUKS metadata were not found!" >&2
+    exit 1
+fi
+
+EXE="$(findexe clevis-luks-report-compare)"
+
+exec "$EXE" "$TANG_KEYS" "$LUKS_KEYS"
diff --git a/src/luks/clevis-luks-report.1.adoc b/src/luks/clevis-luks-report.1.adoc
new file mode 100644
index 0000000..cf42afe
--- /dev/null
+++ b/src/luks/clevis-luks-report.1.adoc
@@ -0,0 +1,41 @@
+CLEVIS-LUKS-REPORT(1)
+=====================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-report - Reports whether a pin bound to a LUKS1 or LUKS2 volume has been rotated
+
+== SYNOPSIS
+
+*clevis luks report* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks report* command checks a given slot of a LUKS device and reports whether the pin bound to it
+-- if any -- has been rotated.
+
+== OPTIONS
+
+* *-d* _DEV_ :
+  The bound LUKS device
+
+* *-s* _SLT_ :
+  The slot or key slot number for the pin to be verified
+
+* *-q* :
+  Quiet mode. If used, we will not prompt whether to regenerate data with *clevis luks regen*
+
+* *-r* :
+  Regenerates LUKS metadata with *clevis luks regen -d DEV -s SLOT*
+
+== EXAMPLE
+
+    Check whether the pin bound to slot 1 in /dev/sda1 has been rotated:
+
+    # clevis luks report -d /dev/sda1 -s 1
+
+== SEE ALSO
+
+link:clevis-luks-regen.1.adoc[*clevis-luks-regen*(1)]
diff --git a/src/luks/meson.build b/src/luks/meson.build
index f21388d..ee588c3 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -47,6 +47,13 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
 
   bins += join_paths(meson.current_source_dir(), 'clevis-luks-regen')
   mans += join_paths(meson.current_source_dir(), 'clevis-luks-regen.1')
+
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report')
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-compare')
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-decode')
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-sss')
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-tang')
+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-report.1')
 else
   warning('Will not install LUKS support due to missing dependencies!')
 endif
-- 
2.18.4