diff --git a/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch b/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch
new file mode 100644
index 0000000..ecc464d
--- /dev/null
+++ b/SOURCES/0003-Fix-to-start-pcscd-appropriately.patch
@@ -0,0 +1,110 @@
+From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi
+Date: Wed, 9 Oct 2024 12:15:18 +0200
+Subject: [PATCH] Fix to start pcscd appropriately
+
+diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+index 01a3062..9922bbc 100755
+--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
++++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+@@ -16,9 +16,11 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
+ #
++. /usr/bin/clevis-pkcs11-common
++
+ if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
+ then
+- pcscd --disable-polkit
+- echo "" > /run/systemd/clevis-pkcs11.run
+- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
++ clevis_start_pcscd_server
++ echo "" > /run/systemd/clevis-pkcs11.run
++ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
+ fi
+diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+index b860efa..468ca3c 100755
+--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
++++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+@@ -52,22 +52,7 @@ get_pkcs11_error() {
+ return 0
+ }
+
+-
+-if command -v pcscd; then
+- echo "clevis-pkcs11: starting pcscd if not available ..."
+- PCSCD_PID=$(ps auxf | grep "[p]cscd")
+- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
+- if ! ps auxf | grep "[p]cscd";
+- then
+- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
+- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
+- pcscd --disable-polkit
+- else
+- echo "clevis-pkcs11: starting pcscd ..."
+- pcscd
+- fi
+- fi
+-fi
++clevis_start_pcscd_server
+
+ if [ "${dracut_mode}" != true ]; then
+ pkcs11-tool -L
+diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
+index 571a2be..c7f2a58 100755
+--- a/src/pins/pkcs11/clevis-pkcs11-common
++++ b/src/pins/pkcs11/clevis-pkcs11-common
+@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
+ done
+ }
+
++clevis_start_pcscd_server() {
++ if command -v pcscd; then
++ echo "clevis-pkcs11: starting pcscd if not available ..."
++ PCSCD_PID=$(ps auxf | grep "[p]cscd")
++ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
++ if ! ps auxf | grep "[p]cscd";
++ then
++ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
++ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
++ pcscd --disable-polkit
++ else
++ echo "clevis-pkcs11: starting pcscd ..."
++ pcscd
++ fi
++ fi
++ fi
++}
++
+ clevis_parse_devices_array() {
+ INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
+ counter=0
+diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
+index 94e1548..c876ca4 100755
+--- a/src/pins/pkcs11/tests/pin-pkcs11
++++ b/src/pins/pkcs11/tests/pin-pkcs11
+@@ -20,6 +20,7 @@
+ . pkcs11-common-tests
+ . tests-common-functions
+ . clevis-luks-common-functions
++. clevis-pkcs11-common
+
+ on_exit() {
+ exit_status=$?
+@@ -150,5 +151,16 @@ then
+ (${WRONGCFG})"
+ fi
+
++if command -v ps && command -v killall; then
++ if ! clevis_start_pcscd_server;
++ then
++ error "${TEST}: Could not start pcscd server"
++ fi
++ if ! killall -9 pcscd;
++ then
++ error "${TEST}: Could not kill pcscd server"
++ fi
++fi
++
+ softhsm_lib_cleanup
+ test "$?" == 0
diff --git a/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch b/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
new file mode 100644
index 0000000..5b0df2b
--- /dev/null
+++ b/SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
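Review bot: In the `pin-pkcs11` test hunk, `killall -9 pcscd` runs whenever `ps` and `killall` exist, but `clevis_start_pcscd_server` returns 0 without starting anything when `pcscd` is not installed (the `command -v pcscd` guard simply falls through), so on such a host the test reports `Could not kill pcscd server`, and on a host where a system pcscd was already running the test kills a daemon it did not start. Guard the block with `if command -v ps && command -v killall && command -v pcscd; then` and have the helper report whether it actually spawned pcscd so the test only kills what it started. In `clevis_start_pcscd_server`, `ps auxf | grep "[p]cscd"` matches any process whose command line merely contains that string, and `ps auxf` presumably assumes procps inside the initramfs; `pgrep -x pcscd >/dev/null` would be more precise and quieter where pgrep is available in the dracut image. `command -v pcscd` also prints the resolved path to stdout on every call; redirect it with `>/dev/null`. The hook now sources `/usr/bin/clevis-pkcs11-common` at initramfs time, which only works if the module's dracut setup installs that file — not visible in this patch.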
@@ -0,0 +1,65 @@
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
+@@ -58,7 +58,7 @@
+ echo
+ echo " key: Algorithm type for the generated key (default: ecc)"
+ echo
+- echo " pcr_bank: PCR algorithm bank to use for policy (default: sha1)"
++ echo " pcr_bank: PCR algorithm bank to use for policy (default: first supported by TPM)"
+ echo
+ echo " pcr_ids: PCR list used for policy. If not present, no policy is used"
+ echo
+@@ -130,7 +130,15 @@
+
+ key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
+
+-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
++pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
++ if ! pcr_bank=$(tpm2_getcap pcrs |
++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
++ END {exit !found}'); then
++ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
++ exit 1
++ fi
++}
+
+ # Trim the spaces from the config, so that we will not have issues parsing
+ # the PCR IDs.
+--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
+@@ -91,13 +91,17 @@
+ - *symcipher*
+
+ * *pcr_bank* (string) :
+- PCR algorithm bank to use for policy (default: sha1)
++ PCR algorithm bank to use for policy (default: first supported by TPM)
+
+- It must be one of the following:
++ Examples of PCR algorithm banks, support depends on TPM chip:
+
+ - *sha1*
+ - *sha256*
+
++ For the full list of algorithms supported by the TPM chip check output of
++ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
++ numbers.
++
+ * *pcr_ids* (string) :
+ Comma separated list of PCR used for policy. If not present, no policy is used
+
+--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
++++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
+@@ -142,8 +142,10 @@
+ # arrays and check if we get the expected pcr_ids.
+
+ # Let's first make sure this would be a valid configuration.
+-_default_pcr_bank="sha1"
+-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
++_default_pcr_bank=$(tpm2_getcap pcrs |
++ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
++ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
++if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
+ test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
+ test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
+ test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 2c72b33..3729e3f 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 5;
+ release_number = 6;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -20,6 +20,8 @@ Source1: clevis.sysusers
 Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
 Patch1: 0002-Fix-potential-race-condition.patch
+Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
+Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
 BuildRequires: git-core
 BuildRequires: gcc
@@ -228,6 +230,9 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 %changelog
 ## START: Generated by rpmautospec
+* Tue Nov 05 2024 Sergio Arroutbi - 21-6
+- TPM2 use first PCR algorithm bank supported by TPM
+
 * Tue Oct 29 2024 Troy Dawson - 21-5
 - Bump release for October 2024 mass rebuild:
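Review bot: The new default in `clevis-encrypt-tpm2` binds the policy to whichever bank `tpm2_getcap pcrs` lists first with a non-empty PCR set; on TPMs that still have the sha1 bank allocated (which the tool typically lists before sha256) that is SHA-1, and the bank now silently varies from host to host instead of being a documented value. Prefer a SHA-2 bank when one is active and only fall back to the first bank listed, as below; the same awk selection is duplicated verbatim in `pin-tpm2`, so it belongs in a shared helper that both scripts call. The lookup also runs when the caller passes no `pcr_ids` — a case the usage text says needs no policy and which previously involved no TPM query — so a TPM reporting only empty banks now fails `clevis encrypt` even for a policy-less config; presumably the lookup can move next to the `pcr_ids` handling, which sits outside this hunk. The awk pattern is tied to the YAML layout `tpm2_getcap pcrs` prints in current tpm2-tools, which differs in older releases, and a comment saying so would save the next reader a trip to the tool's changelog.
```shell
pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
    # Active banks in the order the TPM reports them (tpm2-tools YAML layout assumed).
    _banks=$(tpm2_getcap pcrs |
        awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
            {split($0, m, /[-:[:space:]]+/); print m[2]}')
    # Prefer a SHA-2 bank; only fall back to whatever the TPM lists first.
    for _pref in sha256 sha384 sha512 sha1; do
        if grep -qx "${_pref}" <<< "${_banks}"; then
            pcr_bank="${_pref}"
            break
        fi
    done
    [ -n "${pcr_bank}" ] || pcr_bank=$(head -n1 <<< "${_banks}")
    if [ -z "${pcr_bank}" ]; then
        echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
        exit 1
    fi
}
```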