From e1ac9de1051c45a0af539d628f44337d0dc77811 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 14 Apr 2023 12:35:10 +0300 Subject: [PATCH] import clevis-18-110.el9 --- .clevis.metadata | 1 + .gitignore | 1 + ...e-BN_set_word-x-0-instead-of-BN_zero.patch | 47 ++ ...for-unlocking-failures-in-clevis-luk.patch | 41 ++ ...specify-pbkdf-iterations-to-cryptset.patch | 49 ++ ...tang-dump-url-on-error-communication.patch | 16 + ...feat-rename-the-test-pin-to-null-pin.patch | 213 +++++++++ SOURCES/0007-avoid-clevis-invalid-msg.patch | 25 + ...ot-performance-by-removing-key-check.patch | 54 +++ ...gging-in-clevis-scripts-when-rd.debu.patch | 45 ++ SOURCES/0010-existing-luks2-token-id.patch | 385 ++++++++++++++++ ...-empty-and-comment-lines-in-crypttab.patch | 16 + ...s-define-max-entropy-bits-for-pwmake.patch | 42 ++ ...-edit-remove-unnecessary-redirection.patch | 11 + SOURCES/clevis.sysusers | 1 + SPECS/clevis.spec | 431 ++++++++++++++++++ 16 files changed, 1378 insertions(+) create mode 100644 .clevis.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch create mode 100644 SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch create mode 100644 SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch create mode 100644 SOURCES/0005-tang-dump-url-on-error-communication.patch create mode 100644 SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch create mode 100644 SOURCES/0007-avoid-clevis-invalid-msg.patch create mode 100644 SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch create mode 100644 SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch create mode 100644 SOURCES/0010-existing-luks2-token-id.patch create mode 100644 SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch create mode 100644 SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch create mode 100644 SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch create mode 100644 SOURCES/clevis.sysusers create mode 100644 SPECS/clevis.spec diff --git a/.clevis.metadata b/.clevis.metadata new file mode 100644 index 0000000..ba8f886 --- /dev/null +++ b/.clevis.metadata @@ -0,0 +1 @@ +dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f29345d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/clevis-18.tar.xz diff --git a/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch b/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch new file mode 100644 index 0000000..6c865e2 --- /dev/null +++ b/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch @@ -0,0 +1,47 @@ +From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Mon, 3 May 2021 22:36:36 -0300 +Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero() + +Different OpenSSL versions define BN_zero() differently -- sometimes +returning an integer, sometimes as void --, so let's use instead +BN_set_word() instead, not to have issues when building with these +different versions. +--- + src/pins/sss/sss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c +index a37215d..7486d6c 100644 +--- a/src/pins/sss/sss.c ++++ b/src/pins/sss/sss.c +@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len) + if (BN_rand_range(xx, pp) <= 0) + return NULL; + +- if (BN_zero(yy) <= 0) ++ if (BN_set_word(yy, 0) <= 0) + return NULL; + + for (size_t i = 0; i < json_array_size(e); i++) { +@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[]) + if (!ctx || !pp || !acc || !tmp || !k) + return NULL; + +- if (BN_zero(k) <= 0) ++ if (BN_set_word(k, 0) <= 0) + return NULL; + + len = jose_b64_dec(p, NULL, 0); +@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[]) + + /* acc *= (0 - xi) / (xo - xi) */ + +- if (BN_zero(tmp) <= 0) ++ if (BN_set_word(tmp, 0) <= 0) + return NULL; + + if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0) +-- +2.31.1 + diff --git a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch new file mode 100644 index 0000000..1fc7016 --- /dev/null +++ b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch @@ -0,0 +1,41 @@ +From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Fri, 29 Oct 2021 12:04:46 -0300 +Subject: [PATCH 2/2] systemd: account for unlocking failures in + clevis-luks-askpass (#343) + +As unlock may fail for some reason, e.g. the network is not up yet, +one way cause problems would be to add extra `rd.luks.uuid' params +to the cmdline, which would then cause such devices to be unlocked +in early boot. If the unlocking fail, those devices might not be +accounted for in the clevis_devices_to_unlock() check, as it is +based on crypttab. + +Let's make sure there are no pending ask.* sockets waiting to be +answered, before exiting. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 +--- + src/luks/systemd/clevis-luks-askpass.in | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in +index 8f54859..a6699c9 100755 +--- a/src/luks/systemd/clevis-luks-askpass.in ++++ b/src/luks/systemd/clevis-luks-askpass.in +@@ -67,8 +67,11 @@ while true; do + done + + [ "${loop}" != true ] && break ++ + # Checking for pending devices to be unlocked. +- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then ++ remaining_crypttab=$(clevis_devices_to_unlock) ||: ++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: ++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then + break; + fi + +-- +2.33.1 + diff --git a/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch new file mode 100644 index 0000000..be4608c --- /dev/null +++ b/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch @@ -0,0 +1,49 @@ +From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Thu, 21 Oct 2021 13:58:52 +0200 +Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup + +This fixes an Out of memory error when the system has not much memory, +such as a VM configured with 2GB currently being installed through the +network (hence having ~1GB free memory only). +See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). +--- + src/luks/clevis-luks-common-functions.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in +index d53d2ab..360eb7e 100644 +--- a/src/luks/clevis-luks-common-functions.in ++++ b/src/luks/clevis-luks-common-functions.in +@@ -760,10 +760,12 @@ clevis_luks_add_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ + --key-slot "${SLT}" \ + "${DEV}" \ ++ ${pbkdf_args} \ + ${extra_args} + } + +@@ -792,11 +794,14 @@ clevis_luks_update_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + if [ -n "${in_place}" ]; then + printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ + --key-slot "${SLT}" \ +- --batch-mode ${extra_args} ++ --batch-mode \ ++ ${pbkdf_args} \ ++ ${extra_args} + return + fi + +-- +2.33.1 + diff --git a/SOURCES/0005-tang-dump-url-on-error-communication.patch b/SOURCES/0005-tang-dump-url-on-error-communication.patch new file mode 100644 index 0000000..c8224bb --- /dev/null +++ b/SOURCES/0005-tang-dump-url-on-error-communication.patch @@ -0,0 +1,16 @@ +--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200 ++++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100 +@@ -99,10 +99,10 @@ + + xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" + +-url="$url/rec/$kid" ++rec_url="$url/rec/$kid" + ct="Content-Type: application/jwk+json" +-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then +- echo "Error communicating with the server!" >&2 ++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then ++ echo "Error communicating with the server $url" >&2 + exit 1 + fi + diff --git a/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch new file mode 100644 index 0000000..811006f --- /dev/null +++ b/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch @@ -0,0 +1,213 @@ +From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001 +From: Antonio Murdaca +Date: Wed, 1 Dec 2021 14:17:53 +0100 +Subject: [PATCH 6/6] feat: rename the test pin to null pin + +Signed-off-by: Antonio Murdaca +--- + src/initramfs-tools/hooks/clevis.in | 1 + + .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ + .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ + src/luks/systemd/dracut/meson.build | 1 + + ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- + ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- + src/pins/sss/meson.build | 5 +++- + src/pins/sss/{pin-test => pin-null} | 4 +-- + src/pins/sss/pin-sss | 12 ++++---- + 9 files changed, 60 insertions(+), 13 deletions(-) + create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build + create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in + rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) + rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) + rename src/pins/sss/{pin-test => pin-null} (53%) + +diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in +index 7e6d2b3..8d60d05 100755 +--- a/src/initramfs-tools/hooks/clevis.in ++++ b/src/initramfs-tools/hooks/clevis.in +@@ -58,6 +58,7 @@ fi + + copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" + copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" ++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" + copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" + copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" + copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" +diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build +new file mode 100644 +index 0000000..107e3ba +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build +@@ -0,0 +1,14 @@ ++dracut = dependency('dracut', required: false) ++ ++if dracut.found() ++ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' ++ ++ configure_file( ++ input: 'module-setup.sh.in', ++ output: 'module-setup.sh', ++ install_dir: dracutdir, ++ configuration: data, ++ ) ++else ++ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') ++endif +diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +new file mode 100755 +index 0000000..6a16078 +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +@@ -0,0 +1,28 @@ ++#!/bin/bash ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2016 Red Hat, Inc. ++# Author: Nathaniel McCallum ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++depends() { ++ echo clevis ++ return 0 ++} ++ ++install() { ++ inst clevis-decrypt-null ++} +diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build +index fdb264b..7ad5b14 100644 +--- a/src/luks/systemd/dracut/meson.build ++++ b/src/luks/systemd/dracut/meson.build +@@ -2,3 +2,4 @@ subdir('clevis') + subdir('clevis-pin-tang') + subdir('clevis-pin-tpm2') + subdir('clevis-pin-sss') ++subdir('clevis-pin-null') +diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null +similarity index 88% +rename from src/pins/sss/clevis-decrypt-test +rename to src/pins/sss/clevis-decrypt-null +index f0e9249..a6217ed 100755 +--- a/src/pins/sss/clevis-decrypt-test ++++ b/src/pins/sss/clevis-decrypt-null +@@ -22,11 +22,11 @@ + + read -r -d . hdr + +-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then ++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then + echo "JWE pin mismatch!" >&2 + exit 1 + fi + +-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 ++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 + + exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) +diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null +similarity index 90% +rename from src/pins/sss/clevis-encrypt-test +rename to src/pins/sss/clevis-encrypt-null +index bd2d6ec..af182a5 100755 +--- a/src/pins/sss/clevis-encrypt-test ++++ b/src/pins/sss/clevis-encrypt-null +@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then + fi + + jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" +-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' ++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' + + if ! jose fmt -j "$cfg" -g fail -T; then +- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" ++ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" + fi + + exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) +diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build +index 7f20eea..2a5295a 100644 +--- a/src/pins/sss/meson.build ++++ b/src/pins/sss/meson.build +@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() + separator: ':' + ) + ++ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') ++ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') ++ + test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) +- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) ++ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) + else + warning('Will not install sss pin due to missing dependencies!') + endif +diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null +similarity index 53% +rename from src/pins/sss/pin-test +rename to src/pins/sss/pin-null +index 50c8c67..b14ac63 100755 +--- a/src/pins/sss/pin-test ++++ b/src/pins/sss/pin-null +@@ -2,9 +2,9 @@ + + trap 'exit' ERR + +-e="$(echo -n hi | clevis encrypt test '{}')" ++e="$(echo -n hi | clevis encrypt null '{}')" + d="$(echo -n "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo -n hi | clevis encrypt test '{"fail":true}')" ++e="$(echo -n hi | clevis encrypt null '{"fail":true}')" + ! echo "$e" | clevis decrypt +diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss +index 5c0b8cf..24da052 100755 +--- a/src/pins/sss/pin-sss ++++ b/src/pins/sss/pin-sss +@@ -1,24 +1,24 @@ + #!/bin/bash -ex + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + + ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" +-- +2.33.1 + diff --git a/SOURCES/0007-avoid-clevis-invalid-msg.patch b/SOURCES/0007-avoid-clevis-invalid-msg.patch new file mode 100644 index 0000000..3740d2b --- /dev/null +++ b/SOURCES/0007-avoid-clevis-invalid-msg.patch @@ -0,0 +1,25 @@ +--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200 +@@ -27,6 +27,8 @@ + } + + cmd=clevis ++input_commands="$cmd $@" ++ + while [ $# -gt 0 ]; do + [[ "$1" =~ ^- ]] && break + cmd="$cmd-$1" +@@ -36,8 +38,11 @@ + done + + exec >&2 +-echo +-echo "Command '$cmd' is invalid" ++if [ "$cmd" != "clevis" ]; ++then ++ echo ++ echo "Command '$input_commands' is invalid" ++fi + echo + echo "Usage: clevis COMMAND [OPTIONS]" + echo diff --git a/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch b/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch new file mode 100644 index 0000000..325be7a --- /dev/null +++ b/SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch @@ -0,0 +1,54 @@ +From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001 +From: Sergio Arroutbi +Date: Tue, 2 Aug 2022 09:25:54 -0300 +Subject: [PATCH] Improve boot performance by removing key check + +--- + src/luks/clevis-luks-common-functions.in | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in +index f018340..d059aae 100644 +--- a/src/luks/clevis-luks-common-functions.in ++++ b/src/luks/clevis-luks-common-functions.in +@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() { + clevis_luks_unlock_device_by_slot() { + local DEV="${1}" + local SLT="${2}" ++ local SKIP_CHECK="${3}" + + [ -z "${DEV}" ] && return 1 + [ -z "${SLT}" ] && return 1 +@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() { + || [ -z "${passphrase}" ]; then + return 1 + fi +- +- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 ++ if [ -z "${SKIP_CHECK}" ]; then ++ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 ++ fi + printf '%s' "${passphrase}" + } + +@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() { + # parameter and returns the decoded passphrase. + clevis_luks_unlock_device() { + local DEV="${1}" ++ local SKIP_CHECK="YES" ++ + [ -z "${DEV}" ] && return 1 + + local used_slots +@@ -346,7 +350,7 @@ clevis_luks_unlock_device() { + + local slt pt + for slt in ${used_slots}; do +- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \ ++ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \ + || [ -z "${pt}" ]; then + continue + fi +-- +2.35.1 + diff --git a/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch new file mode 100644 index 0000000..0be4271 --- /dev/null +++ b/SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch @@ -0,0 +1,45 @@ +From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= + <1163635+rmetrich@users.noreply.github.com> +Date: Wed, 1 Dec 2021 09:37:35 -0300 +Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set + (#340) + +On Fedora/RHEL, the rd.debug kernel command line parameter controls +debugging. +By implementing the functionality inside clevis, troubleshooting will be +greatly eased. +See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). +--- + src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in +index d059aae..87b370f 100644 +--- a/src/luks/clevis-luks-common-functions.in ++++ b/src/luks/clevis-luks-common-functions.in +@@ -20,6 +20,21 @@ + + CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" + ++enable_debugging() { ++ # Automatically enable debugging if in initramfs phase and rd.debug ++ if [ -e /usr/lib/dracut-lib.sh ]; then ++ local bashopts=$- ++ # Because dracut is loosely written, disable hardening options temporarily ++ [[ $bashopts != *u* ]] || set +u ++ [[ $bashopts != *e* ]] || set +e ++ . /usr/lib/dracut-lib.sh ++ [[ $bashopts != *u* ]] || set -u ++ [[ $bashopts != *e* ]] || set -e ++ fi ++} ++ ++enable_debugging ++ + # valid_slot() will check whether a given slot is possibly valid, i.e., if it + # is a numeric value within the specified range. + valid_slot() { +-- +2.35.1 + diff --git a/SOURCES/0010-existing-luks2-token-id.patch b/SOURCES/0010-existing-luks2-token-id.patch new file mode 100644 index 0000000..d257177 --- /dev/null +++ b/SOURCES/0010-existing-luks2-token-id.patch @@ -0,0 +1,385 @@ +--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100 +@@ -25,7 +25,7 @@ + usage() { + exec >&2 + echo +- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG" ++ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG" + echo + echo "$SUMMARY": + echo +@@ -42,6 +42,8 @@ + echo " -k KEY Non-interactively read LUKS password from KEY file" + echo " -k - Non-interactively read LUKS password from standard input" + echo ++ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2" ++ echo + exit 2 + } + +@@ -52,13 +54,14 @@ + + FRC= + YES= +-while getopts ":hfyd:s:k:t:" o; do ++while getopts ":hfyd:s:k:t:e:" o; do + case "$o" in + f) FRC='-f';; + d) DEV="$OPTARG";; + s) SLT="$OPTARG";; + k) KEY="$OPTARG";; + t) TOKEN_ID="$OPTARG";; ++ e) EXISTING_TOKEN_ID="$OPTARG";; + y) FRC='-f' + YES='-y';; + *) usage;; +@@ -99,11 +102,20 @@ + exit 1 + fi + ++if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then ++ echo "Existing token ID not supported in this cryptsetup version" >&2 ++ exit 1 ++fi ++ + # Get the existing passphrase/keyfile. + existing_key= + keyfile= + case "${KEY}" in +-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;; ++ "") ++ if [ -z "${EXISTING_TOKEN_ID}" ] ; then ++ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2 ++ fi ++ ;; + -) IFS= read -r -s -p "" existing_key ||: + if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \ + && [ -z "${FRC}" ]; then +@@ -119,6 +131,13 @@ + ;; + esac + ++# Check if existing token id for keyring read is provided ++# If so, keyfile is not allowed ++if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then ++ echo "Cannot specify kernel keyring description together with key file" >&2 ++ exit 1 ++fi ++ + # If necessary, initialize the LUKS volume. + if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then + luksmeta init -d "${DEV}" ${FRC} +@@ -127,7 +146,7 @@ + if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \ + "${PIN}" "${CFG}" \ + "${YES}" "" \ +- "${existing_key}" "${keyfile}"; then ++ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then + echo "Error adding new binding to ${DEV}" >&2 + exit 1 + fi +--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100 +@@ -9,7 +9,7 @@ + + == SYNOPSIS + +-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG ++*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG + + == OVERVIEW + +@@ -54,6 +54,12 @@ + * *-k* - : + Non-interactively read LUKS password from standard input + ++* *-e* _E_TKN_ID_ : ++ LUKS token ID for existing passphrase; only available for LUKS2. ++ This parameter allows providing a configured token ID in LUKS2 ++ containing the existing passphrase for this device, so that ++ existing passphrase is not prompted by clevis ++ + == CAVEATS + + This command does not change the LUKS master key. This implies that if you +--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100 ++++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100 +@@ -307,9 +307,10 @@ + local KEY="${2:-}" + local KEYFILE="${3:-}" + local SLT="${4:-}" ++ local EXISTING_TOKEN_ID="${5:-}" + + [ -z "${DEV}" ] && return 1 +- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1 ++ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1 + + local extra_args + extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")" +@@ -318,6 +319,11 @@ + ${extra_args} + return + fi ++ if [ -n "${EXISTING_TOKEN_ID}" ]; then ++ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \ ++ ${extra_args} ++ return ++ fi + + printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \ + ${extra_args} +@@ -753,10 +759,11 @@ + local NEWKEY="${3}" + local KEY="${4}" + local KEYFILE="${5:-}" ++ local EXISTING_TOKEN_ID="${6:-}" + + [ -z "${DEV}" ] && return 1 + [ -z "${NEWKEY}" ] && return 1 +- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1 ++ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1 + + local extra_args='' input + input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")" +@@ -764,6 +771,10 @@ + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ if [ -n "${EXISTING_TOKEN_ID}" ]; then ++ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")" ++ input="$(printf '%s' "${NEWKEY}")" ++ fi + local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ +@@ -780,6 +791,7 @@ + local NEWKEY="${3}" + local KEY="${4}" + local KEYFILE="${5:-}" ++ local EXISTING_TOKEN_ID="${6:-}" + + [ -z "${DEV}" ] && return 1 + [ -z "${NEWKEY}" ] && return 1 +@@ -789,7 +801,7 @@ + local in_place + clevis_luks_check_valid_key_or_keyfile "${DEV}" \ + "${KEY}" "${KEYFILE}" \ +- "${SLT}" 2>/dev/null \ ++ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \ + && in_place=true + + local input extra_args= +@@ -798,6 +810,10 @@ + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ if [ -n "${EXISTING_TOKEN_ID}" ]; then ++ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")" ++ input="$(printf '%s' "${NEWKEY}")" ++ fi + local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + if [ -n "${in_place}" ]; then +@@ -844,13 +860,13 @@ + [ -n "${OVERWRITE}" ] || return 1 + + clevis_luks_update_key "${DEV}" "${SLT}" \ +- "${NEWKEY}" "${KEY}" "${KEYFILE}" ++ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}" + return + fi + + # Add a new key. + clevis_luks_add_key "${DEV}" "${SLT}" \ +- "${NEWKEY}" "${KEY}" "${KEYFILE}" ++ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}" + } + + # clevis_luks_generate_key() generates a new key for use with clevis. +@@ -942,6 +958,7 @@ + local OVERWRITE="${7:-}" + local KEY="${8:-}" + local KEYFILE="${9:-}" ++ local EXISTING_TOKEN_ID="${10:-}" + + [ -z "${DEV}" ] && return 1 + [ -z "${PIN}" ] && return 1 +@@ -951,6 +968,8 @@ + if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \ + "${KEY}" \ + "${KEYFILE}" \ ++ "" \ ++ "${EXISTING_TOKEN_ID}" \ + && ! KEY="$(clevis_luks_get_existing_key "${DEV}" \ + "Enter existing LUKS password: " \ + "recover")"; then +@@ -995,7 +1014,7 @@ + + if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \ + "${newkey}" "${KEY}" "${KEYFILE}" \ +- "${OVERWRITE}"; then ++ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then + echo "Unable to save/update key slot; operation cancelled" >&2 + clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || : + rm -rf "${CLEVIS_TMP_DIR}" +@@ -1016,12 +1035,19 @@ + } + + # clevis_luks_luks2_supported() indicates whether we support LUKS2 devices. +-# Suppor is determined at build time. ++# Support is determined at build time. + function clevis_luks_luks2_supported() { + # We require cryptsetup >= 2.0.4 to fully support LUKSv2. + return @OLD_CRYPTSETUP@ + } + ++# clevis_luks_luks2_existing_token_id_supported() indicates whether ++# cryptsetup allows token id for passphrase providing ++function clevis_luks_luks2_existing_token_id_supported() { ++ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID ++ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@ ++} ++ + # clevis_luks_type() returns the LUKS type of a device, e.g. "luks1". + clevis_luks_type() { + local DEV="${1}" +--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100 +@@ -14,6 +14,15 @@ + endif + endif + ++libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false) ++if libcryptsetup_ext_token_id.found() ++ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0') ++ message('cryptsetup version supports existing token id') ++else ++ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1') ++ warning('cryptsetup version does not support existing token id') ++endif ++ + clevis_luks_common_functions = configure_file( + input: 'clevis-luks-common-functions.in', + output: 'clevis-luks-common-functions', +--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100 ++++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100 +@@ -0,0 +1,74 @@ ++#!/bin/bash -ex ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2022 Red Hat, Inc. ++# Author: Sergio Arroutbi ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++TEST=$(basename "${0}") ++. tests-common-functions ++ ++on_exit() { ++ [ -d "${TMP}" ] && rm -rf "${TMP}" ++} ++ ++create_existing_token_id_from_keyring() { ++ local DEV="${1}" ++ local KEYDESC="${2}" ++ local TOKEN_ID="${3}" ++ local PASS="${4}" ++ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then ++ return 1 ++ fi ++ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s) ++ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null ++ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}" ++} ++ ++if ! luks2_supported; then ++ skip_test "${TEST}: LUKS2 is not supported." ++fi ++ ++if ! luks2_existing_token_id_supported; then ++ skip_test "${TEST}: Existing token ID not supported" ++fi ++ ++trap 'on_exit' EXIT ++trap 'exit' ERR ++ ++TMP="$(mktemp -d)" ++ ++ADV="${TMP}/adv.jws" ++tang_create_adv "${TMP}" "${ADV}" ++CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" ++ ++EXISTING_TOKEN_ID=5 ++KEYDESC="testkey" ++PASS="123exttokenid_" ++DEV="${TMP}/luks2-device-ext-token" ++new_device "luks2" "${DEV}" "${PASS}" ++ ++create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}" ++ ++if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then ++ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2 ++fi ++ ++KEYFILE="${TMP}/keyfile.txt" ++touch "${KEYFILE}" ++if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then ++ error "${TEST}: Using existing token id and keyfile should dump an error" >&2 ++fi +--- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200 ++++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100 +@@ -5,6 +5,15 @@ + # given token slot. + cryptsetup = find_program('cryptsetup', required: true) + ++# Use keyctl to check an existing token id can be created from ++# kernel keyring password ++keyutils = find_program('keyctl', required: false) ++if keyutils.found() ++ message('keyutils installed') ++else ++ warning('keyutils not installed, unable to test existing token id binding') ++endif ++ + common_functions = configure_file(input: 'tests-common-functions.in', + output: 'tests-common-functions', + configuration: luksmeta_data, +@@ -69,6 +78,10 @@ + test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env) + test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60) + ++ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0' ++ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60) ++ endif ++ + if jq.found() + test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60) + test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60) +--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200 ++++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100 +@@ -36,6 +36,12 @@ + return @OLD_CRYPTSETUP@ + } + ++# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID ++# Support is determined at build time. ++luks2_existing_token_id_supported() { ++ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@ ++} ++ + # Creates a new LUKS1 or LUKS2 device to be used. + new_device() { + local LUKS="${1}" diff --git a/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch b/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch new file mode 100644 index 0000000..a92cb31 --- /dev/null +++ b/SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch @@ -0,0 +1,16 @@ +--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100 ++++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100 +@@ -418,7 +418,12 @@ + clevis_devices= + + # Build list of devices to unlock. +- while read -r _ crypt_device _; do ++ while read -r _volname_ crypt_device _; do ++ # skip empty lines and lines which begin with the '#' char, per ++ # crypttab(5) ++ case $_volname_ in ++ ''|\#*) continue ;; ++ esac + if ! dev=$(clevis_map_device "${crypt_device}") \ + || [ -z "${dev}" ]; then + # Unable to get the device - maybe it's not available, e.g. a diff --git a/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch b/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch new file mode 100644 index 0000000..68dc097 --- /dev/null +++ b/SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch @@ -0,0 +1,42 @@ +--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100 +@@ -101,7 +101,7 @@ + + This command performs four steps: + +-1. Creates a new key with the same entropy as the LUKS master key. ++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. + 2. Encrypts the new key with Clevis. + 3. Stores the Clevis JWE in the LUKS header. + 4. Enables the new key for use with LUKS. +--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100 ++++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100 +@@ -20,7 +20,7 @@ + + This command performs four steps: + +-1. Creates a new key with the same entropy as the LUKS master key. ++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. + 2. Encrypts the new key with Clevis. + 3. Stores the Clevis JWE in the LUKS header. + 4. Enables the new key for use with LUKS. +--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100 ++++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100 +@@ -875,6 +875,7 @@ + [ -z "${DEV}" ] && return 1 + + local dump filter bits ++ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake. + dump=$(cryptsetup luksDump "${DEV}") + if cryptsetup isLuks --type luks1 "${DEV}"; then + filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')" +@@ -886,6 +887,9 @@ + fi + + bits="$(echo -n "${filter}" | sort -n | tail -n 1)" ++ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then ++ bits="${MAX_ENTROPY_BITS}" ++ fi + pwmake "${bits}" + } + diff --git a/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch b/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch new file mode 100644 index 0000000..ae1f82c --- /dev/null +++ b/SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch @@ -0,0 +1,11 @@ +--- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200 ++++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100 +@@ -173,7 +173,7 @@ + + echo "Updating binding..." + if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \ +- "-y" "overwrite" 2>/dev/null; then ++ "-y" "overwrite"; then + echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2 + exit 1 + fi diff --git a/SOURCES/clevis.sysusers b/SOURCES/clevis.sysusers new file mode 100644 index 0000000..492bdeb --- /dev/null +++ b/SOURCES/clevis.sysusers @@ -0,0 +1 @@ +u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec new file mode 100644 index 0000000..4383b63 --- /dev/null +++ b/SPECS/clevis.spec @@ -0,0 +1,431 @@ +Name: clevis +Version: 18 +Release: 110%{?dist} +Summary: Automated decryption framework + +License: GPLv3+ +URL: https://github.com/latchset/%{name} +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz +Source1: clevis.sysusers + +Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch +Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch +Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +Patch0005: 0005-tang-dump-url-on-error-communication.patch +Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch +Patch0007: 0007-avoid-clevis-invalid-msg.patch +Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch +Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +Patch0010: 0010-existing-luks2-token-id.patch +Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch +Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch +Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch + +BuildRequires: git-core +BuildRequires: gcc +BuildRequires: meson +BuildRequires: asciidoc +BuildRequires: ninja-build +BuildRequires: bash-completion + +BuildRequires: libjose-devel >= 8 +BuildRequires: libluksmeta-devel >= 8 +BuildRequires: audit-libs-devel +BuildRequires: libudisks2-devel +BuildRequires: openssl-devel + +BuildRequires: tpm2-tools >= 4.0.0 +BuildRequires: desktop-file-utils +BuildRequires: pkgconfig +BuildRequires: systemd +BuildRequires: systemd-rpm-macros +BuildRequires: dracut +BuildRequires: tang >= 6 +BuildRequires: curl +BuildRequires: cracklib-dicts +BuildRequires: luksmeta +BuildRequires: openssl +BuildRequires: diffutils +BuildRequires: cryptsetup +BuildRequires: jq + +Requires: tpm2-tools >= 4.0.0 +Requires: coreutils +Requires: jose >= 8 +Requires: curl +Requires: jq +Requires(pre): shadow-utils +Requires(post): systemd +Recommends: cracklib-dicts + +%description +Clevis is a framework for automated decryption. It allows you to encrypt +data using sophisticated unlocking policies which enable decryption to +occur automatically. + +The clevis package provides basic encryption/decryption policy support. +Users can use this directly; but most commonly, it will be used as a +building block for other packages. For example, see the clevis-luks +and clevis-dracut packages for automatic root volume unlocking of LUKSv1 +volumes during early boot. + +%package luks +Summary: LUKS integration for clevis +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: cryptsetup +Requires: luksmeta >= 8 + +%description luks +LUKS integration for clevis. This package allows you to bind a LUKS +volume to a clevis unlocking policy. For automated unlocking, an unlocker +will also be required. See, for example, clevis-dracut and clevis-udisks2. + +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 27 +Requires: systemd%{?_isa} >= 235-3 +%else +%if 0%{?fedora} == 27 +Requires: systemd%{?_isa} >= 234-9 +%else +%if 0%{?fedora} == 26 +Requires: systemd%{?_isa} >= 233-7 +%else +Requires: systemd%{?_isa} >= 236 +%endif +%endif +%endif + +%description systemd +Automatically unlocks LUKS _netdev block devices from /etc/crypttab. + +%package dracut +Summary: Dracut integration for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: dracut-network + +%description dracut +Automatically unlocks LUKS block devices in early boot. + +%package udisks2 +Summary: UDisks2/Storaged integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} + +%description udisks2 +Automatically unlocks LUKS block devices in desktop environments that +use UDisks2 or storaged (like GNOME). + +%prep +%autosetup -S git + +%build +%meson -Duser=clevis -Dgroup=clevis +%meson_build + +%install +%meson_install +install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf + +%check +desktop-file-validate \ + %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%meson_test + +%pre +%sysusers_create_compat %{SOURCE1} +# Add clevis user to tss group. +if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then + usermod -a -G tss %{name} &>/dev/null +fi +exit 0 + +%post systemd +systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : + +%files +%license COPYING +%{_datadir}/bash-completion/ +%{_bindir}/%{name}-decrypt-tang +%{_bindir}/%{name}-decrypt-tpm2 +%{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt-null +%{_bindir}/%{name}-decrypt +%{_bindir}/%{name}-encrypt-tang +%{_bindir}/%{name}-encrypt-tpm2 +%{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name}-encrypt-null +%{_bindir}/%{name} +%{_mandir}/man1/%{name}-encrypt-tang.1* +%{_mandir}/man1/%{name}-encrypt-tpm2.1* +%{_mandir}/man1/%{name}-encrypt-sss.1* +%{_mandir}/man1/%{name}-decrypt.1* +%{_mandir}/man1/%{name}.1* +%{_sysusersdir}/clevis.conf + +%files luks +%{_mandir}/man7/%{name}-luks-unlockers.7* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-unbind.1* +%{_mandir}/man1/%{name}-luks-bind.1* +%{_mandir}/man1/%{name}-luks-list.1.* +%{_mandir}/man1/%{name}-luks-edit.1.* +%{_mandir}/man1/%{name}-luks-regen.1.* +%{_mandir}/man1/%{name}-luks-report.1.* +%{_mandir}/man1/%{name}-luks-pass.1.* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-unbind +%{_bindir}/%{name}-luks-bind +%{_bindir}/%{name}-luks-common-functions +%{_bindir}/%{name}-luks-list +%{_bindir}/%{name}-luks-edit +%{_bindir}/%{name}-luks-regen +%{_bindir}/%{name}-luks-report +%{_bindir}/%{name}-luks-pass + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service + +%files dracut +%{_prefix}/lib/dracut/modules.d/60%{name} +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh + +%files udisks2 +%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 + +%changelog +* Fri Apr 14 2023 MSVSphere Packaging Team - 18-110 +- Rebuilt for MSVSphere 9.2 beta + +* Wed Jan 25 2023 Sergio Arroutbi - 15-110 +- luks-edit: remove unnecessary 2>/dev/null + Resolves: rhbz#2159738 + +* Fri Jan 13 2023 Sergio Arroutbi - 15-109 +- luks: define max entropy bits for pwmake + Resolves: rhbz#2159735 + +* Thu Jan 12 2023 Sergio Arroutbi - 15-108 +- Ignore empty & comment lines in crypttab + Resolves: rhbz#2159728 + +* Tue Dec 13 2022 Sergio Arroutbi - 18-107 +- Add existing token id parameter + Resolves: rhbz#2126533 + +* Tue Aug 02 2022 Sergio Correia - 18-106 +- Enable debugging in clevis scripts when rd.debug is set + Resolves: rhbz#2022420 + +* Tue Aug 02 2022 Sergio Arroutbi - 18-105 +- Start clevis-luks-askpass.path service according to global policy + Resolves: rhbz#2107078 + +* Thu Jul 21 2022 Sergio Arroutbi - 18-104 +- Improve boot performance by removing key check + Resolves: rhbz#2099701 + +* Mon Jun 20 2022 Sergio Arroutbi - 18-103 +- Avoid invalid message for clevis command + Resolves: rhbz#2080281 + +* Wed Jan 26 2022 Sergio Correia - 18-102 +- Support a null pin + Resolves: rhbz#2028091 + +* Wed Jan 26 2022 Sergio Correia - 18-101 +- Revert "Enable debugging in clevis scripts when rd.debug is set" + Related: rhbz#2022420 + +* Thu Jan 20 2022 Sergio Arroutbi - 18-100 +- Dump server information on server error communication + Resolves: rhbz#2022423 + +* Tue Jan 04 2022 Sergio Correia - 18-7 +- Explicitly specify pbkdf iterations to cryptsetup + Resolves: rhbz#2022416 + +* Tue Jan 04 2022 Sergio Correia - 18-6 +- Enable debugging in clevis scripts when rd.debug is set + Resolves: rhbz#2022420 + +* Wed Nov 17 2021 Sergio Correia - 18-5 +- Account for unlocking failures in clevis-luks-askpass + Resolves: rhbz#2022421 + +* Mon Aug 09 2021 Mohan Boddu - 18-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 18-3 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri May 07 2021 Sergio Correia - 18-2 +- Port to OpenSSL 3 + Resolves: rhbz#1956760 + +* Tue May 04 2021 Sergio Correia - 18-1 +- Update to new clevis upstream release, v18 + Resolves: rhbz#1956760 + +* Thu Apr 15 2021 Mohan Boddu - 16-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Mar 16 2021 Sergio Correia - 16-2 +- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20 + +* Tue Feb 09 2021 Sergio Correia - 16-1 +- Update to new clevis upstream release, v16. + +* Tue Jan 26 2021 Fedora Release Engineering - 15-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson - 15-3 +- Upstream patch for tpm-tools 5.0 support + +* Thu Oct 29 2020 Sergio Correia - 15-2 +- Add jq to dependencies + +* Wed Oct 28 2020 Sergio Correia - 15-1 +- Update to new clevis upstream release, v15. + +* Tue Sep 08 2020 Sergio Correia - 14-5 +- Suppress output in pre scriptlet when adjusting users/groups + Resolves: rhbz#1876729 + +* Tue Sep 08 2020 Sergio Correia - 14-4 +- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly + when receives a SIGTERM + Resolves: rhbz#1876001 + +* Sat Sep 05 2020 Sergio Correia - 14-3 +- If clevis-luks-askpass is enabled, it may be using a wrong target, + since that changed in v14. Check and update it, if required. + +* Mon Aug 31 2020 Sergio Correia - 14-2 +- Update sources file with new v14 release. + +* Mon Aug 31 2020 Sergio Correia - 14-1 +- Update to new clevis upstream release, v14. + +* Sun Aug 02 2020 Benjamin Gilbert - 13-3 +- Downgrade cracklib-dicts to Recommends + +* Mon Jul 27 2020 Fedora Release Engineering - 13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun May 10 2020 Sergio Correia - 13-1 +- Update to new clevis upstream release, v13. + +* Thu May 07 2020 Sergio Correia - 12-4 +- cracklib-dicts should be also listed as a build dependency, since + it's required for running some of the tests + +* Mon Apr 06 2020 Sergio Correia - 12-3 +- Make cracklib-dicts a regular dependency + +* Tue Jan 28 2020 Fedora Release Engineering - 12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 20 2020 Sergio Correia - 12-1 +- Update to new clevis upstream release, v12. + +* Thu Dec 19 2019 Sergio Correia - 11-11 +- Backport upstream PR#70 - Handle case where we try to use a partially + used luksmeta slot + Resolves: rhbz#1672371 + +* Thu Dec 05 2019 Sergio Correia - 11-10 +- Disable LUKS2 tests for now, since they fail randomly in Koji + builders, killing the build + +* Wed Dec 04 2019 Sergio Correia - 11-9 +- Backport of upstream patches and the following fixes: + - Rework the logic for reading the existing key + - fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 ( + - pins/tang: check that key derivation key is available + +* Wed Oct 30 2019 Peter Robinson 11-8 +- Drop need network patch + +* Fri Sep 06 2019 Javier Martinez Canillas - 11-7 +- Add support for tpm2-tools 4.0 + +* Wed Jul 24 2019 Fedora Release Engineering - 11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Dec 6 2018 Peter Robinson 11-4 +- Update patch for work around + +* Thu Dec 6 2018 Peter Robinson 11-3 +- Work around network requirement for early boot + +* Fri Nov 09 2018 Javier Martinez Canillas - 11-2 +- Delete remaining references to the removed http pin +- Install cryptsetup and tpm2_pcrlist in the initramfs +- Add device TCTI library to the initramfs + Resolves: rhbz#1644876 + +* Tue Aug 14 2018 Nathaniel McCallum - 11-1 +- Update to v11 + +* Thu Jul 12 2018 Fedora Release Engineering - 10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 21 2018 Nathaniel McCallum - 10-1 +- Update to v10 + +* Tue Feb 13 2018 Nathaniel McCallum - 9-1 +- Update to v9 + +* Wed Feb 07 2018 Fedora Release Engineering - 8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Nov 13 2017 Nathaniel McCallum - 8-1 +- Update to v8 + +* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 +- Rebuild for cryptsetup-2.0.0 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 + +* Wed Aug 02 2017 Fedora Release Engineering - 6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 27 2017 Nathaniel McCallum - 6-1 +- New upstream release +- Specify unprivileged user/group during configuration +- Move clevis user/group creation to base clevis package + +* Mon Jun 26 2017 Nathaniel McCallum - 5-1 +- New upstream release +- Run clevis decryption from udisks2 under an unprivileged user + +* Wed Jun 14 2017 Nathaniel McCallum - 4-1 +- New upstream release + +* Wed Jun 14 2017 Nathaniel McCallum - 3-1 +- New upstream release + +* Fri Feb 10 2017 Fedora Release Engineering - 2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 18 2016 Nathaniel McCallum - 2-1 +- New upstream release + +* Mon Nov 14 2016 Nathaniel McCallum - 1-1 +- First release