From e3aff8a77f15d6c69aa1bf769f3280706ddf9467 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Fri, 25 Oct 2024 14:12:16 +0300
Subject: [PATCH] import clevis-21-4.el10

---
 .clevis.metadata | 1 +
 .gitignore | 1 +
 ...n-fix-dracut-for-unconfigured-device.patch | 288 +++++
 .../0002-Fix-potential-race-condition.patch | 49 ++
 SOURCES/clevis.sysusers | 1 +
 SPECS/clevis.spec | 466 ++++++++++++++++++
 6 files changed, 806 insertions(+)
 create mode 100644 .clevis.metadata
 create mode 100644 .gitignore
 create mode 100644 SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
 create mode 100644 SOURCES/0002-Fix-potential-race-condition.patch
 create mode 100644 SOURCES/clevis.sysusers
 create mode 100644 SPECS/clevis.spec

diff --git a/.clevis.metadata b/.clevis.metadata
new file mode 100644
index 0000000..8d0a0c5
--- /dev/null
+++ b/.clevis.metadata
@@ -0,0 +1 @@
+14f8ca6f130651b468c73568e236522839c104a7 SOURCES/clevis-21.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..76ba17b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/clevis-21.tar.xz
diff --git a/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch b/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
new file mode 100644
index 0000000..a80fe03
--- /dev/null
+++ b/SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
@@ -0,0 +1,288 @@
+From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi
+Date: Mon, 30 Sep 2024 11:27:57 +0200
+Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
+
+Signed-off-by: Sergio Arroutbi
+---
+ .../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
+ src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
+ .../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
+ src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
+ 4 files changed, 74 insertions(+), 61 deletions(-)
+
+diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
+index 39d06a0..a7a6d6b 100755
+--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
++++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
+@@ -23,7 +23,7 @@ depends() {
+ }
+
+ install() {
+- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
++ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
+ inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
+ inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
+
+diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+index 8f4092f..b860efa 100755
+--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
++++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+@@ -52,6 +52,7 @@ get_pkcs11_error() {
+ return 0
+ }
+
++
+ if command -v pcscd; then
+ echo "clevis-pkcs11: starting pcscd if not available ..."
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
+@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
+ pkcs11-tool -L
+ fi
+
+-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
+- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
+- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
+- exit 1
+-fi
+-
+-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+- pkcs11_device=""
+- echo "No objects in PKCS11 device detected"
+-fi
+-
+-while [ -z "${pkcs11_device}" ]; do
+- if [ "${dracut_mode}" != true ]; then
+- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
+- if [ -n "${module_paths}" ]; then
+- modules=$(echo ${module_paths} | tr ";" "\n")
+- for module in $modules; do
+- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
+- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+- if [ -n "${pkcs11_device}" ]; then
+- break;
+- fi
+- done
+- fi
+- fi
+- if [ -z "${pkcs11_device}" ]; then
+- if [ "${retry_mode}" == true ]; then
+- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
+- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
+- echo "Won't continue PKCS11 device detection"
+- exit 0
+- fi
+- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
+- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+- if ! pkcs11-tool -O 2>/dev/null; then
+- pkcs11_device=""
+- echo "No objects in PKCS11 device detected"
+- fi
+- else
+- exit 0
+- fi
+- fi
+-done
+-echo "Detected PKCS11 device:${pkcs11_device}"
+-
+ devices_array=()
+ # Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
+ while read -r line;
+@@ -126,6 +82,8 @@ do
+ next_device=0
+ errors=0
+ msg=""
++ # Store passphrases to send to control socket
++ systemd_device=$(echo "${line}" | awk '{print $1}')
+ while [ ${next_device} -ne 1 ]; do
+ uuid=$(echo "${line}" | awk '{print $2}')
+ if ! mapped_device=$(clevis_map_device "${uuid}"); then
+@@ -141,15 +99,23 @@ do
+ fi
+ # If no PKCS#11 configuration, advance to next device
+ if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
+- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
++ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
++ # Send a wrong passphrase
++ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
+ next_device=1
+ continue
+ fi
++ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
++ echo "No PKCS11 device detected" >&2
++ exit 0
++ else
++ echo "Detected PKCS11 device:${pkcs11_device}" >&2
++ fi
+ # Get configuration PKCS#11 URI
+ uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
+ slot_opt=""
+ if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
+- echo "Could not find slot for uri:${uri}"
++ echo "Could not find slot for uri:${uri}" >&2
+ else
+ slot_opt="--slot-index ${slot}"
+ fi
+@@ -159,8 +125,9 @@ do
+ module_opt="--module ${module}"
+ fi
+ echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
+- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
+- echo "No objects on slot:${slot}, module_opt:${module_opt}"
++ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
++ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
++ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
+ next_device=1
+ continue
+ fi
+@@ -175,22 +142,21 @@ do
+ # Get key from PKCS11 pin here and feed AF_UNIX socket program
+ echo "${pin}" > /run/systemd/clevis-pkcs11.pin
+ if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
+- echo "Could not unlock device:${mapped_device}"
++ echo "Could not unlock device:${mapped_device}" >&2
+ msg="$(get_pkcs11_error)"
+ ((errors++))
+ if [ ${errors} -eq ${too_many_errors} ]; then
+- echo "Too many errors !!!" 1>&2
++ echo "Too many errors !!!" >&2
+ next_device=1
+ fi
+ continue
+ fi
+ next_device=1
+- echo "Device:${mapped_device} unlocked successfully by clevis"
++ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
+ if [ "${dracut_mode}" == true ]; then
+ echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
+ fi
+ # Store passphrases to send to control socket
+- systemd_device=$(echo "${line}" | awk '{print $1}')
+ devices_array+=("${systemd_device},${passphrase}")
+ done
+ fi
+diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+index a6ecc63..24bad83 100644
+--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
++++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
+ }
+ char* t = control_msg;
+ int is_device = 1;
+- fprintf(logfile, "Received control message:[%s]\n", t);
+ while((t = strtok(t, ","))) {
+ if (is_device) {
+ fprintf(logfile, "Adding device:%s\n", t);
+@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
+
+ static void int_handler(int s) {
+ if(logfile) {
+- fprintf(logfile, "Closing, signal:[%d]\n", s);
++ fprintf(logfile, "Closing, received signal:[%d]\n", s);
+ fclose(logfile);
+ }
+ exit(EXIT_FAILURE);
+@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
+ break;
+ case 'f':
+ strncpy(sock_file, optarg, MAX_PATH - 1);
++ unlink(sock_file);
+ break;
+ case 'k':
+ strncpy(key, optarg, MAX_KEY - 1);
+@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
+ memset(&sock_addr, 0, sizeof(sock_addr));
+ sock_addr.sun_family = AF_UNIX;
+ strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
+- unlink(sock_file);
+ s = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (s == -1) {
+ perror("socket");
+@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
+ perror("key entry send error");
+ goto efailure;
+ }
+- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
+- entry_key, unlocking_device);
++ fprintf(logfile, "Sending passphrase to device:[%s]\n",
++ unlocking_device);
+ } else {
+ fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
+ }
+diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
+index 4c0629c..571a2be 100755
+--- a/src/pins/pkcs11/clevis-pkcs11-common
++++ b/src/pins/pkcs11/clevis-pkcs11-common
+@@ -27,6 +27,56 @@ serial_devices_array=""
+ URI_EXPECTED_FORMAT="pkcs11:"
+ DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
+
++clevis_detect_pkcs11_device() {
++ dracut_mode="${1:false}"
++ retry_mode="${2:false}"
++ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
++ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
++ echo ""
++ return 1
++ fi
++
++ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
++ pkcs11_device=""
++ echo "No objects in PKCS11 device detected" >&2
++ fi
++
++ while [ -z "${pkcs11_device}" ]; do
++ if [ "${dracut_mode}" != true ]; then
++ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
++ if [ -n "${module_paths}" ]; then
++ modules=$(echo ${module_paths} | tr ";" "\n")
++ for module in $modules; do
++ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
++ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
++ if [ -n "${pkcs11_device}" ]; then
++ break;
++ fi
++ done
++ fi
++ fi
++ if [ -z "${pkcs11_device}" ]; then
++ if [ "${retry_mode}" == true ]; then
++ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
++ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
++ echo ""
++ # Straight Forward Mode
++ return 0
++ fi
++ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
++ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
++ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
++ pkcs11_device=""
++ echo "No objects in PKCS11 device detected" >&2
++ fi
++ else
++ echo "${pkcs11_device}"
++ return 0
++ fi
++ fi
++ done
++}
++
+ clevis_parse_devices_array() {
+ INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
+ counter=0
+@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
+ while read -r line; do
+ uuid=$(echo "${line}" | awk '{print $2}')
+ if ! mapped_device=$(clevis_map_device "${uuid}"); then
+- echo "Could not check mapped device for UID:${uuid}"
+ continue
+ fi
+ # If no PKCS#11 configuration, advance to next device
+ if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
+- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
+ continue
+ fi
+ # Get configuration PKCS#11 URI
+--
+2.46.2
+
diff --git a/SOURCES/0002-Fix-potential-race-condition.patch b/SOURCES/0002-Fix-potential-race-condition.patch
new file mode 100644
index 0000000..029ea36
--- /dev/null
+++ b/SOURCES/0002-Fix-potential-race-condition.patch
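Review bot: `clevis_detect_pkcs11_device` reports "no device" by printing an empty string and returning 0 (both of its `echo ""` / `return 0` branches), but the new call site in clevis-luks-pkcs11-askpin tests only the exit status, so an empty result is logged as `Detected PKCS11 device:` and the entry proceeds into `pkcs11-tool -O ${module_opt} ${slot_opt}` anyway; the caller should also reject the empty case, e.g. `if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}") || [ -z "${pkcs11_device}" ]; then`. The new `dracut_mode="${1:false}"` / `retry_mode="${2:false}"` lines are substring expansions (offset `false` evaluates to 0), not defaults; the intended spelling is `"${1:-false}"` / `"${2:-false}"`, and it is harmless today only because every comparison is against the literal `true`. Because detection now runs once per crypttab entry, the `exit 0` on the no-device path fires from inside the loop, which appears to discard passphrases already collected in `devices_array` for earlier entries (the code that ships that array to the control socket is outside this hunk) and, in retry mode, re-prompts the operator for every entry. The enclosing `while read -r line` loop in clevis-luks-pkcs11-askpin begins before and ends after the hunks shown here.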
@@ -0,0 +1,49 @@
+From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi
+Date: Fri, 27 Sep 2024 12:12:48 +0200
+Subject: [PATCH] Fix potential race condition
+
+Guard the modification of "entry_counter" and the read
+used to decide whether to modify "entry_counter" with the
+same set of locks
+
+Resolves: #478
+
+Signed-off-by: Sergio Arroutbi
+---
+ src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+index a6ecc63..b1e2004 100644
+--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
++++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
+ }
+
+ static void insert_device(const char* dev) {
++ pthread_mutex_lock(&mutex);
+ if(MAX_ENTRIES == entry_counter) {
++ pthread_mutex_unlock(&mutex);
+ perror("No more entries accepted\n");
+ return;
+ }
+- pthread_mutex_lock(&mutex);
+ strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
+ pthread_mutex_unlock(&mutex);
+ }
+
+ static void insert_key(const char* key) {
++ pthread_mutex_lock(&mutex);
+ if(MAX_ENTRIES == entry_counter) {
++ pthread_mutex_unlock(&mutex);
+ perror("No more entries accepted\n");
+ return;
+ }
+- pthread_mutex_lock(&mutex);
+ strncpy(keys[entry_counter++].key, key, MAX_KEY);
+ pthread_mutex_unlock(&mutex);
+ }
+--
+2.46.2
+
diff --git a/SOURCES/clevis.sysusers b/SOURCES/clevis.sysusers
new file mode 100644
index 0000000..daad762
--- /dev/null
+++ b/SOURCES/clevis.sysusers
@@ -0,0 +1 @@
+u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
new file mode 100644
index 0000000..e615b86
--- /dev/null
+++ b/SPECS/clevis.spec
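Review bot: With the counter check now inside the critical section, the copies it guards are still `strncpy(keys[entry_counter].dev, dev, MAX_DEVICE)` and `strncpy(keys[entry_counter++].key, key, MAX_KEY)`, which leave the field unterminated when the input is MAX_DEVICE / MAX_KEY bytes or longer, so a later `%s` on it reads past the field; if those fields are exactly MAX_DEVICE / MAX_KEY bytes (their declarations are outside this hunk), copy `MAX_DEVICE - 1` and set `keys[entry_counter].dev[MAX_DEVICE - 1] = '\0'` (same for the key), as main()'s `-f`/`-k` option parsing in this file already does with `MAX_PATH - 1` / `MAX_KEY - 1`. Both "table full" branches call `perror("No more entries accepted\n")`, which appends `: <strerror(errno)>` after the embedded newline and reports whatever errno happens to hold; `fprintf(stderr, "No more entries accepted\n")` (or the logfile the rest of the file uses) is what is meant. Silently dropping a device/key pair when the table is full also leaves the caller unaware that the passphrase was never registered; returning a status from insert_device/insert_key would let control_thread log it. insert_device and insert_key are shown in full here; their caller is outside the hunk.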
@@ -0,0 +1,466 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+ release_number = 4;
+ base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+ print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+Name: clevis
+Version: 21
+Release: %autorelease
+Summary: Automated decryption framework
+
+License: GPL-3.0-or-later
+URL: https://github.com/latchset/%{name}
+Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Source1: clevis.sysusers
+
+Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
+Patch1: 0002-Fix-potential-race-condition.patch
+
+BuildRequires: git-core
+BuildRequires: gcc
+BuildRequires: meson
+BuildRequires: asciidoc
+BuildRequires: ninja-build
+BuildRequires: bash-completion
+
+BuildRequires: libjose-devel >= 8
+BuildRequires: libluksmeta-devel >= 8
+BuildRequires: audit-libs-devel
+BuildRequires: libudisks2-devel
+BuildRequires: openssl-devel
+
+BuildRequires: tpm2-tools >= 4.0.0
+BuildRequires: desktop-file-utils
+BuildRequires: pkgconfig
+BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
+BuildRequires: dracut
+BuildRequires: tang >= 6
+BuildRequires: curl
+BuildRequires: luksmeta
+BuildRequires: openssl
+BuildRequires: diffutils
+BuildRequires: cryptsetup
+BuildRequires: jq
+BuildRequires: pcsc-lite
+BuildRequires: opensc
+
+Requires: tpm2-tools >= 4.0.0
+Requires: coreutils
+Requires: jose >= 8
+Requires: curl
+Requires: jq
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires: clevis-pin-tpm2
+
+%description
+Clevis is a framework for automated decryption. It allows you to encrypt
+data using sophisticated unlocking policies which enable decryption to
+occur automatically.
+
+The clevis package provides basic encryption/decryption policy support.
+Users can use this directly; but most commonly, it will be used as a +building block for other packages. For example, see the clevis-luks +and clevis-dracut packages for automatic root volume unlocking of +LUKSv1/LUKSv2 volumes during early boot. + +%package luks +Summary: LUKS integration for clevis +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: cryptsetup +Requires: luksmeta >= 8 + +%description luks +LUKS integration for clevis. This package allows you to bind a LUKS +volume to a clevis unlocking policy. For automated unlocking, an unlocker +will also be required. See, for example, clevis-dracut and clevis-udisks2. + +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 27 +Requires: systemd%{?_isa} >= 235-3 +%else +%if 0%{?fedora} == 27 +Requires: systemd%{?_isa} >= 234-9 +%else +%if 0%{?fedora} == 26 +Requires: systemd%{?_isa} >= 233-7 +%else +Requires: systemd%{?_isa} >= 236 +%endif +%endif +%endif + +%description systemd +Automatically unlocks LUKS _netdev block devices from /etc/crypttab. + +%package dracut +Summary: Dracut integration for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: dracut-network + +%description dracut +Automatically unlocks LUKS block devices in early boot. + +%package udisks2 +Summary: UDisks2/Storaged integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} + +%description udisks2 +Automatically unlocks LUKS block devices in desktop environments that +use UDisks2 or storaged (like GNOME). + +%package pin-pkcs11 +Summary: PKCS#11 for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +Requires: %{name}-dracut%{?_isa} = %{version}-%{release} +Requires: pcsc-lite +Requires: opensc + +%description pin-pkcs11 +Automatically unlocks LUKS block devices through a PKCS#11 device. 
+ +%prep +%autosetup -S git + +%build +%meson -Duser=clevis -Dgroup=clevis +%meson_build + +%install +%meson_install +install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf + +%check +desktop-file-validate \ + %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%meson_test + +%pre +%sysusers_create_compat %{SOURCE1} +# Add clevis user to tss group. +if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then + usermod -a -G tss %{name} &>/dev/null +fi +exit 0 + +%files +%license COPYING +%{_datadir}/bash-completion/ +%{_bindir}/%{name}-decrypt-tang +%{_bindir}/%{name}-decrypt-tpm2 +%{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt-null +%{_bindir}/%{name}-decrypt +%{_bindir}/%{name}-encrypt-tang +%{_bindir}/%{name}-encrypt-tpm2 +%{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name}-encrypt-null +%{_bindir}/%{name} +%{_mandir}/man1/%{name}-encrypt-tang.1* +%{_mandir}/man1/%{name}-encrypt-tpm2.1* +%{_mandir}/man1/%{name}-encrypt-sss.1* +%{_mandir}/man1/%{name}-decrypt.1* +%{_mandir}/man1/%{name}.1* +%{_sysusersdir}/clevis.conf + +%files luks +%{_mandir}/man7/%{name}-luks-unlockers.7* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-unbind.1* +%{_mandir}/man1/%{name}-luks-bind.1* +%{_mandir}/man1/%{name}-luks-list.1.* +%{_mandir}/man1/%{name}-luks-edit.1.* +%{_mandir}/man1/%{name}-luks-regen.1.* +%{_mandir}/man1/%{name}-luks-report.1.* +%{_mandir}/man1/%{name}-luks-pass.1.* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-unbind +%{_bindir}/%{name}-luks-bind +%{_bindir}/%{name}-luks-common-functions +%{_bindir}/%{name}-luks-list +%{_bindir}/%{name}-luks-edit +%{_bindir}/%{name}-luks-regen +%{_bindir}/%{name}-luks-report +%{_bindir}/%{name}-luks-pass + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_libexecdir}/%{name}-luks-unlocker +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service + +%files dracut +%{_prefix}/lib/dracut/modules.d/60%{name} 
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh + +%files pin-pkcs11 +%{_libexecdir}/%{name}-luks-pkcs11-askpass +%{_libexecdir}/%{name}-luks-pkcs11-askpin +%{_bindir}/%{name}-decrypt-pkcs11 +%{_bindir}/%{name}-encrypt-pkcs11 +%{_bindir}/%{name}-pkcs11-afunix-socket-unlock +%{_bindir}/%{name}-pkcs11-common +%{_unitdir}/%{name}-luks-pkcs11-askpass.service +%{_unitdir}/%{name}-luks-pkcs11-askpass.socket +%{_mandir}/man1/%{name}-encrypt-pkcs11.1* +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh + +%files udisks2 +%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 + +%post systemd +systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : + +%changelog +## START: Generated by rpmautospec +* Fri Oct 18 2024 Sergio Arroutbi - 21-4 +- Split PKCS#11 files into clevis-pin-pkcs11 package + +* Wed Oct 09 2024 Sergio Arroutbi - 21-3 +- Fix clevis v21 tang functionality at boot time + +* Tue Oct 01 2024 Sergio Arroutbi - 21-2 +- Fix clevis v21 tang functionality at boot time + +* Thu Sep 26 2024 Sergio Arroutbi - 21-1 +- Rebase to clevis-21 upstream version + +* Mon Jun 24 2024 Troy Dawson - 20-4 +- Bump release for June 2024 mass rebuild + +* Wed May 22 2024 koncpa - 20-3 +- Update name of passing set ot tests in gating + +* Tue May 21 2024 koncpa - 20-2 +- Enable RHEL gating for clevis + +* Tue May 21 2024 Sergio Arroutbi - 20-1 +- Rebase to clevis-20 upstream version + +* Wed Jan 24 2024 Fedora Release Engineering - 19-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 
Fedora Release Engineering - 19-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jul 19 2023 Fedora Release Engineering - 19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed May 31 2023 Sergio Arroutbi - 19-3 +- Migrate to SPDX like licensing + +* Tue Feb 28 2023 Sergio Arroutbi - 19-2 +- Include LUKSv2 volumes in description + +* Thu Feb 02 2023 Sergio Correia - 19-1 +- Update to latest upstream version, v19 + +* Wed Jan 18 2023 Fedora Release Engineering - 18-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 16 2022 Sergio Arroutbi - 18-15 +- Backport upstream fixes + +* Fri Aug 05 2022 Luca BRUNO - 18-10 +- Simplify sysusers.d fragment by using default 'nologin' shell + +* Wed Jul 20 2022 Fedora Release Engineering - 18-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Jul 8 2022 Sergio Arroutbi - 18-8 +- Support a null pin + +* Tue Jun 28 2022 Sergio Arroutbi - 18-7 + Start clevis-luks-askpass.patch service according to global policy + +* Wed Jan 19 2022 Fedora Release Engineering - 18-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Oct 29 2021 Sergio Correia - 18-5 + Account for unlocking failures in clevis-luks-askpass + Resolves: rhbz#1878892 + +* Tue Sep 14 2021 Sahana Prasad - 18-4 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 18-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri May 07 2021 Sergio Correia - 18-2 +- Port to OpenSSL 3 + Backport of upstream commit (ee1dfedb) + +* Thu Apr 15 2021 Sergio Correia - 18-1 +- Update to new clevis upstream release, v18. + +* Wed Apr 14 2021 Sergio Correia - 17-1 +- Update to new clevis upstream release, v17. 
+ +* Tue Mar 16 2021 Sergio Correia - 16-2 +- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20 + +* Tue Feb 09 2021 Sergio Correia - 16-1 +- Update to new clevis upstream release, v16. + +* Tue Jan 26 2021 Fedora Release Engineering - 15-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson - 15-3 +- Upstream patch for tpm-tools 5.0 support + +* Thu Oct 29 2020 Sergio Correia - 15-2 +- Add jq to dependencies + +* Wed Oct 28 2020 Sergio Correia - 15-1 +- Update to new clevis upstream release, v15. + +* Tue Sep 08 2020 Sergio Correia - 14-5 +- Suppress output in pre scriptlet when adjusting users/groups + Resolves: rhbz#1876729 + +* Tue Sep 08 2020 Sergio Correia - 14-4 +- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly + when receives a SIGTERM + Resolves: rhbz#1876001 + +* Sat Sep 05 2020 Sergio Correia - 14-3 +- If clevis-luks-askpass is enabled, it may be using a wrong target, + since that changed in v14. Check and update it, if required. + +* Mon Aug 31 2020 Sergio Correia - 14-2 +- Update sources file with new v14 release. + +* Mon Aug 31 2020 Sergio Correia - 14-1 +- Update to new clevis upstream release, v14. + +* Sun Aug 02 2020 Benjamin Gilbert - 13-3 +- Downgrade cracklib-dicts to Recommends + +* Mon Jul 27 2020 Fedora Release Engineering - 13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun May 10 2020 Sergio Correia - 13-1 +- Update to new clevis upstream release, v13. 
+ +* Thu May 07 2020 Sergio Correia - 12-4 +- cracklib-dicts should be also listed as a build dependency, since + it's required for running some of the tests + +* Mon Apr 06 2020 Sergio Correia - 12-3 +- Make cracklib-dicts a regular dependency + +* Tue Jan 28 2020 Fedora Release Engineering - 12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 20 2020 Sergio Correia - 12-1 +- Update to new clevis upstream release, v12. + +* Thu Dec 19 2019 Sergio Correia - 11-11 +- Backport upstream PR#70 - Handle case where we try to use a partially + used luksmeta slot + Resolves: rhbz#1672371 + +* Thu Dec 05 2019 Sergio Correia - 11-10 +- Disable LUKS2 tests for now, since they fail randomly in Koji + builders, killing the build + +* Wed Dec 04 2019 Sergio Correia - 11-9 +- Backport of upstream patches and the following fixes: + - Rework the logic for reading the existing key + - fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 ( + - pins/tang: check that key derivation key is available + +* Wed Oct 30 2019 Peter Robinson 11-8 +- Drop need network patch + +* Fri Sep 06 2019 Javier Martinez Canillas - 11-7 +- Add support for tpm2-tools 4.0 + +* Wed Jul 24 2019 Fedora Release Engineering - 11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Dec 6 2018 Peter Robinson 11-4 +- Update patch for work around + +* Thu Dec 6 2018 Peter Robinson 11-3 +- Work around network requirement for early boot + +* Fri Nov 09 2018 Javier Martinez Canillas - 11-2 +- Delete remaining references to the removed http pin +- Install cryptsetup and tpm2_pcrlist in the initramfs +- Add device TCTI library to the initramfs + Resolves: rhbz#1644876 + +* Tue Aug 14 2018 Nathaniel McCallum - 11-1 +- Update to v11 + +* Thu Jul 12 2018 Fedora Release Engineering - 10-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 21 2018 Nathaniel McCallum - 10-1 +- Update to v10 + +* Tue Feb 13 2018 Nathaniel McCallum - 9-1 +- Update to v9 + +* Wed Feb 07 2018 Fedora Release Engineering - 8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Nov 13 2017 Nathaniel McCallum - 8-1 +- Update to v8 + +* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 +- Rebuild for cryptsetup-2.0.0 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 + +* Wed Aug 02 2017 Fedora Release Engineering - 6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 27 2017 Nathaniel McCallum - 6-1 +- New upstream release +- Specify unprivileged user/group during configuration +- Move clevis user/group creation to base clevis package + +* Mon Jun 26 2017 Nathaniel McCallum - 5-1 +- New upstream release +- Run clevis decryption from udisks2 under an unprivileged user + +* Wed Jun 14 2017 Nathaniel McCallum - 4-1 +- New upstream release + +* Wed Jun 14 2017 Nathaniel McCallum - 3-1 +- New upstream release + +* Fri Feb 10 2017 Fedora Release Engineering - 2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 18 2016 Nathaniel McCallum - 2-1 +- New upstream release + +* Mon Nov 14 2016 Nathaniel McCallum - 1-1 +- First release + +## END: Generated by rpmautospec
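Review bot: The pin-pkcs11 subpackage ships `%{_unitdir}/%{name}-luks-pkcs11-askpass.service` and `.socket` but has no `%post`/`%preun`/`%postun` scriptlets, so the units are never preset on install nor stopped and disabled on removal; add `%post pin-pkcs11` with `%systemd_post %{name}-luks-pkcs11-askpass.socket %{name}-luks-pkcs11-askpass.service` and the matching `%systemd_preun` / `%systemd_postun_with_restart` stanzas. For the same reason `%post systemd` should use `%systemd_post %{name}-luks-askpass.path` (systemd-rpm-macros is already a BuildRequires) instead of the bare `systemctl preset … || :`, and gain `%preun`/`%postun` counterparts. Patch0 makes clevis-luks-pkcs11-askpin pipe into `socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -`, yet nothing in this spec requires socat, so unless another dependency or the dracut module already provides it the unlock path fails at runtime; `Requires: socat` under `%package pin-pkcs11` would close that gap. Finally, `%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2` installs a setuid-root helper; presumably it drops to the unprivileged `clevis` user selected by `-Duser=clevis -Dgroup=clevis` (the 5-1 changelog entry says as much), and a one-line comment above that `%attr` stating so would help the next reviewer audit it.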