commit ed3443b0c3e5b28ceff912fe03644d06d6eae319 Author: CentOS Sources Date: Tue May 16 06:11:42 2023 +0000 import clevis-15-14.el8 diff --git a/.clevis.metadata b/.clevis.metadata new file mode 100644 index 0000000..e096a61 --- /dev/null +++ b/.clevis.metadata @@ -0,0 +1 @@ +ce825a10c5aa885e001c963be4cc4a8dea2137b0 SOURCES/clevis-15.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2e87ac2 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/clevis-15.tar.xz diff --git a/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch b/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch new file mode 100644 index 0000000..23679bc --- /dev/null +++ b/SOURCES/0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch @@ -0,0 +1,176 @@ +From 16f667d9f3d649e33ca762afa1a8a7f909b953a8 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Sun, 25 Oct 2020 11:15:46 -0300 +Subject: [PATCH] Fixes for dealing with newer tang without tangd-update + +--- + src/luks/tests/meson.build | 11 +---------- + src/luks/tests/tests-common-functions.in | 19 +++++++++++-------- + src/pins/tang/meson.build | 11 +---------- + src/pins/tang/pin-tang | 11 ++++++++--- + 4 files changed, 21 insertions(+), 31 deletions(-) + +diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build +index ba5f6a2..c0f9dc3 100644 +--- a/src/luks/tests/meson.build ++++ b/src/luks/tests/meson.build +@@ -17,14 +17,6 @@ kgen = find_program( + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), + required: false + ) +-updt = find_program( +- join_paths(libexecdir, 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), +- required: false +-) + tang = find_program( + join_paths(libexecdir, 'tangd'), + join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), +@@ -58,11 +50,10 @@ env.prepend('PATH', + ) + + has_tang = false +-if actv.found() and kgen.found() and updt.found() and tang.found() ++if actv.found() and kgen.found() and tang.found() + has_tang = true + env.set('SD_ACTIVATE', actv.path()) + env.set('TANGD_KEYGEN', kgen.path()) +- env.set('TANGD_UPDATE', updt.path()) + env.set('TANGD', tang.path()) + endif + +diff --git a/src/luks/tests/tests-common-functions.in b/src/luks/tests/tests-common-functions.in +index 8520715..318d007 100755 +--- a/src/luks/tests/tests-common-functions.in ++++ b/src/luks/tests/tests-common-functions.in +@@ -251,18 +251,19 @@ tang_remove_rotated_keys() { + return 1 + fi + +- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined." +- + local db="${basedir}/db" +- local cache="${basedir}/cache" + mkdir -p "${db}" +- mkdir -p "${cache}" ++ ++ if [ -n "${TANGD_UPDATE}" ]; then ++ local cache="${basedir}/cache" ++ mkdir -p "${cache}" ++ fi + + pushd "${db}" + find . -name ".*.jwk" -exec rm -f {} \; + popd + +- "${TANGD_UPDATE}" "${db}" "${cache}" ++ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" + return 0 + } + +@@ -277,12 +278,12 @@ tang_new_keys() { + fi + + [ -z "${TANGD_KEYGEN}" ] && skip_test "WARNING: TANGD_KEYGEN is not defined." +- [ -z "${TANGD_UPDATE}" ] && skip_test "WARNING: TANGD_UPDATE is not defined." + + local db="${basedir}/db" +- local cache="${basedir}/cache" + mkdir -p "${db}" + ++ [ -n "${TANGD_UPDATE}" ] && local cache="${basedir}/cache" ++ + if [ -n "${rotate}" ]; then + pushd "${db}" + local k +@@ -296,7 +297,7 @@ tang_new_keys() { + fi + + "${TANGD_KEYGEN}" "${db}" +- "${TANGD_UPDATE}" "${db}" "${cache}" ++ [ -n "${TANGD_UPDATE}" ] && "${TANGD_UPDATE}" "${db}" "${cache}" + + return 0 + } +@@ -322,6 +323,8 @@ tang_run() { + fi + + local KEYS="${basedir}/cache" ++ [ -z "${TANGD_UPDATE}" ] && KEYS="${basedir}/db" ++ + local inetd='--inetd' + [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= + +diff --git a/src/pins/tang/meson.build b/src/pins/tang/meson.build +index f7d8226..ebcdd4a 100644 +--- a/src/pins/tang/meson.build ++++ b/src/pins/tang/meson.build +@@ -12,14 +12,6 @@ kgen = find_program( + join_paths('/', 'usr', get_option('libexecdir'), 'tangd-keygen'), + required: false + ) +-updt = find_program( +- join_paths(libexecdir, 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libdir'), 'tangd-update'), +- join_paths(get_option('prefix'), get_option('libexecdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libdir'), 'tangd-update'), +- join_paths('/', 'usr', get_option('libexecdir'), 'tangd-update'), +- required: false +-) + tang = find_program( + join_paths(libexecdir, 'tangd'), + join_paths(get_option('prefix'), get_option('libdir'), 'tangd'), +@@ -35,11 +27,10 @@ if curl.found() + bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang') + mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1') + +- if actv.found() and kgen.found() and updt.found() and tang.found() ++ if actv.found() and kgen.found() and tang.found() + env = environment() + env.set('SD_ACTIVATE', actv.path()) + env.set('TANGD_KEYGEN', kgen.path()) +- env.set('TANGD_UPDATE', updt.path()) + env.set('TANGD', tang.path()) + env.prepend('PATH', + join_paths(meson.source_root(), 'src'), +diff --git a/src/pins/tang/pin-tang b/src/pins/tang/pin-tang +index 98e5e4d..a63d0a2 100755 +--- a/src/pins/tang/pin-tang ++++ b/src/pins/tang/pin-tang +@@ -31,8 +31,12 @@ mkdir -p "$TMP"/db + mkdir -p "$TMP"/cache + + # Generate the server keys ++KEYS="$TMP"/db + "${TANGD_KEYGEN}" "$TMP"/db sig exc +-"${TANGD_UPDATE}" "$TMP"/db "$TMP"/cache ++if which tangd-update; then ++ tangd-update "$TMP"/db "$TMP"/cache ++ KEYS="$TMP"/cache ++fi + + # Start the server + port="$(shuf -i 1024-65536 -n 1)" +@@ -40,13 +44,14 @@ port="$(shuf -i 1024-65536 -n 1)" + inetd='--inetd' + [ "${SD_ACTIVATE##*/}" = "systemd-activate" ] && inetd= + +-"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$TMP"/cache & ++"$SD_ACTIVATE" $inetd -l 127.0.0.1:"$port" -a "$TANGD" "$KEYS" & + PID=$! + sleep 0.25 + + thp="$(jose jwk thp -i "$TMP/db/sig.jwk")" +-adv="$TMP/cache/default.jws" + url="http://localhost:${port}" ++adv="$TMP/adv" ++curl "$url/adv" -o "$adv" + + cfg="$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")" + enc="$(echo -n "hi" | clevis encrypt tang "$cfg")" +-- +2.18.4 + diff --git a/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch b/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch new file mode 100644 index 0000000..103911c --- /dev/null +++ b/SOURCES/0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch @@ -0,0 +1,309 @@ +From aa52396c35e76aabd085a819b08167d559042a20 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 3 Nov 2020 08:42:48 -0300 +Subject: [PATCH 2/2] Add the option to extract luks passphrase used for + binding + +Usage: + +clevis luks pass -d /dev/sda1 -s 1 + +--- + src/luks/clevis-luks-pass | 64 ++++++++++++++++++++++++++++++++ + src/luks/clevis-luks-pass.1.adoc | 43 +++++++++++++++++++++ + src/luks/meson.build | 3 ++ + src/luks/tests/meson.build | 2 + + src/luks/tests/pass-tang-luks1 | 59 +++++++++++++++++++++++++++++ + src/luks/tests/pass-tang-luks2 | 59 +++++++++++++++++++++++++++++ + 6 files changed, 230 insertions(+) + create mode 100755 src/luks/clevis-luks-pass + create mode 100644 src/luks/clevis-luks-pass.1.adoc + create mode 100755 src/luks/tests/pass-tang-luks1 + create mode 100755 src/luks/tests/pass-tang-luks2 + +diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass +new file mode 100755 +index 0000000..1f59b39 +--- /dev/null ++++ b/src/luks/clevis-luks-pass +@@ -0,0 +1,64 @@ ++#!/bin/bash -e ++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia - LUKS2 support. ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++. clevis-luks-common-functions ++ ++SUMMARY="Returns the LUKS passphrase used for binding a particular slot." ++ ++usage() { ++ exec >&2 ++ echo "Usage: clevis luks pass -d DEV -s SLT" ++ echo ++ echo "$SUMMARY" ++ echo ++ echo " -d DEV The LUKS device to extract the LUKS passphrase used for binding" ++ echo ++ echo " -s SLOT The slot number to extract the LUKS passphrase" ++ echo ++ exit 1 ++} ++ ++if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then ++ echo "${SUMMARY}" ++ exit 0 ++fi ++ ++while getopts ":d:s:" o; do ++ case "$o" in ++ d) DEV=${OPTARG};; ++ s) SLT=${OPTARG};; ++ *) usage;; ++ esac ++done ++ ++if [ -z "${DEV}" ]; then ++ echo "Did not specify a device!" >&2 ++ usage ++fi ++ ++if [ -z "${SLT}" ]; then ++ echo "Did not specify a slot!" >&2 ++ usage ++fi ++ ++if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}"; then ++ echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2 ++ exit 1 ++fi +diff --git a/src/luks/clevis-luks-pass.1.adoc b/src/luks/clevis-luks-pass.1.adoc +new file mode 100644 +index 0000000..fa9526a +--- /dev/null ++++ b/src/luks/clevis-luks-pass.1.adoc +@@ -0,0 +1,43 @@ ++CLEVIS-LUKS-PASS(1) ++=================== ++:doctype: manpage ++ ++ ++== NAME ++ ++clevis-luks-pass - Extracts the passphrase used for binding a particular slot in a LUKS device ++ ++== SYNOPSIS ++ ++*clevis luks pass* -d DEV -s SLT ++ ++== OVERVIEW ++ ++The *clevis luks pass* command extracts the passphrase used for binding a particular slot in a LUKS device. ++For example: ++ ++ clevis luks pass -d /dev/sda1 -s 1 ++ ++== OPTIONS ++ ++* *-d* _DEV_ : ++ The LUKS device on which to extract a passphrase from ++ ++* *-s* _SLT_ : ++ The slot to use for extracting the passphrase ++ ++== EXAMPLE ++ ++ clevis luks pass -d /dev/sda1 -s 1 ++ ++ ++Note that the output of *clevis luks pass* might be non-printable, in which case it would be better to redirect its output to a file and use it as a key ++file together with cryptsetup. For instance: ++ ++ clevis luks pass -d /dev/sda1 -s 1 > slot1-passphrase ++ ++And the file slot1-passphrase will contain the passphrase associated with slot #1 in /dev/sda1. ++ ++== SEE ALSO ++ ++link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)], +diff --git a/src/luks/meson.build b/src/luks/meson.build +index 12f5a0d..008736e 100644 +--- a/src/luks/meson.build ++++ b/src/luks/meson.build +@@ -50,6 +50,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found() + + bins += join_paths(meson.current_source_dir(), 'clevis-luks-edit') + mans += join_paths(meson.current_source_dir(), 'clevis-luks-edit.1') ++ ++ bins += join_paths(meson.current_source_dir(), 'clevis-luks-pass') ++ mans += join_paths(meson.current_source_dir(), 'clevis-luks-pass.1') + else + warning('Will not install LUKS support due to missing dependencies!') + endif +diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build +index c22a069..f4584aa 100644 +--- a/src/luks/tests/meson.build ++++ b/src/luks/tests/meson.build +@@ -84,6 +84,7 @@ if has_tang + test('report-tang-luks1', find_program('report-tang-luks1'), env: env, timeout: 90) + test('report-sss-luks1', find_program('report-sss-luks1'), env: env, timeout: 90) + test('edit-tang-luks1', find_program('edit-tang-luks1'), env: env, timeout: 150) ++ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60) + endif + + test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60) +@@ -111,6 +112,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0' + test('report-tang-luks2', find_program('report-tang-luks2'), env: env, timeout: 120) + test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120) + test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210) ++ test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60) + endif + + test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120) +diff --git a/src/luks/tests/pass-tang-luks1 b/src/luks/tests/pass-tang-luks1 +new file mode 100755 +index 0000000..0d91e6c +--- /dev/null ++++ b/src/luks/tests/pass-tang-luks1 +@@ -0,0 +1,59 @@ ++#!/bin/bash -x ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++TEST="${0}" ++. tests-common-functions ++. clevis-luks-common-functions ++ ++function on_exit() { ++ [ ! -d "${TMP}" ] && return 0 ++ tang_stop "${TMP}" ++ rm -rf "${TMP}" ++} ++ ++trap 'on_exit' EXIT ++ ++TMP=$(mktemp -d) ++ ++port=$(get_random_port) ++tang_run "${TMP}" "${port}" & ++tang_wait_until_ready "${port}" ++ ++url="http://localhost:${port}" ++adv="${TMP}/adv" ++tang_get_adv "${port}" "${adv}" ++ ++cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") ++ ++# LUKS1. ++DEV="${TMP}/luks1-device" ++new_device "luks1" "${DEV}" ++ ++if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then ++ error "${TEST}: Bind should have succeeded." ++fi ++ ++# Now let's test the passphrase. ++SLT=1 ++PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") ++echo $PASS >&2 ++if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then ++ error "Passphrase obtained from clevis luks pass failed." ++fi +diff --git a/src/luks/tests/pass-tang-luks2 b/src/luks/tests/pass-tang-luks2 +new file mode 100755 +index 0000000..2d50413 +--- /dev/null ++++ b/src/luks/tests/pass-tang-luks2 +@@ -0,0 +1,59 @@ ++#!/bin/bash -x ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++TEST="${0}" ++. tests-common-functions ++. clevis-luks-common-functions ++ ++function on_exit() { ++ [ ! -d "${TMP}" ] && return 0 ++ tang_stop "${TMP}" ++ rm -rf "${TMP}" ++} ++ ++trap 'on_exit' EXIT ++ ++TMP=$(mktemp -d) ++ ++port=$(get_random_port) ++tang_run "${TMP}" "${port}" & ++tang_wait_until_ready "${port}" ++ ++url="http://localhost:${port}" ++adv="${TMP}/adv" ++tang_get_adv "${port}" "${adv}" ++ ++cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv") ++ ++# LUKS2. ++DEV="${TMP}/luks2-device" ++new_device "luks2" "${DEV}" ++ ++if ! clevis luks bind -f -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then ++ error "${TEST}: Bind should have succeeded." ++fi ++ ++# Now let's test the passphrase. ++SLT=1 ++PASS=$(clevis luks pass -d "${DEV}" -s "${SLT}") ++echo $PASS >&2 ++if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" "${PASS}" "" "${SLT}"; then ++ error "Passphrase obtained from clevis luks pass failed." ++fi +-- +2.29.2 + diff --git a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch new file mode 100644 index 0000000..35738b5 --- /dev/null +++ b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch @@ -0,0 +1,41 @@ +From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Fri, 29 Oct 2021 12:04:46 -0300 +Subject: [PATCH 3/3] systemd: account for unlocking failures in + clevis-luks-askpass (#343) + +As unlock may fail for some reason, e.g. the network is not up yet, +one way cause problems would be to add extra `rd.luks.uuid' params +to the cmdline, which would then cause such devices to be unlocked +in early boot. If the unlocking fail, those devices might not be +accounted for in the clevis_devices_to_unlock() check, as it is +based on crypttab. + +Let's make sure there are no pending ask.* sockets waiting to be +answered, before exiting. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 +--- + src/luks/systemd/clevis-luks-askpass | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass +index 285bba4..f19671f 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass +@@ -67,8 +67,11 @@ while true; do + done + + [ "${loop}" != true ] && break ++ + # Checking for pending devices to be unlocked. +- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then ++ remaining_crypttab=$(clevis_devices_to_unlock) ||: ++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: ++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then + break; + fi + +-- +2.33.1 + diff --git a/SOURCES/0004-systemd-drop-ncat-dependency.patch b/SOURCES/0004-systemd-drop-ncat-dependency.patch new file mode 100644 index 0000000..fbd22de --- /dev/null +++ b/SOURCES/0004-systemd-drop-ncat-dependency.patch @@ -0,0 +1,101 @@ +From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 18 Nov 2021 16:45:58 -0300 +Subject: [PATCH 4/4] systemd: drop ncat dependency + +When using systemd, i.e., clevis-luks-askpass, we use ncat to send +the decrypted password to the systemd socket as per systemd's password +agents specification [1]. + +However, systemd itself has a utility that does exactly that, +systemd-reply-password. + +In this commit we drop the ncat dependency and instead use +systemd-reply-password in clevis-luks-askpass. + +[1] https://systemd.io/PASSWORD_AGENTS/ +--- + ...is-luks-askpass => clevis-luks-askpass.in} | 2 +- + .../systemd/dracut/clevis/module-setup.sh.in | 4 ++-- + src/luks/systemd/meson.build | 19 +++++++++++++++++-- + 3 files changed, 20 insertions(+), 5 deletions(-) + rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in +similarity index 97% +rename from src/luks/systemd/clevis-luks-askpass +rename to src/luks/systemd/clevis-luks-askpass.in +index f19671f..a6699c9 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass.in +@@ -58,7 +58,7 @@ while true; do + fi + + uuid="$(cryptsetup luksUUID "${d}")" +- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then ++ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then + echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2 + continue + fi +diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in +index ebf969f..d46c6e2 100755 +--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in ++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in +@@ -36,6 +36,7 @@ install() { + + inst_multiple \ + /etc/services \ ++ @SYSTEMD_REPLY_PASS@ \ + @libexecdir@/clevis-luks-askpass \ + clevis-luks-common-functions \ + grep sed cut \ +@@ -45,8 +46,7 @@ install() { + luksmeta \ + clevis \ + mktemp \ +- jose \ +- ncat ++ jose + + dracut_need_initqueue + } +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index 369e7f7..e3b3d91 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -1,6 +1,15 @@ + systemd = dependency('systemd', required: false) + +-if systemd.found() ++sd_reply_pass = find_program( ++ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), ++ required: false ++) ++ ++if systemd.found() and sd_reply_pass.found() ++ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) + subdir('dracut') + + unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') +@@ -12,8 +21,14 @@ if systemd.found() + configuration: data, + ) + ++ configure_file( ++ input: 'clevis-luks-askpass.in', ++ output: 'clevis-luks-askpass', ++ install_dir: libexecdir, ++ configuration: data ++ ) ++ + install_data('clevis-luks-askpass.path', install_dir: unitdir) +- install_data('clevis-luks-askpass', install_dir: libexecdir) + else + warning('Will not install systemd support due to missing dependencies!') + endif +-- +2.33.1 + diff --git a/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch b/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch new file mode 100644 index 0000000..e20b68b --- /dev/null +++ b/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch @@ -0,0 +1,26 @@ +From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 25 Nov 2021 19:18:03 -0300 +Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't + happen + +--- + src/luks/clevis-luks-common-functions | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 879ca4c..df8e16d 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() { + return 1 + fi + +- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \ ++ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \ + || [ -z "${passphrase}" ]; then + return 1 + fi +-- +2.33.1 + diff --git a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch new file mode 100644 index 0000000..e7df18a --- /dev/null +++ b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch @@ -0,0 +1,45 @@ +From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= + <1163635+rmetrich@users.noreply.github.com> +Date: Wed, 1 Dec 2021 09:37:35 -0300 +Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is + set (#340) + +On Fedora/RHEL, the rd.debug kernel command line parameter controls +debugging. +By implementing the functionality inside clevis, troubleshooting will be +greatly eased. +See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). +--- + src/luks/clevis-luks-common-functions | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index df8e16d..67ece72 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -20,6 +20,21 @@ + + CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" + ++enable_debugging() { ++ # Automatically enable debugging if in initramfs phase and rd.debug ++ if [ -e /usr/lib/dracut-lib.sh ]; then ++ local bashopts=$- ++ # Because dracut is loosely written, disable hardening options temporarily ++ [[ $bashopts != *u* ]] || set +u ++ [[ $bashopts != *e* ]] || set +e ++ . /usr/lib/dracut-lib.sh ++ [[ $bashopts != *u* ]] || set -u ++ [[ $bashopts != *e* ]] || set -e ++ fi ++} ++ ++enable_debugging ++ + # valid_slot() will check whether a given slot is possibly valid, i.e., if it + # is a numeric value within the specified range. + valid_slot() { +-- +2.33.1 + diff --git a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch new file mode 100644 index 0000000..18cee3b --- /dev/null +++ b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch @@ -0,0 +1,83 @@ +From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001 +From: Renaud Metrich +Date: Fri, 7 Jan 2022 12:13:03 -0300 +Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup + +This fixes an Out of memory error when the system has not much memory, +such as a VM configured with 2GB currently being installed through the +network (hence having ~1GB free memory only). +See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). +--- + src/luks/clevis-luks-bind.in | 7 +++++-- + src/luks/clevis-luks-common-functions | 7 ++++++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in +index 4748c08..017f762 100755 +--- a/src/luks/clevis-luks-bind.in ++++ b/src/luks/clevis-luks-bind.in +@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \ + exit 1 + fi + ++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + if [ "$luks_type" == "luks1" ]; then ++ pbkdf_args= + # In certain circumstances, we may have LUKSMeta slots "not in sync" with + # cryptsetup, which means we will try to save LUKSMeta metadata over an + # already used or partially used slot -- github issue #70. +@@ -184,7 +186,7 @@ fi + + # Add the new key. + if [ -n "$SLT" ]; then +- cryptsetup luksAddKey --key-slot "$SLT" --key-file \ ++ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \ + <(echo -n "$existing_key") "$DEV" + else + if [ $luks_type == "luks2" ]; then +@@ -194,7 +196,8 @@ else + readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ + | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') + fi +- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV" ++ cryptsetup luksAddKey ${pbkdf_args} \ ++ --key-file <(echo -n "${existing_key}") "$DEV" + fi < <(echo -n "${key}") + if [ $? -ne 0 ]; then + echo "Error while adding new key to LUKS header!" >&2 +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 67ece72..038cc37 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -760,10 +760,12 @@ clevis_luks_add_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ + --key-slot "${SLT}" \ + "${DEV}" \ ++ ${pbkdf_args} \ + ${extra_args} + } + +@@ -792,11 +794,14 @@ clevis_luks_update_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + if [ -n "${in_place}" ]; then + printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ + --key-slot "${SLT}" \ +- --batch-mode ${extra_args} ++ --batch-mode \ ++ ${pbkdf_args} \ ++ ${extra_args} + return + fi + +-- +2.33.1 + diff --git a/SOURCES/0008-tang-dump-url-on-error-communication.patch b/SOURCES/0008-tang-dump-url-on-error-communication.patch new file mode 100644 index 0000000..e907694 --- /dev/null +++ b/SOURCES/0008-tang-dump-url-on-error-communication.patch @@ -0,0 +1,16 @@ +--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100 ++++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100 +@@ -73,10 +73,10 @@ + + xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" + +-url="$url/rec/$kid" ++rec_url="$url/rec/$kid" + ct="Content-Type: application/jwk+json" +-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then +- echo "Error communicating with the server!" >&2 ++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then ++ echo "Error communicating with the server $url" >&2 + exit 1 + fi + diff --git a/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch new file mode 100644 index 0000000..deb5ad3 --- /dev/null +++ b/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch @@ -0,0 +1,213 @@ +From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001 +From: Antonio Murdaca +Date: Wed, 1 Dec 2021 14:17:53 +0100 +Subject: [PATCH 9/9] feat: rename the test pin to null pin + +Signed-off-by: Antonio Murdaca +--- + src/initramfs-tools/hooks/clevis.in | 1 + + .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ + .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ + src/luks/systemd/dracut/meson.build | 1 + + ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- + ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- + src/pins/sss/meson.build | 5 +++- + src/pins/sss/{pin-test => pin-null} | 4 +-- + src/pins/sss/pin-sss | 12 ++++---- + 9 files changed, 60 insertions(+), 13 deletions(-) + create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build + create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in + rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) + rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) + rename src/pins/sss/{pin-test => pin-null} (53%) + +diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in +index cc3b492..448ba96 100755 +--- a/src/initramfs-tools/hooks/clevis.in ++++ b/src/initramfs-tools/hooks/clevis.in +@@ -58,6 +58,7 @@ fi + + copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" + copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" ++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" + copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" + copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" + copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" +diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build +new file mode 100644 +index 0000000..107e3ba +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build +@@ -0,0 +1,14 @@ ++dracut = dependency('dracut', required: false) ++ ++if dracut.found() ++ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' ++ ++ configure_file( ++ input: 'module-setup.sh.in', ++ output: 'module-setup.sh', ++ install_dir: dracutdir, ++ configuration: data, ++ ) ++else ++ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') ++endif +diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +new file mode 100755 +index 0000000..6a16078 +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +@@ -0,0 +1,28 @@ ++#!/bin/bash ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2016 Red Hat, Inc. ++# Author: Nathaniel McCallum ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++depends() { ++ echo clevis ++ return 0 ++} ++ ++install() { ++ inst clevis-decrypt-null ++} +diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build +index fdb264b..7ad5b14 100644 +--- a/src/luks/systemd/dracut/meson.build ++++ b/src/luks/systemd/dracut/meson.build +@@ -2,3 +2,4 @@ subdir('clevis') + subdir('clevis-pin-tang') + subdir('clevis-pin-tpm2') + subdir('clevis-pin-sss') ++subdir('clevis-pin-null') +diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null +similarity index 88% +rename from src/pins/sss/clevis-decrypt-test +rename to src/pins/sss/clevis-decrypt-null +index f0e9249..a6217ed 100755 +--- a/src/pins/sss/clevis-decrypt-test ++++ b/src/pins/sss/clevis-decrypt-null +@@ -22,11 +22,11 @@ + + read -r -d . hdr + +-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then ++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then + echo "JWE pin mismatch!" >&2 + exit 1 + fi + +-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 ++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 + + exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) +diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null +similarity index 90% +rename from src/pins/sss/clevis-encrypt-test +rename to src/pins/sss/clevis-encrypt-null +index bd2d6ec..af182a5 100755 +--- a/src/pins/sss/clevis-encrypt-test ++++ b/src/pins/sss/clevis-encrypt-null +@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then + fi + + jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" +-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' ++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' + + if ! jose fmt -j "$cfg" -g fail -T; then +- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" ++ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" + fi + + exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) +diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build +index 7f20eea..2a5295a 100644 +--- a/src/pins/sss/meson.build ++++ b/src/pins/sss/meson.build +@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() + separator: ':' + ) + ++ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') ++ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') ++ + test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) +- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) ++ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) + else + warning('Will not install sss pin due to missing dependencies!') + endif +diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null +similarity index 53% +rename from src/pins/sss/pin-test +rename to src/pins/sss/pin-null +index 50c8c67..b14ac63 100755 +--- a/src/pins/sss/pin-test ++++ b/src/pins/sss/pin-null +@@ -2,9 +2,9 @@ + + trap 'exit' ERR + +-e="$(echo -n hi | clevis encrypt test '{}')" ++e="$(echo -n hi | clevis encrypt null '{}')" + d="$(echo -n "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo -n hi | clevis encrypt test '{"fail":true}')" ++e="$(echo -n hi | clevis encrypt null '{"fail":true}')" + ! echo "$e" | clevis decrypt +diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss +index 5c0b8cf..24da052 100755 +--- a/src/pins/sss/pin-sss ++++ b/src/pins/sss/pin-sss +@@ -1,24 +1,24 @@ + #!/bin/bash -ex + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + + ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" +-- +2.33.1 + diff --git a/SOURCES/0010-avoid-clevis-invalid-msg.patch b/SOURCES/0010-avoid-clevis-invalid-msg.patch new file mode 100644 index 0000000..bf86dec --- /dev/null +++ b/SOURCES/0010-avoid-clevis-invalid-msg.patch @@ -0,0 +1,24 @@ +--- clevis-15.ori/src/clevis 2020-10-28 19:55:47.663228800 +0100 ++++ clevis-15/src/clevis 2022-06-22 11:06:27.061230653 +0200 +@@ -27,6 +27,7 @@ + } + + cmd=clevis ++input_commands="$cmd $@" + while [ $# -gt 0 ]; do + [[ "$1" =~ ^- ]] && break + cmd="$cmd-$1" +@@ -36,8 +37,11 @@ + done + + exec >&2 +-echo +-echo "Command '$cmd' is invalid" ++if [ "$cmd" != "clevis" ]; ++then ++ echo ++ echo "Command '$input_commands' is invalid" ++fi + echo + echo "Usage: clevis COMMAND [OPTIONS]" + echo diff --git a/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch b/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch new file mode 100644 index 0000000..8d0a70a --- /dev/null +++ b/SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch @@ -0,0 +1,53 @@ +From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001 +From: Sergio Arroutbi +Date: Tue, 2 Aug 2022 11:07:00 -0300 +Subject: [PATCH] Improve boot performance by removing key check + +--- + src/luks/clevis-luks-common-functions | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 038cc37..950f217 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() { + clevis_luks_unlock_device_by_slot() { + local DEV="${1}" + local SLT="${2}" ++ local SKIP_CHECK="${3}" + + [ -z "${DEV}" ] && return 1 + [ -z "${SLT}" ] && return 1 +@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() { + return 1 + fi + +- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 ++ if [ -z "${SKIP_CHECK}" ]; then ++ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1 ++ fi + printf '%s' "${passphrase}" + } + +@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() { + # parameter and returns the decoded passphrase. + clevis_luks_unlock_device() { + local DEV="${1}" ++ local SKIP_CHECK="YES" ++ + [ -z "${DEV}" ] && return 1 + + local used_slots +@@ -361,7 +366,7 @@ clevis_luks_unlock_device() { + + local slt pt + for slt in ${used_slots}; do +- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \ ++ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \ + || [ -z "${pt}" ]; then + continue + fi +-- +2.35.1 + diff --git a/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch b/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch new file mode 100644 index 0000000..7dcd5ac --- /dev/null +++ b/SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch @@ -0,0 +1,16 @@ +--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 11:11:03.050262054 +0100 ++++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 11:19:16.004358405 +0100 +@@ -413,7 +413,12 @@ + clevis_devices= + + # Build list of devices to unlock. +- while read -r _ crypt_device _; do ++ while read -r _volname_ crypt_device _; do ++ # skip empty lines and lines which begin with the '#' char, per ++ # crypttab(5) ++ case $_volname_ in ++ ''|\#*) continue ;; ++ esac + if ! dev=$(clevis_map_device "${crypt_device}") \ + || [ -z "${dev}" ]; then + # Unable to get the device - maybe it's not available, e.g. a diff --git a/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch new file mode 100644 index 0000000..4b18e61 --- /dev/null +++ b/SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch @@ -0,0 +1,73 @@ +--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100 ++++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100 +@@ -101,7 +101,7 @@ + + This command performs four steps: + +-1. Creates a new key with the same entropy as the LUKS master key. ++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. + 2. Encrypts the new key with Clevis. + 3. Stores the Clevis JWE in the LUKS header. + 4. Enables the new key for use with LUKS. +--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100 ++++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100 +@@ -20,7 +20,7 @@ + + This command performs four steps: + +-1. Creates a new key with the same entropy as the LUKS master key. ++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256. + 2. Encrypts the new key with Clevis. + 3. Stores the Clevis JWE in the LUKS header. + 4. Enables the new key for use with LUKS. +--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100 ++++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100 +@@ -865,6 +865,7 @@ + [ -z "${DEV}" ] && return 1 + + local dump filter bits ++ local MAX_ENTROPY_BITS=256 + dump=$(cryptsetup luksDump "${DEV}") + if cryptsetup isLuks --type luks1 "${DEV}"; then + filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')" +@@ -876,6 +877,9 @@ + fi + + bits="$(echo -n "${filter}" | sort -n | tail -n 1)" ++ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then ++ bits="${MAX_ENTROPY_BITS}" ++ fi + pwmake "${bits}" + } + +--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100 ++++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100 +@@ -19,6 +19,8 @@ + # along with this program. If not, see . + # + ++. clevis-luks-common-functions ++ + SUMMARY="Binds a LUKS device using the specified policy" + UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e + +@@ -139,14 +141,11 @@ + fi + + # Generate a key with the same entropy as the LUKS Master Key +-key="$(pwmake "$( +-cryptsetup luksDump "$DEV" \ +- | if [ "$luks_type" == "luks1" ]; then +- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p' +- else +- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p' +- fi | sort -n | tail -n 1 +-)")" ++if ! key="$(clevis_luks_generate_key "${DEV}")" \ ++ || [ -z "${key}" ]; then ++ echo "Unable to generate key for ${DEV}" >&2 ++ return 1 ++fi + + # Encrypt the new key + jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")" diff --git a/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch new file mode 100644 index 0000000..0280ec5 --- /dev/null +++ b/SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch @@ -0,0 +1,11 @@ +--- clevis-15.ori/src/luks/clevis-luks-edit 2020-10-28 19:55:47.663228800 +0100 ++++ clevis-15/src/luks/clevis-luks-edit 2023-01-16 12:03:14.006998399 +0100 +@@ -173,7 +173,7 @@ + + echo "Updating binding..." + if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \ +- "-y" "overwrite" 2>/dev/null; then ++ "-y" "overwrite"; then + echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2 + exit 1 + fi diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec new file mode 100644 index 0000000..592ac6e --- /dev/null +++ b/SPECS/clevis.spec @@ -0,0 +1,370 @@ +%global _hardened_build 1 + +Name: clevis +Version: 15 +Release: 14%{?dist} +Summary: Automated decryption framework + +License: GPLv3+ +URL: https://github.com/latchset/%{name} +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz + +Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch +Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch +Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +Patch0004: 0004-systemd-drop-ncat-dependency.patch +Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch +Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +Patch0008: 0008-tang-dump-url-on-error-communication.patch +Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch +Patch0010: 0010-avoid-clevis-invalid-msg.patch +Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch +Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch +Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch +Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch + +BuildRequires: git +BuildRequires: gcc +BuildRequires: meson +BuildRequires: asciidoc +BuildRequires: ninja-build +BuildRequires: bash-completion + +BuildRequires: libjose-devel >= 8 +BuildRequires: libluksmeta-devel >= 8 +BuildRequires: audit-libs-devel +BuildRequires: libudisks2-devel +BuildRequires: openssl-devel + +BuildRequires: tpm2-tools >= 3.0.0 +BuildRequires: desktop-file-utils +BuildRequires: pkgconfig +BuildRequires: systemd +BuildRequires: dracut +BuildRequires: tang >= 6 +BuildRequires: curl +BuildRequires: luksmeta +BuildRequires: cracklib-dicts +BuildRequires: jq +BuildRequires: diffutils +BuildRequires: expect +BuildRequires: openssl + +Requires: cracklib-dicts +Requires: tpm2-tools >= 3.0.0 +Requires: coreutils +Requires: jose >= 8 +Requires: curl +Requires: jq +Requires(pre): shadow-utils +Requires(post): systemd + +%description +Clevis is a framework for automated decryption. It allows you to encrypt +data using sophisticated unlocking policies which enable decryption to +occur automatically. + +The clevis package provides basic encryption/decryption policy support. +Users can use this directly; but most commonly, it will be used as a +building block for other packages. For example, see the clevis-luks +and clevis-dracut packages for automatic root volume unlocking of LUKS +volumes during early boot. + +%package luks +Summary: LUKS integration for clevis +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: cryptsetup +Requires: luksmeta >= 8 + +%description luks +LUKS integration for clevis. This package allows you to bind a LUKS +volume to a clevis unlocking policy. For automated unlocking, an unlocker +will also be required. See, for example, clevis-dracut and clevis-udisks2. + +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 27 +Requires: systemd%{?_isa} >= 235-3 +%else +%if 0%{?fedora} == 27 +Requires: systemd%{?_isa} >= 234-9 +%else +%if 0%{?fedora} == 26 +Requires: systemd%{?_isa} >= 233-7 +%else +Requires: systemd%{?_isa} >= 236 +%endif +%endif +%endif + +%description systemd +Automatically unlocks clevis-bound LUKS block devices during boot. + +%package dracut +Summary: Dracut integration for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: dracut-network + +%description dracut +Automatically unlocks LUKS block devices in early boot. + +%package udisks2 +Summary: UDisks2/Storaged integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} + +%description udisks2 +Automatically unlocks LUKS block devices in desktop environments that +use UDisks2 or storaged (like GNOME). + +%prep +%autosetup -S git + +%build +%meson -Duser=clevis -Dgroup=clevis +%meson_build + +%install +%meson_install + +%check +desktop-file-validate \ + %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%meson_test + +%pre +getent group %{name} >/dev/null || groupadd -r %{name} &>/dev/null +getent passwd %{name} >/dev/null || \ + useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \ + -c "Clevis Decryption Framework unprivileged user" %{name} &>/dev/null +# Add clevis user to tss group. +if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then + usermod -a -G tss %{name} &>/dev/null +fi +exit 0 + +%post systemd +systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || : + +%files +%license COPYING +%{_datadir}/bash-completion/ +%{_bindir}/%{name}-decrypt-tang +%{_bindir}/%{name}-decrypt-tpm2 +%{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt-null +%{_bindir}/%{name}-decrypt +%{_bindir}/%{name}-encrypt-tang +%{_bindir}/%{name}-encrypt-tpm2 +%{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name}-encrypt-null +%{_bindir}/%{name} +%{_mandir}/man1/%{name}-encrypt-tang.1* +%{_mandir}/man1/%{name}-encrypt-tpm2.1* +%{_mandir}/man1/%{name}-encrypt-sss.1* +%{_mandir}/man1/%{name}-decrypt.1* +%{_mandir}/man1/%{name}.1* + +%files luks +%{_mandir}/man7/%{name}-luks-unlockers.7* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-unbind.1* +%{_mandir}/man1/%{name}-luks-bind.1* +%{_mandir}/man1/%{name}-luks-list.1* +%{_mandir}/man1/%{name}-luks-pass.1* +%{_mandir}/man1/%{name}-luks-regen.1* +%{_mandir}/man1/%{name}-luks-report.1* +%{_mandir}/man1/%{name}-luks-edit.1* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-unbind +%{_bindir}/%{name}-luks-bind +%{_bindir}/%{name}-luks-common-functions +%{_bindir}/%{name}-luks-list +%{_bindir}/%{name}-luks-pass +%{_bindir}/%{name}-luks-regen +%{_bindir}/%{name}-luks-report +%{_bindir}/%{name}-luks-edit + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service + +%files dracut +%{_prefix}/lib/dracut/modules.d/60%{name} +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2 + +%files udisks2 +%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 + +%changelog +* Mon Jan 16 2023 Sergio Arroutbi - 15-14 +- luks-edit: remove unnecessary 2>/dev/null + Resolves: rhbz#2159739 + +* Wed Jan 11 2023 Sergio Arroutbi - 15-13 +- luks: define max entropy bits for pwmake + Resolves: rhbz#2159736 + +* Wed Jan 11 2023 Sergio Arroutbi - 15-12 +- Ignore empty & comment lines in crypttab + Resolves: rhbz#2159440 + +* Tue Aug 02 2022 Sergio Arroutbi - 15-11 +- Start clevis-luks-askpass.path service according to global policy + Resolves: rhbz#2107081 + +* Thu Jul 21 2022 Sergio Arroutbi - 15-10 +- Improve boot performance by removing key check + Resolves: rhbz#2099748 + +* Wed Jun 22 2022 Sergio Arroutbi - 15-9 +- Avoid invalid message for clevis command + Resolves: rhbz#2099325 + +* Wed Jan 26 2022 Sergio Correia - 15-8 +- Support a null pin + Resolves: rhbz#2028096 + +* Fri Jan 21 2022 Sergio Arroutbi - 15-7 +- Dump server information on server error communication + Resolves: rhbz#2020193 + +* Tue Jan 04 2022 Sergio Correia - 15-6 +- Explicitly specify pbkdf iterations to cryptsetup + Resolves: rhbz#1979256 + +* Wed Dec 01 2021 Sergio Correia - 15-5 +- Enable debugging in clevis scripts when rd.debug is set + Resolves: rhbz#1980742 + +* Thu Nov 25 2021 Sergio Correia - 15-4 +- Stop sending stderr to the void when decryption doesn't happen + Resolves: rhbz#1976880 + +* Thu Nov 18 2021 Sergio Correia - 15-3 +- Drop ncat dependency + Resolves: rhbz#1949289 + +* Wed Nov 17 2021 Sergio Correia - 15-2 +- Account for unlocking failures in clevis-luks-askpass + Resolves: rhbz#2018292 + +* Mon Oct 26 2020 Sergio Correia - 15-1 +- Update to latest upstream release, v15 + Resolves: rhbz#1887836 + Resolves: rhbz#1853651 + Resolves: rhbz#1874460 + +* Wed May 20 2020 Sergio Correia - 13-3 +- Add clevis luks edit command + Resolves: rhbz#1436735 + +* Mon May 18 2020 Sergio Correia - 13-2 +- Introduce -y (assume yes) argument to clevis luks bind + Resolves: rhbz#1819767 + +* Sun May 10 2020 Sergio Correia - 13-1 +- Update to new upstream release, v13 + Resolves: rhbz#1827225 + Resolves: rhbz#1827665 + Resolves: rhbz#1801556 + Resolves: rhbz#1784448 + Resolves: rhbz#1826917 + Resolves: rhbz#1812014 + +* Sun Feb 02 2020 Sergio Correia - 11-9 +- Improve clevis luks regen not to unbind+bind in every case + Resolves: rhbz#1795675 + +* Mon Jan 13 2020 Sergio Correia - 11-8 +- Use one clevis-luks-askpass per device + Resolves: rhbz#1784524 + +* Sat Nov 30 2019 Sergio Correia - 11-7 +- Add rd.neednet=1 to cmdline only if there are devices bound to tang + Resolves: rhbz#1762028 + +* Sat Nov 30 2019 Sergio Correia - 11-6 +- Add option to extract luks passphrase used for binding + Resolves: rhbz#1436780 + +* Thu Nov 28 2019 Sergio Correia - 11-5 +- Add support for listing existing PBD policies in place + Resolves: rhbz#1766526 + +* Fri Oct 18 2019 Sergio Correia - 11-4 +- Improve error message when bind is given an invalid PIN + Resolves: rhbz#1543380 + +* Wed Oct 16 2019 Sergio Correia - 11-3 +- Add clevis luks report and regen + Resolves: rhbz#1564566 + Resolves: rhbz#1564559 + +* Fri Jan 04 2019 Daniel Kopecek - 11-2 +- Check that key derivation key is available +- Delete remaining references to the removed http pin +- Install cryptsetup and tpm2_pcrlist in the initramfs +- Add device TCTI library to the initramfs + Resolves: rhbz#1648004 + Resolves: rhbz#1650246 + +* Tue Aug 14 2018 Nathaniel McCallum - 11-1 +- Update to v11 + +* Thu Jul 12 2018 Fedora Release Engineering - 10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 21 2018 Nathaniel McCallum - 10-1 +- Update to v10 + +* Tue Feb 13 2018 Nathaniel McCallum - 9-1 +- Update to v9 + +* Wed Feb 07 2018 Fedora Release Engineering - 8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Nov 13 2017 Nathaniel McCallum - 8-1 +- Update to v8 + +* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 +- Rebuild for cryptsetup-2.0.0 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 + +* Wed Aug 02 2017 Fedora Release Engineering - 6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 27 2017 Nathaniel McCallum - 6-1 +- New upstream release +- Specify unprivileged user/group during configuration +- Move clevis user/group creation to base clevis package + +* Mon Jun 26 2017 Nathaniel McCallum - 5-1 +- New upstream release +- Run clevis decryption from udisks2 under an unprivileged user + +* Wed Jun 14 2017 Nathaniel McCallum - 4-1 +- New upstream release + +* Wed Jun 14 2017 Nathaniel McCallum - 3-1 +- New upstream release + +* Fri Feb 10 2017 Fedora Release Engineering - 2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 18 2016 Nathaniel McCallum - 2-1 +- New upstream release + +* Mon Nov 14 2016 Nathaniel McCallum - 1-1 +- First release