rpms
/
clevis
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
...
pull from: rpms:cs10
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

22 changed files with 675 additions and 1126 deletions
Show Stats

2
.clevis.metadata
Unescape View File

@ -1 +1 @@
dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz 14f8ca6f130651b468c73568e236522839c104a7 SOURCES/clevis-21.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/clevis-18.tar.xz SOURCES/clevis-21.tar.xz

288
SOURCES/0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
Unescape View File

@ -0,0 +1,288 @@
From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Mon, 30 Sep 2024 11:27:57 +0200
Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
.../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
.../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
4 files changed, 74 insertions(+), 61 deletions(-)
diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
index 39d06a0..a7a6d6b 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
@@ -23,7 +23,7 @@ depends() {
}
install() {
- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
+ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index 8f4092f..b860efa 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,6 +52,7 @@ get_pkcs11_error() {
return 0
}
+
if command -v pcscd; then
echo "clevis-pkcs11: starting pcscd if not available ..."
PCSCD_PID=$(ps auxf | grep "[p]cscd")
@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
fi
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
- exit 1
-fi
-
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
-fi
-
-while [ -z "${pkcs11_device}" ]; do
- if [ "${dracut_mode}" != true ]; then
- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
- if [ -n "${module_paths}" ]; then
- modules=$(echo ${module_paths} | tr ";" "\n")
- for module in $modules; do
- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if [ -n "${pkcs11_device}" ]; then
- break;
- fi
- done
- fi
- fi
- if [ -z "${pkcs11_device}" ]; then
- if [ "${retry_mode}" == true ]; then
- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
- echo "Won't continue PKCS11 device detection"
- exit 0
- fi
- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
- if ! pkcs11-tool -O 2>/dev/null; then
- pkcs11_device=""
- echo "No objects in PKCS11 device detected"
- fi
- else
- exit 0
- fi
- fi
-done
-echo "Detected PKCS11 device:${pkcs11_device}"
-
devices_array=()
# Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
while read -r line;
@@ -126,6 +82,8 @@ do
next_device=0
errors=0
msg=""
+ # Store passphrases to send to control socket
+ systemd_device=$(echo "${line}" | awk '{print $1}')
while [ ${next_device} -ne 1 ]; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
@@ -141,15 +99,23 @@ do
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
+ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
+ # Send a wrong passphrase
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
+ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
+ echo "No PKCS11 device detected" >&2
+ exit 0
+ else
+ echo "Detected PKCS11 device:${pkcs11_device}" >&2
+ fi
# Get configuration PKCS#11 URI
uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
slot_opt=""
if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
- echo "Could not find slot for uri:${uri}"
+ echo "Could not find slot for uri:${uri}" >&2
else
slot_opt="--slot-index ${slot}"
fi
@@ -159,8 +125,9 @@ do
module_opt="--module ${module}"
fi
echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
- echo "No objects on slot:${slot}, module_opt:${module_opt}"
+ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
+ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
next_device=1
continue
fi
@@ -175,22 +142,21 @@ do
# Get key from PKCS11 pin here and feed AF_UNIX socket program
echo "${pin}" > /run/systemd/clevis-pkcs11.pin
if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
- echo "Could not unlock device:${mapped_device}"
+ echo "Could not unlock device:${mapped_device}" >&2
msg="$(get_pkcs11_error)"
((errors++))
if [ ${errors} -eq ${too_many_errors} ]; then
- echo "Too many errors !!!" 1>&2
+ echo "Too many errors !!!" >&2
next_device=1
fi
continue
fi
next_device=1
- echo "Device:${mapped_device} unlocked successfully by clevis"
+ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
if [ "${dracut_mode}" == true ]; then
echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
fi
# Store passphrases to send to control socket
- systemd_device=$(echo "${line}" | awk '{print $1}')
devices_array+=("${systemd_device},${passphrase}")
done
fi
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..24bad83 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
}
char* t = control_msg;
int is_device = 1;
- fprintf(logfile, "Received control message:[%s]\n", t);
while((t = strtok(t, ","))) {
if (is_device) {
fprintf(logfile, "Adding device:%s\n", t);
@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
static void int_handler(int s) {
if(logfile) {
- fprintf(logfile, "Closing, signal:[%d]\n", s);
+ fprintf(logfile, "Closing, received signal:[%d]\n", s);
fclose(logfile);
}
exit(EXIT_FAILURE);
@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
break;
case 'f':
strncpy(sock_file, optarg, MAX_PATH - 1);
+ unlink(sock_file);
break;
case 'k':
strncpy(key, optarg, MAX_KEY - 1);
@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
memset(&sock_addr, 0, sizeof(sock_addr));
sock_addr.sun_family = AF_UNIX;
strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
- unlink(sock_file);
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) {
perror("socket");
@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
perror("key entry send error");
goto efailure;
}
- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
- entry_key, unlocking_device);
+ fprintf(logfile, "Sending passphrase to device:[%s]\n",
+ unlocking_device);
} else {
fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
}
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 4c0629c..571a2be 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -27,6 +27,56 @@ serial_devices_array=""
URI_EXPECTED_FORMAT="pkcs11:"
DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
+clevis_detect_pkcs11_device() {
+ dracut_mode="${1:false}"
+ retry_mode="${2:false}"
+ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
+ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
+ echo ""
+ return 1
+ fi
+
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+
+ while [ -z "${pkcs11_device}" ]; do
+ if [ "${dracut_mode}" != true ]; then
+ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
+ if [ -n "${module_paths}" ]; then
+ modules=$(echo ${module_paths} | tr ";" "\n")
+ for module in $modules; do
+ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if [ -n "${pkcs11_device}" ]; then
+ break;
+ fi
+ done
+ fi
+ fi
+ if [ -z "${pkcs11_device}" ]; then
+ if [ "${retry_mode}" == true ]; then
+ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
+ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
+ echo ""
+ # Straight Forward Mode
+ return 0
+ fi
+ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
+ pkcs11_device=""
+ echo "No objects in PKCS11 device detected" >&2
+ fi
+ else
+ echo "${pkcs11_device}"
+ return 0
+ fi
+ fi
+ done
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
while read -r line; do
uuid=$(echo "${line}" | awk '{print $2}')
if ! mapped_device=$(clevis_map_device "${uuid}"); then
- echo "Could not check mapped device for UID:${uuid}"
continue
fi
# If no PKCS#11 configuration, advance to next device
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
continue
fi
# Get configuration PKCS#11 URI
--
2.46.2

47
SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
Unescape View File

@ -1,47 +0,0 @@
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 3 May 2021 22:36:36 -0300
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
Different OpenSSL versions define BN_zero() differently -- sometimes
returning an integer, sometimes as void --, so let's use instead
BN_set_word() instead, not to have issues when building with these
different versions.
---
src/pins/sss/sss.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
index a37215d..7486d6c 100644
--- a/src/pins/sss/sss.c
+++ b/src/pins/sss/sss.c
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
if (BN_rand_range(xx, pp) <= 0)
return NULL;
- if (BN_zero(yy) <= 0)
+ if (BN_set_word(yy, 0) <= 0)
return NULL;
for (size_t i = 0; i < json_array_size(e); i++) {
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
if (!ctx || !pp || !acc || !tmp || !k)
return NULL;
- if (BN_zero(k) <= 0)
+ if (BN_set_word(k, 0) <= 0)
return NULL;
len = jose_b64_dec(p, NULL, 0);
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
/* acc *= (0 - xi) / (xo - xi) */
- if (BN_zero(tmp) <= 0)
+ if (BN_set_word(tmp, 0) <= 0)
return NULL;
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
--
2.31.1

49
SOURCES/0002-Fix-potential-race-condition.patch
Unescape View File

@ -0,0 +1,49 @@
From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Fri, 27 Sep 2024 12:12:48 +0200
Subject: [PATCH] Fix potential race condition
Guard the modification of "entry_counter" and the read
used to decide whether to modify "entry_counter" with the
same set of locks
Resolves: #478
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
---
src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
index a6ecc63..b1e2004 100644
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
}
static void insert_device(const char* dev) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
pthread_mutex_unlock(&mutex);
}
static void insert_key(const char* key) {
+ pthread_mutex_lock(&mutex);
if(MAX_ENTRIES == entry_counter) {
+ pthread_mutex_unlock(&mutex);
perror("No more entries accepted\n");
return;
}
- pthread_mutex_lock(&mutex);
strncpy(keys[entry_counter++].key, key, MAX_KEY);
pthread_mutex_unlock(&mutex);
}
--
2.46.2

41
SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Unescape View File

@ -1,41 +0,0 @@
From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Fri, 29 Oct 2021 12:04:46 -0300
Subject: [PATCH 2/2] systemd: account for unlocking failures in
clevis-luks-askpass (#343)
As unlock may fail for some reason, e.g. the network is not up yet,
one way cause problems would be to add extra `rd.luks.uuid' params
to the cmdline, which would then cause such devices to be unlocked
in early boot. If the unlocking fail, those devices might not be
accounted for in the clevis_devices_to_unlock() check, as it is
based on crypttab.
Let's make sure there are no pending ask.* sockets waiting to be
answered, before exiting.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
---
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
index 8f54859..a6699c9 100755
--- a/src/luks/systemd/clevis-luks-askpass.in
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -67,8 +67,11 @@ while true; do
done
[ "${loop}" != true ] && break
+
# Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
break;
fi
--
2.33.1

110
SOURCES/0003-Fix-to-start-pcscd-appropriately.patch
Unescape View File

@ -0,0 +1,110 @@
From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Wed, 9 Oct 2024 12:15:18 +0200
Subject: [PATCH] Fix to start pcscd appropriately
diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
index 01a3062..9922bbc 100755
--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
+++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
@@ -16,9 +16,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+. /usr/bin/clevis-pkcs11-common
+
if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
then
- pcscd --disable-polkit
- echo "" > /run/systemd/clevis-pkcs11.run
- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
+ clevis_start_pcscd_server
+ echo "" > /run/systemd/clevis-pkcs11.run
+ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
fi
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
index b860efa..468ca3c 100755
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
@@ -52,22 +52,7 @@ get_pkcs11_error() {
return 0
}
-
-if command -v pcscd; then
- echo "clevis-pkcs11: starting pcscd if not available ..."
- PCSCD_PID=$(ps auxf | grep "[p]cscd")
- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
- if ! ps auxf | grep "[p]cscd";
- then
- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
- pcscd --disable-polkit
- else
- echo "clevis-pkcs11: starting pcscd ..."
- pcscd
- fi
- fi
-fi
+clevis_start_pcscd_server
if [ "${dracut_mode}" != true ]; then
pkcs11-tool -L
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
index 571a2be..c7f2a58 100755
--- a/src/pins/pkcs11/clevis-pkcs11-common
+++ b/src/pins/pkcs11/clevis-pkcs11-common
@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
done
}
+clevis_start_pcscd_server() {
+ if command -v pcscd; then
+ echo "clevis-pkcs11: starting pcscd if not available ..."
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
+ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
+ if ! ps auxf | grep "[p]cscd";
+ then
+ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
+ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
+ pcscd --disable-polkit
+ else
+ echo "clevis-pkcs11: starting pcscd ..."
+ pcscd
+ fi
+ fi
+ fi
+}
+
clevis_parse_devices_array() {
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
counter=0
diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
index 94e1548..c876ca4 100755
--- a/src/pins/pkcs11/tests/pin-pkcs11
+++ b/src/pins/pkcs11/tests/pin-pkcs11
@@ -20,6 +20,7 @@
. pkcs11-common-tests
. tests-common-functions
. clevis-luks-common-functions
+. clevis-pkcs11-common
on_exit() {
exit_status=$?
@@ -150,5 +151,16 @@ then
(${WRONGCFG})"
fi
+if command -v ps && command -v killall; then
+ if ! clevis_start_pcscd_server;
+ then
+ error "${TEST}: Could not start pcscd server"
+ fi
+ if ! killall -9 pcscd;
+ then
+ error "${TEST}: Could not kill pcscd server"
+ fi
+fi
+
softhsm_lib_cleanup
test "$?" == 0

49
SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
Unescape View File

@ -1,49 +0,0 @@
From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Thu, 21 Oct 2021 13:58:52 +0200
Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has not much memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-common-functions.in | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d53d2ab..360eb7e 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1

65
SOURCES/0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
Unescape View File

@ -0,0 +1,65 @@
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -58,7 +58,7 @@
echo
echo " key: <string> Algorithm type for the generated key (default: ecc)"
echo
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
echo
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
echo
@@ -130,7 +130,15 @@
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
+ if ! pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
+ END {exit !found}'); then
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
+ exit 1
+ fi
+}
# Trim the spaces from the config, so that we will not have issues parsing
# the PCR IDs.
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
@@ -91,13 +91,17 @@
- *symcipher*
* *pcr_bank* (string) :
- PCR algorithm bank to use for policy (default: sha1)
+ PCR algorithm bank to use for policy (default: first supported by TPM)
- It must be one of the following:
+ Examples of PCR algorithm banks, support depends on TPM chip:
- *sha1*
- *sha256*
+ For the full list of algorithms supported by the TPM chip check output of
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
+ numbers.
+
* *pcr_ids* (string) :
Comma separated list of PCR used for policy. If not present, no policy is used
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
@@ -142,8 +142,10 @@
# arrays and check if we get the expected pcr_ids.
# Let's first make sure this would be a valid configuration.
-_default_pcr_bank="sha1"
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
+_default_pcr_bank=$(tpm2_getcap pcrs |
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1

36
SOURCES/0005-Include-tpm2_getcap-as-dracut-required-binary.patch
Unescape View File

@ -0,0 +1,36 @@
From fc371d25a72806109e9a5c0205d67ba2232a6f17 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 20 Nov 2024 18:45:56 +0100
Subject: [PATCH] Include tpm2_getcap as dracut required binary
---
src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
index 5ff0640..723df7a 100755
--- a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
@@ -19,7 +19,8 @@
#
check() {
- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal || return 1
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
+ tpm2_load tpm2_unseal tpm2_pcrread tpm2_getcap || return 1
require_any_binary tpm2_pcrread tpm2_pcrlist || return 1
return 0
}
@@ -30,7 +31,8 @@ depends() {
}
install() {
- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
+ tpm2_load tpm2_unseal tpm2_getcap
inst_multiple -o tpm2_pcrread tpm2_pcrlist
inst_libdir_file "libtss2-tcti-device.so*"
}
--
2.47.0

16
SOURCES/0005-tang-dump-url-on-error-communication.patch
Unescape View File

@ -1,16 +0,0 @@
--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100
@@ -99,10 +99,10 @@
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
-url="$url/rec/$kid"
+rec_url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
- echo "Error communicating with the server!" >&2
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
+ echo "Error communicating with the server $url" >&2
exit 1
fi

213
SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch
Unescape View File

@ -1,213 +0,0 @@
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
From: Antonio Murdaca <runcom@linux.com>
Date: Wed, 1 Dec 2021 14:17:53 +0100
Subject: [PATCH 6/6] feat: rename the test pin to null pin
Signed-off-by: Antonio Murdaca <runcom@linux.com>
---
src/initramfs-tools/hooks/clevis.in | 1 +
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
src/luks/systemd/dracut/meson.build | 1 +
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
src/pins/sss/meson.build | 5 +++-
src/pins/sss/{pin-test => pin-null} | 4 +--
src/pins/sss/pin-sss | 12 ++++----
9 files changed, 60 insertions(+), 13 deletions(-)
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
rename src/pins/sss/{pin-test => pin-null} (53%)
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
index 7e6d2b3..8d60d05 100755
--- a/src/initramfs-tools/hooks/clevis.in
+++ b/src/initramfs-tools/hooks/clevis.in
@@ -58,6 +58,7 @@ fi
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
new file mode 100644
index 0000000..107e3ba
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
@@ -0,0 +1,14 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
+
+ configure_file(
+ input: 'module-setup.sh.in',
+ output: 'module-setup.sh',
+ install_dir: dracutdir,
+ configuration: data,
+ )
+else
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
+endif
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
new file mode 100755
index 0000000..6a16078
--- /dev/null
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+ echo clevis
+ return 0
+}
+
+install() {
+ inst clevis-decrypt-null
+}
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
index fdb264b..7ad5b14 100644
--- a/src/luks/systemd/dracut/meson.build
+++ b/src/luks/systemd/dracut/meson.build
@@ -2,3 +2,4 @@ subdir('clevis')
subdir('clevis-pin-tang')
subdir('clevis-pin-tpm2')
subdir('clevis-pin-sss')
+subdir('clevis-pin-null')
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
similarity index 88%
rename from src/pins/sss/clevis-decrypt-test
rename to src/pins/sss/clevis-decrypt-null
index f0e9249..a6217ed 100755
--- a/src/pins/sss/clevis-decrypt-test
+++ b/src/pins/sss/clevis-decrypt-null
@@ -22,11 +22,11 @@
read -r -d . hdr
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
echo "JWE pin mismatch!" >&2
exit 1
fi
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
similarity index 90%
rename from src/pins/sss/clevis-encrypt-test
rename to src/pins/sss/clevis-encrypt-null
index bd2d6ec..af182a5 100755
--- a/src/pins/sss/clevis-encrypt-test
+++ b/src/pins/sss/clevis-encrypt-null
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
fi
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
if ! jose fmt -j "$cfg" -g fail -T; then
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
fi
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
index 7f20eea..2a5295a 100644
--- a/src/pins/sss/meson.build
+++ b/src/pins/sss/meson.build
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
separator: ':'
)
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
+
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
else
warning('Will not install sss pin due to missing dependencies!')
endif
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
similarity index 53%
rename from src/pins/sss/pin-test
rename to src/pins/sss/pin-null
index 50c8c67..b14ac63 100755
--- a/src/pins/sss/pin-test
+++ b/src/pins/sss/pin-null
@@ -2,9 +2,9 @@
trap 'exit' ERR
-e="$(echo -n hi | clevis encrypt test '{}')"
+e="$(echo -n hi | clevis encrypt null '{}')"
d="$(echo -n "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
! echo "$e" | clevis decrypt
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
index 5c0b8cf..24da052 100755
--- a/src/pins/sss/pin-sss
+++ b/src/pins/sss/pin-sss
@@ -1,24 +1,24 @@
#!/bin/bash -ex
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
d="$(echo "$e" | clevis decrypt)"
test "$d" == "hi"
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
! echo "$e" | clevis decrypt
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
--
2.33.1

25
SOURCES/0007-avoid-clevis-invalid-msg.patch
Unescape View File

@ -1,25 +0,0 @@
--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200
@@ -27,6 +27,8 @@
}
cmd=clevis
+input_commands="$cmd $@"
+
while [ $# -gt 0 ]; do
[[ "$1" =~ ^- ]] && break
cmd="$cmd-$1"
@@ -36,8 +38,11 @@
done
exec >&2
-echo
-echo "Command '$cmd' is invalid"
+if [ "$cmd" != "clevis" ];
+then
+ echo
+ echo "Command '$input_commands' is invalid"
+fi
echo
echo "Usage: clevis COMMAND [OPTIONS]"
echo

54
SOURCES/0008-Improve-boot-performance-by-removing-key-check.patch
Unescape View File

@ -1,54 +0,0 @@
From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue, 2 Aug 2022 09:25:54 -0300
Subject: [PATCH] Improve boot performance by removing key check
---
src/luks/clevis-luks-common-functions.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index f018340..d059aae 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() {
clevis_luks_unlock_device_by_slot() {
local DEV="${1}"
local SLT="${2}"
+ local SKIP_CHECK="${3}"
[ -z "${DEV}" ] && return 1
[ -z "${SLT}" ] && return 1
@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() {
|| [ -z "${passphrase}" ]; then
return 1
fi
-
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ if [ -z "${SKIP_CHECK}" ]; then
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
+ fi
printf '%s' "${passphrase}"
}
@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() {
# parameter and returns the decoded passphrase.
clevis_luks_unlock_device() {
local DEV="${1}"
+ local SKIP_CHECK="YES"
+
[ -z "${DEV}" ] && return 1
local used_slots
@@ -346,7 +350,7 @@ clevis_luks_unlock_device() {
local slt pt
for slt in ${used_slots}; do
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|| [ -z "${pt}" ]; then
continue
fi
--
2.35.1

45
SOURCES/0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Unescape View File

@ -1,45 +0,0 @@
From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
<1163635+rmetrich@users.noreply.github.com>
Date: Wed, 1 Dec 2021 09:37:35 -0300
Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set
(#340)
On Fedora/RHEL, the rd.debug kernel command line parameter controls
debugging.
By implementing the functionality inside clevis, troubleshooting will be
greatly eased.
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
---
src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index d059aae..87b370f 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -20,6 +20,21 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+enable_debugging() {
+ # Automatically enable debugging if in initramfs phase and rd.debug
+ if [ -e /usr/lib/dracut-lib.sh ]; then
+ local bashopts=$-
+ # Because dracut is loosely written, disable hardening options temporarily
+ [[ $bashopts != *u* ]] || set +u
+ [[ $bashopts != *e* ]] || set +e
+ . /usr/lib/dracut-lib.sh
+ [[ $bashopts != *u* ]] || set -u
+ [[ $bashopts != *e* ]] || set -e
+ fi
+}
+
+enable_debugging
+
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
# is a numeric value within the specified range.
valid_slot() {
--
2.35.1

385
SOURCES/0010-existing-luks2-token-id.patch
Unescape View File

@ -1,385 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100
@@ -25,7 +25,7 @@
usage() {
exec >&2
echo
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
echo
echo "$SUMMARY":
echo
@@ -42,6 +42,8 @@
echo " -k KEY Non-interactively read LUKS password from KEY file"
echo " -k - Non-interactively read LUKS password from standard input"
echo
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
+ echo
exit 2
}
@@ -52,13 +54,14 @@
FRC=
YES=
-while getopts ":hfyd:s:k:t:" o; do
+while getopts ":hfyd:s:k:t:e:" o; do
case "$o" in
f) FRC='-f';;
d) DEV="$OPTARG";;
s) SLT="$OPTARG";;
k) KEY="$OPTARG";;
t) TOKEN_ID="$OPTARG";;
+ e) EXISTING_TOKEN_ID="$OPTARG";;
y) FRC='-f'
YES='-y';;
*) usage;;
@@ -99,11 +102,20 @@
exit 1
fi
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
+ echo "Existing token ID not supported in this cryptsetup version" >&2
+ exit 1
+fi
+
# Get the existing passphrase/keyfile.
existing_key=
keyfile=
case "${KEY}" in
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
+ "")
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
+ fi
+ ;;
-) IFS= read -r -s -p "" existing_key ||:
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
&& [ -z "${FRC}" ]; then
@@ -119,6 +131,13 @@
;;
esac
+# Check if existing token id for keyring read is provided
+# If so, keyfile is not allowed
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
+ echo "Cannot specify kernel keyring description together with key file" >&2
+ exit 1
+fi
+
# If necessary, initialize the LUKS volume.
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
luksmeta init -d "${DEV}" ${FRC}
@@ -127,7 +146,7 @@
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
"${PIN}" "${CFG}" \
"${YES}" "" \
- "${existing_key}" "${keyfile}"; then
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
echo "Error adding new binding to ${DEV}" >&2
exit 1
fi
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100
@@ -9,7 +9,7 @@
== SYNOPSIS
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
== OVERVIEW
@@ -54,6 +54,12 @@
* *-k* - :
Non-interactively read LUKS password from standard input
+* *-e* _E_TKN_ID_ :
+ LUKS token ID for existing passphrase; only available for LUKS2.
+ This parameter allows providing a configured token ID in LUKS2
+ containing the existing passphrase for this device, so that
+ existing passphrase is not prompted by clevis
+
== CAVEATS
This command does not change the LUKS master key. This implies that if you
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100
@@ -307,9 +307,10 @@
local KEY="${2:-}"
local KEYFILE="${3:-}"
local SLT="${4:-}"
+ local EXISTING_TOKEN_ID="${5:-}"
[ -z "${DEV}" ] && return 1
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
local extra_args
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
@@ -318,6 +319,11 @@
${extra_args}
return
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
+ ${extra_args}
+ return
+ fi
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
${extra_args}
@@ -753,10 +759,11 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
local extra_args='' input
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
@@ -764,6 +771,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
@@ -780,6 +791,7 @@
local NEWKEY="${3}"
local KEY="${4}"
local KEYFILE="${5:-}"
+ local EXISTING_TOKEN_ID="${6:-}"
[ -z "${DEV}" ] && return 1
[ -z "${NEWKEY}" ] && return 1
@@ -789,7 +801,7 @@
local in_place
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" "${KEYFILE}" \
- "${SLT}" 2>/dev/null \
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
&& in_place=true
local input extra_args=
@@ -798,6 +810,10 @@
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
@@ -844,13 +860,13 @@
[ -n "${OVERWRITE}" ] || return 1
clevis_luks_update_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
return
fi
# Add a new key.
clevis_luks_add_key "${DEV}" "${SLT}" \
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
}
# clevis_luks_generate_key() generates a new key for use with clevis.
@@ -942,6 +958,7 @@
local OVERWRITE="${7:-}"
local KEY="${8:-}"
local KEYFILE="${9:-}"
+ local EXISTING_TOKEN_ID="${10:-}"
[ -z "${DEV}" ] && return 1
[ -z "${PIN}" ] && return 1
@@ -951,6 +968,8 @@
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
"${KEY}" \
"${KEYFILE}" \
+ "" \
+ "${EXISTING_TOKEN_ID}" \
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
"Enter existing LUKS password: " \
"recover")"; then
@@ -995,7 +1014,7 @@
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
"${newkey}" "${KEY}" "${KEYFILE}" \
- "${OVERWRITE}"; then
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
echo "Unable to save/update key slot; operation cancelled" >&2
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
rm -rf "${CLEVIS_TMP_DIR}"
@@ -1016,12 +1035,19 @@
}
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
-# Suppor is determined at build time.
+# Support is determined at build time.
function clevis_luks_luks2_supported() {
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
return @OLD_CRYPTSETUP@
}
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
+# cryptsetup allows token id for passphrase providing
+function clevis_luks_luks2_existing_token_id_supported() {
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
clevis_luks_type() {
local DEV="${1}"
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100
@@ -14,6 +14,15 @@
endif
endif
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
+if libcryptsetup_ext_token_id.found()
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
+ message('cryptsetup version supports existing token id')
+else
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
+ warning('cryptsetup version does not support existing token id')
+endif
+
clevis_luks_common_functions = configure_file(
input: 'clevis-luks-common-functions.in',
output: 'clevis-luks-common-functions',
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
+++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100
@@ -0,0 +1,74 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2022 Red Hat, Inc.
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+create_existing_token_id_from_keyring() {
+ local DEV="${1}"
+ local KEYDESC="${2}"
+ local TOKEN_ID="${3}"
+ local PASS="${4}"
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
+ return 1
+ fi
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
+}
+
+if ! luks2_supported; then
+ skip_test "${TEST}: LUKS2 is not supported."
+fi
+
+if ! luks2_existing_token_id_supported; then
+ skip_test "${TEST}: Existing token ID not supported"
+fi
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+tang_create_adv "${TMP}" "${ADV}"
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
+
+EXISTING_TOKEN_ID=5
+KEYDESC="testkey"
+PASS="123exttokenid_"
+DEV="${TMP}/luks2-device-ext-token"
+new_device "luks2" "${DEV}" "${PASS}"
+
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
+
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
+fi
+
+KEYFILE="${TMP}/keyfile.txt"
+touch "${KEYFILE}"
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
+fi
--- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100
@@ -5,6 +5,15 @@
# given token slot.
cryptsetup = find_program('cryptsetup', required: true)
+# Use keyctl to check an existing token id can be created from
+# kernel keyring password
+keyutils = find_program('keyctl', required: false)
+if keyutils.found()
+ message('keyutils installed')
+else
+ warning('keyutils not installed, unable to test existing token id binding')
+endif
+
common_functions = configure_file(input: 'tests-common-functions.in',
output: 'tests-common-functions',
configuration: luksmeta_data,
@@ -69,6 +78,10 @@
test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
+ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0'
+ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60)
+ endif
+
if jq.found()
test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
+++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100
@@ -36,6 +36,12 @@
return @OLD_CRYPTSETUP@
}
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
+# Support is determined at build time.
+luks2_existing_token_id_supported() {
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
+}
+
# Creates a new LUKS1 or LUKS2 device to be used.
new_device() {
local LUKS="${1}"

16
SOURCES/0011-ignore-empty-and-comment-lines-in-crypttab.patch
Unescape View File

@ -1,16 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100
@@ -418,7 +418,12 @@
clevis_devices=
# Build list of devices to unlock.
- while read -r _ crypt_device _; do
+ while read -r _volname_ crypt_device _; do
+ # skip empty lines and lines which begin with the '#' char, per
+ # crypttab(5)
+ case $_volname_ in
+ ''|\#*) continue ;;
+ esac
if ! dev=$(clevis_map_device "${crypt_device}") \
|| [ -z "${dev}" ]; then
# Unable to get the device - maybe it's not available, e.g. a

42
SOURCES/0012-luks-define-max-entropy-bits-for-pwmake.patch
Unescape View File

@ -1,42 +0,0 @@
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
@@ -101,7 +101,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
@@ -20,7 +20,7 @@
This command performs four steps:
-1. Creates a new key with the same entropy as the LUKS master key.
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
2. Encrypts the new key with Clevis.
3. Stores the Clevis JWE in the LUKS header.
4. Enables the new key for use with LUKS.
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
@@ -875,6 +875,7 @@
[ -z "${DEV}" ] && return 1
local dump filter bits
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
dump=$(cryptsetup luksDump "${DEV}")
if cryptsetup isLuks --type luks1 "${DEV}"; then
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
@@ -886,6 +887,9 @@
fi
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
+ bits="${MAX_ENTROPY_BITS}"
+ fi
pwmake "${bits}"
}

11
SOURCES/0013-luks-edit-remove-unnecessary-redirection.patch
Unescape View File

@ -1,11 +0,0 @@
--- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
+++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100
@@ -173,7 +173,7 @@
echo "Updating binding..."
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
- "-y" "overwrite" 2>/dev/null; then
+ "-y" "overwrite"; then
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
exit 1
fi

98
SOURCES/0014-remove-pwmake-for-password-generation.patch
Unescape View File

@ -1,98 +0,0 @@
--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
@@ -1,7 +1,6 @@
luksmeta_data = configuration_data()
luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
if libcryptsetup.found()
@@ -33,7 +32,7 @@
output: 'clevis-luks-unbind',
configuration: luksmeta_data)
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
subdir('systemd')
subdir('udisks2')
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
@@ -20,6 +20,11 @@
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
enable_debugging() {
# Automatically enable debugging if in initramfs phase and rd.debug
if [ -e /usr/lib/dracut-lib.sh ]; then
@@ -782,7 +787,7 @@
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
${pbkdf_args} \
@@ -812,11 +817,11 @@
local input extra_args=
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
if [ -n "${KEYFILE}" ]; then
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
if [ -n "${EXISTING_TOKEN_ID}" ]; then
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
input="$(printf '%s' "${NEWKEY}")"
fi
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
@@ -876,26 +881,10 @@
# clevis_luks_generate_key() generates a new key for use with clevis.
clevis_luks_generate_key() {
- local DEV="${1}"
- [ -z "${DEV}" ] && return 1
-
- local dump filter bits
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
- dump=$(cryptsetup luksDump "${DEV}")
- if cryptsetup isLuks --type luks1 "${DEV}"; then
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
- filter="$(echo -n "${dump}" | \
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
- else
- return 1
- fi
-
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
- bits="${MAX_ENTROPY_BITS}"
- fi
- pwmake "${bits}"
+ local input
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+ jose jwk gen --input="${input}" --output=- \
+ | jose fmt --json=- --object --get k --unquote=-
}
# clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -986,8 +975,8 @@
fi
local newkey jwe
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
- || [ -z "${newkey}" ]; then
+
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
echo "Unable to generate a new key" >&2
return 1
fi

2
SOURCES/clevis.sysusers
Unescape View File

@ -1 +1 @@
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -

205
SPECS/clevis.spec
Unescape View File

@ -1,26 +1,28 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 7;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
Name: clevis Name: clevis
Version: 18 Version: 21
Release: 112%{?dist} Release: %autorelease
Summary: Automated decryption framework Summary: Automated decryption framework
License: GPLv3+ License: GPL-3.0-or-later
URL: https://github.com/latchset/%{name} URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
Source1: clevis.sysusers Source1: clevis.sysusers
Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch Patch0: 0001-PKCS-11-pin-fix-dracut-for-unconfigured-device.patch
Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch Patch1: 0002-Fix-potential-race-condition.patch
Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch Patch2: 0003-Fix-to-start-pcscd-appropriately.patch
Patch0005: 0005-tang-dump-url-on-error-communication.patch Patch3: 0004-tpm2-use-first-pcr-algorithm-bank-supported-by.patch
Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch Patch4: 0005-Include-tpm2_getcap-as-dracut-required-binary.patch
Patch0007: 0007-avoid-clevis-invalid-msg.patch
Patch0008: 0008-Improve-boot-performance-by-removing-key-check.patch
Patch0009: 0009-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
Patch0010: 0010-existing-luks2-token-id.patch
Patch0011: 0011-ignore-empty-and-comment-lines-in-crypttab.patch
Patch0012: 0012-luks-define-max-entropy-bits-for-pwmake.patch
Patch0013: 0013-luks-edit-remove-unnecessary-redirection.patch
Patch0014: 0014-remove-pwmake-for-password-generation.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gcc BuildRequires: gcc
@ -48,6 +50,8 @@ BuildRequires: openssl
BuildRequires: diffutils BuildRequires: diffutils
BuildRequires: cryptsetup BuildRequires: cryptsetup
BuildRequires: jq BuildRequires: jq
BuildRequires: pcsc-lite
BuildRequires: opensc
Requires: tpm2-tools >= 4.0.0 Requires: tpm2-tools >= 4.0.0
Requires: coreutils Requires: coreutils
@ -56,6 +60,7 @@ Requires: curl
Requires: jq Requires: jq
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd Requires(post): systemd
Requires: clevis-pin-tpm2
%description %description
Clevis is a framework for automated decryption. It allows you to encrypt Clevis is a framework for automated decryption. It allows you to encrypt
@ -65,8 +70,8 @@ occur automatically.
The clevis package provides basic encryption/decryption policy support. The clevis package provides basic encryption/decryption policy support.
Users can use this directly; but most commonly, it will be used as a Users can use this directly; but most commonly, it will be used as a
building block for other packages. For example, see the clevis-luks building block for other packages. For example, see the clevis-luks
and clevis-dracut packages for automatic root volume unlocking of LUKSv1 and clevis-dracut packages for automatic root volume unlocking of
volumes during early boot. LUKSv1/LUKSv2 volumes during early boot.
%package luks %package luks
Summary: LUKS integration for clevis Summary: LUKS integration for clevis
@ -115,6 +120,17 @@ Requires: %{name}-luks%{?_isa} = %{version}-%{release}
Automatically unlocks LUKS block devices in desktop environments that Automatically unlocks LUKS block devices in desktop environments that
use UDisks2 or storaged (like GNOME). use UDisks2 or storaged (like GNOME).
%package pin-pkcs11
Summary: PKCS#11 for clevis
Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: %{name}-luks%{?_isa} = %{version}-%{release}
Requires: %{name}-dracut%{?_isa} = %{version}-%{release}
Requires: pcsc-lite
Requires: opensc
%description pin-pkcs11
Automatically unlocks LUKS block devices through a PKCS#11 device.
%prep %prep
%autosetup -S git %autosetup -S git
@ -139,9 +155,6 @@ if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
fi fi
exit 0 exit 0
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files %files
%license COPYING %license COPYING
%{_datadir}/bash-completion/ %{_datadir}/bash-completion/
@ -184,6 +197,7 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%files systemd %files systemd
%{_libexecdir}/%{name}-luks-askpass %{_libexecdir}/%{name}-luks-askpass
%{_libexecdir}/%{name}-luks-unlocker
%{_unitdir}/%{name}-luks-askpass.path %{_unitdir}/%{name}-luks-askpass.path
%{_unitdir}/%{name}-luks-askpass.service %{_unitdir}/%{name}-luks-askpass.service
@ -194,93 +208,120 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
%files pin-pkcs11
%{_libexecdir}/%{name}-luks-pkcs11-askpass
%{_libexecdir}/%{name}-luks-pkcs11-askpin
%{_bindir}/%{name}-decrypt-pkcs11
%{_bindir}/%{name}-encrypt-pkcs11
%{_bindir}/%{name}-pkcs11-afunix-socket-unlock
%{_bindir}/%{name}-pkcs11-common
%{_unitdir}/%{name}-luks-pkcs11-askpass.service
%{_unitdir}/%{name}-luks-pkcs11-askpass.socket
%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/module-setup.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
%{_prefix}/lib/dracut/modules.d/60%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
%files udisks2 %files udisks2
%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop %{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%post systemd
systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
%changelog %changelog
* Thu Jun 1 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-112 ## START: Generated by rpmautospec
- Remove pwmake for password generation * Fri Nov 22 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-7
Resolves: rhbz#2207488 - Include tpm2_getcap as dracut required binary
* Thu May 4 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-111 * Tue Nov 05 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-6
- Fix changelog to correct versions - TPM2 use first PCR algorithm bank supported by TPM
Resolves: rhbz#2180451
* Wed Jan 25 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-110 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 21-5
- luks-edit: remove unnecessary 2>/dev/null - Bump release for October 2024 mass rebuild:
Resolves: rhbz#2159738
* Fri Jan 13 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-109 * Fri Oct 18 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-4
- luks: define max entropy bits for pwmake - Split PKCS#11 files into clevis-pin-pkcs11 package
Resolves: rhbz#2159735
* Thu Jan 12 2023 Sergio Arroutbi <sarroutb@redhat.com> - 18-108 * Wed Oct 09 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-3
- Ignore empty & comment lines in crypttab - Fix clevis v21 tang functionality at boot time
Resolves: rhbz#2159728
* Tue Dec 13 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-107 * Tue Oct 01 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-2
- Add existing token id parameter - Fix clevis v21 tang functionality at boot time
Resolves: rhbz#2126533
* Tue Aug 02 2022 Sergio Correia <scorreia@redhat.com> - 18-106 * Thu Sep 26 2024 Sergio Arroutbi <sarroutb@redhat.com> - 21-1
- Enable debugging in clevis scripts when rd.debug is set - Rebase to clevis-21 upstream version
Resolves: rhbz#2022420
* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-105 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 20-4
- Start clevis-luks-askpass.path service according to global policy - Bump release for June 2024 mass rebuild
Resolves: rhbz#2107078
* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-104 * Wed May 22 2024 koncpa <pkoncity@redhat.com> - 20-3
- Improve boot performance by removing key check - Update name of passing set ot tests in gating
Resolves: rhbz#2099701
* Mon Jun 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-103 * Tue May 21 2024 koncpa <pkoncity@redhat.com> - 20-2
- Avoid invalid message for clevis command - Enable RHEL gating for clevis
Resolves: rhbz#2080281
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-102 * Tue May 21 2024 Sergio Arroutbi <sarroutb@redhat.com> - 20-1
- Support a null pin - Rebase to clevis-20 upstream version
Resolves: rhbz#2028091
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 19-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 19-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 31 2023 Sergio Arroutbi <sarroutb@redhat.com> - 19-3
- Migrate to SPDX like licensing
* Tue Feb 28 2023 Sergio Arroutbi <sarroutb@redhat.com> - 19-2
- Include LUKSv2 volumes in description
* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-101 * Thu Feb 02 2023 Sergio Correia <scorreia@redhat.com> - 19-1
- Revert "Enable debugging in clevis scripts when rd.debug is set" - Update to latest upstream version, v19
Related: rhbz#2022420
* Thu Jan 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-100 * Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 18-16
- Dump server information on server error communication - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Resolves: rhbz#2022423
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-7 * Fri Dec 16 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-15
- Explicitly specify pbkdf iterations to cryptsetup - Backport upstream fixes
Resolves: rhbz#2022416
* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-6 * Fri Aug 05 2022 Luca BRUNO <lucab@lucabruno.net> - 18-10
- Enable debugging in clevis scripts when rd.debug is set - Simplify sysusers.d fragment by using default 'nologin' shell
Resolves: rhbz#2022420
* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5 * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-9
- Account for unlocking failures in clevis-luks-askpass - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Resolves: rhbz#2022421
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4 * Fri Jul 8 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Support a null pin
Related: rhbz#1991688
* Tue Jun 28 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-7
Start clevis-luks-askpass.patch service according to global policy
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 18-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 18-3 * Fri Oct 29 2021 Sergio Correia <scorreia@redhat.com> - 18-5
- Rebuilt for RHEL 9 BETA for openssl 3.0 Account for unlocking failures in clevis-luks-askpass
Related: rhbz#1971065 Resolves: rhbz#1878892
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 18-4
- Rebuilt with OpenSSL 3.0.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 18-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2 * Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
- Port to OpenSSL 3 - Port to OpenSSL 3
Resolves: rhbz#1956760 Backport of upstream commit (ee1dfedb)
* Tue May 04 2021 Sergio Correia <scorreia@redhat.com> - 18-1 * Thu Apr 15 2021 Sergio Correia <scorreia@redhat.com> - 18-1
- Update to new clevis upstream release, v18 - Update to new clevis upstream release, v18.
Resolves: rhbz#1956760
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 16-3 * Wed Apr 14 2021 Sergio Correia <scorreia@redhat.com> - 17-1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Update to new clevis upstream release, v17.
* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2 * Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20 - Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
@ -433,3 +474,5 @@ systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1 * Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
- First release - First release
## END: Generated by rpmautospec

Write Preview
Loading…
Cancel
Save