Compare commits
No commits in common. 'cs10' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
14f8ca6f130651b468c73568e236522839c104a7 SOURCES/clevis-21.tar.xz
|
||||
dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz
|
||||
|
||||
@ -1 +1 @@
|
||||
SOURCES/clevis-21.tar.xz
|
||||
SOURCES/clevis-18.tar.xz
|
||||
|
||||
@ -1,288 +0,0 @@
|
||||
From 691b4136d6077ed7b079a38459b6844dbc584776 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
Date: Mon, 30 Sep 2024 11:27:57 +0200
|
||||
Subject: [PATCH] PKCS#11 pin: fix dracut for unconfigured device
|
||||
|
||||
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
---
|
||||
.../clevis-pin-pkcs11/module-setup.sh.in | 2 +-
|
||||
src/luks/systemd/clevis-luks-pkcs11-askpin.in | 72 +++++--------------
|
||||
.../clevis-pkcs11-afunix-socket-unlock.c | 9 ++-
|
||||
src/pins/pkcs11/clevis-pkcs11-common | 52 +++++++++++++-
|
||||
4 files changed, 74 insertions(+), 61 deletions(-)
|
||||
|
||||
diff --git a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
||||
index 39d06a0..a7a6d6b 100755
|
||||
--- a/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
||||
+++ b/src/luks/dracut/clevis-pin-pkcs11/module-setup.sh.in
|
||||
@@ -23,7 +23,7 @@ depends() {
|
||||
}
|
||||
|
||||
install() {
|
||||
- inst_hook initqueue 60 "${moddir}/clevis-pkcs11-prehook.sh"
|
||||
+ inst_hook pre-trigger 60 "${moddir}/clevis-pkcs11-prehook.sh"
|
||||
inst_hook initqueue/settled 60 "${moddir}/clevis-pkcs11-hook.sh"
|
||||
inst_hook initqueue/online 60 "${moddir}/clevis-pkcs11-hook.sh"
|
||||
|
||||
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
index 8f4092f..b860efa 100755
|
||||
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
@@ -52,6 +52,7 @@ get_pkcs11_error() {
|
||||
return 0
|
||||
}
|
||||
|
||||
+
|
||||
if command -v pcscd; then
|
||||
echo "clevis-pkcs11: starting pcscd if not available ..."
|
||||
PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
||||
@@ -72,51 +73,6 @@ if [ "${dracut_mode}" != true ]; then
|
||||
pkcs11-tool -L
|
||||
fi
|
||||
|
||||
-if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
|
||||
- awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
|
||||
- echo "No PKCS11 device detected (without module option) / pkcs11-tool error"
|
||||
- exit 1
|
||||
-fi
|
||||
-
|
||||
-if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
||||
- pkcs11_device=""
|
||||
- echo "No objects in PKCS11 device detected"
|
||||
-fi
|
||||
-
|
||||
-while [ -z "${pkcs11_device}" ]; do
|
||||
- if [ "${dracut_mode}" != true ]; then
|
||||
- module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
|
||||
- if [ -n "${module_paths}" ]; then
|
||||
- modules=$(echo ${module_paths} | tr ";" "\n")
|
||||
- for module in $modules; do
|
||||
- pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
|
||||
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
||||
- if [ -n "${pkcs11_device}" ]; then
|
||||
- break;
|
||||
- fi
|
||||
- done
|
||||
- fi
|
||||
- fi
|
||||
- if [ -z "${pkcs11_device}" ]; then
|
||||
- if [ "${retry_mode}" == true ]; then
|
||||
- option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
|
||||
- if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
|
||||
- echo "Won't continue PKCS11 device detection"
|
||||
- exit 0
|
||||
- fi
|
||||
- pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
|
||||
- | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
||||
- if ! pkcs11-tool -O 2>/dev/null; then
|
||||
- pkcs11_device=""
|
||||
- echo "No objects in PKCS11 device detected"
|
||||
- fi
|
||||
- else
|
||||
- exit 0
|
||||
- fi
|
||||
- fi
|
||||
-done
|
||||
-echo "Detected PKCS11 device:${pkcs11_device}"
|
||||
-
|
||||
devices_array=()
|
||||
# Let's analyze all entries from /etc/crypttab that contain clevis-pkcs11.sock entries
|
||||
while read -r line;
|
||||
@@ -126,6 +82,8 @@ do
|
||||
next_device=0
|
||||
errors=0
|
||||
msg=""
|
||||
+ # Store passphrases to send to control socket
|
||||
+ systemd_device=$(echo "${line}" | awk '{print $1}')
|
||||
while [ ${next_device} -ne 1 ]; do
|
||||
uuid=$(echo "${line}" | awk '{print $2}')
|
||||
if ! mapped_device=$(clevis_map_device "${uuid}"); then
|
||||
@@ -141,15 +99,23 @@ do
|
||||
fi
|
||||
# If no PKCS#11 configuration, advance to next device
|
||||
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
|
||||
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
|
||||
+ echo "Device:${mapped_device} does not contain PKCS#11 configuration" >&2
|
||||
+ # Send a wrong passphrase
|
||||
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
|
||||
next_device=1
|
||||
continue
|
||||
fi
|
||||
+ if ! pkcs11_device=$(clevis_detect_pkcs11_device "${dracut_mode}" "${retry_mode}"); then
|
||||
+ echo "No PKCS11 device detected" >&2
|
||||
+ exit 0
|
||||
+ else
|
||||
+ echo "Detected PKCS11 device:${pkcs11_device}" >&2
|
||||
+ fi
|
||||
# Get configuration PKCS#11 URI
|
||||
uri=$(clevis luks list -d "${mapped_device}" | awk -F '"uri":' '{print $2}' | awk -F '"' '{print $2}' | awk -F '"' '{print $1}')
|
||||
slot_opt=""
|
||||
if ! slot=$(clevis_get_pkcs11_final_slot_from_uri "${uri}"); then
|
||||
- echo "Could not find slot for uri:${uri}"
|
||||
+ echo "Could not find slot for uri:${uri}" >&2
|
||||
else
|
||||
slot_opt="--slot-index ${slot}"
|
||||
fi
|
||||
@@ -159,8 +125,9 @@ do
|
||||
module_opt="--module ${module}"
|
||||
fi
|
||||
echo "Device:${mapped_device}, slot_opt:${slot_opt}, module_opt:${module_opt}"
|
||||
- if ! pkcs11-tool -O ${module_opt} ${slot_opt}; then
|
||||
- echo "No objects on slot:${slot}, module_opt:${module_opt}"
|
||||
+ if ! pkcs11-tool -O ${module_opt} ${slot_opt} 2>/dev/null 1>/dev/null; then
|
||||
+ echo "No objects on slot:${slot}, module_opt:${module_opt}" >&2
|
||||
+ echo -n "${systemd_device},NOPASSWORDFOR${systemd_device}" | socat UNIX-CONNECT:/run/systemd/clevis-pkcs11.control.sock -
|
||||
next_device=1
|
||||
continue
|
||||
fi
|
||||
@@ -175,22 +142,21 @@ do
|
||||
# Get key from PKCS11 pin here and feed AF_UNIX socket program
|
||||
echo "${pin}" > /run/systemd/clevis-pkcs11.pin
|
||||
if ! passphrase=$(clevis_luks_unlock_device "${mapped_device}") || [ -z "${passphrase}" ]; then
|
||||
- echo "Could not unlock device:${mapped_device}"
|
||||
+ echo "Could not unlock device:${mapped_device}" >&2
|
||||
msg="$(get_pkcs11_error)"
|
||||
((errors++))
|
||||
if [ ${errors} -eq ${too_many_errors} ]; then
|
||||
- echo "Too many errors !!!" 1>&2
|
||||
+ echo "Too many errors !!!" >&2
|
||||
next_device=1
|
||||
fi
|
||||
continue
|
||||
fi
|
||||
next_device=1
|
||||
- echo "Device:${mapped_device} unlocked successfully by clevis"
|
||||
+ echo "Device:${mapped_device} unlocked successfully by clevis" >&2
|
||||
if [ "${dracut_mode}" == true ]; then
|
||||
echo "${mapped_device}" >> /run/systemd/clevis-pkcs11-dracut.devices
|
||||
fi
|
||||
# Store passphrases to send to control socket
|
||||
- systemd_device=$(echo "${line}" | awk '{print $1}')
|
||||
devices_array+=("${systemd_device},${passphrase}")
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
index a6ecc63..24bad83 100644
|
||||
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
@@ -146,7 +146,6 @@ static void* control_thread(void *targ) {
|
||||
}
|
||||
char* t = control_msg;
|
||||
int is_device = 1;
|
||||
- fprintf(logfile, "Received control message:[%s]\n", t);
|
||||
while((t = strtok(t, ","))) {
|
||||
if (is_device) {
|
||||
fprintf(logfile, "Adding device:%s\n", t);
|
||||
@@ -185,7 +184,7 @@ static void dump_wide_version(void) {
|
||||
|
||||
static void int_handler(int s) {
|
||||
if(logfile) {
|
||||
- fprintf(logfile, "Closing, signal:[%d]\n", s);
|
||||
+ fprintf(logfile, "Closing, received signal:[%d]\n", s);
|
||||
fclose(logfile);
|
||||
}
|
||||
exit(EXIT_FAILURE);
|
||||
@@ -222,6 +221,7 @@ int main(int argc, char* argv[]) {
|
||||
break;
|
||||
case 'f':
|
||||
strncpy(sock_file, optarg, MAX_PATH - 1);
|
||||
+ unlink(sock_file);
|
||||
break;
|
||||
case 'k':
|
||||
strncpy(key, optarg, MAX_KEY - 1);
|
||||
@@ -275,7 +275,6 @@ int main(int argc, char* argv[]) {
|
||||
memset(&sock_addr, 0, sizeof(sock_addr));
|
||||
sock_addr.sun_family = AF_UNIX;
|
||||
strncpy(sock_addr.sun_path, sock_file, sizeof(sock_addr.sun_path)-1);
|
||||
- unlink(sock_file);
|
||||
s = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (s == -1) {
|
||||
perror("socket");
|
||||
@@ -346,8 +345,8 @@ int main(int argc, char* argv[]) {
|
||||
perror("key entry send error");
|
||||
goto efailure;
|
||||
}
|
||||
- fprintf(logfile, "Sending:[%s] to device:[%s]\n",
|
||||
- entry_key, unlocking_device);
|
||||
+ fprintf(logfile, "Sending passphrase to device:[%s]\n",
|
||||
+ unlocking_device);
|
||||
} else {
|
||||
fprintf(logfile, "Device not found: [%s]\n", unlocking_device);
|
||||
}
|
||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
|
||||
index 4c0629c..571a2be 100755
|
||||
--- a/src/pins/pkcs11/clevis-pkcs11-common
|
||||
+++ b/src/pins/pkcs11/clevis-pkcs11-common
|
||||
@@ -27,6 +27,56 @@ serial_devices_array=""
|
||||
URI_EXPECTED_FORMAT="pkcs11:"
|
||||
DEFAULT_CRYPTTAB_FILE="/etc/crypttab"
|
||||
|
||||
+clevis_detect_pkcs11_device() {
|
||||
+ dracut_mode="${1:false}"
|
||||
+ retry_mode="${2:false}"
|
||||
+ if ! pkcs11_device=$(pkcs11-tool -L 2>/dev/null | grep "Slot" | head -1 | \
|
||||
+ awk -F ":" '{print $2}' | sed -e 's@^ *@@g'); then
|
||||
+ echo ""
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
||||
+ pkcs11_device=""
|
||||
+ echo "No objects in PKCS11 device detected" >&2
|
||||
+ fi
|
||||
+
|
||||
+ while [ -z "${pkcs11_device}" ]; do
|
||||
+ if [ "${dracut_mode}" != true ]; then
|
||||
+ module_paths=$(clevis_get_module_path_from_pkcs11_config "/etc/crypttab")
|
||||
+ if [ -n "${module_paths}" ]; then
|
||||
+ modules=$(echo ${module_paths} | tr ";" "\n")
|
||||
+ for module in $modules; do
|
||||
+ pkcs11_device=$(pkcs11-tool -L --module ${module} | grep "Slot" \
|
||||
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
||||
+ if [ -n "${pkcs11_device}" ]; then
|
||||
+ break;
|
||||
+ fi
|
||||
+ done
|
||||
+ fi
|
||||
+ fi
|
||||
+ if [ -z "${pkcs11_device}" ]; then
|
||||
+ if [ "${retry_mode}" == true ]; then
|
||||
+ option=$(systemd-ask-password --echo "Detected no PKCS#11 device, retry PKCS#11 detection? [yY/nN]")
|
||||
+ if [ "${option}" == "N" ] || [ "${option}" == "n" ] ; then
|
||||
+ echo ""
|
||||
+ # Straight Forward Mode
|
||||
+ return 0
|
||||
+ fi
|
||||
+ pkcs11_device=$(pkcs11-tool -L | grep "Slot" \
|
||||
+ | head -1 | awk -F ":" '{print $2}' | sed -e 's@^ *@@g')
|
||||
+ if ! pkcs11-tool -O 2>/dev/null 1>/dev/null; then
|
||||
+ pkcs11_device=""
|
||||
+ echo "No objects in PKCS11 device detected" >&2
|
||||
+ fi
|
||||
+ else
|
||||
+ echo "${pkcs11_device}"
|
||||
+ return 0
|
||||
+ fi
|
||||
+ fi
|
||||
+ done
|
||||
+}
|
||||
+
|
||||
clevis_parse_devices_array() {
|
||||
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
|
||||
counter=0
|
||||
@@ -64,12 +114,10 @@ clevis_get_module_path_from_pkcs11_config() {
|
||||
while read -r line; do
|
||||
uuid=$(echo "${line}" | awk '{print $2}')
|
||||
if ! mapped_device=$(clevis_map_device "${uuid}"); then
|
||||
- echo "Could not check mapped device for UID:${uuid}"
|
||||
continue
|
||||
fi
|
||||
# If no PKCS#11 configuration, advance to next device
|
||||
if ! clevis luks list -d "${mapped_device}" | grep pkcs11 >/dev/null 2>&1; then
|
||||
- echo "Device:${mapped_device} does not contain PKCS#11 configuration"
|
||||
continue
|
||||
fi
|
||||
# Get configuration PKCS#11 URI
|
||||
--
|
||||
2.46.2
|
||||
|
||||
@ -0,0 +1,47 @@
|
||||
From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Mon, 3 May 2021 22:36:36 -0300
|
||||
Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
|
||||
|
||||
Different OpenSSL versions define BN_zero() differently -- sometimes
|
||||
returning an integer, sometimes as void --, so let's use instead
|
||||
BN_set_word() instead, not to have issues when building with these
|
||||
different versions.
|
||||
---
|
||||
src/pins/sss/sss.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
|
||||
index a37215d..7486d6c 100644
|
||||
--- a/src/pins/sss/sss.c
|
||||
+++ b/src/pins/sss/sss.c
|
||||
@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
|
||||
if (BN_rand_range(xx, pp) <= 0)
|
||||
return NULL;
|
||||
|
||||
- if (BN_zero(yy) <= 0)
|
||||
+ if (BN_set_word(yy, 0) <= 0)
|
||||
return NULL;
|
||||
|
||||
for (size_t i = 0; i < json_array_size(e); i++) {
|
||||
@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
|
||||
if (!ctx || !pp || !acc || !tmp || !k)
|
||||
return NULL;
|
||||
|
||||
- if (BN_zero(k) <= 0)
|
||||
+ if (BN_set_word(k, 0) <= 0)
|
||||
return NULL;
|
||||
|
||||
len = jose_b64_dec(p, NULL, 0);
|
||||
@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
|
||||
|
||||
/* acc *= (0 - xi) / (xo - xi) */
|
||||
|
||||
- if (BN_zero(tmp) <= 0)
|
||||
+ if (BN_set_word(tmp, 0) <= 0)
|
||||
return NULL;
|
||||
|
||||
if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
|
||||
--
|
||||
2.31.1
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From 5feea5da42b98302006f2c82ab9c22d43779e0c8 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
Date: Fri, 27 Sep 2024 12:12:48 +0200
|
||||
Subject: [PATCH] Fix potential race condition
|
||||
|
||||
Guard the modification of "entry_counter" and the read
|
||||
used to decide whether to modify "entry_counter" with the
|
||||
same set of locks
|
||||
|
||||
Resolves: #478
|
||||
|
||||
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
---
|
||||
src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
index a6ecc63..b1e2004 100644
|
||||
--- a/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
+++ b/src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c
|
||||
@@ -70,21 +70,23 @@ get_control_socket_name(const char* file_sock, char* control_sock, uint32_t cont
|
||||
}
|
||||
|
||||
static void insert_device(const char* dev) {
|
||||
+ pthread_mutex_lock(&mutex);
|
||||
if(MAX_ENTRIES == entry_counter) {
|
||||
+ pthread_mutex_unlock(&mutex);
|
||||
perror("No more entries accepted\n");
|
||||
return;
|
||||
}
|
||||
- pthread_mutex_lock(&mutex);
|
||||
strncpy(keys[entry_counter].dev, dev, MAX_DEVICE);
|
||||
pthread_mutex_unlock(&mutex);
|
||||
}
|
||||
|
||||
static void insert_key(const char* key) {
|
||||
+ pthread_mutex_lock(&mutex);
|
||||
if(MAX_ENTRIES == entry_counter) {
|
||||
+ pthread_mutex_unlock(&mutex);
|
||||
perror("No more entries accepted\n");
|
||||
return;
|
||||
}
|
||||
- pthread_mutex_lock(&mutex);
|
||||
strncpy(keys[entry_counter++].key, key, MAX_KEY);
|
||||
pthread_mutex_unlock(&mutex);
|
||||
}
|
||||
--
|
||||
2.46.2
|
||||
|
||||
@ -0,0 +1,41 @@
|
||||
From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Fri, 29 Oct 2021 12:04:46 -0300
|
||||
Subject: [PATCH 2/2] systemd: account for unlocking failures in
|
||||
clevis-luks-askpass (#343)
|
||||
|
||||
As unlock may fail for some reason, e.g. the network is not up yet,
|
||||
one way cause problems would be to add extra `rd.luks.uuid' params
|
||||
to the cmdline, which would then cause such devices to be unlocked
|
||||
in early boot. If the unlocking fail, those devices might not be
|
||||
accounted for in the clevis_devices_to_unlock() check, as it is
|
||||
based on crypttab.
|
||||
|
||||
Let's make sure there are no pending ask.* sockets waiting to be
|
||||
answered, before exiting.
|
||||
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
|
||||
---
|
||||
src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
|
||||
index 8f54859..a6699c9 100755
|
||||
--- a/src/luks/systemd/clevis-luks-askpass.in
|
||||
+++ b/src/luks/systemd/clevis-luks-askpass.in
|
||||
@@ -67,8 +67,11 @@ while true; do
|
||||
done
|
||||
|
||||
[ "${loop}" != true ] && break
|
||||
+
|
||||
# Checking for pending devices to be unlocked.
|
||||
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
|
||||
+ remaining_crypttab=$(clevis_devices_to_unlock) ||:
|
||||
+ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
|
||||
+ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
|
||||
break;
|
||||
fi
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,110 +0,0 @@
|
||||
From c987b0a95d9ebcb310cc3b95609172a8fe31e81e Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
Date: Wed, 9 Oct 2024 12:15:18 +0200
|
||||
Subject: [PATCH] Fix to start pcscd appropriately
|
||||
|
||||
diff --git a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
||||
index 01a3062..9922bbc 100755
|
||||
--- a/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
||||
+++ b/src/luks/dracut/clevis-pin-pkcs11/clevis-pkcs11-hook.sh
|
||||
@@ -16,9 +16,11 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
+. /usr/bin/clevis-pkcs11-common
|
||||
+
|
||||
if [ ! -f /run/systemd/clevis-pkcs11.run ] && [ -d /run/systemd ];
|
||||
then
|
||||
- pcscd --disable-polkit
|
||||
- echo "" > /run/systemd/clevis-pkcs11.run
|
||||
- /usr/libexec/clevis-luks-pkcs11-askpin -d -r
|
||||
+ clevis_start_pcscd_server
|
||||
+ echo "" > /run/systemd/clevis-pkcs11.run
|
||||
+ /usr/libexec/clevis-luks-pkcs11-askpin -d -r
|
||||
fi
|
||||
diff --git a/src/luks/systemd/clevis-luks-pkcs11-askpin.in b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
index b860efa..468ca3c 100755
|
||||
--- a/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
+++ b/src/luks/systemd/clevis-luks-pkcs11-askpin.in
|
||||
@@ -52,22 +52,7 @@ get_pkcs11_error() {
|
||||
return 0
|
||||
}
|
||||
|
||||
-
|
||||
-if command -v pcscd; then
|
||||
- echo "clevis-pkcs11: starting pcscd if not available ..."
|
||||
- PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
||||
- echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
|
||||
- if ! ps auxf | grep "[p]cscd";
|
||||
- then
|
||||
- if pcscd pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
|
||||
- echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
|
||||
- pcscd --disable-polkit
|
||||
- else
|
||||
- echo "clevis-pkcs11: starting pcscd ..."
|
||||
- pcscd
|
||||
- fi
|
||||
- fi
|
||||
-fi
|
||||
+clevis_start_pcscd_server
|
||||
|
||||
if [ "${dracut_mode}" != true ]; then
|
||||
pkcs11-tool -L
|
||||
diff --git a/src/pins/pkcs11/clevis-pkcs11-common b/src/pins/pkcs11/clevis-pkcs11-common
|
||||
index 571a2be..c7f2a58 100755
|
||||
--- a/src/pins/pkcs11/clevis-pkcs11-common
|
||||
+++ b/src/pins/pkcs11/clevis-pkcs11-common
|
||||
@@ -77,6 +77,24 @@ clevis_detect_pkcs11_device() {
|
||||
done
|
||||
}
|
||||
|
||||
+clevis_start_pcscd_server() {
|
||||
+ if command -v pcscd; then
|
||||
+ echo "clevis-pkcs11: starting pcscd if not available ..."
|
||||
+ PCSCD_PID=$(ps auxf | grep "[p]cscd")
|
||||
+ echo -e "clevis-pkcs11: pcscd running?:[${PCSCD_PID}]\n"
|
||||
+ if ! ps auxf | grep "[p]cscd";
|
||||
+ then
|
||||
+ if pcscd --help | grep disable-polkit 1>/dev/null 2>/dev/null; then
|
||||
+ echo "clevis-pkcs11: starting pcscd with --disable-polkit option ..."
|
||||
+ pcscd --disable-polkit
|
||||
+ else
|
||||
+ echo "clevis-pkcs11: starting pcscd ..."
|
||||
+ pcscd
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
clevis_parse_devices_array() {
|
||||
INPUT_ARRAY=$(pkcs11-tool -L | grep Slot)
|
||||
counter=0
|
||||
diff --git a/src/pins/pkcs11/tests/pin-pkcs11 b/src/pins/pkcs11/tests/pin-pkcs11
|
||||
index 94e1548..c876ca4 100755
|
||||
--- a/src/pins/pkcs11/tests/pin-pkcs11
|
||||
+++ b/src/pins/pkcs11/tests/pin-pkcs11
|
||||
@@ -20,6 +20,7 @@
|
||||
. pkcs11-common-tests
|
||||
. tests-common-functions
|
||||
. clevis-luks-common-functions
|
||||
+. clevis-pkcs11-common
|
||||
|
||||
on_exit() {
|
||||
exit_status=$?
|
||||
@@ -150,5 +151,16 @@ then
|
||||
(${WRONGCFG})"
|
||||
fi
|
||||
|
||||
+if command -v ps && command -v killall; then
|
||||
+ if ! clevis_start_pcscd_server;
|
||||
+ then
|
||||
+ error "${TEST}: Could not start pcscd server"
|
||||
+ fi
|
||||
+ if ! killall -9 pcscd;
|
||||
+ then
|
||||
+ error "${TEST}: Could not kill pcscd server"
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
softhsm_lib_cleanup
|
||||
test "$?" == 0
|
||||
@ -0,0 +1,49 @@
|
||||
From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||
Date: Thu, 21 Oct 2021 13:58:52 +0200
|
||||
Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup
|
||||
|
||||
This fixes an Out of memory error when the system has not much memory,
|
||||
such as a VM configured with 2GB currently being installed through the
|
||||
network (hence having ~1GB free memory only).
|
||||
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
|
||||
---
|
||||
src/luks/clevis-luks-common-functions.in | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
|
||||
index d53d2ab..360eb7e 100644
|
||||
--- a/src/luks/clevis-luks-common-functions.in
|
||||
+++ b/src/luks/clevis-luks-common-functions.in
|
||||
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||
--key-slot "${SLT}" \
|
||||
"${DEV}" \
|
||||
+ ${pbkdf_args} \
|
||||
${extra_args}
|
||||
}
|
||||
|
||||
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
if [ -n "${in_place}" ]; then
|
||||
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
|
||||
--key-slot "${SLT}" \
|
||||
- --batch-mode ${extra_args}
|
||||
+ --batch-mode \
|
||||
+ ${pbkdf_args} \
|
||||
+ ${extra_args}
|
||||
return
|
||||
fi
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -1,65 +0,0 @@
|
||||
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200
|
||||
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100
|
||||
@@ -58,7 +58,7 @@
|
||||
echo
|
||||
echo " key: <string> Algorithm type for the generated key (default: ecc)"
|
||||
echo
|
||||
- echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: sha1)"
|
||||
+ echo " pcr_bank: <string> PCR algorithm bank to use for policy (default: first supported by TPM)"
|
||||
echo
|
||||
echo " pcr_ids: <string> PCR list used for policy. If not present, no policy is used"
|
||||
echo
|
||||
@@ -130,7 +130,15 @@
|
||||
|
||||
key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc"
|
||||
|
||||
-pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1"
|
||||
+pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || {
|
||||
+ if ! pcr_bank=$(tpm2_getcap pcrs |
|
||||
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
||||
+ {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit}
|
||||
+ END {exit !found}'); then
|
||||
+ echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2
|
||||
+ exit 1
|
||||
+ fi
|
||||
+}
|
||||
|
||||
# Trim the spaces from the config, so that we will not have issues parsing
|
||||
# the PCR IDs.
|
||||
--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200
|
||||
+++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100
|
||||
@@ -91,13 +91,17 @@
|
||||
- *symcipher*
|
||||
|
||||
* *pcr_bank* (string) :
|
||||
- PCR algorithm bank to use for policy (default: sha1)
|
||||
+ PCR algorithm bank to use for policy (default: first supported by TPM)
|
||||
|
||||
- It must be one of the following:
|
||||
+ Examples of PCR algorithm banks, support depends on TPM chip:
|
||||
|
||||
- *sha1*
|
||||
- *sha256*
|
||||
|
||||
+ For the full list of algorithms supported by the TPM chip check output of
|
||||
+ `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR
|
||||
+ numbers.
|
||||
+
|
||||
* *pcr_ids* (string) :
|
||||
Comma separated list of PCR used for policy. If not present, no policy is used
|
||||
|
||||
--- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200
|
||||
+++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100
|
||||
@@ -142,8 +142,10 @@
|
||||
# arrays and check if we get the expected pcr_ids.
|
||||
|
||||
# Let's first make sure this would be a valid configuration.
|
||||
-_default_pcr_bank="sha1"
|
||||
-if validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
||||
+_default_pcr_bank=$(tpm2_getcap pcrs |
|
||||
+ awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \
|
||||
+ {split($0, m, /[-:[:space:]]+/); print m[2]; exit}')
|
||||
+if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then
|
||||
test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
|
||||
test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
|
||||
test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1
|
||||
@ -1,36 +0,0 @@
|
||||
From fc371d25a72806109e9a5c0205d67ba2232a6f17 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 20 Nov 2024 18:45:56 +0100
|
||||
Subject: [PATCH] Include tpm2_getcap as dracut required binary
|
||||
|
||||
---
|
||||
src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
|
||||
index 5ff0640..723df7a 100755
|
||||
--- a/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
|
||||
+++ b/src/luks/dracut/clevis-pin-tpm2/module-setup.sh.in
|
||||
@@ -19,7 +19,8 @@
|
||||
#
|
||||
|
||||
check() {
|
||||
- require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal || return 1
|
||||
+ require_binaries clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
|
||||
+ tpm2_load tpm2_unseal tpm2_pcrread tpm2_getcap || return 1
|
||||
require_any_binary tpm2_pcrread tpm2_pcrlist || return 1
|
||||
return 0
|
||||
}
|
||||
@@ -30,7 +31,8 @@ depends() {
|
||||
}
|
||||
|
||||
install() {
|
||||
- inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext tpm2_load tpm2_unseal
|
||||
+ inst_multiple clevis-decrypt-tpm2 tpm2_createprimary tpm2_flushcontext \
|
||||
+ tpm2_load tpm2_unseal tpm2_getcap
|
||||
inst_multiple -o tpm2_pcrread tpm2_pcrlist
|
||||
inst_libdir_file "libtss2-tcti-device.so*"
|
||||
}
|
||||
--
|
||||
2.47.0
|
||||
|
||||
@ -0,0 +1,16 @@
|
||||
--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang 2021-04-15 13:00:19.969067600 +0200
|
||||
+++ clevis-18/src/pins/tang/clevis-decrypt-tang 2022-01-20 17:29:21.859897964 +0100
|
||||
@@ -99,10 +99,10 @@
|
||||
|
||||
xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
|
||||
|
||||
-url="$url/rec/$kid"
|
||||
+rec_url="$url/rec/$kid"
|
||||
ct="Content-Type: application/jwk+json"
|
||||
-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
|
||||
- echo "Error communicating with the server!" >&2
|
||||
+if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
|
||||
+ echo "Error communicating with the server $url" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@ -0,0 +1,213 @@
|
||||
From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Murdaca <runcom@linux.com>
|
||||
Date: Wed, 1 Dec 2021 14:17:53 +0100
|
||||
Subject: [PATCH 6/6] feat: rename the test pin to null pin
|
||||
|
||||
Signed-off-by: Antonio Murdaca <runcom@linux.com>
|
||||
---
|
||||
src/initramfs-tools/hooks/clevis.in | 1 +
|
||||
.../dracut/clevis-pin-null/meson.build | 14 ++++++++++
|
||||
.../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
|
||||
src/luks/systemd/dracut/meson.build | 1 +
|
||||
...levis-decrypt-test => clevis-decrypt-null} | 4 +--
|
||||
...levis-encrypt-test => clevis-encrypt-null} | 4 +--
|
||||
src/pins/sss/meson.build | 5 +++-
|
||||
src/pins/sss/{pin-test => pin-null} | 4 +--
|
||||
src/pins/sss/pin-sss | 12 ++++----
|
||||
9 files changed, 60 insertions(+), 13 deletions(-)
|
||||
create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
|
||||
rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
|
||||
rename src/pins/sss/{pin-test => pin-null} (53%)
|
||||
|
||||
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
|
||||
index 7e6d2b3..8d60d05 100755
|
||||
--- a/src/initramfs-tools/hooks/clevis.in
|
||||
+++ b/src/initramfs-tools/hooks/clevis.in
|
||||
@@ -58,6 +58,7 @@ fi
|
||||
|
||||
copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
|
||||
copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
|
||||
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
|
||||
copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
|
||||
copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
|
||||
copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
|
||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
new file mode 100644
|
||||
index 0000000..107e3ba
|
||||
--- /dev/null
|
||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
|
||||
@@ -0,0 +1,14 @@
|
||||
+dracut = dependency('dracut', required: false)
|
||||
+
|
||||
+if dracut.found()
|
||||
+ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
|
||||
+
|
||||
+ configure_file(
|
||||
+ input: 'module-setup.sh.in',
|
||||
+ output: 'module-setup.sh',
|
||||
+ install_dir: dracutdir,
|
||||
+ configuration: data,
|
||||
+ )
|
||||
+else
|
||||
+ warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
|
||||
+endif
|
||||
diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
new file mode 100755
|
||||
index 0000000..6a16078
|
||||
--- /dev/null
|
||||
+++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
|
||||
@@ -0,0 +1,28 @@
|
||||
+#!/bin/bash
|
||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2016 Red Hat, Inc.
|
||||
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+depends() {
|
||||
+ echo clevis
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+install() {
|
||||
+ inst clevis-decrypt-null
|
||||
+}
|
||||
diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
|
||||
index fdb264b..7ad5b14 100644
|
||||
--- a/src/luks/systemd/dracut/meson.build
|
||||
+++ b/src/luks/systemd/dracut/meson.build
|
||||
@@ -2,3 +2,4 @@ subdir('clevis')
|
||||
subdir('clevis-pin-tang')
|
||||
subdir('clevis-pin-tpm2')
|
||||
subdir('clevis-pin-sss')
|
||||
+subdir('clevis-pin-null')
|
||||
diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
|
||||
similarity index 88%
|
||||
rename from src/pins/sss/clevis-decrypt-test
|
||||
rename to src/pins/sss/clevis-decrypt-null
|
||||
index f0e9249..a6217ed 100755
|
||||
--- a/src/pins/sss/clevis-decrypt-test
|
||||
+++ b/src/pins/sss/clevis-decrypt-null
|
||||
@@ -22,11 +22,11 @@
|
||||
|
||||
read -r -d . hdr
|
||||
|
||||
-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
|
||||
+if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
|
||||
echo "JWE pin mismatch!" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
|
||||
+jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
|
||||
|
||||
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
|
||||
diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
|
||||
similarity index 90%
|
||||
rename from src/pins/sss/clevis-encrypt-test
|
||||
rename to src/pins/sss/clevis-encrypt-null
|
||||
index bd2d6ec..af182a5 100755
|
||||
--- a/src/pins/sss/clevis-encrypt-test
|
||||
+++ b/src/pins/sss/clevis-encrypt-null
|
||||
@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
|
||||
fi
|
||||
|
||||
jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
|
||||
-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
|
||||
+jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
|
||||
|
||||
if ! jose fmt -j "$cfg" -g fail -T; then
|
||||
- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
|
||||
+ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
|
||||
fi
|
||||
|
||||
exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
|
||||
diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
|
||||
index 7f20eea..2a5295a 100644
|
||||
--- a/src/pins/sss/meson.build
|
||||
+++ b/src/pins/sss/meson.build
|
||||
@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
|
||||
separator: ':'
|
||||
)
|
||||
|
||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
|
||||
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
|
||||
+
|
||||
test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
|
||||
- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
|
||||
+ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
|
||||
else
|
||||
warning('Will not install sss pin due to missing dependencies!')
|
||||
endif
|
||||
diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
|
||||
similarity index 53%
|
||||
rename from src/pins/sss/pin-test
|
||||
rename to src/pins/sss/pin-null
|
||||
index 50c8c67..b14ac63 100755
|
||||
--- a/src/pins/sss/pin-test
|
||||
+++ b/src/pins/sss/pin-null
|
||||
@@ -2,9 +2,9 @@
|
||||
|
||||
trap 'exit' ERR
|
||||
|
||||
-e="$(echo -n hi | clevis encrypt test '{}')"
|
||||
+e="$(echo -n hi | clevis encrypt null '{}')"
|
||||
d="$(echo -n "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
|
||||
+e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
|
||||
index 5c0b8cf..24da052 100755
|
||||
--- a/src/pins/sss/pin-sss
|
||||
+++ b/src/pins/sss/pin-sss
|
||||
@@ -1,24 +1,24 @@
|
||||
#!/bin/bash -ex
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
|
||||
d="$(echo "$e" | clevis decrypt)"
|
||||
test "$d" == "hi"
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
|
||||
+e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
|
||||
! echo "$e" | clevis decrypt
|
||||
|
||||
! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
|
||||
--
|
||||
2.33.1
|
||||
|
||||
@ -0,0 +1,25 @@
|
||||
--- clevis-18.ori/src/clevis 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/clevis 2022-06-20 14:29:50.148261656 +0200
|
||||
@@ -27,6 +27,8 @@
|
||||
}
|
||||
|
||||
cmd=clevis
|
||||
+input_commands="$cmd $@"
|
||||
+
|
||||
while [ $# -gt 0 ]; do
|
||||
[[ "$1" =~ ^- ]] && break
|
||||
cmd="$cmd-$1"
|
||||
@@ -36,8 +38,11 @@
|
||||
done
|
||||
|
||||
exec >&2
|
||||
-echo
|
||||
-echo "Command '$cmd' is invalid"
|
||||
+if [ "$cmd" != "clevis" ];
|
||||
+then
|
||||
+ echo
|
||||
+ echo "Command '$input_commands' is invalid"
|
||||
+fi
|
||||
echo
|
||||
echo "Usage: clevis COMMAND [OPTIONS]"
|
||||
echo
|
||||
@ -0,0 +1,54 @@
|
||||
From da988dee93fd3171d41248fe884c627cdafa563e Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
Date: Tue, 2 Aug 2022 09:25:54 -0300
|
||||
Subject: [PATCH] Improve boot performance by removing key check
|
||||
|
||||
---
|
||||
src/luks/clevis-luks-common-functions.in | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
|
||||
index f018340..d059aae 100644
|
||||
--- a/src/luks/clevis-luks-common-functions.in
|
||||
+++ b/src/luks/clevis-luks-common-functions.in
|
||||
@@ -313,6 +313,7 @@ clevis_luks_check_valid_key_or_keyfile() {
|
||||
clevis_luks_unlock_device_by_slot() {
|
||||
local DEV="${1}"
|
||||
local SLT="${2}"
|
||||
+ local SKIP_CHECK="${3}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
[ -z "${SLT}" ] && return 1
|
||||
@@ -327,8 +328,9 @@ clevis_luks_unlock_device_by_slot() {
|
||||
|| [ -z "${passphrase}" ]; then
|
||||
return 1
|
||||
fi
|
||||
-
|
||||
- clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||
+ if [ -z "${SKIP_CHECK}" ]; then
|
||||
+ clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
|
||||
+ fi
|
||||
printf '%s' "${passphrase}"
|
||||
}
|
||||
|
||||
@@ -336,6 +338,8 @@ clevis_luks_unlock_device_by_slot() {
|
||||
# parameter and returns the decoded passphrase.
|
||||
clevis_luks_unlock_device() {
|
||||
local DEV="${1}"
|
||||
+ local SKIP_CHECK="YES"
|
||||
+
|
||||
[ -z "${DEV}" ] && return 1
|
||||
|
||||
local used_slots
|
||||
@@ -346,7 +350,7 @@ clevis_luks_unlock_device() {
|
||||
|
||||
local slt pt
|
||||
for slt in ${used_slots}; do
|
||||
- if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
|
||||
+ if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
|
||||
|| [ -z "${pt}" ]; then
|
||||
continue
|
||||
fi
|
||||
--
|
||||
2.35.1
|
||||
|
||||
@ -0,0 +1,45 @@
|
||||
From 0654fd3f3fd1ebc080cb1140774120d8f392137b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
|
||||
<1163635+rmetrich@users.noreply.github.com>
|
||||
Date: Wed, 1 Dec 2021 09:37:35 -0300
|
||||
Subject: [PATCH] luks: enable debugging in clevis scripts when rd.debug is set
|
||||
(#340)
|
||||
|
||||
On Fedora/RHEL, the rd.debug kernel command line parameter controls
|
||||
debugging.
|
||||
By implementing the functionality inside clevis, troubleshooting will be
|
||||
greatly eased.
|
||||
See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
|
||||
---
|
||||
src/luks/clevis-luks-common-functions.in | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
|
||||
index d059aae..87b370f 100644
|
||||
--- a/src/luks/clevis-luks-common-functions.in
|
||||
+++ b/src/luks/clevis-luks-common-functions.in
|
||||
@@ -20,6 +20,21 @@
|
||||
|
||||
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||
|
||||
+enable_debugging() {
|
||||
+ # Automatically enable debugging if in initramfs phase and rd.debug
|
||||
+ if [ -e /usr/lib/dracut-lib.sh ]; then
|
||||
+ local bashopts=$-
|
||||
+ # Because dracut is loosely written, disable hardening options temporarily
|
||||
+ [[ $bashopts != *u* ]] || set +u
|
||||
+ [[ $bashopts != *e* ]] || set +e
|
||||
+ . /usr/lib/dracut-lib.sh
|
||||
+ [[ $bashopts != *u* ]] || set -u
|
||||
+ [[ $bashopts != *e* ]] || set -e
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+enable_debugging
|
||||
+
|
||||
# valid_slot() will check whether a given slot is possibly valid, i.e., if it
|
||||
# is a numeric value within the specified range.
|
||||
valid_slot() {
|
||||
--
|
||||
2.35.1
|
||||
|
||||
@ -0,0 +1,385 @@
|
||||
--- clevis-18.ori/src/luks/clevis-luks-bind 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/luks/clevis-luks-bind 2022-11-24 12:53:59.613676320 +0100
|
||||
@@ -25,7 +25,7 @@
|
||||
usage() {
|
||||
exec >&2
|
||||
echo
|
||||
- echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG"
|
||||
+ echo "Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] [-e EXISTING_TOKEN_ID] -d DEV PIN CFG"
|
||||
echo
|
||||
echo "$SUMMARY":
|
||||
echo
|
||||
@@ -42,6 +42,8 @@
|
||||
echo " -k KEY Non-interactively read LUKS password from KEY file"
|
||||
echo " -k - Non-interactively read LUKS password from standard input"
|
||||
echo
|
||||
+ echo " -e E_TKN_ID Existing LUKS token ID for existing passphrase; only available for LUKS2"
|
||||
+ echo
|
||||
exit 2
|
||||
}
|
||||
|
||||
@@ -52,13 +54,14 @@
|
||||
|
||||
FRC=
|
||||
YES=
|
||||
-while getopts ":hfyd:s:k:t:" o; do
|
||||
+while getopts ":hfyd:s:k:t:e:" o; do
|
||||
case "$o" in
|
||||
f) FRC='-f';;
|
||||
d) DEV="$OPTARG";;
|
||||
s) SLT="$OPTARG";;
|
||||
k) KEY="$OPTARG";;
|
||||
t) TOKEN_ID="$OPTARG";;
|
||||
+ e) EXISTING_TOKEN_ID="$OPTARG";;
|
||||
y) FRC='-f'
|
||||
YES='-y';;
|
||||
*) usage;;
|
||||
@@ -99,11 +102,20 @@
|
||||
exit 1
|
||||
fi
|
||||
|
||||
+if [ -n "${EXISTING_TOKEN_ID}" ] && ! clevis_luks_luks2_existing_token_id_supported; then
|
||||
+ echo "Existing token ID not supported in this cryptsetup version" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
# Get the existing passphrase/keyfile.
|
||||
existing_key=
|
||||
keyfile=
|
||||
case "${KEY}" in
|
||||
-"") IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2;;
|
||||
+ "")
|
||||
+ if [ -z "${EXISTING_TOKEN_ID}" ] ; then
|
||||
+ IFS= read -r -s -p "Enter existing LUKS password: " existing_key; echo >&2
|
||||
+ fi
|
||||
+ ;;
|
||||
-) IFS= read -r -s -p "" existing_key ||:
|
||||
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}" \
|
||||
&& [ -z "${FRC}" ]; then
|
||||
@@ -119,6 +131,13 @@
|
||||
;;
|
||||
esac
|
||||
|
||||
+# Check if existing token id for keyring read is provided
|
||||
+# If so, keyfile is not allowed
|
||||
+if [ -n "${EXISTING_TOKEN_ID}" ] && [ -n "${keyfile}" ] ; then
|
||||
+ echo "Cannot specify kernel keyring description together with key file" >&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
# If necessary, initialize the LUKS volume.
|
||||
if [ "${luks_type}" = "luks1" ] && ! luksmeta test -d "${DEV}"; then
|
||||
luksmeta init -d "${DEV}" ${FRC}
|
||||
@@ -127,7 +146,7 @@
|
||||
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "${TOKEN_ID}" \
|
||||
"${PIN}" "${CFG}" \
|
||||
"${YES}" "" \
|
||||
- "${existing_key}" "${keyfile}"; then
|
||||
+ "${existing_key}" "${keyfile}" "${EXISTING_TOKEN_ID}"; then
|
||||
echo "Error adding new binding to ${DEV}" >&2
|
||||
exit 1
|
||||
fi
|
||||
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2022-11-24 12:54:48.476829197 +0100
|
||||
@@ -9,7 +9,7 @@
|
||||
|
||||
== SYNOPSIS
|
||||
|
||||
-*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] PIN CFG
|
||||
+*clevis luks bind* [-f] [-y] -d DEV [-t TKN_ID] [-s SLT] [-k KEY] [-e EXISTING_TOKEN_ID] PIN CFG
|
||||
|
||||
== OVERVIEW
|
||||
|
||||
@@ -54,6 +54,12 @@
|
||||
* *-k* - :
|
||||
Non-interactively read LUKS password from standard input
|
||||
|
||||
+* *-e* _E_TKN_ID_ :
|
||||
+ LUKS token ID for existing passphrase; only available for LUKS2.
|
||||
+ This parameter allows providing a configured token ID in LUKS2
|
||||
+ containing the existing passphrase for this device, so that
|
||||
+ existing passphrase is not prompted by clevis
|
||||
+
|
||||
== CAVEATS
|
||||
|
||||
This command does not change the LUKS master key. This implies that if you
|
||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2022-11-24 12:46:09.130204312 +0100
|
||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2022-11-24 13:01:57.087170193 +0100
|
||||
@@ -307,9 +307,10 @@
|
||||
local KEY="${2:-}"
|
||||
local KEYFILE="${3:-}"
|
||||
local SLT="${4:-}"
|
||||
+ local EXISTING_TOKEN_ID="${5:-}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
- [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
|
||||
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1
|
||||
|
||||
local extra_args
|
||||
extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"
|
||||
@@ -318,6 +319,11 @@
|
||||
${extra_args}
|
||||
return
|
||||
fi
|
||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
||||
+ cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
|
||||
+ ${extra_args}
|
||||
+ return
|
||||
+ fi
|
||||
|
||||
printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
|
||||
${extra_args}
|
||||
@@ -753,10 +759,11 @@
|
||||
local NEWKEY="${3}"
|
||||
local KEY="${4}"
|
||||
local KEYFILE="${5:-}"
|
||||
+ local EXISTING_TOKEN_ID="${6:-}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
[ -z "${NEWKEY}" ] && return 1
|
||||
- [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
|
||||
+ [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEY}" ] && [ -z "${KEYFILE}" ] && return 1
|
||||
|
||||
local extra_args='' input
|
||||
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
|
||||
@@ -764,6 +771,10 @@
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
||||
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
||||
+ input="$(printf '%s' "${NEWKEY}")"
|
||||
+ fi
|
||||
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||
@@ -780,6 +791,7 @@
|
||||
local NEWKEY="${3}"
|
||||
local KEY="${4}"
|
||||
local KEYFILE="${5:-}"
|
||||
+ local EXISTING_TOKEN_ID="${6:-}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
[ -z "${NEWKEY}" ] && return 1
|
||||
@@ -789,7 +801,7 @@
|
||||
local in_place
|
||||
clevis_luks_check_valid_key_or_keyfile "${DEV}" \
|
||||
"${KEY}" "${KEYFILE}" \
|
||||
- "${SLT}" 2>/dev/null \
|
||||
+ "${SLT}" "${EXISTING_TOKEN_ID}" 2>/dev/null \
|
||||
&& in_place=true
|
||||
|
||||
local input extra_args=
|
||||
@@ -798,6 +810,10 @@
|
||||
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
+ if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
||||
+ extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
||||
+ input="$(printf '%s' "${NEWKEY}")"
|
||||
+ fi
|
||||
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
if [ -n "${in_place}" ]; then
|
||||
@@ -844,13 +860,13 @@
|
||||
[ -n "${OVERWRITE}" ] || return 1
|
||||
|
||||
clevis_luks_update_key "${DEV}" "${SLT}" \
|
||||
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
|
||||
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
|
||||
return
|
||||
fi
|
||||
|
||||
# Add a new key.
|
||||
clevis_luks_add_key "${DEV}" "${SLT}" \
|
||||
- "${NEWKEY}" "${KEY}" "${KEYFILE}"
|
||||
+ "${NEWKEY}" "${KEY}" "${KEYFILE}" "${EXISTING_TOKEN_ID}"
|
||||
}
|
||||
|
||||
# clevis_luks_generate_key() generates a new key for use with clevis.
|
||||
@@ -942,6 +958,7 @@
|
||||
local OVERWRITE="${7:-}"
|
||||
local KEY="${8:-}"
|
||||
local KEYFILE="${9:-}"
|
||||
+ local EXISTING_TOKEN_ID="${10:-}"
|
||||
|
||||
[ -z "${DEV}" ] && return 1
|
||||
[ -z "${PIN}" ] && return 1
|
||||
@@ -951,6 +968,8 @@
|
||||
if ! clevis_luks_check_valid_key_or_keyfile "${DEV}" \
|
||||
"${KEY}" \
|
||||
"${KEYFILE}" \
|
||||
+ "" \
|
||||
+ "${EXISTING_TOKEN_ID}" \
|
||||
&& ! KEY="$(clevis_luks_get_existing_key "${DEV}" \
|
||||
"Enter existing LUKS password: " \
|
||||
"recover")"; then
|
||||
@@ -995,7 +1014,7 @@
|
||||
|
||||
if ! clevis_luks_save_key_to_slot "${DEV}" "${SLT}" \
|
||||
"${newkey}" "${KEY}" "${KEYFILE}" \
|
||||
- "${OVERWRITE}"; then
|
||||
+ "${OVERWRITE}" "${EXISTING_TOKEN_ID}"; then
|
||||
echo "Unable to save/update key slot; operation cancelled" >&2
|
||||
clevis_luks_restore_dev "${CLEVIS_TMP_DIR}" || :
|
||||
rm -rf "${CLEVIS_TMP_DIR}"
|
||||
@@ -1016,12 +1035,19 @@
|
||||
}
|
||||
|
||||
# clevis_luks_luks2_supported() indicates whether we support LUKS2 devices.
|
||||
-# Suppor is determined at build time.
|
||||
+# Support is determined at build time.
|
||||
function clevis_luks_luks2_supported() {
|
||||
# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
|
||||
return @OLD_CRYPTSETUP@
|
||||
}
|
||||
|
||||
+# clevis_luks_luks2_existing_token_id_supported() indicates whether
|
||||
+# cryptsetup allows token id for passphrase providing
|
||||
+function clevis_luks_luks2_existing_token_id_supported() {
|
||||
+ # We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
|
||||
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
|
||||
+}
|
||||
+
|
||||
# clevis_luks_type() returns the LUKS type of a device, e.g. "luks1".
|
||||
clevis_luks_type() {
|
||||
local DEV="${1}"
|
||||
--- clevis-18.ori/src/luks/meson.build 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/luks/meson.build 2022-11-24 13:02:39.118301695 +0100
|
||||
@@ -14,6 +14,15 @@
|
||||
endif
|
||||
endif
|
||||
|
||||
+libcryptsetup_ext_token_id = dependency('libcryptsetup', version: '>=2.6.0', required: false)
|
||||
+if libcryptsetup_ext_token_id.found()
|
||||
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '0')
|
||||
+ message('cryptsetup version supports existing token id')
|
||||
+else
|
||||
+ luksmeta_data.set('OLD_CRYPTSETUP_EXISTING_TOKEN_ID', '1')
|
||||
+ warning('cryptsetup version does not support existing token id')
|
||||
+endif
|
||||
+
|
||||
clevis_luks_common_functions = configure_file(
|
||||
input: 'clevis-luks-common-functions.in',
|
||||
output: 'clevis-luks-common-functions',
|
||||
--- clevis-18.ori/src/luks/tests/bind-luks2-ext-token 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ clevis-18/src/luks/tests/bind-luks2-ext-token 2022-11-24 13:04:30.742650939 +0100
|
||||
@@ -0,0 +1,74 @@
|
||||
+#!/bin/bash -ex
|
||||
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
||||
+#
|
||||
+# Copyright (c) 2022 Red Hat, Inc.
|
||||
+# Author: Sergio Arroutbi <sarroutb@redhat.com>
|
||||
+#
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+TEST=$(basename "${0}")
|
||||
+. tests-common-functions
|
||||
+
|
||||
+on_exit() {
|
||||
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
||||
+}
|
||||
+
|
||||
+create_existing_token_id_from_keyring() {
|
||||
+ local DEV="${1}"
|
||||
+ local KEYDESC="${2}"
|
||||
+ local TOKEN_ID="${3}"
|
||||
+ local PASS="${4}"
|
||||
+ if [[ -z "${DEV}" ]] || [[ -z "${KEYDESC}" ]] || [[ -z "${TOKEN_ID}" ]]; then
|
||||
+ return 1
|
||||
+ fi
|
||||
+ KEYRING_ID=$(keyctl add user "${KEYDESC}" "${PASS}" @s)
|
||||
+ keyctl print "${KEYRING_ID}" 2>/dev/null 1>/dev/null
|
||||
+ cryptsetup token add --token-id "${TOKEN_ID}" --key-description "${KEYDESC}" "${DEV}"
|
||||
+}
|
||||
+
|
||||
+if ! luks2_supported; then
|
||||
+ skip_test "${TEST}: LUKS2 is not supported."
|
||||
+fi
|
||||
+
|
||||
+if ! luks2_existing_token_id_supported; then
|
||||
+ skip_test "${TEST}: Existing token ID not supported"
|
||||
+fi
|
||||
+
|
||||
+trap 'on_exit' EXIT
|
||||
+trap 'exit' ERR
|
||||
+
|
||||
+TMP="$(mktemp -d)"
|
||||
+
|
||||
+ADV="${TMP}/adv.jws"
|
||||
+tang_create_adv "${TMP}" "${ADV}"
|
||||
+CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
|
||||
+
|
||||
+EXISTING_TOKEN_ID=5
|
||||
+KEYDESC="testkey"
|
||||
+PASS="123exttokenid_"
|
||||
+DEV="${TMP}/luks2-device-ext-token"
|
||||
+new_device "luks2" "${DEV}" "${PASS}"
|
||||
+
|
||||
+create_existing_token_id_from_keyring "${DEV}" "${KEYDESC}" "${EXISTING_TOKEN_ID}" "${PASS}"
|
||||
+
|
||||
+if ! clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" tang "${CFG}"; then
|
||||
+ error "${TEST}: Binding expected to succeed with existing token id:${EXISTING_TOKEN_ID}" >&2
|
||||
+fi
|
||||
+
|
||||
+KEYFILE="${TMP}/keyfile.txt"
|
||||
+touch "${KEYFILE}"
|
||||
+if clevis luks bind -y -d "${DEV}" -e "${EXISTING_TOKEN_ID}" -k "${KEYFILE}" tang "${CFG}"; then
|
||||
+ error "${TEST}: Using existing token id and keyfile should dump an error" >&2
|
||||
+fi
|
||||
--- clevis-18.ori/src/luks/tests/meson.build 2021-04-15 13:00:19.967066500 +0200
|
||||
+++ clevis-18/src/luks/tests/meson.build 2022-11-24 13:06:36.096043131 +0100
|
||||
@@ -5,6 +5,15 @@
|
||||
# given token slot.
|
||||
cryptsetup = find_program('cryptsetup', required: true)
|
||||
|
||||
+# Use keyctl to check an existing token id can be created from
|
||||
+# kernel keyring password
|
||||
+keyutils = find_program('keyctl', required: false)
|
||||
+if keyutils.found()
|
||||
+ message('keyutils installed')
|
||||
+else
|
||||
+ warning('keyutils not installed, unable to test existing token id binding')
|
||||
+endif
|
||||
+
|
||||
common_functions = configure_file(input: 'tests-common-functions.in',
|
||||
output: 'tests-common-functions',
|
||||
configuration: luksmeta_data,
|
||||
@@ -69,6 +78,10 @@
|
||||
test('unbind-unbound-slot-luks2', find_program('unbind-unbound-slot-luks2'), env: env)
|
||||
test('unbind-luks2', find_program('unbind-luks2'), env: env, timeout: 60)
|
||||
|
||||
+ if keyutils.found() and luksmeta_data.get('OLD_CRYPTSETUP_EXISTING_TOKEN_ID') == '0'
|
||||
+ test('bind-luks2-ext-token', find_program('bind-luks2-ext-token'), env: env, timeout: 60)
|
||||
+ endif
|
||||
+
|
||||
if jq.found()
|
||||
test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
|
||||
test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
|
||||
--- clevis-18.ori/src/luks/tests/tests-common-functions.in 2021-04-15 13:00:19.967066500 +0200
|
||||
+++ clevis-18/src/luks/tests/tests-common-functions.in 2022-11-24 13:06:24.376006462 +0100
|
||||
@@ -36,6 +36,12 @@
|
||||
return @OLD_CRYPTSETUP@
|
||||
}
|
||||
|
||||
+# We require cryptsetup >= 2.6.0 to fully support LUKSv2 addkey/open by token ID
|
||||
+# Support is determined at build time.
|
||||
+luks2_existing_token_id_supported() {
|
||||
+ return @OLD_CRYPTSETUP_EXISTING_TOKEN_ID@
|
||||
+}
|
||||
+
|
||||
# Creates a new LUKS1 or LUKS2 device to be used.
|
||||
new_device() {
|
||||
local LUKS="${1}"
|
||||
@ -0,0 +1,16 @@
|
||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-12 11:00:00.927790464 +0100
|
||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-12 11:05:53.528590215 +0100
|
||||
@@ -418,7 +418,12 @@
|
||||
clevis_devices=
|
||||
|
||||
# Build list of devices to unlock.
|
||||
- while read -r _ crypt_device _; do
|
||||
+ while read -r _volname_ crypt_device _; do
|
||||
+ # skip empty lines and lines which begin with the '#' char, per
|
||||
+ # crypttab(5)
|
||||
+ case $_volname_ in
|
||||
+ ''|\#*) continue ;;
|
||||
+ esac
|
||||
if ! dev=$(clevis_map_device "${crypt_device}") \
|
||||
|| [ -z "${dev}" ]; then
|
||||
# Unable to get the device - maybe it's not available, e.g. a
|
||||
@ -0,0 +1,42 @@
|
||||
--- clevis-18.ori/src/clevis.1.adoc 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/clevis.1.adoc 2023-01-13 12:08:31.162012856 +0100
|
||||
@@ -101,7 +101,7 @@
|
||||
|
||||
This command performs four steps:
|
||||
|
||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||
2. Encrypts the new key with Clevis.
|
||||
3. Stores the Clevis JWE in the LUKS header.
|
||||
4. Enables the new key for use with LUKS.
|
||||
--- clevis-18.ori/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:02:52.005243591 +0100
|
||||
+++ clevis-18/src/luks/clevis-luks-bind.1.adoc 2023-01-13 12:08:05.873955501 +0100
|
||||
@@ -20,7 +20,7 @@
|
||||
|
||||
This command performs four steps:
|
||||
|
||||
-1. Creates a new key with the same entropy as the LUKS master key.
|
||||
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
||||
2. Encrypts the new key with Clevis.
|
||||
3. Stores the Clevis JWE in the LUKS header.
|
||||
4. Enables the new key for use with LUKS.
|
||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-01-13 12:02:52.005243591 +0100
|
||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-01-13 12:06:29.233736316 +0100
|
||||
@@ -875,6 +875,7 @@
|
||||
[ -z "${DEV}" ] && return 1
|
||||
|
||||
local dump filter bits
|
||||
+ local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
|
||||
dump=$(cryptsetup luksDump "${DEV}")
|
||||
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||
@@ -886,6 +887,9 @@
|
||||
fi
|
||||
|
||||
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||
+ bits="${MAX_ENTROPY_BITS}"
|
||||
+ fi
|
||||
pwmake "${bits}"
|
||||
}
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
--- clevis-18.ori/src/luks/clevis-luks-edit 2021-04-15 13:00:19.965065700 +0200
|
||||
+++ clevis-18/src/luks/clevis-luks-edit 2023-01-16 10:24:18.555971552 +0100
|
||||
@@ -173,7 +173,7 @@
|
||||
|
||||
echo "Updating binding..."
|
||||
if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
|
||||
- "-y" "overwrite" 2>/dev/null; then
|
||||
+ "-y" "overwrite"; then
|
||||
echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
|
||||
exit 1
|
||||
fi
|
||||
@ -0,0 +1,98 @@
|
||||
--- clevis-18.ori/src/luks/meson.build 2023-06-01 15:28:51.615436832 +0200
|
||||
+++ clevis-18/src/luks/meson.build 2023-06-01 15:31:02.420366592 +0200
|
||||
@@ -1,7 +1,6 @@
|
||||
|
||||
luksmeta_data = configuration_data()
|
||||
luksmeta = dependency('luksmeta', version: '>=8', required: false)
|
||||
-pwmake = find_program('pwmake', required: false)
|
||||
|
||||
libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
|
||||
if libcryptsetup.found()
|
||||
@@ -33,7 +32,7 @@
|
||||
output: 'clevis-luks-unbind',
|
||||
configuration: luksmeta_data)
|
||||
|
||||
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
||||
+if libcryptsetup.found() and luksmeta.found()
|
||||
subdir('systemd')
|
||||
subdir('udisks2')
|
||||
|
||||
--- clevis-18.ori/src/luks/clevis-luks-common-functions.in 2023-06-01 15:28:51.656437123 +0200
|
||||
+++ clevis-18/src/luks/clevis-luks-common-functions.in 2023-06-02 17:31:52.430534483 +0200
|
||||
@@ -20,6 +20,11 @@
|
||||
|
||||
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
||||
|
||||
+# Length, in bytes, used for password generated for LUKS key
|
||||
+# This value corresponds to an entropy of 256 bits if the password
|
||||
+# was generated by pwmake or similar tool
|
||||
+JOSE_PASSWORD_LENGTH=40
|
||||
+
|
||||
enable_debugging() {
|
||||
# Automatically enable debugging if in initramfs phase and rd.debug
|
||||
if [ -e /usr/lib/dracut-lib.sh ]; then
|
||||
@@ -782,7 +787,7 @@
|
||||
fi
|
||||
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
|
||||
- printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
|
||||
+ printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
|
||||
--key-slot "${SLT}" \
|
||||
"${DEV}" \
|
||||
${pbkdf_args} \
|
||||
@@ -812,11 +817,11 @@
|
||||
local input extra_args=
|
||||
input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
|
||||
if [ -n "${KEYFILE}" ]; then
|
||||
- extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
|
||||
+ extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
if [ -n "${EXISTING_TOKEN_ID}" ]; then
|
||||
- extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
|
||||
+ extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
|
||||
input="$(printf '%s' "${NEWKEY}")"
|
||||
fi
|
||||
local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
|
||||
@@ -876,26 +881,10 @@
|
||||
|
||||
# clevis_luks_generate_key() generates a new key for use with clevis.
|
||||
clevis_luks_generate_key() {
|
||||
- local DEV="${1}"
|
||||
- [ -z "${DEV}" ] && return 1
|
||||
-
|
||||
- local dump filter bits
|
||||
- local MAX_ENTROPY_BITS=256 # Maximum allowed by pwmake.
|
||||
- dump=$(cryptsetup luksDump "${DEV}")
|
||||
- if cryptsetup isLuks --type luks1 "${DEV}"; then
|
||||
- filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
||||
- elif cryptsetup isLuks --type luks2 "${DEV}"; then
|
||||
- filter="$(echo -n "${dump}" | \
|
||||
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
|
||||
- else
|
||||
- return 1
|
||||
- fi
|
||||
-
|
||||
- bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
||||
- if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
||||
- bits="${MAX_ENTROPY_BITS}"
|
||||
- fi
|
||||
- pwmake "${bits}"
|
||||
+ local input
|
||||
+ input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
|
||||
+ jose jwk gen --input="${input}" --output=- \
|
||||
+ | jose fmt --json=- --object --get k --unquote=-
|
||||
}
|
||||
|
||||
# clevis_luks_token_id_by_slot() returns the token ID linked to a
|
||||
@@ -986,8 +975,8 @@
|
||||
fi
|
||||
|
||||
local newkey jwe
|
||||
- if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
|
||||
- || [ -z "${newkey}" ]; then
|
||||
+
|
||||
+ if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
|
||||
echo "Unable to generate a new key" >&2
|
||||
return 1
|
||||
fi
|
||||
@ -1 +1 @@
|
||||
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis -
|
||||
u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin
|
||||
|
||||
Loading…
Reference in new issue