diff --git a/.fido-device-onboard.metadata b/.fido-device-onboard.metadata
index ce4c98b..5812c83 100644
--- a/.fido-device-onboard.metadata
+++ b/.fido-device-onboard.metadata
@@ -1,2 +1,2 @@
-46520f8fc83e17f4f308e56e464413df14b0a30e SOURCES/fido-device-onboard-rs-0.4.7-vendor-patched.tar.xz
-7a56d23875101202a44ad2a35d928be29263cf4d SOURCES/fido-device-onboard-rs-0.4.7.tar.gz
+5bc51314a78eec68ea059ddae488aa020b1f295e SOURCES/fido-device-onboard-rs-0.4.12-vendor-patched.tar.xz
+377c879cb56ed3324c3e5f170d5c315d07ed2989 SOURCES/fido-device-onboard-rs-0.4.12.tar.gz
diff --git a/.gitignore b/.gitignore
index 00a064b..a353867 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/fido-device-onboard-rs-0.4.7-vendor-patched.tar.xz
-SOURCES/fido-device-onboard-rs-0.4.7.tar.gz
+SOURCES/fido-device-onboard-rs-0.4.12-vendor-patched.tar.xz
+SOURCES/fido-device-onboard-rs-0.4.12.tar.gz
diff --git a/SOURCES/0001-fix-drop-unused-sha-crypt-dep.patch b/SOURCES/0001-fix-drop-unused-sha-crypt-dep.patch
new file mode 100644
index 0000000..cc8c67e
--- /dev/null
+++ b/SOURCES/0001-fix-drop-unused-sha-crypt-dep.patch
@@ -0,0 +1,30 @@
+From 8899817ceff3371649ed87b700fb81490fb258c8 Mon Sep 17 00:00:00 2001
+From: Peter Robinson
+Date: Thu, 27 Jul 2023 10:36:58 +0100
+Subject: [PATCH] fix: drop unused sha-crypt dep
+
+The use of sha-crypt was dropped with commit 8d1d1b2 but one of the
+Cargo.toml updates was missed so drop it there and update Cargo.lock
+to match.
+
+Fixes: 8d1d1b2 ("chore: replace sha-crypt with openssl process calls")
+Signed-off-by: Peter Robinson
+---
+ integration-tests/Cargo.toml | 3 +--
+ 2 files changed, 1 insertion(+), 21 deletions(-)
+
+diff --git a/integration-tests/Cargo.toml b/integration-tests/Cargo.toml
+index 451bc3f..e3b87a9 100644
+--- a/integration-tests/Cargo.toml
++++ b/integration-tests/Cargo.toml
+@@ -35,7 +35,6 @@
+ passwd = "0.0.1"
+ pem = "2.0"
+ users = "0.11.0"
+-sha-crypt = "0.5.0"
+ 
+ fdo-data-formats = { path = "../data-formats" }
+ fdo-util = { path = "../util" }
+--
+2.41.0
+
diff --git a/SOURCES/0001-fix-relabel-devcreds-before-onboarding.patch b/SOURCES/0001-fix-relabel-devcreds-before-onboarding.patch
new file mode 100644
index 0000000..4462866
--- /dev/null
+++ b/SOURCES/0001-fix-relabel-devcreds-before-onboarding.patch
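Review bot: The embedded diffstat (`integration-tests/Cargo.toml | 3 +--`, `2 files changed, 1 insertion(+), 21 deletions(-)`) does not describe the diff that follows it, which touches one file and removes a single line; the Cargo.lock update the commit message announces is not in the patch. Presumably that hunk was stripped because the downstream build supplies its own vendored lockfile, but nothing on the page says so. Either regenerate the patch against the trimmed change so the header and stat lines match, or add one sentence under the description along the lines of `Cargo.lock hunk intentionally dropped for the downstream build`, stating the actual reason.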
@@ -0,0 +1,25 @@
+From adb1d1055f85ae48b58252ca36ce00d861a27358 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca
+Date: Tue, 15 Aug 2023 16:29:53 +0200
+Subject: [PATCH] fix: relabel devcreds before onboarding
+
+Signed-off-by: Antonio Murdaca
+---
+ examples/systemd/fdo-client-linuxapp.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/examples/systemd/fdo-client-linuxapp.service b/examples/systemd/fdo-client-linuxapp.service
+index acfdc79..c0b3090 100644
+--- a/examples/systemd/fdo-client-linuxapp.service
++++ b/examples/systemd/fdo-client-linuxapp.service
+@@ -6,6 +6,7 @@ After=network-online.target
+ Type=oneshot
+ EnvironmentFile=-/boot/fdo-client-env
+ Environment=LOG_LEVEL=info
++ExecStartPre=-/usr/sbin/restorecon /boot/device-credentials
+ ExecStart=/usr/libexec/fdo/fdo-client-linuxapp
+ ExecStartPost=-/usr/bin/mv /boot/device-credentials /etc/device-credentials
+ 
+--
+2.41.0
+
diff --git a/SOURCES/0001-hack-drop-shadow.patch b/SOURCES/0001-hack-drop-shadow.patch
new file mode 100644
index 0000000..23448c9
--- /dev/null
+++ b/SOURCES/0001-hack-drop-shadow.patch
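Review bot: `ExecStartPre=-/usr/sbin/restorecon /boot/device-credentials` carries the `-` prefix, so a restorecon that fails or is not installed is ignored and the unit proceeds to `ExecStart`; if the credentials file still has the wrong SELinux label, the failure then shows up as a read error inside fdo-client-linuxapp rather than at the relabel step, which is harder to diagnose. Neither the unit nor the patch description records why the relabel is needed. A comment above the new line would help the next reader, e.g. `# Restore the SELinux context of the credentials file before the client reads it (best effort)`. Whether best-effort is the right choice depends on whether the client is expected to run on systems without restorecon — worth one sentence in the patch description.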
@@ -0,0 +1,68 @@
+From 309c07aa5d43b3d126ccac640901f22afcc25b77 Mon Sep 17 00:00:00 2001
+From: Peter Robinson
+Date: Thu, 27 Jul 2023 10:21:26 +0100
+Subject: [PATCH] hack; drop shadow
+
+Signed-off-by: Peter Robinson
+---
+ integration-tests/Cargo.toml | 3 +--
+ integration-tests/tests/e2e.rs | 7 -------
+ integration-tests/tests/service_info.rs | 7 -------
+ 3 files changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/integration-tests/Cargo.toml b/integration-tests/Cargo.toml
+index 451bc3f..3e19ebb 100644
+--- a/integration-tests/Cargo.toml
++++ b/integration-tests/Cargo.toml
+@@ -33,10 +33,9 @@ serde_json = "1.0"
+ pretty_assertions = "1.0.0"
+ paste = "1.0"
+ passwd = "0.0.1"
+-shadow = "0.0.1"
+ pem = "2.0"
+ users = "0.11.0"
+ sha-crypt = "0.5.0"
+ 
+ fdo-data-formats = { path = "../data-formats" }
+-fdo-util = { path = "../util" }
+\ No newline at end of file
++fdo-util = { path = "../util" }
+diff --git a/integration-tests/tests/e2e.rs b/integration-tests/tests/e2e.rs
+index 9857ce0..611fc84 100644
+--- a/integration-tests/tests/e2e.rs
++++ b/integration-tests/tests/e2e.rs
+@@ -406,13 +406,6 @@ ssh-ed25519 sshkey_default user@example2.com
+ "User: {} is not created during onboarding",
+ &new_user
+ );
+- if let Some(test_user) = shadow::Shadow::from_name(new_user) {
+- pretty_assertions::assert_eq!(
+- test_user.password.is_empty(),
+- false,
+- "Password not created during onboarding"
+- );
+- }
+ } else {
+ L.l("Skipped create initial user validation
+ To validate set env variable FDO_PRIVILEGED and run test as superuser");
+diff --git a/integration-tests/tests/service_info.rs b/integration-tests/tests/service_info.rs
+index 8a346cc..4d05107 100644
+--- a/integration-tests/tests/service_info.rs
++++ b/integration-tests/tests/service_info.rs
+@@ -285,13 +285,6 @@ ssh-ed25519 sshkey_default user@example2.com
+ "User: {} is not created during onboarding",
+ &new_user
+ );
+- if let Some(test_user) = shadow::Shadow::from_name(new_user) {
+- pretty_assertions::assert_eq!(
+- test_user.password.is_empty(),
+- false,
+- "Password not created during onboarding"
+- );
+- }
+ } else {
+ L.l("Skipped create initial user validation
+ To validate set env variable FDO_PRIVILEGED and run test as superuser");
+--
+2.41.0
+
diff --git a/SOURCES/fix-devmapper-version.patch b/SOURCES/fix-devmapper-version.patch
new file mode 100644
index 0000000..38062c0
--- /dev/null
+++ b/SOURCES/fix-devmapper-version.patch
@@ -0,0 +1,13 @@
+diff --git a/client-linuxapp/Cargo.toml b/client-linuxapp/Cargo.toml
+index 423fec5..f4e3ad4 100644
+--- a/client-linuxapp/Cargo.toml
++++ b/client-linuxapp/Cargo.toml
+@@ -19,7 +19,7 @@ uuid = "1.3"
+ thiserror = "1"
+ libcryptsetup-rs = { version = "0.8.0", features = ["mutex"] }
+ secrecy = "0.8"
+-devicemapper = "0.33"
++devicemapper = "0.32.3"
+ openssl = "0.10.55"
+ 
+ fdo-data-formats = { path = "../data-formats", version = "0.4.12" }
diff --git a/SOURCES/make-vendored-tarfile.sh b/SOURCES/make-vendored-tarfile.sh
deleted file mode 100644
index 314a2cd..0000000
--- a/SOURCES/make-vendored-tarfile.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#/bin/bash
-set -x
-ver=$1
-cargo vendor
-# Various vendor cleanups
-pushd vendor
-# cleanup windows files
-rm -rf winapi/src/*
-touch winapi/src/lib.rs
-rm -rf winapi-x86_64-pc-windows-gnu/lib/*
-rm -rf winapi-i686-pc-windows-gnu/lib/*
-rm -rf vcpkg/test-data
-popd #vendor
-tar cjf fido-device-onboard-rs-$ver-vendor-patched.tar.xz vendor/
diff --git a/SPECS/fido-device-onboard.spec b/SPECS/fido-device-onboard.spec
index 39fc9d0..5790600 100644
--- a/SPECS/fido-device-onboard.spec
+++ b/SPECS/fido-device-onboard.spec
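Review bot: The removed `if let Some(test_user) = shadow::Shadow::from_name(new_user)` blocks in e2e.rs and service_info.rs were the only assertions in these two tests that the user created during onboarding ends up with a non-empty password hash, and the patch drops that coverage without saying why; the subject `hack; drop shadow` and the Cargo.toml hunk suggest the `shadow` crate is simply not available to this build, but that is inferred. Please record the reason and the lost check in the patch description, e.g. `shadow crate unavailable downstream; the password-set assertion is dropped, leaving only the user-creation check`. If the check matters downstream, the same field can be read from `/etc/shadow` with the standard library under the existing FDO_PRIVILEGED gate, without the crate.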
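Review bot: The pin to `devicemapper = "0.32.3"` changes only `client-linuxapp/Cargo.toml`; the workspace Cargo.lock is not touched, so on the RHEL path where the spec applies this patch and then runs `%cargo_prep -V 1`, the offline build resolves only if the vendored tarball was produced with this pin already applied (inferred from the spec, not stated anywhere). The patch has no header at all, so that constraint is not recorded. Add a short description above the diff, e.g. `Pin devicemapper to 0.32.3 for RHEL builds; regenerate the vendor tarball with this patch applied`, together with the actual reason for the pin, which the page does not give.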
@@ -1,57 +1,33 @@ -%global debug_package %{nil} -%define dracutlibdir %{_prefix}/lib/dracut +%global dracutlibdir %{_prefix}/lib/dracut %bcond_without check -%global forgeurl https://github.com/fedora-iot/fido-device-onboard-rs - -Version: 0.4.7 - -%forgemeta +%global combined_license Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND BSD-2-Clause AND BSD-3-Clause AND (CC0-1.0 OR Apache-2.0) AND (CC0-1.0 OR MIT-0 OR Apache 2.0) AND ISC AND MIT AND ((MIT OR Apache-2.0) AND Unicode-DFS-2016) AND (Apache-2.0 OR MIT OR Zlib) AND MPL-2.0 AND (Unlicense OR MIT) Name: fido-device-onboard -Release: 3%{?dist} +Version: 0.4.12 +Release: 4%{?dist} Summary: A rust implementation of the FIDO Device Onboard Specification +License: BSD-3-Clause -# Apache-2.0 -# Apache-2.0 OR BSL-1.0 -# Apache-2.0 OR ISC OR MIT -# Apache-2.0 OR MIT -# (Apache-2.0 OR MIT) AND BSD-3-Clause -# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT -# BSD-2-Clause -# BSD-3-Clause -# CC0-1.0 -# CC0-1.0 OR Apache-2.0 -# ISC -# MIT -# MIT OR Apache-2.0 -# MIT OR Apache-2.0 OR Zlib -# MPL-2.0 -# Unlicense OR MIT -# Zlib OR Apache-2.0 OR MIT - -License: Apache-2.0 and BSD and MIT -URL: %{forgeurl} - -Source0: %{forgesource} -# this is a basic script to generate the vendor tarfile. 
-Source1: make-vendored-tarfile.sh -%if "%{?commit}" != "" -Source2: %{name}-rs-%{commit}-vendor-patched.tar.xz -%else -Source2: %{name}-rs-%{version}-vendor-patched.tar.xz -%endif +URL: https://github.com/fedora-iot/fido-device-onboard-rs +Source0: %{url}/archive/v%{version}/%{name}-rs-%{version}.tar.gz +# See make-vendored-tarfile.sh in upstream repo +Source1: %{name}-rs-%{version}-vendor-patched.tar.xz +Patch0: 0001-hack-drop-shadow.patch +Patch1: 0001-fix-drop-unused-sha-crypt-dep.patch +Patch2: fix-devmapper-version.patch +Patch3: 0001-fix-relabel-devcreds-before-onboarding.patch -ExclusiveArch: %{rust_arches} -# Needs, at least, tss bindings regen -ExcludeArch: s390x i686 %{power64} +# Because nobody cares +ExcludeArch: %{ix86} -%if 0%{?rhel} && !0%{?eln} +%if 0%{?rhel} BuildRequires: rust-toolset %else BuildRequires: rust-packaging %endif BuildRequires: clang-devel BuildRequires: cryptsetup-devel +BuildRequires: device-mapper-devel BuildRequires: golang BuildRequires: openssl-devel >= 3.0.1-12 BuildRequires: systemd-rpm-macros @@ -61,24 +37,27 @@ BuildRequires: tpm2-tss-devel %{summary}. %prep -%forgesetup +%setup -q -n %{name}-rs-%{version} +%patch0 -p1 +%patch1 -p1 +%patch3 -p1 + +%if 0%{?rhel} +%patch2 -p1 +%cargo_prep -V 1 +%else %cargo_prep - -# Vendored crates -tar xf %{SOURCE2} -mkdir -p .cargo -cat >.cargo/config << EOF -[source.crates-io] -replace-with = "vendored-sources" - -[source.vendored-sources] -directory = "vendor" -EOF +%generate_buildrequires +%cargo_generate_buildrequires -a +%endif %build %cargo_build \ -F openssl-kdf/deny_custom +%{?cargo_license_summary} +%{?cargo_license} > LICENSE.dependencies + %install install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-client-linuxapp install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-manufacturing-client 
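Review bot: `%global combined_license` contains `Apache 2.0` inside `(CC0-1.0 OR MIT-0 OR Apache 2.0)`, which is not a valid SPDX identifier; the rest of the expression uses `Apache-2.0`, so this should read `(CC0-1.0 OR MIT-0 OR Apache-2.0)`, otherwise license checkers will reject the `License:` tag of every subpackage that uses the macro. The `# Because nobody cares` comment above `ExcludeArch: %{ix86}` also replaces the previous technical reason (`# Needs, at least, tss bindings regen`) with none; a one-line reason is more useful to whoever later has to decide whether the exclusion can go, e.g. `# i686 is not a supported target for this package`.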
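Review bot: `%{?cargo_license} > LICENSE.dependencies` in `%build` expands to a bare redirection when `cargo_license` is undefined, which creates an empty LICENSE.dependencies that every `%files` section then ships under `%license`. On the `%if 0%{?rhel}` path built with rust-toolset I am not certain the macro exists, so guard the redirection together with the macro, `%{?cargo_license:%cargo_license > LICENSE.dependencies}`, so the file is only produced when there is something to put in it. Separately, the numbered `%patch0 -p1` form is deprecated in recent rpm in favour of `%patch -P0 -p1`, if the target releases' rpm accepts that spelling.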
@@ -86,14 +65,28 @@ install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-manufact install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-owner-onboarding-server install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-rendezvous-server install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-serviceinfo-api-server -# duplicates as needed by AIO command -install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-owner-tool -install -D -m 0755 -t %{buildroot}%{_libexecdir}/fdo target/release/fdo-admin-tool install -D -m 0755 -t %{buildroot}%{_bindir} target/release/fdo-owner-tool install -D -m 0755 -t %{buildroot}%{_bindir} target/release/fdo-admin-tool install -D -m 0644 -t %{buildroot}%{_unitdir} examples/systemd/* install -D -m 0644 -t %{buildroot}%{_docdir}/fdo examples/config/* +# duplicates as needed by AIO command so link them +ln -s %{_bindir}/fdo-owner-tool %{buildroot}%{_libexecdir}/fdo/fdo-owner-tool +ln -s %{_bindir}/fdo-admin-tool %{buildroot}%{_libexecdir}/fdo/fdo-admin-tool +# Create directories needed by the various services so we own them mkdir -p %{buildroot}%{_sysconfdir}/fdo +mkdir -p %{buildroot}%{_sysconfdir}/fdo/keys +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/manufacturer_keys +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/manufacturing_sessions +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/owner_onboarding_sessions +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/owner_vouchers +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/rendezvous_registered +mkdir -p %{buildroot}%{_sysconfdir}/fdo/stores/rendezvous_sessions +mkdir -p %{buildroot}%{_sysconfdir}/fdo/manufacturing-server.conf.d +mkdir -p %{buildroot}%{_sysconfdir}/fdo/owner-onboarding-server.conf.d +mkdir -p %{buildroot}%{_sysconfdir}/fdo/rendezvous-server.conf.d +mkdir -p %{buildroot}%{_sysconfdir}/fdo/serviceinfo-api-server.conf.d +mkdir -p 
%{buildroot}%{_localstatedir}/lib/fdo # Dracut manufacturing service install -D -m 0755 -t %{buildroot}%{dracutlibdir}/modules.d/52fdo dracut/52fdo/module-setup.sh install -D -m 0755 -t %{buildroot}%{dracutlibdir}/modules.d/52fdo dracut/52fdo/manufacturing-client-generator @@ -102,28 +95,41 @@ install -D -m 0755 -t %{buildroot}%{dracutlibdir}/modules.d/52fdo dracut/52fdo/m %package -n fdo-init Summary: dracut module for device initialization +License: %combined_license Requires: openssl-libs >= 3.0.1-12 +Requires: dracut %description -n fdo-init %{summary} %files -n fdo-init -%license LICENSE -%{dracutlibdir}/modules.d/52fdo/* +%license LICENSE LICENSE.dependencies +%{dracutlibdir}/modules.d/52fdo/ %{_libexecdir}/fdo/fdo-manufacturing-client %package -n fdo-owner-onboarding-server Summary: FDO Owner Onboarding Server implementation +License: %combined_license Requires: openssl-libs >= 3.0.1-12 %description -n fdo-owner-onboarding-server %{summary} %files -n fdo-owner-onboarding-server -%license LICENSE +%license LICENSE LICENSE.dependencies +%dir %{_sysconfdir}/fdo +%dir %{_sysconfdir}/fdo/keys +%dir %{_sysconfdir}/fdo/owner-onboarding-server.conf.d +%dir %{_sysconfdir}/fdo/serviceinfo-api-server.conf.d +%dir %{_sysconfdir}/fdo/stores +%dir %{_sysconfdir}/fdo/stores/owner_onboarding_sessions +%dir %{_sysconfdir}/fdo/stores/owner_vouchers %{_libexecdir}/fdo/fdo-owner-onboarding-server %{_libexecdir}/fdo/fdo-serviceinfo-api-server +%dir %{_localstatedir}/lib/fdo +%dir %{_docdir}/fdo +%{_docdir}/fdo/device_specific_serviceinfo.yml %{_docdir}/fdo/serviceinfo-api-server.yml -%{_unitdir}/fdo-serviceinfo-api-server.service %{_docdir}/fdo/owner-onboarding-server.yml +%{_unitdir}/fdo-serviceinfo-api-server.service %{_unitdir}/fdo-owner-onboarding-server.service %post -n fdo-owner-onboarding-server 
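Review bot: The new `mkdir -p %{buildroot}%{_sysconfdir}/fdo/keys` and `…/stores/*` directories are created with the default mode and later listed as plain `%dir` entries (in the `%files -n fdo-owner-onboarding-server`, `fdo-rendezvous-server`, `fdo-manufacturing-server` and `fdo-admin-cli` hunks that follow), so they install world-readable. If `keys` holds private key material and `stores/*` holds session state, as the names suggest, creating them with `install -d -m 0750` and listing them as `%attr(0750,root,root) %dir` would stop their confidentiality from depending on what the services do at runtime. Whether the services already create their files with restrictive modes, or run as a dedicated user, is not visible here, so confirm before tightening. The hunk starts on the previous line.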
@@ -140,12 +146,21 @@ Requires: openssl-libs >= 3.0.1-12 %package -n fdo-rendezvous-server Summary: FDO Rendezvous Server implementation +License: %combined_license %description -n fdo-rendezvous-server %{summary} %files -n fdo-rendezvous-server -%license LICENSE +%license LICENSE LICENSE.dependencies +%dir %{_sysconfdir}/fdo +%dir %{_sysconfdir}/fdo/keys +%dir %{_sysconfdir}/fdo/rendezvous-server.conf.d +%dir %{_sysconfdir}/fdo/stores +%dir %{_sysconfdir}/fdo/stores/rendezvous_registered +%dir %{_sysconfdir}/fdo/stores/rendezvous_sessions %{_libexecdir}/fdo/fdo-rendezvous-server +%dir %{_localstatedir}/lib/fdo +%dir %{_docdir}/fdo %{_docdir}/fdo/rendezvous-*.yml %{_unitdir}/fdo-rendezvous-server.service @@ -160,13 +175,23 @@ Summary: FDO Rendezvous Server implementation %package -n fdo-manufacturing-server Summary: FDO Manufacturing Server implementation +License: %combined_license Requires: openssl-libs >= 3.0.1-12 %description -n fdo-manufacturing-server %{summary} %files -n fdo-manufacturing-server -%license LICENSE +%license LICENSE LICENSE.dependencies +%dir %{_sysconfdir}/fdo +%dir %{_sysconfdir}/fdo/keys +%dir %{_sysconfdir}/fdo/manufacturing-server.conf.d +%dir %{_sysconfdir}/fdo/keys +%dir %{_sysconfdir}/fdo/stores +%dir %{_sysconfdir}/fdo/stores/manufacturer_keys +%dir %{_sysconfdir}/fdo/stores/manufacturing_sessions %{_libexecdir}/fdo/fdo-manufacturing-server +%dir %{_localstatedir}/lib/fdo +%dir %{_docdir}/fdo %{_docdir}/fdo/manufacturing-server.yml %{_unitdir}/fdo-manufacturing-server.service @@ -181,15 +206,17 @@ Requires: openssl-libs >= 3.0.1-12 %package -n fdo-client Summary: FDO Client implementation +License: %combined_license Requires: openssl-libs >= 3.0.1-12 Requires: clevis Requires: clevis-luks +Requires: clevis-pin-tpm2 Requires: cryptsetup %description -n fdo-client %{summary} %files -n fdo-client -%license LICENSE +%license LICENSE LICENSE.dependencies %{_libexecdir}/fdo/fdo-client-linuxapp %{_unitdir}/fdo-client-linuxapp.service 
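Review bot: `%dir %{_sysconfdir}/fdo/keys` is listed twice in `%files -n fdo-manufacturing-server`, once before and once after `%dir %{_sysconfdir}/fdo/manufacturing-server.conf.d`; rpmbuild warns about a file listed twice, and the second occurrence should be dropped. The neighbouring `%files` sections list it once.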
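Review bot: `Patch3` makes fdo-client-linuxapp.service run `/usr/sbin/restorecon` before the client, but `%package -n fdo-client` gains only `License:` and `Requires: clevis-pin-tpm2` here and nothing that provides that binary; because the unit uses `ExecStartPre=-`, a missing restorecon is silently skipped and the credentials file keeps whatever label it had. Add a file dependency such as `Requires: /usr/sbin/restorecon` (or the package that owns it, policycoreutils on Fedora) so the relabel step the patch introduces actually runs on every install.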
@@ -204,31 +231,34 @@ Requires: cryptsetup %package -n fdo-owner-cli Summary: FDO Owner tools implementation +License: %combined_license %description -n fdo-owner-cli %{summary} %files -n fdo-owner-cli -%license LICENSE +%license LICENSE LICENSE.dependencies %{_bindir}/fdo-owner-tool %{_libexecdir}/fdo/fdo-owner-tool %package -n fdo-admin-cli Summary: FDO admin tools implementation -Requires: fdo-manufacturing-server -Requires: fdo-init -Requires: fdo-client -Requires: fdo-rendezvous-server -Requires: fdo-owner-onboarding-server -Requires: fdo-owner-cli +License: %combined_license +Requires: fdo-manufacturing-server = %{version}-%{release} +Requires: fdo-rendezvous-server = %{version}-%{release} +Requires: fdo-owner-onboarding-server = %{version}-%{release} +Requires: fdo-owner-cli = %{version}-%{release} +Requires: fdo-client = %{version}-%{release} +Requires: fdo-init = %{version}-%{release} %description -n fdo-admin-cli %{summary} %files -n fdo-admin-cli -%license LICENSE +%license LICENSE LICENSE.dependencies +%dir %{_sysconfdir}/fdo +%dir %{_sysconfdir}/fdo/keys %{_bindir}/fdo-admin-tool %{_libexecdir}/fdo/fdo-admin-tool %{_unitdir}/fdo-aio.service -%dir %{_sysconfdir}/fdo %post -n fdo-admin-cli %systemd_post fdo-aio.service 
@@ -240,6 +270,43 @@ Requires: fdo-owner-cli %systemd_postun_with_restart fdo-aio.service %changelog +* Wed Aug 23 2023 Peter Robinson - 0.4.12-4 +- Ensure client service fix is applied + +* Tue Aug 22 2023 Peter Robinson - 0.4.12-3 +- Own var/lib/fdo, SELinux fixes + +* Thu Aug 17 2023 Peter Robinson - 0.4.12-2 +- Add client/init deps to fdo-admin-cli + +* Thu Jul 27 2023 Peter Robinson - 0.4.12-1 +- Update to 0.4.12 + +* Wed Jul 19 2023 Fedora Release Engineering - 0.4.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 03 2023 Peter Robinson - 0.4.10-2 +- Updates for eln/c9s building + +* Fri Jun 23 2023 Peter Robinson - 0.4.10-1 +- Update to 0.4.10 + +* Wed Jun 14 2023 Peter Robinson - 0.4.9-5 +- More spec updates + +* Wed Jun 14 2023 Peter Robinson - 0.4.9-4 +- Add patch for libcryptsetup-rs 0.8 API changes + +* Tue Jun 13 2023 Peter Robinson - 0.4.9-3 +- Updates for licenses + +* Tue May 30 2023 Peter Robinson - 0.4.9-2 +- Review feedback +- Patch for libcryptsetup-rs 0.7 + +* Thu May 11 2023 Peter Robinson - 0.4.9-1 +- Update to 0.4.9 + * Mon Feb 20 2023 Peter Robinson - 0.4.7-3 - Fix services start