From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001

From: Sergio Correia <scorreia@redhat.com>

Date: Thu, 18 Nov 2021 16:45:58 -0300

Subject: [PATCH 4/4] systemd: drop ncat dependency

When using systemd, i.e., clevis-luks-askpass, we use ncat to send

the decrypted password to the systemd socket as per systemd's password

agents specification [1].

However, systemd itself has a utility that does exactly that,

systemd-reply-password.

In this commit we drop the ncat dependency and instead use

systemd-reply-password in clevis-luks-askpass.

[1] https://systemd.io/PASSWORD_AGENTS/

---

 ...is-luks-askpass => clevis-luks-askpass.in} |  2 +-

 .../systemd/dracut/clevis/module-setup.sh.in  |  4 ++--

 src/luks/systemd/meson.build                  | 19 +++++++++++++++++--

 3 files changed, 20 insertions(+), 5 deletions(-)

 rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)

diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in

similarity index 97%

rename from src/luks/systemd/clevis-luks-askpass

rename to src/luks/systemd/clevis-luks-askpass.in

index f19671f..a6699c9 100755

--- a/src/luks/systemd/clevis-luks-askpass

+++ b/src/luks/systemd/clevis-luks-askpass.in

@@ -58,7 +58,7 @@ while true; do

         fi

         uuid="$(cryptsetup luksUUID "${d}")"

-        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then

+        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then

             echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2

             continue

         fi

diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in

index ebf969f..d46c6e2 100755

--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in

+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in

@@ -36,6 +36,7 @@ install() {

     inst_multiple \

         /etc/services \

+        @SYSTEMD_REPLY_PASS@ \

         @libexecdir@/clevis-luks-askpass \

         clevis-luks-common-functions \

         grep sed cut \

@@ -45,8 +46,7 @@ install() {

         luksmeta \

         clevis \

         mktemp \

-        jose \

-        ncat

+        jose

     dracut_need_initqueue

 }

diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build

index 369e7f7..e3b3d91 100644

--- a/src/luks/systemd/meson.build

+++ b/src/luks/systemd/meson.build

@@ -1,6 +1,15 @@

 systemd = dependency('systemd', required: false)

-if systemd.found()

+sd_reply_pass = find_program(

+  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),

+  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),

+  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),

+  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),

+  required: false

+)

+

+if systemd.found() and sd_reply_pass.found()

+  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())

   subdir('dracut')

   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')

@@ -12,8 +21,14 @@ if systemd.found()

     configuration: data,

   )

+  configure_file(

+    input: 'clevis-luks-askpass.in',

+    output: 'clevis-luks-askpass',

+    install_dir: libexecdir,

+    configuration: data

+  )

+

   install_data('clevis-luks-askpass.path', install_dir: unitdir)

-  install_data('clevis-luks-askpass', install_dir: libexecdir)

 else

   warning('Will not install systemd support due to missing dependencies!')

 endif

-- 

2.33.1