From a85f50f789d69d9ca0a4096a64ac912f5967f97f Mon Sep 17 00:00:00 2001

From: Sergio Correia <scorreia@redhat.com>

Date: Sun, 10 May 2020 15:32:50 -0300

Subject: [PATCH 7/8] Add clevis luks report

---

 src/luks/clevis-luks-report         | 95 +++++++++++++++++++++++++++++

 src/luks/clevis-luks-report-compare | 71 +++++++++++++++++++++

 src/luks/clevis-luks-report-decode  | 59 ++++++++++++++++++

 src/luks/clevis-luks-report-sss     | 53 ++++++++++++++++

 src/luks/clevis-luks-report-tang    | 67 ++++++++++++++++++++

 src/luks/clevis-luks-report.1.adoc  | 41 +++++++++++++

 src/luks/meson.build                |  7 +++

 7 files changed, 393 insertions(+)

 create mode 100755 src/luks/clevis-luks-report

 create mode 100755 src/luks/clevis-luks-report-compare

 create mode 100755 src/luks/clevis-luks-report-decode

 create mode 100755 src/luks/clevis-luks-report-sss

 create mode 100755 src/luks/clevis-luks-report-tang

 create mode 100644 src/luks/clevis-luks-report.1.adoc

diff --git a/src/luks/clevis-luks-report b/src/luks/clevis-luks-report

new file mode 100755

index 0000000..f047256

--- /dev/null

+++ b/src/luks/clevis-luks-report

@@ -0,0 +1,95 @@

+#!/usr/bin/bash -e

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2018 Red Hat, Inc.

+# Author: Radovan Sroka <rsroka@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+. clevis-luks-common-functions

+

+SUMMARY="Report any key rotation on the server side"

+

+if [ "$1" == "--summary" ]; then

+    echo "$SUMMARY"

+    exit 0

+fi

+

+function usage_and_exit () {

+    echo >&2

+    echo "Usage: clevis luks report [-qr] -d DEV -s SLOT" >&2

+    echo >&2

+    echo -e "  -q\t Quiet mode" >&2

+    echo -e "  -r\t Regenerate luks metadata with \"clevis luks regen -d DEV -s SLOT\"" >&2

+    echo >&2

+    echo "$SUMMARY" >&2

+    echo >&2

+    exit "$1"

+}

+

+while getopts "hd:s:rq" o; do

+    case "$o" in

+    d) DEV="$OPTARG";;

+    h) usage_and_exit 0;;

+    r) ROPT="regen";;

+    s) SLT="$OPTARG";;

+    q) QOPT="quiet";;

+    *) usage_and_exit 1;;

+    esac

+done

+

+### get luks metadata

+

+if [ -z "$DEV" ]; then

+    echo "Did not specify a device!" >&2

+    exit 1

+fi

+

+if [ -z "$SLT" ]; then

+    echo "Did not specify a slot!" >&2

+    exit 1

+fi

+

+if ! DATA_CODED=$(clevis_luks_read_slot "${DEV}" "${SLT}"); then

+    # Error message was already displayed by clevis_luks_read_slot(),

+    # at this point.

+    exit 1

+fi

+

+EXE="$(findexe clevis-luks-report-decode)"

+RESULT="$($EXE "${DATA_CODED}")"

+

+if [ -n "$RESULT" ]; then

+    echo "$RESULT"

+    echo "Report detected that some keys were rotated."

+    if [ -z "$QOPT" ]; then

+        if [ -z "$ROPT" ]; then

+            read -r -p "Do you want to regenerate luks metadata with \"clevis luks regen -d $DEV -s $SLT\"? [ynYN] " ans < /dev/tty

+            [[ "$ans" =~ ^[yY]$ ]] && ROPT="regen"

+        fi

+    fi

+else

+    exit 0

+fi

+

+if [ "$ROPT" = "regen" ]; then

+    EXE="$(findexe clevis-luks-regen)"

+    exec "$EXE" -d "$DEV" -s "$SLT"

+else

+    if [ -n "${RESULT}" ]; then

+        # Keys were rotated.

+        exit 1

+    fi

+fi

diff --git a/src/luks/clevis-luks-report-compare b/src/luks/clevis-luks-report-compare

new file mode 100755

index 0000000..2ba5132

--- /dev/null

+++ b/src/luks/clevis-luks-report-compare

@@ -0,0 +1,71 @@

+#!/usr/bin/bash -e

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2018 Red Hat, Inc.

+# Author: Radovan Sroka <rsroka@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+SUMMARY="Compare two sets of keys"

+

+if [ "$1" == "--summary" ]; then

+    echo "$SUMMARY"

+    exit 1

+fi

+

+if [ -z "$1" ]; then

+    echo "$0 missing the first argument!"

+    exit 1

+fi

+

+if [ -z "$2" ]; then

+    echo "$0 missing the second argument!"

+    exit 1

+fi

+

+ADV_KEYS="$1" # keys from advertisement

+LUKS_KEYS="$2" # keys from luks metadata

+

+### iterate over adv keys and make thumbprints

+CNT=0

+declare -a ADV_KEYS_ARRAY

+while res="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$ADV_KEYS")"; do

+    thp="$(echo "$res" | jose jwk thp -i-)"

+    ADV_KEYS_ARRAY["$CNT"]="$thp"

+    CNT=$(( CNT + 1 ))

+done

+

+CNT=0

+while key="$(jose fmt -j- -g keys -g"$CNT" -o- <<< "$LUKS_KEYS")"; do

+    thp="$(echo "$key" | jose jwk thp -i-)"

+

+    FOUND=0

+    for k in "${ADV_KEYS_ARRAY[@]}"

+    do

+        if [ "$k" = "$thp" ]; then

+            FOUND=1

+            break

+        fi

+    done

+

+    if [ "$FOUND" -eq "0" ]; then

+        echo "Key \"$thp\" is not in the advertisement and was probably rotated!"

+        echo "$key"

+        echo

+    fi

+    CNT=$(( CNT + 1 ))

+done

+

+exit 0

diff --git a/src/luks/clevis-luks-report-decode b/src/luks/clevis-luks-report-decode

new file mode 100755

index 0000000..f39d1e9

--- /dev/null

+++ b/src/luks/clevis-luks-report-decode

@@ -0,0 +1,59 @@

+#!/usr/bin/bash -e

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2018 Red Hat, Inc.

+# Author: Radovan Sroka <rsroka@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+. clevis-luks-common-functions

+

+SUMMARY="Decode luks header"

+

+if [ "$1" == "--summary" ]; then

+    echo "$SUMMARY"

+    exit 1

+fi

+

+if [ -z "$1" ]; then

+    echo "$0 missing the first argument!"

+    exit 1

+fi

+

+DATA_CODED="$1"

+

+if DATA_CODED="$(jose jwe fmt -i- <<< "$DATA_CODED")"; then

+    DATA_CODED="$(jose fmt -j- -g protected -u- <<< "$DATA_CODED")"

+    DATA_DECODED="$(jose b64 dec -i- <<< "$DATA_CODED")"

+else

+    echo "Error decoding JWE protected header!" >&2

+    exit 1

+fi

+

+### get pin and url

+

+if ! PIN="$(jose fmt -j- -g clevis -g pin -u- <<< "$DATA_DECODED")" || [ -z "$PIN" ]; then

+    echo "Pin wasn't found in luks metadata!" >&2

+    exit 1

+fi

+

+if ! CONTENT="$(jose fmt -j- -g clevis -g "$PIN" -o- <<< "$DATA_DECODED")" || [ -z "$CONTENT" ]; then

+    echo "Content wasn't found!" >&2

+    exit 1

+fi

+

+EXE="$(findexe clevis-luks-report-"$PIN")"

+

+exec "$EXE" "$CONTENT"

diff --git a/src/luks/clevis-luks-report-sss b/src/luks/clevis-luks-report-sss

new file mode 100755

index 0000000..1dba4c1

--- /dev/null

+++ b/src/luks/clevis-luks-report-sss

@@ -0,0 +1,53 @@

+#!/bin/bash -e

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2018 Red Hat, Inc.

+# Author: Radovan Sroka <rsroka@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+. clevis-luks-common-functions

+

+SUMMARY="SSS report plugin"

+

+if [ "$1" == "--summary" ]; then

+    echo "$SUMMARY"

+    exit 1

+fi

+

+if [ -z "$1" ]; then

+    echo "$0 missing the first argument!" >&2

+    exit 1

+fi

+

+CONTENT="$1" # sss content

+

+CNT=0

+while DATA_CODED="$(jose fmt -j- -g jwe -g"$CNT" -u- <<< "$CONTENT")"; do

+    if [ -z "$DATA_CODED" ]; then

+        CNT=$(( CNT + 1 ))

+        continue # in some cases it can be empty string

+    fi

+

+    EXE="$(findexe clevis-luks-report-decode)"

+    if ! $EXE "$DATA_CODED"; then

+        echo "Failed" >&2

+        exit 1

+    fi

+

+    CNT=$(( CNT + 1 ))

+done

+

+exit 0

diff --git a/src/luks/clevis-luks-report-tang b/src/luks/clevis-luks-report-tang

new file mode 100755

index 0000000..07f2a72

--- /dev/null

+++ b/src/luks/clevis-luks-report-tang

@@ -0,0 +1,67 @@

+#!/usr/bin/bash -e

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2018 Red Hat, Inc.

+# Author: Radovan Sroka <rsroka@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+. clevis-luks-common-functions

+

+SUMMARY="Tang report plugin"

+

+if [ "$1" == "--summary" ]; then

+    echo "$SUMMARY"

+    exit 1

+fi

+

+if [ -z "$1" ]; then

+    echo "$0 missing the first argument!"

+    exit 1

+fi

+

+CONTENT="$1"

+

+### Get the advertisement

+if ! URL="$(jose fmt -j- -g url -u- <<< "$CONTENT")" || [ -z "$URL" ]; then

+    echo "URL was not found!" >&2

+    exit 1

+fi

+

+if ! jws="$(curl -sfg "$URL/adv")"; then

+    echo "Unable to fetch advertisement: $URL/adv!" >&2

+    exit 1

+fi

+

+if ! TANG_KEYS="$(jose fmt -j- -Og payload -SyOg keys -AUo- <<< "$jws")"; then

+    echo "Advertisement is malformed!" >&2

+    exit 1

+fi

+

+### Check advertisement validity

+ver="$(jose jwk use -i- -r -u verify -o- <<< "$TANG_KEYS")"

+if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then

+    echo "Advertisement is missing signatures!" >&2

+    exit 1

+fi

+

+if ! LUKS_KEYS="$(jose fmt -j- -g adv -o- <<< "$CONTENT")" || [ -z "$LUKS_KEYS" ]; then

+    echo "LUKS keys from LUKS metadata were not found!" >&2

+    exit 1

+fi

+

+EXE="$(findexe clevis-luks-report-compare)"

+

+exec "$EXE" "$TANG_KEYS" "$LUKS_KEYS"

diff --git a/src/luks/clevis-luks-report.1.adoc b/src/luks/clevis-luks-report.1.adoc

new file mode 100644

index 0000000..cf42afe

--- /dev/null

+++ b/src/luks/clevis-luks-report.1.adoc

@@ -0,0 +1,41 @@

+CLEVIS-LUKS-REPORT(1)

+=====================

+:doctype: manpage

+

+

+== NAME

+

+clevis-luks-report - Reports whether a pin bound to a LUKS1 or LUKS2 volume has been rotated

+

+== SYNOPSIS

+

+*clevis luks report* -d DEV -s SLT

+

+== OVERVIEW

+

+The *clevis luks report* command checks a given slot of a LUKS device and reports whether the pin bound to it

+-- if any -- has been rotated.

+

+== OPTIONS

+

+* *-d* _DEV_ :

+  The bound LUKS device

+

+* *-s* _SLT_ :

+  The slot or key slot number for the pin to be verified

+

+* *-q* :

+  Quiet mode. If used, we will not prompt whether to regenerate data with *clevis luks regen*

+

+* *-r* :

+  Regenerates LUKS metadata with *clevis luks regen -d DEV -s SLOT*

+

+== EXAMPLE

+

+    Check whether the pin bound to slot 1 in /dev/sda1 has been rotated:

+

+    # clevis luks report -d /dev/sda1 -s 1

+

+== SEE ALSO

+

+link:clevis-luks-regen.1.adoc[*clevis-luks-regen*(1)]

diff --git a/src/luks/meson.build b/src/luks/meson.build

index f21388d..ee588c3 100644

--- a/src/luks/meson.build

+++ b/src/luks/meson.build

@@ -47,6 +47,13 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()

   bins += join_paths(meson.current_source_dir(), 'clevis-luks-regen')

   mans += join_paths(meson.current_source_dir(), 'clevis-luks-regen.1')

+

+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report')

+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-compare')

+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-decode')

+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-sss')

+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-tang')

+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-report.1')

 else

   warning('Will not install LUKS support due to missing dependencies!')

 endif

-- 

2.18.4