|
 |
edfe8b |
--- clevis-15.ori/src/clevis.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
|
|
edfe8b |
+++ clevis-15/src/clevis.1.adoc 2023-01-11 17:18:29.967295005 +0100
|
|
|
edfe8b |
@@ -101,7 +101,7 @@
|
|
|
edfe8b |
|
|
|
edfe8b |
This command performs four steps:
|
|
|
edfe8b |
|
|
|
edfe8b |
-1. Creates a new key with the same entropy as the LUKS master key.
|
|
|
edfe8b |
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
|
|
edfe8b |
2. Encrypts the new key with Clevis.
|
|
|
edfe8b |
3. Stores the Clevis JWE in the LUKS header.
|
|
|
edfe8b |
4. Enables the new key for use with LUKS.
|
|
|
edfe8b |
--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc 2020-10-28 19:55:47.663228800 +0100
|
|
|
edfe8b |
+++ clevis-15/src/luks/clevis-luks-bind.1.adoc 2023-01-11 17:18:55.239351209 +0100
|
|
|
edfe8b |
@@ -20,7 +20,7 @@
|
|
|
edfe8b |
|
|
|
edfe8b |
This command performs four steps:
|
|
|
edfe8b |
|
|
|
edfe8b |
-1. Creates a new key with the same entropy as the LUKS master key.
|
|
|
edfe8b |
+1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
|
|
|
edfe8b |
2. Encrypts the new key with Clevis.
|
|
|
edfe8b |
3. Stores the Clevis JWE in the LUKS header.
|
|
|
edfe8b |
4. Enables the new key for use with LUKS.
|
|
|
edfe8b |
--- clevis-15.ori/src/luks/clevis-luks-common-functions 2023-01-11 17:15:44.984928070 +0100
|
|
|
edfe8b |
+++ clevis-15/src/luks/clevis-luks-common-functions 2023-01-11 17:20:53.238613637 +0100
|
|
|
edfe8b |
@@ -865,6 +865,7 @@
|
|
|
edfe8b |
[ -z "${DEV}" ] && return 1
|
|
|
edfe8b |
|
|
|
edfe8b |
local dump filter bits
|
|
|
edfe8b |
+ local MAX_ENTROPY_BITS=256
|
|
|
edfe8b |
dump=$(cryptsetup luksDump "${DEV}")
|
|
|
edfe8b |
if cryptsetup isLuks --type luks1 "${DEV}"; then
|
|
|
edfe8b |
filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
|
|
|
edfe8b |
@@ -876,6 +877,9 @@
|
|
|
edfe8b |
fi
|
|
|
edfe8b |
|
|
|
edfe8b |
bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
|
|
|
edfe8b |
+ if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
|
|
|
edfe8b |
+ bits="${MAX_ENTROPY_BITS}"
|
|
|
edfe8b |
+ fi
|
|
|
edfe8b |
pwmake "${bits}"
|
|
|
edfe8b |
}
|
|
|
edfe8b |
|
|
|
edfe8b |
--- clevis-15.ori/src/luks/clevis-luks-bind.in 2023-01-11 17:15:44.815927694 +0100
|
|
|
edfe8b |
+++ clevis-15/src/luks/clevis-luks-bind.in 2023-01-12 16:20:30.266404993 +0100
|
|
|
edfe8b |
@@ -19,6 +19,8 @@
|
|
|
edfe8b |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
edfe8b |
#
|
|
|
edfe8b |
|
|
|
edfe8b |
+. clevis-luks-common-functions
|
|
|
edfe8b |
+
|
|
|
edfe8b |
SUMMARY="Binds a LUKS device using the specified policy"
|
|
|
edfe8b |
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
|
|
|
edfe8b |
|
|
|
edfe8b |
@@ -139,14 +141,11 @@
|
|
|
edfe8b |
fi
|
|
|
edfe8b |
|
|
|
edfe8b |
# Generate a key with the same entropy as the LUKS Master Key
|
|
|
edfe8b |
-key="$(pwmake "$(
|
|
|
edfe8b |
-cryptsetup luksDump "$DEV" \
|
|
|
edfe8b |
- | if [ "$luks_type" == "luks1" ]; then
|
|
|
edfe8b |
- sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
|
|
|
edfe8b |
- else
|
|
|
edfe8b |
- sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
|
|
|
edfe8b |
- fi | sort -n | tail -n 1
|
|
|
edfe8b |
-)")"
|
|
|
edfe8b |
+if ! key="$(clevis_luks_generate_key "${DEV}")" \
|
|
|
edfe8b |
+ || [ -z "${key}" ]; then
|
|
|
edfe8b |
+ echo "Unable to generate key for ${DEV}" >&2
|
|
|
edfe8b |
+ return 1
|
|
|
edfe8b |
+fi
|
|
|
edfe8b |
|
|
|
edfe8b |
# Encrypt the new key
|
|
|
edfe8b |
jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
|