From 5536f15b9235cb6ae1b79a5ad1d96a8ea97b3113 Mon Sep 17 00:00:00 2001

From: Sergio Correia <scorreia@redhat.com>

Date: Wed, 29 Jan 2020 06:29:32 -0500

Subject: [PATCH] Improve clevis luks regen; no unbind in every case

When updating the metadata -- likely due to a tang key rotation --,

clevis will not do unbind + bind in every case.

Now we have 2 cases to be handled:

1) we have the key for the slot being rotated; in this case, the

   rotation happens in-place

2) we don't have the key for the slot being rotated; in this case,

   we have to re-add the keyslot with updated info.

Added also mechanisms for backup + restore of the LUKS header/slots,

so that we can revert back to the original state if clevis luks regen

fails.

---

 src/luks/clevis-luks-common-functions  | 202 ++++++++++++++++++++++

 src/luks/clevis-luks-pass              |   5 +-

 src/luks/clevis-luks-regen             | 223 ++++++++++++-------------

 src/luks/tests/backup-restore-luks1    | 114 +++++++++++++

 src/luks/tests/backup-restore-luks2    | 115 +++++++++++++

 src/luks/tests/meson.build             |   7 +

 src/luks/tests/regen-inplace-luks1     |  98 +++++++++++

 src/luks/tests/regen-inplace-luks2     |  99 +++++++++++

 src/luks/tests/regen-not-inplace-luks1 |  95 +++++++++++

 src/luks/tests/regen-not-inplace-luks2 |  96 +++++++++++

 src/luks/tests/tests-common-functions  |  27 ++-

 11 files changed, 966 insertions(+), 115 deletions(-)

 create mode 100755 src/luks/tests/backup-restore-luks1

 create mode 100755 src/luks/tests/backup-restore-luks2

 create mode 100755 src/luks/tests/regen-inplace-luks1

 create mode 100755 src/luks/tests/regen-inplace-luks2

 create mode 100755 src/luks/tests/regen-not-inplace-luks1

 create mode 100755 src/luks/tests/regen-not-inplace-luks2

diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions

index 9ba1812..2a1af26 100644

--- a/src/luks/clevis-luks-common-functions

+++ b/src/luks/clevis-luks-common-functions

@@ -314,3 +314,205 @@ clevis_luks_read_pins_from_slot() {

     fi

     printf "%s: %s\n" "${SLOT}" "${cfg}"

 }

+

+# clevis_luks1_save_slot() works with LUKS1 devices and it saves a given JWE

+# to a specific device and slot. The last parameter indicates whether we

+# should overwrite existing metadata.

+clevis_luks1_save_slot() {

+    local DEV="${1}"

+    local SLOT="${2}"

+    local JWE="${3}"

+    local OVERWRITE="${4}"

+

+    ! luksmeta test -d "${DEV}" && return 1

+

+    local UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"

+    if luksmeta load -d "${DEV}" -s "${SLOT}" -u "${UUID}" >/dev/null 2>/dev/null; then

+        [ -z "${OVERWRITE}" ] && return 1

+        if ! luksmeta wipe -f -d "${DEV}" -s "${SLOT}" -u "${UUID}"; then

+            echo "Error wiping slot ${SLOT} from ${DEV}" >&2

+            return 1

+        fi

+    fi

+

+    if ! echo -n "${jwe}" | luksmeta save -d "${DEV}" -s "${SLOT}" -u "${UUID}"; then

+        echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2

+        return 1

+    fi

+    return 0

+}

+

+# clevis_luks2_save_slot() works with LUKS2 devices and it saves a given JWE

+# to a specific device and slot. The last parameter indicates whether we

+# should overwrite existing metadata.

+clevis_luks2_save_slot() {

+    local DEV="${1}"

+    local SLOT="${2}"

+    local JWE="${3}"

+    local OVERWRITE="${4}"

+

+    local dump token

+    dump="$(cryptsetup luksDump "${DEV}")"

+    if ! token="$(grep -E -B1 "^\s+Keyslot:\s+${SLOT}$" <<< "${dump}" \

+            | sed -rn 's|^\s+([0-9]+): clevis|\1|p')"; then

+        echo "Error trying to read token from LUKS2 device ${DEV}, slot ${SLOT}" >&2

+        return 1

+    fi

+

+    if [ -n "${token}" ]; then

+        [ -z "${OVERWRITE}" ] && return 1

+        if ! cryptsetup token remove --token-id "${token}" "${DEV}"; then

+            echo "Error while removing token ${token} from LUKS2 device ${DEV}" >&2

+            return 1

+        fi

+    fi

+

+    local metadata

+    metadata=$(printf '{"type":"clevis","keyslots":["%s"],"jwe":%s}' \

+               "${SLOT}" "$(jose jwe fmt -i- <<< "${JWE}")")

+    if ! cryptsetup token import "${DEV}" <<< "${metadata}"; then

+        echo "Error saving metadata to LUKS2 header in device ${DEV}" >&2

+        return 1

+    fi

+    return 0

+}

+

+# clevis_luks_save_slot() saves a given JWE to a LUKS device+slot. It can also

+# overwrite existing metadata.

+clevis_luks_save_slot() {

+    local DEV="${1}"

+    local SLOT="${2}"

+    local JWE="${3}"

+    local OVERWRITE="${4}"

+

+    if cryptsetup isLuks --type luks1 "${DEV}"; then

+        ! clevis_luks1_save_slot "${DEV}" "${SLOT}" "${JWE}" "${OVERWRITE}" \

+            && return 1

+    elif cryptsetup isLuks --type luks2 "${DEV}"; then

+        ! clevis_luks2_save_slot "${DEV}" "${SLOT}" "${JWE}" "${OVERWRITE}" \

+            && return 1

+    else

+        return 1

+    fi

+    return 0

+}

+

+# clevis_luks1_backup_dev() backups the LUKSMeta slots from a LUKS device,

+# which can be restored with clevis_luks1_restore_dev().

+clevis_luks1_backup_dev() {

+    local DEV="${1}"

+    local TMP="${2}"

+

+    [ -z "${DEV}" ] && return 1

+    [ -z "${TMP}" ] && return 1

+

+    local slots slt uuid jwe fname

+    readarray -t slots < <(cryptsetup luksDump "${DEV}" \

+                           | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')

+

+    for slt in "${slots[@]}"; do

+        if ! uuid=$(luksmeta show -d "${DEV}" -s "${slt}") \

+                    || [ -z "${uuid}" ]; then

+            continue

+        fi

+        if ! jwe=$(luksmeta load -d "${DEV}" -s "${slt}") \

+                   || [ -z "${jwe}" ]; then

+            continue

+        fi

+

+        fname=$(printf "slot_%s_%s" "${slt}" "${uuid}")

+        printf "%s" "${jwe}" > "${TMP}/${fname}"

+    done

+    return 0

+}

+

+# clevis_luks1_restore_dev() takes care of restoring the LUKSMeta slots from

+# a LUKS device that was backup'ed by clevis_luks1_backup_dev().

+clevis_luks1_restore_dev() {

+    local DEV="${1}"

+    local TMP="${2}"

+

+    [ -z "${DEV}" ] && return 1

+    [ -z "${TMP}" ] && return 1

+

+    local slt uuid jwe fname

+    for fname in "${TMP}"/slot_*; do

+        [ -f "${fname}" ] || break

+        if ! slt=$(echo "${fname}" | cut -d '_' -f 2) \

+                   || [ -z "${slt}" ]; then

+            continue

+        fi

+        if ! uuid=$(echo "${fname}" | cut -d '_' -f 3) \

+                    || [ -z "${uuid}" ]; then

+            continue

+        fi

+        if ! jwe=$(< "${fname}") || [ -z "${jwe}" ]; then

+            continue

+        fi

+        if ! clevis_luks1_save_slot "${DEV}" "${slt}" \

+                                    "${jwe}" "overwrite"; then

+            echo "Error restoring LUKSmeta slot ${slt} from ${DEV}" >&2

+            return 1

+        fi

+    done

+    return 0

+}

+

+# clevis_luks_backup_dev() backups a particular LUKS device, which can then

+# be restored with clevis_luks_restore_dev().

+clevis_luks_backup_dev() {

+    local DEV="${1}"

+    local TMP="${2}"

+

+    [ -z "${DEV}" ] && return 1

+    [ -z "${TMP}" ] && return 1

+

+    local HDR="${TMP}/$(basename "${DEV}").header"

+    if ! cryptsetup luksHeaderBackup "${DEV}" --batch-mode \

+            --header-backup-file "${HDR}"; then

+        echo "Error backing up LUKS header from ${DEV}" >&2

+        return 1

+    fi

+

+    # If LUKS1, we need to manually back up (and later restore) the

+    # LUKSmeta slots. For LUKS2, simply saving the header also saves

+    # the associated tokens.

+    if cryptsetup isLuks --type luks1 "${DEV}"; then

+        if ! clevis_luks1_backup_dev "${DEV}" "${TMP}"; then

+            return 1

+        fi

+    fi

+    return 0

+}

+

+# clevis_luks_restore_dev() restores a given device that was backup'ed by

+# clevis_luks_backup_dev().

+clevis_luks_restore_dev() {

+    local DEV="${1}"

+    local TMP="${2}"

+

+    [ -z "${DEV}" ] && return 1

+    [ -z "${TMP}" ] && return 1

+

+    local HDR="${TMP}/$(basename "${DEV}").header"

+    if [ ! -e "${HDR}" ]; then

+        echo "LUKS header backup does not exist" >&2

+        return 1

+    fi

+

+    if ! cryptsetup luksHeaderRestore "${DEV}" --batch-mode \

+            --header-backup-file "${HDR}"; then

+        echo "Error restoring LUKS header from ${DEV}" >&2

+        return 1

+    fi

+

+    # If LUKS1, we need to manually back up (and later restore) the

+    # LUKSmeta slots. For LUKS2, simply saving the header also saves

+    # the associated tokens.

+    if cryptsetup isLuks --type luks1 "${DEV}"; then

+        if ! clevis_luks1_restore_dev "${DEV}" "${TMP}"; then

+            return 1

+        fi

+    fi

+    return 0

+}

diff --git a/src/luks/clevis-luks-pass b/src/luks/clevis-luks-pass

index 1ce8c4c..d31bc17 100755

--- a/src/luks/clevis-luks-pass

+++ b/src/luks/clevis-luks-pass

@@ -63,7 +63,8 @@ if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLT}" 2>/dev/null); then

     exit 1

 fi

-if ! clevis decrypt < <(echo -n "${jwe}"); then

-    echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in {DEV}!" >&2

+if ! passphrase=$(clevis decrypt < <(echo -n "${jwe}") 2>/dev/null); then

+    echo "It was not possible to decrypt the passphrase associated to slot ${SLT} in ${DEV}!" >&2

     exit 1

 fi

+echo -n "${passphrase}"

diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen

index 9535ba3..44fd673 100755

--- a/src/luks/clevis-luks-regen

+++ b/src/luks/clevis-luks-regen

@@ -1,8 +1,9 @@

-#!/usr/bin/env bash

+#!/usr/bin/bash

 # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

 #

 # Copyright (c) 2018 Red Hat, Inc.

 # Author: Radovan Sroka <rsroka@redhat.com>

+# Author: Sergio Correia <scorreia@redhat.com>

 #

 # This program is free software: you can redistribute it and/or modify

 # it under the terms of the GNU General Public License as published by

@@ -28,19 +29,27 @@ if [ "$1" == "--summary" ]; then

 fi

 function usage_and_exit () {

-    echo >&2

-    echo "Usage: clevis luks regen -d DEV -s SLOT" >&2

-    echo >&2

-    echo "$SUMMARY" >&2

-    echo >&2

-    exit "$1"

+    exec >&2

+    echo "Usage: clevis luks regen -d DEV -s SLOT"

+    echo

+    echo "$SUMMARY"

+    echo

+    echo "  -d DEV  The LUKS device on which to perform rebinding"

+    echo

+    echo "  -s SLT  The LUKS slot to use"

+    echo

+    exit "${1}"

 }

-if [ "$#" -ne "4" ]; then

-    usage_and_exit 1

-fi

+on_exit() {

+    if [ ! -d "${TMP}" ] || ! rm -rf "${TMP}"; then

+        echo "Delete temporary files failed!" >&2

+        echo "You need to clean up: ${TMP}" >&2

+        exit 1

+    fi

+}

-while getopts "hd:s:" o; do

+while getopts ":hfd:s:" o; do

     case "$o" in

     d) DEV="$OPTARG";;

     h) usage_and_exit 0;;

@@ -49,88 +58,6 @@ while getopts "hd:s:" o; do

     esac

 done

-function decode_luks_header () {

-    if DATA_CODED="$(jose jwe fmt -i- <<< "$1")"; then

-        DATA_CODED="$(jose fmt -j- -g protected -u- <<< "$DATA_CODED")"

-        DATA_DECODED="$(jose b64 dec -i- <<< "$DATA_CODED")"

-    else

-        echo "Error decoding JWE protected header!" >&2

-        exit 1

-    fi

-

-    echo "$DATA_DECODED"

-}

-

-function generate_cfg () {

-    echo -n "{"

-    DATA="$(decode_luks_header "$1")"

-

-    if ! P="$(jose fmt -j- -g clevis -g pin -u- <<< "$DATA")" || [ -z "$P" ]; then

-        echo "Pin wasn't found in LUKS metadata!" >&2

-        exit 1

-    fi

-

-    if ! CONTENT="$(jose fmt -j- -g clevis -g "$P" -o- <<< "$DATA")" || [ -z "$CONTENT" ]; then

-        echo "Content was not found!" >&2

-    fi

-

-    # echo -n "\"$P\": ["

-

-    if [ "$P" = "tang" ] || [ "$P" = "http" ]; then

-        URL="$(jose fmt -j- -g url -u- <<< "$CONTENT")"

-        echo -n "\"url\":\"$URL\""

-    elif [ "$P" = "sss" ]; then

-        THRESHOLD="$(jose fmt -j- -g t -o- <<< "$CONTENT")"

-        if [ -n "$THRESHOLD" ]; then

-            echo -n "\"t\":$THRESHOLD,"

-        fi

-

-        echo -n "\"pins\":{"

-

-        CNT=0

-        PREV=""

-        while ITEM="$(jose fmt -j- -g jwe -g"$CNT" -u- <<< "$CONTENT")"; do

-            if [ -z "$ITEM" ]; then

-                CNT=$(( CNT + 1 ))

-                continue # in some cases it can be empty string

-            fi

-

-            DD="$(decode_luks_header "$ITEM")"

-

-            if ! PP="$(jose fmt -j- -g clevis -g pin -u- <<< "$DD")" || [ -z "$PP" ]; then

-                echo "Pin wasn't found in LUKS metadata!" >&2

-                exit 1

-            fi

-

-            if [ "$CNT" -eq 0 ]; then

-                PREV="$PP"

-                echo -n "\"$PP\":["

-                echo -n "$(generate_cfg "$ITEM")"

-            else

-                if ! [ "$PREV" = "$PP" ]; then

-                    echo -n "],\"$PP\":["

-                    echo -n "$(generate_cfg "$ITEM")"

-                else

-                    echo -n ",$(generate_cfg "$ITEM")"

-                fi

-            fi

-

-            PREV="$PP"

-            CNT=$(( CNT + 1 ))

-        done

-

-        echo -n "]}"

-

-    else

-        echo "Unknown pin $P!" >&2

-        exit 1

-    fi

-

-    echo -n "}"

-}

-

-### get luks metadata

-

 if [ -z "$DEV" ]; then

     echo "Did not specify a device!" >&2

     exit 1

@@ -141,23 +68,14 @@ if [ -z "$SLT" ]; then

     exit 1

 fi

-if ! OLD_LUKS_CODED="$(clevis_luks_read_slot "$DEV" "$SLT")"; then

-    echo "Error reading metadata from LUKS device!" >&2

-    exit 1

-fi

-

 ### ----------------------------------------------------------------------

-

-DECODED="$(decode_luks_header "$OLD_LUKS_CODED")"

-

-if ! PIN="$(jose fmt -j- -g clevis -g pin -u- <<< "$DECODED")" || [ -z "$PIN" ]; then

-    echo "Pin wasn't found in LUKS metadata!" >&2

+if ! pin_cfg=$(clevis luks list -d "${DEV}" -s "${SLT}" 2>/dev/null); then

+    echo "Error obtaining current configuration of device ${DEV}:${SLT}" >&2

     exit 1

 fi

-CFG="$(generate_cfg "$OLD_LUKS_CODED")"

-

-### ----------------------------------------------------------------------

+PIN=$(echo "${pin_cfg}" | awk '{ print $2 }')

+CFG=$(echo "${pin_cfg}" | awk '{ print $3 }' | tr -d "'")

 echo "Regenerating with:"

 echo "PIN: $PIN"

@@ -166,20 +84,101 @@ echo "CONFIG: $CFG"

 trap 'echo "Ignoring CONTROL-C!"' INT TERM

 # Get the existing key.

-read -r -s -p "Enter existing LUKS password: " existing_key; echo

+if ! existing_key=$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then

+    # We failed to obtain the passphrase for the slot -- perhaps

+    # it was rotated? --, so let's request user input.

+    read -r -s -p "Enter existing LUKS password: " existing_key; echo

+fi

 # Check if the key is valid.

-if ! cryptsetup luksOpen --test-passphrase "${DEV}" <<< "${existing_key}"; then

+if ! cryptsetup open --test-passphrase "${DEV}" <<< "${existing_key}"; then

+    exit 1

+fi

+

+# Check if we can do the update in-place, i.e., if the key we got is the one

+# for the slot we are interested in.

+in_place=

+if cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" \

+        <<< "${existing_key}"; then

+    in_place=true

+fi

+

+# Create new key.

+if ! new_passphrase=$(generate_key "${DEV}"); then

+    echo "Error generating new key for device ${DEV}" >&2

+    exit 1

+fi

+

+# Reencrypt the new password.

+if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then

+    echo "Error using pin '${PIN}' with config '${CFG}'" >&2

+    exit 1

+fi

+

+# Updating the metadata and the actual passphrase are destructive operations,

+# hence we will do a backup of the LUKS header and restore it later in case

+# we have issues performing these operations.

+if ! TMP="$(mktemp -d)"; then

+    echo "Creating a temporary dir for device backup/restore failed!" >&2

+    exit 1

+fi

+trap 'on_exit' EXIT

+

+# Backup LUKS header.

+if ! clevis_luks_backup_dev "${DEV}" "${TMP}"; then

+    echo "Error while trying to back up LUKS header from ${DEV}" >&2

     exit 1

 fi

-if ! clevis luks unbind -d "${DEV}" -s "${SLT}" -f; then

-    echo "Error during unbind of rotated key from slot:$SLT in $DEV" >&2

+restore_device() {

+    local DEV="${1}"

+    local TMP="${2}"

+

+    if ! clevis_luks_restore_dev "${DEV}" "${TMP}"; then

+        echo "Error while trying to restore LUKS header from ${DEV}." >&2

+    else

+        echo "LUKS header restored successfully." >&2

+    fi

+}

+

+# Update the key slot with the new key. If we have the key for this slot,

+# the change happens in-place. Otherwise, we kill the slot and re-add it.

+if [ -n "${in_place}" ]; then

+    if ! cryptsetup luksChangeKey "${DEV}" --key-slot "${SLT}" \

+            <(echo -n "${new_passphrase}") <<< "${existing_key}"; then

+        echo "Error updating LUKS passphrase in ${DEV}:${SLT}" >&2

+        restore_device "${DEV}" "${TMP}"

+        exit 1

+    fi

+else

+    if ! cryptsetup luksKillSlot --batch-mode "${DEV}" "${SLT}"; then

+        echo "Error wiping slot ${SLT} from ${DEV}" >&2

+        restore_device "${DEV}" "${TMP}"

+        exit 1

+    fi

+

+    if ! echo -n "${new_passphrase}" \

+            | cryptsetup luksAddKey --key-slot "${SLT}" \

+                         --key-file <(echo -n "${existing_key}") "${DEV}"; then

+        echo "Error updating LUKS passphrase in ${DEV}:${SLT}." >&2

+        restore_device "${DEV}" "${TMP}"

+        exit 1

+    fi

+fi

+

+# Update the metadata.

+if ! clevis_luks_save_slot "${DEV}" "${SLT}" "${jwe}" "overwrite"; then

+    echo "Error updating metadata in ${DEV}:${SLT}" >&2

+    restore_device "${DEV}" "${TMP}"

     exit 1

 fi

-if ! clevis luks bind -d "${DEV}" -s "${SLT}" "${PIN}" "${CFG}" -k - <<< "${existing_key}"; then

-    echo "Error during bind of new key from slot:$SLT in $DEV" >&2

+# Now make sure that we can unlock this device after the change.

+# If we can't, undo the changes.

+if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \

+        <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then

+    echo "Invalid configuration detected after rebinding. Reverting changes."

+    restore_device "${DEV}" "${TMP}"

     exit 1

 fi

diff --git a/src/luks/tests/backup-restore-luks1 b/src/luks/tests/backup-restore-luks1

new file mode 100755

index 0000000..733a4b6

--- /dev/null

+++ b/src/luks/tests/backup-restore-luks1

@@ -0,0 +1,114 @@

+#!/bin/bash -x

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2020 Red Hat, Inc.

+# Author: Sergio Correia <scorreia@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+TEST="${0}"

+. tests-common-functions

+. clevis-luks-common-functions

+

+function on_exit() {

+    if [ "$PID" ]; then kill $PID; wait $PID || true; fi

+    [ -d "$TMP" ] && rm -rf $TMP

+}

+

+trap 'on_exit' EXIT

+trap 'exit' ERR

+

+export TMP=$(mktemp -d)

+mkdir -p "${TMP}/db"

+

+# Generate the server keys

+KEYS="$TMP/db"

+tangd-keygen $TMP/db sig exc

+if which tangd-update; then

+    mkdir -p "${TMP}/cache"

+    tangd-update "${TMP}/db" "${TMP}/cache"

+    KEYS="${TMP}/cache"

+fi

+

+# Start the server.

+port=$(shuf -i 1024-65536 -n 1)

+"${SD_ACTIVATE}" --inetd -l 127.0.0.1:"${port}" -a tangd "${KEYS}" &

+export PID=$!

+sleep 0.25

+

+url="http://localhost:${port}"

+adv="${TMP}/adv"

+curl "${url}/adv" -o "${adv}"

+

+cfg=$(printf '{"url":"%s","adv":"%s"}' "$url" "$adv")

+

+# LUKS1.

+DEV="${TMP}/luks1-device"

+new_device "luks1" "${DEV}"

+

+SLT=5

+if ! clevis luks bind -f -s "${SLT}" -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then

+    error "${TEST}: Bind should have succeeded."

+fi

+

+ORIG_DEV="${TMP}/device.orig"

+# Let's save it for comparison later.

+cp -f "${DEV}" "${ORIG_DEV}"

+

+# Now let's backup and restore.

+if ! clevis_luks_backup_dev "${DEV}" "${TMP}"; then

+    error "${TEST}: backup of ${DEV} failed."

+fi

+

+# Now let's remove both the binding and the initial passphrase.

+if ! clevis luks unbind -f -s "${SLT}" -d "${DEV}" <<< "${DEFAULT_PASS}"; then

+    error "${TEST}: unbind of slot ${SLT} in ${DEV} failed."

+fi

+

+if ! cryptsetup luksRemoveKey --batch-mode "${DEV}" <<< "${DEFAULT_PASS}"; then

+    error "${TEST}: error removing the default password from ${DEV}."

+fi

+

+# Making sure we have no slots enabled.

+enabled=$(cryptsetup luksDump "${DEV}" | grep ENABLED | wc -l)

+if [ "${enabled}" -ne 0 ]; then

+    error "${TEST}: we should not have any enabled (${enabled}) slots."

+fi

+

+# Now we can restore it.

+if ! clevis_luks_restore_dev "${DEV}" "${TMP}"; then

+    error "${TEST}: error restoring ${DEV}."

+fi

+

+# And compare whether they are the same.

+if ! cmp --silent "${ORIG_DEV}" "${DEV}"; then

+    error "${TEST}: the device differs from the original one after the restore."

+fi

+

+# And making sure both the default passphrase and the binding work.

+if ! cryptsetup open --test-passphrase "${DEV}" <<< "${DEFAULT_PASS}"; then

+    error "${TEST}: the default passphrase for ${DEV} did no work."

+fi

+

+TEST_DEV="test-device-${RANDOM}"

+if ! clevis luks unlock -d "${DEV}" -n "${TEST_DEV}"; then

+    error "${TEST}: we were unable to unlock ${DEV}."

+fi

+

+cryptsetup close "${TEST_DEV}"

+

+kill -9 "${PID}"

+! wait "${PID}"

+unset PID

diff --git a/src/luks/tests/backup-restore-luks2 b/src/luks/tests/backup-restore-luks2

new file mode 100755

index 0000000..a3b8608

--- /dev/null

+++ b/src/luks/tests/backup-restore-luks2

@@ -0,0 +1,115 @@

+#!/bin/bash -x

+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:

+#

+# Copyright (c) 2020 Red Hat, Inc.

+# Author: Sergio Correia <scorreia@redhat.com>

+#

+# This program is free software: you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+#

+

+TEST="${0}"

+. tests-common-functions

+. clevis-luks-common-functions

+

+function on_exit() {

+    if [ "$PID" ]; then kill $PID; wait $PID || true; fi

+    [ -d "$TMP" ] && rm -rf $TMP

+}

+

+trap 'on_exit' EXIT

+trap 'exit' ERR

+

+export TMP=$(mktemp -d)

+mkdir -p "${TMP}/db"

+

+# Generate the server keys

+KEYS="$TMP/db"

+tangd-keygen $TMP/db sig exc

+if which tangd-update; then

+    mkdir -p "${TMP}/cache"

+    tangd-update "${TMP}/db" "${TMP}/cache"

+    KEYS="${TMP}/cache"

+fi

+

+# Start the server.

+port=$(shuf -i 1024-65536 -n 1)

+"${SD_ACTIVATE}" --inetd -l 127.0.0.1:"${port}" -a tangd "${KEYS}" &

+export PID=$!

+sleep 0.25

+

+url="http://localhost:${port}"

+adv="${TMP}/adv"