From 26095133483bbda5823e37634db227944696b526 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 07 2021 17:15:18 +0000
Subject: import clevis-18-5.el9
---
diff --git a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
new file mode 100644
index 0000000..1fc7016
--- /dev/null
+++ b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
@@ -0,0 +1,41 @@
+From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Fri, 29 Oct 2021 12:04:46 -0300
+Subject: [PATCH 2/2] systemd: account for unlocking failures in
+ clevis-luks-askpass (#343)
+
+As unlock may fail for some reason, e.g. the network is not up yet,
+one way cause problems would be to add extra `rd.luks.uuid' params
+to the cmdline, which would then cause such devices to be unlocked
+in early boot. If the unlocking fail, those devices might not be
+accounted for in the clevis_devices_to_unlock() check, as it is
+based on crypttab.
+
+Let's make sure there are no pending ask.* sockets waiting to be
+answered, before exiting.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
+---
+ src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
+index 8f54859..a6699c9 100755
+--- a/src/luks/systemd/clevis-luks-askpass.in
++++ b/src/luks/systemd/clevis-luks-askpass.in
+@@ -67,8 +67,11 @@ while true; do
+ done
+
+ [ "${loop}" != true ] && break
++
+ # Checking for pending devices to be unlocked.
+- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
++ remaining_crypttab=$(clevis_devices_to_unlock) ||:
++ remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
++ if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
+ break;
+ fi
+
+--
+2.33.1
+
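Review bot: In the embedded clevis-luks-askpass.in change, `remaining_crypttab=$(clevis_devices_to_unlock) ||:` discards the helper's exit status, so a failed enumeration now reads the same as "nothing left to unlock", whereas the removed `if remaining=$(clevis_devices_to_unlock) && ...` only broke out of the loop when the helper succeeded. After this change the `ask.*` listing is the only thing keeping the unattended-unlock loop alive in that case. It is sampled once per pass, so a prompt that appears just after the check would presumably be left unanswered and the volume would wait for a manual passphrase. A comment above the two assignments should say this is intended, for example `# helper failure is treated as "no crypttab devices"; pending ask.* files alone keep us looping`. The pending-prompt test would also be sturdier as a glob existence check than as captured `ls` output, e.g. `for f in "${path}"/ask.*; do [ -e "${f}" ] && { remaining_askfiles=1; break; }; done`. The `while true` body starts and ends outside the hunk, so anything else that runs per iteration is not visible here.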
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 20f1b4c..cf9ef41 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -1,6 +1,6 @@
 Name: clevis
 Version: 18
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Automated decryption framework
 License: GPLv3+
@@ -9,6 +9,7 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version
 Source1: clevis.sysusers
 Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
+Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
 BuildRequires: git-core
 BuildRequires: gcc
@@ -193,6 +194,10 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 %changelog
+* Wed Nov 17 2021 Sergio Correia - 18-5
+- Account for unlocking failures in clevis-luks-askpass
+ Resolves: rhbz#2022421
+
 * Mon Aug 09 2021 Mohan Boddu - 18-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688