diff --git a/.clevis.metadata b/.clevis.metadata new file mode 100644 index 0000000..4602876 --- /dev/null +++ b/.clevis.metadata @@ -0,0 +1 @@ +086374814a4d71db8625d27a1719e03244a7cff0 SOURCES/clevis-11.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f017bbb --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/clevis-11.tar.xz diff --git a/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch b/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch new file mode 100644 index 0000000..6757e60 --- /dev/null +++ b/SOURCES/Add-device-TCTI-library-to-the-initramfs.patch @@ -0,0 +1,34 @@ +From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 16:48:47 +0100 +Subject: [PATCH 3/3] Add device TCTI library to the initramfs + +The tpm2-tools don't dynamically link against the TCTI libraries anymore, +but instead dlopen() the correct library depending on the TCTI used. + +So dracut isn't able anymore to figure out automatically using ldd what +libraries are needed by the tpm2-tools. Since clevis uses the device TCTI +to access the TPM directly, add the libtss2-tcti-device.so to the initrd. + +Suggested-by: Federico Chiacchiaretta + +Fixes: ##74 +--- + src/luks/systemd/dracut/module-setup.sh.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 41e7d6c9b002..990bf4aeed56 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -65,6 +65,7 @@ install() { + tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load ++ inst_libdir_file "libtss2-tcti-device.so*" + fi + + dracut_need_initqueue +-- +2.19.1 + diff --git a/SOURCES/Check-key-derivation-key-is-available.patch b/SOURCES/Check-key-derivation-key-is-available.patch new file mode 100644 index 0000000..bc1be6f --- /dev/null +++ b/SOURCES/Check-key-derivation-key-is-available.patch @@ -0,0 +1,30 @@ +From 8b707e8bfcbfd073579ee553b982b4784490f5ea Mon Sep 17 00:00:00 2001 +From: Daniel Kopecek +Date: Wed, 5 Dec 2018 13:18:59 +0100 +Subject: [PATCH] clevis-encrypt-tang: check key derivation key is available + before encryption + +--- + src/pins/tang/clevis-encrypt-tang | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang +index e65a7d1..7fc55ca 100755 +--- a/src/pins/tang/clevis-encrypt-tang ++++ b/src/pins/tang/clevis-encrypt-tang +@@ -114,7 +114,11 @@ elif [ "$thp" != "any" ] && \ + fi + + ### Perform encryption +-enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"` ++if ! enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`; then ++ echo "Key derivation key not available!" >&2 ++ exit 1 ++fi ++ + jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}" + + for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do +-- +2.13.6 + diff --git a/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch b/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch new file mode 100644 index 0000000..36f1361 --- /dev/null +++ b/SOURCES/Delete-remaining-references-to-the-removed-http-pin.patch @@ -0,0 +1,132 @@ +From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 14:53:08 +0100 +Subject: [PATCH 1/3] Delete remaining references to the removed http pin + +Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but +there are still references of it in the docs and also the dracut module. + +This was causing dracut to fail building the initramfs due the following: + +dracut-install: ERROR: installing 'clevis-decrypt-http' + +Suggested-by: Dominick Grift + +Fixes: #73 +--- + README.md | 21 --------------------- + src/clevis.1.adoc | 21 --------------------- + src/luks/clevis-luks-bind.1.adoc | 1 - + src/luks/systemd/dracut/module-setup.sh.in | 1 - + src/pins/sss/clevis-encrypt-sss.1.adoc | 1 - + 5 files changed, 45 deletions(-) + +diff --git a/README.md b/README.md +index ce8def12ec96..d57339aca5d9 100644 +--- a/README.md ++++ b/README.md +@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When + the advertisment is specified manually like this, Clevis presumes that the + advertisement is trusted. + +-#### PIN: HTTP +- +-Clevis also ships a pin for performing escrow using HTTP. Please note that, +-at this time, this pin does not provide HTTPS support and is suitable only +-for use over local sockets. This provides integration with services like +-[Custodia](http://github.com/latchset/custodia). +- +-For example: +- +-```bash +-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe +-``` +- +-The HTTP pin generate a new (cryptographically-strong random) key and performs +-encryption using it. It then performs a PUT request to the URL specified. It is +-understood that the server will securely store this key for later retrieval. +-During decryption, the pin will perform a GET request to retrieve the key and +-perform decryption. +- +-Patches to provide support for HTTPS and authentication are welcome. +- + #### PIN: TPM2 + + Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) +diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc +index 756aba57a4c8..dea0a696f5f7 100644 +--- a/src/clevis.1.adoc ++++ b/src/clevis.1.adoc +@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to + encrypt the data so that it can be automatically decrypted if the policy is + met. Lets walk through an example. + +-== HTTP ESCROW +- +-When using the HTTP pin, we create a new, cryptographically-strong, random key. +-This key is stored in a remote HTTP escrow server (using a simple PUT or POST). +-Then at decryption time, we attempt to fetch the key back again in order to +-decrypt our data. So, for our configuration we need to pass the URL to the key +-location: +- +- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE +- +-To decrypt the data, simply provide the ciphertext (JWE): +- +- $ clevis decrypt < JWE > PLAINTEXT +- +-Notice that we did not pass any configuration during decryption. The decrypt +-command extracted the URL (and possibly other configuration) from the JWE +-object, fetched the encryption key from the escrow and performed decryption. +- +-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)]. +- + == TANG BINDING + + Clevis provides support for the Tang network binding server. Tang provides +@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]. + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], +diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc +index 9f3a880cfb0c..0d649e3ec28b 100644 +--- a/src/luks/clevis-luks-bind.1.adoc ++++ b/src/luks/clevis-luks-bind.1.adoc +@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key. + == SEE ALSO + + link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)], +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 119762e38326..48aea5b3f29a 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -36,7 +36,6 @@ install() { + inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" + + inst_multiple /etc/services \ +- clevis-decrypt-http \ + clevis-decrypt-tang \ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ +diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc +index d46498db328c..7144e7e9ea96 100644 +--- a/src/pins/sss/clevis-encrypt-sss.1.adoc ++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc +@@ -54,6 +54,5 @@ receive key fragments. + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +-- +2.19.1 + diff --git a/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch b/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch new file mode 100644 index 0000000..28082b7 --- /dev/null +++ b/SOURCES/Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch @@ -0,0 +1,49 @@ +From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 15:12:17 +0100 +Subject: [PATCH 2/3] Install cryptsetup and tpm2_pcrlist in the initramfs + +The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes +automatic LUKS unlocking fail with the following errors: + +dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found +dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found + +Suggested-by: Federico Chiacchiaretta + +Fixes: #74 +--- + src/luks/systemd/dracut/module-setup.sh.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 48aea5b3f29a..41e7d6c9b002 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -40,6 +40,7 @@ install() { + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ + clevis-decrypt \ ++ cryptsetup \ + luksmeta \ + clevis \ + mktemp \ +@@ -49,6 +50,7 @@ install() { + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load; do + +@@ -60,6 +62,7 @@ install() { + if (($ret == 0)); then + inst_multiple clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load + fi +-- +2.19.1 + diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec new file mode 100644 index 0000000..d72e15d --- /dev/null +++ b/SPECS/clevis.spec @@ -0,0 +1,223 @@ +%global _hardened_build 1 + +Name: clevis +Version: 11 +Release: 2%{?dist} +Summary: Automated decryption framework + +License: GPLv3+ +URL: https://github.com/latchset/%{name} +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz + +Patch0: Delete-remaining-references-to-the-removed-http-pin.patch +Patch1: Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch +Patch2: Add-device-TCTI-library-to-the-initramfs.patch +Patch3: Check-key-derivation-key-is-available.patch + +BuildRequires: gcc +BuildRequires: meson +BuildRequires: asciidoc +BuildRequires: ninja-build +BuildRequires: bash-completion + +BuildRequires: libjose-devel >= 8 +BuildRequires: libluksmeta-devel >= 8 +BuildRequires: audit-libs-devel +BuildRequires: libudisks2-devel +BuildRequires: openssl-devel + +BuildRequires: tpm2-tools >= 3.0.0 +BuildRequires: desktop-file-utils +BuildRequires: pkgconfig +BuildRequires: systemd +BuildRequires: dracut +BuildRequires: tang >= 6 +BuildRequires: curl + +Requires: tpm2-tools >= 3.0.0 +Requires: coreutils +Requires: jose >= 8 +Requires: curl +Requires(pre): shadow-utils + +%description +Clevis is a framework for automated decryption. It allows you to encrypt +data using sophisticated unlocking policies which enable decryption to +occur automatically. + +The clevis package provides basic encryption/decryption policy support. +Users can use this directly; but most commonly, it will be used as a +building block for other packages. For example, see the clevis-luks +and clevis-dracut packages for automatic root volume unlocking of LUKSv1 +volumes during early boot. + +%package luks +Summary: LUKSv1 integration for clevis +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: cryptsetup +Requires: luksmeta >= 8 + +%description luks +LUKSv1 integration for clevis. This package allows you to bind a LUKSv1 +volume to a clevis unlocking policy. For automated unlocking, an unlocker +will also be required. See, for example, clevis-dracut and clevis-udisks2. + +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +%if 0%{?fedora} > 27 +Requires: systemd%{?_isa} >= 235-3 +%else +%if 0%{?fedora} == 27 +Requires: systemd%{?_isa} >= 234-9 +%else +%if 0%{?fedora} == 26 +Requires: systemd%{?_isa} >= 233-7 +%else +Requires: systemd%{?_isa} >= 236 +%endif +%endif +%endif +Requires: nc + +%description systemd +Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab. + +%package dracut +Summary: Dracut integration for clevis +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} +Requires: dracut-network + +%description dracut +Automatically unlocks LUKSv1 block devices in early boot. + +%package udisks2 +Summary: UDisks2/Storaged integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} + +%description udisks2 +Automatically unlocks LUKSv1 block devices in desktop environments that +use UDisks2 or storaged (like GNOME). + +%prep +%autosetup -p1 + +%build +%meson -Duser=clevis -Dgroup=clevis +%meson_build + +%install +%meson_install + +%check +desktop-file-validate \ + %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%meson_test + +%pre +getent group %{name} >/dev/null || groupadd -r %{name} +getent passwd %{name} >/dev/null || \ + useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s /sbin/nologin \ + -c "Clevis Decryption Framework unprivileged user" %{name} +exit 0 + +%files +%license COPYING +%{_datadir}/bash-completion/ +%{_bindir}/%{name}-decrypt-tang +%{_bindir}/%{name}-decrypt-tpm2 +%{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt +%{_bindir}/%{name}-encrypt-tang +%{_bindir}/%{name}-encrypt-tpm2 +%{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name} +%{_mandir}/man1/%{name}-encrypt-tang.1* +%{_mandir}/man1/%{name}-encrypt-tpm2.1* +%{_mandir}/man1/%{name}-encrypt-sss.1* +%{_mandir}/man1/%{name}-decrypt.1* +%{_mandir}/man1/%{name}.1* + +%files luks +%{_mandir}/man7/%{name}-luks-unlockers.7* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-unbind.1* +%{_mandir}/man1/%{name}-luks-bind.1* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-unbind +%{_bindir}/%{name}-luks-bind + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service + +%files dracut +%{_prefix}/lib/dracut/modules.d/60%{name} + +%files udisks2 +%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop +%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 + +%changelog +* Fri Jan 04 2019 Daniel Kopecek - 11-2 +- Check that key derivation key is available +- Delete remaining references to the removed http pin +- Install cryptsetup and tpm2_pcrlist in the initramfs +- Add device TCTI library to the initramfs + Resolves: rhbz#1648004 + Resolves: rhbz#1650246 + +* Tue Aug 14 2018 Nathaniel McCallum - 11-1 +- Update to v11 + +* Thu Jul 12 2018 Fedora Release Engineering - 10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Mar 21 2018 Nathaniel McCallum - 10-1 +- Update to v10 + +* Tue Feb 13 2018 Nathaniel McCallum - 9-1 +- Update to v9 + +* Wed Feb 07 2018 Fedora Release Engineering - 8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Nov 13 2017 Nathaniel McCallum - 8-1 +- Update to v8 + +* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek - 7-2 +- Rebuild for cryptsetup-2.0.0 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 + +* Wed Aug 02 2017 Fedora Release Engineering - 6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 27 2017 Nathaniel McCallum - 6-1 +- New upstream release +- Specify unprivileged user/group during configuration +- Move clevis user/group creation to base clevis package + +* Mon Jun 26 2017 Nathaniel McCallum - 5-1 +- New upstream release +- Run clevis decryption from udisks2 under an unprivileged user + +* Wed Jun 14 2017 Nathaniel McCallum - 4-1 +- New upstream release + +* Wed Jun 14 2017 Nathaniel McCallum - 3-1 +- New upstream release + +* Fri Feb 10 2017 Fedora Release Engineering - 2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Nov 18 2016 Nathaniel McCallum - 2-1 +- New upstream release + +* Mon Nov 14 2016 Nathaniel McCallum - 1-1 +- First release