diff --git a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch index d06e1ac..35738b5 100644 --- a/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +++ b/SOURCES/0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch @@ -1,4 +1,4 @@ -From 719781346d87d2d268a71083b902761325559877 Mon Sep 17 00:00:00 2001 +From 678ef82dd5608439c9a4222c594ab66d69009f06 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Fri, 29 Oct 2021 12:04:46 -0300 Subject: [PATCH 3/3] systemd: account for unlocking failures in diff --git a/SOURCES/0004-systemd-drop-ncat-dependency.patch b/SOURCES/0004-systemd-drop-ncat-dependency.patch new file mode 100644 index 0000000..fbd22de --- /dev/null +++ b/SOURCES/0004-systemd-drop-ncat-dependency.patch 
@@ -0,0 +1,101 @@ +From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 18 Nov 2021 16:45:58 -0300 +Subject: [PATCH 4/4] systemd: drop ncat dependency + +When using systemd, i.e., clevis-luks-askpass, we use ncat to send +the decrypted password to the systemd socket as per systemd's password +agents specification [1]. + +However, systemd itself has a utility that does exactly that, +systemd-reply-password. + +In this commit we drop the ncat dependency and instead use +systemd-reply-password in clevis-luks-askpass. + +[1] https://systemd.io/PASSWORD_AGENTS/ +--- + ...is-luks-askpass => clevis-luks-askpass.in} | 2 +- + .../systemd/dracut/clevis/module-setup.sh.in | 4 ++-- + src/luks/systemd/meson.build | 19 +++++++++++++++++-- + 3 files changed, 20 insertions(+), 5 deletions(-) + rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in +similarity index 97% +rename from src/luks/systemd/clevis-luks-askpass +rename to src/luks/systemd/clevis-luks-askpass.in +index f19671f..a6699c9 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass.in +@@ -58,7 +58,7 @@ while true; do + fi + + uuid="$(cryptsetup luksUUID "${d}")" +- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then ++ if ! 
printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then + echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2 + continue + fi +diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in +index ebf969f..d46c6e2 100755 +--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in ++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in +@@ -36,6 +36,7 @@ install() { + + inst_multiple \ + /etc/services \ ++ @SYSTEMD_REPLY_PASS@ \ + @libexecdir@/clevis-luks-askpass \ + clevis-luks-common-functions \ + grep sed cut \ +@@ -45,8 +46,7 @@ install() { + luksmeta \ + clevis \ + mktemp \ +- jose \ +- ncat ++ jose + + dracut_need_initqueue + } +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index 369e7f7..e3b3d91 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -1,6 +1,15 @@ + systemd = dependency('systemd', required: false) + +-if systemd.found() ++sd_reply_pass = find_program( ++ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), ++ required: false ++) ++ ++if systemd.found() and sd_reply_pass.found() ++ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) + subdir('dracut') + + unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') +@@ -12,8 +21,14 @@ if systemd.found() + configuration: data, + ) + ++ configure_file( ++ input: 'clevis-luks-askpass.in', ++ output: 'clevis-luks-askpass', ++ install_dir: libexecdir, ++ configuration: data ++ ) ++ + install_data('clevis-luks-askpass.path', install_dir: unitdir) +- install_data('clevis-luks-askpass', install_dir: libexecdir) + else + warning('Will not install systemd support due to missing dependencies!') + 
endif +-- +2.33.1 + diff --git a/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch b/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch new file mode 100644 index 0000000..e20b68b --- /dev/null +++ b/SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch @@ -0,0 +1,26 @@ +From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 25 Nov 2021 19:18:03 -0300 +Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't + happen + +--- + src/luks/clevis-luks-common-functions | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 879ca4c..df8e16d 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() { + return 1 + fi + +- if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \ ++ if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \ + || [ -z "${passphrase}" ]; then + return 1 + fi +-- +2.33.1 + diff --git a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch new file mode 100644 index 0000000..e7df18a --- /dev/null +++ b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch 
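Review bot: `inst_multiple` in module-setup.sh.in still lists `/etc/services` on the context line directly above the added `@SYSTEMD_REPLY_PASS@ \`; that entry appears to have been there for ncat's service-name lookups, so with ncat gone it is probably dead weight and could be dropped in the same change, or a short comment should say which remaining tool still needs it. On the meson side, `find_program(...)` with `required: false` sends any layout where none of the four hard-coded candidate paths exists to the generic `warning('Will not install systemd support due to missing dependencies!')` branch, so a build that cannot locate systemd-reply-password silently loses the askpass unit; naming the missing program in that warning, e.g. `warning('systemd-reply-password not found; systemd support disabled')`, makes the failure diagnosable from the build log. The clevis-luks-askpass hunk sits inside the `while true; do` loop, which starts and ends outside the hunk.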
@@ -0,0 +1,45 @@ +From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= + <1163635+rmetrich@users.noreply.github.com> +Date: Wed, 1 Dec 2021 09:37:35 -0300 +Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is + set (#340) + +On Fedora/RHEL, the rd.debug kernel command line parameter controls +debugging. +By implementing the functionality inside clevis, troubleshooting will be +greatly eased. +See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742). +--- + src/luks/clevis-luks-common-functions | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index df8e16d..67ece72 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -20,6 +20,21 @@ + + CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" + ++enable_debugging() { ++ # Automatically enable debugging if in initramfs phase and rd.debug ++ if [ -e /usr/lib/dracut-lib.sh ]; then ++ local bashopts=$- ++ # Because dracut is loosely written, disable hardening options temporarily ++ [[ $bashopts != *u* ]] || set +u ++ [[ $bashopts != *e* ]] || set +e ++ . /usr/lib/dracut-lib.sh ++ [[ $bashopts != *u* ]] || set -u ++ [[ $bashopts != *e* ]] || set -e ++ fi ++} ++ ++enable_debugging ++ + # valid_slot() will check whether a given slot is possibly valid, i.e., if it + # is a numeric value within the specified range. + valid_slot() { +-- +2.33.1 + diff --git a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch new file mode 100644 index 0000000..18cee3b --- /dev/null +++ b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch 
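Review bot: The comment above `enable_debugging()` promises rd.debug handling, but the function only sources `/usr/lib/dracut-lib.sh` when that file exists and relies on whatever that file does on load; if dracut-lib.sh turns on `set -x` for rd.debug, every function defined later in this file — including the one that captures the LUKS passphrase from `clevis decrypt` — is traced, and recovered passphrase and JWK material would land in the initramfs debug log and journal. The helper should state that consequence explicitly, e.g. `# NOTE: with rd.debug, dracut-lib.sh enables xtrace for the rest of this file; passphrases handled below will appear in the trace output`, and the passphrase-handling sections should consider disabling xtrace around the sensitive commands so rd.debug troubleshooting does not disclose key material. The `$-` snapshot only restores `u` and `e`; if dracut-lib.sh changes other shell options on load, those changes leak into the callers, which is worth a comment as well.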
@@ -0,0 +1,83 @@ +From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001 +From: Renaud Metrich +Date: Fri, 7 Jan 2022 12:13:03 -0300 +Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup + +This fixes an Out of memory error when the system has not much memory, +such as a VM configured with 2GB currently being installed through the +network (hence having ~1GB free memory only). +See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256). +--- + src/luks/clevis-luks-bind.in | 7 +++++-- + src/luks/clevis-luks-common-functions | 7 ++++++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in +index 4748c08..017f762 100755 +--- a/src/luks/clevis-luks-bind.in ++++ b/src/luks/clevis-luks-bind.in +@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \ + exit 1 + fi + ++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + if [ "$luks_type" == "luks1" ]; then ++ pbkdf_args= + # In certain circumstances, we may have LUKSMeta slots "not in sync" with + # cryptsetup, which means we will try to save LUKSMeta metadata over an + # already used or partially used slot -- github issue #70. +@@ -184,7 +186,7 @@ fi + + # Add the new key. + if [ -n "$SLT" ]; then +- cryptsetup luksAddKey --key-slot "$SLT" --key-file \ ++ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \ + <(echo -n "$existing_key") "$DEV" + else + if [ $luks_type == "luks2" ]; then +@@ -194,7 +196,8 @@ else + readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \ + | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') + fi +- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV" ++ cryptsetup luksAddKey ${pbkdf_args} \ ++ --key-file <(echo -n "${existing_key}") "$DEV" + fi < <(echo -n "${key}") + if [ $? -ne 0 ]; then + echo "Error while adding new key to LUKS header!" 
>&2 +diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions +index 67ece72..038cc37 100644 +--- a/src/luks/clevis-luks-common-functions ++++ b/src/luks/clevis-luks-common-functions +@@ -760,10 +760,12 @@ clevis_luks_add_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \ + --key-slot "${SLT}" \ + "${DEV}" \ ++ ${pbkdf_args} \ + ${extra_args} + } + +@@ -792,11 +794,14 @@ clevis_luks_update_key() { + extra_args="$(printf -- '--key-file %s' "${KEYFILE}")" + input="$(printf '%s' "${NEWKEY}")" + fi ++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" + + if [ -n "${in_place}" ]; then + printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \ + --key-slot "${SLT}" \ +- --batch-mode ${extra_args} ++ --batch-mode \ ++ ${pbkdf_args} \ ++ ${extra_args} + return + fi + +-- +2.33.1 + diff --git a/SOURCES/0008-tang-dump-url-on-error-communication.patch b/SOURCES/0008-tang-dump-url-on-error-communication.patch new file mode 100644 index 0000000..e907694 --- /dev/null +++ b/SOURCES/0008-tang-dump-url-on-error-communication.patch @@ -0,0 +1,16 @@ +--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang 2020-10-28 19:55:47.673228700 +0100 ++++ clevis-15/src/pins/tang/clevis-decrypt-tang 2022-01-21 10:37:40.327825491 +0100 +@@ -73,10 +73,10 @@ + + xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" + +-url="$url/rec/$kid" ++rec_url="$url/rec/$kid" + ct="Content-Type: application/jwk+json" +-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then +- echo "Error communicating with the server!" >&2 ++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then ++ echo "Error communicating with the server $url" >&2 + exit 1 + fi + 
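Review bot: `--pbkdf pbkdf2 --pbkdf-force-iterations 1000`, added in clevis-luks-bind.in and as a `local pbkdf_args` in both `clevis_luks_add_key` and `clevis_luks_update_key`, pins the clevis keyslot to PBKDF2 at a fixed iteration count far below what cryptsetup would benchmark, and nothing in the hunks records why that is acceptable; the justification — the slot's passphrase is a random JWK rather than a human passphrase, so brute-force resistance does not come from the KDF — belongs next to the constant, e.g. `# The clevis slot holds a random high-entropy key, so a cheap KDF is safe here and avoids argon2 OOM on low-memory installs (RHBZ #1979256); never reuse these args for a user passphrase slot.` The same string is now copied three times; defining it once in clevis-luks-common-functions (for example as a single shared variable) and reusing it from clevis-luks-bind.in keeps them in sync. `luksAddKey ${pbkdf_args}` is deliberately unquoted so it word-splits, which a comment should say before someone "fixes" the quoting. Both common-functions hunks are inside functions whose bodies start and end outside the hunk.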
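Review bot: This patch file is a plain `---`/`+++` diff with no From/Date/Subject header and no description, unlike 0004 through 0009, so the provenance of the change is only recoverable from the spec changelog; a git-format-patch header, or at least a leading comment naming the bug it addresses, would keep SOURCES consistent. On the change itself, `curl -sfg` still suppresses curl's own diagnostics, so the new message names the server that failed but not why; `curl -sSfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr"` (adding `-S`, `--show-error`) prints the HTTP status or connection error next to the URL without otherwise changing behaviour.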
diff --git a/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch new file mode 100644 index 0000000..deb5ad3 --- /dev/null +++ b/SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch 
@@ -0,0 +1,213 @@ +From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001 +From: Antonio Murdaca +Date: Wed, 1 Dec 2021 14:17:53 +0100 +Subject: [PATCH 9/9] feat: rename the test pin to null pin + +Signed-off-by: Antonio Murdaca +--- + src/initramfs-tools/hooks/clevis.in | 1 + + .../dracut/clevis-pin-null/meson.build | 14 ++++++++++ + .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++ + src/luks/systemd/dracut/meson.build | 1 + + ...levis-decrypt-test => clevis-decrypt-null} | 4 +-- + ...levis-encrypt-test => clevis-encrypt-null} | 4 +-- + src/pins/sss/meson.build | 5 +++- + src/pins/sss/{pin-test => pin-null} | 4 +-- + src/pins/sss/pin-sss | 12 ++++---- + 9 files changed, 60 insertions(+), 13 deletions(-) + create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build + create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in + rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%) + rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%) + rename src/pins/sss/{pin-test => pin-null} (53%) + +diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in +index cc3b492..448ba96 100755 +--- a/src/initramfs-tools/hooks/clevis.in ++++ b/src/initramfs-tools/hooks/clevis.in +@@ -58,6 +58,7 @@ fi + + copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" + copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" ++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found" + copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" + copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" + copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" +diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build 
+new file mode 100644 +index 0000000..107e3ba +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build +@@ -0,0 +1,14 @@ ++dracut = dependency('dracut', required: false) ++ ++if dracut.found() ++ dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null' ++ ++ configure_file( ++ input: 'module-setup.sh.in', ++ output: 'module-setup.sh', ++ install_dir: dracutdir, ++ configuration: data, ++ ) ++else ++ warning('Will not install dracut module clevis-pin-null due to missing dependencies!') ++endif +diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +new file mode 100755 +index 0000000..6a16078 +--- /dev/null ++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in +@@ -0,0 +1,28 @@ ++#!/bin/bash ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2016 Red Hat, Inc. ++# Author: Nathaniel McCallum ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . 
++# ++ ++depends() { ++ echo clevis ++ return 0 ++} ++ ++install() { ++ inst clevis-decrypt-null ++} +diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build +index fdb264b..7ad5b14 100644 +--- a/src/luks/systemd/dracut/meson.build ++++ b/src/luks/systemd/dracut/meson.build +@@ -2,3 +2,4 @@ subdir('clevis') + subdir('clevis-pin-tang') + subdir('clevis-pin-tpm2') + subdir('clevis-pin-sss') ++subdir('clevis-pin-null') +diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null +similarity index 88% +rename from src/pins/sss/clevis-decrypt-test +rename to src/pins/sss/clevis-decrypt-null +index f0e9249..a6217ed 100755 +--- a/src/pins/sss/clevis-decrypt-test ++++ b/src/pins/sss/clevis-decrypt-null +@@ -22,11 +22,11 @@ + + read -r -d . hdr + +-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then ++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then + echo "JWE pin mismatch!" >&2 + exit 1 + fi + +-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1 ++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1 + + exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat) +diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null +similarity index 90% +rename from src/pins/sss/clevis-encrypt-test +rename to src/pins/sss/clevis-encrypt-null +index bd2d6ec..af182a5 100755 +--- a/src/pins/sss/clevis-encrypt-test ++++ b/src/pins/sss/clevis-encrypt-null +@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then + fi + + jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')" +-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}' ++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}' + + if ! 
jose fmt -j "$cfg" -g fail -T; then +- jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)" ++ jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)" + fi + + exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) +diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build +index 7f20eea..2a5295a 100644 +--- a/src/pins/sss/meson.build ++++ b/src/pins/sss/meson.build +@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found() + separator: ':' + ) + ++ bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null') ++ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null') ++ + test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env) +- test('pin-test', find_program(join_paths(src, 'pin-test')), env: env) ++ test('pin-null', find_program(join_paths(src, 'pin-null')), env: env) + else + warning('Will not install sss pin due to missing dependencies!') + endif +diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null +similarity index 53% +rename from src/pins/sss/pin-test +rename to src/pins/sss/pin-null +index 50c8c67..b14ac63 100755 +--- a/src/pins/sss/pin-test ++++ b/src/pins/sss/pin-null +@@ -2,9 +2,9 @@ + + trap 'exit' ERR + +-e="$(echo -n hi | clevis encrypt test '{}')" ++e="$(echo -n hi | clevis encrypt null '{}')" + d="$(echo -n "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo -n hi | clevis encrypt test '{"fail":true}')" ++e="$(echo -n hi | clevis encrypt null '{"fail":true}')" + ! 
echo "$e" | clevis decrypt +diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss +index 5c0b8cf..24da052 100755 +--- a/src/pins/sss/pin-sss ++++ b/src/pins/sss/pin-sss +@@ -1,24 +1,24 @@ + #!/bin/bash -ex + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')" + d="$(echo "$e" | clevis decrypt)" + test "$d" == "hi" + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + +-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')" ++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')" + ! echo "$e" | clevis decrypt + + ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')" +-- +2.33.1 + diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec index 6721d9f..df4282e 100644 --- a/SPECS/clevis.spec +++ b/SPECS/clevis.spec @@ -2,7 +2,7 @@ Name: clevis Version: 15 -Release: 1%{?dist}.1 +Release: 8%{?dist} Summary: Automated decryption framework License: GPLv3+ 
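Review bot: The null pin stores the decryption JWK inside the JWE's own header (`-Og protected -g clevis -g null -j "$jwk" -Os jwk` in clevis-encrypt-null), so anything bound with it can be unlocked by whoever holds the ciphertext; renaming it from "test" to "null" and shipping it via the new clevis-pin-null dracut module presumably makes it usable from the regular bind flow, yet neither script nor the module says that it provides no confidentiality. clevis-encrypt-null should state that on stderr before emitting output, e.g. `echo 'WARNING: the null pin offers no protection; use it only for testing or as one share of an sss policy' >&2`, and the new module-setup.sh.in deserves a one-line purpose comment after the licence block, such as `# dracut module: ships clevis-decrypt-null so null-pin shares can be unlocked at boot`. The pin-sss test hunk shows the intended use as a no-op sss share, which is the context that comment should give.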
@@ -12,6 +12,12 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch +Patch0004: 0004-systemd-drop-ncat-dependency.patch +Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch +Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch +Patch0008: 0008-tang-dump-url-on-error-communication.patch +Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch BuildRequires: git BuildRequires: gcc @@ -35,7 +41,7 @@ BuildRequires: tang >= 6 BuildRequires: curl BuildRequires: luksmeta BuildRequires: cracklib-dicts -Buildrequires: jq +BuildRequires: jq BuildRequires: diffutils BuildRequires: expect BuildRequires: openssl @@ -86,7 +92,6 @@ Requires: systemd%{?_isa} >= 236 %endif %endif %endif -Requires: nc %description systemd Automatically unlocks clevis-bound LUKS block devices during boot. @@ -150,10 +155,12 @@ exit 0 %{_bindir}/%{name}-decrypt-tang %{_bindir}/%{name}-decrypt-tpm2 %{_bindir}/%{name}-decrypt-sss +%{_bindir}/%{name}-decrypt-null %{_bindir}/%{name}-decrypt %{_bindir}/%{name}-encrypt-tang %{_bindir}/%{name}-encrypt-tpm2 %{_bindir}/%{name}-encrypt-sss +%{_bindir}/%{name}-encrypt-null %{_bindir}/%{name} %{_mandir}/man1/%{name}-encrypt-tang.1* %{_mandir}/man1/%{name}-encrypt-tpm2.1* @@ -188,6 +195,7 @@ exit 0 %files dracut %{_prefix}/lib/dracut/modules.d/60%{name} +%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2 
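Review bot: `Requires: nc` is dropped from the systemd subpackage, but its replacement, systemd-reply-password, is located at build time by the meson `find_program` probe introduced in 0004, so the buildroot must contain systemd for it to be found; this hunk shows no `BuildRequires: systemd` (it may exist elsewhere in the spec), and if it is missing meson only warns and the askpass helper and units are silently not built, which would presumably surface later as missing files in the systemd %files list rather than as a clear dependency error. Adding `BuildRequires: systemd` beside the other BuildRequires lines makes the need explicit. The `%files` additions for `%{_bindir}/%{name}-encrypt-null` and `%{_bindir}/%{name}-decrypt-null` ship a pin that provides no confidentiality; a sentence in `%description` noting that the null pin is for testing and sss composition only would help packagers and users.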
@@ -197,9 +205,33 @@ exit 0 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog -* Thu Nov 18 2021 Sergio Correia - 15-1.1 +* Wed Jan 26 2022 Sergio Correia - 15-8 +- Support a null pin + Resolves: rhbz#2028096 + +* Fri Jan 21 2022 Sergio Arroutbi - 15-7 +- Dump server information on server error communication + Resolves: rhbz#2020193 + +* Tue Jan 04 2022 Sergio Correia - 15-6 +- Explicitly specify pbkdf iterations to cryptsetup + Resolves: rhbz#1979256 + +* Wed Dec 01 2021 Sergio Correia - 15-5 +- Enable debugging in clevis scripts when rd.debug is set + Resolves: rhbz#1980742 + +* Thu Nov 25 2021 Sergio Correia - 15-4 +- Stop sending stderr to the void when decryption doesn't happen + Resolves: rhbz#1976880 + +* Thu Nov 18 2021 Sergio Correia - 15-3 +- Drop ncat dependency + Resolves: rhbz#1949289 + +* Wed Nov 17 2021 Sergio Correia - 15-2 - Account for unlocking failures in clevis-luks-askpass - Resolves: rhbz#2023256 + Resolves: rhbz#2018292 * Mon Oct 26 2020 Sergio Correia - 15-1 - Update to latest upstream release, v15