diff --git a/.clevis.metadata b/.clevis.metadata
index bf45872..0964fdd 100644
--- a/.clevis.metadata
+++ b/.clevis.metadata
@@ -1 +1 @@
-42dba83266ab4b9e882f6f33c541aa3679b5a956 SOURCES/clevis-6.tar.bz2
+70cc377c0976fb32fd55a3033f2374080b713b5d SOURCES/clevis-7.tar.bz2
diff --git a/.gitignore b/.gitignore
index 0fc7979..695fe37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/clevis-6.tar.bz2
+SOURCES/clevis-7.tar.bz2
diff --git a/SOURCES/clevis-7-dracut.patch b/SOURCES/clevis-7-dracut.patch
new file mode 100644
index 0000000..beb8941
--- /dev/null
+++ b/SOURCES/clevis-7-dracut.patch
@@ -0,0 +1,61 @@
+From bcb46fe1e40b390cb39353b75806bf3e05177ef0 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Mon, 13 Nov 2017 11:28:14 -0500
+Subject: [PATCH] Fix dracut unlocker
+
+We weren't generating the path to clevis-luks-askpass correctly in the
+dracut module.
+
+Fixes: #23
+---
+ src/dracut/Makefile.am | 10 ++++------
+ src/dracut/clevis-hook.sh.in | 2 +-
+ src/dracut/{module-setup.sh => module-setup.sh.in} | 2 +-
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+ rename src/dracut/{module-setup.sh => module-setup.sh.in} (96%)
+
+diff --git a/src/dracut/Makefile.am b/src/dracut/Makefile.am
+index 5a3a0f4..e26b61f 100644
+--- a/src/dracut/Makefile.am
++++ b/src/dracut/Makefile.am
+@@ -1,12 +1,10 @@
+ dracutdir = @dracutmodulesdir@/60$(PACKAGE_NAME)
+-nodist_dracut_SCRIPTS = clevis-hook.sh
+-dist_dracut_SCRIPTS = module-setup.sh
+-
+-CLEANFILES=clevis-hook.sh
+-EXTRA_DIST=clevis-hook.sh.in
++nodist_dracut_SCRIPTS = clevis-hook.sh module-setup.sh
++EXTRA_DIST=clevis-hook.sh.in module-setup.sh.in
++CLEANFILES=clevis-hook.sh module-setup.sh
+ 
+ %: %.in
+ $(AM_V_GEN)mkdir -p $(dir $@)
+ $(AM_V_GEN)$(SED) \
+- -e 's,@libexedir\@,$(libexecdir),g' \
++ -e 's,@libexecdir\@,$(libexecdir),g' \
+ $(srcdir)/$@.in > $@
+diff --git a/src/dracut/clevis-hook.sh.in b/src/dracut/clevis-hook.sh.in
+index 5d0c814..cb257c9 100755
+--- a/src/dracut/clevis-hook.sh.in
++++ b/src/dracut/clevis-hook.sh.in
+@@ -1,2 +1,2 @@
+ #!/bin/bash
+-@libexec@/clevis-luks-askpass
++@libexecdir@/clevis-luks-askpass
+diff --git a/src/dracut/module-setup.sh b/src/dracut/module-setup.sh.in
+similarity index 96%
+rename from src/dracut/module-setup.sh
+rename to src/dracut/module-setup.sh.in
+index 92fe08e..5087d56 100755
+--- a/src/dracut/module-setup.sh
++++ b/src/dracut/module-setup.sh.in
+@@ -37,7 +37,7 @@ install() {
+ clevis-decrypt-http \
+ clevis-decrypt-tang \
+ clevis-decrypt-sss \
+- clevis-luks-askpass \
++ @libexecdir@/clevis-luks-askpass \
+ clevis-decrypt \
+ luksmeta \
+ clevis \
diff --git a/SOURCES/clevis-7-retry.patch b/SOURCES/clevis-7-retry.patch
new file mode 100644
index 0000000..2826d72
--- /dev/null
+++ b/SOURCES/clevis-7-retry.patch
@@ -0,0 +1,103 @@
+From 2a82ba4040c8dc10dcbe7e2c3ae6646c2778f0b1 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Tue, 16 Jan 2018 13:29:54 -0500
+Subject: [PATCH] Retry until success during systemd boot
+
+With dracut, we just try once because we're being called in a loop. But with
+systemd, there might be a race condition for network to come up. So when
+running under systemd, we loop until success. This should not change the dracut
+behavior.
+---
+ src/systemd/clevis-luks-askpass | 66 ++++++++++++++++++++----------
+ src/systemd/clevis-luks-askpass.service.in | 2 +-
+ 2 files changed, 46 insertions(+), 22 deletions(-)
+
+diff --git a/src/systemd/clevis-luks-askpass b/src/systemd/clevis-luks-askpass
+index 2fadd5c..6fe5269 100755
+--- a/src/systemd/clevis-luks-askpass
++++ b/src/systemd/clevis-luks-askpass
+@@ -23,26 +23,50 @@ UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+ 
+ shopt -s nullglob
+ 
+-for question in /run/systemd/ask-password/ask.*; do
+- d=
+- s=
+-
+- while read line; do
+- case "$line" in
+- Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
+- Socket=*) s="${line##Socket=}";;
+- esac
+- done < "$question"
+-
+- [ -z "$d" -o -z "$s" ] && continue
+-
+- luksmeta show -d "$d" | while read -r slot state uuid; do
+- [ "$state" != "active" ] && continue
+- [ "$uuid" != "$UUID" ] && continue
+-
+- if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
+- echo -n "+$pt" | nc -U -u --send-only "$s"
+- break
+- fi
++while getopts ":l" o; do
++ case "$o" in
++ l) loop=true;;
++ esac
++done
++
++while true; do
++ todo=0
++
++ for question in /run/systemd/ask-password/ask.*; do
++ metadata=false
++ unlocked=false
++ d=
++ s=
++
++ while read line; do
++ case "$line" in
++ Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
++ Socket=*) s="${line##Socket=}";;
++ esac
++ done < "$question"
++
++ [ -z "$d" -o -z "$s" ] && continue
++
++ while read -r slot state uuid; do
++ [ "$state" != "active" ] && continue
++ [ "$uuid" != "$UUID" ] && continue
++ metadata=true
++
++ if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
++ echo -n "+$pt" | nc -U -u --send-only "$s"
++ unlocked=true
++ break
++ fi
++ done < <(luksmeta show -d "$d")
++
++ [ $metadata == true ] || continue
++ [ $unlocked == true ] && continue
++ todo=$((todo + 1))
+ done
++
++ if [ $todo -eq 0 ] || [ "$loop" != "true" ]; then
++ break;
++ fi
++
++ sleep 0.5
+ done
+diff --git a/src/systemd/clevis-luks-askpass.service.in b/src/systemd/clevis-luks-askpass.service.in
+index aa38a5b..2c6bbed 100644
+--- a/src/systemd/clevis-luks-askpass.service.in
++++ b/src/systemd/clevis-luks-askpass.service.in
+@@ -5,4 +5,4 @@ After=network-online.target
+ 
+ [Service]
+ Type=oneshot
+-ExecStart=@libexecdir@/clevis-luks-askpass
++ExecStart=@libexecdir@/clevis-luks-askpass -l
+-- 
+2.14.3
+ 
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index e086bf9..c80b6d3 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -1,21 +1,26 @@
 %global _hardened_build 1 Name: clevis -Version: 6 -Release: 1%{?dist} +Version: 7 +Release: 4%{?dist} Summary: Automated decryption framework License: GPLv3+ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 +Patch0: clevis-7-dracut.patch +Patch1: clevis-7-retry.patch BuildRequires: libjose-devel >= 8 -BuildRequires: libluksmeta-devel +BuildRequires: libluksmeta-devel >= 8 +BuildRequires: audit-libs-devel >= 2.8.1 BuildRequires: libudisks2-devel BuildRequires: openssl-devel BuildRequires: desktop-file-utils BuildRequires: pkgconfig +BuildRequires: autoconf +BuildRequires: automake BuildRequires: systemd BuildRequires: dracut BuildRequires: tang >= 6 
@@ -41,18 +46,26 @@ volumes during early boot. Summary: LUKSv1 integration for clevis Requires: %{name}%{?_isa} = %{version}-%{release} Requires: cryptsetup -Requires: luksmeta +Requires: luksmeta >= 8 %description luks LUKSv1 integration for clevis. This package allows you to bind a LUKSv1 volume to a clevis unlocking policy. For automated unlocking, an unlocker will also be required. See, for example, clevis-dracut and clevis-udisks2. +%package systemd +Summary: systemd integration for clevis +Requires: %{name}-luks%{?_isa} = %{version}-%{release} +Requires: systemd%{?_isa} >= 219-45.20171030 +Requires: nc + +%description systemd +Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab. + %package dracut Summary: Dracut integration for clevis -Requires: %{name}-luks%{?_isa} = %{version}-%{release} +Requires: %{name}-systemd%{?_isa} = %{version}-%{release} Requires: dracut-network -Requires: nc %description dracut Automatically unlocks LUKSv1 block devices in early boot. @@ -66,14 +79,16 @@ Automatically unlocks LUKSv1 block devices in desktop environments that use UDisks2 or storaged (like GNOME). %prep -%setup -q +%autosetup -p1 %build +autoreconf -if %configure --enable-user=clevis --enable-group=clevis %make_build V=1 %install %make_install +ln -sf %{name}-luks-bind.1.gz %{buildroot}/%{_mandir}/man1/%{name}-bind-luks.1.gz %check desktop-file-validate \ @@ -104,8 +119,18 @@ exit 0 %{_mandir}/man1/%{name}.1* %files luks -%{_bindir}/%{name}-bind-luks +%{_mandir}/man1/%{name}-luks-unlockers.1* +%{_mandir}/man1/%{name}-luks-unlock.1* +%{_mandir}/man1/%{name}-luks-bind.1* %{_mandir}/man1/%{name}-bind-luks.1* +%{_bindir}/%{name}-luks-unlock +%{_bindir}/%{name}-luks-bind +%{_bindir}/%{name}-bind-luks + +%files systemd +%{_libexecdir}/%{name}-luks-askpass +%{_unitdir}/%{name}-luks-askpass.path +%{_unitdir}/%{name}-luks-askpass.service %files dracut %{_prefix}/lib/dracut/modules.d/60%{name} 
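Review bot: The new `%files systemd` section ships `%{_unitdir}/%{name}-luks-askpass.path` and `%{_unitdir}/%{name}-luks-askpass.service`, but none of the spec hunks adds `%post`/`%preun`/`%postun` scriptlets for the subpackage, so the path unit is not enabled through the preset mechanism on install and is not stopped or restarted on removal and upgrade. Unless such scriptlets exist outside the visible hunks, the `_netdev` unlocking that `%description systemd` promises will not start without a manual `systemctl enable`. The usual packaging fix is a set of `%systemd_post`/`%systemd_preun`/`%systemd_postun_with_restart` scriptlets for the `.path` unit, placed before the `%files` sections.
```spec
%post systemd
%systemd_post %{name}-luks-askpass.path

%preun systemd
%systemd_preun %{name}-luks-askpass.path

%postun systemd
%systemd_postun_with_restart %{name}-luks-askpass.path
```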
@@ -115,6 +140,26 @@ exit 0 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog +* Mon Nov 13 2017 Nathaniel McCallum - 7-4 +- Retry unlocking under systemd. This prevents a race condition. +- Resolves: rhbz#1475406 + +* Mon Nov 13 2017 Nathaniel McCallum - 7-3 +- Add patch to fix path generation issues with dracut +- Resolves: rhbz#1512638 + +* Fri Nov 03 2017 Nathaniel McCallum - 7-2 +- Add man page symlink for the clevis-bind-luks => clevis-luks-bind +- Related: rhbz#1475406 + +* Fri Oct 27 2017 Nathaniel McCallum - 7-1 +- Update to v7 +- Resolves: rhbz#1467907 +- Resolves: rhbz#1467908 +- Resolves: rhbz#1475406 +- Resolves: rhbz#1500975 +- Resolves: rhbz#1478888 + * Tue Jun 27 2017 Nathaniel McCallum - 6-1 - New upstream release - Specify unprivileged user/group during configuration