diff --git a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
new file mode 100644
index 0000000..e7df18a
--- /dev/null
+++ b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
@@ -0,0 +1,45 @@
+From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+ <1163635+rmetrich@users.noreply.github.com>
+Date: Wed, 1 Dec 2021 09:37:35 -0300
+Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
+ set (#340)
+
+On Fedora/RHEL, the rd.debug kernel command line parameter controls
+debugging.
+By implementing the functionality inside clevis, troubleshooting will be
+greatly eased.
+See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
+---
+ src/luks/clevis-luks-common-functions | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index df8e16d..67ece72 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -20,6 +20,21 @@
+
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+
++enable_debugging() {
++ # Automatically enable debugging if in initramfs phase and rd.debug
++ if [ -e /usr/lib/dracut-lib.sh ]; then
++ local bashopts=$-
++ # Because dracut is loosely written, disable hardening options temporarily
++ [[ $bashopts != *u* ]] || set +u
++ [[ $bashopts != *e* ]] || set +e
++ . /usr/lib/dracut-lib.sh
++ [[ $bashopts != *u* ]] || set -u
++ [[ $bashopts != *e* ]] || set -e
++ fi
++}
++
++enable_debugging
++
+ # valid_slot() will check whether a given slot is possibly valid, i.e., if it
+ # is a numeric value within the specified range.
+ valid_slot() {
+--
+2.33.1
+
diff --git a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
new file mode 100644
index 0000000..18cee3b
--- /dev/null
+++ b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
@@ -0,0 +1,83 @@
+From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
+From: Renaud Metrich <rmetrich@redhat.com>
+Date: Fri, 7 Jan 2022 12:13:03 -0300
+Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
+
+This fixes an Out of memory error when the system has not much memory,
+such as a VM configured with 2GB currently being installed through the
+network (hence having ~1GB free memory only).
+See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
+---
+ src/luks/clevis-luks-bind.in | 7 +++++--
+ src/luks/clevis-luks-common-functions | 7 ++++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
+index 4748c08..017f762 100755
+--- a/src/luks/clevis-luks-bind.in
++++ b/src/luks/clevis-luks-bind.in
+@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
+ exit 1
+ fi
+
++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ if [ "$luks_type" == "luks1" ]; then
++ pbkdf_args=
+ # In certain circumstances, we may have LUKSMeta slots "not in sync" with
+ # cryptsetup, which means we will try to save LUKSMeta metadata over an
+ # already used or partially used slot -- github issue #70.
+@@ -184,7 +186,7 @@ fi
+
+ # Add the new key.
+ if [ -n "$SLT" ]; then
+- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
++ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
+ <(echo -n "$existing_key") "$DEV"
+ else
+ if [ $luks_type == "luks2" ]; then
+@@ -194,7 +196,8 @@ else
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+ fi
+- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
++ cryptsetup luksAddKey ${pbkdf_args} \
++ --key-file <(echo -n "${existing_key}") "$DEV"
+ fi < <(echo -n "${key}")
+ if [ $? -ne 0 ]; then
+ echo "Error while adding new key to LUKS header!" >&2
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 67ece72..038cc37 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -760,10 +760,12 @@ clevis_luks_add_key() {
+ extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+ printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ --key-slot "${SLT}" \
+ "${DEV}" \
++ ${pbkdf_args} \
+ ${extra_args}
+ }
+
+@@ -792,11 +794,14 @@ clevis_luks_update_key() {
+ extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+ if [ -n "${in_place}" ]; then
+ printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
+ --key-slot "${SLT}" \
+- --batch-mode ${extra_args}
++ --batch-mode \
++ ${pbkdf_args} \
++ ${extra_args}
+ return
+ fi
+
+--
+2.33.1
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 6160f23..0ea213e 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@
Name: clevis
Version: 15
-Release: 4%{?dist}
+Release: 6%{?dist}
Summary: Automated decryption framework
License: GPLv3+
@@ -14,6 +14,8 @@ Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
Patch0004: 0004-systemd-drop-ncat-dependency.patch
Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
+Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
+Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
BuildRequires: git
BuildRequires: gcc
@@ -198,6 +200,14 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
+* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
+- Explicitly specify pbkdf iterations to cryptsetup
+ Resolves: rhbz#1979256
+
+* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
+- Enable debugging in clevis scripts when rd.debug is set
+ Resolves: rhbz#1980742
+
* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
- Stop sending stderr to the void when decryption doesn't happen
Resolves: rhbz#1976880