diff --git a/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
new file mode 100644
index 0000000..e7df18a
--- /dev/null
+++ b/SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
@@ -0,0 +1,45 @@
+From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+ <1163635+rmetrich@users.noreply.github.com>
+Date: Wed, 1 Dec 2021 09:37:35 -0300
+Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
+ set (#340)
+
+On Fedora/RHEL, the rd.debug kernel command line parameter controls
+debugging.
+By implementing the functionality inside clevis, troubleshooting will be
+greatly eased.
+See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
+---
+ src/luks/clevis-luks-common-functions | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index df8e16d..67ece72 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -20,6 +20,21 @@
+ 
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+ 
++enable_debugging() {
++ # Automatically enable debugging if in initramfs phase and rd.debug
++ if [ -e /usr/lib/dracut-lib.sh ]; then
++ local bashopts=$-
++ # Because dracut is loosely written, disable hardening options temporarily
++ [[ $bashopts != *u* ]] || set +u
++ [[ $bashopts != *e* ]] || set +e
++ . /usr/lib/dracut-lib.sh
++ [[ $bashopts != *u* ]] || set -u
++ [[ $bashopts != *e* ]] || set -e
++ fi
++}
++
++enable_debugging
++
+ # valid_slot() will check whether a given slot is possibly valid, i.e., if it
+ # is a numeric value within the specified range.
+ valid_slot() {
+-- 
+2.33.1
+
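Review bot: The `[ -e /usr/lib/dracut-lib.sh ]` test in `enable_debugging` checks that dracut's library is installed, not that the script is running in the initramfs, so the comment `# Automatically enable debugging if in initramfs phase and rd.debug` promises a narrower condition than the code enforces: any consumer of clevis-luks-common-functions on an installed system that has dracut present will also source dracut-lib.sh, and the top-level `enable_debugging` call makes that happen at source time for every such consumer. Whether sourcing it outside the initramfs is harmless depends on what dracut-lib.sh does when loaded, which this patch does not show. If, as the commit message implies, rd.debug ends up enabling shell tracing, the traced commands in the callers include the LUKS key material passed through constructs like `echo -n "$existing_key"`, so I would add next to the call `# NOTE: under rd.debug the trace output of these scripts can contain LUKS key material; treat console/journal output as sensitive` so that operators collecting debug logs know what they are sharing.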
diff --git a/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
new file mode 100644
index 0000000..18cee3b
--- /dev/null
+++ b/SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
@@ -0,0 +1,83 @@
+From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
+From: Renaud Metrich
+Date: Fri, 7 Jan 2022 12:13:03 -0300
+Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
+
+This fixes an Out of memory error when the system has not much memory,
+such as a VM configured with 2GB currently being installed through the
+network (hence having ~1GB free memory only).
+See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
+---
+ src/luks/clevis-luks-bind.in | 7 +++++--
+ src/luks/clevis-luks-common-functions | 7 ++++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
+index 4748c08..017f762 100755
+--- a/src/luks/clevis-luks-bind.in
++++ b/src/luks/clevis-luks-bind.in
+@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
+ exit 1
+ fi
+ 
++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ if [ "$luks_type" == "luks1" ]; then
++ pbkdf_args=
+ # In certain circumstances, we may have LUKSMeta slots "not in sync" with
+ # cryptsetup, which means we will try to save LUKSMeta metadata over an
+ # already used or partially used slot -- github issue #70.
+@@ -184,7 +186,7 @@ fi
+ 
+ # Add the new key.
+ if [ -n "$SLT" ]; then
+- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
++ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
+ <(echo -n "$existing_key") "$DEV"
+ else
+ if [ $luks_type == "luks2" ]; then
+@@ -194,7 +196,8 @@ else
+ readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+ fi
+- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
++ cryptsetup luksAddKey ${pbkdf_args} \
++ --key-file <(echo -n "${existing_key}") "$DEV"
+ fi < <(echo -n "${key}")
+ if [ $? -ne 0 ]; then
+ echo "Error while adding new key to LUKS header!" >&2
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 67ece72..038cc37 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -760,10 +760,12 @@ clevis_luks_add_key() {
+ extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+ printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+ --key-slot "${SLT}" \
+ "${DEV}" \
++ ${pbkdf_args} \
+ ${extra_args}
+ }
+ 
+@@ -792,11 +794,14 @@ clevis_luks_update_key() {
+ extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+ input="$(printf '%s' "${NEWKEY}")"
+ fi
++ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+ if [ -n "${in_place}" ]; then
+ printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
+ --key-slot "${SLT}" \
+- --batch-mode ${extra_args}
++ --batch-mode \
++ ${pbkdf_args} \
++ ${extra_args}
+ return
+ fi
+ 
+-- 
+2.33.1
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index 6160f23..0ea213e 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -2,7 +2,7 @@ Name: clevis Version: 15 -Release: 4%{?dist} +Release: 6%{?dist} Summary: Automated decryption framework License: GPLv3+
@@ -14,6 +14,8 @@ Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch Patch0004: 0004-systemd-drop-ncat-dependency.patch Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch +Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch +Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch BuildRequires: git BuildRequires: gcc
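Review bot: clevis-luks-bind.in clears `pbkdf_args` for luks1 devices, but the identical `local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"` added to clevis_luks_add_key and clevis_luks_update_key in clevis-luks-common-functions is passed to cryptsetup unconditionally, so the two sites disagree on whether these options are safe for LUKS1; either the luks1 special case in bind.in is unnecessary or the common functions need an equivalent LUKS-type guard, and the patch should settle on one. Forcing a 1000-iteration PBKDF2 in place of LUKS2's memory-hard default is only acceptable if the slot holds randomly generated key material rather than a human-chosen passphrase, and nothing in the hunk records that assumption; I would define the string once in clevis-luks-common-functions with a comment like `# Cheap KDF is deliberate: the slot key is random, and argon2's memory cost OOMs small hosts (rhbz#1979256); never reuse this for user passphrases` and have bind.in reuse that definition instead of a third copy. In clevis_luks_update_key the new arguments reach only the in-place `luksChangeKey` path; the other path continues below the hunk, as do both enclosing functions, so I cannot see whether it inherits them.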
@@ -198,6 +200,14 @@ exit 0 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2 %changelog
+* Tue Jan 04 2022 Sergio Correia - 15-6
+- Explicitly specify pbkdf iterations to cryptsetup
+ Resolves: rhbz#1979256
+
+* Wed Dec 01 2021 Sergio Correia - 15-5
+- Enable debugging in clevis scripts when rd.debug is set
+ Resolves: rhbz#1980742
+
 * Thu Nov 25 2021 Sergio Correia - 15-4
 - Stop sending stderr to the void when decryption doesn't happen
 Resolves: rhbz#1976880