diff --git a/backport-Add-device-TCTI-library-to-the-initramfs.patch b/backport-Add-device-TCTI-library-to-the-initramfs.patch new file mode 100644 index 0000000..24dcb7b --- /dev/null +++ b/backport-Add-device-TCTI-library-to-the-initramfs.patch @@ -0,0 +1,34 @@ +From 6826e5d31d6323eac5137404f0194bf2183b561c Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 16:48:47 +0100 +Subject: [PATCH] Add device TCTI library to the initramfs + +The tpm2-tools don't dynamically link against the TCTI libraries anymore, +but instead dlopen() the correct library depending on the TCTI used. + +So dracut isn't able anymore to figure out automatically using ldd what +libraries are needed by the tpm2-tools. Since clevis uses the device TCTI +to access the TPM directly, add the libtss2-tcti-device.so to the initrd. + +Suggested-by: Federico Chiacchiaretta + +Fixes: ##74 +--- + src/luks/systemd/dracut/module-setup.sh.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 41e7d6c..990bf4a 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -65,6 +65,7 @@ install() { + tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load ++ inst_libdir_file "libtss2-tcti-device.so*" + fi + + dracut_need_initqueue +-- +2.27.0 + diff --git a/backport-Delete-remaining-references-to-the-removed-http-pin.patch b/backport-Delete-remaining-references-to-the-removed-http-pin.patch new file mode 100644 index 0000000..a07d924 --- /dev/null +++ b/backport-Delete-remaining-references-to-the-removed-http-pin.patch @@ -0,0 +1,132 @@ +From 1e344dbf6a60fcd2c60a4b8512be455e112d8398 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 14:53:08 +0100 +Subject: [PATCH] Delete remaining references to the removed http pin + +Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but +there are still references of it in the docs and also the dracut module. + +This was causing dracut to fail building the initramfs due the following: + +dracut-install: ERROR: installing 'clevis-decrypt-http' + +Suggested-by: Dominick Grift + +Fixes: #73 +--- + README.md | 21 --------------------- + src/clevis.1.adoc | 21 --------------------- + src/luks/clevis-luks-bind.1.adoc | 1 - + src/luks/systemd/dracut/module-setup.sh.in | 1 - + src/pins/sss/clevis-encrypt-sss.1.adoc | 1 - + 5 files changed, 45 deletions(-) + +diff --git a/README.md b/README.md +index ce8def1..d57339a 100644 +--- a/README.md ++++ b/README.md +@@ -58,27 +58,6 @@ advertisement is stored, or the JSON contents of the advertisment itself. When + the advertisment is specified manually like this, Clevis presumes that the + advertisement is trusted. + +-#### PIN: HTTP +- +-Clevis also ships a pin for performing escrow using HTTP. Please note that, +-at this time, this pin does not provide HTTPS support and is suitable only +-for use over local sockets. This provides integration with services like +-[Custodia](http://github.com/latchset/custodia). +- +-For example: +- +-```bash +-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe +-``` +- +-The HTTP pin generate a new (cryptographically-strong random) key and performs +-encryption using it. It then performs a PUT request to the URL specified. It is +-understood that the server will securely store this key for later retrieval. +-During decryption, the pin will perform a GET request to retrieve the key and +-perform decryption. +- +-Patches to provide support for HTTPS and authentication are welcome. +- + #### PIN: TPM2 + + Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) +diff --git a/src/clevis.1.adoc b/src/clevis.1.adoc +index 756aba5..dea0a69 100644 +--- a/src/clevis.1.adoc ++++ b/src/clevis.1.adoc +@@ -21,26 +21,6 @@ take a policy as its first argument and plaintext on standard input and to + encrypt the data so that it can be automatically decrypted if the policy is + met. Lets walk through an example. + +-== HTTP ESCROW +- +-When using the HTTP pin, we create a new, cryptographically-strong, random key. +-This key is stored in a remote HTTP escrow server (using a simple PUT or POST). +-Then at decryption time, we attempt to fetch the key back again in order to +-decrypt our data. So, for our configuration we need to pass the URL to the key +-location: +- +- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE +- +-To decrypt the data, simply provide the ciphertext (JWE): +- +- $ clevis decrypt < JWE > PLAINTEXT +- +-Notice that we did not pass any configuration during decryption. The decrypt +-command extracted the URL (and possibly other configuration) from the JWE +-object, fetched the encryption key from the escrow and performed decryption. +- +-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)]. +- + == TANG BINDING + + Clevis provides support for the Tang network binding server. Tang provides +@@ -136,7 +116,6 @@ For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]. + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], +diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc +index 9f3a880..0d649e3 100644 +--- a/src/luks/clevis-luks-bind.1.adoc ++++ b/src/luks/clevis-luks-bind.1.adoc +@@ -61,7 +61,6 @@ The images cannot be shared without also sharing a master key. + == SEE ALSO + + link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)], +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 119762e..48aea5b 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -36,7 +36,6 @@ install() { + inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" + + inst_multiple /etc/services \ +- clevis-decrypt-http \ + clevis-decrypt-tang \ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ +diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc +index d46498d..7144e7e 100644 +--- a/src/pins/sss/clevis-encrypt-sss.1.adoc ++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc +@@ -54,6 +54,5 @@ receive key fragments. + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +-- +2.27.0 + diff --git a/backport-Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch b/backport-Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch new file mode 100644 index 0000000..5f5fd50 --- /dev/null +++ b/backport-Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch @@ -0,0 +1,49 @@ +From 34658590e45ab85f6008379d9433406a5c7fd914 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Wed, 7 Nov 2018 15:12:17 +0100 +Subject: [PATCH] Install cryptsetup and tpm2_pcrlist in the initramfs + +The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes +automatic LUKS unlocking fail with the following errors: + +dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found +dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found + +Suggested-by: Federico Chiacchiaretta + +Fixes: #74 +--- + src/luks/systemd/dracut/module-setup.sh.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 48aea5b..41e7d6c 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -40,6 +40,7 @@ install() { + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ + clevis-decrypt \ ++ cryptsetup \ + luksmeta \ + clevis \ + mktemp \ +@@ -49,6 +50,7 @@ install() { + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load; do + +@@ -60,6 +62,7 @@ install() { + if (($ret == 0)); then + inst_multiple clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load + fi +-- +2.27.0 + diff --git a/clevis.spec b/clevis.spec index 823dd43..859f9b0 100644 --- a/clevis.spec +++ b/clevis.spec @@ -1,12 +1,16 @@ Name: clevis Version: 11 -Release: 4 +Release: 5 Summary: A plugable framework for automated decryption License: GPLv3+ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz +Patch1: backport-Delete-remaining-references-to-the-removed-http-pin.patch +Patch2: backport-Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch +Patch3: backport-Add-device-TCTI-library-to-the-initramfs.patch + BuildRequires: meson cmake jansson jose pkgconfig libjose-devel gdb asciidoc gcc openssl-devel BuildRequires: desktop-file-utils libudisks2-devel audit-libs-devel tang dracut pkgconfig BuildRequires: bash-completion tpm2-tools luksmeta libluksmeta-devel ninja-build systemd curl @@ -93,6 +97,11 @@ desktop-file-validate %{buildroot}%{_sysconfdir}/xdg/autostart/%{name}-luks-udis %{_mandir}/man* %changelog +* Sat Dec 12 2020 Liquor - 11-5 +- Delete remaining references to the removed http pin + Install cryptsetup and tpm2_pcrlist in the initramfs + Add device TCTI library to the initramfs + * Mon May 25 2020 openEuler Buildteam - 11-4 - Rebuild for clevis