From 972a32ed4d4d7253c82b8ce74718c771f1007c89 Mon Sep 17 00:00:00 2001
From: Liquor <1692257904@qq.com>
Date: Mon, 14 Dec 2020 19:25:46 +0800
Subject: [PATCH] Drop hard requirement on networking
---
 ...t-dracut-drop-rd.neednet-1-injection.patch | 74 +++++++++++++++++++
 ...temd-add-Documentation-keys-to-units.patch | 36 +++++++++
 ...-drop-hard-requirement-on-networking.patch | 59 +++++++++++++++
 ...-systemd-reword-Description-of-units.patch | 39 ++++++++++
 clevis.spec | 9 ++-
 5 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 backport-dracut-drop-rd.neednet-1-injection.patch
 create mode 100644 backport-systemd-add-Documentation-keys-to-units.patch
 create mode 100644 backport-systemd-drop-hard-requirement-on-networking.patch
 create mode 100644 backport-systemd-reword-Description-of-units.patch
diff --git a/backport-dracut-drop-rd.neednet-1-injection.patch b/backport-dracut-drop-rd.neednet-1-injection.patch
new file mode 100644
index 0000000..5d3d7bc
--- /dev/null
+++ b/backport-dracut-drop-rd.neednet-1-injection.patch
@@ -0,0 +1,74 @@
+From c52caeb438edb54c4c0559dfb8a349ed1f14400a Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Thu, 2 Jul 2020 11:08:56 -0400
+Subject: [PATCH] dracut: drop rd.neednet=1 injection
+
+By default, dracut builds generic initrds which by design shouldn't have
+any configuration specific to a host baked in (as opposed to so-called
+"hostonly" initrds). This property is leveraged with great success in
+immutable hosts like Fedora CoreOS and its downstream RHCOS where the
+initrd is created server-side.
+
+By unconditionally injecting `rd.neednet=1`, the clevis-pin-tang dracut
+module makes it impossible to be included into a truly generic initrd,
+where one cannot make assumptions about the network (or lack thereof,
+see #54) of the target hosts.
+
+So with a generic initrd, how can we make sure that networking is up at
+initrd time on a host which has been configured with root-on-LUKS with a
+Tang pin? By also configuring it with `rd.neednet=1` specified on the
+kernel command-line, and possibly `ip=...` to configure the network
+interfaces.
+
+This is no different from root-on-{NFS,iSCSI,NBD,...}, where one must
+use explicit kernel arguments like `root=nfs::...` or
+`root=iscsi::...` or `root=nbd::...`, all of which imply
+`rd.neednet=1` (one could imagine then a `root=tang:` type
+karg in the future which would be roughly equivalent to
+`root=UUID= rd.neednet=1`).
+
+Dracut also allows one to build host-specific initrds using the
+`-H`/`--hostonly` option, and further the ability to bake the
+command-line arguments when `--hostonly-cmdline` is provided.
+
+So a supplementary approach here would be for `install()` to only inject
+`rd.neednet=1` if using `--hostonly-cmdline` *and* somewhere along the
+root block device hierarchy, there is a Tang-pinned LUKS device. This is
+also analogous to what other dracut modules like 95nfs and 95iscsi do.
+
+However, optimizations for host-only initrds should not come before
+getting correct support for generic initrds.
+
+Closes: #54
+Closes: #206
+
+Conflict:
+Change path src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
+to path src/luks/systemd/dracut/module-setup.sh.in
+---
+ src/luks/systemd/dracut/module-setup.sh.in | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 990bf4a..b1bf9cc 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -23,15 +23,9 @@ depends() {
+ return 0
+ }
+ 
+-cmdline() {
+- echo "rd.neednet=1"
+-}
+-
+ install() {
+ local ret=0
+ 
+- cmdline > "${initdir}/etc/cmdline.d/99clevis.conf"
+-
+ inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+ inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+ 
+-- 
+2.27.0
+
diff --git a/backport-systemd-add-Documentation-keys-to-units.patch b/backport-systemd-add-Documentation-keys-to-units.patch
new file mode 100644
index 0000000..17e048c
--- /dev/null
+++ b/backport-systemd-add-Documentation-keys-to-units.patch
@@ -0,0 +1,36 @@
+From b6d53c7279e71a6f5c47e32cb5f69944bf513055 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Thu, 2 Jul 2020 11:08:57 -0400
+Subject: [PATCH] systemd: add Documentation keys to units
+
+To be nice to users who want to learn more about these units.
+---
+ src/luks/systemd/clevis-luks-askpass.path | 1 +
+ src/luks/systemd/clevis-luks-askpass.service.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.path b/src/luks/systemd/clevis-luks-askpass.path
+index 5696786..89e0aed 100644
+--- a/src/luks/systemd/clevis-luks-askpass.path
++++ b/src/luks/systemd/clevis-luks-askpass.path
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=Clevis systemd-ask-password Watcher
++Documentation=man:clevis-luks-unlockers(7)
+ DefaultDependencies=no
+ Before=cryptsetup-pre.target
+ Wants=cryptsetup-pre.target
+diff --git a/src/luks/systemd/clevis-luks-askpass.service.in b/src/luks/systemd/clevis-luks-askpass.service.in
+index f1908d5..458389f 100644
+--- a/src/luks/systemd/clevis-luks-askpass.service.in
++++ b/src/luks/systemd/clevis-luks-askpass.service.in
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=Clevis LUKS systemd-ask-password Responder
++Documentation=man:clevis-luks-unlockers(7)
+ DefaultDependencies=no
+ 
+ [Service]
+-- 
+2.27.0
+
diff --git a/backport-systemd-drop-hard-requirement-on-networking.patch b/backport-systemd-drop-hard-requirement-on-networking.patch
new file mode 100644
index 0000000..2185ec1
--- /dev/null
+++ b/backport-systemd-drop-hard-requirement-on-networking.patch
@@ -0,0 +1,59 @@
+From ba8fab247cd075e4ef882171774f67f33ce17d76 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Thu, 2 Jul 2020 11:08:55 -0400
+Subject: [PATCH] systemd: drop hard requirement on networking
+
+Whether we need networking or not for unlocking an encrypted block
+device is a property of the block device in question. This is expressed
+in `/etc/crypttab` via the `_netdev` option. For example, the systemd
+cryptsetup generator[1] picks up on this and correctly orders unlocking
+of devices that need networking after `remote-fs-pre.target`.
+
+Thus, we shouldn't need to unconditionally require and order ourselves
+after networking comes up. Let whatever interprets `/etc/crypttab` take
+care of this.
+
+Add `DefaultDependencies=no` because we need to be able to run well
+before `sysinit.target`.
+
+[1] https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
+---
+ src/luks/systemd/clevis-luks-askpass.path | 7 ++++---
+ src/luks/systemd/clevis-luks-askpass.service.in | 3 +--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.path b/src/luks/systemd/clevis-luks-askpass.path
+index a4d01ba..5696786 100644
+--- a/src/luks/systemd/clevis-luks-askpass.path
++++ b/src/luks/systemd/clevis-luks-askpass.path
+@@ -1,10 +1,11 @@
+ [Unit]
+ Description=Clevis systemd-ask-password Watcher
+-Before=remote-fs-pre.target
+-Wants=remote-fs-pre.target
++DefaultDependencies=no
++Before=cryptsetup-pre.target
++Wants=cryptsetup-pre.target
+ 
+ [Path]
+ PathChanged=/run/systemd/ask-password
+ 
+ [Install]
+-WantedBy=remote-fs.target
++WantedBy=cryptsetup.target
+diff --git a/src/luks/systemd/clevis-luks-askpass.service.in b/src/luks/systemd/clevis-luks-askpass.service.in
+index 2c6bbed..f1908d5 100644
+--- a/src/luks/systemd/clevis-luks-askpass.service.in
++++ b/src/luks/systemd/clevis-luks-askpass.service.in
+@@ -1,7 +1,6 @@
+ [Unit]
+ Description=Clevis LUKS systemd-ask-password Responder
+-Requires=network-online.target
+-After=network-online.target
++DefaultDependencies=no
+ 
+ [Service]
+ Type=oneshot
+-- 
+2.27.0
+
diff --git a/backport-systemd-reword-Description-of-units.patch b/backport-systemd-reword-Description-of-units.patch
new file mode 100644
index 0000000..a9235b3
--- /dev/null
+++ b/backport-systemd-reword-Description-of-units.patch
@@ -0,0 +1,39 @@
+From fa30660f4875adf4675faf3c1d8cff05fc79bafe Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Thu, 2 Jul 2020 11:08:58 -0400
+Subject: [PATCH] systemd: reword Description of units
+
+Let's match the description style that systemd itself uses for their
+password agents (see e.g. `systemd-ask-password-wall.{path,service}`).
+Keeping it uniform makes it more obvious that it's the exact same setup
+without having to look inside it.
+---
+ src/luks/systemd/clevis-luks-askpass.path | 2 +-
+ src/luks/systemd/clevis-luks-askpass.service.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.path b/src/luks/systemd/clevis-luks-askpass.path
+index 89e0aed..910cf17 100644
+--- a/src/luks/systemd/clevis-luks-askpass.path
++++ b/src/luks/systemd/clevis-luks-askpass.path
+@@ -1,5 +1,5 @@
+ [Unit]
+-Description=Clevis systemd-ask-password Watcher
++Description=Forward Password Requests to Clevis Directory Watch
+ Documentation=man:clevis-luks-unlockers(7)
+ DefaultDependencies=no
+ Before=cryptsetup-pre.target
+diff --git a/src/luks/systemd/clevis-luks-askpass.service.in b/src/luks/systemd/clevis-luks-askpass.service.in
+index 458389f..6c8cb32 100644
+--- a/src/luks/systemd/clevis-luks-askpass.service.in
++++ b/src/luks/systemd/clevis-luks-askpass.service.in
+@@ -1,5 +1,5 @@
+ [Unit]
+-Description=Clevis LUKS systemd-ask-password Responder
++Description=Forward Password Requests to Clevis
+ Documentation=man:clevis-luks-unlockers(7)
+ DefaultDependencies=no
+ 
+-- 
+2.27.0
+
diff --git a/clevis.spec b/clevis.spec
index 859f9b0..8b01a77 100644
--- a/clevis.spec
+++ b/clevis.spec
@@ -1,6 +1,6 @@
 Name: clevis
 Version: 11
-Release: 5
+Release: 6
 Summary: A plugable framework for automated decryption
 License: GPLv3+
@@ -10,6 +10,10 @@ Source0: https://github.com/latchset/%{name}/releases/download/v%{version}
 Patch1: backport-Delete-remaining-references-to-the-removed-http-pin.patch
 Patch2: backport-Install-cryptsetup-and-tpm2_pcrlist-in-the-initramfs.patch
 Patch3: backport-Add-device-TCTI-library-to-the-initramfs.patch
+Patch4: backport-systemd-drop-hard-requirement-on-networking.patch
+Patch5: backport-dracut-drop-rd.neednet-1-injection.patch
+Patch6: backport-systemd-add-Documentation-keys-to-units.patch
+Patch7: backport-systemd-reword-Description-of-units.patch
 BuildRequires: meson cmake jansson jose pkgconfig libjose-devel gdb asciidoc gcc openssl-devel
 BuildRequires: desktop-file-utils libudisks2-devel audit-libs-devel tang dracut pkgconfig
@@ -97,6 +101,9 @@ desktop-file-validate %{buildroot}%{_sysconfdir}/xdg/autostart/%{name}-luks-udis
 %{_mandir}/man*
 
 %changelog
+* Mon Dec 14 2020 Liquor - 11-6
+- Drop hard requirement on networking
+
 * Sat Dec 12 2020 Liquor - 11-5
 - Delete remaining references to the removed http pin
 Install cryptsetup and tpm2_pcrlist in the initramfs
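Review bot: The 11-6 changelog entry in the last hunk does not tell administrators about the operational change these backports carry: Patch5 stops writing `rd.neednet=1` into `${initdir}/etc/cmdline.d/99clevis.conf`, and Patch4 drops `Requires=network-online.target`/`After=network-online.target` from the askpass service, so a host that unlocks a Tang-pinned LUKS volume from the initramfs now depends on the administrator putting `rd.neednet=1` (and, where needed, `ip=...`) on the kernel command line and `_netdev` in `/etc/crypttab`, as the backported commit messages themselves state. I would extend the entry to `- Drop hard requirement on networking (Tang unlock from the initramfs now needs rd.neednet=1 on the kernel command line and _netdev in /etc/crypttab)` so the regression risk is visible at update time. Patch4–Patch7 are only declared in the second hunk; if %prep applies patches with numbered %patch lines rather than %autosetup, it needs matching entries, which this diff does not show. The declared order 4,5,6,7 matches the upstream commit order and keeps the contexts of Patch6 and Patch7 (which expect Patch4's and Patch6's lines respectively) valid.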