[arch-commits] Commit in (6 files)

Jonas Witschel diabonas at archlinux.org
Thu Oct 10 16:30:52 UTC 2019


    Date: Thursday, October 10, 2019 @ 16:30:51
  Author: diabonas
Revision: 514478

Move clevis 11 from the AUR to [community]

Added:
  clevis/
  clevis/repos/
  clevis/trunk/
  clevis/trunk/PKGBUILD
  clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch
  clevis/trunk/clevis-11-gh-115-ncat.patch

-------------------------------------+
 PKGBUILD                            |   54 ++++++
 clevis-11-gh-114-tpm2-tools-4.patch |  299 ++++++++++++++++++++++++++++++++++
 clevis-11-gh-115-ncat.patch         |   54 ++++++
 3 files changed, 407 insertions(+)

Added: clevis/trunk/PKGBUILD
===================================================================
--- clevis/trunk/PKGBUILD	                        (rev 0)
+++ clevis/trunk/PKGBUILD	2019-10-10 16:30:51 UTC (rev 514478)
@@ -0,0 +1,54 @@
+# Maintainer: Jonas Witschel <diabonas at archlinux.org>
+pkgname=clevis
+pkgver=11
+pkgrel=6
+pkgdesc='Automated Encryption Framework'
+arch=('x86_64')
+url='https://github.com/latchset/clevis'
+license=('GPL3')
+depends=('bash' 'jose')
+makedepends=('meson' 'asciidoc' 'bash-completion' 'dracut' 'libpwquality'
+             'luksmeta' 'tpm2-tools' 'udisks2')
+checkdepends=('tang')
+optdepends=('cryptsetup: LUKS unlocker support'
+            'curl: Tang pin support'
+            'dracut: dracut unlocker support'
+            'libpwquality: LUKS unlocker support'
+            'luksmeta: LUKS and UDisks2 unlocker support'
+            'nmap: dracut unlocker support'
+            'tpm2-tools: TPM2 pin support'
+            'udisks2: UDisks2 unlocker support')
+source=("$url/releases/download/v$pkgver/$pkgname-$pkgver.tar.xz"
+        "clevis-gh-81-dracut-fixes.patch::$url/pull/81.patch"
+        'clevis-11-gh-115-ncat.patch'
+        'clevis-11-gh-114-tpm2-tools-4.patch')
+sha512sums=('f15033a27f662986c48ca36390d3b0f127bc691b3cd7a35d437db2e2b123f8bbebd6385d799620b11f42db0d279a2030d5bf69e55e96a584800393bf47a00368'
+            'ab159ff8de8bc6ffa804cb258e53a7960fbdb016d5b63d872e0e30ac3575765a1380e932fcfb8f694a0c9563bc8ee7d72bf2618eb854b4280b8dc88e65451f40'
+            'f98e700fa33c86aa7589c18a13e8c1248c1d8346dc05c17eee5b5f284f6537d514f917d417e1e9e65242657d4f586122b33fc3666c9557b1f00d2f154791b91c'
+            '21298b8141dd437b7cf9dc8d095bde1f54995eb2f2fd15321b4eafef1a9c9efe95ea5f188e7d67e7c306f7f489d422a866ac7bec125e200df38631bc24502af4')
+
+prepare() {
+	cd "$pkgname-$pkgver"
+	# Fix dracut module-setup.sh (GitHub PR #81)
+	patch --strip=1 --input="$srcdir/clevis-gh-81-dracut-fixes.patch"
+	# Replace nc by ncat (backport of GitHub PR #115)
+	patch --strip=1 --input="$srcdir/clevis-11-gh-115-ncat.patch"
+	# Add support for tpm2-tools 4.0 (backport of GitHub PR #114)
+	patch --strip=1 --input="$srcdir/clevis-11-gh-114-tpm2-tools-4.patch"
+}
+
+build() {
+	cd "$pkgname-$pkgver"
+	meson --prefix=/usr --libexecdir=/usr/lib --buildtype=plain build
+	ninja -C build
+}
+
+check() {
+	cd "$pkgname-$pkgver"
+	ninja -C build test
+}
+
+package() {
+	cd "$pkgname-$pkgver"
+	DESTDIR="$pkgdir" ninja -C build install
+}
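Review bot: The `"clevis-gh-81-dracut-fixes.patch::$url/pull/81.patch"` entry in `source=` fetches a pull-request patch, and GitHub regenerates that URL whenever the PR branch is rebased or amended, so it is not a fixed artifact even though its sha512 is pinned. The pinned hash turns a content change into a checksum failure rather than a silently different build, which is the right failure mode, but the reference itself is not reproducible and will break the package on the next PR update. Prefer a commit-pinned URL such as `"clevis-gh-81-dracut-fixes.patch::$url/commit/<COMMIT-SHA-PLACEHOLDER>.patch"`, or vendor the patch in trunk next to the gh-114 and gh-115 backports, which are already shipped as local files with pinned checksums.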

Added: clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch
===================================================================
--- clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch	                        (rev 0)
+++ clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch	2019-10-10 16:30:51 UTC (rev 514478)
@@ -0,0 +1,299 @@
+From 90a926a4c60d8504057ddf8800cd45d99a250262 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas at gmx.de>
+Date: Sat, 24 Aug 2019 16:43:17 +0200
+Subject: [PATCH 1/2] clevis-encrypt-tpm2: fix TPM object attributes
+
+Fix two problems with the current specification of the object
+attributes:
+
+1. According to the Trusted Platform Module Library Family 2.0
+Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,
+sensitiveDataOrigin shall not be set for data objects:
+
+NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for
+a data object so sensitiveDataOrigin is required to be CLEAR. A data
+object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes
+are CLEAR.
+
+tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'
+attribute.
+
+2. If the key is sealed against a certain PCR configuration,
+'userwithauth' needs to be clear so that the key cannot be unsealed with
+the default empty authorisation password. On the other hand, if the key
+is not sealed against a specific PCR configuration, 'userwithauth' must
+be set because there is no PCR policy to fulfil.
+
+tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified
+for tpm2_create.
+---
+ src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
+index c70187d..a7f3332 100755
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -24,7 +24,7 @@ auth="o"
+ # Algorithm type must be keyedhash for object with user provided sensitive data.
+ alg_create_key="keyedhash"
+ # Attributes for the created TPM2 object with the JWK as sensitive data.
+-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
++obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
+ 
+ function on_exit() {
+     if ! rm -rf $TMP; then
+@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then
+     fi
+ 
+     policy_options="-L $TMP/pcr.policy"
++else
++    obj_attr="$obj_attr|userwithauth"
+ fi
+ 
+ if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
+-- 
+2.23.0
+
+
+From 4cd9621c9f849d6ba9b5d175f661b242878ba43c Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas at gmx.de>
+Date: Sat, 24 Aug 2019 17:01:07 +0200
+Subject: [PATCH 2/2] pins/tpm2: add support for tpm2-tools 4.X
+
+tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of
+option names. Only the new unified environment variable TPM2TOOLS_TCTI
+is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no
+longer recognised. Determine the tpm2-tools version from the output of
+$(tpm2_createprimary -v) and switch accordingly.
+---
+ src/luks/systemd/dracut/module-setup.sh.in |  6 ++-
+ src/pins/tpm2/clevis-decrypt-tpm2          | 40 +++++++++++++-----
+ src/pins/tpm2/clevis-encrypt-tpm2          | 47 +++++++++++++++++-----
+ src/pins/tpm2/meson.build                  |  5 ++-
+ 4 files changed, 76 insertions(+), 22 deletions(-)
+
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 79fd555..fe34b1a 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -50,7 +50,6 @@ install() {
+ 
+     for cmd in clevis-decrypt-tpm2 \
+ 	tpm2_createprimary \
+-	tpm2_pcrlist \
+ 	tpm2_unseal \
+ 	tpm2_load; do
+ 
+@@ -58,13 +57,16 @@ install() {
+ 	    ((ret++))
+ 	fi
+     done
++    if ! find_binary tpm2_pcrread &>/dev/null && ! find_binary tpm2_pcrread &>/dev/null; then
++        ((ret++))
++    fi
+ 
+     if (($ret == 0)); then
+ 	inst_multiple clevis-decrypt-tpm2 \
+ 	    tpm2_createprimary \
+-	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
++	inst_multiple -o tpm2_pcrread tpm2_pcrlist
+ 	inst_libdir_file "libtss2-tcti-device.so*"
+     fi
+ 
+diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
+index 4fc1c58..78a07e8 100755
+--- a/src/pins/tpm2/clevis-decrypt-tpm2
++++ b/src/pins/tpm2/clevis-decrypt-tpm2
+@@ -37,16 +37,22 @@ if [ -t 0 ]; then
+     exit 1
+ fi
+ 
+-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
++TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3" >&2
++match='version="(.)\.'
++[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
++if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
++    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
+     exit 1
+ fi
+ 
++# Old environment variables for tpm2-tools 3.0
+ export TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+ 
++# New environment variable for tpm2-tools >= 3.1
++export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
++
+ if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
+     echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
+     exit 1
+@@ -98,9 +104,10 @@ trap 'on_exit' EXIT
+ 
+ pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true
+ 
++pcr_spec=''
+ if [ -n "$pcr_ids" ]; then
+     pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"`
+-    policy_options="-L $pcr_bank:$pcr_ids"
++    pcr_spec="$pcr_bank:$pcr_ids"
+ fi
+ 
+ if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then
+@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then
+     exit 1
+ fi
+ 
+-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \
+-     -C $TMP/primary.context 2>/dev/null; then
++case "$TPM2TOOLS_VERSION" in
++    3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
++    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    *) fail=1;;
++esac
++if [ -n "$fail" ]; then
+     echo "Creating TPM2 primary key failed!" >&2
+     exit 1
+ fi
+ 
+-if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \
+-     -C $TMP/load.context 2>/dev/null; then
++case "$TPM2TOOLS_VERSION" in
++    3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
++                 -C "$TMP"/load.context || fail=$?;;
++    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
++                 -c "$TMP"/load.context || fail=$?;;
++    *) fail=1;;
++esac
++if [ -n "$fail" ]; then
+     echo "Loading jwk to TPM2 failed!" >&2
+     exit 1
+ fi
+ 
+-if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
++case "$TPM2TOOLS_VERSION" in
++    3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
++    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
++    *) fail=1;;
++esac
++if [ -n "$fail" ]; then
+     echo "Unsealing jwk from TPM failed!" >&2
+     exit 1
+ fi
+diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
+index a7f3332..d48806d 100755
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -59,16 +59,22 @@ if [ -t 0 ]; then
+     exit 1
+ fi
+ 
+-TPM2TOOLS_INFO=`tpm2_pcrlist -v`
++TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3" >&2
++match='version="(.)\.'
++[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
++if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
++    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
+     exit 1
+ fi
+ 
++# Old environment variables for tpm2-tools 3.0
+ export TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
+ 
++# New environment variable for tpm2-tools >= 3.1
++export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
++
+ if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
+     echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
+     exit 1
+@@ -106,14 +112,24 @@ fi
+ 
+ trap 'on_exit' EXIT
+ 
+-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
++case "$TPM2TOOLS_VERSION" in
++    3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
++    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    *) fail=1;;
++esac
++if [ -n "$fail" ]; then
+     echo "Creating TPM2 primary key failed!" >&2
+     exit 1
+ fi
+ 
+ if [ -n "$pcr_ids" ]; then
+     if [ -z "$pcr_digest" ]; then
+-        if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
++        case "$TPM2TOOLS_VERSION" in
++            3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
++            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
++            *) fail=1;;
++        esac
++        if [ -n "$fail" ]; then
+             echo "Creating PCR hashes file failed!" >&2
+             exit 1
+         fi
+@@ -124,18 +140,31 @@ if [ -n "$pcr_ids" ]; then
+         fi
+     fi
+ 
+-    if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
++    case "$TPM2TOOLS_VERSION" in
++        3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
++                             -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
++        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
++                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
++        *) fail=1;;
++    esac
++    if [ -n "$fail" ]; then
+         echo "create policy fail, please check the environment or parameters!"
+         exit 1
+     fi
+ 
+-    policy_options="-L $TMP/pcr.policy"
++    policy_options+=(-L "$TMP/pcr.policy")
+ else
+     obj_attr="$obj_attr|userwithauth"
+ fi
+ 
+-if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
+-     -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
++case "$TPM2TOOLS_VERSION" in
++    3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
++                   -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
++    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
++                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
++    *) fail=1;;
++esac
++if [ -n "$fail" ]; then
+     echo "Creating TPM2 object for jwk failed!" >&2
+     exit 1
+ fi
+diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build
+index 8121ec4..4041a9a 100644
+--- a/src/pins/tpm2/meson.build
++++ b/src/pins/tpm2/meson.build
+@@ -1,8 +1,9 @@
+-cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal']
++cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'],
++        'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal']
+ 
+ all = true
+ foreach cmd : cmds
+-  all = all and find_program('tpm2_' + cmd, required: false).found()
++  all = all and find_program(cmd, required: false).found()
+ endforeach
+ 
+ if all
+-- 
+2.23.0
+
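Review bot: In the embedded module-setup.sh.in hunk, the added line `if ! find_binary tpm2_pcrread &>/dev/null && ! find_binary tpm2_pcrread &>/dev/null; then` tests `tpm2_pcrread` twice, so on a tpm2-tools 3.x host that ships only `tpm2_pcrlist` the condition is true, `ret` is incremented, and the `(($ret == 0))` branch skips installing the tpm2 tools and `libtss2-tcti-device.so*` into the initramfs, leaving the dracut unlocker unable to unseal at boot; the second test was presumably meant to be `tpm2_pcrlist`, i.e. `if ! find_binary tpm2_pcrread &>/dev/null && ! find_binary tpm2_pcrlist &>/dev/null; then`. Separately, the version detection `match='version="(.)\.'` in both clevis-decrypt-tpm2 and clevis-encrypt-tpm2 captures exactly one character, so a two-digit major version would be read as its first digit and fail the `3`/`4` check with a misleading message; `match='version="([0-9]+)\.'` keeps the check meaningful. Since this file is a backport, both fixes belong in the patch file here and upstream. The enclosing install() function and the pin scripts extend beyond the quoted context lines.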

Added: clevis/trunk/clevis-11-gh-115-ncat.patch
===================================================================
--- clevis/trunk/clevis-11-gh-115-ncat.patch	                        (rev 0)
+++ clevis/trunk/clevis-11-gh-115-ncat.patch	2019-10-10 16:30:51 UTC (rev 514478)
@@ -0,0 +1,54 @@
+From 78019b9ce50c84ac9511072a004fea533841ed01 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas at gmx.de>
+Date: Thu, 29 Aug 2019 11:22:47 +0200
+Subject: [PATCH] clevis-luks-askpass: replace nc by ncat
+
+nc is assumed to be ncat from Nmap for the --send-only option to work.
+This assumption holds true on Fedora, where nc is a symbolic link to
+ncat, while other distributions only ship the binary with the original
+upstream name. Replacing the name makes it clearer which version of nc
+is expected and improves compatibility with other distributions while
+retaining compatibility with Fedora.
+---
+ src/luks/systemd/clevis-luks-askpass       | 4 ++--
+ src/luks/systemd/dracut/module-setup.sh.in | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
+index b01d93a..0903cd0 100755
+--- a/src/luks/systemd/clevis-luks-askpass
++++ b/src/luks/systemd/clevis-luks-askpass
+@@ -59,7 +59,7 @@ while true; do
+                 metadata=true
+ 
+                 if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
+-                    echo -n "+$pt" | nc -U -u --send-only "$s"
++                    echo -n "+$pt" | ncat -U -u --send-only "$s"
+                     unlocked=true
+                     break
+                 fi
+@@ -72,7 +72,7 @@ while true; do
+                 metadata=true
+ 
+                 if pt=`echo -n "$jwe" | clevis decrypt`; then
+-                    echo -n "+$pt" | nc -U -u --send-only "$s"
++                    echo -n "+$pt" | ncat -U -u --send-only "$s"
+                     unlocked=true
+                     break
+                 fi
+diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
+index 990bf4a..79fd555 100755
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -46,7 +46,7 @@ install() {
+         mktemp \
+         curl \
+         jose \
+-        nc
++        ncat
+ 
+     for cmd in clevis-decrypt-tpm2 \
+ 	tpm2_createprimary \
+-- 
+2.23.0
+


