[arch-commits] Commit in clevis/trunk (3 files)
Jonas Witschel
diabonas at archlinux.org
Mon Jan 20 13:27:37 UTC 2020
Date: Monday, January 20, 2020 @ 13:27:36
Author: diabonas
Revision: 553212
upgpkg: clevis 12-1: upstream release
Modified:
clevis/trunk/PKGBUILD
Deleted:
clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch
clevis/trunk/clevis-11-gh-115-ncat.patch
-------------------------------------+
PKGBUILD | 28 ---
clevis-11-gh-114-tpm2-tools-4.patch | 299 ----------------------------------
clevis-11-gh-115-ncat.patch | 54 ------
3 files changed, 7 insertions(+), 374 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-01-20 13:13:59 UTC (rev 553211)
+++ PKGBUILD 2020-01-20 13:27:36 UTC (rev 553212)
@@ -1,7 +1,7 @@
# Maintainer: Jonas Witschel <diabonas at archlinux.org>
pkgname=clevis
-pkgver=11
-pkgrel=6
+pkgver=12
+pkgrel=1
pkgdesc='Automated Encryption Framework'
arch=('x86_64')
url='https://github.com/latchset/clevis'
@@ -18,25 +18,9 @@
'nmap: dracut unlocker support'
'tpm2-tools: TPM2 pin support'
'udisks2: UDisks2 unlocker support')
-source=("$url/releases/download/v$pkgver/$pkgname-$pkgver.tar.xz"
- "clevis-gh-81-dracut-fixes.patch::$url/pull/81.patch"
- 'clevis-11-gh-115-ncat.patch'
- 'clevis-11-gh-114-tpm2-tools-4.patch')
-sha512sums=('f15033a27f662986c48ca36390d3b0f127bc691b3cd7a35d437db2e2b123f8bbebd6385d799620b11f42db0d279a2030d5bf69e55e96a584800393bf47a00368'
- 'ab159ff8de8bc6ffa804cb258e53a7960fbdb016d5b63d872e0e30ac3575765a1380e932fcfb8f694a0c9563bc8ee7d72bf2618eb854b4280b8dc88e65451f40'
- 'f98e700fa33c86aa7589c18a13e8c1248c1d8346dc05c17eee5b5f284f6537d514f917d417e1e9e65242657d4f586122b33fc3666c9557b1f00d2f154791b91c'
- '21298b8141dd437b7cf9dc8d095bde1f54995eb2f2fd15321b4eafef1a9c9efe95ea5f188e7d67e7c306f7f489d422a866ac7bec125e200df38631bc24502af4')
+source=("$url/releases/download/v$pkgver/$pkgname-$pkgver.tar.xz")
+sha512sums=('c71144590cf2528d20892d3ef49b2b1ea948286410385b15f6a3eda01539846c7154b6396b78c0ed8a28f3056b4c3f88ff043978e5483b2ac360ee0f156f78e7')
-prepare() {
- cd "$pkgname-$pkgver"
- # Fix dracut module-setup.sh (GitHub PR #81)
- patch --strip=1 --input="$srcdir/clevis-gh-81-dracut-fixes.patch"
- # Replace nc by ncat (backport of GitHub PR #115)
- patch --strip=1 --input="$srcdir/clevis-11-gh-115-ncat.patch"
- # Add support for tpm2-tools 4.0 (backport of GitHub PR #114)
- patch --strip=1 --input="$srcdir/clevis-11-gh-114-tpm2-tools-4.patch"
-}
-
build() {
cd "$pkgname-$pkgver"
meson --prefix=/usr --libexecdir=/usr/lib --buildtype=plain build
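Review bot: With the patch files gone, the only integrity check on the new `source` entry is the `sha512sums` value on the line above, and there is no `validpgpkeys` or detached-signature entry, so the checksum only attests to whatever the maintainer downloaded when it was computed. If upstream publishes a signature for the v12 release tarball, append it to `source` next to the tarball and declare the signing key in `validpgpkeys`; if it does not, a one-line comment above `source=` saying so would tell the next maintainer that the omission is deliberate. I cannot see from this hunk whether the removed PR #81 dracut fix was merged upstream before v12; the commit message says "upstream release", so a short comment noting that the three former patches are included in v12 would make the removal of `prepare()` self-explanatory. `build()` starts at the end of this hunk and its body continues outside it.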
@@ -45,7 +29,9 @@
check() {
cd "$pkgname-$pkgver"
- ninja -C build test
+ # The LUKS tests are skipped when not running as root but work fine without
+ # actual root privileges, so use fakeroot to bypass the root check
+ fakeroot ninja -C build test
}
package() {
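Review bot: fakeroot only intercepts the ownership and uid syscalls, so the new comment above `fakeroot ninja -C build test` should say why that is enough: a LUKS test that really touched device-mapper or loop devices would now fail under fakeroot instead of being skipped as before. I cannot see the test sources from this hunk, so confirm that they gate on the uid check alone and perform no privileged operations; a sharper comment would be `# The LUKS tests gate on EUID == 0 but need no real privileges, so fakeroot satisfies that check`. Note that if a future upstream release adds a genuinely privileged test, this line turns a skip into a `check()` failure, which is worth a word in the comment. `package()` begins on the last line of this hunk and continues outside it.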
Deleted: clevis-11-gh-114-tpm2-tools-4.patch
===================================================================
--- clevis-11-gh-114-tpm2-tools-4.patch 2020-01-20 13:13:59 UTC (rev 553211)
+++ clevis-11-gh-114-tpm2-tools-4.patch 2020-01-20 13:27:36 UTC (rev 553212)
@@ -1,299 +0,0 @@
-From 90a926a4c60d8504057ddf8800cd45d99a250262 Mon Sep 17 00:00:00 2001
-From: Jonas Witschel <diabonas at gmx.de>
-Date: Sat, 24 Aug 2019 16:43:17 +0200
-Subject: [PATCH 1/2] clevis-encrypt-tpm2: fix TPM object attributes
-
-Fix two problems with the current specification of the object
-attributes:
-
-1. According to the Trusted Platform Module Library Family 2.0
-Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5,
-sensitiveDataOrigin shall not be set for data objects:
-
-NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for
-a data object so sensitiveDataOrigin is required to be CLEAR. A data
-object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes
-are CLEAR.
-
-tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin'
-attribute.
-
-2. If the key is sealed against a certain PCR configuration,
-'userwithauth' needs to be clear so that the key cannot be unsealed with
-the default empty authorisation password. On the other hand, if the key
-is not sealed against a specific PCR configuration, 'userwithauth' must
-be set because there is no PCR policy to fulfil.
-
-tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified
-for tpm2_create.
----
- src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
-index c70187d..a7f3332 100755
---- a/src/pins/tpm2/clevis-encrypt-tpm2
-+++ b/src/pins/tpm2/clevis-encrypt-tpm2
-@@ -24,7 +24,7 @@ auth="o"
- # Algorithm type must be keyedhash for object with user provided sensitive data.
- alg_create_key="keyedhash"
- # Attributes for the created TPM2 object with the JWK as sensitive data.
--obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy"
-+obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy"
-
- function on_exit() {
- if ! rm -rf $TMP; then
-@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then
- fi
-
- policy_options="-L $TMP/pcr.policy"
-+else
-+ obj_attr="$obj_attr|userwithauth"
- fi
-
- if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
---
-2.23.0
-
-
-From 4cd9621c9f849d6ba9b5d175f661b242878ba43c Mon Sep 17 00:00:00 2001
-From: Jonas Witschel <diabonas at gmx.de>
-Date: Sat, 24 Aug 2019 17:01:07 +0200
-Subject: [PATCH 2/2] pins/tpm2: add support for tpm2-tools 4.X
-
-tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of
-option names. Only the new unified environment variable TPM2TOOLS_TCTI
-is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no
-longer recognised. Determine the tpm2-tools version from the output of
-$(tpm2_createprimary -v) and switch accordingly.
----
- src/luks/systemd/dracut/module-setup.sh.in | 6 ++-
- src/pins/tpm2/clevis-decrypt-tpm2 | 40 +++++++++++++-----
- src/pins/tpm2/clevis-encrypt-tpm2 | 47 +++++++++++++++++-----
- src/pins/tpm2/meson.build | 5 ++-
- 4 files changed, 76 insertions(+), 22 deletions(-)
-
-diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
-index 79fd555..fe34b1a 100755
---- a/src/luks/systemd/dracut/module-setup.sh.in
-+++ b/src/luks/systemd/dracut/module-setup.sh.in
-@@ -50,7 +50,6 @@ install() {
-
- for cmd in clevis-decrypt-tpm2 \
- tpm2_createprimary \
-- tpm2_pcrlist \
- tpm2_unseal \
- tpm2_load; do
-
-@@ -58,13 +57,16 @@ install() {
- ((ret++))
- fi
- done
-+ if ! find_binary tpm2_pcrread &>/dev/null && ! find_binary tpm2_pcrread &>/dev/null; then
-+ ((ret++))
-+ fi
-
- if (($ret == 0)); then
- inst_multiple clevis-decrypt-tpm2 \
- tpm2_createprimary \
-- tpm2_pcrlist \
- tpm2_unseal \
- tpm2_load
-+ inst_multiple -o tpm2_pcrread tpm2_pcrlist
- inst_libdir_file "libtss2-tcti-device.so*"
- fi
-
-diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
-index 4fc1c58..78a07e8 100755
---- a/src/pins/tpm2/clevis-decrypt-tpm2
-+++ b/src/pins/tpm2/clevis-decrypt-tpm2
-@@ -37,16 +37,22 @@ if [ -t 0 ]; then
- exit 1
- fi
-
--TPM2TOOLS_INFO=`tpm2_pcrlist -v`
-+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
-
--if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
-- echo "The tpm2 pin requires tpm2-tools version 3" >&2
-+match='version="(.)\.'
-+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
-+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
-+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
- exit 1
- fi
-
-+# Old environment variables for tpm2-tools 3.0
- export TPM2TOOLS_TCTI_NAME=device
- export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
-
-+# New environment variable for tpm2-tools >= 3.1
-+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
-+
- if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
- echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
- exit 1
-@@ -98,9 +104,10 @@ trap 'on_exit' EXIT
-
- pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true
-
-+pcr_spec=''
- if [ -n "$pcr_ids" ]; then
- pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"`
-- policy_options="-L $pcr_bank:$pcr_ids"
-+ pcr_spec="$pcr_bank:$pcr_ids"
- fi
-
- if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then
-@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then
- exit 1
- fi
-
--if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \
-- -C $TMP/primary.context 2>/dev/null; then
-+case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
-+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-+ *) fail=1;;
-+esac
-+if [ -n "$fail" ]; then
- echo "Creating TPM2 primary key failed!" >&2
- exit 1
- fi
-
--if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \
-- -C $TMP/load.context 2>/dev/null; then
-+case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
-+ -C "$TMP"/load.context || fail=$?;;
-+ 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
-+ -c "$TMP"/load.context || fail=$?;;
-+ *) fail=1;;
-+esac
-+if [ -n "$fail" ]; then
- echo "Loading jwk to TPM2 failed!" >&2
- exit 1
- fi
-
--if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
-+case "$TPM2TOOLS_VERSION" in
-+ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
-+ 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
-+ *) fail=1;;
-+esac
-+if [ -n "$fail" ]; then
- echo "Unsealing jwk from TPM failed!" >&2
- exit 1
- fi
-diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
-index a7f3332..d48806d 100755
---- a/src/pins/tpm2/clevis-encrypt-tpm2
-+++ b/src/pins/tpm2/clevis-encrypt-tpm2
-@@ -59,16 +59,22 @@ if [ -t 0 ]; then
- exit 1
- fi
-
--TPM2TOOLS_INFO=`tpm2_pcrlist -v`
-+TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
-
--if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
-- echo "The tpm2 pin requires tpm2-tools version 3" >&2
-+match='version="(.)\.'
-+[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
-+if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
-+ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
- exit 1
- fi
-
-+# Old environment variables for tpm2-tools 3.0
- export TPM2TOOLS_TCTI_NAME=device
- export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
-
-+# New environment variable for tpm2-tools >= 3.1
-+export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE"
-+
- if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then
- echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
- exit 1
-@@ -106,14 +112,24 @@ fi
-
- trap 'on_exit' EXIT
-
--if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then
-+case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
-+ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
-+ *) fail=1;;
-+esac
-+if [ -n "$fail" ]; then
- echo "Creating TPM2 primary key failed!" >&2
- exit 1
- fi
-
- if [ -n "$pcr_ids" ]; then
- if [ -z "$pcr_digest" ]; then
-- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then
-+ case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
-+ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
-+ *) fail=1;;
-+ esac
-+ if [ -n "$fail" ]; then
- echo "Creating PCR hashes file failed!" >&2
- exit 1
- fi
-@@ -124,18 +140,31 @@ if [ -n "$pcr_ids" ]; then
- fi
- fi
-
-- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then
-+ case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
-+ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
-+ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
-+ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
-+ *) fail=1;;
-+ esac
-+ if [ -n "$fail" ]; then
- echo "create policy fail, please check the environment or parameters!"
- exit 1
- fi
-
-- policy_options="-L $TMP/pcr.policy"
-+ policy_options+=(-L "$TMP/pcr.policy")
- else
- obj_attr="$obj_attr|userwithauth"
- fi
-
--if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \
-- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then
-+case "$TPM2TOOLS_VERSION" in
-+ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
-+ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
-+ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
-+ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
-+ *) fail=1;;
-+esac
-+if [ -n "$fail" ]; then
- echo "Creating TPM2 object for jwk failed!" >&2
- exit 1
- fi
-diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build
-index 8121ec4..4041a9a 100644
---- a/src/pins/tpm2/meson.build
-+++ b/src/pins/tpm2/meson.build
-@@ -1,8 +1,9 @@
--cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal']
-+cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'],
-+ 'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal']
-
- all = true
- foreach cmd : cmds
-- all = all and find_program('tpm2_' + cmd, required: false).found()
-+ all = all and find_program(cmd, required: false).found()
- endforeach
-
- if all
---
-2.23.0
-
Deleted: clevis-11-gh-115-ncat.patch
===================================================================
--- clevis-11-gh-115-ncat.patch 2020-01-20 13:13:59 UTC (rev 553211)
+++ clevis-11-gh-115-ncat.patch 2020-01-20 13:27:36 UTC (rev 553212)
@@ -1,54 +0,0 @@
-From 78019b9ce50c84ac9511072a004fea533841ed01 Mon Sep 17 00:00:00 2001
-From: Jonas Witschel <diabonas at gmx.de>
-Date: Thu, 29 Aug 2019 11:22:47 +0200
-Subject: [PATCH] clevis-luks-askpass: replace nc by ncat
-
-nc is assumed to be ncat from Nmap for the --send-only option to work.
-This assumption holds true on Fedora, where nc is a symbolic link to
-ncat, while other distributions only ship the binary with the original
-upstream name. Replacing the name makes it clearer which version of nc
-is expected and improves compatibility with other distributions while
-retaining compatibility with Fedora.
----
- src/luks/systemd/clevis-luks-askpass | 4 ++--
- src/luks/systemd/dracut/module-setup.sh.in | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass
-index b01d93a..0903cd0 100755
---- a/src/luks/systemd/clevis-luks-askpass
-+++ b/src/luks/systemd/clevis-luks-askpass
-@@ -59,7 +59,7 @@ while true; do
- metadata=true
-
- if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
-- echo -n "+$pt" | nc -U -u --send-only "$s"
-+ echo -n "+$pt" | ncat -U -u --send-only "$s"
- unlocked=true
- break
- fi
-@@ -72,7 +72,7 @@ while true; do
- metadata=true
-
- if pt=`echo -n "$jwe" | clevis decrypt`; then
-- echo -n "+$pt" | nc -U -u --send-only "$s"
-+ echo -n "+$pt" | ncat -U -u --send-only "$s"
- unlocked=true
- break
- fi
-diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in
-index 990bf4a..79fd555 100755
---- a/src/luks/systemd/dracut/module-setup.sh.in
-+++ b/src/luks/systemd/dracut/module-setup.sh.in
-@@ -46,7 +46,7 @@ install() {
- mktemp \
- curl \
- jose \
-- nc
-+ ncat
-
- for cmd in clevis-decrypt-tpm2 \
- tpm2_createprimary \
---
-2.23.0
-