|
@@ -1,95 +0,0 @@
|
|
|
-Subject: Avoid luksmeta corruption on clevis bind (#319)
|
|
|
-Origin: v18-5-gd8a25e3 <https://github.com/latchset/clevis/commit/v18-5-gd8a25e3>
|
|
|
-Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
|
|
|
-Date: Tue Jun 15 12:51:23 2021 +0200
|
|
|
-
|
|
|
- When using long key information to be stored in luks metadata,
|
|
|
- luksmeta save is not reporting the corruption of LUKs meta.
|
|
|
- This change detects if issue occurs after luksmeta metadata save
|
|
|
- and, in that case, restores the device. Fixes #181
|
|
|
-
|
|
|
- Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
|
|
|
-
|
|
|
---- a/src/luks/clevis-luks-common-functions.in
|
|
|
-+++ b/src/luks/clevis-luks-common-functions.in
|
|
|
-@@ -448,6 +448,12 @@
|
|
|
- echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2
|
|
|
- return 1
|
|
|
- fi
|
|
|
-+
|
|
|
-+ if ! luksmeta test -d "${DEV}" 2>/dev/null >/dev/null ; then
|
|
|
-+ echo "Error detected after saving metadata to LUKSMeta slot ${SLOT}, device ${DEV}" >&2
|
|
|
-+ return 1
|
|
|
-+ fi
|
|
|
-+
|
|
|
- return 0
|
|
|
- }
|
|
|
-
|
|
|
---- /dev/null
|
|
|
-+++ b/src/luks/tests/bind-luks1-avoid-luksmeta-corruption
|
|
|
-@@ -0,0 +1,55 @@
|
|
|
-+#!/bin/bash -ex
|
|
|
-+#
|
|
|
-+# Copyright (c) 2021 Red Hat, Inc.
|
|
|
-+# Author: Sergio Arroutbi Braojos <sarroutb@redhat.com>
|
|
|
-+#
|
|
|
-+# This program is free software: you can redistribute it and/or modify
|
|
|
-+# it under the terms of the GNU General Public License as published by
|
|
|
-+# the Free Software Foundation, either version 3 of the License, or
|
|
|
-+# (at your option) any later version.
|
|
|
-+#
|
|
|
-+# This program is distributed in the hope that it will be useful,
|
|
|
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
-+# GNU General Public License for more details.
|
|
|
-+#
|
|
|
-+# You should have received a copy of the GNU General Public License
|
|
|
-+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
-+#
|
|
|
-+
|
|
|
-+TEST=$(basename "${0}")
|
|
|
-+. tests-common-functions
|
|
|
-+
|
|
|
-+on_exit() {
|
|
|
-+ [ ! -d "${TMP}" ] && return 0
|
|
|
-+ tang_stop "${TMP}"
|
|
|
-+ rm -rf "${TMP}"
|
|
|
-+}
|
|
|
-+
|
|
|
-+trap 'on_exit' EXIT
|
|
|
-+
|
|
|
-+TMP="$(mktemp -d)"
|
|
|
-+
|
|
|
-+ADV_AMOUNT=50
|
|
|
-+
|
|
|
-+# Create LUKS1 device
|
|
|
-+DEV="${TMP}/luks1-device"
|
|
|
-+new_device "luks1" "${DEV}"
|
|
|
-+
|
|
|
-+# TANG server specifics
|
|
|
-+port=$(tang_new_random_port)
|
|
|
-+tang_run "${TMP}" "${port}"
|
|
|
-+url="http://localhost:${port}"
|
|
|
-+
|
|
|
-+# Initial binding to ensure luksmeta gets corrupted
|
|
|
-+for ADV_NU in $(seq 0 ${ADV_AMOUNT}); do
|
|
|
-+ "${TANGD_KEYGEN}" "${TMP}/db"
|
|
|
-+done
|
|
|
-+tang_new_keys "${TMP}"
|
|
|
-+
|
|
|
-+CFG=$(printf '{"url":"%s"}' "${url}")
|
|
|
-+
|
|
|
-+# At this point, luks bind must return an error. If not, test fails
|
|
|
-+if clevis luks bind -y -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
|
-+ error "${TEST}: Binding is expected to fail when given a too long adv"
|
|
|
-+fi
|
|
|
---- a/src/luks/tests/meson.build
|
|
|
-+++ b/src/luks/tests/meson.build
|
|
|
-@@ -59,6 +59,7 @@
|
|
|
-
|
|
|
- test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
|
|
|
- test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
|
|
|
-+test('bind-luks1-avoid-luksmeta-corruption', find_program('bind-luks1-avoid-luksmeta-corruption'), env: env, timeout: 60)
|
|
|
-
|
|
|
- # LUKS2 tests go here, and they get included if we get support for it, based
|
|
|
- # on the cryptsetup version.
|