git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Browse Source

Cherry-pick dropping of ncat

Christoph Biedl 3 years ago
parent
92e15fc9ac
commit
b308e0f7d4
4 changed files with 242 additions and 2 deletions
Split View Show Diff Stats
  1. 0 1
      debian/control
  2. 240 0
      debian/patches/cherry-pick.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch
  3. 1 0
      debian/patches/series
  4. 1 1
      debian/patches/upstream.embed-more-programs-in-initram.patch

+ 0 - 1
debian/control
View File 

@@ -94,7 +94,6 @@ Package: clevis-systemd
 
 Architecture: linux-any
 
 Depends: ${misc:Depends},
 
     clevis-luks (= ${binary:Version}),
 
-    ncat,
 
     systemd,
 
 Description: systemd integration for clevis
 
  Clevis is a plugable framework for automated decryption. This package

+ 240 - 0
debian/patches/cherry-pick.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch
View File 

@@ -0,0 +1,240 @@
 
+Subject: Systemd: drop ncat dependency
 
+Origin: v15-5-g9cdd041 <https://github.com/latchset/clevis/commit/v15-5-g9cdd041>
 
+Upstream-Author: Sergio Correia <scorreia@redhat.com>
 
+Date: Wed Dec 2 20:53:48 2020 -0300
 
+
 
+    When using systemd, i.e., clevis-luks-askpass, we use ncat to send
 
+    the decrypted password to the systemd socket as per systemd's password
 
+    agents specification [1].
 
+
 
+    However, systemd itself has a utility that does exactly that,
 
+    systemd-reply-password.
 
+
 
+    In this commit we drop the ncat dependency and instead use
 
+    systemd-reply-password in clevis-luks-askpass.
 
+
 
+    [1] https://systemd.io/PASSWORD_AGENTS/
 
+
 
+--- a/INSTALL.md
 
++++ b/INSTALL.md
 
+@@ -22,7 +22,6 @@
 
+ * [tang](https://github.com/latchset/tang)
 
+ * [curl](https://github.com/curl/curl)
 
+ * [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)
 
+-* [ncat](https://nmap.org/ncat/) (for clevis-luks-askpass)
 
+ 
+ ### Fedora
 
+ 
+--- a/src/luks/systemd/clevis-luks-askpass
 
++++ /dev/null
 
+@@ -1,76 +0,0 @@
 
+-#!/bin/bash
 
+-set -eu
 
+-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 
+-#
 
+-# Copyright (c) 2016 Red Hat, Inc.
 
+-# Author: Harald Hoyer <harald@redhat.com>
 
+-# Author: Nathaniel McCallum <npmccallum@redhat.com>
 
+-#
 
+-# This program is free software: you can redistribute it and/or modify
 
+-# it under the terms of the GNU General Public License as published by
 
+-# the Free Software Foundation, either version 3 of the License, or
 
+-# (at your option) any later version.
 
+-#
 
+-# This program is distributed in the hope that it will be useful,
 
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
+-# GNU General Public License for more details.
 
+-#
 
+-# You should have received a copy of the GNU General Public License
 
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+-#
 
+-
 
+-. clevis-luks-common-functions
 
+-
 
+-# Make sure to exit cleanly if SIGTERM is received.
 
+-trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
 
+-
 
+-loop=
 
+-path=/run/systemd/ask-password
 
+-while getopts ":lp:" o; do
 
+-    case "${o}" in
 
+-    l) loop=true;;
 
+-    p) path="${OPTARG}";;
 
+-    *) ;;
 
+-    esac
 
+-done
 
+-
 
+-while true; do
 
+-    for question in "${path}"/ask.*; do
 
+-        # question will expand to itself, in case no files match, so we verify
 
+-        # whether it actually exists, before proceeding.
 
+-        [ ! -e "${question}" ] && continue
 
+-
 
+-        d=
 
+-        s=
 
+-        while read -r line; do
 
+-            case "$line" in
 
+-                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
 
+-                Socket=*) s="${line##Socket=}";;
 
+-            esac
 
+-        done < "$question"
 
+-
 
+-        [ -b "${d}" ] || continue
 
+-        [ -S "${s}" ] || continue
 
+-
 
+-        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
 
+-            continue
 
+-        fi
 
+-
 
+-        uuid="$(cryptsetup luksUUID "${d}")"
 
+-        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
 
+-            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
 
+-            continue
 
+-        fi
 
+-
 
+-        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
 
+-    done
 
+-
 
+-    [ "${loop}" != true ] && break
 
+-    # Checking for pending devices to be unlocked.
 
+-    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
 
+-        break;
 
+-    fi
 
+-
 
+-    sleep 0.5
 
+-done
 
+--- /dev/null
 
++++ b/src/luks/systemd/clevis-luks-askpass.in
 
+@@ -0,0 +1,76 @@
 
++#!/bin/bash
 
++set -eu
 
++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
 
++#
 
++# Copyright (c) 2016 Red Hat, Inc.
 
++# Author: Harald Hoyer <harald@redhat.com>
 
++# Author: Nathaniel McCallum <npmccallum@redhat.com>
 
++#
 
++# This program is free software: you can redistribute it and/or modify
 
++# it under the terms of the GNU General Public License as published by
 
++# the Free Software Foundation, either version 3 of the License, or
 
++# (at your option) any later version.
 
++#
 
++# This program is distributed in the hope that it will be useful,
 
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
++# GNU General Public License for more details.
 
++#
 
++# You should have received a copy of the GNU General Public License
 
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
++#
 
++
 
++. clevis-luks-common-functions
 
++
 
++# Make sure to exit cleanly if SIGTERM is received.
 
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
 
++
 
++loop=
 
++path=/run/systemd/ask-password
 
++while getopts ":lp:" o; do
 
++    case "${o}" in
 
++    l) loop=true;;
 
++    p) path="${OPTARG}";;
 
++    *) ;;
 
++    esac
 
++done
 
++
 
++while true; do
 
++    for question in "${path}"/ask.*; do
 
++        # question will expand to itself, in case no files match, so we verify
 
++        # whether it actually exists, before proceeding.
 
++        [ ! -e "${question}" ] && continue
 
++
 
++        d=
 
++        s=
 
++        while read -r line; do
 
++            case "$line" in
 
++                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
 
++                Socket=*) s="${line##Socket=}";;
 
++            esac
 
++        done < "$question"
 
++
 
++        [ -b "${d}" ] || continue
 
++        [ -S "${s}" ] || continue
 
++
 
++        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
 
++            continue
 
++        fi
 
++
 
++        uuid="$(cryptsetup luksUUID "${d}")"
 
++        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
 
++            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
 
++            continue
 
++        fi
 
++
 
++        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
 
++    done
 
++
 
++    [ "${loop}" != true ] && break
 
++    # Checking for pending devices to be unlocked.
 
++    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
 
++        break;
 
++    fi
 
++
 
++    sleep 0.5
 
++done
 
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
 
++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
 
+@@ -36,6 +36,7 @@
 
+ 
+     inst_multiple \
 
+         /etc/services \
 
++        @SYSTEMD_REPLY_PASS@ \
 
+         @libexecdir@/clevis-luks-askpass \
 
+         clevis-luks-common-functions \
 
+         grep sed cut \
 
+@@ -45,8 +46,7 @@
 
+         luksmeta \
 
+         clevis \
 
+         mktemp \
 
+-        jose \
 
+-        ncat
 
++        jose
 
+ 
+     dracut_need_initqueue
 
+ }
 
+--- a/src/luks/systemd/meson.build
 
++++ b/src/luks/systemd/meson.build
 
+@@ -1,6 +1,15 @@
 
+ systemd = dependency('systemd', required: false)
 
+ 
+-if systemd.found()
 
++sd_reply_pass = find_program(
 
++  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
 
++  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
 
++  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
 
++  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
 
++  required: false
 
++)
 
++
 
++if systemd.found() and sd_reply_pass.found()
 
++  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
 
+   subdir('dracut')
 
+ 
+   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
 
+@@ -12,8 +21,14 @@
 
+     configuration: data,
 
+   )
 
+ 
++  configure_file(
 
++    input: 'clevis-luks-askpass.in',
 
++    output: 'clevis-luks-askpass',
 
++    install_dir: libexecdir,
 
++    configuration: data
 
++  )
 
++
 
+   install_data('clevis-luks-askpass.path', install_dir: unitdir)
 
+-  install_data('clevis-luks-askpass', install_dir: libexecdir)
 
+ else
 
+   warning('Will not install systemd support due to missing dependencies!')
 
+ endif

+ 1 - 0
debian/patches/series
View File 

@@ -1,5 +1,6 @@
 
 # cherry-picked commits. Keep in upstream's chronological order
 
 cherry-pick.v15-1-gef76951.pins-tpm2-add-support-for-tpm2-tools-5-x.patch
 
+cherry-pick.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch
 
 
 # patches for upstream
 
 upstream.use-asciidoctor-to-build-manpages.patch

+ 1 - 1
debian/patches/upstream.embed-more-programs-in-initram.patch
View File 

@@ -16,7 +16,7 @@ Last-Update: 2020-11-22
 
      tpm2_creatprimary_bin=$(find_binary "tpm2_createprimary")
 
 --- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
 
 +++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
 
-@@ -41,6 +41,7 @@
 
+@@ -42,6 +42,7 @@
 
          grep sed cut \
 
          clevis-decrypt \
 
          clevis-luks-list \