
Import upstream version 10

Nathaniel McCallum 2 years ago
parent
commit
ba74221dd9

+ 6 - 1
Makefile.am

@@ -8,12 +8,17 @@ EXTRA_DIST = COPYING
 dist_man1_MANS = \
     doc/clevis-encrypt-tang.1 \
     doc/clevis-encrypt-http.1 \
-    doc/clevis-encrypt-tpm2.1 \
     doc/clevis-encrypt-sss.1 \
     doc/clevis-luks-unlock.1 \
     doc/clevis-luks-bind.1 \
+    doc/clevis-luks-unbind.1 \
     doc/clevis-decrypt.1 \
     doc/clevis.1
 
+if HAVE_TPM2_TOOLS
+    dist_man1_MANS += \
+    doc/clevis-encrypt-tpm2.1
+endif
+
 dist_man7_MANS = \
     doc/clevis-luks-unlockers.7

+ 8 - 10
Makefile.in

@@ -88,6 +88,9 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 target_triplet = @target@
+@HAVE_TPM2_TOOLS_TRUE@am__append_1 = \
+@HAVE_TPM2_TOOLS_TRUE@    doc/clevis-encrypt-tpm2.1
+
 subdir = .
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.ac
@@ -284,6 +287,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
@@ -363,16 +367,10 @@ DISTCHECK_CONFIGURE_FLAGS = \
 
 SUBDIRS = . src tests
 EXTRA_DIST = COPYING
-dist_man1_MANS = \
-    doc/clevis-encrypt-tang.1 \
-    doc/clevis-encrypt-http.1 \
-    doc/clevis-encrypt-tpm2.1 \
-    doc/clevis-encrypt-sss.1 \
-    doc/clevis-luks-unlock.1 \
-    doc/clevis-luks-bind.1 \
-    doc/clevis-decrypt.1 \
-    doc/clevis.1
-
+dist_man1_MANS = doc/clevis-encrypt-tang.1 doc/clevis-encrypt-http.1 \
+	doc/clevis-encrypt-sss.1 doc/clevis-luks-unlock.1 \
+	doc/clevis-luks-bind.1 doc/clevis-luks-unbind.1 \
+	doc/clevis-decrypt.1 doc/clevis.1 $(am__append_1)
 dist_man7_MANS = \
     doc/clevis-luks-unlockers.7
 

+ 72 - 10
configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for clevis 9.
+# Generated by GNU Autoconf 2.69 for clevis 10.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -577,8 +577,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='clevis'
 PACKAGE_TARNAME='clevis'
-PACKAGE_VERSION='9'
-PACKAGE_STRING='clevis 9'
+PACKAGE_VERSION='10'
+PACKAGE_STRING='clevis 10'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -589,6 +589,9 @@ LIBOBJS
 CLEVIS_CFLAGS
 CLEVIS_GROUP
 CLEVIS_USER
+HAVE_TPM2_TOOLS_FALSE
+HAVE_TPM2_TOOLS_TRUE
+TPM2_TOOLS
 SD_ACTIVATE
 systemdsystemunitdir
 dracutmodulesdir
@@ -1285,7 +1288,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures clevis 9 to adapt to many kinds of systems.
+\`configure' configures clevis 10 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1356,7 +1359,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of clevis 9:";;
+     short | recursive ) echo "Configuration of clevis 10:";;
    esac
   cat <<\_ACEOF
 
@@ -1489,7 +1492,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-clevis configure 9
+clevis configure 10
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1544,7 +1547,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by clevis $as_me 9, which was
+It was created by clevis $as_me 10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3768,7 +3771,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='clevis'
- VERSION='9'
+ VERSION='10'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4998,6 +5001,61 @@ fi
 
 
 
+for ac_prog in createprimary pcrlist createpolicy create load unseal; do
+    unset TPM2_TOOLS
+    unset ac_cv_prog_TPM2_TOOLS
+    # Extract the first word of "tpm2_$ac_prog", so it can be a program name with args.
+set dummy tpm2_$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_TPM2_TOOLS+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$TPM2_TOOLS"; then
+  ac_cv_prog_TPM2_TOOLS="$TPM2_TOOLS" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_TPM2_TOOLS="yes"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+fi
+fi
+TPM2_TOOLS=$ac_cv_prog_TPM2_TOOLS
+if test -n "$TPM2_TOOLS"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $TPM2_TOOLS" >&5
+$as_echo "$TPM2_TOOLS" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+    test -z "$TPM2_TOOLS" && break
+done
+
+test -n "$TPM2_TOOLS" || { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: tpm2_$ac_prog not found, tpm2 pin won't be installed" >&5
+$as_echo "$as_me: WARNING: tpm2_$ac_prog not found, tpm2 pin won't be installed" >&2;}
+
+ if test -n "$TPM2_TOOLS"; then
+  HAVE_TPM2_TOOLS_TRUE=
+  HAVE_TPM2_TOOLS_FALSE='#'
+else
+  HAVE_TPM2_TOOLS_TRUE='#'
+  HAVE_TPM2_TOOLS_FALSE=
+fi
+
+
 # Check whether --enable-user was given.
 if test "${enable_user+set}" = set; then :
   enableval=$enable_user; CLEVIS_USER="${enableval}"
@@ -5206,6 +5264,10 @@ else
   am__EXEEXT_FALSE=
 fi
 
+if test -z "${HAVE_TPM2_TOOLS_TRUE}" && test -z "${HAVE_TPM2_TOOLS_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_TPM2_TOOLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 
 : "${CONFIG_STATUS=./config.status}"
 ac_write_fail=0
@@ -5603,7 +5665,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by clevis $as_me 9, which was
+This file was extended by clevis $as_me 10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -5660,7 +5722,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-clevis config.status 9
+clevis config.status 10
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

+ 12 - 1
configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ(2.59)
-AC_INIT(clevis, 9)
+AC_INIT(clevis, 10)
 AC_CANONICAL_SYSTEM
 AC_PROG_CC_C99
 AC_PROG_RANLIB
@@ -54,6 +54,17 @@ fi
 
 AC_SUBST(SD_ACTIVATE)
 
+for ac_prog in createprimary pcrlist createpolicy create load unseal; do
+    unset TPM2_TOOLS
+    unset ac_cv_prog_TPM2_TOOLS
+    AC_CHECK_PROG([TPM2_TOOLS], [tpm2_$ac_prog], [yes])
+    test -z "$TPM2_TOOLS" && break
+done
+
+test -n "$TPM2_TOOLS" || AC_MSG_WARN([tpm2_$ac_prog not found, tpm2 pin won't be installed])
+
+AM_CONDITIONAL([HAVE_TPM2_TOOLS], [test -n "$TPM2_TOOLS"])
+
 AC_ARG_ENABLE([user],
               AS_HELP_STRING([--enable-user=USER],
                              [Set unprivileged user (default: root)]),
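Review bot: The `unset TPM2_TOOLS` and `unset ac_cv_prog_TPM2_TOOLS` at the top of the loop discard any value given on the configure command line or held in the cache, so whether the tpm2 pin is shipped depends only on what is on the build host's `PATH`. A build in a minimal chroot then yields a package without `clevis-encrypt-tpm2` and `clevis-decrypt-tpm2`, with only a warning in the configure output, which is easy to miss for a tool that unlocks disks at boot. An explicit switch would make the outcome deterministic, for example an `AC_ARG_ENABLE([tpm2], ...)` that turns a missing tool into `AC_MSG_ERROR` when the pin was requested. The loop variable `ac_prog` also sits in Autoconf's reserved `ac_` namespace; a project-local name such as `clevis_tpm2_prog` avoids clashing with macro internals.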

+ 1 - 1
doc/clevis-encrypt-tpm2.1

@@ -26,7 +26,7 @@ $\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
 .fi
 .PP
 The pin has reasonable defaults for its configuration, but a different
-hierarchy, hash, and key algorithms can be choosen if the defaults used
+hierarchy, hash, and key algorithms can be chosen if the defaults used
 are not suitable:
 .IP
 .nf

+ 34 - 0
doc/clevis-luks-unbind.1

@@ -0,0 +1,34 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "CLEVIS\-LUKS\-UNBIND" "1" "February 2018" "" ""
+.hy
+.SH NAME
+.PP
+clevis\-luks\-unbind \-\- Unbinds a pin bound to a LUKSv1 volume
+.SH SYNOPSIS
+.PP
+\f[C]clevis\ luks\ unbind\f[] \-d DEV \-s SLT
+.SH OVERVIEW
+.PP
+The \f[C]clevis\ luks\ unbind\f[] command unbinds a pin bound to a
+LUKSv1 volume.
+For example:
+.IP
+.nf
+\f[C]
+$\ clevis\ luks\ unbind\ \-d\ /dev/sda\ \-s\ 1
+\f[]
+.fi
+.SH OPTIONS
+.IP \[bu] 2
+\f[C]\-d\f[] \f[I]DEV\f[] : The bound LUKS device
+.IP \[bu] 2
+\f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot number for the pin to
+unbind
+.IP \[bu] 2
+\f[C]\-f\f[] : Do not ask for confirmation and wipe slot in batch\-mode
+.SH SEE ALSO
+.PP
+\f[C]clevis\-luks\-bind\f[](1)
+.SH AUTHORS
+Javier Martinez Canillas <javierm@redhat.com>.

+ 1 - 1
doc/clevis.1

@@ -98,7 +98,7 @@ $\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
 .fi
 .PP
 The pin has reasonable defaults for its configuration, but a different
-hierarchy, hash, and key algorithms can be choosen if the defaults used
+hierarchy, hash, and key algorithms can be chosen if the defaults used
 are not suitable.
 .PP
 Decryption also works similar to other pins, only the JWE needs to be

+ 7 - 2
src/Makefile.am

@@ -17,16 +17,21 @@ bin_PROGRAMS = \
 dist_bin_SCRIPTS = \
     clevis-encrypt-http \
     clevis-encrypt-tang \
-    clevis-encrypt-tpm2 \
     clevis-decrypt-http \
     clevis-decrypt-tang \
-    clevis-decrypt-tpm2 \
     clevis-bind-luks \
     clevis-luks-unlock \
     clevis-luks-bind \
+    clevis-luks-unbind \
     clevis-decrypt \
     clevis
 
+if HAVE_TPM2_TOOLS
+    dist_bin_SCRIPTS += \
+    clevis-encrypt-tpm2 \
+    clevis-decrypt-tpm2
+endif
+
 clevis_encrypt_sss_SOURCES = clevis-encrypt-sss.c sss.c sss.h
 clevis_decrypt_sss_SOURCES = clevis-decrypt-sss.c sss.c sss.h
 clevis_encrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@

+ 14 - 14
src/Makefile.in

@@ -91,12 +91,16 @@ build_triplet = @build@
 host_triplet = @host@
 target_triplet = @target@
 bin_PROGRAMS = clevis-encrypt-sss$(EXEEXT) clevis-decrypt-sss$(EXEEXT)
+@HAVE_TPM2_TOOLS_TRUE@am__append_1 = \
+@HAVE_TPM2_TOOLS_TRUE@    clevis-encrypt-tpm2 \
+@HAVE_TPM2_TOOLS_TRUE@    clevis-decrypt-tpm2
+
 subdir = src
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_bin_SCRIPTS) \
+DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_bin_SCRIPTS_DIST) \
 	$(dist_check_SCRIPTS) $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
@@ -111,6 +115,10 @@ am_clevis_encrypt_sss_OBJECTS = clevis-encrypt-sss.$(OBJEXT) \
 	sss.$(OBJEXT)
 clevis_encrypt_sss_OBJECTS = $(am_clevis_encrypt_sss_OBJECTS)
 clevis_encrypt_sss_DEPENDENCIES =
+am__dist_bin_SCRIPTS_DIST = clevis-encrypt-http clevis-encrypt-tang \
+	clevis-decrypt-http clevis-decrypt-tang clevis-bind-luks \
+	clevis-luks-unlock clevis-luks-bind clevis-luks-unbind \
+	clevis-decrypt clevis clevis-encrypt-tpm2 clevis-decrypt-tpm2
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -289,6 +297,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
@@ -373,19 +382,10 @@ dist_check_SCRIPTS = \
     clevis-encrypt-test \
     clevis-decrypt-test
 
-dist_bin_SCRIPTS = \
-    clevis-encrypt-http \
-    clevis-encrypt-tang \
-    clevis-encrypt-tpm2 \
-    clevis-decrypt-http \
-    clevis-decrypt-tang \
-    clevis-decrypt-tpm2 \
-    clevis-bind-luks \
-    clevis-luks-unlock \
-    clevis-luks-bind \
-    clevis-decrypt \
-    clevis
-
+dist_bin_SCRIPTS = clevis-encrypt-http clevis-encrypt-tang \
+	clevis-decrypt-http clevis-decrypt-tang clevis-bind-luks \
+	clevis-luks-unlock clevis-luks-bind clevis-luks-unbind \
+	clevis-decrypt clevis $(am__append_1)
 clevis_encrypt_sss_SOURCES = clevis-encrypt-sss.c sss.c sss.h
 clevis_decrypt_sss_SOURCES = clevis-decrypt-sss.c sss.c sss.h
 clevis_encrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@

+ 1 - 1
src/clevis-decrypt-tpm2

@@ -82,7 +82,7 @@ if ! jwk_priv=`jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- <<< "$jhd"`; the
     exit 1
 fi
 
-if ! TMP=`mktemp -d -p ~`; then
+if ! TMP=`mktemp -d`; then
     echo "Creating a temporary dir for TPM files failed!" >&2
     exit 1
 fi
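Review bot: No cleanup of `$TMP` is visible in this hunk, and with the directory now created under `$TMPDIR` (or `/tmp`) instead of the home directory, TPM intermediate files left by an aborted run end up in a shared location. `mktemp -d` creates the directory with owner-only permissions, so the concern is leftover key-related material rather than access by other users. The rest of the script lies outside the hunk; if it does not already do so, add `trap 'rm -rf -- "$TMP"' EXIT` directly after the directory is created. The same applies to the identical change in `src/clevis-encrypt-tpm2`.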

+ 1 - 1
src/clevis-encrypt-tpm2

@@ -92,7 +92,7 @@ if ! jwk=`jose jwk gen -i '{"alg":"A256GCM"}'`; then
     exit 1
 fi
 
-if ! TMP=`mktemp -d -p ~`; then
+if ! TMP=`mktemp -d`; then
     echo "Creating a temporary dir for TPM files failed!" >&2
     exit 1
 fi

+ 94 - 0
src/clevis-luks-unbind

@@ -0,0 +1,94 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2017 Red Hat, Inc.
+# Author: Javier Martinez Canillas <javierm@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+SUMMARY="Unbinds a pin bound to a LUKSv1 volume"
+UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+function usage() {
+    echo >&2
+    echo "Usage: clevis luks unbind -d DEV -s SLT" >&2
+    echo >&2
+    echo "$SUMMARY": >&2
+    echo >&2
+    echo "  -d DEV  The bound LUKS device" >&2
+    echo >&2
+    echo "  -s SLOT The LUKSMeta slot number for the pin unbind" >&2
+    echo >&2
+    echo "  -f      Do not ask for confirmation and wipe slot in batch-mode" >&2
+    echo >&2
+    exit 1
+}
+
+if [ $# -eq 1 -a "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 0
+fi
+
+while getopts ":d:s:f" o; do
+    case "$o" in
+    f) FRC=-q;;
+    d) DEV=$OPTARG;;
+    s) SLT=$OPTARG;;
+    *) usage;;
+    esac
+done
+
+if [ -z "$DEV" ]; then
+    echo "Did not specify a device!" >&2
+    usage
+fi
+
+if [ -z "$SLT" ]; then
+    echo "Did not specify a slot!" >&2
+    usage
+fi
+
+if ! luksmeta test -d $DEV 2>/dev/null; then
+    echo "The $DEV device is not valid!" >&2
+    exit 1
+fi
+
+read -r slot active uuid <<< $(luksmeta show -d "$DEV" | grep "^$SLT *")
+
+if [ "$uuid" = "empty" ]; then
+   echo "The LUKSMeta slot $SLT on device $DEV is already empty." >&2
+   exit 1
+fi
+
+if [ "$active" = "active" ]; then
+    if ! cryptsetup luksKillSlot "$DEV" "$SLT" $FRC; then
+	echo "LUKSv1 slot $SLT for device $DEV couldn't be deleted"
+	exit 1
+    fi
+else
+   echo "LUKSv1 slot $SLT not present on $DEV, only LUKSMeta slot will be cleared." >&2
+   if [ -z "$FRC" ]; then
+       echo "The unbind operation will wipe a slot. This operation is unrecoverable." >&2
+       read -r -p "Do you wish to erase LUKSMeta slot $SLT on $DEV? [ynYN] " ans < /dev/tty
+       [[ "$ans" =~ ^[yY]$ ]] || exit 0
+   fi
+fi
+
+if ! luksmeta wipe -f -d "$DEV" -u "$UUID" -s "$SLT"; then
+    echo "LUKSMeta slot $SLT for device $DEV couldn't be deleted"
+    exit 1
+fi
+
+exit 0
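Review bot: Before calling `cryptsetup luksKillSlot`, the script never checks that the slot's LUKSMeta entry belongs to clevis: it only rejects `uuid = empty`, so an active slot owned by another LUKSMeta consumer would be killed (without confirmation when `-f` sets `-q`) before `luksmeta wipe -u "$UUID"` gets a chance to reject it. `clevis-luks-unlock` in this same commit already filters on `"$uuid" != "$UUID"`. `SLT` is also used unvalidated as a regular expression in `grep "^$SLT *"`, which matches any slot number that merely begins with those characters, and `$DEV` is unquoted in `luksmeta test -d $DEV`. The fence below validates the slot, matches it exactly and adds the ownership check; it assumes `luksmeta show` prints whitespace-separated `slot state uuid` columns, as the existing `read` does. Separately, the two "couldn't be deleted" messages should go to stderr with `>&2`.

```shell
# … unchanged: --summary handling, getopts loop, DEV/SLT presence checks …

if ! [[ "$SLT" =~ ^[0-9]+$ ]]; then
    echo "The slot must be a number!" >&2
    usage
fi

if ! luksmeta test -d "$DEV" 2>/dev/null; then
    echo "The $DEV device is not valid!" >&2
    exit 1
fi

# Exact match on the first column; the quoted here-string keeps read from
# failing under -e when no line matches.
read -r slot active uuid <<< "$(luksmeta show -d "$DEV" | awk -v s="$SLT" '$1 == s')"

# … unchanged: "already empty" check …

if [ "$uuid" != "$UUID" ]; then
    echo "The LUKSMeta slot $SLT on device $DEV is not bound by clevis." >&2
    exit 1
fi

# … unchanged: luksKillSlot / confirmation prompt / luksmeta wipe …
```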

+ 2 - 2
src/clevis-luks-unlock

@@ -54,7 +54,7 @@ fi
 
 NAME=${NAME:-luks-`cryptsetup luksUUID $DEV`}
 
-luksmeta show -d "$DEV" | while read -r slot state uuid; do
+while read -r slot state uuid; do
     [ "$state" != "active" ] && continue
     [ "$uuid" != "$UUID" ] && continue
 
@@ -62,6 +62,6 @@ luksmeta show -d "$DEV" | while read -r slot state uuid; do
         echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"
         exit 0
     fi
-done
+done <<< $(luksmeta show -d "$DEV")
 
 exit 1
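Review bot: The command substitution in `done <<< $(luksmeta show -d "$DEV")` is unquoted, and older bash releases (before 4.4, to my knowledge) word-split an unquoted here-string and rejoin it with spaces. On such a shell the loop would receive every slot on a single line, `read` would put everything after the second field into `uuid`, and only the first slot would ever be examined. Quoting the substitution, `done <<< "$(luksmeta show -d "$DEV")"`, keeps one slot per line on every bash version. The loop body between the two hunks is not visible here, so this assumes nothing in it depends on the joined form.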

+ 1 - 0
src/dracut/Makefile.in

@@ -200,6 +200,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@

+ 19 - 5
src/dracut/module-setup.sh.in

@@ -28,6 +28,8 @@ cmdline() {
 }
 
 install() {
+    local ret=0
+
     cmdline > "${initdir}/etc/cmdline.d/99clevis.conf"
 
     inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
@@ -36,13 +38,9 @@ install() {
     inst_multiple /etc/services \
         clevis-decrypt-http \
         clevis-decrypt-tang \
-        clevis-decrypt-tpm2 \
         clevis-decrypt-sss \
         @libexecdir@/clevis-luks-askpass \
         clevis-decrypt \
-        tpm2_createprimary \
-        tpm2_unseal \
-        tpm2_load \
         luksmeta \
         clevis \
         mktemp \
@@ -50,10 +48,26 @@ install() {
         jose \
         nc
 
+    for cmd in clevis-decrypt-tpm2 \
+	tpm2_createprimary \
+	tpm2_unseal \
+	tpm2_load; do
+
+	if ! find_binary "$cmd" &>/dev/null; then
+	    ((ret++))
+	fi
+    done
+
+    if (($ret == 0)); then
+	inst_multiple clevis-decrypt-tpm2 \
+	    tpm2_createprimary \
+	    tpm2_unseal \
+	    tpm2_load
+    fi
+
     dracut_need_initqueue
 }
 
 installkernel() {
     hostonly='' instmods =drivers/char/tpm
 }
-
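Review bot: When any of the four binaries is missing, `install()` now leaves the whole tpm2 pin out of the initramfs without printing anything, so a volume bound only to tpm2 would fail to unlock at boot with nothing in the dracut output to explain why. An `else` branch on `if (($ret == 0))` with a line such as `dwarn "clevis: tpm2 tools not found, tpm2 pin not included"` would surface this at image build time. The binary list is also written twice; keeping it in one local array used by both the `find_binary` loop and `inst_multiple` stops the two from drifting apart. The added lines are indented with tabs while the surrounding function uses spaces.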

+ 1 - 0
src/systemd/Makefile.in

@@ -205,6 +205,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@

+ 1 - 0
src/udisks2/Makefile.in

@@ -241,6 +241,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@

+ 1 - 0
tests/Makefile.in

@@ -375,6 +375,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
+TPM2_TOOLS = @TPM2_TOOLS@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@