|
@@ -0,0 +1,95 @@
|
|
|
+Subject: Avoid luksmeta corruption on clevis bind (#319)
|
|
|
+Origin: v18-5-gd8a25e3 <https://github.com/latchset/clevis/commit/v18-5-gd8a25e3>
|
|
|
+Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
|
|
|
+Date: Tue Jun 15 12:51:23 2021 +0200
|
|
|
+
|
|
|
+ When using long key information to be stored in luks metadata,
|
|
|
+ luksmeta save is not reporting the corruption of LUKs meta.
|
|
|
+ This change detects if issue occurs after luksmeta metadata save
|
|
|
+ and, in that case, restores the device. Fixes #181
|
|
|
+
|
|
|
+ Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
|
|
|
+
|
|
|
+--- a/src/luks/clevis-luks-common-functions.in
|
|
|
++++ b/src/luks/clevis-luks-common-functions.in
|
|
|
+@@ -448,6 +448,12 @@
|
|
|
+ echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
++
|
|
|
++ if ! luksmeta test -d "${DEV}" 2>/dev/null >/dev/null ; then
|
|
|
++ echo "Error detected after saving metadata to LUKSMeta slot ${SLOT}, device ${DEV}" >&2
|
|
|
++ return 1
|
|
|
++ fi
|
|
|
++
|
|
|
+ return 0
|
|
|
+ }
|
|
|
+
|
|
|
+--- /dev/null
|
|
|
++++ b/src/luks/tests/bind-luks1-avoid-luksmeta-corruption
|
|
|
+@@ -0,0 +1,55 @@
|
|
|
++#!/bin/bash -ex
|
|
|
++#
|
|
|
++# Copyright (c) 2021 Red Hat, Inc.
|
|
|
++# Author: Sergio Arroutbi Braojos <sarroutb@redhat.com>
|
|
|
++#
|
|
|
++# This program is free software: you can redistribute it and/or modify
|
|
|
++# it under the terms of the GNU General Public License as published by
|
|
|
++# the Free Software Foundation, either version 3 of the License, or
|
|
|
++# (at your option) any later version.
|
|
|
++#
|
|
|
++# This program is distributed in the hope that it will be useful,
|
|
|
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
++# GNU General Public License for more details.
|
|
|
++#
|
|
|
++# You should have received a copy of the GNU General Public License
|
|
|
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
++#
|
|
|
++
|
|
|
++TEST=$(basename "${0}")
|
|
|
++. tests-common-functions
|
|
|
++
|
|
|
++on_exit() {
|
|
|
++ [ ! -d "${TMP}" ] && return 0
|
|
|
++ tang_stop "${TMP}"
|
|
|
++ rm -rf "${TMP}"
|
|
|
++}
|
|
|
++
|
|
|
++trap 'on_exit' EXIT
|
|
|
++
|
|
|
++TMP="$(mktemp -d)"
|
|
|
++
|
|
|
++ADV_AMOUNT=50
|
|
|
++
|
|
|
++# Create LUKS1 device
|
|
|
++DEV="${TMP}/luks1-device"
|
|
|
++new_device "luks1" "${DEV}"
|
|
|
++
|
|
|
++# TANG server specifics
|
|
|
++port=$(tang_new_random_port)
|
|
|
++tang_run "${TMP}" "${port}"
|
|
|
++url="http://localhost:${port}"
|
|
|
++
|
|
|
++# Initial binding to ensure luksmeta gets corrupted
|
|
|
++for ADV_NU in $(seq 0 ${ADV_AMOUNT}); do
|
|
|
++ "${TANGD_KEYGEN}" "${TMP}/db"
|
|
|
++done
|
|
|
++tang_new_keys "${TMP}"
|
|
|
++
|
|
|
++CFG=$(printf '{"url":"%s"}' "${url}")
|
|
|
++
|
|
|
++# At this point, luks bind must return an error. If not, test fails
|
|
|
++if clevis luks bind -y -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
|
++ error "${TEST}: Binding is expected to fail when given a too long adv"
|
|
|
++fi
|
|
|
+--- a/src/luks/tests/meson.build
|
|
|
++++ b/src/luks/tests/meson.build
|
|
|
+@@ -59,6 +59,7 @@
|
|
|
+
|
|
|
+ test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
|
|
|
+ test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
|
|
|
++test('bind-luks1-avoid-luksmeta-corruption', find_program('bind-luks1-avoid-luksmeta-corruption'), env: env, timeout: 60)
|
|
|
+
|
|
|
+ # LUKS2 tests go here, and they get included if we get support for it, based
|
|
|
+ # on the cryptsetup version.
|