
Import upstream version 11

Nathaniel McCallum 5 years ago
parent
commit
f320836e1a
87 changed files with 1471 additions and 19015 deletions
  1. 13 0
      COPYING.openssl
  2. 70 0
      INSTALL.md
  3. 0 24
      Makefile.am
  4. 0 922
      Makefile.in
  5. 213 0
      README.md
  6. 0 1496
      aclocal.m4
  7. 0 348
      compile
  8. 0 1476
      config.guess
  9. 0 1836
      config.sub
  10. 0 6409
      configure
  11. 0 109
      configure.ac
  12. 0 791
      depcomp
  13. 0 22
      doc/clevis-decrypt.1
  14. 0 61
      doc/clevis-encrypt-http.1
  15. 0 71
      doc/clevis-encrypt-sss.1
  16. 0 95
      doc/clevis-encrypt-tang.1
  17. 0 142
      doc/clevis-encrypt-tpm2.1
  18. 0 71
      doc/clevis-luks-bind.1
  19. 0 34
      doc/clevis-luks-unbind.1
  20. 0 32
      doc/clevis-luks-unlock.1
  21. 0 75
      doc/clevis-luks-unlockers.7
  22. 0 193
      doc/clevis.1
  23. 0 501
      install-sh
  24. 60 0
      meson.build
  25. 3 0
      meson_options.txt
  26. 0 215
      missing
  27. 0 38
      src/Makefile.am
  28. 0 822
      src/Makefile.in
  29. 26 0
      src/bash/clevis
  30. 8 0
      src/bash/meson.build
  31. 4 0
      src/clevis
  32. 0 22
      src/clevis-bind-luks
  33. 1 1
      src/clevis-decrypt
  34. 0 69
      src/clevis-decrypt-http
  35. 21 0
      src/clevis-decrypt.1.adoc
  36. 0 107
      src/clevis-encrypt-http
  37. 144 0
      src/clevis.1.adoc
  38. 0 10
      src/dracut/Makefile.am
  39. 0 514
      src/dracut/Makefile.in
  40. 53 40
      src/clevis-luks-bind
  41. 67 0
      src/luks/clevis-luks-bind.1.adoc
  42. 43 25
      src/clevis-luks-unbind
  43. 34 0
      src/luks/clevis-luks-unbind.1.adoc
  44. 22 9
      src/clevis-luks-unlock
  45. 31 0
      src/luks/clevis-luks-unlock.1.adoc
  46. 64 0
      src/luks/clevis-luks-unlockers.7.adoc
  47. 21 0
      src/luks/meson.build
  48. 31 14
      src/systemd/clevis-luks-askpass
  49. 0 0
      src/luks/systemd/clevis-luks-askpass.path
  50. 0 0
      src/luks/systemd/clevis-luks-askpass.service.in
  51. 0 0
      src/luks/systemd/dracut/clevis-hook.sh.in
  52. 21 0
      src/luks/systemd/dracut/meson.build
  53. 0 0
      src/luks/systemd/dracut/module-setup.sh.in
  54. 19 0
      src/luks/systemd/meson.build
  55. 105 34
      src/udisks2/clevis-luks-udisks2.c
  56. 0 0
      src/luks/udisks2/clevis-luks-udisks2.desktop.in
  57. 19 0
      src/luks/udisks2/meson.build
  58. 9 0
      src/meson.build
  59. 3 0
      src/pins/meson.build
  60. 0 0
      src/pins/sss/clevis-decrypt-sss.c
  61. 1 1
      src/clevis-decrypt-test
  62. 59 0
      src/pins/sss/clevis-encrypt-sss.1.adoc
  63. 0 0
      src/pins/sss/clevis-encrypt-sss.c
  64. 1 1
      src/clevis-encrypt-test
  65. 34 0
      src/pins/sss/meson.build
  66. 0 0
      src/pins/sss/pin-sss
  67. 1 1
      tests/pin-test
  68. 0 0
      src/pins/sss/sss.c
  69. 0 0
      src/pins/sss/sss.h
  70. 1 1
      src/clevis-decrypt-tang
  71. 1 1
      src/clevis-encrypt-tang
  72. 81 0
      src/pins/tang/clevis-encrypt-tang.1.adoc
  73. 45 0
      src/pins/tang/meson.build
  74. 3 3
      tests/pin-tang
  75. 8 1
      src/clevis-decrypt-tpm2
  76. 8 1
      src/clevis-encrypt-tpm2
  77. 109 0
      src/pins/tpm2/clevis-encrypt-tpm2.1.adoc
  78. 14 0
      src/pins/tpm2/meson.build
  79. 0 12
      src/systemd/Makefile.am
  80. 0 569
      src/systemd/Makefile.in
  81. 0 26
      src/udisks2/Makefile.am
  82. 0 676
      src/udisks2/Makefile.in
  83. 0 148
      test-driver
  84. 0 7
      tests/Makefile.am
  85. 0 836
      tests/Makefile.in
  86. 0 29
      tests/pin-http
  87. 0 74
      tests/pin-httpd

+ 13 - 0
COPYING.openssl

@@ -0,0 +1,13 @@
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+
+You must obey the GNU General Public License in all respects
+for all of the code used other than OpenSSL.  If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so.  If you
+do not wish to do so, delete this exception statement from your
+version.  If you delete this exception statement from all source
+files in the program, then also delete it here.

+ 70 - 0
INSTALL.md

@@ -0,0 +1,70 @@
+This file contains instructions to build and install Clevis from source
+
+# Dependencies
+To build and install the Clevis software the following software packages
+are required. In many cases dependencies are platform specific and so the
+following sections describe them for the supported platforms.
+
+## Linux:
+* Meson
+* Ninja
+* C compiler
+* C Library Development Libraries and Header Files
+* [jose](https://github.com/latchset/jose)
+* [luksmeta](https://github.com/latchset/luksmeta)
+* [audit-libs](https://github.com/linux-audit/audit-userspace)
+* [udisks2](https://github.com/storaged-project/udisks)
+* [OpenSSL](https://github.com/openssl/openssl)
+* [desktop-file-utils](https://cgit.freedesktop.org/xdg/desktop-file-utils)
+* [pkg-config](https://cgit.freedesktop.org/pkg-config)
+* [systemd](https://github.com/systemd)
+* [dracut](https://github.com/dracutdevs/dracut)
+* [tang](https://github.com/latchset/tang)
+* [curl](https://github.com/curl/curl)
+* [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)
+
+### Fedora
+
+There is a package already, so the package build dependencies information can be
+used to make sure that the needed packages to compile from source are installed:
+
+```
+$ sudo dnf builddep clevis
+```
+
+# Building From Source
+
+## Configuring the Build
+To configure Clevis, run `meson` which generates the build files:
+
+```
+$ meson build
+```
+
+## Compiling
+Then compile the code using `ninja`:
+
+```
+$ ninja -C build -j$(nproc)
+```
+
+## Installing
+Once you've built the Clevis software it can be installed with:
+
+```
+$ sudo ninja -C build install
+```
+
+This will install Clevis to a location determined at configure time.
+
+See the output of `meson --help` for the available options. Typically
+much won't be needed besides providing an alternative --prefix option at
+configure time, and maybe DESTDIR at install time if you're packaging for
+a distro.
+
+After is installed, the dracut and systemd hooks can be added to the
+initramfs with:
+
+```
+$ sudo dracut -f
+```

+ 0 - 24
Makefile.am

@@ -1,24 +0,0 @@
-DISTCHECK_CONFIGURE_FLAGS = \
-    --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir) \
-    --with-dracutmodulesdir=$$dc_install_base/$(dracutmodulesdir)
-
-SUBDIRS = . src tests
-EXTRA_DIST = COPYING
-
-dist_man1_MANS = \
-    doc/clevis-encrypt-tang.1 \
-    doc/clevis-encrypt-http.1 \
-    doc/clevis-encrypt-sss.1 \
-    doc/clevis-luks-unlock.1 \
-    doc/clevis-luks-bind.1 \
-    doc/clevis-luks-unbind.1 \
-    doc/clevis-decrypt.1 \
-    doc/clevis.1
-
-if HAVE_TPM2_TOOLS
-    dist_man1_MANS += \
-    doc/clevis-encrypt-tpm2.1
-endif
-
-dist_man7_MANS = \
-    doc/clevis-luks-unlockers.7

+ 0 - 922
Makefile.in

@@ -1,922 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-@HAVE_TPM2_TOOLS_TRUE@am__append_1 = \
-@HAVE_TPM2_TOOLS_TRUE@    doc/clevis-encrypt-tpm2.1
-
-subdir = .
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
-	$(am__configure_deps) $(am__DIST_COMMON)
-am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
- configure.lineno config.status.lineno
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-SOURCES =
-DIST_SOURCES =
-RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
-	ctags-recursive dvi-recursive html-recursive info-recursive \
-	install-data-recursive install-dvi-recursive \
-	install-exec-recursive install-html-recursive \
-	install-info-recursive install-pdf-recursive \
-	install-ps-recursive install-recursive installcheck-recursive \
-	installdirs-recursive pdf-recursive ps-recursive \
-	tags-recursive uninstall-recursive
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-man1dir = $(mandir)/man1
-am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)"
-man7dir = $(mandir)/man7
-NROFF = nroff
-MANS = $(dist_man1_MANS) $(dist_man7_MANS)
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-am__recursive_targets = \
-  $(RECURSIVE_TARGETS) \
-  $(RECURSIVE_CLEAN_TARGETS) \
-  $(am__extra_recursive_targets)
-AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	cscope distdir dist dist-all distcheck
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-CSCOPE = cscope
-DIST_SUBDIRS = $(SUBDIRS)
-am__DIST_COMMON = $(dist_man1_MANS) $(dist_man7_MANS) \
-	$(srcdir)/Makefile.in COPYING compile config.guess config.sub \
-	depcomp install-sh missing
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-distdir = $(PACKAGE)-$(VERSION)
-top_distdir = $(distdir)
-am__remove_distdir = \
-  if test -d "$(distdir)"; then \
-    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
-      && rm -rf "$(distdir)" \
-      || { sleep 5 && rm -rf "$(distdir)"; }; \
-  else :; fi
-am__post_remove_distdir = $(am__remove_distdir)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
-GZIP_ENV = --best
-DIST_ARCHIVES = $(distdir).tar.bz2
-DIST_TARGETS = dist-bzip2
-distuninstallcheck_listfiles = find . -type f -print
-am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
-  | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
-distcleancheck_listfiles = find . -type f -print
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-DISTCHECK_CONFIGURE_FLAGS = \
-    --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir) \
-    --with-dracutmodulesdir=$$dc_install_base/$(dracutmodulesdir)
-
-SUBDIRS = . src tests
-EXTRA_DIST = COPYING
-dist_man1_MANS = doc/clevis-encrypt-tang.1 doc/clevis-encrypt-http.1 \
-	doc/clevis-encrypt-sss.1 doc/clevis-luks-unlock.1 \
-	doc/clevis-luks-bind.1 doc/clevis-luks-unbind.1 \
-	doc/clevis-decrypt.1 doc/clevis.1 $(am__append_1)
-dist_man7_MANS = \
-    doc/clevis-luks-unlockers.7
-
-all: all-recursive
-
-.SUFFIXES:
-am--refresh: Makefile
-	@:
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \
-	      $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \
-		&& exit 0; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    echo ' $(SHELL) ./config.status'; \
-	    $(SHELL) ./config.status;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	$(SHELL) ./config.status --recheck
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	$(am__cd) $(srcdir) && $(AUTOCONF)
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
-$(am__aclocal_m4_deps):
-install-man1: $(dist_man1_MANS)
-	@$(NORMAL_INSTALL)
-	@list1='$(dist_man1_MANS)'; \
-	list2=''; \
-	test -n "$(man1dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.1[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man1:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man1_MANS)'; test -n "$(man1dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
-install-man7: $(dist_man7_MANS)
-	@$(NORMAL_INSTALL)
-	@list1='$(dist_man7_MANS)'; \
-	list2=''; \
-	test -n "$(man7dir)" \
-	  && test -n "`echo $$list1$$list2`" \
-	  || exit 0; \
-	echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \
-	$(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \
-	{ for i in $$list1; do echo "$$i"; done;  \
-	if test -n "$$list2"; then \
-	  for i in $$list2; do echo "$$i"; done \
-	    | sed -n '/\.7[a-z]*$$/p'; \
-	fi; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man7:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_man7_MANS)'; test -n "$(man7dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir)
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run 'make' without going through this Makefile.
-# To change the values of 'make' variables: instead of editing Makefiles,
-# (1) if the variable is set in 'config.status', edit 'config.status'
-#     (which will cause the Makefiles to be regenerated when you run 'make');
-# (2) otherwise, pass the desired values on the 'make' command line.
-$(am__recursive_targets):
-	@fail=; \
-	if $(am__make_keepgoing); then \
-	  failcom='fail=yes'; \
-	else \
-	  failcom='exit 1'; \
-	fi; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-recursive
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-recursive
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscope: cscope.files
-	test ! -s cscope.files \
-	  || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
-clean-cscope:
-	-rm -f cscope.files
-cscope.files: clean-cscope cscopelist
-cscopelist: cscopelist-recursive
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-	-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
-
-distdir: $(DISTFILES)
-	$(am__remove_distdir)
-	test -d "$(distdir)" || mkdir "$(distdir)"
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    $(am__make_dryrun) \
-	      || test -d "$(distdir)/$$subdir" \
-	      || $(MKDIR_P) "$(distdir)/$$subdir" \
-	      || exit 1; \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-	-test -n "$(am__skip_mode_fix)" \
-	|| find "$(distdir)" -type d ! -perm -755 \
-		-exec chmod u+rwx,go+rx {} \; -o \
-	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
-	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
-	  ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
-	|| chmod -R a+r "$(distdir)"
-dist-gzip: distdir
-	tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz
-	$(am__post_remove_distdir)
-dist-bzip2: distdir
-	tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
-	$(am__post_remove_distdir)
-
-dist-lzip: distdir
-	tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
-	$(am__post_remove_distdir)
-
-dist-xz: distdir
-	tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
-	$(am__post_remove_distdir)
-
-dist-tarZ: distdir
-	@echo WARNING: "Support for distribution archives compressed with" \
-		       "legacy program 'compress' is deprecated." >&2
-	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
-	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
-	$(am__post_remove_distdir)
-
-dist-shar: distdir
-	@echo WARNING: "Support for shar distribution archives is" \
-	               "deprecated." >&2
-	@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
-	shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz
-	$(am__post_remove_distdir)
-
-dist-zip: distdir
-	-rm -f $(distdir).zip
-	zip -rq $(distdir).zip $(distdir)
-	$(am__post_remove_distdir)
-
-dist dist-all:
-	$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
-	$(am__post_remove_distdir)
-
-# This target untars the dist file and tries a VPATH configuration.  Then
-# it guarantees that the distribution is self-contained by making another
-# tarfile.
-distcheck: dist
-	case '$(DIST_ARCHIVES)' in \
-	*.tar.gz*) \
-	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\
-	*.tar.bz2*) \
-	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
-	*.tar.lz*) \
-	  lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
-	*.tar.xz*) \
-	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\
-	*.tar.Z*) \
-	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
-	*.shar.gz*) \
-	  eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
-	*.zip*) \
-	  unzip $(distdir).zip ;;\
-	esac
-	chmod -R a-w $(distdir)
-	chmod u+w $(distdir)
-	mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
-	chmod a-w $(distdir)
-	test -d $(distdir)/_build || exit 0; \
-	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
-	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
-	  && am__cwd=`pwd` \
-	  && $(am__cd) $(distdir)/_build/sub \
-	  && ../../configure \
-	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
-	    $(DISTCHECK_CONFIGURE_FLAGS) \
-	    --srcdir=../.. --prefix="$$dc_install_base" \
-	  && $(MAKE) $(AM_MAKEFLAGS) \
-	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
-	  && $(MAKE) $(AM_MAKEFLAGS) check \
-	  && $(MAKE) $(AM_MAKEFLAGS) install \
-	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
-	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
-	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
-	        distuninstallcheck \
-	  && chmod -R a-w "$$dc_install_base" \
-	  && ({ \
-	       (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
-	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
-	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
-	      } || { rm -rf "$$dc_destdir"; exit 1; }) \
-	  && rm -rf "$$dc_destdir" \
-	  && $(MAKE) $(AM_MAKEFLAGS) dist \
-	  && rm -rf $(DIST_ARCHIVES) \
-	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
-	  && cd "$$am__cwd" \
-	  || exit 1
-	$(am__post_remove_distdir)
-	@(echo "$(distdir) archives ready for distribution: "; \
-	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
-	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
-distuninstallcheck:
-	@test -n '$(distuninstallcheck_dir)' || { \
-	  echo 'ERROR: trying to run $@ with an empty' \
-	       '$$(distuninstallcheck_dir)' >&2; \
-	  exit 1; \
-	}; \
-	$(am__cd) '$(distuninstallcheck_dir)' || { \
-	  echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
-	  exit 1; \
-	}; \
-	test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
-	   || { echo "ERROR: files left after uninstall:" ; \
-	        if test -n "$(DESTDIR)"; then \
-	          echo "  (check DESTDIR support)"; \
-	        fi ; \
-	        $(distuninstallcheck_listfiles) ; \
-	        exit 1; } >&2
-distcleancheck: distclean
-	@if test '$(srcdir)' = . ; then \
-	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \
-	  exit 1 ; \
-	fi
-	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
-	  || { echo "ERROR: files left in build directory after distclean:" ; \
-	       $(distcleancheck_listfiles) ; \
-	       exit 1; } >&2
-check-am: all-am
-check: check-recursive
-all-am: Makefile $(MANS)
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-generic mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-	-rm -f Makefile
-distclean-am: clean-am distclean-generic distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-html-am:
-
-info: info-recursive
-
-info-am:
-
-install-data-am: install-man
-
-install-dvi: install-dvi-recursive
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-recursive
-
-install-html-am:
-
-install-info: install-info-recursive
-
-install-info-am:
-
-install-man: install-man1 install-man7
-
-install-pdf: install-pdf-recursive
-
-install-pdf-am:
-
-install-ps: install-ps-recursive
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-	-rm -rf $(top_srcdir)/autom4te.cache
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-generic
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-man
-
-uninstall-man: uninstall-man1 uninstall-man7
-
-.MAKE: $(am__recursive_targets) install-am install-strip
-
-.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
-	am--refresh check check-am clean clean-cscope clean-generic \
-	cscope cscopelist-am ctags ctags-am dist dist-all dist-bzip2 \
-	dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \
-	distcheck distclean distclean-generic distclean-tags \
-	distcleancheck distdir distuninstallcheck dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-man1 install-man7 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags \
-	tags-am uninstall uninstall-am uninstall-man uninstall-man1 \
-	uninstall-man7
-
-.PRECIOUS: Makefile
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

+ 213 - 0
README.md

@@ -0,0 +1,213 @@
+# Clevis
+
+## Welcome to Clevis!
+Clevis is a plugable framework for automated decryption. It can be used to
+provide automated decryption of data or even automated unlocking of LUKS
+volumes.
+
+### Encrypting Data
+
+What does this look like? Well, the first step is encrypting some data. We do
+this with a simple command:
+
+    $ clevis encrypt PIN CONFIG < PLAINTEXT > CIPHERTEXT.jwe
+
+This command takes plaintext on standard input and produces an encrypted JWE
+object on standard output. Besides the plaintext, we need to specify two
+additional input parameters.
+
+First, is the pin. In clevis terminology, a pin is a plugin which implements
+automated decryption. We simply pass the name of a pin here.
+
+Second, is the config. The config is a JSON object which will be passed
+directly to the pin. It contains all the necessary configuration to perform
+encryption and setup automated decryption.
+
+To decrypt our JWE, we simply perform the following:
+
+```bash
+$ clevis decrypt < CIPHERTEXT.jwe > PLAINTEXT
+```
+
+Notice that no additional input or interaction is required for the decrypt
+command. Let's look at some more concrete examples.
+
+#### PIN: Tang
+
+[Tang](http://github.com/latchset/tang) is a server implementation which
+provides cryptographic binding services without the need for an escrow.
+Clevis has full support for Tang. Here is an example of how to use Clevis with
+Tang:
+
+```bash
+$ echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe
+The advertisement is signed with the following keys:
+        kWwirxc5PhkFIH0yE28nc-EvjDY
+
+Do you wish to trust the advertisement? [yN] y
+```
+
+In this example, we encrypt the message "hi" using the Tang pin. The only
+parameter needed in this case is the URL of the Tang server. During the
+encryption process, the Tang pin requests the key advertisement from the
+server and asks you to trust the keys. This works similarly to SSH.
+
+Alternatively, you can manually load the advertisment using the `adv`
+parameter. This parameter takes either a string referencing the file where the
+advertisement is stored, or the JSON contents of the advertisment itself. When
+the advertisment is specified manually like this, Clevis presumes that the
+advertisement is trusted.
+
+#### PIN: HTTP
+
+Clevis also ships a pin for performing escrow using HTTP. Please note that,
+at this time, this pin does not provide HTTPS support and is suitable only
+for use over local sockets. This provides integration with services like
+[Custodia](http://github.com/latchset/custodia).
+
+For example:
+
+```bash
+$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
+```
+
+The HTTP pin generate a new (cryptographically-strong random) key and performs
+encryption using it. It then performs a PUT request to the URL specified. It is
+understood that the server will securely store this key for later retrieval.
+During decryption, the pin will perform a GET request to retrieve the key and
+perform decryption.
+
+Patches to provide support for HTTPS and authentication are welcome.
+
+#### PIN: TPM2
+
+Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
+chip. The cryptographically-strong, random key used for encryption is encrypted
+using the TPM2 chip, and then at decryption time is decrypted using the TPM2 to
+allow clevis to decrypt the secret stored in the JWE.
+
+For example:
+
+```bash
+$ echo hi | clevis encrypt tpm2 '{}' > hi.jwe
+```
+
+Clevis store the public and private keys of the encrypted key in the JWE object,
+so those can be fetched on decryption to unseal the key encrypted using the TPM2.
+
+#### PIN: Shamir Secret Sharing
+
+Clevis provides a way to mix pins together to provide sophisticated unlocking
+policies. This is accomplished by using an algorithm called Shamir Secret
+Sharing (SSS).
+
+SSS is a thresholding scheme. It creates a key and divides it into a number of
+pieces. Each piece is encrypted using another pin (possibly even SSS
+recursively). Additionally, you define the threshold `t`. If at least `t`
+pieces can be decrypted, then the encryption key can be recovered and
+decryption can succeed.
+
+Here is an example where we use the SSS pin with both the Tang and HTTP pins:
+
+```bash
+$ echo hi | clevis encrypt sss \
+'{"t": 2, "pins": {"http": {"url": "http://server.local/key"}, "tang": {"url": "http://tang.local"}}}' \
+> hi.jwe
+```
+
+In the above example, we define two child pins and have a threshold of 2.
+This means that during decryption **both** child pins must succeed in order for
+SSS itself to succeed.
+
+Here is another example where we use just the HTTP pin:
+
+```bash
+$ echo hi | clevis encrypt sss \
+'{"t": 1, "pins": {"http": [{"url": "http://server1.local/key"}, {"url": "http://server1.local/key"}]}}' \
+> hi.jwe
+```
+
+In this example, we define two child instances of the HTTP pin - each with its
+own configuration. Since we have a threshold of 1, if **either** of the HTTP
+pin instances succeed during decryption, SSS will succeed.
+
+### Binding LUKS Volumes
+
+Clevis can be used to bind a LUKS volume using a pin so that it can be
+automatically unlocked.
+
+How this works is rather simple. We generate a new, cryptographically strong
+key. This key is added to LUKS as an additional passphrase. We then encrypt
+this key using Clevis, and store the output JWE inside the LUKS header using
+[LUKSMeta](http://github.com/latchset/luksmeta).
+
+Here is an example where we bind `/dev/sda1` using the Tang ping:
+
+```bash
+$ sudo clevis luks bind -d /dev/sda1 tang '{"url": "http://tang.local"}'
+The advertisement is signed with the following keys:
+        kWwirxc5PhkFIH0yE28nc-EvjDY
+
+Do you wish to trust the advertisement? [yN] y
+Enter existing LUKS password:
+```
+
+Upon successful completion of this binding process, the disk can be unlocked
+using one of the provided unlockers.
+
+#### Unlocker: Dracut
+
+The Dracut unlocker attempts to automatically unlock volumes during early
+boot. This permits automated root volume encryption. Enabling the Dracut
+unlocker is easy. Just rebuild your initramfs after installing Clevis:
+
+```bash
+$ sudo dracut -f
+```
+
+Upon reboot, you will be prompted to unlock the volume using a password. In
+the background, Clevis will attempt to unlock the volume automatically. If it
+succeeds, the password prompt will be cancelled and boot will continue.
+
+#### Unlocker: UDisks2
+
+Our UDisks2 unlocker runs in your desktop session. You should not need to
+manually enable it; just install the Clevis UDisks2 unlocker and restart your
+desktop session. The unlocker should be started automatically.
+
+This unlocker works almost exactly the same as the Dracut unlocker. If you
+insert a removable storage device that has been bound with Clevis, we will
+attempt to unlock it automatically in parallel with a desktop password prompt.
+If automatic unlocking succeeds, the password prompt will be dissmissed without
+user intervention.
+
+#### Unlocker: Clevis command
+
+A LUKSv1 device bound to a Clevis policy can also be unlocked by using the clevis
+luks unlock command.
+
+```bash
+$ sudo clevis luks unlock -d /dev/sda1
+```
+
+#### Unbinding LUKS volumes
+
+LUKS volumes can be unbound using the clevis luks unbind command. For example:
+
+```bash
+$ sudo clevis luks unbind -d /dev/sda1 -s 1
+```
+
+## Installing Clevis
+
+Please don't install Clevis directly. Instead, use your preferred
+distribution's packages.
+
+### Fedora 24+
+
+This command installs the core Clevis commands, the Dracut unlocker and the
+UDisks2 unlocker, respectively.
+
+```bash
+$ sudo dnf install clevis clevis-dracut clevis-udisks2
+```

+ 0 - 1496
aclocal.m4


+ 0 - 348
compile

@@ -1,348 +0,0 @@
-#! /bin/sh
-# Wrapper for compilers which do not understand '-c -o'.
-
-scriptversion=2016-01-11.22; # UTC
-
-# Copyright (C) 1999-2017 Free Software Foundation, Inc.
-# Written by Tom Tromey <tromey@cygnus.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-nl='
-'
-
-# We need space, tab and new line, in precisely that order.  Quoting is
-# there to prevent tools from complaining about whitespace usage.
-IFS=" ""	$nl"
-
-file_conv=
-
-# func_file_conv build_file lazy
-# Convert a $build file to $host form and store it in $file
-# Currently only supports Windows hosts. If the determined conversion
-# type is listed in (the comma separated) LAZY, no conversion will
-# take place.
-func_file_conv ()
-{
-  file=$1
-  case $file in
-    / | /[!/]*) # absolute file, and not a UNC file
-      if test -z "$file_conv"; then
-	# lazily determine how to convert abs files
-	case `uname -s` in
-	  MINGW*)
-	    file_conv=mingw
-	    ;;
-	  CYGWIN*)
-	    file_conv=cygwin
-	    ;;
-	  *)
-	    file_conv=wine
-	    ;;
-	esac
-      fi
-      case $file_conv/,$2, in
-	*,$file_conv,*)
-	  ;;
-	mingw/*)
-	  file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
-	  ;;
-	cygwin/*)
-	  file=`cygpath -m "$file" || echo "$file"`
-	  ;;
-	wine/*)
-	  file=`winepath -w "$file" || echo "$file"`
-	  ;;
-      esac
-      ;;
-  esac
-}
-
-# func_cl_dashL linkdir
-# Make cl look for libraries in LINKDIR
-func_cl_dashL ()
-{
-  func_file_conv "$1"
-  if test -z "$lib_path"; then
-    lib_path=$file
-  else
-    lib_path="$lib_path;$file"
-  fi
-  linker_opts="$linker_opts -LIBPATH:$file"
-}
-
-# func_cl_dashl library
-# Do a library search-path lookup for cl
-func_cl_dashl ()
-{
-  lib=$1
-  found=no
-  save_IFS=$IFS
-  IFS=';'
-  for dir in $lib_path $LIB
-  do
-    IFS=$save_IFS
-    if $shared && test -f "$dir/$lib.dll.lib"; then
-      found=yes
-      lib=$dir/$lib.dll.lib
-      break
-    fi
-    if test -f "$dir/$lib.lib"; then
-      found=yes
-      lib=$dir/$lib.lib
-      break
-    fi
-    if test -f "$dir/lib$lib.a"; then
-      found=yes
-      lib=$dir/lib$lib.a
-      break
-    fi
-  done
-  IFS=$save_IFS
-
-  if test "$found" != yes; then
-    lib=$lib.lib
-  fi
-}
-
-# func_cl_wrapper cl arg...
-# Adjust compile command to suit cl
-func_cl_wrapper ()
-{
-  # Assume a capable shell
-  lib_path=
-  shared=:
-  linker_opts=
-  for arg
-  do
-    if test -n "$eat"; then
-      eat=
-    else
-      case $1 in
-	-o)
-	  # configure might choose to run compile as 'compile cc -o foo foo.c'.
-	  eat=1
-	  case $2 in
-	    *.o | *.[oO][bB][jJ])
-	      func_file_conv "$2"
-	      set x "$@" -Fo"$file"
-	      shift
-	      ;;
-	    *)
-	      func_file_conv "$2"
-	      set x "$@" -Fe"$file"
-	      shift
-	      ;;
-	  esac
-	  ;;
-	-I)
-	  eat=1
-	  func_file_conv "$2" mingw
-	  set x "$@" -I"$file"
-	  shift
-	  ;;
-	-I*)
-	  func_file_conv "${1#-I}" mingw
-	  set x "$@" -I"$file"
-	  shift
-	  ;;
-	-l)
-	  eat=1
-	  func_cl_dashl "$2"
-	  set x "$@" "$lib"
-	  shift
-	  ;;
-	-l*)
-	  func_cl_dashl "${1#-l}"
-	  set x "$@" "$lib"
-	  shift
-	  ;;
-	-L)
-	  eat=1
-	  func_cl_dashL "$2"
-	  ;;
-	-L*)
-	  func_cl_dashL "${1#-L}"
-	  ;;
-	-static)
-	  shared=false
-	  ;;
-	-Wl,*)
-	  arg=${1#-Wl,}
-	  save_ifs="$IFS"; IFS=','
-	  for flag in $arg; do
-	    IFS="$save_ifs"
-	    linker_opts="$linker_opts $flag"
-	  done
-	  IFS="$save_ifs"
-	  ;;
-	-Xlinker)
-	  eat=1
-	  linker_opts="$linker_opts $2"
-	  ;;
-	-*)
-	  set x "$@" "$1"
-	  shift
-	  ;;
-	*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
-	  func_file_conv "$1"
-	  set x "$@" -Tp"$file"
-	  shift
-	  ;;
-	*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
-	  func_file_conv "$1" mingw
-	  set x "$@" "$file"
-	  shift
-	  ;;
-	*)
-	  set x "$@" "$1"
-	  shift
-	  ;;
-      esac
-    fi
-    shift
-  done
-  if test -n "$linker_opts"; then
-    linker_opts="-link$linker_opts"
-  fi
-  exec "$@" $linker_opts
-  exit 1
-}
-
-eat=
-
-case $1 in
-  '')
-     echo "$0: No command.  Try '$0 --help' for more information." 1>&2
-     exit 1;
-     ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: compile [--help] [--version] PROGRAM [ARGS]
-
-Wrapper for compilers which do not understand '-c -o'.
-Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
-arguments, and rename the output as expected.
-
-If you are trying to build a whole package this is not the
-right script to run: please start by reading the file 'INSTALL'.
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit $?
-    ;;
-  -v | --v*)
-    echo "compile $scriptversion"
-    exit $?
-    ;;
-  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
-  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
-    func_cl_wrapper "$@"      # Doesn't return...
-    ;;
-esac
-
-ofile=
-cfile=
-
-for arg
-do
-  if test -n "$eat"; then
-    eat=
-  else
-    case $1 in
-      -o)
-	# configure might choose to run compile as 'compile cc -o foo foo.c'.
-	# So we strip '-o arg' only if arg is an object.
-	eat=1
-	case $2 in
-	  *.o | *.obj)
-	    ofile=$2
-	    ;;
-	  *)
-	    set x "$@" -o "$2"
-	    shift
-	    ;;
-	esac
-	;;
-      *.c)
-	cfile=$1
-	set x "$@" "$1"
-	shift
-	;;
-      *)
-	set x "$@" "$1"
-	shift
-	;;
-    esac
-  fi
-  shift
-done
-
-if test -z "$ofile" || test -z "$cfile"; then
-  # If no '-o' option was seen then we might have been invoked from a
-  # pattern rule where we don't need one.  That is ok -- this is a
-  # normal compilation that the losing compiler can handle.  If no
-  # '.c' file was seen then we are probably linking.  That is also
-  # ok.
-  exec "$@"
-fi
-
-# Name of file we expect compiler to create.
-cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
-
-# Create the lock directory.
-# Note: use '[/\\:.-]' here to ensure that we don't use the same name
-# that we are using for the .o file.  Also, base the name on the expected
-# object file name, since that is what matters with a parallel build.
-lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
-while true; do
-  if mkdir "$lockdir" >/dev/null 2>&1; then
-    break
-  fi
-  sleep 1
-done
-# FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir '$lockdir'; exit 1" 1 2 15
-
-# Run the compile.
-"$@"
-ret=$?
-
-if test -f "$cofile"; then
-  test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
-elif test -f "${cofile}bj"; then
-  test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
-fi
-
-rmdir "$lockdir"
-exit $ret
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:

+ 0 - 1476
config.guess


+ 0 - 1836
config.sub


+ 0 - 6409
configure


+ 0 - 109
configure.ac

@@ -1,109 +0,0 @@
-AC_PREREQ(2.59)
-AC_INIT(clevis, 10)
-AC_CANONICAL_SYSTEM
-AC_PROG_CC_C99
-AC_PROG_RANLIB
-AC_PROG_SED
-
-AM_INIT_AUTOMAKE([subdir-objects foreign no-dist-gzip dist-bzip2 parallel-tests])
-AM_SILENT_RULES([yes])
-AM_PROG_CC_C_O
-
-PKG_PROG_PKG_CONFIG([0.25])
-
-PKG_CHECK_MODULES([luksmeta], [luksmeta >= 8])
-PKG_CHECK_MODULES([libcrypto], [libcrypto])
-PKG_CHECK_MODULES([jansson], [jansson >= 2.10])
-PKG_CHECK_MODULES([udisks2], [udisks2])
-PKG_CHECK_MODULES([jose], [jose >= 8])
-PKG_CHECK_MODULES([systemd], [systemd])
-PKG_CHECK_MODULES([dracut], [dracut])
-PKG_CHECK_MODULES([audit], [audit >= 2.7.8])
-
-AC_CHECK_PROG([PWMAKE], [pwmake], [yes])
-test -n "$PWMAKE" || AC_MSG_ERROR([pwmake required!])
-
-AC_ARG_WITH([dracutmodulesdir],
-	    [AS_HELP_STRING([--with-dracutmodulesdir=DIR], [Directory for dracut modules])],
-	    [],
-	    [with_dracutmodulesdir=$($PKG_CONFIG --variable=dracutmodulesdir dracut)])
-AC_SUBST([dracutmodulesdir], [$with_dracutmodulesdir])
-
-AC_ARG_WITH([systemdsystemunitdir],
-            [AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd unit files])],
-            [],
-            [with_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)])
-
-AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
-
-for ac_prog in systemd-socket-activate systemd-activate; do
-    AC_CHECK_PROG([SD_ACTIVATE], [$ac_prog], [$as_dir/$ac_prog], [],
-		  [$PATH$PATH_SEPARATOR$($PKG_CONFIG --variable=systemdutildir systemd)])
-    test -n "$SD_ACTIVATE" && break
-done
-
-test -n "$SD_ACTIVATE" || AC_MSG_ERROR([systemd-socket-activate required!])
-
-AC_MSG_CHECKING([systemd-socket-activate inetd flag])
-if $SD_ACTIVATE --help | grep -q inetd; then
-    SD_ACTIVATE="$SD_ACTIVATE --inetd"
-    AC_MSG_RESULT([--inetd])
-else
-    AC_MSG_RESULT([(default)])
-fi
-
-AC_SUBST(SD_ACTIVATE)
-
-for ac_prog in createprimary pcrlist createpolicy create load unseal; do
-    unset TPM2_TOOLS
-    unset ac_cv_prog_TPM2_TOOLS
-    AC_CHECK_PROG([TPM2_TOOLS], [tpm2_$ac_prog], [yes])
-    test -z "$TPM2_TOOLS" && break
-done
-
-test -n "$TPM2_TOOLS" || AC_MSG_WARN([tpm2_$ac_prog not found, tpm2 pin won't be installed])
-
-AM_CONDITIONAL([HAVE_TPM2_TOOLS], [test -n "$TPM2_TOOLS"])
-
-AC_ARG_ENABLE([user],
-              AS_HELP_STRING([--enable-user=USER],
-                             [Set unprivileged user (default: root)]),
-              [CLEVIS_USER="${enableval}"],
-              [CLEVIS_USER="root"])
-AC_ARG_ENABLE([group],
-              AS_HELP_STRING([--enable-group=GROUP],
-                             [Set unprivileged group (default: root)]),
-              [CLEVIS_GROUP="${enableval}"],
-              [CLEVIS_GROUP="root"])
-AC_SUBST([CLEVIS_USER])
-AC_SUBST([CLEVIS_GROUP])
-
-CLEVIS_CFLAGS="\
--Wall \
--Wextra \
--Werror \
--Wstrict-aliasing \
--Wchar-subscripts \
--Wformat-security \
--Wmissing-declarations \
--Wmissing-prototypes \
--Wnested-externs \
--Wpointer-arith \
--Wshadow \
--Wsign-compare \
--Wstrict-prototypes \
--Wtype-limits \
--Wno-missing-field-initializers \
--Wno-unused-parameter \
-"
-AC_SUBST([CLEVIS_CFLAGS])
-
-AC_CONFIG_FILES([
-    src/systemd/Makefile
-    src/udisks2/Makefile
-    src/dracut/Makefile
-    tests/Makefile
-    src/Makefile
-    Makefile
-])
-AC_OUTPUT

+ 0 - 791
depcomp

@@ -1,791 +0,0 @@
-#! /bin/sh
-# depcomp - compile a program generating dependencies as side-effects
-
-scriptversion=2016-01-11.22; # UTC
-
-# Copyright (C) 1999-2017 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
-
-case $1 in
-  '')
-    echo "$0: No command.  Try '$0 --help' for more information." 1>&2
-    exit 1;
-    ;;
-  -h | --h*)
-    cat <<\EOF
-Usage: depcomp [--help] [--version] PROGRAM [ARGS]
-
-Run PROGRAMS ARGS to compile a file, generating dependencies
-as side-effects.
-
-Environment variables:
-  depmode     Dependency tracking mode.
-  source      Source file read by 'PROGRAMS ARGS'.
-  object      Object file output by 'PROGRAMS ARGS'.
-  DEPDIR      directory where to store dependencies.
-  depfile     Dependency file to output.
-  tmpdepfile  Temporary file to use when outputting dependencies.
-  libtool     Whether libtool is used (yes/no).
-
-Report bugs to <bug-automake@gnu.org>.
-EOF
-    exit $?
-    ;;
-  -v | --v*)
-    echo "depcomp $scriptversion"
-    exit $?
-    ;;
-esac
-
-# Get the directory component of the given path, and save it in the
-# global variables '$dir'.  Note that this directory component will
-# be either empty or ending with a '/' character.  This is deliberate.
-set_dir_from ()
-{
-  case $1 in
-    */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
-      *) dir=;;
-  esac
-}
-
-# Get the suffix-stripped basename of the given path, and save it the
-# global variable '$base'.
-set_base_from ()
-{
-  base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
-}
-
-# If no dependency file was actually created by the compiler invocation,
-# we still have to create a dummy depfile, to avoid errors with the
-# Makefile "include basename.Plo" scheme.
-make_dummy_depfile ()
-{
-  echo "#dummy" > "$depfile"
-}
-
-# Factor out some common post-processing of the generated depfile.
-# Requires the auxiliary global variable '$tmpdepfile' to be set.
-aix_post_process_depfile ()
-{
-  # If the compiler actually managed to produce a dependency file,
-  # post-process it.
-  if test -f "$tmpdepfile"; then
-    # Each line is of the form 'foo.o: dependency.h'.
-    # Do two passes, one to just change these to
-    #   $object: dependency.h
-    # and one to simply output
-    #   dependency.h:
-    # which is needed to avoid the deleted-header problem.
-    { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
-      sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
-    } > "$depfile"
-    rm -f "$tmpdepfile"
-  else
-    make_dummy_depfile
-  fi
-}
-
-# A tabulation character.
-tab='	'
-# A newline character.
-nl='
-'
-# Character ranges might be problematic outside the C locale.
-# These definitions help.
-upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
-lower=abcdefghijklmnopqrstuvwxyz
-digits=0123456789
-alpha=${upper}${lower}
-
-if test -z "$depmode" || test -z "$source" || test -z "$object"; then
-  echo "depcomp: Variables source, object and depmode must be set" 1>&2
-  exit 1
-fi
-
-# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
-depfile=${depfile-`echo "$object" |
-  sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
-tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
-
-rm -f "$tmpdepfile"
-
-# Avoid interferences from the environment.
-gccflag= dashmflag=
-
-# Some modes work just like other modes, but use different flags.  We
-# parameterize here, but still list the modes in the big case below,
-# to make depend.m4 easier to write.  Note that we *cannot* use a case
-# here, because this file can only contain one case statement.
-if test "$depmode" = hp; then
-  # HP compiler uses -M and no extra arg.
-  gccflag=-M
-  depmode=gcc
-fi
-
-if test "$depmode" = dashXmstdout; then
-  # This is just like dashmstdout with a different argument.
-  dashmflag=-xM
-  depmode=dashmstdout
-fi
-
-cygpath_u="cygpath -u -f -"
-if test "$depmode" = msvcmsys; then
-  # This is just like msvisualcpp but w/o cygpath translation.
-  # Just convert the backslash-escaped backslashes to single forward
-  # slashes to satisfy depend.m4
-  cygpath_u='sed s,\\\\,/,g'
-  depmode=msvisualcpp
-fi
-
-if test "$depmode" = msvc7msys; then
-  # This is just like msvc7 but w/o cygpath translation.
-  # Just convert the backslash-escaped backslashes to single forward
-  # slashes to satisfy depend.m4
-  cygpath_u='sed s,\\\\,/,g'
-  depmode=msvc7
-fi
-
-if test "$depmode" = xlc; then
-  # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
-  gccflag=-qmakedep=gcc,-MF
-  depmode=gcc
-fi
-
-case "$depmode" in
-gcc3)
-## gcc 3 implements dependency tracking that does exactly what
-## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
-## it if -MD -MP comes after the -MF stuff.  Hmm.
-## Unfortunately, FreeBSD c89 acceptance of flags depends upon
-## the command line argument order; so add the flags where they
-## appear in depend2.am.  Note that the slowdown incurred here
-## affects only configure: in makefiles, %FASTDEP% shortcuts this.
-  for arg
-  do
-    case $arg in
-    -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
-    *)  set fnord "$@" "$arg" ;;
-    esac
-    shift # fnord
-    shift # $arg
-  done
-  "$@"
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  mv "$tmpdepfile" "$depfile"
-  ;;
-
-gcc)
-## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
-## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
-## (see the conditional assignment to $gccflag above).
-## There are various ways to get dependency output from gcc.  Here's
-## why we pick this rather obscure method:
-## - Don't want to use -MD because we'd like the dependencies to end
-##   up in a subdir.  Having to rename by hand is ugly.
-##   (We might end up doing this anyway to support other compilers.)
-## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-##   -MM, not -M (despite what the docs say).  Also, it might not be
-##   supported by the other compilers which use the 'gcc' depmode.
-## - Using -M directly means running the compiler twice (even worse
-##   than renaming).
-  if test -z "$gccflag"; then
-    gccflag=-MD,
-  fi
-  "$@" -Wp,"$gccflag$tmpdepfile"
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  # The second -e expression handles DOS-style file names with drive
-  # letters.
-  sed -e 's/^[^:]*: / /' \
-      -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the "deleted header file" problem.
-## The problem is that when a header file which appears in a .P file
-## is deleted, the dependency causes make to die (because there is
-## typically no way to rebuild the header).  We avoid this by adding
-## dummy dependencies for each header file.  Too bad gcc doesn't do
-## this for us directly.
-## Some versions of gcc put a space before the ':'.  On the theory
-## that the space means something, we add a space to the output as
-## well.  hp depmode also adds that space, but also prefixes the VPATH
-## to the object.  Take care to not repeat it in the output.
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly.  Breaking it into two sed invocations is a workaround.
-  tr ' ' "$nl" < "$tmpdepfile" \
-    | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
-    | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-hp)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-sgi)
-  if test "$libtool" = yes; then
-    "$@" "-Wp,-MDupdate,$tmpdepfile"
-  else
-    "$@" -MDupdate "$tmpdepfile"
-  fi
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-
-  if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
-    echo "$object : \\" > "$depfile"
-    # Clip off the initial element (the dependent).  Don't try to be
-    # clever and replace this with sed code, as IRIX sed won't handle
-    # lines with more than a fixed number of characters (4096 in
-    # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
-    # the IRIX cc adds comments like '#:fec' to the end of the
-    # dependency line.
-    tr ' ' "$nl" < "$tmpdepfile" \
-      | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
-      | tr "$nl" ' ' >> "$depfile"
-    echo >> "$depfile"
-    # The second pass generates a dummy entry for each header file.
-    tr ' ' "$nl" < "$tmpdepfile" \
-      | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
-      >> "$depfile"
-  else
-    make_dummy_depfile
-  fi
-  rm -f "$tmpdepfile"
-  ;;
-
-xlc)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-aix)
-  # The C for AIX Compiler uses -M and outputs the dependencies
-  # in a .u file.  In older versions, this file always lives in the
-  # current directory.  Also, the AIX compiler puts '$object:' at the
-  # start of each line; $object doesn't have directory information.
-  # Version 6 uses the directory in both cases.
-  set_dir_from "$object"
-  set_base_from "$object"
-  if test "$libtool" = yes; then
-    tmpdepfile1=$dir$base.u
-    tmpdepfile2=$base.u
-    tmpdepfile3=$dir.libs/$base.u
-    "$@" -Wc,-M
-  else
-    tmpdepfile1=$dir$base.u
-    tmpdepfile2=$dir$base.u
-    tmpdepfile3=$dir$base.u
-    "$@" -M
-  fi
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-    exit $stat
-  fi
-
-  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-  do
-    test -f "$tmpdepfile" && break
-  done
-  aix_post_process_depfile
-  ;;
-
-tcc)
-  # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
-  # FIXME: That version still under development at the moment of writing.
-  #        Make that this statement remains true also for stable, released
-  #        versions.
-  # It will wrap lines (doesn't matter whether long or short) with a
-  # trailing '\', as in:
-  #
-  #   foo.o : \
-  #    foo.c \
-  #    foo.h \
-  #
-  # It will put a trailing '\' even on the last line, and will use leading
-  # spaces rather than leading tabs (at least since its commit 0394caf7
-  # "Emit spaces for -MD").
-  "$@" -MD -MF "$tmpdepfile"
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
-  # We have to change lines of the first kind to '$object: \'.
-  sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
-  # And for each line of the second kind, we have to emit a 'dep.h:'
-  # dummy dependency, to avoid the deleted-header problem.
-  sed -n -e 's|^  *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-## The order of this option in the case statement is important, since the
-## shell code in configure will try each of these formats in the order
-## listed in this file.  A plain '-MD' option would be understood by many
-## compilers, so we must ensure this comes after the gcc and icc options.
-pgcc)
-  # Portland's C compiler understands '-MD'.
-  # Will always output deps to 'file.d' where file is the root name of the
-  # source file under compilation, even if file resides in a subdirectory.
-  # The object file name does not affect the name of the '.d' file.
-  # pgcc 10.2 will output
-  #    foo.o: sub/foo.c sub/foo.h
-  # and will wrap long lines using '\' :
-  #    foo.o: sub/foo.c ... \
-  #     sub/foo.h ... \
-  #     ...
-  set_dir_from "$object"
-  # Use the source, not the object, to determine the base name, since
-  # that's sadly what pgcc will do too.
-  set_base_from "$source"
-  tmpdepfile=$base.d
-
-  # For projects that build the same source file twice into different object
-  # files, the pgcc approach of using the *source* file root name can cause
-  # problems in parallel builds.  Use a locking strategy to avoid stomping on
-  # the same $tmpdepfile.
-  lockdir=$base.d-lock
-  trap "
-    echo '$0: caught signal, cleaning up...' >&2
-    rmdir '$lockdir'
-    exit 1
-  " 1 2 13 15
-  numtries=100
-  i=$numtries
-  while test $i -gt 0; do
-    # mkdir is a portable test-and-set.
-    if mkdir "$lockdir" 2>/dev/null; then
-      # This process acquired the lock.
-      "$@" -MD
-      stat=$?
-      # Release the lock.
-      rmdir "$lockdir"
-      break
-    else
-      # If the lock is being held by a different process, wait
-      # until the winning process is done or we timeout.
-      while test -d "$lockdir" && test $i -gt 0; do
-        sleep 1
-        i=`expr $i - 1`
-      done
-    fi
-    i=`expr $i - 1`
-  done
-  trap - 1 2 13 15
-  if test $i -le 0; then
-    echo "$0: failed to acquire lock after $numtries attempts" >&2
-    echo "$0: check lockdir '$lockdir'" >&2
-    exit 1
-  fi
-
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  # Each line is of the form `foo.o: dependent.h',
-  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
-  # Do two passes, one to just change these to
-  # `$object: dependent.h' and one to simply `dependent.h:'.
-  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
-    | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-hp2)
-  # The "hp" stanza above does not work with aCC (C++) and HP's ia64
-  # compilers, which have integrated preprocessors.  The correct option
-  # to use with these is +Maked; it writes dependencies to a file named
-  # 'foo.d', which lands next to the object file, wherever that
-  # happens to be.
-  # Much of this is similar to the tru64 case; see comments there.
-  set_dir_from  "$object"
-  set_base_from "$object"
-  if test "$libtool" = yes; then
-    tmpdepfile1=$dir$base.d
-    tmpdepfile2=$dir.libs/$base.d
-    "$@" -Wc,+Maked
-  else
-    tmpdepfile1=$dir$base.d
-    tmpdepfile2=$dir$base.d
-    "$@" +Maked
-  fi
-  stat=$?
-  if test $stat -ne 0; then
-     rm -f "$tmpdepfile1" "$tmpdepfile2"
-     exit $stat
-  fi
-
-  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
-  do
-    test -f "$tmpdepfile" && break
-  done
-  if test -f "$tmpdepfile"; then
-    sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
-    # Add 'dependent.h:' lines.
-    sed -ne '2,${
-               s/^ *//
-               s/ \\*$//
-               s/$/:/
-               p
-             }' "$tmpdepfile" >> "$depfile"
-  else
-    make_dummy_depfile
-  fi
-  rm -f "$tmpdepfile" "$tmpdepfile2"
-  ;;
-
-tru64)
-  # The Tru64 compiler uses -MD to generate dependencies as a side
-  # effect.  'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
-  # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
-  # dependencies in 'foo.d' instead, so we check for that too.
-  # Subdirectories are respected.
-  set_dir_from  "$object"
-  set_base_from "$object"
-
-  if test "$libtool" = yes; then
-    # Libtool generates 2 separate objects for the 2 libraries.  These
-    # two compilations output dependencies in $dir.libs/$base.o.d and
-    # in $dir$base.o.d.  We have to check for both files, because
-    # one of the two compilations can be disabled.  We should prefer
-    # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
-    # automatically cleaned when .libs/ is deleted, while ignoring
-    # the former would cause a distcleancheck panic.
-    tmpdepfile1=$dir$base.o.d          # libtool 1.5
-    tmpdepfile2=$dir.libs/$base.o.d    # Likewise.
-    tmpdepfile3=$dir.libs/$base.d      # Compaq CCC V6.2-504
-    "$@" -Wc,-MD
-  else
-    tmpdepfile1=$dir$base.d
-    tmpdepfile2=$dir$base.d
-    tmpdepfile3=$dir$base.d
-    "$@" -MD
-  fi
-
-  stat=$?
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-    exit $stat
-  fi
-
-  for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
-  do
-    test -f "$tmpdepfile" && break
-  done
-  # Same post-processing that is required for AIX mode.
-  aix_post_process_depfile
-  ;;
-
-msvc7)
-  if test "$libtool" = yes; then
-    showIncludes=-Wc,-showIncludes
-  else
-    showIncludes=-showIncludes
-  fi
-  "$@" $showIncludes > "$tmpdepfile"
-  stat=$?
-  grep -v '^Note: including file: ' "$tmpdepfile"
-  if test $stat -ne 0; then
-    rm -f "$tmpdepfile"
-    exit $stat
-  fi
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  # The first sed program below extracts the file names and escapes
-  # backslashes for cygpath.  The second sed program outputs the file
-  # name when reading, but also accumulates all include files in the
-  # hold buffer in order to output them again at the end.  This only
-  # works with sed implementations that can handle large buffers.
-  sed < "$tmpdepfile" -n '
-/^Note: including file:  *\(.*\)/ {
-  s//\1/
-  s/\\/\\\\/g
-  p
-}' | $cygpath_u | sort -u | sed -n '
-s/ /\\ /g
-s/\(.*\)/'"$tab"'\1 \\/p
-s/.\(.*\) \\/\1:/
-H
-$ {
-  s/.*/'"$tab"'/
-  G
-  p
-}' >> "$depfile"
-  echo >> "$depfile" # make sure the fragment doesn't end with a backslash
-  rm -f "$tmpdepfile"
-  ;;
-
-msvc7msys)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-#nosideeffect)
-  # This comment above is used by automake to tell side-effect
-  # dependency tracking mechanisms from slower ones.
-
-dashmstdout)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout, regardless of -o.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test "X$1" != 'X--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove '-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  test -z "$dashmflag" && dashmflag=-M
-  # Require at least two characters before searching for ':'
-  # in the target name.  This is to cope with DOS-style filenames:
-  # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
-  "$@" $dashmflag |
-    sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
-  rm -f "$depfile"
-  cat < "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process this sed invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  tr ' ' "$nl" < "$tmpdepfile" \
-    | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
-    | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-dashXmstdout)
-  # This case only exists to satisfy depend.m4.  It is never actually
-  # run, as this mode is specially recognized in the preamble.
-  exit 1
-  ;;
-
-makedepend)
-  "$@" || exit $?
-  # Remove any Libtool call
-  if test "$libtool" = yes; then
-    while test "X$1" != 'X--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-  # X makedepend
-  shift
-  cleared=no eat=no
-  for arg
-  do
-    case $cleared in
-    no)
-      set ""; shift
-      cleared=yes ;;
-    esac
-    if test $eat = yes; then
-      eat=no
-      continue
-    fi
-    case "$arg" in
-    -D*|-I*)
-      set fnord "$@" "$arg"; shift ;;
-    # Strip any option that makedepend may not understand.  Remove
-    # the object too, otherwise makedepend will parse it as a source file.
-    -arch)
-      eat=yes ;;
-    -*|$object)
-      ;;
-    *)
-      set fnord "$@" "$arg"; shift ;;
-    esac
-  done
-  obj_suffix=`echo "$object" | sed 's/^.*\././'`
-  touch "$tmpdepfile"
-  ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
-  rm -f "$depfile"
-  # makedepend may prepend the VPATH from the source file name to the object.
-  # No need to regex-escape $object, excess matching of '.' is harmless.
-  sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
-  # Some versions of the HPUX 10.20 sed can't process the last invocation
-  # correctly.  Breaking it into two sed invocations is a workaround.
-  sed '1,2d' "$tmpdepfile" \
-    | tr ' ' "$nl" \
-    | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
-    | sed -e 's/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile" "$tmpdepfile".bak
-  ;;
-
-cpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test "X$1" != 'X--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  # Remove '-o $object'.
-  IFS=" "
-  for arg
-  do
-    case $arg in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    *)
-      set fnord "$@" "$arg"
-      shift # fnord
-      shift # $arg
-      ;;
-    esac
-  done
-
-  "$@" -E \
-    | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-             -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-    | sed '$ s: \\$::' > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  cat < "$tmpdepfile" >> "$depfile"
-  sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-msvisualcpp)
-  # Important note: in order to support this mode, a compiler *must*
-  # always write the preprocessed file to stdout.
-  "$@" || exit $?
-
-  # Remove the call to Libtool.
-  if test "$libtool" = yes; then
-    while test "X$1" != 'X--mode=compile'; do
-      shift
-    done
-    shift
-  fi
-
-  IFS=" "
-  for arg
-  do
-    case "$arg" in
-    -o)
-      shift
-      ;;
-    $object)
-      shift
-      ;;
-    "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
-        set fnord "$@"
-        shift
-        shift
-        ;;
-    *)
-        set fnord "$@" "$arg"
-        shift
-        shift
-        ;;
-    esac
-  done
-  "$@" -E 2>/dev/null |
-  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
-  rm -f "$depfile"
-  echo "$object : \\" > "$depfile"
-  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
-  echo "$tab" >> "$depfile"
-  sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
-  rm -f "$tmpdepfile"
-  ;;
-
-msvcmsys)
-  # This case exists only to let depend.m4 do its work.  It works by
-  # looking at the text of this script.  This case will never be run,
-  # since it is checked for above.
-  exit 1
-  ;;
-
-none)
-  exec "$@"
-  ;;
-
-*)
-  echo "Unknown depmode $depmode" 1>&2
-  exit 1
-  ;;
-esac
-
-exit 0
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:

+ 0 - 22
doc/clevis-decrypt.1

@@ -1,22 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-DECRYPT" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-decrypt \-\- Decrypts using the policy defined at encryption
-time
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ decrypt\f[] CONFIG < JWE > PT
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ decrypt\f[] command decrypts data using the policy
-defined at encryption time.
-The specific decryption pin is inferred during decryption.
-There are no parameters.
-.SH SEE ALSO
-.PP
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 61
doc/clevis-encrypt-http.1

@@ -1,61 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-ENCRYPT\-HTTP" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-encrypt\-http \-\- Encrypts using a REST HTTP escrow server
-policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ encrypt\ http\f[] CONFIG < PT > JWE
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ encrypt\ http\f[] command encrypts using a REST HTTP
-escrow server policy.
-Its only argument is the JSON configuration object.
-.PP
-When using the HTTP pin, we create a new, cryptographically\-strong,
-random key.
-This key is stored in a remote HTTP escrow server (using a simple PUT or
-POST).
-Then at decryption time, we attempt to fetch the key back again in order
-to decrypt our data.
-So, for our configuration we need to pass the URL to the key location:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ http\ \[aq]{"url":"https://escrow.srv/1234"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-To decrypt the data, simply provide the ciphertext (JWE):
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-Notice that we did not pass any configuration during decryption.
-The decrypt command extracted the URL (and possibly other configuration)
-from the JWE object, fetched the encryption key from the escrow and
-performed decryption.
-.SH CONFIG
-.PP
-This command uses the following configuration properties:
-.IP \[bu] 2
-\f[C]url\f[] (string) : The URL where the key is stored (REQUIRED)
-.IP \[bu] 2
-\f[C]http\f[] (boolean) : Allow or disallow non\-TLS HTTP (default:
-false)
-.IP \[bu] 2
-\f[C]type\f[] (string) : The type of key to store (default:
-octet\-stream)
-.IP \[bu] 2
-\f[C]method\f[] (string) : The HTTP method to use (default: PUT)
-.SH SEE ALSO
-.PP
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 71
doc/clevis-encrypt-sss.1

@@ -1,71 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-ENCRYPT\-SSS" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-encrypt\-sss \-\- Encrypts using a Shamir\[aq]s Secret Sharing
-policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ encrypt\ sss\f[] CONFIG < PT > JWE
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ encrypt\ sss\f[] command encrypts using a Shamir\[aq]s
-Secret Sharing policy.
-Its only argument is the JSON configuration object.
-.PP
-Shamir\[aq]s Secret Sharing (SSS) provides a way to mix pins together to
-create sophisticated unlocking and high availability policies.
-SSS is a thresholding scheme.
-It creates a key and divides it into a number of pieces.
-Each piece is encrypted using another pin (possibly even SSS
-recursively).
-Additionally, you define the threshold \f[C]t\f[].
-If at least \f[C]t\f[] pieces can be decrypted, then the encryption key
-can be recovered and decryption can succeed.
-.PP
-For example, let\[aq]s create a high\-availability setup using Tang:
-.IP
-.nf
-\f[C]
-$\ cfg=\[aq]{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\[aq]
-$\ clevis\ encrypt\ sss\ "$cfg"\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-In this policy, we are declaring that we have a threshold of 1, but that
-there are multiple key fragments encrypted using different Tang servers.
-Since our threshold is 1, so long as any of the Tang servers are
-available, decryption will succeed.
-As always, decryption is simply:
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.SH CONFIG
-.PP
-This command uses the following configuration properties:
-.IP \[bu] 2
-\f[C]t\f[] (integer) : Number of pins required for decryption (REQUIRED)
-.IP \[bu] 2
-\f[C]pins\f[] (object) : Pins used for encrypting fragments (REQUIRED)
-.PP
-The format of the \f[C]pins\f[] property is as follows:
-.IP
-.nf
-\f[C]
-{PIN:CFG,...}\ OR\ {PIN:[CFG,CFG,...],...}
-\f[]
-.fi
-.PP
-When the list version of the format is used, multiple pins of that type
-will receive key fragments.
-.SH SEE ALSO
-.PP
-\f[C]clevis\-encrypt\-http\f[](1), \f[C]clevis\-encrypt\-tang\f[](1),
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 95
doc/clevis-encrypt-tang.1

@@ -1,95 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-ENCRYPT\-TANG" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-encrypt\-tang \-\- Encrypts using a Tang binding server policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ encrypt\ tang\f[] CONFIG < PT > JWE
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ encrypt\ tang\f[] command encrypts using a Tang binding
-server policy.
-Its only argument is the JSON configuration object.
-.PP
-Clevis provides support for the Tang network binding server.
-Tang provides a stateless, lightweight alternative to escrows.
-Encrypting data using the Tang pin works like this:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
-The\ advertisement\ contains\ the\ following\ signing\ keys:
-
-_OsIk0T\-E2l6qjfdDiwVmidoZjA
-
-Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
-\f[]
-.fi
-.PP
-To decrypt the data, just pass it to the \f[C]clevis\ decrypt\f[]
-command:
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
-If you already know the thumbprint of a trusted key, you can specify it
-in the configuration at encryption time:
-.IP
-.nf
-\f[C]
-$\ cfg=\[aq]{"url":"http://tang.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\[aq]
-$\ clevis\ encrypt\ tang\ "$cfg"\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-Obtaining the thumbprint of a trusted signing key is easy.
-If you have access to the Tang server\[aq]s database directory, simply
-do:
-.IP
-.nf
-\f[C]
-$\ jose\ jwk\ thp\ \-i\ $DBDIR/$SIG.jwk\ 
-\f[]
-.fi
-.PP
-Tang can also perform entirely offline encryption if you pre\-share the
-server advertisement.
-You can fetch the advertisement with a simple command (just be careful
-your network isn\[aq]t compromised!):
-.IP
-.nf
-\f[C]
-$\ curl\ \-f\ $URL/adv\ >\ adv.jws
-\f[]
-.fi
-.PP
-Once you have the advertisement file, just provide it:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tang\ \[aq]{"url":...,"adv":"adv.jws"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.SH CONFIG
-.PP
-This command uses the following configuration properties:
-.IP \[bu] 2
-\f[C]url\f[] (string) : The base URL of the Tang server (REQUIRED)
-.IP \[bu] 2
-\f[C]thp\f[] (string) : The thumbprint of a trusted signing key
-.IP \[bu] 2
-\f[C]adv\f[] (string) : A filename containing a trusted advertisement
-.IP \[bu] 2
-\f[C]adv\f[] (object) : A trusted advertisement (raw JSON)
-.SH SEE ALSO
-.PP
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 142
doc/clevis-encrypt-tpm2.1

@@ -1,142 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-ENCRYPT\-TPM2" "1" "November 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-encrypt\-tpm2 \-\- Encrypts using a TPM2.0 chip binding policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ encrypt\ tpm2\f[] CONFIG < PT > JWE
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ encrypt\ tpm2\f[] command encrypts using a Trusted
-Platform Module 2.0 (TPM2) chip.
-Its only argument is the JSON configuration object.
-.PP
-When using the tpm2 pin, we create a new, cryptographically\-strong,
-random key.
-This key is encrypted using the TPM2 chip.
-Then at decryption time, the key is decrypted again using the TPM2 chip.
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-The pin has reasonable defaults for its configuration, but a different
-hierarchy, hash, and key algorithms can be chosen if the defaults used
-are not suitable:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tpm2\ \[aq]{"hash":"sha1","key":"rsa"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-To decrypt the data, simply provide the ciphertext (JWE):
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-Note that like other pins no configuration is used for decryption, this
-is due clevis storing the public and private keys to unseal the TPM2
-encrypted object in the JWE so clevis can fetch that information from
-there.
-.PP
-The pin also supports sealing data to a Platform Configuration Registers
-(PCR) state.
-That way the data can only be unsealed if the PCRs hashes values match
-the policy used when sealing.
-.PP
-For example, to seal the data to the PCR with index 0 and 1 for the SHA1
-bank:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tpm2\ \[aq]{"pcr_bank":"sha1","pcr_ids":"0,1"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-The PCR digest values are looked up from the current hash values for the
-PCRs, but a digest can also be provided if the data needs to be sealed
-with values different to the current ones, by passing the binary hash
-encoded in base64:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tpm2\ \[aq]{"pcr_ids":"0","pcr_digest":"xy7J5svCtqlfM03d1lE5gdoA8MI"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.SH Threat model
-.PP
-The Clevis security model relies in the fact that an attacker will not
-be able to access both the encrypted data and the decryption key.
-.PP
-For most Clevis pins, the decryption key is not locally stored, so the
-decryption policy is only satisfied if the decryption key can be
-remotely accessed.
-It could for example be stored in a remote server or in a hardware
-authentication device that has to be plugged into the machine.
-.PP
-The tpm2 pin is different in this regard, since a key is wrapped by a
-TPM2 chip that is always present in the machine.
-This does not mean that there are not use cases for this pin, but it is
-important to understand the fact that an attacker that has access to
-both the encrypted data and the local TPM2 chip will be able to decrypt
-the data.
-.SH CONFIG
-.PP
-This command uses the following configuration properties:
-.IP \[bu] 2
-\f[C]hash\f[] (string) : Hash algorithm used in the computation of the
-object name (default: sha256)
-.PP
-It must be one of the following:
-.IP \[bu] 2
-\f[C]sha1\f[]
-.IP \[bu] 2
-\f[C]sha256\f[]
-.IP \[bu] 2
-\f[C]sha384\f[]
-.IP \[bu] 2
-\f[C]sha512\f[]
-.IP \[bu] 2
-\f[C]sm3_256\f[]
-.IP \[bu] 2
-\f[C]key\f[] (string) : Algorithm type for the generated key (default:
-ecc)
-.PP
-It must be one of the following:
-.IP \[bu] 2
-\f[C]rsa\f[]
-.IP \[bu] 2
-\f[C]keyedhash\f[]
-.IP \[bu] 2
-\f[C]ecc\f[]
-.IP \[bu] 2
-\f[C]symcipher\f[]
-.IP \[bu] 2
-\f[C]pcr_bank\f[] (string) : PCR algorithm bank to use for policy
-(default: sha1)
-.PP
-It must be one of the following:
-.IP \[bu] 2
-\f[C]sha1\f[]
-.IP \[bu] 2
-\f[C]sha256\f[]
-.IP \[bu] 2
-\f[C]pcr_ids\f[] (string) : Comma separated list of PCR used for policy.
-If not present, no policy is used
-.IP \[bu] 2
-\f[C]pcr_digest\f[] (string) : Binary PCR hashes encoded in base64.
-If not present, the hash values are looked up
-.SH SEE ALSO
-.PP
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Javier Martinez Canillas <javierm@redhat.com>.

+ 0 - 71
doc/clevis-luks-bind.1

@@ -1,71 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-LUKS\-BIND" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-luks\-bind \-\- Bind a LUKSv1 device using the specified policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ luks\ bind\f[] [\-f] \-d DEV [\-s SLT] [\-k KEY] PIN CFG
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ luks\ bind\f[] command binds a LUKSv1 device using the
-specified policy.
-This is accomplished with a simple command:
-.IP
-.nf
-\f[C]
-$\ clevis\ luks\ bind\ \-d\ /dev/sda\ tang\ \[aq]{"url":...}\[aq]
-\f[]
-.fi
-.PP
-This command performs four steps:
-.IP "1." 3
-Creates a new key with the same entropy as the LUKS master key.
-.IP "2." 3
-Encrypts the new key with Clevis.
-.IP "3." 3
-Stores the Clevis JWE in the LUKS header with LUKSMeta.
-.IP "4." 3
-Enables the new key for use with LUKS.
-.PP
-This disk can now be unlocked with your existing password as well as
-with the Clevis policy.
-You will additionally need to enable one or more of the Clevis LUKS
-unlockers.
-See \f[C]clevis\-luks\-unlockers\f[](7).
-.SH OPTIONS
-.IP \[bu] 2
-\f[C]\-f\f[] : Do not prompt for LUKSMeta initialization
-.IP \[bu] 2
-\f[C]\-d\f[] \f[I]DEV\f[] : The LUKS device on which to perform binding
-.IP \[bu] 2
-\f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot to use for metadata
-storage
-.IP \[bu] 2
-\f[C]\-k\f[] \f[I]KEY\f[] : Non\-interactively read LUKS password from
-KEY file
-.IP \[bu] 2
-\f[C]\-k\f[] \- : Non\-interactively read LUKS password from standard
-input
-.SH CAVEATS
-.PP
-This command does not change the LUKS master key.
-This implies that if you create a LUKS\-encrypted image for use in a
-Virtual Machine or Cloud environment, all the instances that run this
-image will share a master key.
-This is extremely dangerous and should be avoided at all cost.
-.PP
-This is not a limitation of Clevis but a design principle of LUKS.
-If you wish to have encrypted root volumes in the cloud, you will need
-to make sure that you perform the OS install method for each instance in
-the cloud as well.
-The images cannot be shared without also sharing a master key.
-.SH SEE ALSO
-.PP
-\f[C]clevis\-luks\-unlockers\f[](7), \f[C]clevis\-encrypt\-http\f[](1),
-\f[C]clevis\-encrypt\-tang\f[](1), \f[C]clevis\-encrypt\-sss\f[](1),
-\f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 34
doc/clevis-luks-unbind.1

@@ -1,34 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-LUKS\-UNBIND" "1" "February 2018" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-luks\-unbind \-\- Unbinds a pin bound to a LUKSv1 volume
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ luks\ unbind\f[] \-d DEV \-s SLT
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ luks\ unbind\f[] command unbinds a pin bound to a
-LUKSv1 volume.
-For example:
-.IP
-.nf
-\f[C]
-$\ clevis\ luks\ unbind\ \-d\ /dev/sda\ \-s\ 1
-\f[]
-.fi
-.SH OPTIONS
-.IP \[bu] 2
-\f[C]\-d\f[] \f[I]DEV\f[] : The bound LUKS device
-.IP \[bu] 2
-\f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot number for the pin to
-unbind
-.IP \[bu] 2
-\f[C]\-f\f[] : Do not ask for confirmation and wipe slot in batch\-mode
-.SH SEE ALSO
-.PP
-\f[C]clevis\-luks\-bind\f[](1)
-.SH AUTHORS
-Javier Martinez Canillas <javierm@redhat.com>.

+ 0 - 32
doc/clevis-luks-unlock.1

@@ -1,32 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-LUKS\-UNLOCK" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis\-luks\-unlock \-\- Unlocks a LUKSv1 device bound with a Clevis
-policy
-.SH SYNOPSIS
-.PP
-\f[C]clevis\ luks\ unlock\f[] \-d DEV [\-n NAME]
-.SH OVERVIEW
-.PP
-The \f[C]clevis\ luks\ unlock\f[] command unlocks a LUKSv1 device using
-its already provisioned Clevis policy.
-For example:
-.IP
-.nf
-\f[C]
-$\ clevis\ luks\ unlock\ \-d\ /dev/sda
-\f[]
-.fi
-.SH OPTIONS
-.IP \[bu] 2
-\f[C]\-d\f[] \f[I]DEV\f[] : The LUKS device to unlock
-.IP \[bu] 2
-\f[C]\-n\f[] \f[I]NAME\f[] : The name to give the unlocked device node
-.SH SEE ALSO
-.PP
-\f[C]clevis\-luks\-bind\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 75
doc/clevis-luks-unlockers.7

@@ -1,75 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS\-LUKS\-UNLOCKERS" "7" "October 2017" "" ""
-.hy
-.SH OVERVIEW
-.PP
-Clevis provides unlockers for LUKS volumes which can use LUKS policy:
-.IP \[bu] 2
-clevis\-luks\-unlock \- Unlocks manually using the command line.
-.IP \[bu] 2
-dracut \- Unlocks automatically during early boot.
-.IP \[bu] 2
-systemd \- Unlocks automatically during late boot.
-.IP \[bu] 2
-udisks2 \- Unlocks automatically in a GNOME desktop session.
-.PP
-Once a LUKS volume is bound using \f[C]clevis\ luks\ bind\f[], it can be
-unlocked using any of the above unlockers without using a password.
-.SH MANUAL UNLOCKING
-.PP
-You can unlock a LUKS volume manually using the following command:
-.IP
-.nf
-\f[C]
-$\ sudo\ clevis\ luks\ unlock\ \-d\ /dev/sda
-\f[]
-.fi
-.PP
-For more information, see \f[C]clevis\-luks\-unlock\f[](1).
-.SH EARLY BOOT UNLOCKING
-.PP
-If Clevis integration does not already ship in your initramfs, you may
-need to rebuild your initramfs with this command:
-.IP
-.nf
-\f[C]
-$\ sudo\ dracut\ \-f
-\f[]
-.fi
-.PP
-Once Clevis is integrated into your initramfs, a simple reboot should
-unlock your root volume.
-Note, however, that early boot integration only works for the root
-volume.
-Non\-root volumes should use the late boot unlocker.
-.PP
-Dracut will bring up your network using DHCP by default.
-If you need to specify additional network parameters, such as static IP
-configuration, please consult the dracut documentation.
-.SH LATE BOOT UNLOCKING
-.PP
-You can enable late boot unlocking by executing the following command:
-.IP
-.nf
-\f[C]
-$\ sudo\ systemctl\ enable\ clevis\-luks\-askpass.path
-\f[]
-.fi
-.PP
-After a reboot, Clevis will attempt to unlock all \f[C]_netdev\f[]
-devices listed in \f[C]/etc/crypttab\f[] when systemd prompts for their
-passwords.
-This implies that systemd support for \f[C]_netdev\f[] is required.
-.SH DESKTOP UNLOCKING
-.PP
-When the udisks2 unlocker is installed, your GNOME desktop session
-should unlock LUKS removable devices configured with Clevis
-automatically.
-You may need to restart your desktop session after installation for the
-unlocker to be loaded.
-.SH SEE ALSO
-.PP
-\f[C]clevis\-luks\-unlock\f[](1) \f[C]clevis\-luks\-bind\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 193
doc/clevis.1

@@ -1,193 +0,0 @@
-.\" Automatically generated by Pandoc 1.19.1
-.\"
-.TH "CLEVIS" "1" "September 2017" "" ""
-.hy
-.SH NAME
-.PP
-clevis \-\- Automated decryption policy framework
-.SH SYNOPSIS
-.PP
-\f[C]clevis\f[] COMMAND [OPTIONS]
-.SH OVERVIEW
-.PP
-Clevis is a framework for automated decryption policy.
-It allows you to define a policy at encryption time that must be
-satisfied for the data to decrypt.
-Once this policy is met, the data is decrypted.
-.PP
-Clevis is pluggable.
-Our plugins are called pins.
-The job of a pin is to take a policy as its first argument and plaintext
-on standard input and to encrypt the data so that it can be
-automatically decrypted if the policy is met.
-Lets walk through an example.
-.SH HTTP ESCROW
-.PP
-When using the HTTP pin, we create a new, cryptographically\-strong,
-random key.
-This key is stored in a remote HTTP escrow server (using a simple PUT or
-POST).
-Then at decryption time, we attempt to fetch the key back again in order
-to decrypt our data.
-So, for our configuration we need to pass the URL to the key location:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ http\ \[aq]{"url":"https://escrow.srv/1234"}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-To decrypt the data, simply provide the ciphertext (JWE):
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PLAINTEXT
-\f[]
-.fi
-.PP
-Notice that we did not pass any configuration during decryption.
-The decrypt command extracted the URL (and possibly other configuration)
-from the JWE object, fetched the encryption key from the escrow and
-performed decryption.
-.PP
-For more information, see \f[C]clevis\-encrypt\-http\f[](1).
-.SH TANG BINDING
-.PP
-Clevis provides support for the Tang network binding server.
-Tang provides a stateless, lightweight alternative to escrows.
-Encrypting data using the Tang pin works much like our HTTP pin above:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
-The\ advertisement\ contains\ the\ following\ signing\ keys:
-
-_OsIk0T\-E2l6qjfdDiwVmidoZjA
-
-Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
-\f[]
-.fi
-.PP
-As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
-Alternatively, Tang can perform entirely offline encryption if you
-pre\-share the server advertisement.
-Decryption, too works like our first example:
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-For more information, see \f[C]clevis\-encrypt\-tang\f[](1).
-.SH TPM2 BINDING
-.PP
-Clevis provides support to encrypt a key in a Trusted Platform Module
-2.0 (TPM2) chip.
-The cryptographically\-strong, random key used for encryption is
-encrypted using the TPM2 chip, and then at decryption time is decrypted
-using the TPM2 to allow clevis to decrypt the secret stored in the JWE.
-.PP
-Encrypting data using the tpm2 pin works the same than the pins
-mentioned above:
-.IP
-.nf
-\f[C]
-$\ clevis\ encrypt\ tpm2\ \[aq]{}\[aq]\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-The pin has reasonable defaults for its configuration, but a different
-hierarchy, hash, and key algorithms can be chosen if the defaults used
-are not suitable.
-.PP
-Decryption also works similar to other pins, only the JWE needs to be
-provided:
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-Note that like other pins no configuration is used for decryption, this
-is due clevis storing the public and private keys to unseal the TPM2
-encrypted object in the JWE so clevis can fetch that information from
-there.
-.PP
-For more information see \f[C]clevis\-encrypt\-tpm2\f[](1).
-.SH SHAMIR\[aq]S SECRET SHARING
-.PP
-Clevis provides a way to mix pins together to create sophisticated
-unlocking and high availability policies.
-This is accomplished by using an algorithm called Shamir\[aq]s Secret
-Sharing (SSS).
-.PP
-SSS is a thresholding scheme.
-It creates a key and divides it into a number of pieces.
-Each piece is encrypted using another pin (possibly even SSS
-recursively).
-Additionally, you define the threshold \f[C]t\f[].
-If at least \f[C]t\f[] pieces can be decrypted, then the encryption key
-can be recovered and decryption can succeed.
-.PP
-For example, let\[aq]s create a high\-availability setup using Tang:
-.IP
-.nf
-\f[C]
-$\ cfg=\[aq]{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\[aq]
-$\ clevis\ encrypt\ sss\ "$cfg"\ <\ PT\ >\ JWE
-\f[]
-.fi
-.PP
-In this policy, we are declaring that we have a threshold of 1, but that
-there are multiple key fragments encrypted using different Tang servers.
-Since our threshold is 1, so long as any of the Tang servers are
-available, decryption will succeed.
-As always, decryption is simply:
-.IP
-.nf
-\f[C]
-$\ clevis\ decrypt\ <\ JWE\ >\ PT
-\f[]
-.fi
-.PP
-For more information, see \f[C]clevis\-encrypt\-tang\f[](1).
-.SH LUKS BINDING
-.PP
-Clevis can be used to bind an existing LUKS volume to its automation
-policy.
-This is accomplished with a simple command:
-.IP
-.nf
-\f[C]
-$\ clevis\ luks\ bind\ \-d\ /dev/sda\ tang\ \[aq]{"url":...}\[aq]
-\f[]
-.fi
-.PP
-This command performs four steps:
-.IP "1." 3
-Creates a new key with the same entropy as the LUKS master key.
-.IP "2." 3
-Encrypts the new key with Clevis.
-.IP "3." 3
-Stores the Clevis JWE in the LUKS header with LUKSMeta.
-.IP "4." 3
-Enables the new key for use with LUKS.
-.PP
-This disk can now be unlocked with your existing password as well as
-with the Clevis policy.
-Clevis provides two unlockers for LUKS volumes.
-First, we provide integration with Dracut to automatically unlock your
-root volume during early boot.
-Second, we provide integration with UDisks2 to automatically unlock your
-removable media in your desktop session.
-.PP
-For more information, see \f[C]clevis\-luks\-bind\f[](1).
-.SH SEE ALSO
-.PP
-\f[C]clevis\-encrypt\-http\f[](1), \f[C]clevis\-encrypt\-tang\f[](1),
-\f[C]clevis\-encrypt\-tpm2\f[](1), \f[C]clevis\-encrypt\-sss\f[](1),
-\f[C]clevis\-luks\-bind\f[](1), \f[C]clevis\-decrypt\f[](1)
-.SH AUTHORS
-Nathaniel McCallum <npmccallum@redhat.com>.

+ 0 - 501
install-sh

@@ -1,501 +0,0 @@
-#!/bin/sh
-# install - install a program, script, or datafile
-
-scriptversion=2016-01-11.22; # UTC
-
-# This originates from X11R5 (mit/util/scripts/install.sh), which was
-# later released in X11R6 (xc/config/util/install.sh) with the
-# following copyright and license.
-#
-# Copyright (C) 1994 X Consortium
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
-# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
-# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-# Except as contained in this notice, the name of the X Consortium shall not
-# be used in advertising or otherwise to promote the sale, use or other deal-
-# ings in this Software without prior written authorization from the X Consor-
-# tium.
-#
-#
-# FSF changes to this file are in the public domain.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# 'make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.
-
-tab='	'
-nl='
-'
-IFS=" $tab$nl"
-
-# Set DOITPROG to "echo" to test this script.
-
-doit=${DOITPROG-}
-doit_exec=${doit:-exec}
-
-# Put in absolute file names if you don't have them in your path;
-# or use environment vars.
-
-chgrpprog=${CHGRPPROG-chgrp}
-chmodprog=${CHMODPROG-chmod}
-chownprog=${CHOWNPROG-chown}
-cmpprog=${CMPPROG-cmp}
-cpprog=${CPPROG-cp}
-mkdirprog=${MKDIRPROG-mkdir}
-mvprog=${MVPROG-mv}
-rmprog=${RMPROG-rm}
-stripprog=${STRIPPROG-strip}
-
-posix_mkdir=
-
-# Desired mode of installed file.
-mode=0755
-
-chgrpcmd=
-chmodcmd=$chmodprog
-chowncmd=
-mvcmd=$mvprog
-rmcmd="$rmprog -f"
-stripcmd=
-
-src=
-dst=
-dir_arg=
-dst_arg=
-
-copy_on_change=false
-is_target_a_directory=possibly
-
-usage="\
-Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
-   or: $0 [OPTION]... SRCFILES... DIRECTORY
-   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
-   or: $0 [OPTION]... -d DIRECTORIES...
-
-In the 1st form, copy SRCFILE to DSTFILE.
-In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
-In the 4th, create DIRECTORIES.
-
-Options:
-     --help     display this help and exit.
-     --version  display version info and exit.
-
-  -c            (ignored)
-  -C            install only if different (preserve the last data modification time)
-  -d            create directories instead of installing files.
-  -g GROUP      $chgrpprog installed files to GROUP.
-  -m MODE       $chmodprog installed files to MODE.
-  -o USER       $chownprog installed files to USER.
-  -s            $stripprog installed files.
-  -t DIRECTORY  install into DIRECTORY.
-  -T            report an error if DSTFILE is a directory.
-
-Environment variables override the default commands:
-  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
-  RMPROG STRIPPROG
-"
-
-while test $# -ne 0; do
-  case $1 in
-    -c) ;;
-
-    -C) copy_on_change=true;;
-
-    -d) dir_arg=true;;
-
-    -g) chgrpcmd="$chgrpprog $2"
-        shift;;
-
-    --help) echo "$usage"; exit $?;;
-
-    -m) mode=$2
-        case $mode in
-          *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
-            echo "$0: invalid mode: $mode" >&2
-            exit 1;;
-        esac
-        shift;;
-
-    -o) chowncmd="$chownprog $2"
-        shift;;
-
-    -s) stripcmd=$stripprog;;
-
-    -t)
-        is_target_a_directory=always
-        dst_arg=$2
-        # Protect names problematic for 'test' and other utilities.
-        case $dst_arg in
-          -* | [=\(\)!]) dst_arg=./$dst_arg;;
-        esac
-        shift;;
-
-    -T) is_target_a_directory=never;;
-
-    --version) echo "$0 $scriptversion"; exit $?;;
-
-    --) shift
-        break;;
-
-    -*) echo "$0: invalid option: $1" >&2
-        exit 1;;
-
-    *)  break;;
-  esac
-  shift
-done
-
-# We allow the use of options -d and -T together, by making -d
-# take the precedence; this is for compatibility with GNU install.
-
-if test -n "$dir_arg"; then
-  if test -n "$dst_arg"; then
-    echo "$0: target directory not allowed when installing a directory." >&2
-    exit 1
-  fi
-fi
-
-if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
-  # When -d is used, all remaining arguments are directories to create.
-  # When -t is used, the destination is already specified.
-  # Otherwise, the last argument is the destination.  Remove it from $@.
-  for arg
-  do
-    if test -n "$dst_arg"; then
-      # $@ is not empty: it contains at least $arg.
-      set fnord "$@" "$dst_arg"
-      shift # fnord
-    fi
-    shift # arg
-    dst_arg=$arg
-    # Protect names problematic for 'test' and other utilities.
-    case $dst_arg in
-      -* | [=\(\)!]) dst_arg=./$dst_arg;;
-    esac
-  done
-fi
-
-if test $# -eq 0; then
-  if test -z "$dir_arg"; then
-    echo "$0: no input file specified." >&2
-    exit 1
-  fi
-  # It's OK to call 'install-sh -d' without argument.
-  # This can happen when creating conditional directories.
-  exit 0
-fi
-
-if test -z "$dir_arg"; then
-  if test $# -gt 1 || test "$is_target_a_directory" = always; then
-    if test ! -d "$dst_arg"; then
-      echo "$0: $dst_arg: Is not a directory." >&2
-      exit 1
-    fi
-  fi
-fi
-
-if test -z "$dir_arg"; then
-  do_exit='(exit $ret); exit $ret'
-  trap "ret=129; $do_exit" 1
-  trap "ret=130; $do_exit" 2
-  trap "ret=141; $do_exit" 13
-  trap "ret=143; $do_exit" 15
-
-  # Set umask so as not to create temps with too-generous modes.
-  # However, 'strip' requires both read and write access to temps.
-  case $mode in
-    # Optimize common cases.
-    *644) cp_umask=133;;
-    *755) cp_umask=22;;
-
-    *[0-7])
-      if test -z "$stripcmd"; then
-        u_plus_rw=
-      else
-        u_plus_rw='% 200'
-      fi
-      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
-    *)
-      if test -z "$stripcmd"; then
-        u_plus_rw=
-      else
-        u_plus_rw=,u+rw
-      fi
-      cp_umask=$mode$u_plus_rw;;
-  esac
-fi
-
-for src
-do
-  # Protect names problematic for 'test' and other utilities.
-  case $src in
-    -* | [=\(\)!]) src=./$src;;
-  esac
-
-  if test -n "$dir_arg"; then
-    dst=$src
-    dstdir=$dst
-    test -d "$dstdir"
-    dstdir_status=$?
-  else
-
-    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
-    # might cause directories to be created, which would be especially bad
-    # if $src (and thus $dsttmp) contains '*'.
-    if test ! -f "$src" && test ! -d "$src"; then
-      echo "$0: $src does not exist." >&2
-      exit 1
-    fi
-
-    if test -z "$dst_arg"; then
-      echo "$0: no destination specified." >&2
-      exit 1
-    fi
-    dst=$dst_arg
-
-    # If destination is a directory, append the input filename; won't work
-    # if double slashes aren't ignored.
-    if test -d "$dst"; then
-      if test "$is_target_a_directory" = never; then
-        echo "$0: $dst_arg: Is a directory" >&2
-        exit 1
-      fi
-      dstdir=$dst
-      dst=$dstdir/`basename "$src"`
-      dstdir_status=0
-    else
-      dstdir=`dirname "$dst"`
-      test -d "$dstdir"
-      dstdir_status=$?
-    fi
-  fi
-
-  obsolete_mkdir_used=false
-
-  if test $dstdir_status != 0; then
-    case $posix_mkdir in
-      '')
-        # Create intermediate dirs using mode 755 as modified by the umask.
-        # This is like FreeBSD 'install' as of 1997-10-28.
-        umask=`umask`
-        case $stripcmd.$umask in
-          # Optimize common cases.
-          *[2367][2367]) mkdir_umask=$umask;;
-          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
-
-          *[0-7])
-            mkdir_umask=`expr $umask + 22 \
-              - $umask % 100 % 40 + $umask % 20 \
-              - $umask % 10 % 4 + $umask % 2
-            `;;
-          *) mkdir_umask=$umask,go-w;;
-        esac
-
-        # With -d, create the new directory with the user-specified mode.
-        # Otherwise, rely on $mkdir_umask.
-        if test -n "$dir_arg"; then
-          mkdir_mode=-m$mode
-        else
-          mkdir_mode=
-        fi
-
-        posix_mkdir=false
-        case $umask in
-          *[123567][0-7][0-7])
-            # POSIX mkdir -p sets u+wx bits regardless of umask, which
-            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
-            ;;
-          *)
-            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-            trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
-
-            if (umask $mkdir_umask &&
-                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
-            then
-              if test -z "$dir_arg" || {
-                   # Check for POSIX incompatibilities with -m.
-                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-                   # other-writable bit of parent directory when it shouldn't.
-                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-                   ls_ld_tmpdir=`ls -ld "$tmpdir"`
-                   case $ls_ld_tmpdir in
-                     d????-?r-*) different_mode=700;;
-                     d????-?--*) different_mode=755;;
-                     *) false;;
-                   esac &&
-                   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-                     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
-                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
-                   }
-                 }
-              then posix_mkdir=:
-              fi
-              rmdir "$tmpdir/d" "$tmpdir"
-            else
-              # Remove any dirs left behind by ancient mkdir implementations.
-              rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
-            fi
-            trap '' 0;;
-        esac;;
-    esac
-
-    if
-      $posix_mkdir && (
-        umask $mkdir_umask &&
-        $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
-      )
-    then :
-    else
-
-      # The umask is ridiculous, or mkdir does not conform to POSIX,
-      # or it failed possibly due to a race condition.  Create the
-      # directory the slow way, step by step, checking for races as we go.
-
-      case $dstdir in
-        /*) prefix='/';;
-        [-=\(\)!]*) prefix='./';;
-        *)  prefix='';;
-      esac
-
-      oIFS=$IFS
-      IFS=/
-      set -f
-      set fnord $dstdir
-      shift
-      set +f
-      IFS=$oIFS
-
-      prefixes=
-
-      for d
-      do
-        test X"$d" = X && continue
-
-        prefix=$prefix$d
-        if test -d "$prefix"; then
-          prefixes=
-        else
-          if $posix_mkdir; then
-            (umask=$mkdir_umask &&
-             $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
-            # Don't fail if two instances are running concurrently.
-            test -d "$prefix" || exit 1
-          else
-            case $prefix in
-              *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
-              *) qprefix=$prefix;;
-            esac
-            prefixes="$prefixes '$qprefix'"
-          fi
-        fi
-        prefix=$prefix/
-      done
-
-      if test -n "$prefixes"; then
-        # Don't fail if two instances are running concurrently.
-        (umask $mkdir_umask &&
-         eval "\$doit_exec \$mkdirprog $prefixes") ||
-          test -d "$dstdir" || exit 1
-        obsolete_mkdir_used=true
-      fi
-    fi
-  fi
-
-  if test -n "$dir_arg"; then
-    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
-    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
-      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
-  else
-
-    # Make a couple of temp file names in the proper directory.
-    dsttmp=$dstdir/_inst.$$_
-    rmtmp=$dstdir/_rm.$$_
-
-    # Trap to clean up those temp files at exit.
-    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
-
-    # Copy the file name to the temp name.
-    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
-
-    # and set any options; do chmod last to preserve setuid bits.
-    #
-    # If any of these fail, we abort the whole thing.  If we want to
-    # ignore errors from any of these, just make sure not to ignore
-    # errors from the above "$doit $cpprog $src $dsttmp" command.
-    #
-    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
-    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
-    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
-
-    # If -C, don't bother to copy if it wouldn't change the file.
-    if $copy_on_change &&
-       old=`LC_ALL=C ls -dlL "$dst"     2>/dev/null` &&
-       new=`LC_ALL=C ls -dlL "$dsttmp"  2>/dev/null` &&
-       set -f &&
-       set X $old && old=:$2:$4:$5:$6 &&
-       set X $new && new=:$2:$4:$5:$6 &&
-       set +f &&
-       test "$old" = "$new" &&
-       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
-    then
-      rm -f "$dsttmp"
-    else
-      # Rename the file to the real destination.
-      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
-
-      # The rename failed, perhaps because mv can't rename something else
-      # to itself, or perhaps because mv is so ancient that it does not
-      # support -f.
-      {
-        # Now remove or move aside any old file at destination location.
-        # We try this two ways since rm can't unlink itself on some
-        # systems and the destination file might be busy for other
-        # reasons.  In this case, the final cleanup might fail but the new
-        # file should still install successfully.
-        {
-          test ! -f "$dst" ||
-          $doit $rmcmd -f "$dst" 2>/dev/null ||
-          { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
-            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
-          } ||
-          { echo "$0: cannot unlink or rename $dst" >&2
-            (exit 1); exit 1
-          }
-        } &&
-
-        # Now rename the file to the real destination.
-        $doit $mvcmd "$dsttmp" "$dst"
-      }
-    fi || exit 1
-
-    trap '' 0
-  fi
-done
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:

+ 60 - 0
meson.build

@@ -0,0 +1,60 @@
+project('clevis', 'c', license: 'GPL3+', version: '11',
+        default_options: 'c_std=c99')
+
+libexecdir = join_paths(get_option('prefix'), get_option('libexecdir'))
+sysconfdir = join_paths(get_option('prefix'), get_option('sysconfdir'))
+bindir = join_paths(get_option('prefix'), get_option('bindir'))
+
+data = configuration_data()
+data.set('libexecdir', libexecdir)
+data.set('sysconfdir', sysconfdir)
+data.set('bindir', bindir)
+
+add_project_arguments(
+  '-Wall',
+  '-Wextra',
+  '-Werror',
+  '-Wstrict-aliasing',
+  '-Wchar-subscripts',
+  '-Wformat-security',
+  '-Wmissing-declarations',
+  '-Wmissing-prototypes',
+  '-Wnested-externs',
+  '-Wpointer-arith',
+  '-Wshadow',
+  '-Wsign-compare',
+  '-Wstrict-prototypes',
+  '-Wtype-limits',
+  '-Wunused-function',
+  '-Wno-missing-field-initializers',
+  '-Wno-unused-parameter',
+  '-Wno-unknown-pragmas',
+  '-D_POSIX_C_SOURCE=200112L',
+  '-DBINDIR="' + bindir + '"',
+  '-DCLEVIS_USER="' + get_option('user') + '"',
+  '-DCLEVIS_GROUP="' + get_option('group') + '"',
+  language: 'c'
+)
+
+jansson = dependency('jansson', version: '>=2.10', required: false)
+jose = dependency('jose', version: '>=8')
+a2x = find_program('a2x', required: false)
+
+bins = []
+mans = []
+
+subdir('src')
+
+install_data(bins, install_dir: bindir)
+
+if a2x.found()
+  foreach m : mans
+    custom_target(m.split('/')[-1], input: m + '.adoc', output: m.split('/')[-1],
+      command: [a2x, '-f', 'manpage', '-D', meson.current_build_dir(), '@INPUT@'],
+      install_dir: join_paths(get_option('mandir'), 'man' + m.split('.')[-1]),
+      install: true
+    )
+  endforeach
+else
+  warning('Will not build man pages due to missing dependencies!')
+endif
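Review bot: The `user` and `group` option values are concatenated straight into `-DCLEVIS_USER="..."` and `-DCLEVIS_GROUP="..."` in `add_project_arguments` with no validation. An empty value, or one containing a double quote or backslash, would produce an empty or malformed C string literal for the account that meson_options.txt describes as the unprivileged one for secure operations. How the C code handles an empty or unknown name is not visible in this section, so failing at configure time is the safer default: add `if get_option('user') == '' or get_option('group') == ''`, `error('user and group options must be non-empty')`, `endif` before the `add_project_arguments` call. Separately, `-Werror` is hard-coded in the same list, so a newer compiler that adds a warning will break downstream builds; Meson's built-in `werror` option would let packagers turn it off without patching.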

+ 3 - 0
meson_options.txt

@@ -0,0 +1,3 @@
+option('user', type: 'string', value: 'clevis', description: 'Unprivileged user for secure clevis operations')
+option('group', type: 'string', value: 'clevis', description: 'Unprivileged group for secure clevis operations')
+

+ 0 - 215
missing

@@ -1,215 +0,0 @@
-#! /bin/sh
-# Common wrapper for a few potentially missing GNU programs.
-
-scriptversion=2016-01-11.22; # UTC
-
-# Copyright (C) 1996-2017 Free Software Foundation, Inc.
-# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-if test $# -eq 0; then
-  echo 1>&2 "Try '$0 --help' for more information"
-  exit 1
-fi
-
-case $1 in
-
-  --is-lightweight)
-    # Used by our autoconf macros to check whether the available missing
-    # script is modern enough.
-    exit 0
-    ;;
-
-  --run)
-    # Back-compat with the calling convention used by older automake.
-    shift
-    ;;
-
-  -h|--h|--he|--hel|--help)
-    echo "\
-$0 [OPTION]... PROGRAM [ARGUMENT]...
-
-Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
-to PROGRAM being missing or too old.
-
-Options:
-  -h, --help      display this help and exit
-  -v, --version   output version information and exit
-
-Supported PROGRAM values:
-  aclocal   autoconf  autoheader   autom4te  automake  makeinfo
-  bison     yacc      flex         lex       help2man
-
-Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
-'g' are ignored when checking the name.
-
-Send bug reports to <bug-automake@gnu.org>."
-    exit $?
-    ;;
-
-  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
-    echo "missing $scriptversion (GNU Automake)"
-    exit $?
-    ;;
-
-  -*)
-    echo 1>&2 "$0: unknown '$1' option"
-    echo 1>&2 "Try '$0 --help' for more information"
-    exit 1
-    ;;
-
-esac
-
-# Run the given program, remember its exit status.
-"$@"; st=$?
-
-# If it succeeded, we are done.
-test $st -eq 0 && exit 0
-
-# Also exit now if we it failed (or wasn't found), and '--version' was
-# passed; such an option is passed most likely to detect whether the
-# program is present and works.
-case $2 in --version|--help) exit $st;; esac
-
-# Exit code 63 means version mismatch.  This often happens when the user
-# tries to use an ancient version of a tool on a file that requires a
-# minimum version.
-if test $st -eq 63; then
-  msg="probably too old"
-elif test $st -eq 127; then
-  # Program was missing.
-  msg="missing on your system"
-else
-  # Program was found and executed, but failed.  Give up.
-  exit $st
-fi
-
-perl_URL=http://www.perl.org/
-flex_URL=http://flex.sourceforge.net/
-gnu_software_URL=http://www.gnu.org/software
-
-program_details ()
-{
-  case $1 in
-    aclocal|automake)
-      echo "The '$1' program is part of the GNU Automake package:"
-      echo "<$gnu_software_URL/automake>"
-      echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
-      echo "<$gnu_software_URL/autoconf>"
-      echo "<$gnu_software_URL/m4/>"
-      echo "<$perl_URL>"
-      ;;
-    autoconf|autom4te|autoheader)
-      echo "The '$1' program is part of the GNU Autoconf package:"
-      echo "<$gnu_software_URL/autoconf/>"
-      echo "It also requires GNU m4 and Perl in order to run:"
-      echo "<$gnu_software_URL/m4/>"
-      echo "<$perl_URL>"
-      ;;
-  esac
-}
-
-give_advice ()
-{
-  # Normalize program name to check for.
-  normalized_program=`echo "$1" | sed '
-    s/^gnu-//; t
-    s/^gnu//; t
-    s/^g//; t'`
-
-  printf '%s\n' "'$1' is $msg."
-
-  configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
-  case $normalized_program in
-    autoconf*)
-      echo "You should only need it if you modified 'configure.ac',"
-      echo "or m4 files included by it."
-      program_details 'autoconf'
-      ;;
-    autoheader*)
-      echo "You should only need it if you modified 'acconfig.h' or"
-      echo "$configure_deps."
-      program_details 'autoheader'
-      ;;
-    automake*)
-      echo "You should only need it if you modified 'Makefile.am' or"
-      echo "$configure_deps."
-      program_details 'automake'
-      ;;
-    aclocal*)
-      echo "You should only need it if you modified 'acinclude.m4' or"
-      echo "$configure_deps."
-      program_details 'aclocal'
-      ;;
-   autom4te*)
-      echo "You might have modified some maintainer files that require"
-      echo "the 'autom4te' program to be rebuilt."
-      program_details 'autom4te'
-      ;;
-    bison*|yacc*)
-      echo "You should only need it if you modified a '.y' file."
-      echo "You may want to install the GNU Bison package:"
-      echo "<$gnu_software_URL/bison/>"
-      ;;
-    lex*|flex*)
-      echo "You should only need it if you modified a '.l' file."
-      echo "You may want to install the Fast Lexical Analyzer package:"
-      echo "<$flex_URL>"
-      ;;
-    help2man*)
-      echo "You should only need it if you modified a dependency" \
-           "of a man page."
-      echo "You may want to install the GNU Help2man package:"
-      echo "<$gnu_software_URL/help2man/>"
-    ;;
-    makeinfo*)
-      echo "You should only need it if you modified a '.texi' file, or"
-      echo "any other file indirectly affecting the aspect of the manual."
-      echo "You might want to install the Texinfo package:"
-      echo "<$gnu_software_URL/texinfo/>"
-      echo "The spurious makeinfo call might also be the consequence of"
-      echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
-      echo "want to install GNU make:"
-      echo "<$gnu_software_URL/make/>"
-      ;;
-    *)
-      echo "You might have modified some files without having the proper"
-      echo "tools for further handling them.  Check the 'README' file, it"
-      echo "often tells you about the needed prerequisites for installing"
-      echo "this package.  You may also peek at any GNU archive site, in"
-      echo "case some other package contains this missing '$1' program."
-      ;;
-  esac
-}
-
-give_advice "$1" | sed -e '1s/^/WARNING: /' \
-                       -e '2,$s/^/         /' >&2
-
-# Propagate the correct exit status (expected to be 127 for a program
-# not found, 63 for a program that failed due to version mismatch).
-exit $st
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:

+ 0 - 38
src/Makefile.am

@@ -1,38 +0,0 @@
-SUBDIRS=dracut systemd udisks2 .
-
-AM_CFLAGS = \
-    @CLEVIS_CFLAGS@ \
-    @jansson_CFLAGS@ \
-    @libcrypto_CFLAGS@ \
-    @jose_CFLAGS@
-
-dist_check_SCRIPTS = \
-    clevis-encrypt-test \
-    clevis-decrypt-test
-
-bin_PROGRAMS = \
-    clevis-encrypt-sss \
-    clevis-decrypt-sss
-
-dist_bin_SCRIPTS = \
-    clevis-encrypt-http \
-    clevis-encrypt-tang \
-    clevis-decrypt-http \
-    clevis-decrypt-tang \
-    clevis-bind-luks \
-    clevis-luks-unlock \
-    clevis-luks-bind \
-    clevis-luks-unbind \
-    clevis-decrypt \
-    clevis
-
-if HAVE_TPM2_TOOLS
-    dist_bin_SCRIPTS += \
-    clevis-encrypt-tpm2 \
-    clevis-decrypt-tpm2
-endif
-
-clevis_encrypt_sss_SOURCES = clevis-encrypt-sss.c sss.c sss.h
-clevis_decrypt_sss_SOURCES = clevis-decrypt-sss.c sss.c sss.h
-clevis_encrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@
-clevis_decrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@

+ 0 - 822
src/Makefile.in

@@ -1,822 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-bin_PROGRAMS = clevis-encrypt-sss$(EXEEXT) clevis-decrypt-sss$(EXEEXT)
-@HAVE_TPM2_TOOLS_TRUE@am__append_1 = \
-@HAVE_TPM2_TOOLS_TRUE@    clevis-encrypt-tpm2 \
-@HAVE_TPM2_TOOLS_TRUE@    clevis-decrypt-tpm2
-
-subdir = src
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_bin_SCRIPTS_DIST) \
-	$(dist_check_SCRIPTS) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(bindir)"
-PROGRAMS = $(bin_PROGRAMS)
-am_clevis_decrypt_sss_OBJECTS = clevis-decrypt-sss.$(OBJEXT) \
-	sss.$(OBJEXT)
-clevis_decrypt_sss_OBJECTS = $(am_clevis_decrypt_sss_OBJECTS)
-clevis_decrypt_sss_DEPENDENCIES =
-am_clevis_encrypt_sss_OBJECTS = clevis-encrypt-sss.$(OBJEXT) \
-	sss.$(OBJEXT)
-clevis_encrypt_sss_OBJECTS = $(am_clevis_encrypt_sss_OBJECTS)
-clevis_encrypt_sss_DEPENDENCIES =
-am__dist_bin_SCRIPTS_DIST = clevis-encrypt-http clevis-encrypt-tang \
-	clevis-decrypt-http clevis-decrypt-tang clevis-bind-luks \
-	clevis-luks-unlock clevis-luks-bind clevis-luks-unbind \
-	clevis-decrypt clevis clevis-encrypt-tpm2 clevis-decrypt-tpm2
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-SCRIPTS = $(dist_bin_SCRIPTS)
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(clevis_decrypt_sss_SOURCES) $(clevis_encrypt_sss_SOURCES)
-DIST_SOURCES = $(clevis_decrypt_sss_SOURCES) \
-	$(clevis_encrypt_sss_SOURCES)
-RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
-	ctags-recursive dvi-recursive html-recursive info-recursive \
-	install-data-recursive install-dvi-recursive \
-	install-exec-recursive install-html-recursive \
-	install-info-recursive install-pdf-recursive \
-	install-ps-recursive install-recursive installcheck-recursive \
-	installdirs-recursive pdf-recursive ps-recursive \
-	tags-recursive uninstall-recursive
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-am__recursive_targets = \
-  $(RECURSIVE_TARGETS) \
-  $(RECURSIVE_CLEAN_TARGETS) \
-  $(am__extra_recursive_targets)
-AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	distdir
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-DIST_SUBDIRS = $(SUBDIRS)
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-SUBDIRS = dracut systemd udisks2 .
-AM_CFLAGS = \
-    @CLEVIS_CFLAGS@ \
-    @jansson_CFLAGS@ \
-    @libcrypto_CFLAGS@ \
-    @jose_CFLAGS@
-
-dist_check_SCRIPTS = \
-    clevis-encrypt-test \
-    clevis-decrypt-test
-
-dist_bin_SCRIPTS = clevis-encrypt-http clevis-encrypt-tang \
-	clevis-decrypt-http clevis-decrypt-tang clevis-bind-luks \
-	clevis-luks-unlock clevis-luks-bind clevis-luks-unbind \
-	clevis-decrypt clevis $(am__append_1)
-clevis_encrypt_sss_SOURCES = clevis-encrypt-sss.c sss.c sss.h
-clevis_decrypt_sss_SOURCES = clevis-decrypt-sss.c sss.c sss.h
-clevis_encrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@
-clevis_decrypt_sss_LDADD = @jose_LIBS@ @libcrypto_LIBS@
-all: all-recursive
-
-.SUFFIXES:
-.SUFFIXES: .c .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign src/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	      echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
-	      $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-binPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
-	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
-
-clevis-decrypt-sss$(EXEEXT): $(clevis_decrypt_sss_OBJECTS) $(clevis_decrypt_sss_DEPENDENCIES) $(EXTRA_clevis_decrypt_sss_DEPENDENCIES) 
-	@rm -f clevis-decrypt-sss$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(clevis_decrypt_sss_OBJECTS) $(clevis_decrypt_sss_LDADD) $(LIBS)
-
-clevis-encrypt-sss$(EXEEXT): $(clevis_encrypt_sss_OBJECTS) $(clevis_encrypt_sss_DEPENDENCIES) $(EXTRA_clevis_encrypt_sss_DEPENDENCIES) 
-	@rm -f clevis-encrypt-sss$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(clevis_encrypt_sss_OBJECTS) $(clevis_encrypt_sss_LDADD) $(LIBS)
-install-dist_binSCRIPTS: $(dist_bin_SCRIPTS)
-	@$(NORMAL_INSTALL)
-	@list='$(dist_bin_SCRIPTS)'; test -n "$(bindir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n' \
-	    -e 'h;s|.*|.|' \
-	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
-	      if (++n[d] == $(am__install_max)) { \
-		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
-	    else { print "f", d "/" $$4, $$1 } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	     test -z "$$files" || { \
-	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(bindir)$$dir'"; \
-	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
-	     } \
-	; done
-
-uninstall-dist_binSCRIPTS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_bin_SCRIPTS)'; test -n "$(bindir)" || exit 0; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	       sed -e 's,.*/,,;$(transform)'`; \
-	dir='$(DESTDIR)$(bindir)'; $(am__uninstall_files_from_dir)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clevis-decrypt-sss.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clevis-encrypt-sss.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sss.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run 'make' without going through this Makefile.
-# To change the values of 'make' variables: instead of editing Makefiles,
-# (1) if the variable is set in 'config.status', edit 'config.status'
-#     (which will cause the Makefiles to be regenerated when you run 'make');
-# (2) otherwise, pass the desired values on the 'make' command line.
-$(am__recursive_targets):
-	@fail=; \
-	if $(am__make_keepgoing); then \
-	  failcom='fail=yes'; \
-	else \
-	  failcom='exit 1'; \
-	fi; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-recursive
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-recursive
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-recursive
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    $(am__make_dryrun) \
-	      || test -d "$(distdir)/$$subdir" \
-	      || $(MKDIR_P) "$(distdir)/$$subdir" \
-	      || exit 1; \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
-check: check-recursive
-all-am: Makefile $(PROGRAMS) $(SCRIPTS)
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(bindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-binPROGRAMS clean-generic mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-html-am:
-
-info: info-recursive
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-recursive
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS install-dist_binSCRIPTS
-
-install-html: install-html-recursive
-
-install-html-am:
-
-install-info: install-info-recursive
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-recursive
-
-install-pdf-am:
-
-install-ps: install-ps-recursive
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS uninstall-dist_binSCRIPTS
-
-.MAKE: $(am__recursive_targets) check-am install-am install-strip
-
-.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
-	check-am clean clean-binPROGRAMS clean-generic cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-binPROGRAMS install-data \
-	install-data-am install-dist_binSCRIPTS install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	installdirs-am maintainer-clean maintainer-clean-generic \
-	mostlyclean mostlyclean-compile mostlyclean-generic pdf pdf-am \
-	ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-binPROGRAMS uninstall-dist_binSCRIPTS
-
-.PRECIOUS: Makefile
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

+ 26 - 0
src/bash/clevis

@@ -0,0 +1,26 @@
+# bash completion support for clevis
+
+_clevis()
+{
+    dir=$(dirname $(which clevis))
+    cur=${COMP_WORDS[COMP_CWORD]}
+    field=$(($COMP_CWORD + 1))
+
+    if [[ ${COMP_WORDS[COMP_CWORD-1]} == "clevis" ]]; then
+       name=clevis-*
+    fi
+
+    if [[ ${COMP_WORDS[COMP_CWORD-2]} == "clevis" ]]; then
+       name=clevis-${COMP_WORDS[COMP_CWORD-1]}-*
+    fi
+
+    suggestions=$(find $dir -name $name | cut -d '-' -f$field | sort | uniq)
+
+    if [[ -n $cur ]]; then
+       suggestions=$(for word in ${suggestions[@]}; do echo $word | grep $cur; done)
+    fi
+
+    COMPREPLY=($(compgen -W "$suggestions" -- "$cur"))
+}
+
+complete -F _clevis clevis
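Review bot: In `_clevis`, `find $dir -name $name` passes `$name` unquoted, so the `clevis-*` pattern is glob-expanded against the user's current directory before `find` sees it. `grep $cur` likewise hands the half-typed word to grep as an unquoted regex or option. None of `dir`, `cur`, `field`, `name` or `suggestions` is declared `local`, so they leak into the interactive shell, and `name` keeps its value from the previous completion when neither `== "clevis"` test matches. I would declare the variables local, quote every expansion, resolve the binary with `command -v` and return early when it is not found. The grep pre-filter can go, since `compgen -W … -- "$cur"` already filters by prefix.

```shell
_clevis()
{
    local bin dir cur field name suggestions

    bin=$(command -v clevis) || return
    dir=$(dirname -- "$bin")
    cur=${COMP_WORDS[COMP_CWORD]}
    field=$((COMP_CWORD + 1))
    name=

    # … unchanged: the two [[ … == "clevis" ]] blocks that set name …

    [[ -n $name ]] || return
    suggestions=$(find "$dir" -name "$name" | cut -d '-' -f"$field" | sort -u)

    # … unchanged: COMPREPLY=($(compgen -W "$suggestions" -- "$cur")) …
}
```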

+ 8 - 0
src/bash/meson.build

@@ -0,0 +1,8 @@
+bashcomp = dependency('bash-completion', required: false)
+
+if bashcomp.found()
+  bashcompdir = bashcomp.get_pkgconfig_variable('completionsdir')
+  install_data('clevis', install_dir: bashcompdir)
+else
+  warning('Will not install bash completion due to missing dependencies!')
+endif

+ 4 - 0
src/clevis

@@ -35,6 +35,8 @@ while [ $# -gt 0 ]; do
 done
 
 echo >&2
+echo "Command '$cmd' is invalid" >&2
+echo >&2
 echo "Usage: clevis COMMAND [OPTIONS]" >&2
 echo >&2
 
@@ -53,3 +55,5 @@ for f in $0-*; do
 done
 
 echo >&2
+
+exit 1
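Review bot: The added `echo "Command '$cmd' is invalid" >&2` in the first hunk runs on every path that reaches the usage text, and `cmd` is assigned outside the hunk. If `cmd` is empty when `clevis` is run with no arguments, which is worth confirming, the user sees `Command '' is invalid` instead of plain usage. In that case guard the line: `[ -z "$cmd" ] || echo "Command '$cmd' is invalid" >&2`. The script body continues outside both hunks.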

+ 0 - 22
src/clevis-bind-luks

@@ -1,22 +0,0 @@
-#!/bin/bash -e
-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-#
-# Copyright (c) 2017 Red Hat, Inc.
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-[ $# -eq 1 -a "$1" == "--summary" ] && exit 1
-exec ${0%%/clevis-bind-luks}/clevis-luks-bind "$@"

+ 1 - 1
src/clevis-decrypt

@@ -45,7 +45,7 @@ if ! [ -t 0 ]; then
         exit 1
     fi
 
-    exec "$cmd" < <(echo -n "$hdr."; cat)
+    exec "$cmd" < <(echo -n "$hdr."; /bin/cat)
 fi
 
 echo >&2
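Review bot: The switch to `/bin/cat` inside the process substitution has no comment saying why the `PATH` lookup is avoided, and it changes the failure mode. Bash does not propagate the exit status of `<( … )`, so on a system without `/bin/cat` the `exec "$cmd"` still runs and reads only the header followed by EOF. I would record the reason next to the line, e.g. `# absolute path on purpose: <reason>; a missing /bin/cat is not detected here`, and add `[ -x /bin/cat ] || exit 1` before the `exec` if that case matters. The enclosing `if ! [ -t 0 ]` block starts outside the hunk.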

+ 0 - 69
src/clevis-decrypt-http

@@ -1,69 +0,0 @@
-#!/bin/bash -e
-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-#
-# Copyright (c) 2017 Red Hat, Inc.
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-[ $# -eq 1 -a "$1" == "--summary" ] && exit 1
-
-if [ -t 0 ]; then
-    echo >&2
-    echo "Usage: clevis decrypt http < JWE > PLAINTEXT" >&2
-    echo >&2
-    exit 1
-fi
-
-read -d . hdr
-
-if [ "`jose fmt -q "$hdr" -SyOg clevis -g pin -u-`" != "http" ]; then
-    echo "JWE pin mismatch!" >&2
-    exit 1
-fi
-
-if ! url=`jose fmt -q "$hdr" -SyOg clevis -g http -g url -u-`; then
-    echo "JWE missing 'clevis.http.url' header parameter!" >&2
-    exit 1
-fi
-
-if ! typ=`jose fmt -q "$hdr" -SyOg clevis -g http -g type -u-`; then
-    echo "JWE missing 'clevis.http.url' header parameter!" >&2
-    exit 1
-fi
-
-if ! rep=`curl -sfg -H "Accept: $typ" "$url"`; then
-    echo "Key transfer failed!" >&2
-    exit 1
-fi
-
-case $typ in
-application/jwk+json)
-    if ! rep=`curl -sfg -H "Accept: $typ" "$url" \
-            | jose fmt -j- -Og kty -q oct -EUUo-`; then
-        echo "Key transfer failed!" >&2
-        exit 1
-    fi
-    ;;
-application/octet-stream)
-    if ! key=`curl -sfg -H "Accept: $typ" "$url" | jose b64 enc -I-`; then
-        echo "Key transfer failed!" >&2
-        exit 1
-    fi
-    jwk="{\"kty\":\"oct\",\"k\":\"$key\"}"
-    ;;
-esac
-
-exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)

+ 21 - 0
src/clevis-decrypt.1.adoc

@@ -0,0 +1,21 @@
+CLEVIS-DECRYPT(1)
+=================
+:doctype: manpage
+
+== NAME
+
+clevis-decrypt - Decrypts using the policy defined at encryption time
+
+== SYNOPSIS
+
+*clevis decrypt* CONFIG < JWE > PT
+
+== OVERVIEW
+
+The *clevis decrypt* command decrypts data using the policy defined at
+encryption time. The specific decryption pin is inferred during decryption.
+There are no parameters.
+
+== SEE ALSO
+
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

+ 0 - 107
src/clevis-encrypt-http

@@ -1,107 +0,0 @@
-#!/bin/bash -e
-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-#
-# Copyright (c) 2017 Red Hat, Inc.
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-SUMMARY="Encrypts using a REST HTTP escrow server policy"
-
-function http() {
-    curl -sfg -X "$1" -H "Content-Type: $2" --data-binary @- "$3"
-}
-
-if [ "$1" == "--summary" ]; then
-    echo "$SUMMARY"
-    exit 0
-fi
-
-if [ -t 0 ]; then
-    echo >&2
-    echo "Usage: clevis encrypt http CONFIG < PLAINTEXT > JWE" >&2
-    echo >&2
-    echo "$SUMMARY" >&2
-    echo >&2
-    echo "This command uses the following configuration properties:" >&2
-    echo >&2
-    echo "     url: <string>   The URL where the key is stored (REQUIRED)" >&2
-    echo >&2
-    echo "    http: <boolean>  Allow or disallow non-TLS HTTP (default: false)" >&2
-    echo >&2
-    echo "    type: <string>   The type of key to store (default: octet-stream)" >&2
-    echo >&2
-    echo "  method: <string>   The HTTP method to use (default: PUT)" >&2
-    echo >&2
-    exit 1
-fi
-
-if ! cfg=`jose fmt -j "$1" -Oo- 2>/dev/null`; then
-    echo "Configuration is malformed!" >&2
-    exit 1
-fi
-
-if ! url=`jose fmt -j "$cfg" -g url -u-`; then
-    echo "Configuration is missing required 'url' property!" >&2
-    exit 1
-fi
-
-case $url in
-http:*)
-    if ! jose fmt -j "$cfg" -g http -T; then
-        echo "HTTP is not allowed (see 'http' config property)!" >&2
-        exit 1
-    fi ;;
-https:*) ;;
-*) echo "URL '$url' not supported!" >&2; exit 1;;
-esac
-
-typ=`jose fmt -j "$cfg" -Og type -u-` || typ="octet-stream"
-case $typ in
-jwk+json) typ="application/jwk+json" ;;
-octet-stream) typ="application/octet-stream" ;;
-application/jwk+json) ;;
-application/octet-stream) ;;
-*) echo "Type '$typ' not supported!" >&2; exit 1;;
-esac
-
-mth=`jose fmt -j "$cfg" -Og method -u-` || mth=PUT
-case $mth in
-PUT) ;;
-POST) ;;
-*) echo "Method '$mth' not supported!" >&2; exit 1;;
-esac
-
-jwk=`jose jwk gen -i '{"alg":"A256GCM"}'`
-jwe='{"protected":{"clevis":{"pin":"http","http":{}}}}'
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g http -q "$url" -s url  -UUUUo-`
-jwe=`jose fmt -j "$jwe" -g protected -g clevis -g http -q "$typ" -s type -UUUUo-`
-
-case $typ in
-application/jwk+json)
-    if ! http "$mth" "$typ" "$url" <<< "$jwk"; then
-        echo "Key transfer failed!" >&2
-        exit 1
-    fi
-    ;;
-application/octet-stream)
-    if ! jose fmt -j- -g k -u- <<< "$jwk" | jose b64 dec -i- | http "$mth" "$typ" "$url"; then
-        echo "Key transfer failed!" >&2
-        exit 1
-    fi
-    ;;
-esac
-
-exec jose jwe enc -i "$jwe" -k- -I- -c < <(echo -n "$jwk"; cat)

+ 144 - 0
src/clevis.1.adoc

@@ -0,0 +1,144 @@
+CLEVIS(1)
+=========
+:doctype: manpage
+
+== NAME
+
+clevis - Automated decryption policy framework
+
+== SYNOPSIS
+
+*clevis* COMMAND [OPTIONS]
+
+== OVERVIEW
+
+Clevis is a framework for automated decryption policy. It allows you to define
+a policy at encryption time that must be satisfied for the data to decrypt.
+Once this policy is met, the data is decrypted.
+
+Clevis is pluggable. Our plugins are called pins. The job of a pin is to
+take a policy as its first argument and plaintext on standard input and to
+encrypt the data so that it can be automatically decrypted if the policy is
+met. Lets walk through an example.
+
+== HTTP ESCROW
+
+When using the HTTP pin, we create a new, cryptographically-strong, random key.
+This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
+Then at decryption time, we attempt to fetch the key back again in order to
+decrypt our data. So, for our configuration we need to pass the URL to the key
+location:
+
+    $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
+
+To decrypt the data, simply provide the ciphertext (JWE):
+
+    $ clevis decrypt < JWE > PLAINTEXT
+
+Notice that we did not pass any configuration during decryption. The decrypt
+command extracted the URL (and possibly other configuration) from the JWE
+object, fetched the encryption key from the escrow and performed decryption.
+
+For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
+
+== TANG BINDING
+
+Clevis provides support for the Tang network binding server. Tang provides
+a stateless, lightweight alternative to escrows. Encrypting data using the Tang
+pin works much like our HTTP pin above:
+
+    $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
+    The advertisement contains the following signing keys:
+
+    _OsIk0T-E2l6qjfdDiwVmidoZjA
+
+    Do you wish to trust these keys? [ynYN] y
+
+As you can see above, Tang utilizes a trust-on-first-use workflow.
+Alternatively, Tang can perform entirely offline encryption if you pre-share
+the server advertisement. Decryption, too works like our first example:
+
+    $ clevis decrypt < JWE > PT
+
+For more information, see link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)].
+
+== TPM2 BINDING
+
+Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
+chip. The cryptographically-strong, random key used for encryption is encrypted
+using the TPM2 chip, and then at decryption time is decrypted using the TPM2 to
+allow clevis to decrypt the secret stored in the JWE.
+
+Encrypting data using the tpm2 pin works the same than the pins mentioned above:
+
+    $ clevis encrypt tpm2 '{}' < PT > JWE
+
+The pin has reasonable defaults for its configuration, but a different hierarchy,
+hash, and key algorithms can be chosen if the defaults used are not suitable.
+
+Decryption also works similar to other pins, only the JWE needs to be provided:
+
+    $ clevis decrypt < JWE > PT
+
+Note that like other pins no configuration is used for decryption, this is due
+clevis storing the public and private keys to unseal the TPM2 encrypted object
+in the JWE so clevis can fetch that information from there.
+
+For more information see link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)].
+
+== SHAMIR'S SECRET SHARING
+
+Clevis provides a way to mix pins together to create sophisticated unlocking
+and high availability policies. This is accomplished by using an algorithm
+called Shamir's Secret Sharing (SSS).
+
+SSS is a thresholding scheme. It creates a key and divides it into a number of
+pieces. Each piece is encrypted using another pin (possibly even SSS
+recursively). Additionally, you define the threshold *t*. If at least *t*
+pieces can be decrypted, then the encryption key can be recovered and
+decryption can succeed.
+
+For example, let's create a high-availability setup using Tang:
+
+    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
+    $ clevis encrypt sss "$cfg" < PT > JWE
+
+In this policy, we are declaring that we have a threshold of 1, but that there
+are multiple key fragments encrypted using different Tang servers. Since our
+threshold is 1, so long as any of the Tang servers are available, decryption
+will succeed. As always, decryption is simply:
+
+    $ clevis decrypt < JWE > PT
+
+For more information, see link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)].
+
+== LUKS BINDING
+
+Clevis can be used to bind an existing LUKS volume to its automation policy.
+This is accomplished with a simple command:
+
+    $ clevis luks bind -d /dev/sda tang '{"url":...}'
+
+This command performs four steps:
+
+1. Creates a new key with the same entropy as the LUKS master key.
+2. Encrypts the new key with Clevis.
+3. Stores the Clevis JWE in the LUKS header with LUKSMeta.
+4. Enables the new key for use with LUKS.
+
+This disk can now be unlocked with your existing password as well as with
+the Clevis policy. Clevis provides two unlockers for LUKS volumes. First,
+we provide integration with Dracut to automatically unlock your root volume
+during early boot. Second, we provide integration with UDisks2 to
+automatically unlock your removable media in your desktop session.
+
+For more information, see link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)].
+
+== SEE ALSO
+
+link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)],
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

+ 0 - 10
src/dracut/Makefile.am

@@ -1,10 +0,0 @@
-dracutdir = @dracutmodulesdir@/60$(PACKAGE_NAME)
-nodist_dracut_SCRIPTS = clevis-hook.sh module-setup.sh
-EXTRA_DIST=clevis-hook.sh.in module-setup.sh.in
-CLEANFILES=clevis-hook.sh module-setup.sh
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@

+ 0 - 514
src/dracut/Makefile.in

@@ -1,514 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-subdir = src/dracut
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(dracutdir)"
-SCRIPTS = $(nodist_dracut_SCRIPTS)
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-SOURCES =
-DIST_SOURCES =
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__DIST_COMMON = $(srcdir)/Makefile.in
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-dracutdir = @dracutmodulesdir@/60$(PACKAGE_NAME)
-nodist_dracut_SCRIPTS = clevis-hook.sh module-setup.sh
-EXTRA_DIST = clevis-hook.sh.in module-setup.sh.in
-CLEANFILES = clevis-hook.sh module-setup.sh
-all: all-am
-
-.SUFFIXES:
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/dracut/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign src/dracut/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-nodist_dracutSCRIPTS: $(nodist_dracut_SCRIPTS)
-	@$(NORMAL_INSTALL)
-	@list='$(nodist_dracut_SCRIPTS)'; test -n "$(dracutdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(dracutdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(dracutdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n' \
-	    -e 'h;s|.*|.|' \
-	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
-	      if (++n[d] == $(am__install_max)) { \
-		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
-	    else { print "f", d "/" $$4, $$1 } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	     test -z "$$files" || { \
-	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(dracutdir)$$dir'"; \
-	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(dracutdir)$$dir" || exit $$?; \
-	     } \
-	; done
-
-uninstall-nodist_dracutSCRIPTS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(nodist_dracut_SCRIPTS)'; test -n "$(dracutdir)" || exit 0; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	       sed -e 's,.*/,,;$(transform)'`; \
-	dir='$(DESTDIR)$(dracutdir)'; $(am__uninstall_files_from_dir)
-tags TAGS:
-
-ctags CTAGS:
-
-cscope cscopelist:
-
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(SCRIPTS)
-installdirs:
-	for dir in "$(DESTDIR)$(dracutdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic mostlyclean-am
-
-distclean: distclean-am
-	-rm -f Makefile
-distclean-am: clean-am distclean-generic
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-nodist_dracutSCRIPTS
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-generic
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-nodist_dracutSCRIPTS
-
-.MAKE: install-am install-strip
-
-.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
-	ctags-am distclean distclean-generic distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-nodist_dracutSCRIPTS \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \
-	uninstall-am uninstall-nodist_dracutSCRIPTS
-
-.PRECIOUS: Makefile
-
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

+ 53 - 40
src/clevis-luks-bind

@@ -19,20 +19,9 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-SUMMARY="Binds a LUKSv1 device using the specified policy"
+SUMMARY="Binds a LUKS device using the specified policy"
 UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 
-function onerr() {
-    if [ -n "$DEV" -a -n "$SLT" ]; then
-        luksmeta wipe -f -d "$DEV" -u "$UUID" -s "$SLT"
-        SLT=
-    fi
-    stty echo
-    exit 1
-}
-
-trap 'onerr' ERR HUP INT QUIT PIPE TERM
-
 function usage() {
     echo >&2
     echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG" >&2
@@ -43,7 +32,7 @@ function usage() {
     echo >&2
     echo "  -d DEV  The LUKS device on which to perform binding" >&2
     echo >&2
-    echo "  -s SLT  The LUKSMeta slot to use for metadata storage" >&2
+    echo "  -s SLT  The LUKS slot to use" >&2
     echo >&2
     echo "  -k KEY  Non-interactively read LUKS password from KEY file" >&2
     echo "  -k -    Non-interactively read LUKS password from standard input" >&2
@@ -59,7 +48,7 @@ fi
 while getopts ":hfd:s:k:" o; do
     case "$o" in
     f) FRC=-f;;
-    d) DEV=$OPTARG;;
+    d) export DEV=$OPTARG;;
     s) SLT=$OPTARG;;
     k) KEY=$OPTARG;;
     *) usage;;
@@ -71,6 +60,11 @@ if [ -z "$DEV" ]; then
     usage
 fi
 
+if ! cryptsetup isLuks "$DEV"; then
+    echo "$DEV is not a LUKS device!" >&2
+    exit 1
+fi
+
 if ! PIN=${@:$((OPTIND++)):1} || [ -z "$PIN" ]; then
     echo "Did not specify a pin!" >&2
     usage
@@ -83,9 +77,11 @@ fi
 
 if [ -n "$KEY" ]; then
     if [ "$KEY" == "-" ]; then
-        if ! luksmeta test -d $DEV && [ -z "$FRC" ]; then
-            echo "Cannot use '-k-' without '-f' unless already initialized!" >&2
-            usage
+        if cryptsetup isLuks --type luks1 "$DEV"; then
+            if ! luksmeta test -d $DEV && [ -z "$FRC" ]; then
+                echo "Cannot use '-k-' without '-f' unless already initialized!" >&2
+                usage
+            fi
         fi
     elif ! [ -f "$KEY" ]; then
         echo "Key file '$KEY' not found!" >&2
@@ -95,38 +91,55 @@ fi
 
 # Generate a key with the same entropy as the LUKS Master Key
 dump=`cryptsetup luksDump $DEV`
-bits=`sed -r -n 's|MK bits:[ \t]*([0-9]+)|\1|p' <<< "$dump"`
-key=`pwmake $bits`
+if cryptsetup isLuks --type luks1 "$DEV"; then
+    filt=`sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p' <<< "$dump"`
+else
+    filt=`sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p' <<< "$dump"`
+fi
+bits=`sort -n <<<"$filt" | tail -n 1`
+export key=`pwmake $bits`
 
 # Encrypt the new key
 jwe=`echo -n "$key" | clevis encrypt "$PIN" "$CFG"`
 
 # If necessary, initialize the LUKS volume
-if ! luksmeta test -d $DEV; then
-    luksmeta init -d $DEV $FRC
+if cryptsetup isLuks --type luks1 "$DEV" && ! luksmeta test -d "$DEV"; then
+    luksmeta init -d "$DEV" $FRC
 fi
 
-# Write the JWE into the specified slot. Or, if no slot is given, ...
+# Get the old key
+case "$KEY" in
+"") read -s -p "Enter existing LUKS password: " old; echo;;
+ -) old=`/bin/cat`;;
+ *) old=`/bin/cat "$KEY"`;;
+esac
+
+# Add the new key
 if [ -n "$SLT" ]; then
-    if ! echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" -s $SLT 2>/dev/null; then
-        echo "Error while saving Clevis metadata in LUKS header!" >&2
-        false
+    if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
+        echo "Error while adding new key to LUKS header!" >&2
+        exit 1
     fi
-
-# ... write the JWE to the first slot unused by both LUKS and LUKSMeta
-elif ! SLT=`echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" 2>/dev/null`; then
-    echo "Error while saving Clevis metadata in LUKS header!" >&2
-    false
+elif ! SLT=`echo -e "$old\n$key" \
+        | cryptsetup luksAddKey -v $DEV \
+        | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
+    echo "Error while adding new key to LUKS header!" >&2
+    exit 1
 fi
 
-export DEV
-export SLT
-
-# Add the new key to the LUKS slot that matches the LUKSMeta slot
-case "$KEY" in
-"") read -s -p "Enter existing LUKS password: " old; echo;;
- -) old=`cat`;;
- *) old=`cat "$KEY"`;;
-esac
+if cryptsetup isLuks --type luks1 "$DEV"; then
+    if ! echo -n $jwe | luksmeta save -d "$DEV" -u "$UUID" -s $SLT 2>/dev/null; then
+        echo "Error while saving Clevis metadata in LUKSMeta!" >&2
+        cryptsetup luksRemoveKey "$DEV" <<<"$key"
+        exit 1
+    fi
+else
+    jwe=`jose jwe fmt -i- <<<"$jwe"` # Convert to JSON Serialization
+    tok="{\"type\":\"clevis\",\"keyslots\":[\"$SLT\"],\"jwe\":$jwe}"
 
-echo -e "$old\n$key" | cryptsetup luksAddKey -S $SLT $DEV
+    if ! cryptsetup token import "$DEV" <<<"$tok" ; then
+        echo "Error while saving Clevis metadata as a LUKS token!" >&2
+        cryptsetup luksRemoveKey "$DEV" <<<"$key"
+        exit 1
+    fi
+fi
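Review bot: In the branch without `-s`, the `elif ! SLT=...` test sees the exit status of the trailing `sed`, not of `cryptsetup luksAddKey -v $DEV`, so a failed key addition leaves `SLT` empty and the script carries on into the metadata step with no slot number. A check after that `fi`, such as `[ -n "$SLT" ] || { echo "Error while adding new key to LUKS header!" >&2; exit 1; }`, closes the gap. Separately, the `export key=` assignment from `pwmake $bits` puts the new LUKS passphrase into the environment of every child process (`clevis encrypt`, `jose`, `luksmeta`, `cryptsetup`); nothing in the visible hunks reads it from the environment, so a plain `key=` assignment looks sufficient. `echo -e "$old\n$key"` also interprets backslash sequences inside the existing password, whereas `printf '%s\n%s\n' "$old" "$key"` passes it through unchanged.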

+ 67 - 0
src/luks/clevis-luks-bind.1.adoc

@@ -0,0 +1,67 @@
+CLEVIS-LUKS-BIND(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-bind - Bind a LUKSv1 device using the specified policy
+
+== SYNOPSIS
+
+*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
+
+== OVERVIEW
+
+The *clevis luks bind* command binds a LUKSv1 device using the specified
+policy. This is accomplished with a simple command:
+
+    $ clevis luks bind -d /dev/sda tang '{"url":...}'
+
+This command performs four steps:
+
+1. Creates a new key with the same entropy as the LUKS master key.
+2. Encrypts the new key with Clevis.
+3. Stores the Clevis JWE in the LUKS header with LUKSMeta.
+4. Enables the new key for use with LUKS.
+
+This disk can now be unlocked with your existing password as well as with
+the Clevis policy. You will additionally need to enable one or more of the
+Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)].
+
+== OPTIONS
+
+* *-f* :
+  Do not prompt for LUKSMeta initialization
+
+* *-d* _DEV_ :
+  The LUKS device on which to perform binding
+
+* *-s* _SLT_ :
+  The LUKSMeta slot to use for metadata storage
+
+* *-k* _KEY_ :
+  Non-interactively read LUKS password from KEY file
+
+* *-k* - :
+  Non-interactively read LUKS password from standard input
+
+== CAVEATS
+
+This command does not change the LUKS master key. This implies that if you
+create a LUKS-encrypted image for use in a Virtual Machine or Cloud
+environment, all the instances that run this image will share a master key.
+This is extremely dangerous and should be avoided at all cost.
+
+This is not a limitation of Clevis but a design principle of LUKS. If you wish
+to have encrypted root volumes in the cloud, you will need to make sure that
+you perform the OS install method for each instance in the cloud as well.
+The images cannot be shared without also sharing a master key.
+
+== SEE ALSO
+
+link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
+link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

+ 43 - 25
src/clevis-luks-unbind

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-SUMMARY="Unbinds a pin bound to a LUKSv1 volume"
+SUMMARY="Unbinds a pin bound to a LUKS volume"
 UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 
 function usage() {
@@ -29,7 +29,7 @@ function usage() {
     echo >&2
     echo "  -d DEV  The bound LUKS device" >&2
     echo >&2
-    echo "  -s SLOT The LUKSMeta slot number for the pin unbind" >&2
+    echo "  -s SLOT The LUKS slot number for the pin unbind" >&2
     echo >&2
     echo "  -f      Do not ask for confirmation and wipe slot in batch-mode" >&2
     echo >&2
@@ -60,35 +60,53 @@ if [ -z "$SLT" ]; then
     usage
 fi
 
-if ! luksmeta test -d $DEV 2>/dev/null; then
-    echo "The $DEV device is not valid!" >&2
+if cryptsetup isLuks --type luks1 "$DEV"; then
+    if ! luksmeta test -d $DEV 2>/dev/null; then
+        echo "The $DEV device does not contain a LUKSMeta header!" >&2
+        exit 1
+    fi
+
+    read -r slot active uuid <<< $(luksmeta show -d "$DEV" | grep "^$SLT *")
+
+    if [ "$uuid" == "empty" ]; then
+        echo "The LUKSMeta slot $SLT on device $DEV is already empty." >&2
+        exit 1
+    fi
+
+    [ "$active" == "active" ] && KILL=true
+
+elif cryptsetup isLuks --type luks2 "$DEV"; then
+    dump=`cryptsetup luksDump "$DEV"`
+    grep -q "^\s*$SLT: luks2" <<<"$dump" && KILL=true
+    TOK=`grep -E -B1 "^\s+Keyslot:\s+$SLT$" <<<"$dump" \
+        | sed -rn 's|^\s+([0-9]+): clevis|\1|p'`
+
+else
+    echo "$DEV is not a supported LUKS device!" >&2
     exit 1
 fi
 
-read -r slot active uuid <<< $(luksmeta show -d "$DEV" | grep "^$SLT *")
-
-if [ "$uuid" = "empty" ]; then
-   echo "The LUKSMeta slot $SLT on device $DEV is already empty." >&2
-   exit 1
+if [ -z "$FRC" ]; then
+    echo "The unbind operation will wipe a slot. This operation is unrecoverable." >&2
+    read -r -p "Do you wish to erase LUKS slot $SLT on $DEV? [ynYN] " ans < /dev/tty
+    [[ "$ans" =~ ^[yY]$ ]] || exit 0
 fi
 
-if [ "$active" = "active" ]; then
+if [ -n "$KILL" ]; then
     if ! cryptsetup luksKillSlot "$DEV" "$SLT" $FRC; then
-	echo "LUKSv1 slot $SLT for device $DEV couldn't be deleted"
-	exit 1
+        echo "LUKS slot $SLT for device $DEV couldn't be deleted"
+        exit 1
     fi
-else
-   echo "LUKSv1 slot $SLT not present on $DEV, only LUKSMeta slot will be cleared." >&2
-   if [ -z "$FRC" ]; then
-       echo "The unbind operation will wipe a slot. This operation is unrecoverable." >&2
-       read -r -p "Do you wish to erase LUKSMeta slot $SLT on $DEV? [ynYN] " ans < /dev/tty
-       [[ "$ans" =~ ^[yY]$ ]] || exit 0
-   fi
 fi
 
-if ! luksmeta wipe -f -d "$DEV" -u "$UUID" -s "$SLT"; then
-    echo "LUKSMeta slot $SLT for device $DEV couldn't be deleted"
-    exit 1
-fi
-
-exit 0
+if cryptsetup isLuks --type luks1 "$DEV"; then
+    if ! luksmeta wipe -f -d "$DEV" -u "$UUID" -s "$SLT"; then
+        echo "LUKSMeta slot $SLT for device $DEV couldn't be deleted"
+        exit 1
+    fi
+elif cryptsetup isLuks --type luks2 "$DEV" && [ -n "$TOK" ]; then
+    if ! cryptsetup token remove --token-id "$TOK" "$DEV"; then
+        echo "Error while removing token $TOK from LUKS device $DEV!" >&2
+        exit 1
+    fi
+fi
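Review bot: `$SLT` is interpolated into three patterns (`grep "^$SLT *"`, `grep -q "^\s*$SLT: luks2"`, `grep -E -B1 "^\s+Keyslot:\s+$SLT$"`) without a check that it is a decimal number, unless the option parsing outside these hunks already enforces that. A non-numeric value can match other slots, and on LUKS2 the token id taken from that match is what `cryptsetup token remove --token-id "$TOK"` later deletes. A guard such as `[[ "$SLT" =~ ^[0-9]+$ ]] || usage` before the first `cryptsetup isLuks` test keeps the match to the requested slot. `TOK` can also end up holding several ids when more than one clevis token references the slot; the removal should loop over them or stop with an error instead of passing a multi-line value.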

+ 34 - 0
src/luks/clevis-luks-unbind.1.adoc

@@ -0,0 +1,34 @@
+CLEVIS-LUKS-UNBIND(1)
+=====================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-unbind - Unbinds a pin bound to a LUKSv1 volume
+
+== SYNOPSIS
+
+*clevis luks unbind* -d DEV -s SLT
+
+== OVERVIEW
+
+The *clevis luks unbind* command unbinds a pin bound to a LUKSv1 volume.
+For example:
+
+    $ clevis luks unbind -d /dev/sda -s 1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+  The bound LUKS device
+
+* *-s* _SLT_ :
+  The LUKSMeta slot number for the pin to unbind
+
+* *-f* :
+  Do not ask for confirmation and wipe slot in batch-mode
+
+== SEE ALSO
+
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]

+ 22 - 9
src/clevis-luks-unlock

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-SUMMARY="Unlocks a LUKSv1 volume"
+SUMMARY="Unlocks a LUKS volume"
 UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 
 function usage() {
@@ -54,14 +54,27 @@ fi
 
 NAME=${NAME:-luks-`cryptsetup luksUUID $DEV`}
 
-while read -r slot state uuid; do
-    [ "$state" != "active" ] && continue
-    [ "$uuid" != "$UUID" ] && continue
+if cryptsetup isLuks --type luks1 "$DEV"; then
+    while read -r slot state uuid; do
+        [ "$state" != "active" ] && continue
+        [ "$uuid" != "$UUID" ] && continue
 
-    if pt="`luksmeta load -d $DEV -s $slot -u $UUID | clevis decrypt`"; then
-        echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"
-        exit 0
-    fi
-done <<< $(luksmeta show -d "$DEV")
+        if pt=`luksmeta load -d $DEV -s $slot -u $UUID | clevis decrypt`; then
+            echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"
+            exit 0
+        fi
+    done <<< "$(luksmeta show -d "$DEV")"
+
+elif cryptsetup isLuks --type luks2 "$DEV"; then
+    for id in `cryptsetup luksDump "$DEV" | sed -rn 's|^\s+([0-9]+): clevis|\1|p'`; do
+        tok=`cryptsetup token export --token-id "$id" "$DEV"`
+        jwe=`jose fmt -j- -Og jwe -o- <<<"$tok" | jose jwe fmt -i- -c`
+
+        if pt=`echo -n "$jwe" | clevis decrypt`; then
+            echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"
+            exit 0
+        fi
+    done
+fi
 
 exit 1
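Review bot: Both the LUKS1 and the LUKS2 branch run `exit 0` right after `echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"` without looking at its status, so the command reports success even when the recovered key does not open the volume, and the remaining slots or tokens are never tried. Writing both places as `if echo -n "$pt" | cryptsetup open -d- "$DEV" "$NAME"; then exit 0; fi` lets the loop continue to the next binding and leaves the final `exit 1` to report the failure. The LUKS1 line `luksmeta load -d $DEV -s $slot -u $UUID` also still expands `$DEV` unquoted, while the new code around it quotes it; `"$DEV"` there would be consistent.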

+ 31 - 0
src/luks/clevis-luks-unlock.1.adoc

@@ -0,0 +1,31 @@
+CLEVIS-LUKS-UNLOCK(1)
+=====================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-unlock - Unlocks a LUKSv1 device bound with a Clevis policy
+
+== SYNOPSIS
+
+*clevis luks unlock* -d DEV [-n NAME]
+
+== OVERVIEW
+
+The *clevis luks unlock* command unlocks a LUKSv1 device using its already
+provisioned Clevis policy. For example:
+
+    $ clevis luks unlock -d /dev/sda
+
+== OPTIONS
+
+* *-d* _DEV_ :
+  The LUKS device to unlock
+
+* *-n* _NAME_ :
+  The name to give the unlocked device node
+
+== SEE ALSO
+
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]

+ 64 - 0
src/luks/clevis-luks-unlockers.7.adoc

@@ -0,0 +1,64 @@
+CLEVIS-LUKS-UNLOCKERS(7)
+========================
+:doctype: manpage
+
+== NAME
+
+clevis-luks-unlockers - Overview of clevis luks unlockers
+
+== OVERVIEW
+
+Clevis provides unlockers for LUKS volumes which can use LUKS policy:
+
+  * clevis-luks-unlock - Unlocks manually using the command line.
+  * dracut - Unlocks automatically during early boot.
+  * systemd - Unlocks automatically during late boot.
+  * udisks2 - Unlocks automatically in a GNOME desktop session.
+
+Once a LUKS volume is bound using *clevis luks bind*, it can be unlocked using
+any of the above unlockers without using a password.
+
+== MANUAL UNLOCKING
+
+You can unlock a LUKS volume manually using the following command:
+
+    $ sudo clevis luks unlock -d /dev/sda
+
+For more information, see link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)].
+
+== EARLY BOOT UNLOCKING
+
+If Clevis integration does not already ship in your initramfs, you may need to
+rebuild your initramfs with this command:
+
+    $ sudo dracut -f
+
+Once Clevis is integrated into your initramfs, a simple reboot should unlock
+your root volume. Note, however, that early boot integration only works for the
+root volume. Non-root volumes should use the late boot unlocker.
+
+Dracut will bring up your network using DHCP by default. If you need to specify
+additional network parameters, such as static IP configuration, please consult
+the dracut documentation.
+
+== LATE BOOT UNLOCKING
+
+You can enable late boot unlocking by executing the following command:
+
+    $ sudo systemctl enable clevis-luks-askpass.path
+
+After a reboot, Clevis will attempt to unlock all *_netdev* devices listed in
+*/etc/crypttab* when systemd prompts for their passwords. This implies that
+systemd support for *_netdev* is required.
+
+== DESKTOP UNLOCKING
+
+When the udisks2 unlocker is installed, your GNOME desktop session should
+unlock LUKS removable devices configured with Clevis automatically. You may
+need to restart your desktop session after installation for the unlocker to be
+loaded.
+
+== SEE ALSO
+
+link:clevis-luks-unlock.1.adoc[*clevis-luks-unlock*(1)]
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)]

+ 21 - 0
src/luks/meson.build

@@ -0,0 +1,21 @@
+libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
+luksmeta = dependency('luksmeta', version: '>=8', required: false)
+pwmake = find_program('pwmake', required: false)
+
+if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+  subdir('systemd')
+  subdir('udisks2')
+
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-unbind')
+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-unbind.1')
+
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-unlock')
+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlock.1')
+
+  bins += join_paths(meson.current_source_dir(), 'clevis-luks-bind')
+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-bind.1')
+
+  mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7')
+else
+  warning('Will not install LUKS support due to missing dependencies!')
+endif

+ 31 - 14
src/systemd/clevis-luks-askpass

@@ -23,16 +23,18 @@ UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
 
 shopt -s nullglob
 
-while getopts ":l" o; do
+path=/run/systemd/ask-password
+while getopts ":lp:" o; do
     case "$o" in
     l) loop=true;;
+    p) path=$OPTARG;;
     esac
 done
 
 while true; do
     todo=0
 
-    for question in /run/systemd/ask-password/ask.*; do
+    for question in $path/ask.*; do
         metadata=false
         unlocked=false
         d=
@@ -47,20 +49,35 @@ while true; do
 
         [ -z "$d" -o -z "$s" ] && continue
 
-        # If the device is not initialized, sliently skip it.
-        luksmeta test -d "$d" || continue
+        if cryptsetup isLuks --type luks1 "$d"; then
+            # If the device is not initialized, sliently skip it.
+            luksmeta test -d "$d" || continue
 
-        while read -r slot state uuid; do
-            [ "$state" != "active" ] && continue
-            [ "$uuid" != "$UUID" ] && continue
-            metadata=true
+            while read -r slot state uuid; do
+                [ "$state" != "active" ] && continue
+                [ "$uuid" != "$UUID" ] && continue
+                metadata=true
 
-            if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
-                echo -n "+$pt" | nc -U -u --send-only "$s"
-                unlocked=true
-                break
-            fi
-        done < <(luksmeta show -d "$d")
+                if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
+                    echo -n "+$pt" | nc -U -u --send-only "$s"
+                    unlocked=true
+                    break
+                fi
+            done < <(luksmeta show -d "$d")
+        elif cryptsetup isLuks --type luks2 "$d"; then
+            ids=`cryptsetup luksDump "$d" | sed -rn 's|^\s+([0-9]+): clevis|\1|p'`
+            for id in $ids; do
+                tok=`cryptsetup token export --token-id "$id" "$d"`
+                jwe=`jose fmt -j- -Og jwe -o- <<<"$tok" | jose jwe fmt -i- -c`
+                metadata=true
+
+                if pt=`echo -n "$jwe" | clevis decrypt`; then
+                    echo -n "+$pt" | nc -U -u --send-only "$s"
+                    unlocked=true
+                    break
+                fi
+            done
+        fi
 
         [ $metadata == true ] || continue
         [ $unlocked == true ] && continue
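Review bot: `for question in $path/ask.*` expands the new `-p` value unquoted, so a directory name containing whitespace or glob characters is split or expanded; `for question in "$path"/ask.*; do` keeps it a single path. The recovered passphrase is sent to the socket `$s` with `nc -U -u --send-only "$s"`, and `$s` appears to be read from the question file (that parsing lies between the two hunks and is not shown), so whatever directory is passed with `-p` has to be writable by root only. A comment next to `p) path=$OPTARG;;`, for example `# $path must be writable by root only: replies carry the LUKS passphrase`, would make that trust assumption explicit. The enclosing `while true` loop continues past the end of the hunk.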

src/systemd/clevis-luks-askpass.path → src/luks/systemd/clevis-luks-askpass.path


src/systemd/clevis-luks-askpass.service.in → src/luks/systemd/clevis-luks-askpass.service.in


src/dracut/clevis-hook.sh.in → src/luks/systemd/dracut/clevis-hook.sh.in


+ 21 - 0
src/luks/systemd/dracut/meson.build

@@ -0,0 +1,21 @@
+dracut = dependency('dracut', required: false)
+
+if dracut.found()
+  dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name()
+
+  configure_file(
+    input: 'module-setup.sh.in',
+    output: 'module-setup.sh',
+    install_dir: dracutdir,
+    configuration: data,
+  )
+
+  configure_file(
+    input: 'clevis-hook.sh.in',
+    output: 'clevis-hook.sh',
+    install_dir: dracutdir,
+    configuration: data,
+  )
+else
+  warning('Will not install dracut module due to missing dependencies!')
+endif

src/dracut/module-setup.sh.in → src/luks/systemd/dracut/module-setup.sh.in


+ 19 - 0
src/luks/systemd/meson.build

@@ -0,0 +1,19 @@
+systemd = dependency('systemd', required: false)
+
+if systemd.found()
+  subdir('dracut')
+
+  unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+
+  configure_file(
+    input: 'clevis-luks-askpass.service.in',
+    output: 'clevis-luks-askpass.service',
+    install_dir: unitdir,
+    configuration: data,
+  )
+
+  install_data('clevis-luks-askpass.path', install_dir: unitdir)
+  install_data('clevis-luks-askpass', install_dir: libexecdir)
+else
+  warning('Will not install systemd support due to missing dependencies!')
+endif

+ 105 - 34
src/udisks2/clevis-luks-udisks2.c

@@ -20,6 +20,7 @@
 #include <udisks/udisks.h>
 #include <glib-unix.h>
 #include <luksmeta.h>
+#include <jansson.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -40,6 +41,15 @@
 #define UERR ((uid_t) -1)
 #define GERR ((gid_t) -1)
 
+#define UUID_TMPL \
+    "%02hhx%02hhx%02hhx%02hhx-" \
+    "%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-" \
+    "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
+
+#define UUID_ARGS(u) \
+    u[0x0], u[0x1], u[0x2], u[0x3], u[0x4], u[0x5], u[0x6], u[0x7], \
+    u[0x8], u[0x9], u[0xa], u[0xb], u[0xc], u[0xd], u[0xe], u[0xf]
+
 typedef struct {
     ssize_t used;
     char data[MAX_UDP];
@@ -401,21 +411,55 @@ static const struct option lopts[] = {
 };
 
 static uid_t
-usr2uid(const char *usr) {
+usr2uid(const char *usr)
+{
     const struct passwd *tmp = getpwnam(usr);
     return tmp ? tmp->pw_uid : UERR;
 }
 
 static gid_t
-grp2gid(const char *grp) {
+grp2gid(const char *grp)
+{
     const struct group *tmp = getgrnam(grp);
     return tmp ? tmp->gr_gid : GERR;
 }
 
+static bool
+token_to_jwe(const char *json, pkt_t *pkt)
+{
+    json_auto_t *tokn = NULL;
+    const json_t *jwe = NULL;
+    const char *prt = NULL;
+    const char *key = NULL;
+    const char *tag = NULL;
+    const char *iv = NULL;
+    const char *ct = NULL;
+
+    tokn = json_loads(json, 0, NULL);
+    if (!tokn)
+        return false;
+
+    jwe = json_object_get(tokn, "jwe");
+    if (!jwe)
+        return false;
+
+    if (json_unpack((json_t *) jwe, "{s:s,s:s,s:s,s:s,s:s}",
+                    "protected", &prt, "encrypted_key", &key, "iv", &iv,
+                    "ciphertext", &ct, "tag", &tag) < 0)
+        return false;
+
+    pkt->used = snprintf(pkt->data, sizeof(pkt->data),
+                         "%s.%s.%s.%s.%s", prt, key, iv, ct, tag);
+    if (pkt->used < 0 || (size_t) pkt->used > sizeof(pkt->data))
+        return false;
+
+    pkt->used--; /* Remove null terminator. */
+    return true;
+}
+
 int
 main(int argc, char *const argv[])
 {
-    const int slotlen = crypt_keyslot_max(CRYPT_LUKS1);
     gid_t recg = grp2gid(CLEVIS_GROUP); /* Recovery group */
     uid_t recu = usr2uid(CLEVIS_USER);  /* Recovery user */
     gid_t unlg = getgid();              /* Unlock group */
@@ -519,46 +563,73 @@ main(int argc, char *const argv[])
 
     for (pkt_t req = {}, jwe = {}, key = {}; ; key = (pkt_t) {}) {
         struct crypt_device *cd = NULL;
-        luksmeta_uuid_t uuid = {};
-        int r = 0;
 
         /* Receive a request. Ensure that it is null terminated. */
         req.used = recv(pair[0], req.data, sizeof(req.data), 0);
         if (req.used < 1 || req.data[req.used - 1])
             break;
 
-        r = crypt_init(&cd, req.data);
-        if (r < 0)
-            goto next;
-
-        r = crypt_load(cd, CRYPT_LUKS1, NULL);
-        if (r < 0)
+        if (crypt_init(&cd, req.data) < 0)
             goto next;
 
-        for (uint8_t s = 0; s < slotlen && key.used <= 0; s++) {
-            fprintf(stderr, "%s\tSLOT\t%hhu\n", req.data, s);
-            switch (crypt_keyslot_status(cd, s)) {
-            case CRYPT_SLOT_ACTIVE:
-            case CRYPT_SLOT_ACTIVE_LAST:
-                break;
-            default:
-                continue;
+        if (crypt_load(cd, CRYPT_LUKS1, NULL) >= 0) {
+            const int slotlen = crypt_keyslot_max(CRYPT_LUKS1);
+            luksmeta_uuid_t uuid = {};
+
+            for (uint8_t s = 0; s < slotlen && key.used <= 0; s++) {
+                fprintf(stderr, "%s\tSLOT\t%hhu\n", req.data, s);
+                switch (crypt_keyslot_status(cd, s)) {
+                case CRYPT_SLOT_ACTIVE:
+                case CRYPT_SLOT_ACTIVE_LAST:
+                    break;
+                default:
+                    continue;
+                }
+
+                jwe.used = luksmeta_load(cd, s, uuid, jwe.data, sizeof(jwe.data));
+                fprintf(stderr, "%s\tMETA\t%s\n",
+                        req.data, strerror(jwe.used < 0 ? -jwe.used : 0));
+                if (jwe.used <= 0)
+                    continue;
+
+                fprintf(stderr, "%s\tUUID\t" UUID_TMPL "\n",
+                        req.data, UUID_ARGS(uuid));
+                if (memcmp(uuid, CLEVIS_LUKS_UUID, sizeof(uuid)) != 0)
+                    continue;
+
+                /* Recover the key from the JWE. */
+                key.used = recover_key(&jwe, key.data, sizeof(key.data), recu, recg);
+                fprintf(stderr, "%s\tRCVR\t%s (%zd)\n", req.data,
+                        strerror(key.used < 0 ? -key.used : 0), key.used);
+            }
+        } else if (crypt_load(cd, CRYPT_LUKS2, NULL) >= 0) {
+            for (int t = 0; key.used <= 0; t++) {
+                const char *json = NULL;
+                const char *type = NULL;
+                int r = 0;
+
+                r = crypt_token_status(cd, t, &type);
+                if (r == CRYPT_TOKEN_INVALID)
+                    break;
+                else if (r != CRYPT_TOKEN_EXTERNAL_UNKNOWN)
+                    continue;
+
+                fprintf(stderr, "%s\tTOKN\t%d\t%s\n", req.data, t, type);
+                if (strcmp(type, "clevis") != 0)
+                    continue;
+
+                r = crypt_token_json_get(cd, t, &json);
+                fprintf(stderr, "%s\tMETA\t%s\n",
+                        req.data, strerror(r < 0 ? -r : 0));
+
+                if (!token_to_jwe(json, &jwe))
+                    continue;
+
+                /* Recover the key from the JWE. */
+                key.used = recover_key(&jwe, key.data, sizeof(key.data), recu, recg);
+                fprintf(stderr, "%s\tRCVR\t%s (%zd)\n", req.data,
+                        strerror(key.used < 0 ? -key.used : 0), key.used);
             }
-
-            jwe.used = luksmeta_load(cd, s, uuid, jwe.data, sizeof(jwe.data));
-            if (jwe.used <= 0)
-                continue;
-
-            if (memcmp(uuid, CLEVIS_LUKS_UUID, sizeof(uuid)) != 0)
-                continue;
-
-            fprintf(stderr, "%s\tMETA\t%s\n", req.data,
-                    strerror(jwe.used < 0 ? -jwe.used : 0));
-
-            /* Recover the key from the JWE. */
-            key.used = recover_key(&jwe, key.data, sizeof(key.data), recu, recg);
-            fprintf(stderr, "%s\tRCVR\t%s (%zd)\n", req.data,
-                    strerror(key.used < 0 ? -key.used : 0), key.used);
         }
 
         if (key.used < 0)
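Review bot: In `token_to_jwe`, `snprintf` returns the length without the terminating NUL, so `pkt->used--` drops the last character of the tag from the recorded length, and the bound `(size_t) pkt->used > sizeof(pkt->data)` accepts a result of exactly `sizeof(pkt->data)` although that output was truncated. The LUKS1 path sets `jwe.used` from `luksmeta_load`, presumably the payload length, so the two paths likely differ by one byte when `recover_key` (not shown) consumes the packet. The check should read `if (pkt->used < 0 || (size_t) pkt->used >= sizeof(pkt->data)) return false;` with the decrement removed, once it is confirmed what `recover_key` expects. In the LUKS2 loop the result of `crypt_token_json_get` is only logged; `if (r < 0) continue;` before `token_to_jwe(json, &jwe)` avoids handing an unset `json` to the parser.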

src/udisks2/clevis-luks-udisks2.desktop.in → src/luks/udisks2/clevis-luks-udisks2.desktop.in


+ 19 - 0
src/luks/udisks2/meson.build

@@ -0,0 +1,19 @@
+audit = dependency('audit', version: '>=2.7.8', required: false)
+udisks2 = dependency('udisks2', required: false)
+
+if udisks2.found() and audit.found()
+  autostartdir = join_paths(sysconfdir, 'xdg', 'autostart')
+
+  configure_file(
+    input: 'clevis-luks-udisks2.desktop.in',
+    output: 'clevis-luks-udisks2.desktop',
+    install_dir: autostartdir,
+    configuration: data,
+  )
+
+  executable('clevis-luks-udisks2', 'clevis-luks-udisks2.c',
+    dependencies: [udisks2, luksmeta, audit, jansson],
+    install_dir: libexecdir,
+    install: true,
+  )
+endif
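Review bot: The guard `if udisks2.found() and audit.found()` covers only two of the four entries in `dependencies: [udisks2, luksmeta, audit, jansson]`, so the target can be enabled while `luksmeta` or `jansson` is missing, which would surface as a compile failure rather than a skipped target. src/pins/sss/meson.build tests `jansson.found()`, which suggests jansson is optional, so the guard here should probably read `if udisks2.found() and audit.found() and luksmeta.found() and jansson.found()`. The removed src/udisks2/Makefile.am also passed `-D BINDIR`, `-D CLEVIS_USER` and `-D CLEVIS_GROUP` to this program, while this `executable()` call sets no `c_args`. Those defines presumably name the binary directory and the account the helper runs as, so confirm they are still supplied project-wide and add a comment here saying where they come from.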

+ 9 - 0
src/meson.build

@@ -0,0 +1,9 @@
+subdir('bash')
+subdir('luks')
+subdir('pins')
+
+bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')
+mans += join_paths(meson.current_source_dir(), 'clevis-decrypt.1')
+
+bins += join_paths(meson.current_source_dir(), 'clevis')
+mans += join_paths(meson.current_source_dir(), 'clevis.1')

+ 3 - 0
src/pins/meson.build

@@ -0,0 +1,3 @@
+subdir('sss')
+subdir('tang')
+subdir('tpm2')

src/clevis-decrypt-sss.c → src/pins/sss/clevis-decrypt-sss.c


+ 1 - 1
src/clevis-decrypt-test

@@ -29,4 +29,4 @@ fi
 
 jwk=`jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-` || exit 1
 
-jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)
+jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
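Review bot: Replacing `cat` with `/bin/cat` carries no comment explaining why, and the same edit is repeated in clevis-encrypt-test, clevis-decrypt-tang, clevis-encrypt-tang, clevis-decrypt-tpm2 and clevis-encrypt-tpm2. If the intent is to keep the stream that carries the key from passing through whatever `cat` comes first on PATH, the hardening is only partial, because `jose` on the same line is still resolved through PATH. A one-line comment such as `# absolute path on purpose: <reason>` would record the intent, and `printf '%s' "$jwk$hdr."` is a more predictable way than `echo -n` to emit the prefix. The script starts outside this hunk, so whether PATH is already constrained earlier cannot be told from here.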

+ 59 - 0
src/pins/sss/clevis-encrypt-sss.1.adoc

@@ -0,0 +1,59 @@
+CLEVIS-ENCRYPT-SSS(1)
+=====================
+:doctype: manpage
+
+
+== NAME
+
+clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy 
+
+== SYNOPSIS
+
+*clevis encrypt sss* CONFIG < PT > JWE
+
+== OVERVIEW
+
+The *clevis encrypt sss* command encrypts using a Shamir's Secret Sharing
+policy. Its only argument is the JSON configuration object.
+
+Shamir's Secret Sharing (SSS) provides a way to mix pins together to create
+sophisticated unlocking and high availability policies. SSS is a thresholding
+scheme. It creates a key and divides it into a number of pieces. Each piece is
+encrypted using another pin (possibly even SSS recursively). Additionally,
+you define the threshold *t*. If at least *t* pieces can be decrypted, then
+the encryption key can be recovered and decryption can succeed.
+
+For example, let's create a high-availability setup using Tang:
+
+    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
+    $ clevis encrypt sss "$cfg" < PT > JWE
+
+In this policy, we are declaring that we have a threshold of 1, but that there
+are multiple key fragments encrypted using different Tang servers. Since our
+threshold is 1, so long as any of the Tang servers are available, decryption
+will succeed. As always, decryption is simply:
+
+    $ clevis decrypt < JWE > PT
+
+== CONFIG
+
+This command uses the following configuration properties:
+
+* *t* (integer) :
+  Number of pins required for decryption (REQUIRED)
+
+* *pins* (object) :
+  Pins used for encrypting fragments (REQUIRED)
+
+The format of the *pins* property is as follows:
+
+    {PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}
+
+When the list version of the format is used, multiple pins of that type will
+receive key fragments.
+
+== SEE ALSO
+
+link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

src/clevis-encrypt-sss.c → src/pins/sss/clevis-encrypt-sss.c


+ 1 - 1
src/clevis-encrypt-test

@@ -32,4 +32,4 @@ if ! jose fmt -j "$cfg" -g fail -T; then
     jwe=`jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-`
 fi
 
-exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; cat)
+exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)

+ 34 - 0
src/pins/sss/meson.build

@@ -0,0 +1,34 @@
+libcrypto = dependency('libcrypto', required: false)
+
+if jansson.found() and libcrypto.found()
+  executable('clevis-decrypt-sss', ['clevis-decrypt-sss.c', 'sss.c', 'sss.h'],
+    dependencies: [jansson, libcrypto, jose],
+    install_dir: bindir,
+    install: true,
+  )
+
+  executable('clevis-encrypt-sss', ['clevis-encrypt-sss.c', 'sss.c', 'sss.h'],
+    dependencies: [jansson, libcrypto, jose],
+    install_dir: bindir,
+    install: true,
+  )
+
+  src = meson.current_source_dir()
+
+  mans += join_paths(src, 'clevis-encrypt-sss.1')
+
+  env = environment()
+  env.append('PATH',
+    join_paths(meson.source_root(), 'src'),
+    meson.current_build_dir(),
+    '/usr/libexec',
+    libexecdir,
+    src,
+    separator: ':'
+  )
+
+  test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
+  test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
+else
+  warning('Will not install sss pin due to missing dependencies!')
+endif
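Review bot: `env.append('PATH', ...)` places the source and build directories after the inherited PATH, so on a host that already has `clevis` or `clevis-decrypt-sss` installed, the `pin-sss` and `pin-test` runs would presumably exercise the installed copies rather than the ones just built. Using `env.prepend('PATH', ...)` with the same arguments makes the tests run against the tree under test. The same applies to the `env.append` call in src/pins/tang/meson.build. The hard-coded `'/usr/libexec'` entry would also benefit from a comment naming the helper it is there for.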

tests/pin-sss → src/pins/sss/pin-sss


+ 1 - 1
tests/pin-test

@@ -7,4 +7,4 @@ d=`echo -n "$e" | clevis decrypt`
 test "$d" == "hi"
 
 e=`echo -n hi | clevis encrypt test '{"fail":true}'`
-! echo "$e" | decrypt
+! echo "$e" | clevis decrypt
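Review bot: The final line `! echo "$e" | clevis decrypt` passes whenever the pipeline fails for any reason, for example an empty `$e` because the preceding `clevis encrypt test '{"fail":true}'` itself failed, and not only when the test pin refuses to decrypt. That is the same kind of vacuous pass that let the old `decrypt` typo go unnoticed. Adding `test -n "$e"` before the negative check would tie the result to a JWE that was actually produced. The start of the script is outside this hunk, so whether `set -e` already aborts on a failed encrypt cannot be seen from here.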

src/sss.c → src/pins/sss/sss.c


src/sss.h → src/pins/sss/sss.h


+ 1 - 1
src/clevis-decrypt-tang

@@ -87,4 +87,4 @@ fi
 tmp=`jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$eph$srv"`
 rep=`jose jwk pub -i- <<< "$rep"`
 jwk=`jose jwk exc -l- -r- <<< "$rep$tmp"`
-exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)
+exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)

+ 1 - 1
src/clevis-encrypt-tang

@@ -125,7 +125,7 @@ for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
     jwe=`jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-`
     jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-`
     jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tang -j- -s adv -UUUUo- <<< "$jwks"`
-    exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; cat)
+    exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
 done
 
 echo "No exchange keys found!" >&2

+ 81 - 0
src/pins/tang/clevis-encrypt-tang.1.adoc

@@ -0,0 +1,81 @@
+CLEVIS-ENCRYPT-TANG(1)
+======================
+:doctype: manpage
+
+
+== NAME
+
+clevis-encrypt-tang - Encrypts using a Tang binding server policy
+
+== SYNOPSIS
+
+*clevis encrypt tang* CONFIG < PT > JWE
+
+== OVERVIEW
+
+The *clevis encrypt tang* command encrypts using a Tang binding server policy.
+Its only argument is the JSON configuration object.
+
+Clevis provides support for the Tang network binding server. Tang provides
+a stateless, lightweight alternative to escrows. Encrypting data using the
+Tang pin works like this:
+
+    $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
+    The advertisement contains the following signing keys:
+
+    _OsIk0T-E2l6qjfdDiwVmidoZjA
+
+    Do you wish to trust these keys? [ynYN] y
+
+To decrypt the data, just pass it to the *clevis decrypt* command:
+
+    $ clevis decrypt < JWE > PT
+
+As you can see above, Tang utilizes a trust-on-first-use workflow. If you
+already know the thumbprint of a trusted key, you can specify it in the
+configuration at encryption time:
+
+    $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}'
+    $ clevis encrypt tang "$cfg" < PT > JWE
+
+Obtaining the thumbprint of a trusted signing key is easy. If you
+have access to the Tang server, simply execute:
+
+    $ tang-show-keys <PORT>
+
+where <PORT> is the port that the Tang server is listening on.
+
+If *tang-show-keys* is not available, but you have access to the Tang
+server's database directory, you can execute this instead:
+
+    $ jose jwk thp -i $DBDIR/$SIG.jwk
+
+Tang can also perform entirely offline encryption if you pre-share the server
+advertisement. You can fetch the advertisement with a simple command (just be
+careful your network isn't compromised!):
+
+    $ curl -f $URL/adv > adv.jws
+
+Once you have the advertisement file, just provide it:
+
+    $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE
+
+== CONFIG
+
+This command uses the following configuration properties:
+
+* *url* (string) :
+  The base URL of the Tang server (REQUIRED)
+
+* *thp* (string) :
+  The thumbprint of a trusted signing key
+
+* *adv* (string) :
+  A filename containing a trusted advertisement
+
+* *adv* (object) :
+  A trusted advertisement (raw JSON)
+
+== SEE ALSO
+
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

+ 45 - 0
src/pins/tang/meson.build

@@ -0,0 +1,45 @@
+actv = find_program(
+  'systemd-socket-activate',
+  'systemd-activate',
+  required: false
+)
+kgen = find_program(
+  join_paths(libexecdir, 'tangd-keygen'),
+  '/usr/libexec/tangd-keygen',
+  required: false
+)
+updt = find_program(
+  join_paths(libexecdir, 'tangd-update'),
+  '/usr/libexec/tangd-update',
+  required: false
+)
+tang = find_program(
+  join_paths(libexecdir, 'tangd'),
+  '/usr/libexec/tangd',
+  required: false
+)
+curl = find_program('curl', required: false)
+
+if curl.found()
+  bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-tang')
+  bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang')
+  mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tang.1')
+
+  if actv.found() and kgen.found() and updt.found() and tang.found()
+    env = environment()
+    env.set('SD_ACTIVATE', actv.path())
+    env.append('PATH',
+      join_paths(meson.source_root(), 'src'),
+      meson.current_source_dir(),
+      '/usr/libexec',
+      libexecdir,
+      separator: ':'
+    )
+
+    test('pin-tang', find_program('./pin-tang'), env: env)
+  else
+    warning('Will not run tang tests due to missing dependencies!')
+  endif
+else
+  warning('Will not install tang pin due to missing dependencies!')
+endif

+ 3 - 3
tests/pin-tang

@@ -31,12 +31,12 @@ mkdir -p $TMP/db
 mkdir -p $TMP/cache
 
 # Generate the server keys
-/usr/libexec/tangd-keygen $TMP/db sig exc
-/usr/libexec/tangd-update $TMP/db $TMP/cache
+tangd-keygen $TMP/db sig exc
+tangd-update $TMP/db $TMP/cache
 
 # Start the server
 port=`shuf -i 1024-65536 -n 1`
-$SD_ACTIVATE -l 127.0.0.1:$port -a /usr/libexec/tangd $TMP/cache &
+$SD_ACTIVATE --inetd -l 127.0.0.1:$port -a tangd $TMP/cache &
 export PID=$!
 sleep 0.25
 
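Review bot: With the `/usr/libexec/` prefixes dropped, `tangd-keygen`, `tangd-update` and `tangd` are found only if the caller's PATH contains their directory, which src/pins/tang/meson.build arranges but a manual run does not. The line `$SD_ACTIVATE --inetd -l 127.0.0.1:$port -a tangd $TMP/cache &` also expands an unvalidated, unquoted variable as the command name, so with `SD_ACTIVATE` unset the shell tries to run `--inetd`. A guard such as `: "${SD_ACTIVATE:?must point to systemd-socket-activate}"` near the top, plus quoting `"$TMP/db"` and `"$TMP/cache"`, would make these failures explicit. The unchanged `shuf -i 1024-65536` line can also yield 65536, which is not a valid TCP port. The script begins before this hunk, so an existing check may already cover part of this.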

+ 8 - 1
src/clevis-decrypt-tpm2

@@ -37,6 +37,13 @@ if [ -t 0 ]; then
     exit 1
 fi
 
+TPM2TOOLS_INFO=`tpm2_pcrlist -v`
+
+if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
+    echo "The tpm2 pin requires tpm2-tools version 3" >&2
+    exit 1
+fi
+
 export TPM2TOOLS_TCTI_NAME=device
 export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
 
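Review bot: The new `TPM2TOOLS_INFO` assignment ignores the exit status of `tpm2_pcrlist -v`, so a missing or failing `tpm2_pcrlist` is reported as "The tpm2 pin requires tpm2-tools version 3", which misstates the cause. Testing the call itself, `if ! TPM2TOOLS_INFO=$(tpm2_pcrlist -v); then echo "tpm2_pcrlist is missing or failed" >&2; exit 1; fi`, keeps the fail-closed behaviour and gives an accurate message. The identical block is added to clevis-encrypt-tpm2, so the same applies there. Both scripts continue outside these hunks.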
@@ -123,4 +130,4 @@ if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then
     exit 1
 fi
 
-jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)
+jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)

+ 8 - 1
src/clevis-encrypt-tpm2

@@ -59,6 +59,13 @@ if [ -t 0 ]; then
     exit 1
 fi
 
+TPM2TOOLS_INFO=`tpm2_pcrlist -v`
+
+if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then
+    echo "The tpm2 pin requires tpm2-tools version 3" >&2
+    exit 1
+fi
+
 export TPM2TOOLS_TCTI_NAME=device
 export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null`
 
@@ -153,4 +160,4 @@ fi
 jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-`
 jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-`
 
-jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; cat)
+jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)

+ 109 - 0
src/pins/tpm2/clevis-encrypt-tpm2.1.adoc

@@ -0,0 +1,109 @@
+CLEVIS-ENCRYPT-TPM2(1)
+======================
+:doctype: manpage
+
+
+== NAME
+
+clevis-encrypt-tpm2 - Encrypts using a TPM2.0 chip binding policy
+
+== SYNOPSIS
+
+*clevis encrypt tpm2* CONFIG < PT > JWE
+
+== OVERVIEW
+
+The *clevis encrypt tpm2* command encrypts using a Trusted Platform Module 2.0
+(TPM2) chip. Its only argument is the JSON configuration object.
+
+When using the tpm2 pin, we create a new, cryptographically-strong, random key.
+This key is encrypted using the TPM2 chip.
+Then at decryption time, the key is decrypted again using the TPM2 chip.
+
+    $ clevis encrypt tpm2 '{}' < PT > JWE
+
+The pin has reasonable defaults for its configuration, but a different hierarchy,
+hash, and key algorithms can be chosen if the defaults used are not suitable:
+
+    $ clevis encrypt tpm2 '{"hash":"sha1","key":"rsa"}' < PT > JWE
+
+To decrypt the data, simply provide the ciphertext (JWE):
+
+    $ clevis decrypt < JWE > PT
+
+Note that like other pins no configuration is used for decryption, this is due
+clevis storing the public and private keys to unseal the TPM2 encrypted object
+in the JWE so clevis can fetch that information from there.
+
+The pin also supports sealing data to a Platform Configuration Registers (PCR)
+state. That way the data can only be unsealed if the PCRs hashes values match
+the policy used when sealing.
+
+For example, to seal the data to the PCR with index 0 and 1 for the SHA1 bank:
+
+    $ clevis encrypt tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,1"}' < PT > JWE
+
+The PCR digest values are looked up from the current hash values for the PCRs,
+but a digest can also be provided if the data needs to be sealed with values
+different to the current ones, by passing the binary hash encoded in base64:
+
+    $ clevis encrypt tpm2 '{"pcr_ids":"0","pcr_digest":"xy7J5svCtqlfM03d1lE5gdoA8MI"}' < PT > JWE
+
+== Threat model
+
+The Clevis security model relies in the fact that an attacker will not be able to
+access both the encrypted data and the decryption key.
+
+For most Clevis pins, the decryption key is not locally stored, so the decryption
+policy is only satisfied if the decryption key can be remotely accessed. It could
+for example be stored in a remote server or in a hardware authentication device
+that has to be plugged into the machine.
+
+The tpm2 pin is different in this regard, since a key is wrapped by a TPM2 chip
+that is always present in the machine. This does not mean that there are not use
+cases for this pin, but it is important to understand the fact that an attacker
+that has access to both the encrypted data and the local TPM2 chip will be able
+to decrypt the data.
+
+== CONFIG
+
+This command uses the following configuration properties:
+
+* *hash*  (string) :
+  Hash algorithm used in the computation of the object name (default: sha256)
+
+  It must be one of the following:
+
+  - *sha1*
+  - *sha256*
+  - *sha384*
+  - *sha512*
+  - *sm3_256*
+
+* *key*  (string) :
+  Algorithm type for the generated key (default: ecc)
+
+  It must be one of the following:
+
+  - *rsa*
+  - *keyedhash*
+  - *ecc*
+  - *symcipher*
+
+* *pcr_bank*  (string) :
+  PCR algorithm bank to use for policy (default: sha1)
+
+  It must be one of the following:
+
+  - *sha1*
+  - *sha256*
+
+* *pcr_ids*  (string) :
+  Comma separated list of PCR used for policy. If not present, no policy is used
+
+* *pcr_digest*  (string) :
+  Binary PCR hashes encoded in base64. If not present, the hash values are looked up
+
+== SEE ALSO
+
+link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]

+ 14 - 0
src/pins/tpm2/meson.build

@@ -0,0 +1,14 @@
+cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal']
+
+all = true
+foreach cmd : cmds
+  all = all and find_program('tpm2_' + cmd, required: false).found()
+endforeach
+
+if all
+  bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-tpm2')
+  bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-tpm2')
+  mans += join_paths(meson.current_source_dir(), 'clevis-encrypt-tpm2.1')
+else
+  warning('Will not install tpm2 pin due to missing dependencies!')
+endif

+ 0 - 12
src/systemd/Makefile.am

@@ -1,12 +0,0 @@
-nodist_systemdsystemunit_DATA = clevis-luks-askpass.service
-dist_systemdsystemunit_DATA = clevis-luks-askpass.path
-dist_libexec_SCRIPTS = clevis-luks-askpass
-
-CLEANFILES=clevis-luks-askpass.service
-EXTRA_DIST=clevis-luks-askpass.service.in
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@

+ 0 - 569
src/systemd/Makefile.in

@@ -1,569 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-subdir = src/systemd
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_libexec_SCRIPTS) \
-	$(dist_systemdsystemunit_DATA) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(libexecdir)" \
-	"$(DESTDIR)$(systemdsystemunitdir)" \
-	"$(DESTDIR)$(systemdsystemunitdir)"
-SCRIPTS = $(dist_libexec_SCRIPTS)
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-SOURCES =
-DIST_SOURCES =
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-DATA = $(dist_systemdsystemunit_DATA) $(nodist_systemdsystemunit_DATA)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__DIST_COMMON = $(srcdir)/Makefile.in
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-nodist_systemdsystemunit_DATA = clevis-luks-askpass.service
-dist_systemdsystemunit_DATA = clevis-luks-askpass.path
-dist_libexec_SCRIPTS = clevis-luks-askpass
-CLEANFILES = clevis-luks-askpass.service
-EXTRA_DIST = clevis-luks-askpass.service.in
-all: all-am
-
-.SUFFIXES:
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/systemd/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign src/systemd/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-dist_libexecSCRIPTS: $(dist_libexec_SCRIPTS)
-	@$(NORMAL_INSTALL)
-	@list='$(dist_libexec_SCRIPTS)'; test -n "$(libexecdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(libexecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(libexecdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n' \
-	    -e 'h;s|.*|.|' \
-	    -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) { files[d] = files[d] " " $$1; \
-	      if (++n[d] == $(am__install_max)) { \
-		print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
-	    else { print "f", d "/" $$4, $$1 } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	     if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	     test -z "$$files" || { \
-	       echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(libexecdir)$$dir'"; \
-	       $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(libexecdir)$$dir" || exit $$?; \
-	     } \
-	; done
-
-uninstall-dist_libexecSCRIPTS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_libexec_SCRIPTS)'; test -n "$(libexecdir)" || exit 0; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	       sed -e 's,.*/,,;$(transform)'`; \
-	dir='$(DESTDIR)$(libexecdir)'; $(am__uninstall_files_from_dir)
-install-dist_systemdsystemunitDATA: $(dist_systemdsystemunit_DATA)
-	@$(NORMAL_INSTALL)
-	@list='$(dist_systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; \
-	done | $(am__base_list) | \
-	while read files; do \
-	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdsystemunitdir)'"; \
-	  $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdsystemunitdir)" || exit $$?; \
-	done
-
-uninstall-dist_systemdsystemunitDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(dist_systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
-	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
-install-nodist_systemdsystemunitDATA: $(nodist_systemdsystemunit_DATA)
-	@$(NORMAL_INSTALL)
-	@list='$(nodist_systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(systemdsystemunitdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(systemdsystemunitdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; \
-	done | $(am__base_list) | \
-	while read files; do \
-	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdsystemunitdir)'"; \
-	  $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdsystemunitdir)" || exit $$?; \
-	done
-
-uninstall-nodist_systemdsystemunitDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(nodist_systemdsystemunit_DATA)'; test -n "$(systemdsystemunitdir)" || list=; \
-	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	dir='$(DESTDIR)$(systemdsystemunitdir)'; $(am__uninstall_files_from_dir)
-tags TAGS:
-
-ctags CTAGS:
-
-cscope cscopelist:
-
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(SCRIPTS) $(DATA)
-installdirs:
-	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(systemdsystemunitdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic mostlyclean-am
-
-distclean: distclean-am
-	-rm -f Makefile
-distclean-am: clean-am distclean-generic
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dist_systemdsystemunitDATA \
-	install-nodist_systemdsystemunitDATA
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-dist_libexecSCRIPTS
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-generic
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-dist_libexecSCRIPTS \
-	uninstall-dist_systemdsystemunitDATA \
-	uninstall-nodist_systemdsystemunitDATA
-
-.MAKE: install-am install-strip
-
-.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
-	ctags-am distclean distclean-generic distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dist_libexecSCRIPTS \
-	install-dist_systemdsystemunitDATA install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man \
-	install-nodist_systemdsystemunitDATA install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
-	pdf-am ps ps-am tags-am uninstall uninstall-am \
-	uninstall-dist_libexecSCRIPTS \
-	uninstall-dist_systemdsystemunitDATA \
-	uninstall-nodist_systemdsystemunitDATA
-
-.PRECIOUS: Makefile
-
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

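--- a/src/udisks2/Makefile.am
+++ b/src/udisks2/Makefile.am
@@ -1,26 +0,0 @@
-AM_CFLAGS = \
-    @CLEVIS_CFLAGS@ \
-    @jansson_CFLAGS@ \
-    @libcrypto_CFLAGS@ \
-    @jose_CFLAGS@ \
-    @udisks2_CFLAGS@ \
-    @audit_CFLAGS@ \
-    -D BINDIR='"@bindir@"' \
-    -D CLEVIS_USER='"@CLEVIS_USER@"' \
-    -D CLEVIS_GROUP='"@CLEVIS_GROUP@"'
-
-autostartdir = $(sysconfdir)/xdg/autostart
-
-nodist_autostart_DATA = clevis-luks-udisks2.desktop
-libexec_PROGRAMS = clevis-luks-udisks2
-
-clevis_luks_udisks2_LDADD = @luksmeta_LIBS@ @udisks2_LIBS@ @audit_LIBS@
-
-CLEANFILES=clevis-luks-udisks2.desktop
-EXTRA_DIST=clevis-luks-udisks2.desktop.in
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@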

+ 0 - 676
src/udisks2/Makefile.in

@@ -1,676 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-libexec_PROGRAMS = clevis-luks-udisks2$(EXEEXT)
-subdir = src/udisks2
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(libexecdir)" \
-	"$(DESTDIR)$(autostartdir)"
-PROGRAMS = $(libexec_PROGRAMS)
-clevis_luks_udisks2_SOURCES = clevis-luks-udisks2.c
-clevis_luks_udisks2_OBJECTS = clevis-luks-udisks2.$(OBJEXT)
-clevis_luks_udisks2_DEPENDENCIES =
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I.@am__isrc@
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = clevis-luks-udisks2.c
-DIST_SOURCES = clevis-luks-udisks2.c
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-DATA = $(nodist_autostart_DATA)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-AM_CFLAGS = \
-    @CLEVIS_CFLAGS@ \
-    @jansson_CFLAGS@ \
-    @libcrypto_CFLAGS@ \
-    @jose_CFLAGS@ \
-    @udisks2_CFLAGS@ \
-    @audit_CFLAGS@ \
-    -D BINDIR='"@bindir@"' \
-    -D CLEVIS_USER='"@CLEVIS_USER@"' \
-    -D CLEVIS_GROUP='"@CLEVIS_GROUP@"'
-
-autostartdir = $(sysconfdir)/xdg/autostart
-nodist_autostart_DATA = clevis-luks-udisks2.desktop
-clevis_luks_udisks2_LDADD = @luksmeta_LIBS@ @udisks2_LIBS@ @audit_LIBS@
-CLEANFILES = clevis-luks-udisks2.desktop
-EXTRA_DIST = clevis-luks-udisks2.desktop.in
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/udisks2/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign src/udisks2/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-libexecPROGRAMS: $(libexec_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	@list='$(libexec_PROGRAMS)'; test -n "$(libexecdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(libexecdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(libexecdir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	      echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(libexecdir)$$dir'"; \
-	      $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(libexecdir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-libexecPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(libexec_PROGRAMS)'; test -n "$(libexecdir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(libexecdir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(libexecdir)" && rm -f $$files
-
-clean-libexecPROGRAMS:
-	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
-
-clevis-luks-udisks2$(EXEEXT): $(clevis_luks_udisks2_OBJECTS) $(clevis_luks_udisks2_DEPENDENCIES) $(EXTRA_clevis_luks_udisks2_DEPENDENCIES) 
-	@rm -f clevis-luks-udisks2$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(clevis_luks_udisks2_OBJECTS) $(clevis_luks_udisks2_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/clevis-luks-udisks2.Po@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-install-nodist_autostartDATA: $(nodist_autostart_DATA)
-	@$(NORMAL_INSTALL)
-	@list='$(nodist_autostart_DATA)'; test -n "$(autostartdir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(autostartdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(autostartdir)" || exit 1; \
-	fi; \
-	for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; \
-	done | $(am__base_list) | \
-	while read files; do \
-	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(autostartdir)'"; \
-	  $(INSTALL_DATA) $$files "$(DESTDIR)$(autostartdir)" || exit $$?; \
-	done
-
-uninstall-nodist_autostartDATA:
-	@$(NORMAL_UNINSTALL)
-	@list='$(nodist_autostart_DATA)'; test -n "$(autostartdir)" || list=; \
-	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	dir='$(DESTDIR)$(autostartdir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS) $(DATA)
-installdirs:
-	for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(autostartdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-libexecPROGRAMS mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-nodist_autostartDATA
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-libexecPROGRAMS
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-libexecPROGRAMS uninstall-nodist_autostartDATA
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-libexecPROGRAMS cscopelist-am ctags ctags-am distclean \
-	distclean-compile distclean-generic distclean-tags distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-libexecPROGRAMS \
-	install-man install-nodist_autostartDATA install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \
-	uninstall-am uninstall-libexecPROGRAMS \
-	uninstall-nodist_autostartDATA
-
-.PRECIOUS: Makefile
-
-
-%: %.in
-	$(AM_V_GEN)mkdir -p $(dir $@)
-	$(AM_V_GEN)$(SED) \
-		-e 's,@libexecdir\@,$(libexecdir),g' \
-		$(srcdir)/$@.in > $@
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

+ 0 - 148
test-driver

@@ -1,148 +0,0 @@
-#! /bin/sh
-# test-driver - basic testsuite driver script.
-
-scriptversion=2016-01-11.22; # UTC
-
-# Copyright (C) 2011-2017 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to <bug-automake@gnu.org> or send patches to
-# <automake-patches@gnu.org>.
-
-# Make unconditional expansion of undefined variables an error.  This
-# helps a lot in preventing typo-related bugs.
-set -u
-
-usage_error ()
-{
-  echo "$0: $*" >&2
-  print_usage >&2
-  exit 2
-}
-
-print_usage ()
-{
-  cat <<END
-Usage:
-  test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
-              [--expect-failure={yes|no}] [--color-tests={yes|no}]
-              [--enable-hard-errors={yes|no}] [--]
-              TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS]
-The '--test-name', '--log-file' and '--trs-file' options are mandatory.
-END
-}
-
-test_name= # Used for reporting.
-log_file=  # Where to save the output of the test script.
-trs_file=  # Where to save the metadata of the test run.
-expect_failure=no
-color_tests=no
-enable_hard_errors=yes
-while test $# -gt 0; do
-  case $1 in
-  --help) print_usage; exit $?;;
-  --version) echo "test-driver $scriptversion"; exit $?;;
-  --test-name) test_name=$2; shift;;
-  --log-file) log_file=$2; shift;;
-  --trs-file) trs_file=$2; shift;;
-  --color-tests) color_tests=$2; shift;;
-  --expect-failure) expect_failure=$2; shift;;
-  --enable-hard-errors) enable_hard_errors=$2; shift;;
-  --) shift; break;;
-  -*) usage_error "invalid option: '$1'";;
-   *) break;;
-  esac
-  shift
-done
-
-missing_opts=
-test x"$test_name" = x && missing_opts="$missing_opts --test-name"
-test x"$log_file"  = x && missing_opts="$missing_opts --log-file"
-test x"$trs_file"  = x && missing_opts="$missing_opts --trs-file"
-if test x"$missing_opts" != x; then
-  usage_error "the following mandatory options are missing:$missing_opts"
-fi
-
-if test $# -eq 0; then
-  usage_error "missing argument"
-fi
-
-if test $color_tests = yes; then
-  # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
-  red='' # Red.
-  grn='' # Green.
-  lgn='' # Light green.
-  blu='' # Blue.
-  mgn='' # Magenta.
-  std=''     # No color.
-else
-  red= grn= lgn= blu= mgn= std=
-fi
-
-do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
-trap "st=129; $do_exit" 1
-trap "st=130; $do_exit" 2
-trap "st=141; $do_exit" 13
-trap "st=143; $do_exit" 15
-
-# Test script is run here.
-"$@" >$log_file 2>&1
-estatus=$?
-
-if test $enable_hard_errors = no && test $estatus -eq 99; then
-  tweaked_estatus=1
-else
-  tweaked_estatus=$estatus
-fi
-
-case $tweaked_estatus:$expect_failure in
-  0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
-  0:*)   col=$grn res=PASS  recheck=no  gcopy=no;;
-  77:*)  col=$blu res=SKIP  recheck=no  gcopy=yes;;
-  99:*)  col=$mgn res=ERROR recheck=yes gcopy=yes;;
-  *:yes) col=$lgn res=XFAIL recheck=no  gcopy=yes;;
-  *:*)   col=$red res=FAIL  recheck=yes gcopy=yes;;
-esac
-
-# Report the test outcome and exit status in the logs, so that one can
-# know whether the test passed or failed simply by looking at the '.log'
-# file, without the need of also peaking into the corresponding '.trs'
-# file (automake bug#11814).
-echo "$res $test_name (exit status: $estatus)" >>$log_file
-
-# Report outcome to console.
-echo "${col}${res}${std}: $test_name"
-
-# Register the test result, and other relevant metadata.
-echo ":test-result: $res" > $trs_file
-echo ":global-test-result: $res" >> $trs_file
-echo ":recheck: $recheck" >> $trs_file
-echo ":copy-in-global-log: $gcopy" >> $trs_file
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC0"
-# time-stamp-end: "; # UTC"
-# End:

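--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,7 +0,0 @@
-AM_CFLAGS = @CLEVIS_CFLAGS@
-
-AM_TESTS_ENVIRONMENT = \
-    SD_ACTIVATE="@SD_ACTIVATE@" \
-    PATH=${top_srcdir}/src:${top_builddir}/src/:$(PATH)
-TESTS = pin-test pin-http pin-sss pin-tang
-dist_check_SCRIPTS = $(TESTS) pin-httpd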

+ 0 - 836
tests/Makefile.in

@@ -1,836 +0,0 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-target_triplet = @target@
-subdir = tests
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \
-	$(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-SOURCES =
-DIST_SOURCES =
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__tty_colors_dummy = \
-  mgn= red= grn= lgn= blu= brg= std=; \
-  am__color_tests=no
-am__tty_colors = { \
-  $(am__tty_colors_dummy); \
-  if test "X$(AM_COLOR_TESTS)" = Xno; then \
-    am__color_tests=no; \
-  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
-    am__color_tests=yes; \
-  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
-    am__color_tests=yes; \
-  fi; \
-  if test $$am__color_tests = yes; then \
-    red=''; \
-    grn=''; \
-    lgn=''; \
-    blu=''; \
-    mgn=''; \
-    brg=''; \
-    std=''; \
-  fi; \
-}
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__recheck_rx = ^[ 	]*:recheck:[ 	]*
-am__global_test_result_rx = ^[ 	]*:global-test-result:[ 	]*
-am__copy_in_global_log_rx = ^[ 	]*:copy-in-global-log:[ 	]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
-  recheck = 1; \
-  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
-    { \
-      if (rc < 0) \
-        { \
-          if ((getline line2 < ($$0 ".log")) < 0) \
-	    recheck = 0; \
-          break; \
-        } \
-      else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
-        { \
-          recheck = 0; \
-          break; \
-        } \
-      else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
-        { \
-          break; \
-        } \
-    }; \
-  if (recheck) \
-    print $$0; \
-  close ($$0 ".trs"); \
-  close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
-  print "fatal: making $@: " msg | "cat >&2"; \
-  exit 1; \
-} \
-function rst_section(header) \
-{ \
-  print header; \
-  len = length(header); \
-  for (i = 1; i <= len; i = i + 1) \
-    printf "="; \
-  printf "\n\n"; \
-} \
-{ \
-  copy_in_global_log = 1; \
-  global_test_result = "RUN"; \
-  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
-    { \
-      if (rc < 0) \
-         fatal("failed to read from " $$0 ".trs"); \
-      if (line ~ /$(am__global_test_result_rx)/) \
-        { \
-          sub("$(am__global_test_result_rx)", "", line); \
-          sub("[ 	]*$$", "", line); \
-          global_test_result = line; \
-        } \
-      else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
-        copy_in_global_log = 0; \
-    }; \
-  if (copy_in_global_log) \
-    { \
-      rst_section(global_test_result ": " $$0); \
-      while ((rc = (getline line < ($$0 ".log"))) != 0) \
-      { \
-        if (rc < 0) \
-          fatal("failed to read from " $$0 ".log"); \
-        print line; \
-      }; \
-      printf "\n"; \
-    }; \
-  close ($$0 ".trs"); \
-  close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/   &   /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this.  Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
-  --color-tests "$$am__color_tests" \
-  --enable-hard-errors "$$am__enable_hard_errors" \
-  --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test.  Creates the
-# directory for the log if needed.  Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log.  Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT.  Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup);					\
-$(am__vpath_adj_setup) $(am__vpath_adj)			\
-$(am__tty_colors);					\
-srcdir=$(srcdir); export srcdir;			\
-case "$@" in						\
-  */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;;	\
-    *) am__odir=.;; 					\
-esac;							\
-test "x$$am__odir" = x"." || test -d "$$am__odir" 	\
-  || $(MKDIR_P) "$$am__odir" || exit $$?;		\
-if test -f "./$$f"; then dir=./;			\
-elif test -f "$$f"; then dir=;				\
-else dir="$(srcdir)/"; fi;				\
-tst=$$dir$$f; log='$@'; 				\
-if test -n '$(DISABLE_HARD_ERRORS)'; then		\
-  am__enable_hard_errors=no; 				\
-else							\
-  am__enable_hard_errors=yes; 				\
-fi; 							\
-case " $(XFAIL_TESTS) " in				\
-  *[\ \	]$$f[\ \	]* | *[\ \	]$$dir$$f[\ \	]*) \
-    am__expect_failure=yes;;				\
-  *)							\
-    am__expect_failure=no;;				\
-esac; 							\
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed).  The result is saved in the shell variable
-# '$bases'.  This honors runtime overriding of TESTS and TEST_LOGS.  Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
-  bases='$(TEST_LOGS)'; \
-  bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
-  bases=`echo $$bases`
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
-  case '$@' in \
-    */*) \
-      case '$*' in \
-        */*) b='$*';; \
-          *) b=`echo '$@' | sed 's/\.log$$//'`; \
-       esac;; \
-    *) \
-      b='$*';; \
-  esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
-	$(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/test-driver
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLEVIS_CFLAGS = @CLEVIS_CFLAGS@
-CLEVIS_GROUP = @CLEVIS_GROUP@
-CLEVIS_USER = @CLEVIS_USER@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EXEEXT = @EXEEXT@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LDFLAGS = @LDFLAGS@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PWMAKE = @PWMAKE@
-RANLIB = @RANLIB@
-SD_ACTIVATE = @SD_ACTIVATE@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-TPM2_TOOLS = @TPM2_TOOLS@
-VERSION = @VERSION@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-audit_CFLAGS = @audit_CFLAGS@
-audit_LIBS = @audit_LIBS@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dracut_CFLAGS = @dracut_CFLAGS@
-dracut_LIBS = @dracut_LIBS@
-dracutmodulesdir = @dracutmodulesdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-jansson_CFLAGS = @jansson_CFLAGS@
-jansson_LIBS = @jansson_LIBS@
-jose_CFLAGS = @jose_CFLAGS@
-jose_LIBS = @jose_LIBS@
-libcrypto_CFLAGS = @libcrypto_CFLAGS@
-libcrypto_LIBS = @libcrypto_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-luksmeta_CFLAGS = @luksmeta_CFLAGS@
-luksmeta_LIBS = @luksmeta_LIBS@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-target = @target@
-target_alias = @target_alias@
-target_cpu = @target_cpu@
-target_os = @target_os@
-target_vendor = @target_vendor@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-udisks2_CFLAGS = @udisks2_CFLAGS@
-udisks2_LIBS = @udisks2_LIBS@
-AM_CFLAGS = @CLEVIS_CFLAGS@
-AM_TESTS_ENVIRONMENT = \
-    SD_ACTIVATE="@SD_ACTIVATE@" \
-    PATH=${top_srcdir}/src:${top_builddir}/src/:$(PATH)
-
-TESTS = pin-test pin-http pin-sss pin-tang
-dist_check_SCRIPTS = $(TESTS) pin-httpd
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .log .test .test$(EXEEXT) .trs
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign tests/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-tags TAGS:
-
-ctags CTAGS:
-
-cscope cscopelist:
-
-
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'.  Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
-	rm -f $< $@
-	$(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
-	@:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
-	@$(am__set_TESTS_bases); \
-	am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
-	redo_bases=`for i in $$bases; do \
-	              am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
-	            done`; \
-	if test -n "$$redo_bases"; then \
-	  redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
-	  redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
-	  if $(am__make_dryrun); then :; else \
-	    rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
-	  fi; \
-	fi; \
-	if test -n "$$am__remaking_logs"; then \
-	  echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
-	       "recursion detected" >&2; \
-	elif test -n "$$redo_logs"; then \
-	  am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
-	fi; \
-	if $(am__make_dryrun); then :; else \
-	  st=0;  \
-	  errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
-	  for i in $$redo_bases; do \
-	    test -f $$i.trs && test -r $$i.trs \
-	      || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
-	    test -f $$i.log && test -r $$i.log \
-	      || { echo "$$errmsg $$i.log" >&2; st=1; }; \
-	  done; \
-	  test $$st -eq 0 || exit 1; \
-	fi
-	@$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
-	ws='[ 	]'; \
-	results=`for b in $$bases; do echo $$b.trs; done`; \
-	test -n "$$results" || results=/dev/null; \
-	all=`  grep "^$$ws*:test-result:"           $$results | wc -l`; \
-	pass=` grep "^$$ws*:test-result:$$ws*PASS"  $$results | wc -l`; \
-	fail=` grep "^$$ws*:test-result:$$ws*FAIL"  $$results | wc -l`; \
-	skip=` grep "^$$ws*:test-result:$$ws*SKIP"  $$results | wc -l`; \
-	xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
-	xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
-	error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
-	if test `expr $$fail + $$xpass + $$error` -eq 0; then \
-	  success=true; \
-	else \
-	  success=false; \
-	fi; \
-	br='==================='; br=$$br$$br$$br$$br; \
-	result_count () \
-	{ \
-	    if test x"$$1" = x"--maybe-color"; then \
-	      maybe_colorize=yes; \
-	    elif test x"$$1" = x"--no-color"; then \
-	      maybe_colorize=no; \
-	    else \
-	      echo "$@: invalid 'result_count' usage" >&2; exit 4; \
-	    fi; \
-	    shift; \
-	    desc=$$1 count=$$2; \
-	    if test $$maybe_colorize = yes && test $$count -gt 0; then \
-	      color_start=$$3 color_end=$$std; \
-	    else \
-	      color_start= color_end=; \
-	    fi; \
-	    echo "$${color_start}# $$desc $$count$${color_end}"; \
-	}; \
-	create_testsuite_report () \
-	{ \
-	  result_count $$1 "TOTAL:" $$all   "$$brg"; \
-	  result_count $$1 "PASS: " $$pass  "$$grn"; \
-	  result_count $$1 "SKIP: " $$skip  "$$blu"; \
-	  result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
-	  result_count $$1 "FAIL: " $$fail  "$$red"; \
-	  result_count $$1 "XPASS:" $$xpass "$$red"; \
-	  result_count $$1 "ERROR:" $$error "$$mgn"; \
-	}; \
-	{								\
-	  echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" |	\
-	    $(am__rst_title);						\
-	  create_testsuite_report --no-color;				\
-	  echo;								\
-	  echo ".. contents:: :depth: 2";				\
-	  echo;								\
-	  for b in $$bases; do echo $$b; done				\
-	    | $(am__create_global_log);					\
-	} >$(TEST_SUITE_LOG).tmp || exit 1;				\
-	mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG);			\
-	if $$success; then						\
-	  col="$$grn";							\
-	 else								\
-	  col="$$red";							\
-	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
-	fi;								\
-	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
-	echo "$${col}$$br$${std}"; 					\
-	create_testsuite_report --maybe-color;				\
-	echo "$$col$$br$$std";						\
-	if $$success; then :; else					\
-	  echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}";		\
-	  if test -n "$(PACKAGE_BUGREPORT)"; then			\
-	    echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}";	\
-	  fi;								\
-	  echo "$$col$$br$$std";					\
-	fi;								\
-	$$success || exit 1
-
-check-TESTS:
-	@list='$(RECHECK_LOGS)';           test -z "$$list" || rm -f $$list
-	@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
-	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-	@set +e; $(am__set_TESTS_bases); \
-	log_list=`for i in $$bases; do echo $$i.log; done`; \
-	trs_list=`for i in $$bases; do echo $$i.trs; done`; \
-	log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
-	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
-	exit $$?;
-recheck: all $(dist_check_SCRIPTS)
-	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-	@set +e; $(am__set_TESTS_bases); \
-	bases=`for i in $$bases; do echo $$i; done \
-	         | $(am__list_recheck_tests)` || exit 1; \
-	log_list=`for i in $$bases; do echo $$i.log; done`; \
-	log_list=`echo $$log_list`; \
-	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
-	        am__force_recheck=am--force-recheck \
-	        TEST_LOGS="$$log_list"; \
-	exit $$?
-pin-test.log: pin-test
-	@p='pin-test'; \
-	b='pin-test'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-pin-http.log: pin-http
-	@p='pin-http'; \
-	b='pin-http'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-pin-sss.log: pin-sss
-	@p='pin-sss'; \
-	b='pin-sss'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-pin-tang.log: pin-tang
-	@p='pin-tang'; \
-	b='pin-tang'; \
-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
-	@p='$<'; \
-	$(am__set_b); \
-	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-	--log-file $$b.log --trs-file $$b.trs \
-	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-	"$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@	@p='$<'; \
-@am__EXEEXT_TRUE@	$(am__set_b); \
-@am__EXEEXT_TRUE@	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS)
-	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
-check: check-am
-all-am: Makefile
-installdirs:
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-	-test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
-	-test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
-	-test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic mostlyclean-am
-
-distclean: distclean-am
-	-rm -f Makefile
-distclean-am: clean-am distclean-generic
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-generic
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am:
-
-.MAKE: check-am install-am install-strip
-
-.PHONY: all all-am check check-TESTS check-am clean clean-generic \
-	cscopelist-am ctags-am distclean distclean-generic distdir dvi \
-	dvi-am html html-am info info-am install install-am \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
-	pdf-am ps ps-am recheck tags-am uninstall uninstall-am
-
-.PRECIOUS: Makefile
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:

+ 0 - 29
tests/pin-http

@@ -1,29 +0,0 @@
-#!/bin/bash -x
-
-function on_exit() {
-    [ "$PID" ] && kill $PID && ! wait $PID
-    [ -d "$TMP" ] && rm -rf $TMP
-}
-
-trap 'on_exit' EXIT
-trap 'exit' ERR
-
-export TMP=`mktemp -d`
-
-PORT=`shuf -i 1024-65535 -n 1`
-$SD_ACTIVATE -l 127.0.0.1:$PORT -a ${0%/*}/pin-httpd "$TMP" &
-export PID=$!
-sleep 0.25
-
-cfg="{\"url\":\"http://localhost:${PORT}/foo\"}"
-! clevis encrypt http "$cfg" <<< "hi"
-
-cfg=`jose fmt -j "$cfg" -Oj true -s http -U -Oo-`
-e=`echo -n hi | clevis encrypt http "$cfg"`
-d=`echo -n "$e" | clevis decrypt`
-test "$d" == "hi"
-
-kill $PID
-! wait $PID
-
-! echo "$e" | clevis decrypt

+ 0 - 74
tests/pin-httpd

@@ -1,74 +0,0 @@
-#!/bin/bash
-
-function fetch() {
-    dd of=/dev/null bs=1 count=$2 2>/dev/null
-
-    if ! [ -f "$1" -a -f "$1.ct" ]; then
-        echo -e "HTTP/1.1 404 Not Found\r"
-        echo -e "Content-Length: 0\r"
-        echo -e "\r"
-        return 0
-    fi
-
-    echo -e "HTTP/1.1 200 OK\r"
-    echo -e "Content-Type: `cat $1.ct`\r"
-    echo -e "Content-Length: `stat -c%s $1`\r"
-    echo -e "\r"
-    cat $1
-}
-
-function store() {
-    if [ -z "$3" ]; then
-        dd of=/dev/null bs=1 count=$2 2>/dev/null
-        echo -e "HTTP/1.1 400 Bad Request\r"
-        echo -e "Content-Length: 0\r"
-        echo -e "\r"
-    fi
-
-    dd of=$1 bs=1 count=$2 2>/dev/null
-    echo "$3" > $1.ct
-
-    echo -e "HTTP/1.1 200 OK\r"
-    echo -e "Content-Length: 0\r"
-    echo -e "\r"
-}
-
-function methd() {
-    dd of=/dev/null bs=1 count=$2 2>/dev/null
-
-    echo -e "HTTP/1.1 405 Method Not Allowed\r"
-    echo -e "Content-Length: 0\r"
-    echo -e "\r"
-}
-
-if [ $# -ne 1 ]; then
-    echo "Usage: `basename $0` STATEDIR" >&2
-    exit 1
-fi
-
-shopt -s nocasematch
-
-while true; do
-    read meth path vers
-
-    [ -z "$meth" -a -z "$path" -a -z "$vers" ] && exit 0
-    [[ "$vers" =~ ^HTTP/1\.[01]$'\r'?$ ]] || exit 1
-
-    cl=0
-    while read h && [ "$h" != $'\r' ]; do
-        [[ "$h" =~ ^Content-Length:[[:blank:]]*([[:digit:]]+)[[:space:]]*$ ]] \
-            && cl=${BASH_REMATCH[1]}
-        [[ "$h" =~ ^Content-Type:[[:blank:]]*(.+)[[:blank:]]*$ ]] \
-            && ct=${BASH_REMATCH[1]}
-    done
-
-    echo "$meth $path" >&2
-
-    read path discard < <(echo "$path" | sha224sum)
-    case "$meth" in
-    GET)  fetch "$1/$path" "$cl";;
-    PUT)  store "$1/$path" "$cl" "$ct";;
-    POST) store "$1/$path" "$cl" "$ct";;
-    *)    methd "$1/$path" "$cl";;
-    esac
-done