7 Commits 1917c22f26 ... e20fd29a03

  Christoph Biedl e20fd29a03 clevis 13-2 3 years ago
  Christoph Biedl 8f5f6f94c7 Include more programs in the generated initrd/initramfs 3 years ago
  Christoph Biedl 23fe929ceb Embed TPM kernel modules in initramfs 3 years ago
  Christoph Biedl d3864fb1c9 Make clevis-udisks2 usable 3 years ago
  Christoph Biedl 1a906c4d1c Declare compliance with policy 4.5.0, no changes 3 years ago
  Christoph Biedl b98837a6b2 Add a rudimentary autopkgtest 3 years ago
  Christoph Biedl 19e112e374 Patch queue maintenance 3 years ago

+ 8 - 0
debian/changelog

@@ -1,3 +1,11 @@
+clevis (13-2) unstable; urgency=medium
+
+  * Make clevis-udisks2 usable
+  * Embed TPM kernel modules in initramfs
+  * Include more programs in the generated initrd/initramfs
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Thu, 21 May 2020 22:32:37 +0200
+
 clevis (13-1) unstable; urgency=low
 
   * New upstream version 13. Closes: #954208

+ 20 - 0
debian/clevis-udisks2.postinst

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+    if ! getent passwd _clevis >/dev/null; then
+        adduser --quiet --system --group --no-create-home --home /nonexistent --force-badname _clevis
+    fi
+    ;;
+abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+*)
+    echo "postinst called with unknown argument '$1'" >&2
+    exit 1
+    ;;
+esac
+
+#DEBHELPER#
+exit 0
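Review bot: The `adduser` call in the `configure` branch relies on `--system` defaults for the login shell, which are not visible here; making it explicit keeps the account non-interactive whatever the installed adduser defaults to: `adduser --quiet --system --group --no-create-home --home /nonexistent --shell /usr/sbin/nologin --force-badname _clevis`. The `getent passwd _clevis` guard only checks the user, so a pre-existing `_clevis` account with a different primary group silently skips the `--group` half; a one-line comment stating that this is accepted would help the next maintainer. `--force-badname` is only needed because of the leading underscore, and newer adduser releases spell it `--allow-bad-names`; if the package is later built for a release where the old spelling is gone, the call fails under `set -e` and configure aborts.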

+ 18 - 0
debian/clevis-udisks2.postrm

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+remove)
+    deluser --quiet _clevis >/dev/null || :
+    ;;
+purge|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+*)
+    echo "postrm called with unknown argument '$1'" >&2
+    exit 1
+    ;;
+esac
+
+#DEBHELPER#
+exit 0
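Review bot: The `deluser` on the `remove` branch drops the account on every package removal rather than on `purge`, so a remove-then-reinstall cycle can give `_clevis` a different uid while files created under the old uid keep their previous ownership; the usual packaging practice is to leave system users in place, or to remove them on `purge` only. If the removal is kept, `deluser --quiet --system _clevis >/dev/null || :` restricts it to a system account and refuses to delete a regular user that happens to carry that name. The `|| :` is justified because adduser may already be deconfigured when postrm runs, but a comment saying so would make the intent clear, e.g. `# adduser may be gone at this point; never fail the removal on it`.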

+ 4 - 1
debian/control

@@ -1,7 +1,7 @@
 Source: clevis
 Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
 Homepage: https://github.com/latchset/clevis
-Standards-Version: 4.4.1
+Standards-Version: 4.5.0
 Vcs-Browser: https://git.in-ulm.de/cbiedl/clevis
 Vcs-Git: https://git.in-ulm.de/cbiedl/clevis.git
 Build-Depends: debhelper (>= 11~),
@@ -103,7 +103,10 @@ Description: systemd integration for clevis
 Package: clevis-udisks2
 Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
+    adduser,
     clevis-luks (= ${binary:Version}),
+    libblockdev-crypto2,
+    udisks2,
 Description: UDisks2/Storaged integration for clevis
  Clevis is a plugable framework for automated decryption. This package
  provides automatic unlocking LUKS encrypted block devices in desktop

+ 12 - 0
debian/patches/debian.set-unprivileged-user.patch

@@ -0,0 +1,12 @@
+Subject: Change to user for unprivileged operations
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2020-05-21
+Forwarded: not-needed
+
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -1,2 +1,2 @@
+-option('user', type: 'string', value: 'clevis', description: 'Unprivileged user for secure clevis operations')
+-option('group', type: 'string', value: 'clevis', description: 'Unprivileged group for secure clevis operations')
++option('user', type: 'string', value: '_clevis', description: 'Unprivileged user for secure clevis operations')
++option('group', type: 'string', value: '_clevis', description: 'Unprivileged group for secure clevis operations')

+ 8 - 1
debian/patches/series

@@ -1 +1,8 @@
-debian.use-asciidoctor-to-build-manpages.patch
+
+# patches for upstream
+upstream.use-asciidoctor-to-build-manpages.patch
+upstream.embed-tpm-modules-in-initramfs.patch
+
+# patches for Debian
+upstream.embed-more-programs-in-initram.patch
+debian.set-unprivileged-user.patch
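Review bot: `upstream.embed-more-programs-in-initram.patch` is listed under the `# patches for Debian` heading although its name prefix and its `Bug:` link to the upstream issue tracker mark it as an upstream patch; it should move up under `# patches for upstream`, leaving only `debian.set-unprivileged-user.patch` in the Debian group. Since quilt applies the series in order, moving it changes nothing functionally as long as the two upstream patches touch disjoint hunks of `clevis.in`, which appears to be the case from the other sections of this commit.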

+ 29 - 0
debian/patches/upstream.embed-more-programs-in-initram.patch

@@ -0,0 +1,29 @@
+Subject: Embed more programs in the initramfs/initrd
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date:  2020-05-21
+Bug: https://github.com/latchset/clevis/issues/195
+
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -59,6 +59,9 @@
+ copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
+ copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+ copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
++copy_exec @bindir@/clevis-luks-common-functions || die 1 "/usr/bin/clevis-luks-common-functions not found"
++copy_exec @bindir@/clevis-luks-list || die 1 "/usr/bin/clevis-luks-list not found"
++copy_exec @bindir@/clevis-luks-unlock || die 1 "/usr/bin/clevis-luks-unlock not found"
+ if [ -x @bindir@/clevis-decrypt-tpm2 ]; then
+     copy_exec @bindir@/clevis-decrypt-tpm2 || die 1 "@bindir@/clevis-decrypt-tpm2 not found"
+     tpm2_creatprimary_bin=$(find_binary "tpm2_createprimary")
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
+@@ -31,6 +31,9 @@
+ 	/etc/services \
+         @libexecdir@/clevis-luks-askpass \
+         clevis-decrypt \
++        clevis-luks-common-functions \
++        clevis-luks-list \
++        clevis-luks-unlock \
+         cryptsetup \
+         luksmeta \
+         clevis \
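Review bot: The three new `copy_exec` lines in the initramfs-tools hook hard-code `/usr/bin/` in their `die` messages while the preceding lines use `@bindir@` for both the path and the message, so the message is wrong whenever meson is configured with a different bindir; the messages should read `copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"`, `copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"` and `copy_exec @bindir@/clevis-luks-unlock || die 1 "@bindir@/clevis-luks-unlock not found"`. `clevis-luks-common-functions` is presumably a sourced shell library rather than a binary, in which case `copy_file` would be the more precise initramfs-tools helper, though `copy_exec` is harmless for a script. The dracut hunk only extends an argument list whose start and end lie outside the hunk, so the enclosing call is not reviewable here.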

+ 16 - 0
debian/patches/upstream.embed-tpm-modules-in-initramfs.patch

@@ -0,0 +1,16 @@
+Subject: Embed TPM modules in initramfs
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date:  2020-05-21
+Bug: https://github.com/latchset/clevis/issues/194
+
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -72,6 +72,8 @@
+             copy_exec "${_LIBRARY}" || die 2 "Unable to copy ${_LIBRARY}"
+         fi
+     done
++    manual_add_modules tpm_crb
++    manual_add_modules tpm_tis
+ fi
+ 
+ 
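Review bot: The two `manual_add_modules` calls cover only `tpm_crb` and `tpm_tis`; a TPM attached via another bus driver (for example `tpm_tis_spi`) would still be absent from the initramfs, so a comment listing why these two were chosen, e.g. `# tpm_crb/tpm_tis cover the common x86 TPM 2.0 attachments; add bus-specific drivers here if needed`, would help whoever extends it. The calls sit inside an `if [ -x @bindir@/clevis-decrypt-tpm2 ]` block whose opening lies outside the hunk, so they are only reached when the tpm2 pin is installed, which seems intended. Unlike the companion patch, this one changes only the initramfs-tools hook and not the dracut module setup; if the dracut path needs the same modules that is not covered here.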

debian/patches/debian.use-asciidoctor-to-build-manpages.patch → debian/patches/upstream.use-asciidoctor-to-build-manpages.patch


+ 13 - 0
debian/tests/control

@@ -0,0 +1,13 @@
+Tests: run-testsuite
+Depends:
+    clevis-dracut,
+    clevis-initramfs,
+    clevis-tpm2,
+    clevis-udisks2,
+    cryptsetup,
+    jose,
+    jq,
+    moreutils,
+    openssl,
+Restrictions:
+    needs-root,
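Review bot: `run-testsuite` writes `tests-common-functions` into `src/luks/tests`, i.e. it modifies the unpacked source tree, so the restrictions should declare that in addition to `needs-root`, e.g. `Restrictions:` / `    needs-root,` / `    rw-build-tree,`; without it autopkgtest may run the test in a tree where that write is not permitted. Whether the test also needs the package built first is not visible here; it runs scripts straight from the source tree, so `build-needed` does not appear necessary.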

+ 15 - 0
debian/tests/run-testsuite

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+cd src/luks/tests
+
+# patch out lukv2 detection switch - we're on the bright side already
+sed -e 's/@OLD_CRYPTSETUP@/0/' \
+    <tests-common-functions.in >tests-common-functions
+
+for f in $(find . -type f -not -name 'tests-common-functions*' -executable | sort) ; do
+    echo "I: Running test $f"
+    # test are very noisy, keep them silent as long as they pass
+    chronic "$f" || :
+done
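Review bot: `chronic "$f" || :` discards every test failure, so this autopkgtest can never report a failing result and gives no signal beyond "the scripts started"; failures should at least be recorded and the script should exit non-zero at the end, e.g. `rc=0` before the loop, `chronic "$f" || { echo "E: test $f failed" >&2; rc=1; }` inside it, and `exit "$rc"` after `done`. Note that `chronic` already prints the suppressed output when a command fails, so the noise concern in the comment applies only to passing tests. The `for f in $(find ...)` form word-splits on whitespace, which is tolerable for the fixed file names under `src/luks/tests` but is worth a comment so nobody relies on it elsewhere.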