Subject: Do not kill non clevis slots (#315) Origin: v18-3-g4600bd6 Upstream-Author: Sergio Arroutbi Date: Fri Jun 11 04:33:45 2021 +0200 When using clevis-luks-unbind against a slot that has no clevis token assigned, removing the slot must be avoided. Fixes #183 Signed-off-by: Sergio Arroutbi Braojos
--- a/src/luks/clevis-luks-unbind.in
+++ b/src/luks/clevis-luks-unbind.in
@@ -106,6 +106,10 @@
 grep -q "^\s*$SLT: luks2" <<< "$dump" && KILL=true
 TOK="$(grep -E -B1 "^\s+Keyslot:\s+$SLT$" <<< "$dump" \
 | sed -rn 's|^\s+([0-9]+): clevis|\1|p')"
+ if [ -z "${TOK}" ]; then
+ echo "No clevis slot detected on device ${DEV}:${SLT}!" >&2
+ exit 1
+ fi
 fi
 
 if [ -z "${FRC[*]}" ]; then
--- a/src/luks/tests/unbind-luks2
+++ b/src/luks/tests/unbind-luks2
@@ -42,10 +42,23 @@ new_device "luks2" "${DEV}"
 
 # Binding.
 if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
- error "${TEST}: Binding is expected to succeed." >&2
+ error "${TEST}: Binding is expected to succeed."
 fi
 
 SLT=1
 if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
- error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}"
+fi
+
+SLT=0
+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
+ error "${TEST}: Unable to open device ${DEV}:${SLT}"
+fi
+
+if clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV}:${SLT} that is not bound with clevis"
+fi
+
+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
+ error "${TEST}: Unbind is expected not to remove non clevis slots"
 fi
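Review bot: The new empty-`TOK` guard in the clevis-luks-unbind.in hunk is only as reliable as the `grep -E -B1 "^\s+Keyslot:\s+$SLT$"` match that fills `TOK`, and `$SLT` goes into that pattern as-is. If nothing earlier in the script restricts `-s` to digits (not visible here; the enclosing `if` starts outside the hunk), a value containing regex metacharacters can match another keyslot's token line and leave `TOK` non-empty, so the guard passes for a slot that has no clevis token. Validating before the dump is parsed, e.g. `[[ "${SLT}" =~ ^[0-9]+$ ]] || { echo "Invalid slot: ${SLT}" >&2; exit 1; }`, keeps the check meaningful. The guard also sits only in this branch, which looks like the LUKS2 path; whether the other branch has an equivalent check cannot be told from the hunk.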
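Review bot: The negative check in the unbind-luks2 hunk, `if clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then`, passes on any non-zero exit, so an unrelated unbind failure would satisfy it just as well as the new guard does. The passphrase re-check that follows does pin the outcome that matters (slot 0 still opens), but also matching stderr against the "No clevis slot detected" message would tie the test to the guard itself. The two added `echo "${DEFAULT_PASS}" | cryptsetup open …` calls could use the here-string form the bind call in this hunk already uses, `cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}" <<< "${DEFAULT_PASS}"`, for consistency.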