- Subject: Do not kill non clevis slots (#315)
- Origin: v18-3-g4600bd6 <https://github.com/latchset/clevis/commit/v18-3-g4600bd6>
- Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
- Date: Fri Jun 11 04:33:45 2021 +0200
- When using clevis-luks-unbind against a slot
- that has no clevis token assigned, removing the slot
- must be avoided. Fixes #183
- Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>
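--- a/src/luks/clevis-luks-unbind.in
+++ b/src/luks/clevis-luks-unbind.in
@@ -106,6 +106,10 @@
 grep -q "^\s*$SLT: luks2" <<< "$dump" && KILL=true
 TOK="$(grep -E -B1 "^\s+Keyslot:\s+$SLT$" <<< "$dump" \
 | sed -rn 's|^\s+([0-9]+): clevis|\1|p')"
+ if [ -z "${TOK}" ]; then
+ echo "No clevis slot detected on device ${DEV}:${SLT}!" >&2
+ exit 1
+ fi
 fi
 
 if [ -z "${FRC[*]}" ]; then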
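Review bot: The new empty-`TOK` guard still depends on `$SLT` being spliced unescaped into the two patterns above it (`^\s*$SLT: luks2` and `^\s+Keyslot:\s+$SLT$`), so a slot argument that is not a plain decimal number could make the lookup match a different keyslot's clevis token and get past the guard. If `-s` is not already validated earlier in the script (not visible here), reject such values before the dump is parsed, e.g. `case "${SLT}" in ''|*[!0-9]*) echo "Invalid slot: ${SLT}" >&2; exit 1;; esac`. The guard otherwise fails closed: if the luksDump layout changes and the token line is no longer directly above the `Keyslot:` line, unbind refuses instead of removing the slot. The enclosing `if` starts outside the hunk, so whether LUKS1 devices get an equivalent check cannot be confirmed from here.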
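--- a/src/luks/tests/unbind-luks2
+++ b/src/luks/tests/unbind-luks2
@@ -42,10 +42,23 @@
 new_device "luks2" "${DEV}"
 # Binding.
 if ! clevis luks bind -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
- error "${TEST}: Binding is expected to succeed." >&2
+ error "${TEST}: Binding is expected to succeed."
 fi
 
 SLT=1
 if ! clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
- error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}" >&2
+ error "${TEST}: Unbind is expected to succeed for device ${DEV} and slot ${SLT}"
+fi
+
+SLT=0
+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
+ error "${TEST}: Unable to open device ${DEV}:${SLT}"
+fi
+
+if clevis luks unbind -f -d "${DEV}" -s "${SLT}"; then
+ error "${TEST}: Unbind is expected to fail for device ${DEV}:${SLT} that is not bound with clevis"
+fi
+
+if ! echo "${DEFAULT_PASS}" | cryptsetup open --test-passphrase "${DEV}" --key-slot "${SLT}"; then
+ error "${TEST}: Unbind is expected not to remove non clevis slots"
 fi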
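Review bot: The negative case at `SLT=0` accepts any non-zero exit from `clevis luks unbind`, so it would also pass if the command failed for an unrelated reason before reaching the new check. Capturing stderr and asserting on it, e.g. `grep -q "No clevis slot detected" <<< "${err}"`, would tie the test to the guard; the follow-up `--test-passphrase` check already covers that the passphrase slot survives. The two new passphrase checks pipe through `echo` while the bind call above uses `<<< "${DEFAULT_PASS}"`; using the here-string in both keeps the file consistent. `error`, `new_device` and the test setup are defined outside the hunk.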