cbiedl
/
clevis


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240
							Subject: Systemd: drop ncat dependency
Origin: v15-5-g9cdd041 <https://github.com/latchset/clevis/commit/v15-5-g9cdd041>
Upstream-Author: Sergio Correia <scorreia@redhat.com>
Date: Wed Dec 2 20:53:48 2020 -0300

    When using systemd, i.e., clevis-luks-askpass, we use ncat to send
    the decrypted password to the systemd socket as per systemd's password
    agents specification [1].

    However, systemd itself has a utility that does exactly that,
    systemd-reply-password.

    In this commit we drop the ncat dependency and instead use
    systemd-reply-password in clevis-luks-askpass.

    [1] https://systemd.io/PASSWORD_AGENTS/

--- a/INSTALL.md
+++ b/INSTALL.md
@@ -22,7 +22,6 @@
 * [tang](https://github.com/latchset/tang)
 * [curl](https://github.com/curl/curl)
 * [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)
-* [ncat](https://nmap.org/ncat/) (for clevis-luks-askpass)
 
 ### Fedora
 
--- a/src/luks/systemd/clevis-luks-askpass
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-set -eu
-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-#
-# Copyright (c) 2016 Red Hat, Inc.
-# Author: Harald Hoyer <harald@redhat.com>
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-. clevis-luks-common-functions
-
-# Make sure to exit cleanly if SIGTERM is received.
-trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
-
-loop=
-path=/run/systemd/ask-password
-while getopts ":lp:" o; do
-    case "${o}" in
-    l) loop=true;;
-    p) path="${OPTARG}";;
-    *) ;;
-    esac
-done
-
-while true; do
-    for question in "${path}"/ask.*; do
-        # question will expand to itself, in case no files match, so we verify
-        # whether it actually exists, before proceeding.
-        [ ! -e "${question}" ] && continue
-
-        d=
-        s=
-        while read -r line; do
-            case "$line" in
-                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
-                Socket=*) s="${line##Socket=}";;
-            esac
-        done < "$question"
-
-        [ -b "${d}" ] || continue
-        [ -S "${s}" ] || continue
-
-        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
-            continue
-        fi
-
-        uuid="$(cryptsetup luksUUID "${d}")"
-        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
-            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
-            continue
-        fi
-
-        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
-    done
-
-    [ "${loop}" != true ] && break
-    # Checking for pending devices to be unlocked.
-    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
-        break;
-    fi
-
-    sleep 0.5
-done
--- /dev/null
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -0,0 +1,76 @@
+#!/bin/bash
+set -eu
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Harald Hoyer <harald@redhat.com>
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+# Make sure to exit cleanly if SIGTERM is received.
+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
+
+loop=
+path=/run/systemd/ask-password
+while getopts ":lp:" o; do
+    case "${o}" in
+    l) loop=true;;
+    p) path="${OPTARG}";;
+    *) ;;
+    esac
+done
+
+while true; do
+    for question in "${path}"/ask.*; do
+        # question will expand to itself, in case no files match, so we verify
+        # whether it actually exists, before proceeding.
+        [ ! -e "${question}" ] && continue
+
+        d=
+        s=
+        while read -r line; do
+            case "$line" in
+                Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
+                Socket=*) s="${line##Socket=}";;
+            esac
+        done < "$question"
+
+        [ -b "${d}" ] || continue
+        [ -S "${s}" ] || continue
+
+        if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
+            continue
+        fi
+
+        uuid="$(cryptsetup luksUUID "${d}")"
+        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
+            echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
+            continue
+        fi
+
+        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
+    done
+
+    [ "${loop}" != true ] && break
+    # Checking for pending devices to be unlocked.
+    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+        break;
+    fi
+
+    sleep 0.5
+done
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@
 
     inst_multiple \
         /etc/services \
+        @SYSTEMD_REPLY_PASS@ \
         @libexecdir@/clevis-luks-askpass \
         clevis-luks-common-functions \
         grep sed cut \
@@ -45,8 +46,7 @@
         luksmeta \
         clevis \
         mktemp \
-        jose \
-        ncat
+        jose
 
     dracut_need_initqueue
 }
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,15 @@
 systemd = dependency('systemd', required: false)
 
-if systemd.found()
+sd_reply_pass = find_program(
+  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+  required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
   subdir('dracut')
 
   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +21,14 @@
     configuration: data,
   )
 
+  configure_file(
+    input: 'clevis-luks-askpass.in',
+    output: 'clevis-luks-askpass',
+    install_dir: libexecdir,
+    configuration: data
+  )
+
   install_data('clevis-luks-askpass.path', install_dir: unitdir)
-  install_data('clevis-luks-askpass', install_dir: libexecdir)
 else
   warning('Will not install systemd support due to missing dependencies!')
 endif