cbiedl
/
clevis


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495
							Subject: Avoid luksmeta corruption on clevis bind (#319)
Origin: v18-5-gd8a25e3 <https://github.com/latchset/clevis/commit/v18-5-gd8a25e3>
Upstream-Author: Sergio Arroutbi <sarroutb@redhat.com>
Date: Tue Jun 15 12:51:23 2021 +0200

    When using long key information to be stored in luks metadata,
    luksmeta save is not reporting the corruption of LUKs meta.
    This change detects if issue occurs after luksmeta metadata save
    and, in that case, restores the device. Fixes #181

    Signed-off-by: Sergio Arroutbi Braojos <sarroutb@redhat.com>

--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -448,6 +448,12 @@
         echo "Error saving metadata to LUKSMeta slot ${SLOT} from ${DEV}" >&2
         return 1
     fi
+
+    if ! luksmeta test -d "${DEV}" 2>/dev/null >/dev/null ; then
+        echo "Error detected after saving metadata to LUKSMeta slot ${SLOT}, device ${DEV}" >&2
+        return 1
+    fi
+
     return 0
 }
 
--- /dev/null
+++ b/src/luks/tests/bind-luks1-avoid-luksmeta-corruption
@@ -0,0 +1,55 @@
+#!/bin/bash -ex
+#
+# Copyright (c) 2021 Red Hat, Inc.
+# Author: Sergio Arroutbi Braojos <sarroutb@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+    [ ! -d "${TMP}" ] && return 0
+    tang_stop "${TMP}"
+    rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+
+TMP="$(mktemp -d)"
+
+ADV_AMOUNT=50
+
+# Create LUKS1 device
+DEV="${TMP}/luks1-device"
+new_device "luks1" "${DEV}"
+
+# TANG server specifics
+port=$(tang_new_random_port)
+tang_run "${TMP}" "${port}"
+url="http://localhost:${port}"
+
+# Initial binding to ensure luksmeta gets corrupted
+for ADV_NU in $(seq 0 ${ADV_AMOUNT}); do
+    "${TANGD_KEYGEN}" "${TMP}/db"
+done
+tang_new_keys "${TMP}"
+
+CFG=$(printf '{"url":"%s"}' "${url}")
+
+# At this point, luks bind must return an error. If not, test fails
+if clevis luks bind -y -d "${DEV}" tang "${CFG}" <<< "${DEFAULT_PASS}"; then
+    error "${TEST}: Binding is expected to fail when given a too long adv"
+fi
--- a/src/luks/tests/meson.build
+++ b/src/luks/tests/meson.build
@@ -59,6 +59,7 @@
 
 test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env, timeout: 60)
 test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env, timeout: 60)
+test('bind-luks1-avoid-luksmeta-corruption', find_program('bind-luks1-avoid-luksmeta-corruption'), env: env, timeout: 60)
 
 # LUKS2 tests go here, and they get included if we get support for it, based
 # on the cryptsetup version.