cherry-pick.v15-5-g9cdd041.systemd-drop-ncat-dependency.patch 7.5 KB


  1. Subject: Systemd: drop ncat dependency
  2. Origin: v15-5-g9cdd041 <https://github.com/latchset/clevis/commit/v15-5-g9cdd041>
  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
  4. Date: Wed Dec 2 20:53:48 2020 -0300
  5. When using systemd, i.e., clevis-luks-askpass, we use ncat to send
  6. the decrypted password to the systemd socket as per systemd's password
  7. agents specification [1].
  8. However, systemd itself has a utility that does exactly that,
  9. systemd-reply-password.
  10. In this commit we drop the ncat dependency and instead use
  11. systemd-reply-password in clevis-luks-askpass.
  12. [1] https://systemd.io/PASSWORD_AGENTS/
  13. --
  14. Extra adjustment needed to build on pre-usrmerge chroots.
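--- a/INSTALL.md
+++ b/INSTALL.md
@@ -22,7 +22,6 @@
 * [tang](https://github.com/latchset/tang)
 * [curl](https://github.com/curl/curl)
 * [tpm2-tools](https://github.com/tpm2-software/tpm2-tools)
-* [ncat](https://nmap.org/ncat/) (for clevis-luks-askpass)
 ### Fedora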
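--- a/src/luks/systemd/clevis-luks-askpass
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-set -eu
-# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-#
-# Copyright (c) 2016 Red Hat, Inc.
-# Author: Harald Hoyer <harald@redhat.com>
-# Author: Nathaniel McCallum <npmccallum@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-. clevis-luks-common-functions
-
-# Make sure to exit cleanly if SIGTERM is received.
-trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
-
-loop=
-path=/run/systemd/ask-password
-while getopts ":lp:" o; do
- case "${o}" in
- l) loop=true;;
- p) path="${OPTARG}";;
- *) ;;
- esac
-done
-
-while true; do
- for question in "${path}"/ask.*; do
- # question will expand to itself, in case no files match, so we verify
- # whether it actually exists, before proceeding.
- [ ! -e "${question}" ] && continue
-
- d=
- s=
- while read -r line; do
- case "$line" in
- Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
- Socket=*) s="${line##Socket=}";;
- esac
- done < "$question"
-
- [ -b "${d}" ] || continue
- [ -S "${s}" ] || continue
-
- if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
- continue
- fi
-
- uuid="$(cryptsetup luksUUID "${d}")"
- if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
- echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
- continue
- fi
-
- echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
- done
-
- [ "${loop}" != true ] && break
- # Checking for pending devices to be unlocked.
- if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
- break;
- fi
-
- sleep 0.5
-done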
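--- /dev/null
+++ b/src/luks/systemd/clevis-luks-askpass.in
@@ -0,0 +1,76 @@
+#!/bin/bash
+set -eu
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Harald Hoyer <harald@redhat.com>
+# Author: Nathaniel McCallum <npmccallum@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+# Make sure to exit cleanly if SIGTERM is received.
+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
+
+loop=
+path=/run/systemd/ask-password
+while getopts ":lp:" o; do
+ case "${o}" in
+ l) loop=true;;
+ p) path="${OPTARG}";;
+ *) ;;
+ esac
+done
+
+while true; do
+ for question in "${path}"/ask.*; do
+ # question will expand to itself, in case no files match, so we verify
+ # whether it actually exists, before proceeding.
+ [ ! -e "${question}" ] && continue
+
+ d=
+ s=
+ while read -r line; do
+ case "$line" in
+ Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
+ Socket=*) s="${line##Socket=}";;
+ esac
+ done < "$question"
+
+ [ -b "${d}" ] || continue
+ [ -S "${s}" ] || continue
+
+ if ! pt="$(clevis_luks_unlock_device "${d}")" || [ -z "${pt}" ]; then
+ continue
+ fi
+
+ uuid="$(cryptsetup luksUUID "${d}")"
+ if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
+ echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
+ continue
+ fi
+
+ echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
+ done
+
+ [ "${loop}" != true ] && break
+ # Checking for pending devices to be unlocked.
+ if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
+ break;
+ fi
+
+ sleep 0.5
+done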
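Review bot: The two log lines after the `@SYSTEMD_REPLY_PASS@ 1 "${s}"` call overstate what its exit status proves: a zero exit from the reply helper only shows the passphrase was written to the agent socket `${s}`, not that cryptsetup accepted it for `${d}`, so both "Unlocked ... successfully" and "Unable to unlock ..." can be wrong, which is misleading when an operator is triaging a failed boot. Wording them for what is actually observed avoids that, e.g. `echo "Unable to send recovered passphrase for ${d} (UUID=${uuid}) to ${s}" >&2` and `echo "Sent recovered passphrase for ${d} (UUID=${uuid})" >&2`. Separately, `uuid="$(cryptsetup luksUUID "${d}")"` is the only per-device step without `|| continue`; under `set -eu` a failing luksUUID terminates the whole agent instead of skipping that device, which matters in `-l` loop mode where other devices may still be pending — `uuid="$(cryptsetup luksUUID "${d}")" || continue` keeps it consistent with the checks above it. The `1` argument presumably selects a positive reply (the `+` prefix the old ncat path wrote by hand is gone), which deserves a one-line comment since the rest of the script reads exactly like the previous version.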
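--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
@@ -36,6 +36,7 @@
 inst_multiple \
 /etc/services \
+ @SYSTEMD_REPLY_PASS@ \
 @libexecdir@/clevis-luks-askpass \
 clevis-luks-common-functions \
 grep sed cut \
@@ -45,8 +46,7 @@
 luksmeta \
 clevis \
 mktemp \
- jose \
- ncat
+ jose
 dracut_need_initqueue
 }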
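--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -1,6 +1,16 @@
 systemd = dependency('systemd', required: false)
-if systemd.found()
+sd_reply_pass = find_program(
+ join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
+ join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
+ required: false
+)
+
+if systemd.found() and sd_reply_pass.found()
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
 subdir('dracut')
 unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
@@ -12,8 +22,14 @@
 configuration: data,
 )
+ configure_file(
+ input: 'clevis-luks-askpass.in',
+ output: 'clevis-luks-askpass',
+ install_dir: libexecdir,
+ configuration: data
+ )
+
 install_data('clevis-luks-askpass.path', install_dir: unitdir)
- install_data('clevis-luks-askpass', install_dir: libexecdir)
 else
 warning('Will not install systemd support due to missing dependencies!')
 endif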
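Review bot: The `else` branch's warning no longer tells the packager what is missing: with the new condition `systemd.found() and sd_reply_pass.found()`, systemd support is silently skipped when systemd is present but `systemd-reply-password` was not found at any of the five probed paths, and `Will not install systemd support due to missing dependencies!` gives no hint which case applies. Naming the culprit is a one-liner, e.g. `warning('Will not install systemd support: ' + (systemd.found() ? 'systemd-reply-password' : 'systemd') + ' not found')`, or split the two checks. The non-prefix candidates in `find_program` (`/usr/lib`, `/lib`) are the "pre-usrmerge chroots" adjustment mentioned in the description; a short comment above the call saying so would keep the next maintainer from pruning them as redundant.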