Date: Thursday, October 10, 2019 @ 16:30:51 Author: diabonas Revision: 514478
Move clevis 11 from the AUR to [community] Added: clevis/ clevis/repos/ clevis/trunk/ clevis/trunk/PKGBUILD clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch clevis/trunk/clevis-11-gh-115-ncat.patch -------------------------------------+ PKGBUILD | 54 ++++++ clevis-11-gh-114-tpm2-tools-4.patch | 299 ++++++++++++++++++++++++++++++++++ clevis-11-gh-115-ncat.patch | 54 ++++++ 3 files changed, 407 insertions(+) Added: clevis/trunk/PKGBUILD =================================================================== --- clevis/trunk/PKGBUILD (rev 0) +++ clevis/trunk/PKGBUILD 2019-10-10 16:30:51 UTC (rev 514478) @@ -0,0 +1,54 @@ +# Maintainer: Jonas Witschel <diabo...@archlinux.org> +pkgname=clevis +pkgver=11 +pkgrel=6 +pkgdesc='Automated Encryption Framework' +arch=('x86_64') +url='https://github.com/latchset/clevis' +license=('GPL3') +depends=('bash' 'jose') +makedepends=('meson' 'asciidoc' 'bash-completion' 'dracut' 'libpwquality' + 'luksmeta' 'tpm2-tools' 'udisks2') +checkdepends=('tang') +optdepends=('cryptsetup: LUKS unlocker support' + 'curl: Tang pin support' + 'dracut: dracut unlocker support' + 'libpwquality: LUKS unlocker support' + 'luksmeta: LUKS and UDisks2 unlocker support' + 'nmap: dracut unlocker support' + 'tpm2-tools: TPM2 pin support' + 'udisks2: UDisks2 unlocker support') +source=("$url/releases/download/v$pkgver/$pkgname-$pkgver.tar.xz" + "clevis-gh-81-dracut-fixes.patch::$url/pull/81.patch" + 'clevis-11-gh-115-ncat.patch' + 'clevis-11-gh-114-tpm2-tools-4.patch') +sha512sums=('f15033a27f662986c48ca36390d3b0f127bc691b3cd7a35d437db2e2b123f8bbebd6385d799620b11f42db0d279a2030d5bf69e55e96a584800393bf47a00368' + 'ab159ff8de8bc6ffa804cb258e53a7960fbdb016d5b63d872e0e30ac3575765a1380e932fcfb8f694a0c9563bc8ee7d72bf2618eb854b4280b8dc88e65451f40' + 'f98e700fa33c86aa7589c18a13e8c1248c1d8346dc05c17eee5b5f284f6537d514f917d417e1e9e65242657d4f586122b33fc3666c9557b1f00d2f154791b91c' + '21298b8141dd437b7cf9dc8d095bde1f54995eb2f2fd15321b4eafef1a9c9efe95ea5f188e7d67e7c306f7f489d422a866ac7bec125e200df38631bc24502af4') + +prepare() { + cd "$pkgname-$pkgver" + # Fix dracut module-setup.sh (GitHub PR #81) + patch --strip=1 --input="$srcdir/clevis-gh-81-dracut-fixes.patch" + # Replace nc by ncat (backport of GitHub PR #115) + patch --strip=1 --input="$srcdir/clevis-11-gh-115-ncat.patch" + # Add support for tpm2-tools 4.0 (backport of GitHub PR #114) + patch --strip=1 --input="$srcdir/clevis-11-gh-114-tpm2-tools-4.patch" +} + +build() { + cd "$pkgname-$pkgver" + meson --prefix=/usr --libexecdir=/usr/lib --buildtype=plain build + ninja -C build +} + +check() { + cd "$pkgname-$pkgver" + ninja -C build test +} + +package() { + cd "$pkgname-$pkgver" + DESTDIR="$pkgdir" ninja -C build install +} Added: clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch =================================================================== --- clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch (rev 0) +++ clevis/trunk/clevis-11-gh-114-tpm2-tools-4.patch 2019-10-10 16:30:51 UTC (rev 514478) @@ -0,0 +1,299 @@ +From 90a926a4c60d8504057ddf8800cd45d99a250262 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabo...@gmx.de> +Date: Sat, 24 Aug 2019 16:43:17 +0200 +Subject: [PATCH 1/2] clevis-encrypt-tpm2: fix TPM object attributes + +Fix two problems with the current specification of the object +attributes: + +1. According to the Trusted Platform Module Library Family 2.0 +Specification - Part 2: Structures, Revision 1.38, Section 8.3.3.5, +sensitiveDataOrigin shall not be set for data objects: + +NOTE 3 The inSensitive.sensitive.data.size parameter may not be zero for +a data object so sensitiveDataOrigin is required to be CLEAR. A data +object has type = TPM_ALG_KEYEDHASH and its sign and decrypt attributes +are CLEAR. + +tpm2-tools 3.X silently removes the inconsistent 'sensitivedataorigin' +attribute. + +2. If the key is sealed against a certain PCR configuration, +'userwithauth' needs to be clear so that the key cannot be unsealed with +the default empty authorisation password. On the other hand, if the key +is not sealed against a specific PCR configuration, 'userwithauth' must +be set because there is no PCR policy to fulfil. + +tpm2-tools 3.X silently adds 'userwithauth' if no policy is specified +for tpm2_create. +--- + src/pins/tpm2/clevis-encrypt-tpm2 | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2 +index c70187d..a7f3332 100755 +--- a/src/pins/tpm2/clevis-encrypt-tpm2 ++++ b/src/pins/tpm2/clevis-encrypt-tpm2 +@@ -24,7 +24,7 @@ auth="o" + # Algorithm type must be keyedhash for object with user provided sensitive data. + alg_create_key="keyedhash" + # Attributes for the created TPM2 object with the JWK as sensitive data. +-obj_attr="fixedtpm|fixedparent|sensitivedataorigin|noda|adminwithpolicy" ++obj_attr="fixedtpm|fixedparent|noda|adminwithpolicy" + + function on_exit() { + if ! rm -rf $TMP; then +@@ -130,6 +130,8 @@ if [ -n "$pcr_ids" ]; then + fi + + policy_options="-L $TMP/pcr.policy" ++else ++ obj_attr="$obj_attr|userwithauth" + fi + + if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \ +-- +2.23.0 + + +From 4cd9621c9f849d6ba9b5d175f661b242878ba43c Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabo...@gmx.de> +Date: Sat, 24 Aug 2019 17:01:07 +0200 +Subject: [PATCH 2/2] pins/tpm2: add support for tpm2-tools 4.X + +tpm2-tools renamed tpm2_pcrlist to tpm2_pcrread and changed a lot of +option names. Only the new unified environment variable TPM2TOOLS_TCTI +is supported, TPM2TOOLS_TCTI_NAME and TPM2TOOLS_DEVICE_FILE are no +longer recognised. Determine the tpm2-tools version from the output of +$(tpm2_createprimary -v) and switch accordingly. +--- + src/luks/systemd/dracut/module-setup.sh.in | 6 ++- + src/pins/tpm2/clevis-decrypt-tpm2 | 40 +++++++++++++----- + src/pins/tpm2/clevis-encrypt-tpm2 | 47 +++++++++++++++++----- + src/pins/tpm2/meson.build | 5 ++- + 4 files changed, 76 insertions(+), 22 deletions(-) + +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 79fd555..fe34b1a 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -50,7 +50,6 @@ install() { + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ +- tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load; do + +@@ -58,13 +57,16 @@ install() { + ((ret++)) + fi + done ++ if ! find_binary tpm2_pcrread &>/dev/null && ! find_binary tpm2_pcrread &>/dev/null; then ++ ((ret++)) ++ fi + + if (($ret == 0)); then + inst_multiple clevis-decrypt-tpm2 \ + tpm2_createprimary \ +- tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load ++ inst_multiple -o tpm2_pcrread tpm2_pcrlist + inst_libdir_file "libtss2-tcti-device.so*" + fi + +diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2 +index 4fc1c58..78a07e8 100755 +--- a/src/pins/tpm2/clevis-decrypt-tpm2 ++++ b/src/pins/tpm2/clevis-decrypt-tpm2 +@@ -37,16 +37,22 @@ if [ -t 0 ]; then + exit 1 + fi + +-TPM2TOOLS_INFO=`tpm2_pcrlist -v` ++TPM2TOOLS_INFO="$(tpm2_createprimary -v)" + +-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then +- echo "The tpm2 pin requires tpm2-tools version 3" >&2 ++match='version="(.)\.' ++[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}" ++if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then ++ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2 + exit 1 + fi + ++# Old environment variables for tpm2-tools 3.0 + export TPM2TOOLS_TCTI_NAME=device + export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null` + ++# New environment variable for tpm2-tools >= 3.1 ++export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE" ++ + if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then + echo "A TPM2 device with the in-kernel resource manager is needed!" >&2 + exit 1 +@@ -98,9 +104,10 @@ trap 'on_exit' EXIT + + pcr_ids=`jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- <<< "$jhd"` || true + ++pcr_spec='' + if [ -n "$pcr_ids" ]; then + pcr_bank=`jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- <<< "$jhd"` +- policy_options="-L $pcr_bank:$pcr_ids" ++ pcr_spec="$pcr_bank:$pcr_ids" + fi + + if ! `jose b64 dec -i- -O $TMP/jwk.pub <<< "$jwk_pub"`; then +@@ -113,19 +120,34 @@ if ! `jose b64 dec -i- -O $TMP/jwk.priv <<< "$jwk_priv"`; then + exit 1 + fi + +-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" \ +- -C $TMP/primary.context 2>/dev/null; then ++case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;; ++ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;; ++ *) fail=1;; ++esac ++if [ -n "$fail" ]; then + echo "Creating TPM2 primary key failed!" >&2 + exit 1 + fi + +-if ! tpm2_load -Q -c $TMP/primary.context -u $TMP/jwk.pub -r $TMP/jwk.priv \ +- -C $TMP/load.context 2>/dev/null; then ++case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \ ++ -C "$TMP"/load.context || fail=$?;; ++ 4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \ ++ -c "$TMP"/load.context || fail=$?;; ++ *) fail=1;; ++esac ++if [ -n "$fail" ]; then + echo "Loading jwk to TPM2 failed!" >&2 + exit 1 + fi + +-if ! jwk=`tpm2_unseal -c $TMP/load.context $policy_options 2>/dev/null`; then ++case "$TPM2TOOLS_VERSION" in ++ 3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;; ++ 4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;; ++ *) fail=1;; ++esac ++if [ -n "$fail" ]; then + echo "Unsealing jwk from TPM failed!" >&2 + exit 1 + fi +diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2 +index a7f3332..d48806d 100755 +--- a/src/pins/tpm2/clevis-encrypt-tpm2 ++++ b/src/pins/tpm2/clevis-encrypt-tpm2 +@@ -59,16 +59,22 @@ if [ -t 0 ]; then + exit 1 + fi + +-TPM2TOOLS_INFO=`tpm2_pcrlist -v` ++TPM2TOOLS_INFO="$(tpm2_createprimary -v)" + +-if [[ $TPM2TOOLS_INFO != *version=\"3.* ]]; then +- echo "The tpm2 pin requires tpm2-tools version 3" >&2 ++match='version="(.)\.' ++[[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}" ++if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then ++ echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2 + exit 1 + fi + ++# Old environment variables for tpm2-tools 3.0 + export TPM2TOOLS_TCTI_NAME=device + export TPM2TOOLS_DEVICE_FILE=`ls /dev/tpmrm? 2>/dev/null` + ++# New environment variable for tpm2-tools >= 3.1 ++export TPM2TOOLS_TCTI="$TPM2TOOLS_TCTI_NAME:$TPM2TOOLS_DEVICE_FILE" ++ + if [ -z "${TPM2TOOLS_DEVICE_FILE[0]}" ]; then + echo "A TPM2 device with the in-kernel resource manager is needed!" >&2 + exit 1 +@@ -106,14 +112,24 @@ fi + + trap 'on_exit' EXIT + +-if ! tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C $TMP/primary.context; then ++case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;; ++ 4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;; ++ *) fail=1;; ++esac ++if [ -n "$fail" ]; then + echo "Creating TPM2 primary key failed!" >&2 + exit 1 + fi + + if [ -n "$pcr_ids" ]; then + if [ -z "$pcr_digest" ]; then +- if ! tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o $TMP/pcr.digest; then ++ case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; ++ 4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;; ++ *) fail=1;; ++ esac ++ if [ -n "$fail" ]; then + echo "Creating PCR hashes file failed!" >&2 + exit 1 + fi +@@ -124,18 +140,31 @@ if [ -n "$pcr_ids" ]; then + fi + fi + +- if ! tpm2_createpolicy -Q -P -L "$pcr_bank":"$pcr_ids" -F $TMP/pcr.digest -f $TMP/pcr.policy; then ++ case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \ ++ -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;; ++ 4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \ ++ -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;; ++ *) fail=1;; ++ esac ++ if [ -n "$fail" ]; then + echo "create policy fail, please check the environment or parameters!" + exit 1 + fi + +- policy_options="-L $TMP/pcr.policy" ++ policy_options+=(-L "$TMP/pcr.policy") + else + obj_attr="$obj_attr|userwithauth" + fi + +-if ! tpm2_create -Q -g "$hash" -G "$alg_create_key" -c $TMP/primary.context -u $TMP/jwk.pub \ +- -r $TMP/jwk.priv -A "$obj_attr" $policy_options -I- <<< "$jwk"; then ++case "$TPM2TOOLS_VERSION" in ++ 3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \ ++ -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;; ++ 4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \ ++ -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;; ++ *) fail=1;; ++esac ++if [ -n "$fail" ]; then + echo "Creating TPM2 object for jwk failed!" >&2 + exit 1 + fi +diff --git a/src/pins/tpm2/meson.build b/src/pins/tpm2/meson.build +index 8121ec4..4041a9a 100644 +--- a/src/pins/tpm2/meson.build ++++ b/src/pins/tpm2/meson.build +@@ -1,8 +1,9 @@ +-cmds = ['createprimary', 'pcrlist', 'createpolicy', 'create', 'load', 'unseal'] ++cmds = ['tpm2_createprimary', ['tpm2_pcrread', 'tpm2_pcrlist'], ++ 'tpm2_createpolicy', 'tpm2_create', 'tpm2_load', 'tpm2_unseal'] + + all = true + foreach cmd : cmds +- all = all and find_program('tpm2_' + cmd, required: false).found() ++ all = all and find_program(cmd, required: false).found() + endforeach + + if all +-- +2.23.0 + Added: clevis/trunk/clevis-11-gh-115-ncat.patch =================================================================== --- clevis/trunk/clevis-11-gh-115-ncat.patch (rev 0) +++ clevis/trunk/clevis-11-gh-115-ncat.patch 2019-10-10 16:30:51 UTC (rev 514478) @@ -0,0 +1,54 @@ +From 78019b9ce50c84ac9511072a004fea533841ed01 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabo...@gmx.de> +Date: Thu, 29 Aug 2019 11:22:47 +0200 +Subject: [PATCH] clevis-luks-askpass: replace nc by ncat + +nc is assumed to be ncat from Nmap for the --send-only option to work. +This assumption holds true on Fedora, where nc is a symbolic link to +ncat, while other distributions only ship the binary with the original +upstream name. Replacing the name makes it clearer which version of nc +is expected and improves compatibility with other distributions while +retaining compatibility with Fedora. +--- + src/luks/systemd/clevis-luks-askpass | 4 ++-- + src/luks/systemd/dracut/module-setup.sh.in | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass +index b01d93a..0903cd0 100755 +--- a/src/luks/systemd/clevis-luks-askpass ++++ b/src/luks/systemd/clevis-luks-askpass +@@ -59,7 +59,7 @@ while true; do + metadata=true + + if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then +- echo -n "+$pt" | nc -U -u --send-only "$s" ++ echo -n "+$pt" | ncat -U -u --send-only "$s" + unlocked=true + break + fi +@@ -72,7 +72,7 @@ while true; do + metadata=true + + if pt=`echo -n "$jwe" | clevis decrypt`; then +- echo -n "+$pt" | nc -U -u --send-only "$s" ++ echo -n "+$pt" | ncat -U -u --send-only "$s" + unlocked=true + break + fi +diff --git a/src/luks/systemd/dracut/module-setup.sh.in b/src/luks/systemd/dracut/module-setup.sh.in +index 990bf4a..79fd555 100755 +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -46,7 +46,7 @@ install() { + mktemp \ + curl \ + jose \ +- nc ++ ncat + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ +-- +2.23.0 +