Merge pull request #1560 from simoncampion/add-clevis-krish
Add support for TPM- and Tang-based disk encryption
Showing
83 changed files
with
4,095 additions
and
3 deletions.
@@ -0,0 +1 @@ | ||
- Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server ([scripts#1560](https://github.com/flatcar/scripts/pull/1560)) |
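--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest
@@ -0,0 +1 @@
+DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a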
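--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
@@ -0,0 +1,67 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Flatcar: inherit from systemd because we need to use systemd_enable_service below
+inherit meson systemd
+
+DESCRIPTION="Automated Encryption Framework"
+HOMEPAGE="https://github.com/latchset/clevis"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+luks +tpm"
+
+# Flatcar: add dependency for Dracut module
+DEPEND="
+dev-libs/jose
+sys-fs/cryptsetup
+sys-kernel/dracut
+luks? (
+app-misc/jq
+dev-libs/libpwquality
+dev-libs/luksmeta
+)
+tpm? ( app-crypt/tpm2-tools )
+"
+# Flatcar: The Clevis meson build will not build certain features if certain executables are not found at build time, such as `tpm2_createprimary`.
+# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather
+# under `/`. A fix to make meson find all binaries and include all desired features is to install such runtime dependencies into the SDK.
+BDEPEND="
+luks? (
+app-misc/jq
+dev-libs/libpwquality
+dev-libs/luksmeta
+)
+tpm? ( app-crypt/tpm2-tools )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+# From https://github.com/latchset/clevis/pull/347
+# Allows using dracut without systemd
+"${FILESDIR}/clevis-dracut.patch"
+# Fix for systemd on Gentoo
+"${FILESDIR}/clevis-meson.patch"
+# Flatcar:
+# * install `clevis-pin-tang` dracut module in the absence of dracut `network`
+# module; Flatcar uses a custom network module
+# * skip copying `/etc/services` into initramfs when installing `clevis` dracut
+# module, which would fail
+"${FILESDIR}/clevis-dracut-flatcar.patch"
+)
+
+post_src_install() {
+# Flatcar: the meson build for app-crypt/clevis installs some files to ${D}${ROOT}. After that, Portage
+# copies from ${D} to ${ROOT}, leading to files ending up in, e.g., /build/amd64-usr/build/amd64-usr/.
+# As a workaround, we move everything from ${D}${ROOT} to ${D} after the src_install phase.
+rsync -av ${D}${ROOT}/ ${D}
+rm -rfv ${D}${ROOT}
+
+# Flatcar: enable the systemd unit that triggers Clevis's automatic response to LUKS
+# disk decryption password prompts.
+systemd_enable_service cryptsetup.target clevis-luks-askpass.path
+}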
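Review bot: `rm -rfv ${D}${ROOT}` in post_src_install has no guard for ROOT being empty or `/`; in that case `${D}${ROOT}` is the image directory itself, the preceding rsync degenerates into a self-copy, and the rm deletes everything the package just installed. Both commands also use unquoted expansions and ignore their exit status, so a partially failed rsync followed by a successful rm would silently drop files from the image rather than fail the build. Guard the relocation on ROOT being a real sub-prefix, quote the paths and `die` on failure, as below. Note also that `post_src_install` is a Portage hook rather than a PMS phase function; if portability across package managers matters, the same code can live in an `src_install` override after `meson_src_install`.
```bash
post_src_install() {
    # … unchanged: Flatcar comment explaining the ${D}${ROOT} workaround …
    if [[ -n ${ROOT} && ${ROOT} != / ]]; then
        rsync -a "${D}${ROOT}/" "${D}" || die "relocating ${D}${ROOT} into ${D} failed"
        rm -rf "${D}${ROOT}" || die "removing ${D}${ROOT} failed"
    fi
    # … unchanged: systemd_enable_service …
}
```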
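--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch
@@ -0,0 +1,25 @@
+diff --git a/src/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+index 929b878..c48e282 100755
+--- a/src/dracut/clevis-pin-tang/module-setup.sh.in
++++ b/src/dracut/clevis-pin-tang/module-setup.sh.in
+@@ -19,7 +19,7 @@
+#
+
+depends() {
+- echo clevis network
++ echo clevis
+return 0
+}
+
+diff --git a/src/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+index dbce790..c9581db 100755
+--- a/src/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -48,7 +48,6 @@ install() {
+fi
+
+inst_multiple \
+- /etc/services \
+clevis-luks-common-functions \
+grep sed cut \
+clevis-decrypt \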
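--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
@@ -0,0 +1,216 @@
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
+rename to src/dracut/clevis-pin-sss/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
+rename to src/dracut/clevis-pin-sss/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
+rename to src/dracut/clevis-pin-tang/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
+rename to src/dracut/clevis-pin-tang/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
+rename to src/dracut/clevis-pin-tpm2/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
+rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
+diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
+new file mode 100755
+index 0000000..91ff2bd
+--- /dev/null
++++ b/src/dracut/clevis/clevis-hook.sh.in
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++@libexecdir@/clevis-luks-generic-unlocker -l
+diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
+new file mode 100755
+index 0000000..a3b9d62
+--- /dev/null
++++ b/src/dracut/clevis/clevis-luks-generic-unlocker
+@@ -0,0 +1,70 @@
++#!/bin/bash
++set -eu
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2020-2021 Red Hat, Inc.
++# Author: Sergio Correia <scorreia@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++#
++
++. clevis-luks-common-functions
++
++# Make sure to exit cleanly if SIGTERM is received.
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
++
++loop=
++while getopts ":l" o; do
++    case "${o}" in
++    l) loop=true;;
++    *) ;;
++    esac
++done
++
++to_unlock() {
++    local _devices='' _d _uuid
++    for _d in $(lsblk -o PATH,FSTYPE,RM \
+| awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
++    do
++    if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
+|| [ -z "${bindings}" ]; then
++    continue
++    fi
++    _uuid="$(cryptsetup luksUUID "${_d}")"
++    if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
++    continue
++    fi
++    _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
++    done
++    echo "${_devices}" | sed -e 's/^\n$//'
++}
++
++while true; do
++    for d in $(to_unlock); do
++    uuid="$(cryptsetup luksUUID "${d}")"
++    if ! clevis luks unlock -d "${d}"; then
++    echo "Unable to unlock ${d} (UUID=${uuid})" >&2
++    continue
++    fi
++    echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
++    done
++
++    [ "${loop}" != true ] && break
++    # Checking for pending devices to be unlocked.
++    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
++    break;
++    fi
++
++    sleep 0.5
++done
+diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
+similarity index 87%
+rename from src/luks/systemd/dracut/clevis/meson.build
+rename to src/dracut/clevis/meson.build
+index 167e708..224e27f 100644
+--- a/src/luks/systemd/dracut/clevis/meson.build
++++ b/src/dracut/clevis/meson.build
+@@ -16,6 +16,7 @@ if dracut.found()
+install_dir: dracutdir,
+configuration: data,
+)
++ install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
+else
+warning('Will not install dracut module due to missing dependencies!')
+endif
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+similarity index 76%
+rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
+rename to src/dracut/clevis/module-setup.sh.in
+index bfe657c..dbce790 100755
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -19,7 +19,11 @@
+#
+
+depends() {
+- echo crypt systemd
++ local __depends=crypt
++ if dracut_module_included "systemd"; then
++ __depends=$(printf '%s systemd' "${_depends}")
++ fi
++ echo "${__depends}"
+return 255
+}
+
+@@ -27,17 +31,24 @@ install() {
+if dracut_module_included "systemd"; then
+inst_multiple \
+$systemdsystemunitdir/clevis-luks-askpass.service \
+- $systemdsystemunitdir/clevis-luks-askpass.path
++ $systemdsystemunitdir/clevis-luks-askpass.path \
++ @SYSTEMD_REPLY_PASS@ \
++ @libexecdir@/clevis-luks-askpass
+systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
+else
+inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
++
++ inst_multiple \
++ @libexecdir@/clevis-luks-generic-unlocker \
++ clevis-luks-unlock \
++ lsblk \
++ sort \
++ awk
+fi
+
+inst_multiple \
+/etc/services \
+- @SYSTEMD_REPLY_PASS@ \
+- @libexecdir@/clevis-luks-askpass \
+clevis-luks-common-functions \
+grep sed cut \
+clevis-decrypt \
+diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
+similarity index 78%
+rename from src/luks/systemd/dracut/meson.build
+rename to src/dracut/meson.build
+index 7ad5b14..fdb264b 100644
+--- a/src/luks/systemd/dracut/meson.build
++++ b/src/dracut/meson.build
+@@ -2,4 +2,3 @@ subdir('clevis')
+subdir('clevis-pin-tang')
+subdir('clevis-pin-tpm2')
+subdir('clevis-pin-sss')
+-subdir('clevis-pin-null')
+diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+deleted file mode 100755
+index cb257c9..0000000
+--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
++++ /dev/null
+@@ -1,2 +0,0 @@
+-#!/bin/bash
+-@libexecdir@/clevis-luks-askpass
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index e3b3d91..b10494e 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
+
+if systemd.found() and sd_reply_pass.found()
+data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
+- subdir('dracut')
+
+unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+
+diff --git a/src/meson.build b/src/meson.build
+index c4e696f..a0dff5b 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,6 +1,7 @@
+subdir('bash')
+subdir('luks')
+subdir('pins')
++subdir('dracut')
+subdir('initramfs-tools')
+
+bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')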
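Review bot: In the rewritten depends() of src/dracut/clevis/module-setup.sh.in carried by this patch, `__depends=$(printf '%s systemd' "${_depends}")` reads `_depends` (one underscore) while the variable declared on the line above is `__depends`; unless dracut's environment happens to define `_depends`, the expansion is empty and the function echoes ` systemd`, dropping the `crypt` dependency exactly when systemd is present. Since this is a backport of upstream PR 347 vendored as a Flatcar patch, the fix belongs in the patch itself: `__depends="${__depends} systemd"` (or `__depends+=" systemd"`). The hunk is a patch file, so the surrounding upstream functions are only partially visible here.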
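--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch
@@ -0,0 +1,11 @@
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index b10494e3ca4d620437aee0d5e440eecf323b03d9..09f7fb51e7320aa71e275c34baa0561233821d69 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -5,6 +5,7 @@ sd_reply_pass = find_program(
+join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
++ join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
+required: false
+)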
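--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer type="person">
+<email>kjain7@u.rochester.edu</email>
+<name>Krish Jain (based off Julien Roy's work) </name>
+</maintainer>
+<upstream>
+<remote-id type="github">latchset/clevis</remote-id>
+</upstream>
+<use>
+<flag name="luks">Enable LUKS support</flag>
+<flag name="tpm">Enable TPM support</flag>
+</use>
+</pkgmetadata>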