Add support for TPM- and Tang-based disk encryption

changelog/changes/2024-03-14-tpm-tang-encryption.md

@@ -0,0 +1 @@
+- Added Ignition Clevis support for encrypted disks unlocked with a TPM2 device or a Tang server ([scripts#1560](https://github.com/flatcar/scripts/pull/1560))

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest

@@ -0,0 +1 @@
+DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild

@@ -0,0 +1,67 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Flatcar: inherit from systemd because we need to use systemd_enable_service below
+inherit meson systemd
+
+DESCRIPTION="Automated Encryption Framework"
+HOMEPAGE="https://github.com/latchset/clevis"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+luks +tpm"
+
+# Flatcar: add dependency for Dracut module
+DEPEND="
+	dev-libs/jose
+	sys-fs/cryptsetup
+	sys-kernel/dracut
+	luks? (
+		app-misc/jq
+		dev-libs/libpwquality
+		dev-libs/luksmeta
+	)
+	tpm? ( app-crypt/tpm2-tools )
+"
+# Flatcar: The Clevis meson build will not build certain features if certain executables are not found at build time, such as `tpm2_createprimary`.
+# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather 
+# under `/`. A fix to make meson find all binaries and include all desired features is to install such runtime dependencies into the SDK.
+BDEPEND="
+	luks? (
+		app-misc/jq
+		dev-libs/libpwquality
+		dev-libs/luksmeta
+	)
+	tpm? ( app-crypt/tpm2-tools )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	# From https://github.com/latchset/clevis/pull/347
+	# Allows using dracut without systemd
+	"${FILESDIR}/clevis-dracut.patch"
+	# Fix for systemd on Gentoo
+	"${FILESDIR}/clevis-meson.patch"
+	# Flatcar: 
+	# * install `clevis-pin-tang` dracut module in the absence of dracut `network` 
+	#   module; Flatcar uses a custom network module
+	# * skip copying `/etc/services` into initramfs when installing `clevis` dracut 
+	# 	module, which would fail
+	"${FILESDIR}/clevis-dracut-flatcar.patch"
+)
+
+post_src_install() {
+	# Flatcar: the meson build for app-crypt/clevis installs some files to ${D}${ROOT}. After that, Portage
+	# copies from ${D} to ${ROOT}, leading to files ending up in, e.g., /build/amd64-usr/build/amd64-usr/.
+	# As a workaround, we move everything from ${D}${ROOT} to ${D} after the src_install phase.
+ 	rsync -av ${D}${ROOT}/ ${D}
+ 	rm -rfv ${D}${ROOT}
+
+	# Flatcar: enable the systemd unit that triggers Clevis's automatic response to LUKS
+	# disk decryption password prompts.
+ 	systemd_enable_service cryptsetup.target clevis-luks-askpass.path
+}

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch

@@ -0,0 +1,25 @@
+diff --git a/src/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+index 929b878..c48e282 100755
+--- a/src/dracut/clevis-pin-tang/module-setup.sh.in
++++ b/src/dracut/clevis-pin-tang/module-setup.sh.in
+@@ -19,7 +19,7 @@
+ #
+
+ depends() {
+-    echo clevis network
++    echo clevis
+     return 0
+ }
+
+diff --git a/src/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+index dbce790..c9581db 100755
+--- a/src/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -48,7 +48,6 @@ install() {
+     fi
+
+     inst_multiple \
+-        /etc/services \
+         clevis-luks-common-functions \
+         grep sed cut \
+         clevis-decrypt \

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch

@@ -0,0 +1,216 @@
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
+rename to src/dracut/clevis-pin-sss/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
+rename to src/dracut/clevis-pin-sss/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
+rename to src/dracut/clevis-pin-tang/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
+rename to src/dracut/clevis-pin-tang/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
+rename to src/dracut/clevis-pin-tpm2/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
+rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
+diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
+new file mode 100755
+index 0000000..91ff2bd
+--- /dev/null
++++ b/src/dracut/clevis/clevis-hook.sh.in
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++@libexecdir@/clevis-luks-generic-unlocker -l
+diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
+new file mode 100755
+index 0000000..a3b9d62
+--- /dev/null
++++ b/src/dracut/clevis/clevis-luks-generic-unlocker
+@@ -0,0 +1,70 @@
++#!/bin/bash
++set -eu
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2020-2021 Red Hat, Inc.
++# Author: Sergio Correia <scorreia@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++. clevis-luks-common-functions
++
++# Make sure to exit cleanly if SIGTERM is received.
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
++
++loop=
++while getopts ":l" o; do
++    case "${o}" in
++    l) loop=true;;
++    *) ;;
++    esac
++done
++
++to_unlock() {
++    local _devices='' _d _uuid
++    for _d in $(lsblk -o PATH,FSTYPE,RM \
++               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
++    do
++        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
++                         || [ -z "${bindings}" ]; then
++            continue
++        fi
++        _uuid="$(cryptsetup luksUUID "${_d}")"
++        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
++            continue
++        fi
++        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
++    done
++    echo "${_devices}" | sed -e 's/^\n$//'
++}
++
++while true; do
++    for d in $(to_unlock); do
++        uuid="$(cryptsetup luksUUID "${d}")"
++        if ! clevis luks unlock -d "${d}"; then
++            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
++            continue
++        fi
++        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
++    done
++
++    [ "${loop}" != true ] && break
++    # Checking for pending devices to be unlocked.
++    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
++        break;
++    fi
++
++    sleep 0.5
++done
+diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
+similarity index 87%
+rename from src/luks/systemd/dracut/clevis/meson.build
+rename to src/dracut/clevis/meson.build
+index 167e708..224e27f 100644
+--- a/src/luks/systemd/dracut/clevis/meson.build
++++ b/src/dracut/clevis/meson.build
+@@ -16,6 +16,7 @@ if dracut.found()
+     install_dir: dracutdir,
+     configuration: data,
+   )
++  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
+ else
+   warning('Will not install dracut module due to missing dependencies!')
+ endif
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+similarity index 76%
+rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
+rename to src/dracut/clevis/module-setup.sh.in
+index bfe657c..dbce790 100755
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -19,7 +19,11 @@
+ #
+
+ depends() {
+-    echo crypt systemd
++    local __depends=crypt
++    if dracut_module_included "systemd"; then
++        __depends=$(printf '%s systemd' "${_depends}")
++    fi
++    echo "${__depends}"
+     return 255
+ }
+
+@@ -27,17 +31,24 @@ install() {
+     if dracut_module_included "systemd"; then
+         inst_multiple \
+             $systemdsystemunitdir/clevis-luks-askpass.service \
+-            $systemdsystemunitdir/clevis-luks-askpass.path
++            $systemdsystemunitdir/clevis-luks-askpass.path \
++            @SYSTEMD_REPLY_PASS@ \
++            @libexecdir@/clevis-luks-askpass
+         systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
+     else
+         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
++
++	inst_multiple \
++            @libexecdir@/clevis-luks-generic-unlocker \
++            clevis-luks-unlock \
++            lsblk \
++            sort \
++            awk
+     fi
+
+     inst_multiple \
+         /etc/services \
+-        @SYSTEMD_REPLY_PASS@ \
+-        @libexecdir@/clevis-luks-askpass \
+         clevis-luks-common-functions \
+         grep sed cut \
+         clevis-decrypt \
+diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
+similarity index 78%
+rename from src/luks/systemd/dracut/meson.build
+rename to src/dracut/meson.build
+index 7ad5b14..fdb264b 100644
+--- a/src/luks/systemd/dracut/meson.build
++++ b/src/dracut/meson.build
+@@ -2,4 +2,3 @@ subdir('clevis')
+ subdir('clevis-pin-tang')
+ subdir('clevis-pin-tpm2')
+ subdir('clevis-pin-sss')
+-subdir('clevis-pin-null')
+diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+deleted file mode 100755
+index cb257c9..0000000
+--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
++++ /dev/null
+@@ -1,2 +0,0 @@
+-#!/bin/bash
+-@libexecdir@/clevis-luks-askpass
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index e3b3d91..b10494e 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
+
+ if systemd.found() and sd_reply_pass.found()
+   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
+-  subdir('dracut')
+
+   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+
+diff --git a/src/meson.build b/src/meson.build
+index c4e696f..a0dff5b 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,6 +1,7 @@
+ subdir('bash')
+ subdir('luks')
+ subdir('pins')
++subdir('dracut')
+ subdir('initramfs-tools')
+
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch

@@ -0,0 +1,11 @@
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index b10494e3ca4d620437aee0d5e440eecf323b03d9..09f7fb51e7320aa71e275c34baa0561233821d69 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -5,6 +5,7 @@ sd_reply_pass = find_program(
+   join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+   join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+   join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
++  join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
+   required: false
+ )

sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>kjain7@u.rochester.edu</email>
+		<name>Krish Jain (based off Julien Roy's work) </name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/clevis</remote-id>
+	</upstream>
+	<use>
+		<flag name="luks">Enable LUKS support</flag>
+		<flag name="tpm">Enable TPM support</flag>
+	</use>
+</pkgmetadata>

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -101,6 +101,7 @@ RDEPEND="${RDEPEND}
 	app-arch/zip
 	app-arch/ncompress
 	app-crypt/adcli
+	app-crypt/clevis
 	app-crypt/gnupg
 	app-crypt/go-tspi
 	app-crypt/tpmpolicy

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -14,6 +14,9 @@
 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~amd64 ~arm64
 
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
+=app-crypt/clevis-19-r1 **
+
 # Needed by arm64-native SDK.
 =app-crypt/efitools-1.9.2-r1 ~arm64
 
@@ -42,6 +45,12 @@
 # Needed by arm64-native SDK.
 =dev-lang/yasm-1.3.0-r1 ~arm64
 
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
+=dev-libs/jose-12 **
+
+# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
+=dev-libs/luksmeta-9-r1 **
+
 # Keep versions on both arches in sync.
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild

@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="08125679df614d1e95c20ea7676ba19c56838103" # flatcar-master
+	CROS_WORKON_COMMIT="ea430ee8ada8f3415228c185c1205d1f681c8ca4" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
@@ -38,10 +38,9 @@ src_install() {
 		"${D}"/usr/lib/dracut/modules.d/30ignition/ignition-setup-pre.sh \
 		"${D}"/usr/lib/dracut/modules.d/30ignition/ignition-kargs-helper \
 		"${D}"/usr/lib/dracut/modules.d/30ignition/retry-umount.sh \
+		"${D}"/usr/lib/dracut/modules.d/40networkd-dependency/*-generator \
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root \
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root-after-ignition \
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/gpg-agent-wrapper \
-		"${D}"/usr/lib/dracut/modules.d/30ignition/coreos-metadata-wrapper \
-		"${D}"/usr/lib/dracut/modules.d/30ignition/ignition-wrapper \
 		|| die chmod
 }