diff -Nru clevis-8/debian/changelog clevis-8/debian/changelog --- clevis-8/debian/changelog 2020-04-29 22:18:51.000000000 +0000 +++ clevis-8/debian/changelog 2020-10-14 17:23:01.000000000 +0000 @@ -1,3 +1,21 @@ +clevis (8-1ubuntu0.2) bionic; urgency=medium + + * initramfs: Fix parsing of interface names when bringing the network + back down in local-bottom, which also avoids a mess of "ip: can't find + device '/sys/class/net/$iface'" errors on the console. LP: #1896294. + * initramfs: Warn users with multiple interfaces that they should consider + specifying an 'ip=' parameter for reliable operation. LP: #1896289. + As a side-effect, also fix interface parsing while bringing links + up. LP: #1873593. + * initramfs: Wait for interface to appear before attempting configuration. + LP: #1873914. + * initramfs: Make network configuration as-needed. This functionality + depends on the new clevis-luks-list command which is also backported. + LP: #1896509. Requires new build-dep on asciidoctor in order to build + the clevis-luks-list manpage. + + -- dann frazier Wed, 14 Oct 2020 11:23:01 -0600 + clevis (8-1ubuntu0.1) bionic; urgency=medium * Add clevis-initramfs package (LP: #1872832) diff -Nru clevis-8/debian/clevis.install clevis-8/debian/clevis.install --- clevis-8/debian/clevis.install 2017-11-28 23:01:49.000000000 +0000 +++ clevis-8/debian/clevis.install 2020-10-13 22:42:26.000000000 +0000 @@ -7,3 +7,5 @@ usr/bin/clevis-encrypt-http usr/bin/clevis-encrypt-sss usr/bin/clevis-encrypt-tang +usr/bin/clevis-luks-list +usr/bin/clevis-luks-common-functions diff -Nru clevis-8/debian/clevis-luks.manpages clevis-8/debian/clevis-luks.manpages --- clevis-8/debian/clevis-luks.manpages 2017-11-28 23:01:49.000000000 +0000 +++ clevis-8/debian/clevis-luks.manpages 2020-10-13 22:43:06.000000000 +0000 
@@ -2,3 +2,4 @@ debian/tmp/usr/share/man/man1/clevis-luks-bind.1 debian/tmp/usr/share/man/man1/clevis-luks-unlock.1 debian/tmp/usr/share/man/man7/clevis-luks-unlockers.7 +doc/clevis-luks-list.1 diff -Nru clevis-8/debian/control clevis-8/debian/control --- clevis-8/debian/control 2020-04-14 20:03:36.000000000 +0000 +++ clevis-8/debian/control 2020-10-13 22:57:36.000000000 +0000 @@ -4,6 +4,7 @@ Homepage: https://github.com/latchset/clevis Standards-Version: 4.1.1 Build-Depends: debhelper (>= 10~), + asciidoctor, curl, dracut, jose, diff -Nru clevis-8/debian/patches/Add-clevis-luks-list-command.patch clevis-8/debian/patches/Add-clevis-luks-list-command.patch --- clevis-8/debian/patches/Add-clevis-luks-list-command.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/Add-clevis-luks-list-command.patch 2020-10-02 21:02:03.000000000 +0000 
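Review bot: `doc/clevis-luks-list.1` is given as a source-tree path while the other entries point into `debian/tmp/usr/share/man/...`, and nothing visible in this diff produces that file; the changelog says asciidoctor builds it from debian/rules, but the debian/rules change is not in this chunk, so it is worth confirming the rule exists and runs before dh_installman. Where the config-file parser accepts comments, a line `# generated by debian/rules from doc/clevis-luks-list.1.adoc` next to the entry would make that build dependency explicit.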
@@ -0,0 +1,425 @@ +From 140cdf6f567942dc72359007bad73db7aca6d599 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Sun, 12 Apr 2020 12:28:13 -0300 +Subject: [PATCH] Add clevis luks list command + +Reviving Javier's idea in PR#24, we now have a command to list the pins +bound to a LUKS volume. + +Usage: +clevis luks list -d DEV [-s SLT] + +Examples: + +clevis luks list -d device +1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}' +2: tang '{"url":"addr"}' +3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}' + +clevis luks list -d device -s 3 +3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}' + +[ dannf: Command is used in later patch + initramfs-Make-network-configuration-on-demand.patch; + Use old make system instead of meson ] + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896509 +Origin: https://github.com/latchset/clevis/commit/140cdf6f567942dc72359007bad73db7aca6d599 +Last-Updated: 2020-10-02 + +Index: clevis-8/src/clevis-luks-list +=================================================================== +--- /dev/null ++++ clevis-8/src/clevis-luks-list +@@ -0,0 +1,77 @@ ++#!/bin/bash -e ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2017-2019 Red Hat, Inc. ++# Author: Javier Martinez Canillas ++# Author: Sergio Correia - LUKS2 support. ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++. clevis-luks-common-functions ++ ++SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device" ++ ++function usage() { ++ echo >&2 ++ echo "Usage: clevis luks list -d DEV [-s SLT]" >&2 ++ echo >&2 ++ echo "$SUMMARY": >&2 ++ echo >&2 ++ echo " -d DEV The LUKS device to list bound pins" >&2 ++ echo >&2 ++ echo " -s SLOT The slot number to list" >&2 ++ echo >&2 ++ exit 1 ++} ++ ++if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then ++ echo "${SUMMARY}" ++ exit 0 ++fi ++ ++while getopts ":d:s:" o; do ++ case "$o" in ++ d) DEV=${OPTARG};; ++ s) SLT=${OPTARG};; ++ *) usage;; ++ esac ++done ++ ++if [ -z "${DEV}" ]; then ++ echo "Did not specify a device!" >&2 ++ usage ++fi ++ ++if cryptsetup isLuks --type luks1 "${DEV}"; then ++ if ! luksmeta test -d "${DEV}" 2>/dev/null; then ++ echo "The ${DEV} device is not valid!" >&2 ++ exit 1 ++ fi ++fi ++ ++if [ -n "${SLT}" ]; then ++ clevis_luks_read_pins_from_slot "${DEV}" "${SLT}" ++else ++ if ! used_slots=$(clevis_luks_used_slots "${DEV}"); then ++ echo "No used slots detected for device ${DEV}!" >&2 ++ exit 1 ++ fi ++ ++ for s in ${used_slots}; do ++ if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then ++ continue ++ fi ++ done ++fi +Index: clevis-8/src/clevis-luks-common-functions +=================================================================== +--- /dev/null ++++ clevis-8/src/clevis-luks-common-functions +@@ -0,0 +1,283 @@ ++#!/bin/bash -e ++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2019 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. 
++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++# valid_slot() will check whether a given slot is possibly valid, i.e., if it ++# is a numeric value within the specified range. ++valid_slot() { ++ local SLT="${1}" ++ local MAX_SLOTS="${2}" ++ case "${SLT}" in ++ ''|*[!0-9]*) ++ return 1 ++ ;; ++ *) ++ # We got an integer, now let's make sure it is within the ++ # supported range. ++ if [ "${SLT}" -ge "${MAX_SLOTS}" ]; then ++ return 1 ++ fi ++ ;; ++ esac ++} ++ ++# clevis_luks_read_slot() will read a particular slot of a given device, which ++# should be either LUKS1 or LUKS2. Returns 1 in case of failure; 0 in case of ++# success. ++clevis_luks_read_slot() { ++ local DEV="${1}" ++ local SLT="${2}" ++ ++ if [ -z "${DEV}" ] || [ -z "${SLT}" ]; then ++ echo "Need both a device and a slot as arguments." >&2 ++ return 1 ++ fi ++ ++ local DATA_CODED='' ++ local MAX_LUKS1_SLOTS=8 ++ local MAX_LUKS2_SLOTS=32 ++ if cryptsetup isLuks --type luks1 "${DEV}"; then ++ if ! valid_slot "${SLT}" "${MAX_LUKS1_SLOTS}"; then ++ echo "Please, provide a valid key slot number; 0-7 for LUKS1" >&2 ++ return 1 ++ fi ++ ++ if ! luksmeta test -d "${DEV}"; then ++ echo "The ${DEV} device is not valid!" >&2 ++ return 1 ++ fi ++ ++ local CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" ++ local uuid ++ # Pattern from luksmeta: active slot uuid. ++ read -r _ _ uuid <<< "$(luksmeta show -d "${DEV}" | grep "^${SLT} *")" ++ ++ if [ "${uuid}" != ${CLEVIS_UUID}"" ]; then ++ echo "Not a clevis slot!" >&2 ++ return 1 ++ fi ++ ++ if ! DATA_CODED="$(luksmeta load -d "${DEV}" -s "${SLT}")"; then ++ echo "Cannot load data from ${DEV} slot:${SLT}!" 
>&2 ++ return 1 ++ fi ++ elif cryptsetup isLuks --type luks2 "${DEV}"; then ++ if ! valid_slot "${SLT}" "${MAX_LUKS2_SLOTS}"; then ++ echo "Please, provide a valid key slot number; 0-31 for LUKS2" >&2 ++ return 1 ++ fi ++ ++ local token_id ++ token_id=$(cryptsetup luksDump "${DEV}" \ ++ | grep -E -B1 "^\s+Keyslot:\s+${SLT}$" \ ++ | head -n 1 | sed -rn 's|^\s+([0-9]+): clevis|\1|p') ++ if [ -z "${token_id}" ]; then ++ echo "Cannot load data from ${DEV} slot:${SLT}. No token found!" >&2 ++ return 1 ++ fi ++ ++ local token ++ token=$(cryptsetup token export --token-id "${token_id}" "${DEV}") ++ DATA_CODED=$(jose fmt -j- -Og jwe -o- <<< "${token}" \ ++ | jose jwe fmt -i- -c) ++ ++ if [ -z "${DATA_CODED}" ]; then ++ echo "Cannot load data from ${DEV} slot:${SLT}!" >&2 ++ return 1 ++ fi ++ else ++ echo "${DEV} is not a supported LUKS device!" >&2 ++ return 1 ++ fi ++ echo "${DATA_CODED}" ++} ++ ++# clevis_luks_used_slots() will return the list of used slots for a given LUKS ++# device. ++clevis_luks_used_slots() { ++ local DEV="${1}" ++ ++ local slots ++ if cryptsetup isLuks --type luks1 "${DEV}"; then ++ readarray -t slots < <(cryptsetup luksDump "${DEV}" \ ++ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p') ++ elif cryptsetup isLuks --type luks2 "${DEV}"; then ++ readarray -t slots < <(cryptsetup luksDump "${DEV}" \ ++ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p') ++ else ++ echo "${DEV} is not a supported LUKS device!" >&2 ++ return 1 ++ fi ++ echo "${slots[@]}" ++} ++ ++# clevis_luks_decode_jwe() will decode a given JWE. ++clevis_luks_decode_jwe() { ++ local jwe="${1}" ++ ++ local coded ++ if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then ++ return 1 ++ fi ++ ++ coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"') ++ jose b64 dec -i- <<< "${coded}" ++} ++ ++# clevis_luks_print_pin_config() will print the config of a given pin; i.e. ++# for tang it will display the associated url address, and for tpm2, the ++# properties in place, like the hash, for instance. 
++clevis_luks_print_pin_config() { ++ local P="${1}" ++ local decoded="${2}" ++ ++ local content ++ if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \ ++ || [ -z "${content}" ]; then ++ return 1 ++ fi ++ ++ local pin= ++ case "${P}" in ++ tang) ++ local url ++ url="$(jose fmt -j- -g url -u- <<< "${content}")" ++ pin=$(printf '{"url":"%s"}' "${url}") ++ printf "tang '%s'" "${pin}" ++ ;; ++ tpm2) ++ # Valid properties for tpm2 pin are the following: ++ # hash, key, pcr_bank, pcr_ids, pcr_digest. ++ local key ++ local value ++ for key in 'hash' 'key' 'pcr_bank' 'pcr_ids' 'pcr_digest'; do ++ if value=$(jose fmt -j- -g "${key}" -u- <<< "${content}"); then ++ pin=$(printf '%s,"%s":"%s"' "${pin}" "${key}" "${value}") ++ fi ++ done ++ # Remove possible leading comma. ++ pin=${pin/#,/} ++ printf "tpm2 '{%s}'" "${pin}" ++ ;; ++ sss) ++ local threshold ++ threshold=$(jose fmt -j- -Og t -o- <<< "${content}") ++ clevis_luks_process_sss_pin "${content}" "${threshold}" ++ ;; ++ *) ++ printf "unknown pin '%s'" "${P}" ++ ;; ++ esac ++} ++ ++# clevis_luks_decode_pin_config() will receive a JWE and extract a pin config ++# from it. ++clevis_luks_decode_pin_config() { ++ local jwe="${1}" ++ ++ local decoded ++ if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then ++ return 1 ++ fi ++ ++ local P ++ if ! P=$(jose fmt -j- -Og clevis -g pin -u- <<< "${decoded}"); then ++ return 1 ++ fi ++ ++ clevis_luks_print_pin_config "${P}" "${decoded}" ++} ++ ++# clevis_luks_join_sss_cfg() will receive a list of configurations for a given ++# pin and returns it as list, in the format PIN [cfg1, cfg2, ..., cfgN]. ++clevis_luks_join_sss_cfg() { ++ local pin="${1}" ++ local cfg="${2}" ++ cfg=$(echo "${cfg}" | tr -d "'" | sed -e 's/^,//') ++ printf '"%s":[%s]' "${pin}" "${cfg}" ++} ++ ++# clevis_luks_process_sss_pin() will receive a JWE with information on the sss ++# pin config, and also its associated threshold, and will extract the info. 
++clevis_luks_process_sss_pin() { ++ local jwe="${1}" ++ local threshold="${2}" ++ ++ local sss_tang ++ local sss_tpm2 ++ local sss ++ local pin_cfg ++ local pin ++ local cfg ++ ++ local coded ++ for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do ++ if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then ++ continue ++ fi ++ read -r pin cfg <<< "${pin_cfg}" ++ case "${pin}" in ++ tang) ++ sss_tang="${sss_tang},${cfg}" ++ ;; ++ tpm2) ++ sss_tpm2="${sss_tpm2},${cfg}" ++ ;; ++ sss) ++ sss=$(echo "${cfg}" | tr -d "'") ++ ;; ++ esac ++ done ++ ++ cfg= ++ if [ -n "${sss_tang}" ]; then ++ cfg=$(clevis_luks_join_sss_cfg "tang" "${sss_tang}") ++ fi ++ ++ if [ -n "${sss_tpm2}" ]; then ++ cfg="${cfg},"$(clevis_luks_join_sss_cfg "tpm2" "${sss_tpm2}") ++ fi ++ ++ if [ -n "${sss}" ]; then ++ cfg=$(printf '%s,"sss":%s' "${cfg}" "${sss}") ++ fi ++ ++ # Remove possible leading comma. ++ cfg=${cfg/#,/} ++ pin=$(printf '{"t":%d,"pins":{%s}}' "${threshold}" "${cfg}") ++ printf "sss '%s'" "${pin}" ++} ++ ++# clevis_luks_read_pins_from_slot() will receive a given device and slot and ++# will then output its associated policy configuration. ++clevis_luks_read_pins_from_slot() { ++ local DEV="${1}" ++ local SLOT="${2}" ++ ++ local jwe ++ if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then ++ return 1 ++ fi ++ ++ local cfg ++ if ! 
cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
++ return 1
++ fi
++ printf "%s: %s\n" "${SLOT}" "${cfg}"
++}
+Index: clevis-8/src/Makefile.am
+===================================================================
+--- clevis-8.orig/src/Makefile.am
++++ clevis-8/src/Makefile.am
+@@ -22,6 +22,8 @@ dist_bin_SCRIPTS = \
+ clevis-bind-luks \
+ clevis-luks-unlock \
+ clevis-luks-bind \
++ clevis-luks-common-functions \
++ clevis-luks-list \
+ clevis-decrypt \
+ clevis
+
+Index: clevis-8/src/Makefile.in
+===================================================================
+--- clevis-8.orig/src/Makefile.in
++++ clevis-8/src/Makefile.in
+@@ -381,6 +381,8 @@ dist_bin_SCRIPTS = \
+ clevis-bind-luks \
+ clevis-luks-unlock \
+ clevis-luks-bind \
++ clevis-luks-common-functions \
++ clevis-luks-list \
+ clevis-decrypt \
+ clevis
+
diff -Nru clevis-8/debian/patches/Add-man-page-for-clevis-luks-list.patch clevis-8/debian/patches/Add-man-page-for-clevis-luks-list.patch
--- clevis-8/debian/patches/Add-man-page-for-clevis-luks-list.patch 1970-01-01 00:00:00.000000000 +0000
+++ clevis-8/debian/patches/Add-man-page-for-clevis-luks-list.patch 2020-10-02 21:01:34.000000000 +0000
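Review bot: In `clevis_luks_read_slot` (the clevis-luks-common-functions part of this hunk) the comparison `if [ "${uuid}" != ${CLEVIS_UUID}"" ]; then` leaves the expected UUID unquoted and reads like a typo; it only works because the constant contains no whitespace, and `if [ "${uuid}" != "${CLEVIS_UUID}" ]; then` states the same check unambiguously. In clevis-luks-list the loop body `if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then continue; fi` is just `clevis_luks_read_pins_from_slot "${DEV}" "${s}" || continue`, and since read_pins discards the slot-read errors with `2>/dev/null`, a comment such as `# slots that are not clevis-bound are skipped silently` would record that this is intended rather than an oversight. `. clevis-luks-common-functions` resolves the library by PATH lookup, which is why it is installed and copied into the initramfs alongside the commands; a one-line comment above that source line would save the next reader the deduction.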
@@ -0,0 +1,76 @@ +From c6edce588599c37ba43b9b2b5c46d7477cb671e3 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Sun, 12 Apr 2020 12:28:29 -0300 +Subject: [PATCH] Add man page for clevis-luks-list + +Update also README. + +[ dannf: Needed to add the command, so might as well add the manpage; + Drop changes to non-existent README; + Put manpage source in doc dir for consistency; + Drop meson hunk since this is before the meson conversion, we'll use + debian/rules to build it ] + +Index: clevis-8/doc/clevis-luks-list.1.adoc +=================================================================== +--- /dev/null ++++ clevis-8/doc/clevis-luks-list.1.adoc +@@ -0,0 +1,58 @@ ++CLEVIS-LUKS-LIST(1) ++=================== ++:doctype: manpage ++ ++ ++== NAME ++ ++clevis-luks-list - Lists pins bound to a LUKS device ++ ++== SYNOPSIS ++ ++*clevis luks list* -d DEV [-s SLT] ++ ++== OVERVIEW ++ ++The *clevis luks list* command list the pins bound to LUKS device. ++For example: ++ ++ clevis luks list -d /dev/sda1 ++ ++== OPTIONS ++ ++* *-d* _DEV_ : ++ The LUKS device on which to list bound pins ++ ++* *-s* _SLT_ : ++ The slot to use for listing the pin from ++ ++== EXAMPLES ++ ++ clevis luks list -d /dev/sda1 ++ 1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}' ++ 2: tang '{"url":"addr"}' ++ 3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}' ++ ++As we can see in the example above, */dev/sda1* has three slots bound each with a different pin. ++- Slot #1 is bound with the _sss_ pin, and uses also tang and tpm2 pins in its policy. 
++- Slot #2 is bound using the _tang_ pin ++- Slot #3 is bound with the _tpm2_ pin ++ ++Note that the output of *clevis luks list* can be used with the *clevis luks bind* command, such as: ++ ++ clevis luks bind -d /dev/sda1 tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}' ++ ++And we will bind another slot with a policy similar to the one we have in slot #3. ++Also note that if you are interested in a particular slot, you can pass the _-s SLT_ argument to *clevis luks list*: ++ ++ clevis luks list -d /dev/sda1 -s 2 ++ 2: tang '{"url":"addr"}' ++ ++In the above example, we listed only the pin bound to slot #2. ++ ++== SEE ALSO ++ ++link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)], ++link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], ++link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], ++link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], diff -Nru clevis-8/debian/patches/Avoid-head-usage-in-scripts-that-may-run-in-initramf.patch clevis-8/debian/patches/Avoid-head-usage-in-scripts-that-may-run-in-initramf.patch --- clevis-8/debian/patches/Avoid-head-usage-in-scripts-that-may-run-in-initramf.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/Avoid-head-usage-in-scripts-that-may-run-in-initramf.patch 2020-10-02 20:39:12.000000000 +0000 
@@ -0,0 +1,28 @@ +From adaef407265479cd1067c4fbf69fdaa0dd6ae586 Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Mon, 14 Sep 2020 10:02:13 -0600 +Subject: [PATCH 1/3] Avoid 'head' usage in scripts that may run in initramfs + +Ubuntu's busybox-initramfs package does not provide the `head` function. +Replace `head` usage with an equivalent `sed` command. + +[dannf: Drop hunk removing `head` binary from dracut initramfs, which didn't + yet include it; Drop hunk for clevis-luks-bind which didn't yet use head ] + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896509 +Origin: https://github.com/latchset/clevis/commit/adaef407265479cd1067c4fbf69fdaa0dd6ae586 +Last-Updated: 2020-10-02 + +Index: clevis-13/src/clevis-luks-common-functions +=================================================================== +--- clevis-13.orig/src/clevis-luks-common-functions ++++ clevis-13/src/clevis-luks-common-functions +@@ -86,7 +86,7 @@ clevis_luks_read_slot() { + local token_id + token_id=$(cryptsetup luksDump "${DEV}" \ + | grep -E -B1 "^\s+Keyslot:\s+${SLT}$" \ +- | head -n 1 | sed -rn 's|^\s+([0-9]+): clevis|\1|p') ++ | sed -n 1p | sed -rn 's|^\s+([0-9]+): clevis|\1|p') + if [ -z "${token_id}" ]; then + echo "Cannot load data from ${DEV} slot:${SLT}. No token found!" >&2 + return 1 diff -Nru clevis-8/debian/patches/initramfs-Drop-comment-about-code-not-working-within.patch clevis-8/debian/patches/initramfs-Drop-comment-about-code-not-working-within.patch --- clevis-8/debian/patches/initramfs-Drop-comment-about-code-not-working-within.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/initramfs-Drop-comment-about-code-not-working-within.patch 2020-10-02 20:23:24.000000000 +0000 
@@ -0,0 +1,30 @@ +From 780eb30986323613f5b192c03c881caecae8cd7b Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Mon, 14 Sep 2020 11:03:31 -0600 +Subject: [PATCH 3/3] initramfs: Drop comment about code not working within + `clevisloop()` + +I'm not sure what exactly didn't seem to work when executed inside +`clevisloop()` - I didn't have any problems during my testing. Since +this code *is* now running inside of `clevisloop()` let's just drop +the comment. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896509 +Origin: https://github.com/latchset/clevis/commit/780eb30986323613f5b192c03c881caecae8cd7b +Last-Updated: 2020-09-21 + +diff --git a/src/initramfs-tools/scripts/local-top/clevis.in b/src/initramfs-tools/scripts/local-top/clevis.in +index 7f235dc..c97873e 100755 +--- a/src/initramfs-tools/scripts/local-top/clevis.in ++++ b/src/initramfs-tools/scripts/local-top/clevis.in +@@ -254,7 +254,6 @@ wait_for_device() { + + do_configure_networking() { + # Make sure networking is set up: if booting via nfs, it already is +- # Doesn't seem to work when added to clevisloop for some reason + if [ "$boot" != nfs ] && wait_for_device; then + clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l) + if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then +-- +2.28.0 + diff -Nru clevis-8/debian/patches/initramfs-fix-iface-name-210.patch clevis-8/debian/patches/initramfs-fix-iface-name-210.patch --- clevis-8/debian/patches/initramfs-fix-iface-name-210.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/initramfs-fix-iface-name-210.patch 2020-10-02 20:23:24.000000000 +0000 
@@ -0,0 +1,26 @@
+From ff65a1594f9d90f8baed634b814c30a15549614b Mon Sep 17 00:00:00 2001
+From: Thomas Avril
+Date: Thu, 2 Jul 2020 13:02:33 +0200
+Subject: [PATCH] initramfs - fix iface name (#210)
+
+Co-authored-by: Thomas Avril
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896294
+Origin: https://github.com/latchset/clevis/commit/ff65a1594f9d90f8baed634b814c30a15549614b
+Last-Updated: 2020-09-21
+
+diff --git a/src/initramfs-tools/scripts/local-bottom/clevis.in b/src/initramfs-tools/scripts/local-bottom/clevis.in
+index ee20320..fb89e35 100755
+--- a/src/initramfs-tools/scripts/local-bottom/clevis.in
++++ b/src/initramfs-tools/scripts/local-bottom/clevis.in
+@@ -42,6 +42,7 @@ kill "$pid"
+
+ for iface in /sys/class/net/*; do
+ if [ -e "$iface" ]; then
++ iface=$(basename "$iface")
+ ip link set dev "$iface" down
+ ip addr flush dev "$iface"
+ ip route flush dev "$iface"
+--
+2.28.0
+
diff -Nru clevis-8/debian/patches/initramfs-Make-network-configuration-on-demand.patch clevis-8/debian/patches/initramfs-Make-network-configuration-on-demand.patch
--- clevis-8/debian/patches/initramfs-Make-network-configuration-on-demand.patch 1970-01-01 00:00:00.000000000 +0000
+++ clevis-8/debian/patches/initramfs-Make-network-configuration-on-demand.patch 2020-10-02 20:23:24.000000000 +0000
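Review bot: `iface=$(basename "$iface")` forks an external command per interface and depends on `basename` being present in the initramfs, in a script that a companion patch in this upload notes may run under a busybox lacking `head`; the POSIX parameter expansion `iface="${iface##*/}"` yields the same interface name with no external dependency. The `for iface in /sys/class/net/*` loop body continues outside the hunk.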
@@ -0,0 +1,103 @@ +From ee369808473945165a3f3b79a52c1d10f29eb5c4 Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Fri, 11 Sep 2020 16:36:58 -0600 +Subject: [PATCH 2/3] initramfs: Make network configuration on-demand + +Today we always try to configure the networking before we even know +if it is necessary. It's not necessary if, say, the volume is using a +TPM pin, or perhaps no pin at all and clevis just happens to be +installed. In those cases, the user is stuck waiting for +configure_networking() to finish before they get prompted for a passphrase, +and that can take nearly 5 minutes to timeout if the system is offline. + +Let's move the configure_networking() code into clevisloop() and only +run it if we detect a LUKS volume using a tang pin. Since clevisloop() +is executing in the background, the boot can continue in the meantime +allowing the user to unlock via passphrase without first waiting for +network configuration to complete or timeout. + +Since we use `clevis-luks-list` to detect the pin type, include it in +in the initramfs. 
+ +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896509 +Origin: https://github.com/latchset/clevis/commit/ee369808473945165a3f3b79a52c1d10f29eb5c4 +Last-Updated: 2020-09-23 + +Index: clevis-12/src/initramfs-tools/hooks/clevis.in +=================================================================== +--- clevis-12.orig/src/initramfs-tools/hooks/clevis.in ++++ clevis-12/src/initramfs-tools/hooks/clevis.in +@@ -59,6 +59,8 @@ fi + copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found" + copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found" + copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found" ++copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found" ++copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found" + if [ -x @bindir@/clevis-decrypt-tpm2 ]; then + copy_exec @bindir@/clevis-decrypt-tpm2 || die 1 "@bindir@/clevis-decrypt-tpm2 not found" + tpm2_creatprimary_bin=$(find_binary "tpm2_createprimary") +Index: clevis-12/src/initramfs-tools/scripts/local-top/clevis.in +=================================================================== +--- clevis-12.orig/src/initramfs-tools/scripts/local-top/clevis.in ++++ clevis-12/src/initramfs-tools/scripts/local-top/clevis.in +@@ -105,6 +105,12 @@ luks2_decrypt() { + return 1 + } + ++has_tang_pin() { ++ local dev="$1" ++ ++ clevis luks list -d "${dev}" | grep -q tang ++} ++ + # Wait for askpass, and then try and decrypt immediately. 
Just in case + # there are multiple devices that need decrypting, this will loop + # infinitely (The local-bottom script will kill this after decryption) +@@ -120,6 +126,7 @@ clevisloop() { + fi + + OLD_CRYPTTAB_SOURCE="" ++ local netcfg_attempted=0 + + while true; do + +@@ -143,6 +150,11 @@ clevisloop() { + [ "$CRYPTTAB_SOURCE" = "$OLD_CRYPTTAB_SOURCE" ] && continue + OLD_CRYPTTAB_SOURCE="$CRYPTTAB_SOURCE" + ++ if [ $netcfg_attempted -eq 0 ] && has_tang_pin ${CRYPTTAB_SOURCE}; then ++ netcfg_attempted=1 ++ do_configure_networking ++ fi ++ + if cryptsetup isLuks --type luks1 "$CRYPTTAB_SOURCE"; then + # If the device is not initialized, sliently skip it. + luksmeta test -d "$CRYPTTAB_SOURCE" || continue +@@ -240,16 +252,18 @@ wait_for_device() { + return $ret + } + +-# Make sure networking is set up: if booting via nfs, it already is +-# Doesn't seem to work when added to clevisloop for some reason +-if [ "$boot" != nfs ] && wait_for_device; then +- clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l) +- if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then +- echo "" +- echo "clevis: Warning: multiple network interfaces available but no ip= parameter provided." ++do_configure_networking() { ++ # Make sure networking is set up: if booting via nfs, it already is ++ # Doesn't seem to work when added to clevisloop for some reason ++ if [ "$boot" != nfs ] && wait_for_device; then ++ clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l) ++ if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then ++ echo "" ++ echo "clevis: Warning: multiple network interfaces available but no ip= parameter provided." ++ fi ++ configure_networking + fi +- configure_networking +-fi ++} + + clevisloop & + echo $! 
>/run/clevis.pid diff -Nru clevis-8/debian/patches/initramfs-Wait-for-interface-to-appear-instead-of-ch.patch clevis-8/debian/patches/initramfs-Wait-for-interface-to-appear-instead-of-ch.patch --- clevis-8/debian/patches/initramfs-Wait-for-interface-to-appear-instead-of-ch.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/initramfs-Wait-for-interface-to-appear-instead-of-ch.patch 2020-10-02 20:23:24.000000000 +0000 
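Review bot: In the clevisloop hunk `has_tang_pin ${CRYPTTAB_SOURCE}` runs before the `cryptsetup isLuks` checks that follow it, so for a source that is not (or not yet) a LUKS device `clevis luks list` prints its "not a supported LUKS device" error on the console each time a new source is seen; the device is also passed unquoted, and `grep -q tang` in has_tang_pin matches the substring anywhere in the listing rather than a pin name. Suggest `if [ "$netcfg_attempted" -eq 0 ] && has_tang_pin "$CRYPTTAB_SOURCE"; then` and, in has_tang_pin, `clevis luks list -d "${dev}" 2>/dev/null | grep -qw tang`. The `-w` form still matches an sss policy that nests tang, since the listing prints `"tang":` for it, which is exactly the case that needs the network. clevisloop's body starts and ends outside the hunk.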
@@ -0,0 +1,126 @@ +From f670383c276d6a61e165ff9e498e19271f8e168c Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Mon, 31 Aug 2020 12:52:03 -0600 +Subject: [PATCH 2/4] initramfs: Wait for interface to appear instead of + checking for carriers + +We currently use a function called eth_check() to determine if the network +device is ready before attempting network configuration. eth_check() +decides the device is ready if it sees a carrier on an interface 1s after +bringing it up. If no existing interface passes this test, it fails +and we abort network configuration. This has a few issues: + + - The first device found to have a carrier may not be the one we want + clevis to use. The user can tell us which one to use via the ip= parameter, + but that is ignored here. + - The device we're supposed to use may not have even been enumerated yet, + so eth_check() won't be able to check its carrier. + - It may take more than 1s for the carrier to be established. + configure_networking()'s loop implicitly gives the device a long time + to obtain link, making eth_check()'s test redundant. + +It seems all we really should be doing here is trying to make sure the +appropriate interface is present before calling configure_networking(). + +Replace eth_check() with a new wait_for_device() function that first checks +if a user has specified a preferred interface via the ip= command line +argument. If so, busy wait for up to 10s until that device appears. +Then call wait_for_udev() which will finish processing any udev events for the +specified interface or, if no interface was specified, makes a best effort +attempt to wait for all remaining devices to be enumerated. We can never +guarantee that all interfaces will be enumerated here though - USB NICs, +for example, may still appear later. Users should therefore be encouraged +to specify an appropriate ip= parameter. 
+ +In theory this code should really go into initramfs-tools' +configure_networking() function, where clevis would automatically benefit +from it. I've a merge proposal open for that[*]. However, that will only +help once it gets merged, and then only for future Debian/Debian derivative +releases, unless it were to be backported everywhere. On the other hand, +there's no real harm in doing it in both places. + +Fixes #145 + +[*] https://salsa.debian.org/kernel-team/initramfs-tools/-/merge_requests/32 + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1873914 +Origin: https://github.com/latchset/clevis/commit/f670383c276d6a61e165ff9e498e19271f8e168c +Last-Updated: 2020-09-21 + +diff --git a/src/initramfs-tools/scripts/local-top/clevis.in b/src/initramfs-tools/scripts/local-top/clevis.in +index d721a37..77ffc7f 100755 +--- a/src/initramfs-tools/scripts/local-top/clevis.in ++++ b/src/initramfs-tools/scripts/local-top/clevis.in +@@ -206,29 +206,49 @@ clevis_all_netbootable_devices() { + echo "$DEVICE" + } + +-# Check if network is up before trying to configure it. +-eth_check() { +- for device in $(clevis_all_netbootable_devices); do +- ip link set dev "$device" up +- sleep 1 +- ETH_HAS_CARRIER=$(cat /sys/class/net/"$device"/carrier) +- if [ "$ETH_HAS_CARRIER" = '1' ]; then +- return 0 +- fi +- done +- return 1 ++get_specified_device() { ++ local dev="$(echo $IP | cut -d: -f6)" ++ [ -z "$dev" ] || echo $dev + } +-if eth_check; then +- # Make sure networking is set up: if booting via nfs, it already is +- # Doesn't seem to work when added to clevisloop for some reason +- if [ "$boot" != nfs ]; then +- clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l) +- if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then +- echo "" +- echo "clevis: Warning: multiple network interfaces available but no ip= parameter provided." ++ ++# Workaround configure_networking() not waiting long enough for an interface ++# to appear. 
This code can be removed once that has been fixed in all the ++# distro releases we care about. ++wait_for_device() { ++ local device="$(get_specified_device)" ++ local ret=0 ++ ++ if [ -n "$device" ]; then ++ log_begin_msg "clevis: Waiting for interface ${device} to become available" ++ local netdev_wait=0 ++ while [ $netdev_wait -lt 10 ]; do ++ if [ -e "/sys/class/net/${device}" ]; then ++ break ++ fi ++ netdev_wait=$((netdev_wait + 1)) ++ sleep 1 ++ done ++ if [ ! -e "/sys/class/net/${device}" ]; then ++ log_failure_msg "clevis: Interface ${device} did not appear in time" ++ ret=1 + fi +- configure_networking ++ log_end_msg ++ fi ++ ++ wait_for_udev 10 ++ ++ return $ret ++} ++ ++# Make sure networking is set up: if booting via nfs, it already is ++# Doesn't seem to work when added to clevisloop for some reason ++if [ "$boot" != nfs ] && wait_for_device; then ++ clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l) ++ if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then ++ echo "" ++ echo "clevis: Warning: multiple network interfaces available but no ip= parameter provided." + fi ++ configure_networking + fi + + clevisloop & +-- +2.28.0 + diff -Nru clevis-8/debian/patches/initramfs-Warn-if-it-s-not-clear-which-nic-to-config.patch clevis-8/debian/patches/initramfs-Warn-if-it-s-not-clear-which-nic-to-config.patch --- clevis-8/debian/patches/initramfs-Warn-if-it-s-not-clear-which-nic-to-config.patch 1970-01-01 00:00:00.000000000 +0000 +++ clevis-8/debian/patches/initramfs-Warn-if-it-s-not-clear-which-nic-to-config.patch 2020-10-02 20:23:24.000000000 +0000 
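Review bot: `get_specified_device` expands `$IP` and `$dev` unquoted (`echo $IP | cut -d: -f6`, `echo $dev`), exposing the kernel argument to word splitting and globbing; `local dev; dev="$(echo "$IP" | cut -d: -f6)"; [ -z "$dev" ] || echo "$dev"` keeps the value intact, and a comment `# ip=<client>:<server>:<gw>:<mask>:<hostname>:<device>:... -- field 6 is the device` would explain the field number. In wait_for_device the ten-second limit appears twice, as the loop bound and as the `wait_for_udev 10` argument; a single `local netdev_timeout=10` with a comment on why ten seconds was chosen would keep the two in step. Both functions lie entirely inside the hunk.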
@@ -0,0 +1,52 @@
+From ae3249ed5ff102aa57650c3171330c47a41c95e8 Mon Sep 17 00:00:00 2001
+From: dann frazier
+Date: Wed, 20 May 2020 15:45:00 -0600
+Subject: [PATCH] initramfs: Warn if it's not clear which nic to configure
+
+If the user doesn't provide an ip= command line, configure_networking()
+will try to configure each interface until one succeeds. But the one that
+configures fastest may not be the one that can communicate with our server.
+If we detect a situation where there are multiple configurable NICs and no
+ip= parameter, emit a warning so that the user considers this as a possible
+reason for failure.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896289
+Origin: https://github.com/latchset/clevis/commit/ae3249ed5ff102aa57650c3171330c47a41c95e8
+Last-Updated: 2020-09-21
+
+diff --git a/src/initramfs-tools/scripts/local-top/clevis.in b/src/initramfs-tools/scripts/local-top/clevis.in
+index b989659..d721a37 100755
+--- a/src/initramfs-tools/scripts/local-top/clevis.in
++++ b/src/initramfs-tools/scripts/local-top/clevis.in
+@@ -197,7 +197,11 @@ clevis_all_netbootable_devices() {
+ # attribute on it)
+ device=$(basename "$device")
+ ip -o link show "$device" | grep -q -w master && continue
+- DEVICE="$DEVICE $device"
++ if [ -z "$DEVICE" ]; then
++ DEVICE="$device"
++ else
++ DEVICE="$DEVICE $device"
++ fi
+ done
+ echo "$DEVICE"
+ }
+@@ -217,7 +221,14 @@ eth_check() {
+ if eth_check; then
+ # Make sure networking is set up: if booting via nfs, it already is
+ # Doesn't seem to work when added to clevisloop for some reason
+- [ "$boot" = nfs ] || configure_networking
++ if [ "$boot" != nfs ]; then
++ clevis_net_cnt=$(clevis_all_netbootable_devices | tr ' ' '\n' | wc -l)
++ if [ -z "$IP" ] && [ "$clevis_net_cnt" -gt 1 ]; then
++ echo ""
++ echo "clevis: Warning: multiple network interfaces available but no ip= parameter provided."
++ fi
++ configure_networking
++ fi
+ fi
+
+ clevisloop &
+--
+2.28.0
+
diff -Nru clevis-8/debian/patches/man-add-newline-to-clevis-luks-list-manpage.patch clevis-8/debian/patches/man-add-newline-to-clevis-luks-list-manpage.patch
--- clevis-8/debian/patches/man-add-newline-to-clevis-luks-list-manpage.patch 1970-01-01 00:00:00.000000000 +0000
+++ clevis-8/debian/patches/man-add-newline-to-clevis-luks-list-manpage.patch 2020-10-02 21:01:02.000000000 +0000
@@ -0,0 +1,26 @@
+From 013926d55c2f0dfcd1f5c0ff5e532b96ba76dd2c Mon Sep 17 00:00:00 2001
+From: Sergio Correia
+Date: Mon, 20 Apr 2020 16:46:47 -0300
+Subject: [PATCH] man: add newline to clevis luks list manpage
+
+So that the explanation on its output is shown correctly.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1896509
+Origin: https://github.com/latchset/clevis/commit/140cdf6f567942dc72359007bad73db7aca6d599
+Last-Updated: 2020-10-02
+
+diff --git a/doc/clevis-luks-list.1.adoc b/doc/clevis-luks-list.1.adoc
+index 2e84f05..f00d9bf 100644
+--- a/doc/clevis-luks-list.1.adoc
++++ b/doc/clevis-luks-list.1.adoc
+@@ -34,6 +34,7 @@ For example:
+ 3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
+
+ As we can see in the example above, */dev/sda1* has three slots bound each with a different pin.
++
+ - Slot #1 is bound with the _sss_ pin, and uses also tang and tpm2 pins in its policy.
+ - Slot #2 is bound using the _tang_ pin
+ - Slot #3 is bound with the _tpm2_ pin
+--
+2.28.0
+
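Review bot: The warning in the second hunk is printed with a bare `echo` pair rather than the initramfs-tools logging helpers, so it is formatted unlike the other boot messages and presumably does not follow the same quiet/splash handling; the Wait-for-interface patch in this same series already uses `log_begin_msg`/`log_failure_msg` in this file, so `log_warning_msg "clevis: multiple network interfaces available but no ip= parameter provided"` (if that helper exists in the bionic initramfs-tools functions — confirm) would be consistent and make the blank `echo ""` unnecessary. The message also does not say what to pass; since the later patch reads the interface from field 6 of `ip=` (`cut -d: -f6`), telling the user to pin the device there is more actionable, and it matters beyond convenience, because whichever NIC configures first is used and a rogue DHCP server on a second, untrusted segment can plausibly win that race and at least deny the unlock. The rewritten `DEVICE` accumulation in the first hunk deserves a why-comment, since its only visible effect is to avoid a leading space that `tr ' ' '\n' | wc -l` would count as an extra interface: `# no leading separator: callers count entries with tr/wc -l`. The enclosing `clevis_all_netbootable_devices` function starts outside the first hunk.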
@@ -11,3 +11,12 @@
 0006-Avoid-grep-z-which-isn-t-supported-by-busybox-initra.patch
 0007-Updated-initramfs-tools-to-work-on-18.04-and-20.04-a.patch
 0008-initramfs-Avoid-noise-due-to-proc-race.patch
+initramfs-fix-iface-name-210.patch
+initramfs-Warn-if-it-s-not-clear-which-nic-to-config.patch
+initramfs-Wait-for-interface-to-appear-instead-of-ch.patch
+Add-clevis-luks-list-command.patch
+Add-man-page-for-clevis-luks-list.patch
+man-add-newline-to-clevis-luks-list-manpage.patch
+Avoid-head-usage-in-scripts-that-may-run-in-initramf.patch
+initramfs-Make-network-configuration-on-demand.patch
+initramfs-Drop-comment-about-code-not-working-within.patch
diff -Nru clevis-8/debian/rules clevis-8/debian/rules
--- clevis-8/debian/rules 2017-11-28 23:01:49.000000000 +0000
+++ clevis-8/debian/rules 2020-10-13 22:11:20.000000000 +0000
@@ -11,5 +11,15 @@
 override_dh_auto_configure:
 dh_auto_configure -- --with-dracutmodulesdir=/usr/lib/dracut/modules.d
+doc/clevis-luks-list.1: doc/clevis-luks-list.1.adoc
+ asciidoctor --attribute reproducible --backend=manpage $<
+
+override_dh_auto_build: doc/clevis-luks-list.1
+ dh_auto_build
+
 override_dh_missing:
 dh_missing --fail-missing
+
+override_dh_auto_clean:
+ rm -f doc/clevis-luks-list.1
+ dh_auto_clean
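Review bot: The `doc/clevis-luks-list.1` rule in the debian/rules hunk never names its output and relies on asciidoctor's default of writing beside the input, so a partially written page from a failed run, or a changed default, leaves make with a stale or missing target and no clear error; name the target explicitly and make partial output non-sticky with `asciidoctor --attribute reproducible --backend=manpage -o $@ $<` plus a `.DELETE_ON_ERROR:` line at the top of the file. Having `override_dh_auto_build` depend on the generated file and `override_dh_auto_clean` remove it is the right shape, but nothing says why the page is rendered here rather than by upstream's build (presumably because the backported clevis-luks-list has no upstream build rule in this release — confirm), so a comment above the rule such as `# clevis-luks-list is a backport; the upstream build does not render its man page, so do it here.` would save the next uploader a search. A second short comment on the `reproducible` attribute, noting that it is what keeps the generated page free of a build timestamp, would make the reproducible-build intent explicit.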