commit: 36c488d3c08ebc4941e11ff13e72fa32f4d47abd |
Author: Julien Roy <julien <AT> jroy <DOT> ca> |
AuthorDate: Thu Apr 7 01:50:59 2022 +0000 |
Commit: Ronny Gutbrod <gentoo <AT> tastytea <DOT> de> |
CommitDate: Thu Apr 7 01:50:59 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=36c488d3 |
|
app-crypt/clevis: initial import |
|
Signed-off-by: Julien Roy <julien <AT> jroy.ca> |
|
app-crypt/clevis/Manifest | 1 + |
app-crypt/clevis/clevis-18.ebuild | 32 ++++ |
app-crypt/clevis/files/clevis-dracut.patch | 250 +++++++++++++++++++++++++++++ |
app-crypt/clevis/metadata.xml | 12 ++ |
4 files changed, 295 insertions(+) |
|
diff --git a/app-crypt/clevis/Manifest b/app-crypt/clevis/Manifest |
19 |
new file mode 100644 |
20 |
index 000000000..cccbcfc24 |
21 |
--- /dev/null |
22 |
+++ b/app-crypt/clevis/Manifest |
23 |
@@ -0,0 +1 @@ |
24 |
+DIST clevis-18.tar.gz 78191 BLAKE2B 317f30df3c05a9a651363daf17b9320e47a903929af991ecfd9d4d3d630a0ab8e92815db2e5736e9b9ca7f3fb4a41f4cf198ec447f04a9849f4d2a03bb196b22 SHA512 19b6743ff61ff7e29699bbc3fb69dfa31567a37ab824629330b57c92aa89b70759d63c1770be68d4525681ec9ba56d980cae2bb1cdeee6192992ede449a0e4ff |
25 |
|
26 |
diff --git a/app-crypt/clevis/clevis-18.ebuild b/app-crypt/clevis/clevis-18.ebuild |
27 |
new file mode 100644 |
28 |
index 000000000..7e7b30797 |
29 |
--- /dev/null |
30 |
+++ b/app-crypt/clevis/clevis-18.ebuild |
31 |
@@ -0,0 +1,32 @@ |
32 |
+# Copyright 2022 Gentoo Authors |
33 |
+# Distributed under the terms of the GNU General Public License v2 |
34 |
+ |
35 |
+EAPI=8 |
36 |
+ |
37 |
+inherit meson |
38 |
+ |
39 |
+PATCHES=( |
40 |
+ "${FILESDIR}/${PN}-dracut.patch" |
41 |
+) |
42 |
+ |
43 |
+DESCRIPTION="Automated Encryption Framework" |
44 |
+HOMEPAGE="https://github.com/latchset/clevis" |
45 |
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" |
46 |
+ |
47 |
+LICENSE="GPL-3" |
48 |
+SLOT="0" |
49 |
+KEYWORDS="~amd64" |
50 |
+IUSE="+luks +tpm" |
51 |
+ |
52 |
+DEPEND="luks? ( app-misc/jq ) |
53 |
+ >=dev-libs/jose-8 |
54 |
+ luks? ( dev-libs/libpwquality ) |
55 |
+ luks? ( dev-libs/luksmeta ) |
56 |
+ tpm? ( app-crypt/tpm2-tools ) |
57 |
+ sys-fs/cryptsetup" |
58 |
+RDEPEND="${DEPEND}" |
59 |
+BDEPEND="" |
60 |
+ |
61 |
+src_configure() { |
62 |
+ meson_src_configure |
63 |
+} |
64 |
|
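Review bot: The DEPEND block lists tools that clevis only invokes at runtime from its shell scripts (`app-misc/jq`, `app-crypt/tpm2-tools`), and `RDEPEND="${DEPEND}"` then carries them into both; the usual split is to keep DEPEND to the libraries linked at build time (jose, luksmeta, libpwquality, cryptsetup) and list the runtime tools in RDEPEND. The `src_configure` override at the end only calls `meson_src_configure`, which is the eclass default, so it can be dropped. Neither `luks` nor `tpm` is passed to meson anywhere in this hunk, so whether the flags actually gate what gets built is unclear from here and worth confirming; likewise the dracut module added by files/clevis-dracut.patch appears to be installed on meson-side autodetection (`dracut.found()`) with no dracut dependency declared in the ebuild. The script header shipped in that patch declares GPL-3 "or (at your option) any later version", so `LICENSE="GPL-3"` may need to be `GPL-3+` if that holds for the project as a whole.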
65 |
diff --git a/app-crypt/clevis/files/clevis-dracut.patch b/app-crypt/clevis/files/clevis-dracut.patch |
66 |
new file mode 100644 |
67 |
index 000000000..7aec43e9e |
68 |
--- /dev/null |
69 |
+++ b/app-crypt/clevis/files/clevis-dracut.patch |
70 |
@@ -0,0 +1,250 @@ |
71 |
+From a5aa695821e34fb218c7d705065aaf7077737c8c Mon Sep 17 00:00:00 2001 |
72 |
+From: Jonathan Davies <jpds@××××××××××.com> |
73 |
+Date: Fri, 5 Nov 2021 15:24:12 +0000 |
74 |
+Subject: [PATCH] Moved dracut directory up to top-level to decouple it with |
75 |
+ systemd. |
76 |
+ |
77 |
+Adds a clevis-luks-generic-unlocker for alternative use without systemd. |
78 |
+ |
79 |
+Based on patch by Sergio Correia <scorreia@××××××.com> |
80 |
+ |
81 |
+Closes: #346 |
82 |
+ |
83 |
+Signed-off-by: Jonathan Davies <jpds@××××××××××.com> |
84 |
+--- |
85 |
+ .../dracut/clevis-pin-sss/meson.build | 0 |
86 |
+ .../dracut/clevis-pin-sss/module-setup.sh.in | 0 |
87 |
+ .../dracut/clevis-pin-tang/meson.build | 0 |
88 |
+ .../dracut/clevis-pin-tang/module-setup.sh.in | 0 |
89 |
+ .../dracut/clevis-pin-tpm2/meson.build | 0 |
90 |
+ .../dracut/clevis-pin-tpm2/module-setup.sh.in | 0 |
91 |
+ src/dracut/clevis/clevis-hook.sh.in | 3 + |
92 |
+ .../clevis/clevis-luks-generic-unlocker | 70 +++++++++++++++++++ |
93 |
+ .../systemd => }/dracut/clevis/meson.build | 1 + |
94 |
+ .../dracut/clevis/module-setup.sh.in | 19 +++-- |
95 |
+ src/{luks/systemd => }/dracut/meson.build | 0 |
96 |
+ .../systemd/dracut/clevis/clevis-hook.sh.in | 2 - |
97 |
+ src/luks/systemd/meson.build | 1 - |
98 |
+ src/meson.build | 1 + |
99 |
+ 14 files changed, 90 insertions(+), 7 deletions(-) |
100 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-sss/meson.build (100%) |
101 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-sss/module-setup.sh.in (100%) |
102 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-tang/meson.build (100%) |
103 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-tang/module-setup.sh.in (100%) |
104 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/meson.build (100%) |
105 |
+ rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/module-setup.sh.in (100%) |
106 |
+ create mode 100755 src/dracut/clevis/clevis-hook.sh.in |
107 |
+ create mode 100755 src/dracut/clevis/clevis-luks-generic-unlocker |
108 |
+ rename src/{luks/systemd => }/dracut/clevis/meson.build (87%) |
109 |
+ rename src/{luks/systemd => }/dracut/clevis/module-setup.sh.in (76%) |
110 |
+ rename src/{luks/systemd => }/dracut/meson.build (100%) |
111 |
+ delete mode 100755 src/luks/systemd/dracut/clevis/clevis-hook.sh.in |
112 |
+ |
113 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build |
114 |
+similarity index 100% |
115 |
+rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build |
116 |
+rename to src/dracut/clevis-pin-sss/meson.build |
117 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in |
118 |
+similarity index 100% |
119 |
+rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in |
120 |
+rename to src/dracut/clevis-pin-sss/module-setup.sh.in |
121 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build |
122 |
+similarity index 100% |
123 |
+rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build |
124 |
+rename to src/dracut/clevis-pin-tang/meson.build |
125 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in |
126 |
+similarity index 100% |
127 |
+rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in |
128 |
+rename to src/dracut/clevis-pin-tang/module-setup.sh.in |
129 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build |
130 |
+similarity index 100% |
131 |
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build |
132 |
+rename to src/dracut/clevis-pin-tpm2/meson.build |
133 |
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in |
134 |
+similarity index 100% |
135 |
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in |
136 |
+rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in |
137 |
+diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in |
138 |
+new file mode 100755 |
139 |
+index 0000000..91ff2bd |
140 |
+--- /dev/null |
141 |
++++ b/src/dracut/clevis/clevis-hook.sh.in |
142 |
+@@ -0,0 +1,3 @@ |
143 |
++#!/bin/bash |
144 |
++ |
145 |
++@libexecdir@/clevis-luks-generic-unlocker -l |
146 |
+diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker |
147 |
+new file mode 100755 |
148 |
+index 0000000..a3b9d62 |
149 |
+--- /dev/null |
150 |
++++ b/src/dracut/clevis/clevis-luks-generic-unlocker |
151 |
+@@ -0,0 +1,70 @@ |
152 |
++#!/bin/bash |
153 |
++set -eu |
154 |
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: |
155 |
++# |
156 |
++# Copyright (c) 2020-2021 Red Hat, Inc. |
157 |
++# Author: Sergio Correia <scorreia@××××××.com> |
158 |
++# |
159 |
++# This program is free software: you can redistribute it and/or modify |
160 |
++# it under the terms of the GNU General Public License as published by |
161 |
++# the Free Software Foundation, either version 3 of the License, or |
162 |
++# (at your option) any later version. |
163 |
++# |
164 |
++# This program is distributed in the hope that it will be useful, |
165 |
++# but WITHOUT ANY WARRANTY; without even the implied warranty of |
166 |
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
167 |
++# GNU General Public License for more details. |
168 |
++# |
169 |
++# You should have received a copy of the GNU General Public License |
170 |
++# along with this program. If not, see <http://www.gnu.org/licenses/>. |
171 |
++# |
172 |
++ |
173 |
++. clevis-luks-common-functions |
174 |
++ |
175 |
++# Make sure to exit cleanly if SIGTERM is received. |
176 |
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM |
177 |
++ |
178 |
++loop= |
179 |
++while getopts ":l" o; do |
180 |
++ case "${o}" in |
181 |
++ l) loop=true;; |
182 |
++ *) ;; |
183 |
++ esac |
184 |
++done |
185 |
++ |
186 |
++to_unlock() { |
187 |
++ local _devices='' _d _uuid |
188 |
++ for _d in $(lsblk -o PATH,FSTYPE,RM \ |
189 |
++ | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u); |
190 |
++ do |
191 |
++ if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \ |
192 |
++ || [ -z "${bindings}" ]; then |
193 |
++ continue |
194 |
++ fi |
195 |
++ _uuid="$(cryptsetup luksUUID "${_d}")" |
196 |
++ if clevis_is_luks_device_by_uuid_open "${_uuid}"; then |
197 |
++ continue |
198 |
++ fi |
199 |
++ _devices="$(printf '%s\n%s' "${_devices}" "${_d}")" |
200 |
++ done |
201 |
++ echo "${_devices}" | sed -e 's/^\n$//' |
202 |
++} |
203 |
++ |
204 |
++while true; do |
205 |
++ for d in $(to_unlock); do |
206 |
++ uuid="$(cryptsetup luksUUID "${d}")" |
207 |
++ if ! clevis luks unlock -d "${d}"; then |
208 |
++ echo "Unable to unlock ${d} (UUID=${uuid})" >&2 |
209 |
++ continue |
210 |
++ fi |
211 |
++ echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2 |
212 |
++ done |
213 |
++ |
214 |
++ [ "${loop}" != true ] && break |
215 |
++ # Checking for pending devices to be unlocked. |
216 |
++ if remaining=$(to_unlock) && [ -z "${remaining}" ]; then |
217 |
++ break; |
218 |
++ fi |
219 |
++ |
220 |
++ sleep 0.5 |
221 |
++done |
222 |
+diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build |
223 |
+similarity index 87% |
224 |
+rename from src/luks/systemd/dracut/clevis/meson.build |
225 |
+rename to src/dracut/clevis/meson.build |
226 |
+index 167e708..224e27f 100644 |
227 |
+--- a/src/luks/systemd/dracut/clevis/meson.build |
228 |
++++ b/src/dracut/clevis/meson.build |
229 |
+@@ -16,6 +16,7 @@ if dracut.found() |
230 |
+ install_dir: dracutdir, |
231 |
+ configuration: data, |
232 |
+ ) |
233 |
++ install_data('clevis-luks-generic-unlocker', install_dir: libexecdir) |
234 |
+ else |
235 |
+ warning('Will not install dracut module due to missing dependencies!') |
236 |
+ endif |
237 |
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in |
238 |
+similarity index 76% |
239 |
+rename from src/luks/systemd/dracut/clevis/module-setup.sh.in |
240 |
+rename to src/dracut/clevis/module-setup.sh.in |
241 |
+index bfe657c..dbce790 100755 |
242 |
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in |
243 |
++++ b/src/dracut/clevis/module-setup.sh.in |
244 |
+@@ -19,7 +19,11 @@ |
245 |
+ # |
246 |
+ |
247 |
+ depends() { |
248 |
+- echo crypt systemd |
249 |
++ local __depends=crypt |
250 |
++ if dracut_module_included "systemd"; then |
251 |
++ __depends=$(printf '%s systemd' "${_depends}") |
252 |
++ fi |
253 |
++ echo "${__depends}" |
254 |
+ return 255 |
255 |
+ } |
256 |
+ |
257 |
+@@ -27,17 +31,24 @@ install() { |
258 |
+ if dracut_module_included "systemd"; then |
259 |
+ inst_multiple \ |
260 |
+ $systemdsystemunitdir/clevis-luks-askpass.service \ |
261 |
+- $systemdsystemunitdir/clevis-luks-askpass.path |
262 |
++ $systemdsystemunitdir/clevis-luks-askpass.path \ |
263 |
++ @SYSTEMD_REPLY_PASS@ \ |
264 |
++ @libexecdir@/clevis-luks-askpass |
265 |
+ systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path |
266 |
+ else |
267 |
+ inst_hook initqueue/online 60 "$moddir/clevis-hook.sh" |
268 |
+ inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" |
269 |
++ |
270 |
++ inst_multiple \ |
271 |
++ @libexecdir@/clevis-luks-generic-unlocker \ |
272 |
++ clevis-luks-unlock \ |
273 |
++ lsblk \ |
274 |
++ sort \ |
275 |
++ awk |
276 |
+ fi |
277 |
+ |
278 |
+ inst_multiple \ |
279 |
+ /etc/services \ |
280 |
+- @SYSTEMD_REPLY_PASS@ \ |
281 |
+- @libexecdir@/clevis-luks-askpass \ |
282 |
+ clevis-luks-common-functions \ |
283 |
+ grep sed cut \ |
284 |
+ clevis-decrypt \ |
285 |
+diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build |
286 |
+similarity index 100% |
287 |
+rename from src/luks/systemd/dracut/meson.build |
288 |
+rename to src/dracut/meson.build |
289 |
+diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in |
290 |
+deleted file mode 100755 |
291 |
+index cb257c9..0000000 |
292 |
+--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in |
293 |
++++ /dev/null |
294 |
+@@ -1,2 +0,0 @@ |
295 |
+-#!/bin/bash |
296 |
+-@libexecdir@/clevis-luks-askpass |
297 |
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build |
298 |
+index e3b3d91..b10494e 100644 |
299 |
+--- a/src/luks/systemd/meson.build |
300 |
++++ b/src/luks/systemd/meson.build |
301 |
+@@ -10,7 +10,6 @@ sd_reply_pass = find_program( |
302 |
+ |
303 |
+ if systemd.found() and sd_reply_pass.found() |
304 |
+ data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) |
305 |
+- subdir('dracut') |
306 |
+ |
307 |
+ unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') |
308 |
+ |
309 |
+diff --git a/src/meson.build b/src/meson.build |
310 |
+index c4e696f..a0dff5b 100644 |
311 |
+--- a/src/meson.build |
312 |
++++ b/src/meson.build |
313 |
+@@ -1,6 +1,7 @@ |
314 |
+ subdir('bash') |
315 |
+ subdir('luks') |
316 |
+ subdir('pins') |
317 |
++subdir('dracut') |
318 |
+ subdir('initramfs-tools') |
319 |
+ |
320 |
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt') |
321 |
|
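Review bot: The `depends()` hunk of src/dracut/clevis/module-setup.sh.in in this patch declares `local __depends=crypt` but then expands `${_depends}` (one underscore) in `__depends=$(printf '%s systemd' "${_depends}")`, so whenever the systemd module is included the echoed list becomes ` systemd` and the dependency on `crypt` is lost; the line should read `__depends=$(printf '%s systemd' "${__depends}")` (or simply `__depends="${__depends} systemd"`). Because the file is a vendored copy of an upstream commit, the fix belongs in the shipped patch in files/ rather than being carried as-is. Separately, the `-l` loop in clevis-luks-generic-unlocker retries every 0.5 s with no upper bound as long as any bound device keeps failing to unlock; whether the dracut initqueue bounds that is not visible in this hunk, so it is worth checking that an unreachable pin server cannot stall early boot indefinitely.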
322 |
diff --git a/app-crypt/clevis/metadata.xml b/app-crypt/clevis/metadata.xml |
323 |
new file mode 100644 |
324 |
index 000000000..4130b4271 |
325 |
--- /dev/null |
326 |
+++ b/app-crypt/clevis/metadata.xml |
327 |
@@ -0,0 +1,12 @@ |
328 |
+<?xml version="1.0" encoding="UTF-8"?> |
329 |
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> |
330 |
+<pkgmetadata> |
331 |
+ <maintainer type="person"> |
332 |
+ <email>julien@××××.ca</email> |
333 |
+ <name>Julien Roy</name> |
334 |
+ </maintainer> |
335 |
+ <use> |
336 |
+ <flag name="luks">Enable LUKS support</flag> |
337 |
+ <flag name="tpm">Enable TPM support</flag> |
338 |
+ </use> |
339 |
+</pkgmetadata> |