commit:     36c488d3c08ebc4941e11ff13e72fa32f4d47abd
Author:     Julien Roy <julien <AT> jroy <DOT> ca>
AuthorDate: Thu Apr  7 01:50:59 2022 +0000
Commit:     Ronny Gutbrod <gentoo <AT> tastytea <DOT> de>
CommitDate: Thu Apr  7 01:50:59 2022 +0000
URL:        https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=36c488d3

app-crypt/clevis: initial import

Signed-off-by: Julien Roy <julien <AT> jroy.ca>

 app-crypt/clevis/Manifest                  |   1 +
 app-crypt/clevis/clevis-18.ebuild          |  32 ++++
 app-crypt/clevis/files/clevis-dracut.patch | 250 +++++++++++++++++++++++++++++
 app-crypt/clevis/metadata.xml              |  12 ++
 4 files changed, 295 insertions(+)

diff --git a/app-crypt/clevis/Manifest b/app-crypt/clevis/Manifest
new file mode 100644
index 000000000..cccbcfc24
--- /dev/null
+++ b/app-crypt/clevis/Manifest
@@ -0,0 +1 @@
+DIST clevis-18.tar.gz 78191 BLAKE2B 
317f30df3c05a9a651363daf17b9320e47a903929af991ecfd9d4d3d630a0ab8e92815db2e5736e9b9ca7f3fb4a41f4cf198ec447f04a9849f4d2a03bb196b22
 SHA512 
19b6743ff61ff7e29699bbc3fb69dfa31567a37ab824629330b57c92aa89b70759d63c1770be68d4525681ec9ba56d980cae2bb1cdeee6192992ede449a0e4ff

diff --git a/app-crypt/clevis/clevis-18.ebuild 
b/app-crypt/clevis/clevis-18.ebuild
new file mode 100644
index 000000000..7e7b30797
--- /dev/null
+++ b/app-crypt/clevis/clevis-18.ebuild
@@ -0,0 +1,32 @@
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson
+
+PATCHES=(
+       "${FILESDIR}/${PN}-dracut.patch"
+)
+
+DESCRIPTION="Automated Encryption Framework"
+HOMEPAGE="https://github.com/latchset/clevis";
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+luks +tpm"
+
+DEPEND="luks? ( app-misc/jq )
+       >=dev-libs/jose-8
+       luks? ( dev-libs/libpwquality )
+       luks? ( dev-libs/luksmeta )
+       tpm? ( app-crypt/tpm2-tools )
+       sys-fs/cryptsetup"
+RDEPEND="${DEPEND}"
+BDEPEND=""
+
+src_configure() {
+       meson_src_configure
+}
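Review bot: The `luks` and `tpm` flags declared in `IUSE` only switch entries in `DEPEND`, because `src_configure` passes nothing to meson. Whether the LUKS and TPM2 pieces get built is then decided by what the build finds installed rather than by the flags (inferred, since upstream's meson files are not part of this hunk). For a package that unlocks encrypted volumes automatically, that choice should be explicit: either pass the matching meson options if upstream offers them, or drop the flags and make the dependencies unconditional. The listed packages (`app-misc/jq`, `app-crypt/tpm2-tools`, `sys-fs/cryptsetup`) look like runtime tools, so they belong in `RDEPEND` with `DEPEND` reduced to what is needed at build time. The empty `BDEPEND=""` and the `src_configure` that only calls `meson_src_configure` can be removed.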

diff --git a/app-crypt/clevis/files/clevis-dracut.patch 
b/app-crypt/clevis/files/clevis-dracut.patch
new file mode 100644
index 000000000..7aec43e9e
--- /dev/null
+++ b/app-crypt/clevis/files/clevis-dracut.patch
@@ -0,0 +1,250 @@
+From a5aa695821e34fb218c7d705065aaf7077737c8c Mon Sep 17 00:00:00 2001
+From: Jonathan Davies <j...@protonmail.com>
+Date: Fri, 5 Nov 2021 15:24:12 +0000
+Subject: [PATCH] Moved dracut directory up to top-level to decouple it with
+ systemd.
+
+Adds a clevis-luks-generic-unlocker for alternative use without systemd.
+
+Based on patch by Sergio Correia <scorr...@redhat.com>
+
+Closes: #346
+
+Signed-off-by: Jonathan Davies <j...@protonmail.com>
+---
+ .../dracut/clevis-pin-sss/meson.build         |  0
+ .../dracut/clevis-pin-sss/module-setup.sh.in  |  0
+ .../dracut/clevis-pin-tang/meson.build        |  0
+ .../dracut/clevis-pin-tang/module-setup.sh.in |  0
+ .../dracut/clevis-pin-tpm2/meson.build        |  0
+ .../dracut/clevis-pin-tpm2/module-setup.sh.in |  0
+ src/dracut/clevis/clevis-hook.sh.in           |  3 +
+ .../clevis/clevis-luks-generic-unlocker       | 70 +++++++++++++++++++
+ .../systemd => }/dracut/clevis/meson.build    |  1 +
+ .../dracut/clevis/module-setup.sh.in          | 19 +++--
+ src/{luks/systemd => }/dracut/meson.build     |  0
+ .../systemd/dracut/clevis/clevis-hook.sh.in   |  2 -
+ src/luks/systemd/meson.build                  |  1 -
+ src/meson.build                               |  1 +
+ 14 files changed, 90 insertions(+), 7 deletions(-)
+ rename src/{luks/systemd => }/dracut/clevis-pin-sss/meson.build (100%)
+ rename src/{luks/systemd => }/dracut/clevis-pin-sss/module-setup.sh.in (100%)
+ rename src/{luks/systemd => }/dracut/clevis-pin-tang/meson.build (100%)
+ rename src/{luks/systemd => }/dracut/clevis-pin-tang/module-setup.sh.in (100%)
+ rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/meson.build (100%)
+ rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/module-setup.sh.in (100%)
+ create mode 100755 src/dracut/clevis/clevis-hook.sh.in
+ create mode 100755 src/dracut/clevis/clevis-luks-generic-unlocker
+ rename src/{luks/systemd => }/dracut/clevis/meson.build (87%)
+ rename src/{luks/systemd => }/dracut/clevis/module-setup.sh.in (76%)
+ rename src/{luks/systemd => }/dracut/meson.build (100%)
+ delete mode 100755 src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build 
b/src/dracut/clevis-pin-sss/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
+rename to src/dracut/clevis-pin-sss/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in 
b/src/dracut/clevis-pin-sss/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
+rename to src/dracut/clevis-pin-sss/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build 
b/src/dracut/clevis-pin-tang/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
+rename to src/dracut/clevis-pin-tang/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in 
b/src/dracut/clevis-pin-tang/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
+rename to src/dracut/clevis-pin-tang/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build 
b/src/dracut/clevis-pin-tpm2/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
+rename to src/dracut/clevis-pin-tpm2/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in 
b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
+rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
+diff --git a/src/dracut/clevis/clevis-hook.sh.in 
b/src/dracut/clevis/clevis-hook.sh.in
+new file mode 100755
+index 0000000..91ff2bd
+--- /dev/null
++++ b/src/dracut/clevis/clevis-hook.sh.in
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++@libexecdir@/clevis-luks-generic-unlocker -l
+diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker 
b/src/dracut/clevis/clevis-luks-generic-unlocker
+new file mode 100755
+index 0000000..a3b9d62
+--- /dev/null
++++ b/src/dracut/clevis/clevis-luks-generic-unlocker
+@@ -0,0 +1,70 @@
++#!/bin/bash
++set -eu
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2020-2021 Red Hat, Inc.
++# Author: Sergio Correia <scorr...@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++. clevis-luks-common-functions
++
++# Make sure to exit cleanly if SIGTERM is received.
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
++
++loop=
++while getopts ":l" o; do
++    case "${o}" in
++    l) loop=true;;
++    *) ;;
++    esac
++done
++
++to_unlock() {
++    local _devices='' _d _uuid
++    for _d in $(lsblk -o PATH,FSTYPE,RM \
++               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort 
-u);
++    do
++        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
++                         || [ -z "${bindings}" ]; then
++            continue
++        fi
++        _uuid="$(cryptsetup luksUUID "${_d}")"
++        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
++            continue
++        fi
++        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
++    done
++    echo "${_devices}" | sed -e 's/^\n$//'
++}
++
++while true; do
++    for d in $(to_unlock); do
++        uuid="$(cryptsetup luksUUID "${d}")"
++        if ! clevis luks unlock -d "${d}"; then
++            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
++            continue
++        fi
++        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
++    done
++
++    [ "${loop}" != true ] && break
++    # Checking for pending devices to be unlocked.
++    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
++        break;
++    fi
++
++    sleep 0.5
++done
+diff --git a/src/luks/systemd/dracut/clevis/meson.build 
b/src/dracut/clevis/meson.build
+similarity index 87%
+rename from src/luks/systemd/dracut/clevis/meson.build
+rename to src/dracut/clevis/meson.build
+index 167e708..224e27f 100644
+--- a/src/luks/systemd/dracut/clevis/meson.build
++++ b/src/dracut/clevis/meson.build
+@@ -16,6 +16,7 @@ if dracut.found()
+     install_dir: dracutdir,
+     configuration: data,
+   )
++  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
+ else
+   warning('Will not install dracut module due to missing dependencies!')
+ endif
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in 
b/src/dracut/clevis/module-setup.sh.in
+similarity index 76%
+rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
+rename to src/dracut/clevis/module-setup.sh.in
+index bfe657c..dbce790 100755
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -19,7 +19,11 @@
+ #
+ 
+ depends() {
+-    echo crypt systemd
++    local __depends=crypt
++    if dracut_module_included "systemd"; then
++        __depends=$(printf '%s systemd' "${_depends}")
++    fi
++    echo "${__depends}"
+     return 255
+ }
+ 
+@@ -27,17 +31,24 @@ install() {
+     if dracut_module_included "systemd"; then
+         inst_multiple \
+             $systemdsystemunitdir/clevis-luks-askpass.service \
+-            $systemdsystemunitdir/clevis-luks-askpass.path
++            $systemdsystemunitdir/clevis-luks-askpass.path \
++            @SYSTEMD_REPLY_PASS@ \
++            @libexecdir@/clevis-luks-askpass
+         systemctl -q --root "$initdir" add-wants cryptsetup.target 
clevis-luks-askpass.path
+     else
+         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
++
++      inst_multiple \
++            @libexecdir@/clevis-luks-generic-unlocker \
++            clevis-luks-unlock \
++            lsblk \
++            sort \
++            awk
+     fi
+ 
+     inst_multiple \
+         /etc/services \
+-        @SYSTEMD_REPLY_PASS@ \
+-        @libexecdir@/clevis-luks-askpass \
+         clevis-luks-common-functions \
+         grep sed cut \
+         clevis-decrypt \
+diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/meson.build
+rename to src/dracut/meson.build
+diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in 
b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+deleted file mode 100755
+index cb257c9..0000000
+--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
++++ /dev/null
+@@ -1,2 +0,0 @@
+-#!/bin/bash
+-@libexecdir@/clevis-luks-askpass
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index e3b3d91..b10494e 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
+ 
+ if systemd.found() and sd_reply_pass.found()
+   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
+-  subdir('dracut')
+ 
+   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+ 
+diff --git a/src/meson.build b/src/meson.build
+index c4e696f..a0dff5b 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,6 +1,7 @@
+ subdir('bash')
+ subdir('luks')
+ subdir('pins')
++subdir('dracut')
+ subdir('initramfs-tools')
+ 
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')
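Review bot: In `depends()` of `src/dracut/clevis/module-setup.sh.in`, the systemd branch reads `${_depends}` (one underscore) while the variable is `__depends`, so when the systemd module is included the function echoes ` systemd` and `crypt` drops out of the declared dependencies. The line should be `__depends="${__depends} systemd"`. Separately, `clevis-hook.sh.in` always runs `clevis-luks-generic-unlocker -l`, and that loop only ends once `to_unlock` returns nothing, so a bound device whose pin cannot be satisfied appears to keep the initqueue hook polling every 0.5 s with no retry limit. A bounded number of attempts before falling through to the passphrase prompt would be safer. Since this file is a carried copy of an upstream patch, both fixes are best made upstream and the patch refreshed.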

diff --git a/app-crypt/clevis/metadata.xml b/app-crypt/clevis/metadata.xml
new file mode 100644
index 000000000..4130b4271
--- /dev/null
+++ b/app-crypt/clevis/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+       <maintainer type="person">
+               <email>jul...@jroy.ca</email>
+               <name>Julien Roy</name>
+       </maintainer>
+       <use>
+               <flag name="luks">Enable LUKS support</flag>
+               <flag name="tpm">Enable TPM support</flag>
+       </use>
+</pkgmetadata>
