Accepting request 1271352 from security

Draft request UNTESTED - Create packages: * clevis-pin_tpm2 * clevis-pin_pkcs11 * clevis-pin-sss * clevis-pin-tang - Add 0002-find-pcscd.patch - Update to version 21: * [EXPERIMENTAL] Add PKCS#11 pin basic functionality (5b07e40) * Ensure dnf builddep is installed in Fedora (#466) (2b34226) * udisks2: check for EINTR when reading in recover_key() (4c6d5d9) * udisks2: check if variables are NULL before calling unref (eea777f) * Fix README.md to include tang https configuration (#175) (#417) (4bddd5e) * Prevent Address in use error (601d0a9) * Fedora test build fix (3420001) * luks/udisks2: explicitly NULL-terminate buffer (251a888) * pins/sss: intialize variable before use (0938231) * Fix DNS resolution in initramfs (#367) (bebb037) * Upgrade checkout version (v3->v4) (#452) (ea7a8e1) * Fix killing of child process of clevisloop (c03dbf3) * Added language and misspell check for markdown files (#439) (fee1db3) * luks: decouple dracut from systemd unlocker (afe91eb) * luks: move dracut out of systemd directory (cfefdde) * Include manual compilation steps (#433) (ec16c7a) * Avoid execution of Github actions for Markdown (#427) (c9f2066) * Upgrade version for checkout Github action (#429) (4764b66) * Fix README.md to include "tang" pin (#424) (3add946) * Use jose, not pwmake, for password generation (#418) (4d23eda) * Use quay.io version of Fedora Rawhide container (#425) (bf9e1cd) * Add bash syntax highlighting to README.md (#414) (7c23279) * Fix README.md to include correct sss example (#409) (eb92459) * Fix Github actions by using latest ubuntu distro (#411) (c1a8aff) * documenting parameter to pass args to cryptsetup (96726a2) * initial test of passing args to 'crypsetup open' (0666b88) * passing args to 'crypsetup open' (forwarded request 1270955 from iDesmI) OBS-URL: https://build.opensuse.org/request/show/1271352 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clevis?expand=0&rev=3
Draft request
2025-04-22 15:29:57 +00:00 · 2025-04-22 08:34:13 +00:00
5 changed files with 154 additions and 21 deletions
--- a/0002-find-pcscd.patch
+++ b/0002-find-pcscd.patch
@@ -0,0 +1,19 @@
+Index: clevis-21/src/pins/pkcs11/meson.build
+===================================================================
+--- clevis-21.orig/src/pins/pkcs11/meson.build
+++ clevis-21/src/pins/pkcs11/meson.build
+@@ -1,4 +1,4 @@
+-pcscd = find_program('pcscd', required: false)
+pcscd = find_program(['pcscd', '/usr/sbin/pcscd', '/sbin/pcscd'], required: false)
+ pkcs11tool = find_program('pkcs11-tool', required: false)
+ pcscd_disable_polkit = false
+ git = find_program('git', required: false)
+@@ -12,7 +12,7 @@ endif
+ GIT_VERSION_FLAG = '-DGIT_VERSION="' + git_version + '"'
+ 
+ if pcscd.found()
+-  pcscd_options = run_command('pcscd', '--help', check: false)
+  pcscd_options = run_command('/usr/sbin/pcscd', '--help', check: false)
+   pcscd_disable_polkit = pcscd_options.stdout().strip().contains('disable-polkit')
+   if not pcscd_disable_polkit
+     warning('pcscd does not have --disable-polkit option')
--- a/clevis-19.tar.xz
+++ b/clevis-19.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b34e97d72cf59feb56875bfccd6732d8b3d2751714da799a6a6a388cfe234b55
-size 66376
--- a/clevis-21.tar.xz
+++ b/clevis-21.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a0388a544c77139dc751cdbf66bdd38fc29c43f9e81a1cdfd119c84109ffca3f
+size 81096
--- a/clevis.changes
+++ b/clevis.changes
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Sat Apr 19 12:57:13 UTC 2025 - Enrico Belleri <kilgore.trout@idesmi.eu>
+
+- Create packages:
+  * clevis-pin_tpm2
+  * clevis-pin_pkcs11
+  * clevis-pin-sss
+  * clevis-pin-tang
+- Add 0002-find-pcscd.patch
+- Update to version 21:
+  * [EXPERIMENTAL] Add PKCS#11 pin basic functionality (5b07e40)
+  * Ensure dnf builddep is installed in Fedora (#466) (2b34226)
+  * udisks2: check for EINTR when reading in recover_key() (4c6d5d9)
+  * udisks2: check if variables are NULL before calling unref (eea777f)
+  * Fix README.md to include tang https configuration (#175) (#417) (4bddd5e)
+  * Prevent Address in use error (601d0a9)
+  * Fedora test build fix (3420001)
+  * luks/udisks2: explicitly NULL-terminate buffer (251a888)
+  * pins/sss: intialize variable before use (0938231)
+  * Fix DNS resolution in initramfs (#367) (bebb037)
+  * Upgrade checkout version (v3->v4) (#452) (ea7a8e1)
+  * Fix killing of child process of clevisloop (c03dbf3)
+  * Added language and misspell check for markdown files (#439) (fee1db3)
+  * luks: decouple dracut from systemd unlocker (afe91eb)
+  * luks: move dracut out of systemd directory (cfefdde)
+  * Include manual compilation steps (#433) (ec16c7a)
+  * Avoid execution of Github actions for Markdown (#427) (c9f2066)
+  * Upgrade version for checkout Github action (#429) (4764b66)
+  * Fix README.md to include "tang" pin (#424) (3add946)
+  * Use jose, not pwmake, for password generation (#418) (4d23eda)
+  * Use quay.io version of Fedora Rawhide container (#425) (bf9e1cd)
+  * Add bash syntax highlighting to README.md (#414) (7c23279)
+  * Fix README.md to include correct sss example (#409) (eb92459)
+  * Fix Github actions by using latest ubuntu distro (#411) (c1a8aff)
+  * documenting parameter to pass args to cryptsetup (96726a2)
+  * initial test of passing args to 'crypsetup open' (0666b88)
+  * passing args to 'crypsetup open' 
+
 -------------------------------------------------------------------
 Mon May 22 10:00:00 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/clevis.spec
+++ b/clevis.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package clevis
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,17 @@
 #


+%bcond_without pin_pkcs11
+%bcond_without pin_tpm2
 Name:           clevis
-Version:        19
+Version:        21
 Release:        0
 Summary:        A pluggable framework for automated decryption
 License:        GPL-3.0-or-later
 URL:            https://github.com/latchset/clevis
 Source0:        https://github.com/latchset/clevis/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Patch0:         cryptsetup-path.patch
+Patch1:         0002-find-pcscd.patch
 BuildRequires:  asciidoc
 BuildRequires:  cryptsetup
 BuildRequires:  curl
@@ -34,7 +37,6 @@ BuildRequires:  meson
 BuildRequires:  ninja
 BuildRequires:  pkgconfig
 BuildRequires:  socat
-BuildRequires:  tpm2.0-tools >= 3.0.0
 BuildRequires:  pkgconfig(audit) >= 2.7.8
 BuildRequires:  pkgconfig(bash-completion)
 BuildRequires:  pkgconfig(dracut)
@@ -42,19 +44,62 @@ BuildRequires:  pkgconfig(gio-2.0)
 BuildRequires:  pkgconfig(jansson) >= 2.10
 BuildRequires:  pkgconfig(jose) >= 8
 BuildRequires:  pkgconfig(libcrypto)
-BuildRequires:  pkgconfig(libcryptsetup) >= 2.0.2
+BuildRequires:  pkgconfig(libcryptsetup) >= 2.0.4
 BuildRequires:  pkgconfig(luksmeta) >= 8
 BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(udisks2)
-Requires:       curl
 Requires:       jose >= 8
-Requires:       tpm2.0-tools >= 3.0.0
+#TPM2 pin
+%if %{with pin_tpm2}
+BuildRequires:  tpm2.0-tools >= 3.0.0
+%endif
+# pkcs11 pin
+%if %{with pin_pkcs11}
+BuildRequires:  pcsc-lite
+BuildRequires:  pkgconfig(opensc-pkcs11)
+%endif

 %description
 Clevis is a pluggable framework for automated decryption. It can be used to
 provide automated decryption of data or even automated unlocking of LUKS
 volumes.

+%if %{with pin_pkcs11}
+%package pin-pkcs11
+Summary:        PKCS\#11 pin integration for Clevis
+Requires:       %{name}-luks = %{version}
+Requires:       opensc
+Requires:       pcsc-lite
+
+%description pin-pkcs11
+Automatically unlocks LUKS block devices through a PKCS\#11 device.
+%endif
+
+%if %{with pin_tpm2}
+%package pin-tpm2
+Summary:        TPM2 pin integration for Clevis
+Requires:       tpm2.0-tools >= 3.0.0
+
+%description pin-tpm2
+Provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) chip. The key used for encryption is encrypted using the TPM2 chip, and is decrypted using TPM2 to allow clevis to decrypt the secret stored in the JWE.
+Clevis store the public and private keys of the encrypted key in the JWE object, so those can be fetched on decryption to unseal the key encrypted using the TPM2.
+%endif
+
+%package pin-sss
+Summary:        SSS pin integration for Clevis
+Recommends:     %{name}-pin-pkcs11
+Recommends:     %{name}-pin-tpm2
+
+%description pin-sss
+Support for the Shamir Secret Service algorithm as a way to mix pins together to provide sophisticated unlocking policies.
+
+%package pin-tang
+Summary:        Tang pin integration for Clevis
+Requires:       curl
+
+%description pin-tang
+Support for Tang, a server implementation which provides cryptographic binding services without the need for an escrow.
+
 %package luks
 Summary:        LUKS integration for Clevis
 Requires:       %{name} = %{version}
@@ -71,15 +116,14 @@ Requires:       %{name}-luks = %{version}
 Requires:       systemd

 %description systemd
-Automatically unlock LUKS devices in /etc/crypttab with Clevis.
+Automatically unlock LUKS devices in %{_sysconfdir}/crypttab with Clevis.

 %package dracut
 Summary:        Dracut integration for Clevis
-Requires:       %{name}-systemd = %{version}
 Requires:       dracut

 %description dracut
-Automatically unlock LUKS devices in /etc/crypttab with Clevis at early boot.
+Automatically unlock LUKS devices in %{_sysconfdir}/crypttab with Clevis at early boot.

 %package udisks2
 Summary:        UDisks2 integration for Clevis
@@ -92,7 +136,7 @@ Automatically unlock LUKS devices in UDisks2 with Clevis.
 Summary:        Bash completion for Clevis
 Requires:       %{name} = %{version}
 Requires:       bash-completion
-Supplements:    packageand(%{name}:bash)
+Supplements:    (%{name} and bash)

 %description bash-completion
 This package provides Bash completion for Clevis.
@@ -128,15 +172,39 @@ This package provides Bash completion for Clevis.
 %posttrans dracut
 %{?regenerate_initrd_posttrans}

-%files
+%if %{with pin_pkcs11}
+%files pin-pkcs11
 %license COPYING
-%{_bindir}/clevis
-%{_bindir}/clevis-decrypt
-%{_bindir}/clevis-decrypt-*
-%{_bindir}/clevis-encrypt-*
-%{_mandir}/man1/clevis.1%{?ext_man}
-%{_mandir}/man1/clevis-decrypt.1%{?ext_man}
-%{_mandir}/man1/clevis-encrypt-*.1%{?ext_man}
+%{_libexecdir}/clevis-luks-pkcs11-askpass
+%{_libexecdir}/clevis-luks-pkcs11-askpin
+%{_bindir}/clevis-decrypt-pkcs11
+%{_bindir}/clevis-encrypt-pkcs11
+%{_bindir}/clevis-pkcs11-common
+%{_bindir}/clevis-pkcs11-afunix-socket-unlock
+%{_mandir}/man1/clevis-encrypt-pkcs11.1%{?ext_man}
+%endif
+
+%files pin-tang
+%license COPYING
+%{_bindir}/clevis-decrypt-tang
+%{_bindir}/clevis-encrypt-tang
+%{_mandir}/man1/clevis-encrypt-tang.1%{?ext_man}
+
+%if %{with pin_tpm2}
+%files pin-tpm2
+%license COPYING
+%{_bindir}/clevis-decrypt-tpm2
+%{_bindir}/clevis-encrypt-tpm2
+%{_mandir}/man1/clevis-encrypt-tpm2.1%{?ext_man}
+%endif
+
+%files pin-sss
+%license COPYING
+%{_bindir}/clevis-decrypt-sss
+%{_bindir}/clevis-encrypt-sss
+%{_bindir}/clevis-decrypt-null
+%{_bindir}/clevis-encrypt-null
+%{_mandir}/man1/clevis-encrypt-sss.1%{?ext_man}

 %files luks
 %license COPYING
@@ -151,6 +219,7 @@ This package provides Bash completion for Clevis.
 %files dracut
 %license COPYING
 %{_prefix}/lib/dracut/modules.d/**
+%{_libexecdir}/clevis-luks-unlocker

 %files udisks2
 %license COPYING
@@ -161,4 +230,11 @@ This package provides Bash completion for Clevis.
 %license COPYING
 %{_datadir}/bash-completion/completions/clevis

+%files
+%license COPYING
+%{_bindir}/clevis
+%{_bindir}/clevis-decrypt
+%{_mandir}/man1/clevis.1%{?ext_man}
+%{_mandir}/man1/clevis-decrypt.1%{?ext_man}
+
 %changelog