diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
index 37a4b60eb9..0f5aff2314 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
@@ -3,7 +3,8 @@ EAPI=8
-inherit meson
+# Flatcar: inherit from systemd because we need to use systemd_enable_service below
+inherit meson systemd
 DESCRIPTION="Automated Encryption Framework"
 HOMEPAGE="https://github.com/latchset/clevis"
@@ -14,9 +15,22 @@ SLOT="0"
 KEYWORDS="~amd64"
 IUSE="+luks +tpm"
+# Flatcar: add dependency for Dracut module
 DEPEND="
 dev-libs/jose
 sys-fs/cryptsetup
+ sys-kernel/dracut
+ luks? (
+ app-misc/jq
+ dev-libs/libpwquality
+ dev-libs/luksmeta
+ )
+ tpm? ( app-crypt/tpm2-tools )
+"
+# Flatcar: The Clevis meson build will not build certain features if certain executables are not found at build time, such as `tpm2_createprimary`.
+# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather
+# under `/`. A fix to make meson find all binaries and include all desired features is to install such runtime dependencies into the SDK.
+BDEPEND="
 luks? (
 app-misc/jq
 dev-libs/libpwquality
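Review bot: The new `sys-kernel/dracut`, `luks?` and `tpm?` entries go only into DEPEND, which in EAPI 8 is a build-time dependency; unless RDEPEND is set from DEPEND in a line outside this hunk, `clevis` can be installed onto the target without `dracut`, `jq`, `luksmeta` or `tpm2-tools` present at runtime, which is when the dracut module and the LUKS unlock actually need them. `RDEPEND="${DEPEND}"` after the closing quote of DEPEND (or an explicit RDEPEND list) would close that gap. The BDEPEND comment explains that `tpm2_createprimary` must be visible to meson's `find_program` at build time, but the visible part of BDEPEND starts with `luks?` only; the `tpm? ( app-crypt/tpm2-tools )` entry presumably follows in the lines past the hunk and is worth confirming, since a missing one drops the TPM pin silently rather than failing the build. The three comment lines above BDEPEND run well past 100 columns; wrapping them at the ebuild's usual width would help.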
@@ -32,4 +46,22 @@ PATCHES=(
 "${FILESDIR}/clevis-dracut.patch"
 # Fix for systemd on Gentoo
 "${FILESDIR}/clevis-meson.patch"
+ # Flatcar:
+ # * install `clevis-pin-tang` dracut module in the absence of dracut `network`
+ # module; Flatcar uses a custom network module
+ # * skip copying `/etc/services` into initramfs when installing `clevis` dracut
+ # module, which would fail
+ "${FILESDIR}/clevis-dracut-flatcar.patch"
 )
+
+post_src_install() {
+ # Flatcar: the meson build for app-crypt/clevis installs some files to ${D}${ROOT}. After that, Portage
+ # copies from ${D} to ${ROOT}, leading to files ending up in, e.g., /build/amd64-usr/build/amd64-usr/.
+ # As a workaround, we move everything from ${D}${ROOT} to ${D} after the src_install phase.
+ rsync -av ${D}${ROOT}/ ${D}
+ rm -rfv ${D}${ROOT}
+
+ # Flatcar: enable the systemd unit that triggers Clevis's automatic response to LUKS
+ # disk decryption password prompts.
+ systemd_enable_service cryptsetup.target clevis-luks-askpass.path
+}
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch
new file mode 100644
index 0000000000..4a4c457253
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch
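Review bot: `rm -rfv ${D}${ROOT}` in post_src_install is unsafe when the package is built for the SDK itself: in EAPI 7 and later `ROOT` is the empty string for `/`, so the command becomes `rm -rfv ${D}` and deletes the whole install image, and the unquoted `${D}${ROOT}` additionally word-splits on any space in the paths. Neither the rsync nor the rm is followed by `|| die`, so a partially copied image would be installed silently. Guarding the relocation on a non-empty `ROOT` and an existing directory, quoting the paths and dying on failure keeps the workaround limited to the cross-root case it was written for; the rewritten lines are below. Portage's `post_src_install` hook is not a PMS phase, so the conventional form would be `src_install() { meson_src_install; ...; }`, which would also take care of the missing trailing newline reported at the closing brace.
```shell
post_src_install() {
	# … unchanged: Flatcar comment on the ${D}${ROOT} workaround …
	# Only relocate when ROOT is a real sysroot: in EAPI 7+ ROOT is "" for /,
	# so "${D}${ROOT}" would be "${D}" itself and the rm below would wipe the image.
	if [[ -n "${ROOT}" && -d "${D}${ROOT}" ]]; then
		rsync -av "${D}${ROOT}/" "${D}/" || die "relocating ${D}${ROOT} to ${D} failed"
		rm -rfv "${D}${ROOT}" || die "removing ${D}${ROOT} failed"
	fi
	# … unchanged: systemd_enable_service …
}
```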
@@ -0,0 +1,25 @@
+diff --git a/src/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+index 929b878..c48e282 100755
+--- a/src/dracut/clevis-pin-tang/module-setup.sh.in
++++ b/src/dracut/clevis-pin-tang/module-setup.sh.in
+@@ -19,7 +19,7 @@
+ #
+
+ depends() {
+- echo clevis network
++ echo clevis
+ return 0
+ }
+
+diff --git a/src/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+index dbce790..c9581db 100755
+--- a/src/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -48,7 +48,6 @@ install() {
+ fi
+
+ inst_multiple \
+- /etc/services \
+ clevis-luks-common-functions \
+ grep sed cut \
+ clevis-decrypt \
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
index 47804fd7a1..18fcd69367 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
@@ -2,8 +2,8 @@
- julien@jroy.ca - Julien Roy + kjain7@u.rochester.edu + Krish Jain (based off Julien Roy's work) latchset/clevis
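Review bot: The new patch file carries no header, so the two behavioural changes it makes — dropping `network` from the tang pin's `depends()` and no longer adding `/etc/services` to `inst_multiple` — are explained only in the ebuild's PATCHES comment, which a reader of `files/` will not see. Git applies free text placed above the first `diff --git` as a description, so a few lines there stating that Flatcar ships its own dracut network module and that `/etc/services` is not present in the build root (hence the copy failed) would keep the rationale with the change. Since `/etc/services` is what name-to-port lookups in the initramfs read, that header is also the place to record whether any tool pulled in by the `clevis` module depends on it; if tang is only reached by URL with a numeric port this can be a one-line statement. The inner `depends()` and `install()` bodies continue outside the quoted context lines.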