app-crypt/clevis: Version bump to 21

This moves the systemd unit enabling to the image build scripts to make the ebuild less Flatcar-specific. Unfortunately, Clevis is still very automagic, resulting in a poor quality ebuild. Improving this was actually the very first thing I tried to do for Flatcar back in 2022, 1½ years before I joined the team. I will try to revive this effort soon, and then we can maybe get the package upstreamed to Gentoo. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
2026-05-04 11:51:14 +02:00 · 2025-03-14 17:35:34 +00:00 · 2025-03-14 17:35:34 +00:00 · 89c1c5fcd1
commit 89c1c5fcd1
parent 24d8122b96
7 changed files with 23 additions and 250 deletions
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@ -92,6 +92,9 @@ create_prod_image() {
  run_ldconfig "${root_fs_dir}"
  run_localedef "${root_fs_dir}"

+  # Enable desired systemd units.
+  systemd_enable "${root_fs_dir}" cryptsetup.target clevis-luks-askpass.path
+
  local root_with_everything="${root_fs_dir}"

  # Call helper script for adding sysexts to the base OS.
--- a/changelog/updates/2025-03-14-clevis-21.md
+++ b/changelog/updates/2025-03-14-clevis-21.md
@ -0,0 +1 @@
+- Clevis ([21](https://github.com/latchset/clevis/releases/tag/v21))
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest
@ -1 +1 @@
-DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a
+DIST clevis-21.tar.gz 101599 BLAKE2B 3c02b409e3571d73ad46383da1863e2e2af33786e5a4d4a671b0423133442f379cd42e63f0d8c907604f3339bbf253c255eeefc7567b636ccf1cdb9993efa6dd SHA512 f069969a45195679cc5e521ed0b4ec2199d774aab59ec1d60533a3e9af70468aa2c75dfc695e9d48a255828971a3cf199388c92ffa999faadfc16d7c80eb9fde
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
@ -1,10 +1,9 @@
-# Copyright 2022-2023 Gentoo Authors
+# Copyright 2022-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 EAPI=8

-# Flatcar: inherit from systemd because we need to use systemd_enable_service below
-inherit meson systemd
+inherit meson

 DESCRIPTION="Automated Encryption Framework"
 HOMEPAGE="https://github.com/latchset/clevis"
@ -15,53 +14,39 @@ SLOT="0"
 KEYWORDS="~amd64"
 IUSE="+luks +tpm"

-# Flatcar: add dependency for Dracut module
 DEPEND="
 	dev-libs/jose
 	sys-fs/cryptsetup
 	sys-kernel/dracut
 	luks? (
 		app-misc/jq
-		dev-libs/libpwquality
 		dev-libs/luksmeta
 	)
 	tpm? ( app-crypt/tpm2-tools )
 "
 # Flatcar: The Clevis meson build will not build certain features if certain executables are not found at build time, such as `tpm2_createprimary`.
-# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather 
+# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather
 # under `/`. A fix to make meson find all binaries and include all desired features is to install such runtime dependencies into the SDK.
 BDEPEND="
 	luks? (
 		app-misc/jq
-		dev-libs/libpwquality
 		dev-libs/luksmeta
 	)
 	tpm? ( app-crypt/tpm2-tools )
 "
-RDEPEND="${DEPEND}"
+RDEPEND="
+	${DEPEND}
+	dev-libs/jansson
+	dev-libs/openssl:=
+"

 PATCHES=(
-	# From https://github.com/latchset/clevis/pull/347
-	# Allows using dracut without systemd
-	"${FILESDIR}/clevis-dracut.patch"
 	# Fix for systemd on Gentoo
 	"${FILESDIR}/clevis-meson.patch"
-	# Flatcar: 
-	# * install `clevis-pin-tang` dracut module in the absence of dracut `network` 
+	# Flatcar:
+	# * install `clevis-pin-tang` dracut module in the absence of dracut `network`
 	#   module; Flatcar uses a custom network module
-	# * skip copying `/etc/services` into initramfs when installing `clevis` dracut 
+	# * skip copying `/etc/services` into initramfs when installing `clevis` dracut
 	# 	module, which would fail
 	"${FILESDIR}/clevis-dracut-flatcar.patch"
 )
-
-post_src_install() {
-	# Flatcar: the meson build for app-crypt/clevis installs some files to ${D}${ROOT}. After that, Portage
-	# copies from ${D} to ${ROOT}, leading to files ending up in, e.g., /build/amd64-usr/build/amd64-usr/.
-	# As a workaround, we move everything from ${D}${ROOT} to ${D} after the src_install phase.
- 	rsync -av ${D}${ROOT}/ ${D}
- 	rm -rfv ${D}${ROOT}
-
-	# Flatcar: enable the systemd unit that triggers Clevis's automatic response to LUKS
-	# disk decryption password prompts.
- 	systemd_enable_service cryptsetup.target clevis-luks-askpass.path
-}
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch
@ -1,7 +1,7 @@
-diff --git a/src/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+diff --git a/src/luks/dracut/clevis-pin-tang/module-setup.sh.in b/src/luks/dracut/clevis-pin-tang/module-setup.sh.in
 index 929b878..c48e282 100755
--- a/src/dracut/clevis-pin-tang/module-setup.sh.in
-+++ b/src/dracut/clevis-pin-tang/module-setup.sh.in
+--- a/src/luks/dracut/clevis-pin-tang/module-setup.sh.in
+++ b/src/luks/dracut/clevis-pin-tang/module-setup.sh.in
@@ -19,7 +19,7 @@
 #
 
@ -11,10 +11,10 @@ index 929b878..c48e282 100755
     return 0
 }
 
-diff --git a/src/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+diff --git a/src/luks/dracut/clevis/module-setup.sh.in b/src/luks/dracut/clevis/module-setup.sh.in
 index dbce790..c9581db 100755
--- a/src/dracut/clevis/module-setup.sh.in
-+++ b/src/dracut/clevis/module-setup.sh.in
+--- a/src/luks/dracut/clevis/module-setup.sh.in
+++ b/src/luks/dracut/clevis/module-setup.sh.in
@@ -48,7 +48,6 @@ install() {
     fi
 
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
@ -1,216 +0,0 @@
-diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
-rename to src/dracut/clevis-pin-sss/meson.build
-diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
-rename to src/dracut/clevis-pin-sss/module-setup.sh.in
-diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
-rename to src/dracut/clevis-pin-tang/meson.build
-diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
-rename to src/dracut/clevis-pin-tang/module-setup.sh.in
-diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
-rename to src/dracut/clevis-pin-tpm2/meson.build
-diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
-similarity index 100%
-rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
-rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
-diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
-new file mode 100755
-index 0000000..91ff2bd
--- /dev/null
-+++ b/src/dracut/clevis/clevis-hook.sh.in
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+@libexecdir@/clevis-luks-generic-unlocker -l
-diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
-new file mode 100755
-index 0000000..a3b9d62
--- /dev/null
-+++ b/src/dracut/clevis/clevis-luks-generic-unlocker
-@@ -0,0 +1,70 @@
-+#!/bin/bash
-+set -eu
-+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2020-2021 Red Hat, Inc.
-+# Author: Sergio Correia <scorreia@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+. clevis-luks-common-functions
-+
-+# Make sure to exit cleanly if SIGTERM is received.
-+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
-+
-+loop=
-+while getopts ":l" o; do
-+    case "${o}" in
-+    l) loop=true;;
-+    *) ;;
-+    esac
-+done
-+
-+to_unlock() {
-+    local _devices='' _d _uuid
-+    for _d in $(lsblk -o PATH,FSTYPE,RM \
-+               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
-+    do
-+        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
-+                         || [ -z "${bindings}" ]; then
-+            continue
-+        fi
-+        _uuid="$(cryptsetup luksUUID "${_d}")"
-+        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
-+            continue
-+        fi
-+        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
-+    done
-+    echo "${_devices}" | sed -e 's/^\n$//'
-+}
-+
-+while true; do
-+    for d in $(to_unlock); do
-+        uuid="$(cryptsetup luksUUID "${d}")"
-+        if ! clevis luks unlock -d "${d}"; then
-+            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
-+            continue
-+        fi
-+        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
-+    done
-+
-+    [ "${loop}" != true ] && break
-+    # Checking for pending devices to be unlocked.
-+    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
-+        break;
-+    fi
-+
-+    sleep 0.5
-+done
-diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
-similarity index 87%
-rename from src/luks/systemd/dracut/clevis/meson.build
-rename to src/dracut/clevis/meson.build
-index 167e708..224e27f 100644
--- a/src/luks/systemd/dracut/clevis/meson.build
-+++ b/src/dracut/clevis/meson.build
-@@ -16,6 +16,7 @@ if dracut.found()
-     install_dir: dracutdir,
-     configuration: data,
-   )
-+  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
- else
-   warning('Will not install dracut module due to missing dependencies!')
- endif
-diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
-similarity index 76%
-rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
-rename to src/dracut/clevis/module-setup.sh.in
-index bfe657c..dbce790 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
-+++ b/src/dracut/clevis/module-setup.sh.in
-@@ -19,7 +19,11 @@
- #
- 
- depends() {
-    echo crypt systemd
-+    local __depends=crypt
-+    if dracut_module_included "systemd"; then
-+        __depends=$(printf '%s systemd' "${_depends}")
-+    fi
-+    echo "${__depends}"
-     return 255
- }
- 
-@@ -27,17 +31,24 @@ install() {
-     if dracut_module_included "systemd"; then
-         inst_multiple \
-             $systemdsystemunitdir/clevis-luks-askpass.service \
-            $systemdsystemunitdir/clevis-luks-askpass.path
-+            $systemdsystemunitdir/clevis-luks-askpass.path \
-+            @SYSTEMD_REPLY_PASS@ \
-+            @libexecdir@/clevis-luks-askpass
-         systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
-     else
-         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
-         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
-+
-+	inst_multiple \
-+            @libexecdir@/clevis-luks-generic-unlocker \
-+            clevis-luks-unlock \
-+            lsblk \
-+            sort \
-+            awk
-     fi
- 
-     inst_multiple \
-         /etc/services \
-        @SYSTEMD_REPLY_PASS@ \
-        @libexecdir@/clevis-luks-askpass \
-         clevis-luks-common-functions \
-         grep sed cut \
-         clevis-decrypt \
-diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
-similarity index 78%
-rename from src/luks/systemd/dracut/meson.build
-rename to src/dracut/meson.build
-index 7ad5b14..fdb264b 100644
--- a/src/luks/systemd/dracut/meson.build
-+++ b/src/dracut/meson.build
-@@ -2,4 +2,3 @@ subdir('clevis')
- subdir('clevis-pin-tang')
- subdir('clevis-pin-tpm2')
- subdir('clevis-pin-sss')
-subdir('clevis-pin-null')
-diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
-deleted file mode 100755
-index cb257c9..0000000
--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
-+++ /dev/null
-@@ -1,2 +0,0 @@
-#!/bin/bash
-@libexecdir@/clevis-luks-askpass
-diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
-index e3b3d91..b10494e 100644
--- a/src/luks/systemd/meson.build
-+++ b/src/luks/systemd/meson.build
-@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
- 
- if systemd.found() and sd_reply_pass.found()
-   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
-  subdir('dracut')
- 
-   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
- 
-diff --git a/src/meson.build b/src/meson.build
-index c4e696f..a0dff5b 100644
--- a/src/meson.build
-+++ b/src/meson.build
-@@ -1,6 +1,7 @@
- subdir('bash')
- subdir('luks')
- subdir('pins')
-+subdir('dracut')
- subdir('initramfs-tools')
- 
- bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@ -23,7 +23,7 @@
 =app-crypt/ccid-1.5.5 ~arm64

 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
-=app-crypt/clevis-19-r1 **
+=app-crypt/clevis-21 **

 # Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
				`@ -0,0 +1 @@`
				`- Clevis ([21](https://github.com/latchset/clevis/releases/tag/v21))`