diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh index 1fd94845ca..1f40630669 100755 --- a/build_library/prod_image_util.sh +++ b/build_library/prod_image_util.sh @@ -92,6 +92,9 @@ create_prod_image() { run_ldconfig "${root_fs_dir}" run_localedef "${root_fs_dir}" + # Enable desired systemd units. + systemd_enable "${root_fs_dir}" cryptsetup.target clevis-luks-askpass.path + local root_with_everything="${root_fs_dir}" # Call helper script for adding sysexts to the base OS. diff --git a/changelog/updates/2025-03-14-clevis-21.md b/changelog/updates/2025-03-14-clevis-21.md new file mode 100644 index 0000000000..72587dbe26 --- /dev/null +++ b/changelog/updates/2025-03-14-clevis-21.md @@ -0,0 +1 @@ +- Clevis ([21](https://github.com/latchset/clevis/releases/tag/v21)) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest index ead9af1f71..8d7f0de085 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest @@ -1 +1 @@ -DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a +DIST clevis-21.tar.gz 101599 BLAKE2B 3c02b409e3571d73ad46383da1863e2e2af33786e5a4d4a671b0423133442f379cd42e63f0d8c907604f3339bbf253c255eeefc7567b636ccf1cdb9993efa6dd SHA512 f069969a45195679cc5e521ed0b4ec2199d774aab59ec1d60533a3e9af70468aa2c75dfc695e9d48a255828971a3cf199388c92ffa999faadfc16d7c80eb9fde 
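Review bot: The new `systemd_enable "${root_fs_dir}" cryptsetup.target clevis-luks-askpass.path` call runs unconditionally in create_prod_image, whereas the `systemd_enable_service` call it replaces (removed from the clevis ebuild's post_src_install later in this same diff) only ran when app-crypt/clevis was actually installed into the root. If an image is built without clevis, or with USE=-luks so the unit is absent, this will presumably leave a dangling `cryptsetup.target.wants/clevis-luks-askpass.path` symlink or fail the build, depending on what the systemd_enable helper (defined outside this hunk) does with a missing unit; guard it on the unit's presence, e.g. `if [[ -e "${root_fs_dir}/usr/lib/systemd/system/clevis-luks-askpass.path" ]]; then` … `fi` (adjust the unit directory if Flatcar installs units elsewhere). The comment `# Enable desired systemd units.` also does not say why this unit in particular is enabled here; suggest `# Clevis: auto-answer LUKS passphrase prompts at boot (previously enabled by the clevis ebuild).` create_prod_image begins before and continues past this hunk.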
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-21.ebuild similarity index 55% rename from sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-21.ebuild index 0f5aff2314..2a162fa209 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-21.ebuild @@ -1,10 +1,9 @@ -# Copyright 2022-2023 Gentoo Authors +# Copyright 2022-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 -# Flatcar: inherit from systemd because we need to use systemd_enable_service below -inherit meson systemd +inherit meson DESCRIPTION="Automated Encryption Framework" HOMEPAGE="https://github.com/latchset/clevis" 
@@ -15,53 +14,39 @@ SLOT="0" KEYWORDS="~amd64" IUSE="+luks +tpm" -# Flatcar: add dependency for Dracut module DEPEND=" dev-libs/jose sys-fs/cryptsetup sys-kernel/dracut luks? ( app-misc/jq - dev-libs/libpwquality dev-libs/luksmeta ) tpm? ( app-crypt/tpm2-tools ) " # Flatcar: The Clevis meson build will not build certain features if certain executables are not found at build time, such as `tpm2_createprimary`. -# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather +# The meson function `find_program` that checks for the existence of the executables does not seem to search paths under ${ROOT}, but rather # under `/`. A fix to make meson find all binaries and include all desired features is to install such runtime dependencies into the SDK. BDEPEND=" luks? ( app-misc/jq - dev-libs/libpwquality dev-libs/luksmeta ) tpm? ( app-crypt/tpm2-tools ) " -RDEPEND="${DEPEND}" +RDEPEND=" + ${DEPEND} + dev-libs/jansson + dev-libs/openssl:= +" PATCHES=( - # From https://github.com/latchset/clevis/pull/347 - # Allows using dracut without systemd - "${FILESDIR}/clevis-dracut.patch" # Fix for systemd on Gentoo "${FILESDIR}/clevis-meson.patch" - # Flatcar: - # * install `clevis-pin-tang` dracut module in the absence of dracut `network` + # Flatcar: + # * install `clevis-pin-tang` dracut module in the absence of dracut `network` # module; Flatcar uses a custom network module - # * skip copying `/etc/services` into initramfs when installing `clevis` dracut + # * skip copying `/etc/services` into initramfs when installing `clevis` dracut # module, which would fail "${FILESDIR}/clevis-dracut-flatcar.patch" ) - -post_src_install() { - # Flatcar: the meson build for app-crypt/clevis installs some files to ${D}${ROOT}. After that, Portage - # copies from ${D} to ${ROOT}, leading to files ending up in, e.g., /build/amd64-usr/build/amd64-usr/. 
- # As a workaround, we move everything from ${D}${ROOT} to ${D} after the src_install phase. - rsync -av ${D}${ROOT}/ ${D} - rm -rfv ${D}${ROOT} - - # Flatcar: enable the systemd unit that triggers Clevis's automatic response to LUKS - # disk decryption password prompts. - systemd_enable_service cryptsetup.target clevis-luks-askpass.path -} \ No newline at end of file diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch index 4a4c457253..3a0321e519 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut-flatcar.patch @@ -1,7 +1,7 @@ -diff --git a/src/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in +diff --git a/src/luks/dracut/clevis-pin-tang/module-setup.sh.in b/src/luks/dracut/clevis-pin-tang/module-setup.sh.in index 929b878..c48e282 100755 ---- a/src/dracut/clevis-pin-tang/module-setup.sh.in -+++ b/src/dracut/clevis-pin-tang/module-setup.sh.in +--- a/src/luks/dracut/clevis-pin-tang/module-setup.sh.in ++++ b/src/luks/dracut/clevis-pin-tang/module-setup.sh.in @@ -19,7 +19,7 @@ # @@ -11,10 +11,10 @@ index 929b878..c48e282 100755 return 0 } -diff --git a/src/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in +diff --git a/src/luks/dracut/clevis/module-setup.sh.in b/src/luks/dracut/clevis/module-setup.sh.in index dbce790..c9581db 100755 ---- a/src/dracut/clevis/module-setup.sh.in -+++ b/src/dracut/clevis/module-setup.sh.in +--- a/src/luks/dracut/clevis/module-setup.sh.in ++++ b/src/luks/dracut/clevis/module-setup.sh.in @@ -48,7 +48,6 @@ install() { fi 
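Review bot: `sys-kernel/dracut` is listed only in DEPEND, but the retained comment above BDEPEND says meson's `find_program` searches `/` rather than `${ROOT}`, and the dracut patch deleted later in this diff shows (at least in the clevis 19 tree) that the module install is gated on `if dracut.found()` with only a `warning(...)` otherwise, so a missing dracut in the SDK would silently drop the clevis dracut module from the image instead of failing the build; unless dracut is already guaranteed to be in the SDK, add `sys-kernel/dracut` to BDEPEND next to jq/luksmeta/tpm2-tools, or add a `# Flatcar:` comment stating why it is exempt. Removing `post_src_install` also drops the `rsync -av ${D}${ROOT}/ ${D}` workaround for files landing under `${D}${ROOT}` with no visible replacement; if clevis 21 (or the kept clevis-meson.patch) fixes that, a one-line comment near PATCHES saying so would stop the next version bump from re-adding it. The rewritten comment lines in this hunk (`# The meson function ...`, `# Flatcar:`, `# * install ...`) appear to differ only in trailing whitespace; if so, drop those changes so the ebuild diff stays readable.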
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch deleted file mode 100644 index 60873b84e4..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch +++ /dev/null 
@@ -1,216 +0,0 @@ -diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build -rename to src/dracut/clevis-pin-sss/meson.build -diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in -rename to src/dracut/clevis-pin-sss/module-setup.sh.in -diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build -rename to src/dracut/clevis-pin-tang/meson.build -diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in -rename to src/dracut/clevis-pin-tang/module-setup.sh.in -diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build -rename to src/dracut/clevis-pin-tpm2/meson.build -diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in -similarity index 100% -rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in -rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in -diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in -new file mode 100755 -index 0000000..91ff2bd ---- /dev/null -+++ b/src/dracut/clevis/clevis-hook.sh.in -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+@libexecdir@/clevis-luks-generic-unlocker -l -diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker -new file mode 100755 -index 0000000..a3b9d62 ---- 
/dev/null -+++ b/src/dracut/clevis/clevis-luks-generic-unlocker -@@ -0,0 +1,70 @@ -+#!/bin/bash -+set -eu -+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: -+# -+# Copyright (c) 2020-2021 Red Hat, Inc. -+# Author: Sergio Correia -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+ -+. clevis-luks-common-functions -+ -+# Make sure to exit cleanly if SIGTERM is received. -+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM -+ -+loop= -+while getopts ":l" o; do -+ case "${o}" in -+ l) loop=true;; -+ *) ;; -+ esac -+done -+ -+to_unlock() { -+ local _devices='' _d _uuid -+ for _d in $(lsblk -o PATH,FSTYPE,RM \ -+ | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u); -+ do -+ if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \ -+ || [ -z "${bindings}" ]; then -+ continue -+ fi -+ _uuid="$(cryptsetup luksUUID "${_d}")" -+ if clevis_is_luks_device_by_uuid_open "${_uuid}"; then -+ continue -+ fi -+ _devices="$(printf '%s\n%s' "${_devices}" "${_d}")" -+ done -+ echo "${_devices}" | sed -e 's/^\n$//' -+} -+ -+while true; do -+ for d in $(to_unlock); do -+ uuid="$(cryptsetup luksUUID "${d}")" -+ if ! clevis luks unlock -d "${d}"; then -+ echo "Unable to unlock ${d} (UUID=${uuid})" >&2 -+ continue -+ fi -+ echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2 -+ done -+ -+ [ "${loop}" != true ] && break -+ # Checking for pending devices to be unlocked. 
-+ if remaining=$(to_unlock) && [ -z "${remaining}" ]; then -+ break; -+ fi -+ -+ sleep 0.5 -+done -diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build -similarity index 87% -rename from src/luks/systemd/dracut/clevis/meson.build -rename to src/dracut/clevis/meson.build -index 167e708..224e27f 100644 ---- a/src/luks/systemd/dracut/clevis/meson.build -+++ b/src/dracut/clevis/meson.build -@@ -16,6 +16,7 @@ if dracut.found() - install_dir: dracutdir, - configuration: data, - ) -+ install_data('clevis-luks-generic-unlocker', install_dir: libexecdir) - else - warning('Will not install dracut module due to missing dependencies!') - endif -diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in -similarity index 76% -rename from src/luks/systemd/dracut/clevis/module-setup.sh.in -rename to src/dracut/clevis/module-setup.sh.in -index bfe657c..dbce790 100755 ---- a/src/luks/systemd/dracut/clevis/module-setup.sh.in -+++ b/src/dracut/clevis/module-setup.sh.in -@@ -19,7 +19,11 @@ - # - - depends() { -- echo crypt systemd -+ local __depends=crypt -+ if dracut_module_included "systemd"; then -+ __depends=$(printf '%s systemd' "${_depends}") -+ fi -+ echo "${__depends}" - return 255 - } - -@@ -27,17 +31,24 @@ install() { - if dracut_module_included "systemd"; then - inst_multiple \ - $systemdsystemunitdir/clevis-luks-askpass.service \ -- $systemdsystemunitdir/clevis-luks-askpass.path -+ $systemdsystemunitdir/clevis-luks-askpass.path \ -+ @SYSTEMD_REPLY_PASS@ \ -+ @libexecdir@/clevis-luks-askpass - systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path - else - inst_hook initqueue/online 60 "$moddir/clevis-hook.sh" - inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" -+ -+ inst_multiple \ -+ @libexecdir@/clevis-luks-generic-unlocker \ -+ clevis-luks-unlock \ -+ lsblk \ -+ sort \ -+ awk - fi - - inst_multiple \ - /etc/services \ -- @SYSTEMD_REPLY_PASS@ \ -- 
@libexecdir@/clevis-luks-askpass \ - clevis-luks-common-functions \ - grep sed cut \ - clevis-decrypt \ -diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build -similarity index 78% -rename from src/luks/systemd/dracut/meson.build -rename to src/dracut/meson.build -index 7ad5b14..fdb264b 100644 ---- a/src/luks/systemd/dracut/meson.build -+++ b/src/dracut/meson.build -@@ -2,4 +2,3 @@ subdir('clevis') - subdir('clevis-pin-tang') - subdir('clevis-pin-tpm2') - subdir('clevis-pin-sss') --subdir('clevis-pin-null') -diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in -deleted file mode 100755 -index cb257c9..0000000 ---- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in -+++ /dev/null -@@ -1,2 +0,0 @@ --#!/bin/bash --@libexecdir@/clevis-luks-askpass -diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build -index e3b3d91..b10494e 100644 ---- a/src/luks/systemd/meson.build -+++ b/src/luks/systemd/meson.build -@@ -10,7 +10,6 @@ sd_reply_pass = find_program( - - if systemd.found() and sd_reply_pass.found() - data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) -- subdir('dracut') - - unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') - -diff --git a/src/meson.build b/src/meson.build -index c4e696f..a0dff5b 100644 ---- a/src/meson.build -+++ b/src/meson.build -@@ -1,6 +1,7 @@ - subdir('bash') - subdir('luks') - subdir('pins') -+subdir('dracut') - subdir('initramfs-tools') - - bins += join_paths(meson.current_source_dir(), 'clevis-decrypt') diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 1bd462daa0..75a62aa7d4 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords 
@@ -23,7 +23,7 @@ =app-crypt/ccid-1.5.5 ~arm64 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet. -=app-crypt/clevis-19-r1 ** +=app-crypt/clevis-21 ** # Needed by arm64-native SDK. =app-emulation/open-vmdk-1.0 *