From ce31221bd69bfa129acb03e25ac0700187e54df0 Mon Sep 17 00:00:00 2001 
From: Krish Jain Date: Sun, 16 Jul 2023 11:58:32 +0530 Subject: [PATCH] Add clevis support files/changes --- .../acct-group/tang/metadata.xml | 8 + .../acct-group/tang/tang-0.ebuild | 10 + .../acct-user/tang/metadata.xml | 8 + .../acct-user/tang/tang-0.ebuild | 13 ++ .../coreos-overlay/app-crypt/clevis/Manifest | 1 + .../app-crypt/clevis/clevis-19-r1.ebuild | 35 +++ .../clevis/files/clevis-dracut.patch | 216 ++++++++++++++++++ .../app-crypt/clevis/files/clevis-meson.patch | 11 + .../app-crypt/clevis/metadata.xml | 15 ++ .../coreos-overlay/app-crypt/tang/Manifest | 2 + .../coreos-overlay/app-crypt/tang/files/tangd | 8 + .../app-crypt/tang/files/tangd.initd | 11 + .../app-crypt/tang/files/tangd.service | 6 + .../app-crypt/tang/metadata.xml | 11 + .../app-crypt/tang/tang-13.ebuild | 35 +++ .../app-crypt/tang/tang-14.ebuild | 35 +++ .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 + .../coreos-overlay/dev-libs/jose/Manifest | 1 + .../dev-libs/jose/jose-11-r1.ebuild | 20 ++ .../coreos-overlay/dev-libs/jose/metadata.xml | 11 + .../coreos-overlay/dev-libs/luksmeta/Manifest | 1 + .../luksmeta/files/luksmeta-tests.patch | 137 +++++++++++ .../dev-libs/luksmeta/luksmeta-9.ebuild | 34 +++ .../dev-libs/luksmeta/metadata.xml | 11 + .../coreos/targets/generic/prod/package.mask | 1 - .../bootengine/bootengine-9999.ebuild | 7 +- sdk_container/src/third_party/gentoo | 1 + 27 files changed, 645 insertions(+), 5 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild create 
mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml create mode 160000 sdk_container/src/third_party/gentoo diff --git a/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml new file mode 100644 index 0000000000..97ba7c28bb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml 
@@ -0,0 +1,8 @@ + + + + + julien@jroy.ca + Julien Roy + + diff --git a/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild new file mode 100644 index 0000000000..c48b2ad8f5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild @@ -0,0 +1,10 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit acct-group + +DESCRIPTION="Group for tang daemon" + +ACCT_GROUP_ID=-1 diff --git a/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml new file mode 100644 index 0000000000..97ba7c28bb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml @@ -0,0 +1,8 @@ + + + + + julien@jroy.ca + Julien Roy + + diff --git a/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild new file mode 100644 index 0000000000..e76b2a0926 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild @@ -0,0 +1,13 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit acct-user + +DESCRIPTION="User for tang daemon" + +ACCT_USER_ID=-1 +ACCT_USER_GROUPS=( ${PN} ) + +acct-user_add_deps diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest new file mode 100644 index 0000000000..ead9af1f71 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest 
@@ -0,0 +1 @@
+DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
new file mode 100644
index 0000000000..37a4b60eb9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
@@ -0,0 +1,35 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson
+
+DESCRIPTION="Automated Encryption Framework"
+HOMEPAGE="https://github.com/latchset/clevis"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+luks +tpm"
+
+DEPEND="
+ dev-libs/jose
+ sys-fs/cryptsetup
+ luks? (
+ app-misc/jq
+ dev-libs/libpwquality
+ dev-libs/luksmeta
+ )
+ tpm? ( app-crypt/tpm2-tools )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ # From https://github.com/latchset/clevis/pull/347
+ # Allows using dracut without systemd
+ "${FILESDIR}/clevis-dracut.patch"
+ # Fix for systemd on Gentoo
+ "${FILESDIR}/clevis-meson.patch"
+)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
new file mode 100644
index 0000000000..60873b84e4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
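Review bot: `IUSE="+luks +tpm"` only toggles entries in DEPEND; nothing in the ebuild passes either flag to meson, so as far as this file shows USE=-luks or USE=-tpm still builds and installs the corresponding pins while dropping the tools they need at runtime (jq, luksmeta, tpm2-tools). Either wire the flags into the build (meson options, or pruning the unwanted pin files in src_install) or make both dependency groups unconditional and drop IUSE. The bundled dracut patch also installs `lsblk`, `sort` and `awk` into the initramfs via inst_multiple, but no dependency here provides them; if that module is meant to be used on Flatcar, add the package providing lsblk (sys-apps/util-linux in Gentoo) to RDEPEND.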
@@ -0,0 +1,216 @@ +diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build +rename to src/dracut/clevis-pin-sss/meson.build +diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in +rename to src/dracut/clevis-pin-sss/module-setup.sh.in +diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build +rename to src/dracut/clevis-pin-tang/meson.build +diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in +rename to src/dracut/clevis-pin-tang/module-setup.sh.in +diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build +rename to src/dracut/clevis-pin-tpm2/meson.build +diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in +similarity index 100% +rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in +rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in +diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in +new file mode 100755 +index 0000000..91ff2bd +--- /dev/null ++++ b/src/dracut/clevis/clevis-hook.sh.in +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++@libexecdir@/clevis-luks-generic-unlocker -l +diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker +new file mode 100755 +index 0000000..a3b9d62 +--- 
/dev/null ++++ b/src/dracut/clevis/clevis-luks-generic-unlocker +@@ -0,0 +1,70 @@ ++#!/bin/bash ++set -eu ++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: ++# ++# Copyright (c) 2020-2021 Red Hat, Inc. ++# Author: Sergio Correia ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++. clevis-luks-common-functions ++ ++# Make sure to exit cleanly if SIGTERM is received. ++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM ++ ++loop= ++while getopts ":l" o; do ++ case "${o}" in ++ l) loop=true;; ++ *) ;; ++ esac ++done ++ ++to_unlock() { ++ local _devices='' _d _uuid ++ for _d in $(lsblk -o PATH,FSTYPE,RM \ ++ | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u); ++ do ++ if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \ ++ || [ -z "${bindings}" ]; then ++ continue ++ fi ++ _uuid="$(cryptsetup luksUUID "${_d}")" ++ if clevis_is_luks_device_by_uuid_open "${_uuid}"; then ++ continue ++ fi ++ _devices="$(printf '%s\n%s' "${_devices}" "${_d}")" ++ done ++ echo "${_devices}" | sed -e 's/^\n$//' ++} ++ ++while true; do ++ for d in $(to_unlock); do ++ uuid="$(cryptsetup luksUUID "${d}")" ++ if ! clevis luks unlock -d "${d}"; then ++ echo "Unable to unlock ${d} (UUID=${uuid})" >&2 ++ continue ++ fi ++ echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2 ++ done ++ ++ [ "${loop}" != true ] && break ++ # Checking for pending devices to be unlocked. 
++ if remaining=$(to_unlock) && [ -z "${remaining}" ]; then ++ break; ++ fi ++ ++ sleep 0.5 ++done +diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build +similarity index 87% +rename from src/luks/systemd/dracut/clevis/meson.build +rename to src/dracut/clevis/meson.build +index 167e708..224e27f 100644 +--- a/src/luks/systemd/dracut/clevis/meson.build ++++ b/src/dracut/clevis/meson.build +@@ -16,6 +16,7 @@ if dracut.found() + install_dir: dracutdir, + configuration: data, + ) ++ install_data('clevis-luks-generic-unlocker', install_dir: libexecdir) + else + warning('Will not install dracut module due to missing dependencies!') + endif +diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in +similarity index 76% +rename from src/luks/systemd/dracut/clevis/module-setup.sh.in +rename to src/dracut/clevis/module-setup.sh.in +index bfe657c..dbce790 100755 +--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in ++++ b/src/dracut/clevis/module-setup.sh.in +@@ -19,7 +19,11 @@ + # + + depends() { +- echo crypt systemd ++ local __depends=crypt ++ if dracut_module_included "systemd"; then ++ __depends=$(printf '%s systemd' "${_depends}") ++ fi ++ echo "${__depends}" + return 255 + } + +@@ -27,17 +31,24 @@ install() { + if dracut_module_included "systemd"; then + inst_multiple \ + $systemdsystemunitdir/clevis-luks-askpass.service \ +- $systemdsystemunitdir/clevis-luks-askpass.path ++ $systemdsystemunitdir/clevis-luks-askpass.path \ ++ @SYSTEMD_REPLY_PASS@ \ ++ @libexecdir@/clevis-luks-askpass + systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path + else + inst_hook initqueue/online 60 "$moddir/clevis-hook.sh" + inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" ++ ++ inst_multiple \ ++ @libexecdir@/clevis-luks-generic-unlocker \ ++ clevis-luks-unlock \ ++ lsblk \ ++ sort \ ++ awk + fi + + inst_multiple \ + /etc/services \ +- @SYSTEMD_REPLY_PASS@ \ +- 
@libexecdir@/clevis-luks-askpass \ + clevis-luks-common-functions \ + grep sed cut \ + clevis-decrypt \ +diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build +similarity index 78% +rename from src/luks/systemd/dracut/meson.build +rename to src/dracut/meson.build +index 7ad5b14..fdb264b 100644 +--- a/src/luks/systemd/dracut/meson.build ++++ b/src/dracut/meson.build +@@ -2,4 +2,3 @@ subdir('clevis') + subdir('clevis-pin-tang') + subdir('clevis-pin-tpm2') + subdir('clevis-pin-sss') +-subdir('clevis-pin-null') +diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in +deleted file mode 100755 +index cb257c9..0000000 +--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in ++++ /dev/null +@@ -1,2 +0,0 @@ +-#!/bin/bash +-@libexecdir@/clevis-luks-askpass +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index e3b3d91..b10494e 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -10,7 +10,6 @@ sd_reply_pass = find_program( + + if systemd.found() and sd_reply_pass.found() + data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path()) +- subdir('dracut') + + unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir') + +diff --git a/src/meson.build b/src/meson.build +index c4e696f..a0dff5b 100644 +--- a/src/meson.build ++++ b/src/meson.build +@@ -1,6 +1,7 @@ + subdir('bash') + subdir('luks') + subdir('pins') ++subdir('dracut') + subdir('initramfs-tools') + + bins += join_paths(meson.current_source_dir(), 'clevis-decrypt') diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch new file mode 100644 index 0000000000..bfd517d3e1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch 
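Review bot: In the `depends()` hunk of module-setup.sh.in the added line `__depends=$(printf '%s systemd' "${_depends}")` reads `_depends` (one underscore) while the variable declared two lines above is `__depends`, so whenever the systemd module is included the echoed list becomes ` systemd` and the `crypt` dependency is silently dropped; it should read `__depends="${__depends} systemd"`. Separately, clevis-hook.sh.in runs `clevis-luks-generic-unlocker -l`, whose `while true` loop only exits once `to_unlock` reports nothing and otherwise retries every 0.5s without bound, so a device whose pin cannot be satisfied at boot (a tang server that is down, for instance) keeps the initqueue hook polling forever with no fallback; a retry limit or deadline that exits non-zero would let dracut's normal handling take over. This is a vendored copy of upstream PR 347, so both fixes belong upstream as well as here.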
@@ -0,0 +1,11 @@ +diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build +index b10494e3ca4d620437aee0d5e440eecf323b03d9..09f7fb51e7320aa71e275c34baa0561233821d69 100644 +--- a/src/luks/systemd/meson.build ++++ b/src/luks/systemd/meson.build +@@ -5,6 +5,7 @@ sd_reply_pass = find_program( + join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'), + join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'), + join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'), ++ join_paths('/', 'lib', 'systemd', 'systemd-reply-password'), + required: false + ) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml new file mode 100644 index 0000000000..18fcd69367 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml @@ -0,0 +1,15 @@ + + + + + kjain7@u.rochester.edu + Krish Jain (based off Julien Roy's work) + + + latchset/clevis + + + Enable LUKS support + Enable TPM support + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest new file mode 100644 index 0000000000..dca30c608a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest 
@@ -0,0 +1,2 @@
+DIST tang-13.tar.gz 41537 BLAKE2B 23c7ebb0e74d56c712200e0bcbf048d32e82f08c91eece19337fc9725a6de48240958435c560a32f47fe506e607b38fc29c2b05635f232f713c8af6066a33ac0 SHA512 c8e99498b31a45bb97092d764bbe5f13f9152a8128ef774de6ac99bd44f15d5895b462ecefc504f37142fdacafc86a39059204514aa509db257b342553e00641
+DIST tang-14.tar.gz 41616 BLAKE2B a26091108b16342f51cf05745ae68b56fab5ffac6d9f9191b4d6952a5c88afcbad8bbcfc0e4754b8d9c5ebf659874026a2020c1ad305f4f7393d2487ec5f95d5 SHA512 3b0872f51d9aa8dfd232fa328a326503800a1eedfe7cf9d73f8e10a3cfb97f667996708a18ea04c982c3ca477fe36961045649437b953c593fce544d8dee8048
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd
new file mode 100644
index 0000000000..3bca6e1b81
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd
@@ -0,0 +1,8 @@
+# Address for tang to listen to (default: 0.0.0.0)
+ADDRESS=0.0.0.0
+
+# Port for tang to listen to (default: 8888)
+PORT=8888
+
+# Directory where keys will be stored (default: /var/db/tang)
+TANGDIR=/var/db/tang
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd
new file mode 100644
index 0000000000..fc3c25c03c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd
@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="tang daemon"
+description="Tang binding daemon"
+command=/usr/bin/socat
+pidfile="/var/run/${RC_SVCNAME}.pid"
+command_user="tang"
+command_args="TCP-LISTEN:${PORT},bind=${ADDRESS},fork SYSTEM:'/usr/libexec/tangd ${TANGDIR}'"
+command_background=true
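Review bot: `command_args` interpolates `${PORT}`, `${ADDRESS}` and `${TANGDIR}` with no defaults in the script itself, so if /etc/conf.d/tangd is missing or a variable is commented out socat is started with `TCP-LISTEN:,bind=,fork` and the empty values become the failure instead of the defaults the conf file's comments promise; add `: "${ADDRESS:=0.0.0.0}"`, `: "${PORT:=8888}"` and `: "${TANGDIR:=/var/db/tang}"` before command_args. `SYSTEM:` hands the string to a shell, while the command is one binary with one argument, so `EXEC:'/usr/libexec/tangd ${TANGDIR}'` does the same job without a shell in the path. `pidfile="/var/run/…"` should use `/run`, where current OpenRC keeps PID files.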
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service new file mode 100644 index 0000000000..59625d9741 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service @@ -0,0 +1,6 @@ +[Unit] +Description=Tang Server + +[Service] +ExecStart=/usr/bin/socat TCP-LISTEN:8888,bind=0.0.0.0,fork SYSTEM:'/usr/libexec/tangd /var/db/tang' +User=tang diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml new file mode 100644 index 0000000000..89293a302d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml @@ -0,0 +1,11 @@ + + + + + julien@jroy.ca + Julien Roy + + + latchset/tang + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild new file mode 100644 index 0000000000..1b055c35e1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild @@ -0,0 +1,35 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit meson systemd + +DESCRIPTION="Tang binding daemon" +HOMEPAGE="https://github.com/latchset/tang" +SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64" +IUSE="" + +DEPEND="acct-user/tang + net-misc/socat + >=net-libs/http-parser-2.8.0 + >=dev-libs/jose-8" +RDEPEND="${DEPEND}" +BDEPEND="app-text/asciidoc" + +src_install(){ + meson_install + newinitd "${FILESDIR}"/tangd.initd tangd + systemd_dounit "${FILESDIR}"/tangd.service + + doconfd "${FILESDIR}"/tangd + + dodir /var/db/tang + keepdir /var/db/tang + fowners tang:tang /var/db/tang + fperms 770 /var/db/tang +} 
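Review bot: The unit has no `[Install]` section, so `systemctl enable tangd` fails and the service can only be started by hand, and it hardcodes `0.0.0.0:8888` and `/var/db/tang` while the OpenRC script installed by the same ebuild reads them from the conf.d file, so the two init systems drift as soon as anyone edits the config. Carry defaults in `Environment=` and let `EnvironmentFile=-/etc/conf.d/tangd` override them, then reference the variables in ExecStart and add the `[Install]` section. Since the daemon exposes an unauthenticated HTTP endpoint on all interfaces by default, basic sandboxing (`ProtectSystem=strict` with `ReadWritePaths=` on the key directory, `NoNewPrivileges=yes`) is cheap here; confirm that systemd's `${}` expansion behaves as expected inside the quoted SYSTEM: argument before relying on it.
```ini
# … unchanged: [Unit] section …

[Service]
Environment=ADDRESS=0.0.0.0 PORT=8888 TANGDIR=/var/db/tang
EnvironmentFile=-/etc/conf.d/tangd
ExecStart=/usr/bin/socat TCP-LISTEN:${PORT},bind=${ADDRESS},fork SYSTEM:'/usr/libexec/tangd ${TANGDIR}'
User=tang
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/var/db/tang

[Install]
WantedBy=multi-user.target
```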
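Review bot: `fperms 770 /var/db/tang` gives the whole `tang` group write access to the directory the conf file describes as where keys are stored, yet both init files run the daemon as user `tang` alone, so `700` is sufficient unless another account is meant to rotate keys. `dodir /var/db/tang` immediately followed by `keepdir /var/db/tang` is redundant, since keepdir creates the directory itself. The same lines appear in tang-14.ebuild, whose blob is byte-identical (index 1b055c35e1 in both file headers), so apply the change to both; minor style, `src_install(){` → `src_install() {`.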
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild
new file mode 100644
index 0000000000..1b055c35e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild
@@ -0,0 +1,35 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson systemd
+
+DESCRIPTION="Tang binding daemon"
+HOMEPAGE="https://github.com/latchset/tang"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE=""
+
+DEPEND="acct-user/tang
+ net-misc/socat
+ >=net-libs/http-parser-2.8.0
+ >=dev-libs/jose-8"
+RDEPEND="${DEPEND}"
+BDEPEND="app-text/asciidoc"
+
+src_install(){
+ meson_install
+ newinitd "${FILESDIR}"/tangd.initd tangd
+ systemd_dounit "${FILESDIR}"/tangd.service
+
+ doconfd "${FILESDIR}"/tangd
+
+ dodir /var/db/tang
+ keepdir /var/db/tang
+ fowners tang:tang /var/db/tang
+ fperms 770 /var/db/tang
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index a215fdea4b..75e51bbfa7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -100,6 +100,7 @@ RDEPEND="${RDEPEND}
 app-arch/zip
 app-arch/ncompress
 app-crypt/adcli
+ app-crypt/clevis
 app-crypt/gnupg
 app-crypt/go-tspi
 app-crypt/tpmpolicy
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest
new file mode 100644
index 0000000000..e93f6475fb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest
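Review bot: The new unconditional `app-crypt/clevis` in RDEPEND cannot be satisfied on non-amd64 targets as this commit stands: clevis, jose, luksmeta and the tang acct packages all carry `KEYWORDS="~amd64"` only, while bootengine in the same commit is keyworded `~amd64 ~arm ~arm64 ~x86`, so unless the extra keywords are supplied elsewhere the arm64 image build would fail to resolve the dependency. It also drags clevis[luks,tpm] together with jq, libpwquality and tpm2-tools into every production image; if that is intended, say so in the commit message, otherwise gate it behind a USE flag and keyword the new packages for the architectures that are actually shipped.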
@@ -0,0 +1 @@ +DIST jose-11.tar.gz 841374 BLAKE2B 5ffe35ebd48ed72d140e1dbf3ad37fcc3b4fd5534a5e1a5d9c43e82ad1901f989610baee2e2eb17209fd72f73c4f17227bed01d168bb4d243f067ec25051f913 SHA512 ffe09000837f79cefa549734d13c5d5d51042a42a055867241777ccbff3a127bac86a6155638fdf5ee52aad3598829e19724fd4e7de541117ed9b1c77c2ce457 diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild new file mode 100644 index 0000000000..759d25b8f9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild @@ -0,0 +1,20 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit meson + +DESCRIPTION="C-language implementation of Javascript Object Signing and Encryption" +HOMEPAGE="https://github.com/latchset/jose" +SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64" + +DEPEND="dev-libs/jansson" +RDEPEND="${DEPEND} + dev-libs/openssl:= +" +BDEPEND="" diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml new file mode 100644 index 0000000000..bfb2fba0b9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml @@ -0,0 +1,11 @@ + + + + + julien@jroy.ca + Julien Roy + + + latchset/jose + + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest new file mode 100644 index 0000000000..95c5937c64 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest 
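Review bot: `dev-libs/openssl:=` is listed only in RDEPEND; given that jose links against it at runtime it is also needed at build time, so a clean build can fail to find the headers — move it into DEPEND and keep the mirror: `DEPEND="dev-libs/jansson` / `	dev-libs/openssl:="` / `RDEPEND="${DEPEND}"`. The `:=` slot operator is correct for a library dependency and should stay. `BDEPEND=""` is a no-op and can be dropped (meson-based builds usually want `virtual/pkgconfig` there instead).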
@@ -0,0 +1 @@ +DIST luksmeta-9.tar.gz 27650 BLAKE2B e55796929410e9a3124c3f28066bac42b46e71df98ab7a1e58c1f973d4fda41d7c8d64b735ae0d1e192054297932951407083f89a7f255c09d22dce370865036 SHA512 874331988fe2648d4924779b348f190ed5c6e4d71da4ad027f176e3f8dcbc78fc26e9f9b8402a97437db5b884db31b72598afc70e025cd8533168a5986417a76 diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch new file mode 100644 index 0000000000..aeca588619 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch 
@@ -0,0 +1,137 @@ +# Closes Gentoo bug 837308 +# This patch backports the master branch's test-lm-{big,one,two}.c and test-luksmeta.c +# due to failing tests on v9 tag (see https://bugs.gentoo.org/837308) + +diff --git a/test-lm-assumptions.c b/test-lm-assumptions.c +index d9ff20b..b4f293f 100644 +--- a/test-lm-assumptions.c ++++ b/test-lm-assumptions.c +@@ -28,7 +28,8 @@ main(int argc, char *argv[]) + /* Test the layout state. */ + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- END(1024), /* Rest of the file */ ++ { 1024, 3072, true }, /* Keyslot Area */ ++ { 0, 0 }, + })); + + unlink(filename); +diff --git a/test-lm-big.c b/test-lm-big.c +index 6098e59..eb94d3b 100644 +--- a/test-lm-big.c ++++ b/test-lm-big.c +@@ -111,7 +111,7 @@ main(int argc, char *argv[]) + + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + { offset + 4096, 4096 }, /* luksmeta slot 0 */ + { offset + 8192, 4096 }, /* luksmeta slot 0 (cont) */ +@@ -127,7 +127,7 @@ main(int argc, char *argv[]) + + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + END(offset + 4096), /* Rest of the file */ + })); +diff --git a/test-lm-init.c b/test-lm-init.c +index 2a6cb45..b16d597 100644 +--- a/test-lm-init.c ++++ b/test-lm-init.c +@@ -57,7 +57,7 @@ main(int argc, char *argv[]) + /* Test the layout state. 
*/ + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + END(offset + 4096), /* Rest of the file */ + })); +@@ -106,7 +106,7 @@ main(int argc, char *argv[]) + assert(luksmeta_test(cd) == -ENOENT); + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + END(offset), /* Rest of the file */ + })); + +diff --git a/test-lm-one.c b/test-lm-one.c +index 8deb70a..18613e0 100644 +--- a/test-lm-one.c ++++ b/test-lm-one.c +@@ -49,7 +49,7 @@ main(int argc, char *argv[]) + /* Test the layout state. */ + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + { offset + 4096, 4096 }, /* luksmeta slot 0 */ + END(offset + 8192), /* Rest of the file */ +@@ -68,7 +68,7 @@ main(int argc, char *argv[]) + /* Test the layout state. 
*/ + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + END(offset + 4096), /* Rest of the file */ + })); +diff --git a/test-lm-two.c b/test-lm-two.c +index 78fea5b..9f0b1c5 100644 +--- a/test-lm-two.c ++++ b/test-lm-two.c +@@ -53,7 +53,7 @@ main(int argc, char *argv[]) + + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + { offset + 4096, 4096 }, /* luksmeta slot 0 */ + END(offset + 8192), /* Rest of the file */ +@@ -70,7 +70,7 @@ main(int argc, char *argv[]) + + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + { offset + 4096, 4096 }, /* luksmeta slot 0 */ + { offset + 8192, 4096 }, /* luksmeta slot 1 */ +@@ -88,7 +88,7 @@ main(int argc, char *argv[]) + assert(luksmeta_wipe(cd, 0, UUID0) == 0); + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + { offset + 4096, 4096, true }, /* luksmeta slot 0 */ + { offset + 8192, 4096 }, /* luksmeta slot 1 */ +@@ -99,7 +99,7 @@ main(int argc, char *argv[]) + assert(luksmeta_wipe(cd, 1, UUID1) == 0); + assert(test_layout((range_t[]) { + { 0, 1024 }, /* LUKS header */ +- { 1024, offset - 1024, true }, /* Keyslot Area */ ++ { 1024, 3072, true }, /* Keyslot Area */ + { offset, 4096 }, /* luksmeta header */ + END(offset + 4096), /* Rest of the file */ + })); +diff --git a/test-luksmeta b/test-luksmeta +index fd17ead..f1e8b2e 100755 +--- a/test-luksmeta ++++ b/test-luksmeta +@@ -11,7 +11,7 @@ function onexit() { + 
trap 'onexit' EXIT + + truncate -s 4M $tmp +-echo -n foo | cryptsetup luksFormat $tmp - ++echo -n foo | cryptsetup luksFormat --type luks1 $tmp - + + ! ./luksmeta test -d $tmp + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild new file mode 100644 index 0000000000..0f5d87e819 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild @@ -0,0 +1,34 @@ +# Copyright 2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools + +DESCRIPTION="LUKSMeta is a simple library for storing metadata in the LUKSv1 header" +HOMEPAGE="https://github.com/latchset/luksmeta" +SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~amd64" +IUSE="+man" + +DEPEND="sys-fs/cryptsetup" +RDEPEND="${DEPEND}" +BDEPEND="man? ( app-text/asciidoc ) + sys-devel/libtool" + +PATCHES=( + "${FILESDIR}/${PN}-tests.patch" +) + +src_prepare() { + default + eautoreconf +} + +src_install() { + default + find "${ED}" -name '*.la' -delete || die +} diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml new file mode 100644 index 0000000000..4a0695b777 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml @@ -0,0 +1,11 @@ + + + + + julien@jroy.ca + Julien Roy + + + latchset/luksmeta + + diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask index 7f198c44e9..928924c2cc 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask 
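Review bot: The header comment says the patch backports `test-lm-{big,one,two}.c and test-luksmeta.c`, but the hunks also modify test-lm-assumptions.c and test-lm-init.c, so the description undersells the change; update it to `# This patch backports the master branch's test-lm-{assumptions,big,init,one,two}.c and test-luksmeta`. It would also help to state in that comment why `--type luks1` is passed to luksFormat (luksmeta only handles LUKS1 headers, per the ebuild's DESCRIPTION) so the flag is not dropped the next time cryptsetup's default changes.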
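Review bot: `IUSE="+man"` only gates the asciidoc entry in BDEPEND; nothing passes the flag to configure, so with USE=-man the build presumably still tries to generate the man pages and fails for lack of asciidoc — either pass the matching configure switch in a src_configure (check what luksmeta's configure.ac offers) or drop the flag and make asciidoc unconditional. `sys-devel/libtool` in BDEPEND is normally declared by the autotools eclass itself when eautoreconf is used, so it can likely be removed.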
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask @@ -4,7 +4,6 @@ # We don't want to support interpreted languages, changes/updates we make # would have a high risk of breaking users. dev-lang/perl -dev-lang/python dev-lang/ruby # We do not configure/install grub like other distros so shipping the user diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild index b8c81c0245..24319b5ffa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=7 -CROS_WORKON_PROJECT="flatcar/bootengine" +CROS_WORKON_PROJECT="krishjainx/bootengine" CROS_WORKON_LOCALNAME="bootengine" CROS_WORKON_OUTOFTREE_BUILD=1 CROS_WORKON_REPO="https://github.com" @@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com" if [[ "${PV}" == 9999 ]]; then KEYWORDS="~amd64 ~arm ~arm64 ~x86" else - CROS_WORKON_COMMIT="cc0fdec0cc6c5692acac95a928984ea8a5eb8f08" # flatcar-master + CROS_WORKON_COMMIT="6a286c04e4d0cccf70808ff5a9d9fb0f0aa76521" # flatcar-master KEYWORDS="amd64 arm arm64 x86" fi @@ -41,7 +41,6 @@ src_install() { "${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root \ "${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root-after-ignition \ "${D}"/usr/lib/dracut/modules.d/99setup-root/gpg-agent-wrapper \ - "${D}"/usr/lib/dracut/modules.d/30ignition/coreos-metadata-wrapper \ - "${D}"/usr/lib/dracut/modules.d/30ignition/ignition-wrapper \ + "${D}"/usr/lib/dracut/modules.d/30ignition/*-wrapper \ || die chmod } diff --git a/sdk_container/src/third_party/gentoo b/sdk_container/src/third_party/gentoo new file mode 160000 index 0000000000..8a26e0f2f0 --- /dev/null 
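Review bot: Unmasking `dev-lang/python` in the prod profile contradicts the comment two lines above it (`We don't want to support interpreted languages`), and nothing else in this commit visibly requires Python: clevis is shell, jose, luksmeta and tang are C. If some new dependency pulls it in, name it in the commit message and consider resolving it at that dependency instead; otherwise this hunk should be dropped, since it widens the attack surface of every production image.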
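Review bot: `CROS_WORKON_PROJECT="krishjainx/bootengine"` points the initramfs build at a personal GitHub fork, and the pinned `CROS_WORKON_COMMIT` keeps its `# flatcar-master` comment although the commit now comes from that fork, so anyone building this tree pulls boot-critical code from a repository outside the project's control. Land the bootengine changes in `flatcar/bootengine` first, keep `CROS_WORKON_PROJECT="flatcar/bootengine"`, and update the pinned commit to the upstream one. The `*-wrapper` glob in the src_install hunk is safe as written because a non-matching pattern is passed literally and `|| die` catches the chmod failure, but a short comment naming the wrappers it is expected to match would help the next reader.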
+++ b/sdk_container/src/third_party/gentoo @@ -0,0 +1 @@ +Subproject commit 8a26e0f2f02cfbf5c9bbf35d814fdaaf575fa91e
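Review bot: The new `sdk_container/src/third_party/gentoo` entry (mode 160000) adds a submodule pinned to 8a26e0f2f0, but the diffstat lists no `.gitmodules` change, so the submodule has no URL and `git submodule update --init` cannot fetch it; either add the `.gitmodules` entry or leave the gentoo checkout out of this commit. Importing an entire gentoo tree is also unrelated to the clevis work named in the subject and deserves its own commit with a justification.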