
Bug#981059: buster-pu: package clevis/11-2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello stable release team,

for the upcoming stable point release, I've just uploaded src:clevis
("automated encryption framework") as version 11-2+deb10u1. There are
three changes related to the dracut integration:

* No longer try to install the clevis-decrypt-http unlocker

Type: upstream bug
Debian bug: https://bugs.debian.org/969361
Fixed in stable and testing: 12-1 (February 2020)

Problem: The "module-setup.sh" snippet tries to install a script that
no longer exists, resulting in an initramfs that can no longer
automatically unlock the root device.

Remark: The upstream commit also includes documentation cleanup,
hence it got a little bigger. Actual code change is just one line
removed.


* Install cryptsetup and tpm2_pcrlist

Type: upstream bug
Debian bug: https://bugs.debian.org/969361
Fixed in stable and testing: 12-1 (February 2020)

Problem: Under certain circumstances the cryptsetup program is not installed
in the initramfs, resulting in a system that cannot be unlocked at all, not
even manually.

Remark: The upstream commit also addresses TPM support; it seemed wise
not to touch this.


* Trigger dracut initramfs re-creation

Type: convenience/missing feature
Fixed in stable and testing: 15-1 (December 2020)

Problem: Upon installation or upgrade, a re-creation of the initramfs
should be triggered to make sure new features are included.

Remark: As a digression from unstable, the dependency on dracut (where
the trigger is handled) has been lowered to a recommendation. This is a
safeguard against possible installation problems since dracut conflicts
with a few other packages. Better to play safe, although I doubt
there exist users of clevis-dracut who do *not* have dracut itself
installed *but still* want to use a dracut initramfs.

Regards,

    Christoph

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.10 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru clevis-11/debian/changelog clevis-11/debian/changelog
--- clevis-11/debian/changelog	2019-03-01 11:37:24.000000000 +0100
+++ clevis-11/debian/changelog	2021-01-25 20:03:26.000000000 +0100
@@ -1,3 +1,14 @@
+clevis (11-2+deb10u1) buster; urgency=medium
+
+  * Cherry-pick two comments to fix initramfs creation: Closes: #969361
+    - "Delete remaining references to the removed http pin" to unbreak
+      initramfs generation in dracut. 
+    - "Install cryptsetup and tpm2_pcrlist in the initramfs" to assert
+      cryptsetup is available in the initramfs
+  * clevis-dracut: Trigger initramfs creation upon installation
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Mon, 25 Jan 2021 20:03:26 +0100
+
 clevis (11-2) unstable; urgency=medium
 
   * Use cryptsetup-bin as dependency, following the cryptsetup
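Review bot: "Cherry-pick two comments" in the new changelog entry should read "commits", and the line ending "initramfs generation in dracut. " carries trailing whitespace; both are worth fixing before the upload is accepted. The entry also says nothing about the new "Recommends: dracut" in debian/control, which the cover letter describes as a deliberate deviation from unstable; a bullet such as "clevis-dracut: Recommend dracut, which handles the update-initramfs trigger" would record that for anyone diffing buster against bullseye later.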
diff -Nru clevis-11/debian/clevis-dracut.triggers clevis-11/debian/clevis-dracut.triggers
--- clevis-11/debian/clevis-dracut.triggers	1970-01-01 01:00:00.000000000 +0100
+++ clevis-11/debian/clevis-dracut.triggers	2021-01-25 20:03:26.000000000 +0100
@@ -0,0 +1 @@
+activate-noawait update-initramfs
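Review bot: activate-noawait only does something if an installed package declares interest in the update-initramfs trigger, and the cover letter places that interest in dracut, which this same upload demotes to Recommends; on a system without dracut the activation is silently dropped. That is the safe outcome, but it makes "Trigger initramfs creation upon installation" in the changelog conditional, and since the trigger fires on every configure of clevis-dracut (upgrades included) the cover letter's "installation or upgrade" is the more accurate wording.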
diff -Nru clevis-11/debian/control clevis-11/debian/control
--- clevis-11/debian/control	2019-03-01 11:32:32.000000000 +0100
+++ clevis-11/debian/control	2021-01-25 20:03:26.000000000 +0100
@@ -60,6 +60,8 @@
 Depends: ${misc:Depends},
     clevis-systemd,
     dracut-network,
+Recommends:
+    dracut,
 Description: Dracut integration for clevis
  Clevis is a plugable framework for automated decryption. This package
  provides integration for the dracut initramfs to automatically unlock
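Review bot: Depends still requires dracut-network while dracut itself is only Recommended, so an install with --no-install-recommends ends up with the module and the trigger but, unless dracut-network pulls in dracut on its own, without the tool that builds the image; this is exactly the case the cover letter calls unlikely without ruling it out, and a sentence in the changelog or README.Debian would spare the next maintainer the question. Pre-existing and unrelated: "plugable" in the description should be "pluggable".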
diff -Nru clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch
--- clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch	1970-01-01 01:00:00.000000000 +0100
+++ clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch	2021-01-25 19:54:44.000000000 +0100
@@ -0,0 +1,113 @@
+Subject: Delete remaining references to the removed http pin
+Origin: v11-1-g1e344db <https://github.com/latchset/clevis/commit/v11-1-g1e344db>
+Upstream-Author: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed Nov 7 14:53:08 2018 +0100
+Bug-Debian: https://bugs.debian.org/bug=969361
+
+    Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but
+    there are still references of it in the docs and also the dracut module.
+
+    This was causing dracut to fail building the initramfs due the following:
+
+    dracut-install: ERROR: installing 'clevis-decrypt-http'
+
+    Suggested-by: Dominick Grift <dac.override@gmail.com>
+
+    Fixes: #73
+
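Review bot: the Bug-Debian field "https://bugs.debian.org/bug=969361" is not a valid BTS address; the short form the cover letter itself uses, https://bugs.debian.org/969361, is the one to put in the DEP-3 header, and the same malformed URL appears in the second cherry-pick's header. Origin points at a git-describe string (v11-1-g1e344db) rather than a commit hash; the plain hash https://github.com/latchset/clevis/commit/1e344db does not depend on GitHub interpreting describe output and is the safer link.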
+--- a/README.md
++++ b/README.md
+@@ -58,27 +58,6 @@
+ the advertisment is specified manually like this, Clevis presumes that the
+ advertisement is trusted.
+ 
+-#### PIN: HTTP
+-
+-Clevis also ships a pin for performing escrow using HTTP. Please note that,
+-at this time, this pin does not provide HTTPS support and is suitable only
+-for use over local sockets. This provides integration with services like
+-[Custodia](http://github.com/latchset/custodia).
+-
+-For example:
+-
+-```bash
+-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe
+-```
+-
+-The HTTP pin generate a new (cryptographically-strong random) key and performs
+-encryption using it. It then performs a PUT request to the URL specified. It is
+-understood that the server will securely store this key for later retrieval.
+-During decryption, the pin will perform a GET request to retrieve the key and
+-perform decryption.
+-
+-Patches to provide support for HTTPS and authentication are welcome.
+-
+ #### PIN: TPM2
+ 
+ Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2)
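Review bot: dropping this README section is right for buster and not only cosmetic: the commit message states the http pin itself was removed in 800d73185d7f, which predates v11, so the package as shipped in buster documents an escrow pin (plaintext HTTP, no authentication, per the removed text) that its own binaries no longer provide. Keeping the documentation part of the cherry-pick rather than trimming it to the module-setup.sh.in hunk is therefore justified despite the larger stable diff.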
+--- a/src/clevis.1.adoc
++++ b/src/clevis.1.adoc
+@@ -21,26 +21,6 @@
+ encrypt the data so that it can be automatically decrypted if the policy is
+ met. Lets walk through an example.
+ 
+-== HTTP ESCROW
+-
+-When using the HTTP pin, we create a new, cryptographically-strong, random key.
+-This key is stored in a remote HTTP escrow server (using a simple PUT or POST).
+-Then at decryption time, we attempt to fetch the key back again in order to
+-decrypt our data. So, for our configuration we need to pass the URL to the key
+-location:
+-
+-    $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE
+-
+-To decrypt the data, simply provide the ciphertext (JWE):
+-
+-    $ clevis decrypt < JWE > PLAINTEXT
+-
+-Notice that we did not pass any configuration during decryption. The decrypt
+-command extracted the URL (and possibly other configuration) from the JWE
+-object, fetched the encryption key from the escrow and performed decryption.
+-
+-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)].
+-
+ == TANG BINDING
+ 
+ Clevis provides support for the Tang network binding server. Tang provides
+@@ -136,7 +116,6 @@
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+--- a/src/luks/clevis-luks-bind.1.adoc
++++ b/src/luks/clevis-luks-bind.1.adoc
+@@ -61,7 +61,6 @@
+ == SEE ALSO
+ 
+ link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)],
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -36,7 +36,6 @@
+     inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+ 
+     inst_multiple /etc/services \
+-        clevis-decrypt-http \
+         clevis-decrypt-tang \
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
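Review bot: this is the single-line code change the cover letter refers to, and it fixes the hard failure because inst_multiple aborts the module when any listed program is absent (the "dracut-install: ERROR: installing 'clevis-decrypt-http'" quoted in the commit message). The remaining names in the list, clevis-decrypt-tang and clevis-decrypt-sss, are therefore mandatory at image build time, so whichever binary package ships them must stay in clevis-dracut's dependency chain or the same class of failure returns.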
+--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
+@@ -54,6 +54,5 @@
+ 
+ == SEE ALSO
+ 
+-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)],
+ link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+ link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
diff -Nru clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch
--- clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch	1970-01-01 01:00:00.000000000 +0100
+++ clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch	2021-01-25 20:03:26.000000000 +0100
@@ -0,0 +1,42 @@
+Subject: Install cryptsetup and tpm2_pcrlist in the initramfs
+Origin: v11-2-g3465859 <https://github.com/latchset/clevis/commit/v11-2-g3465859>
+Upstream-Author: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed Nov 7 15:12:17 2018 +0100
+Bug-Debian: https://bugs.debian.org/bug=969361
+
+    The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes
+    automatic LUKS unlocking fail with the following errors:
+
+    dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found
+    dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found
+
+    Suggested-by: Federico Chiacchiaretta <federico.chia@gmail.com>
+
+    Fixes: #74
+
+--- a/src/luks/systemd/dracut/module-setup.sh.in
++++ b/src/luks/systemd/dracut/module-setup.sh.in
+@@ -40,6 +40,7 @@
+         clevis-decrypt-sss \
+         @libexecdir@/clevis-luks-askpass \
+         clevis-decrypt \
++        cryptsetup \
+         luksmeta \
+         clevis \
+         mktemp \
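Review bot: putting cryptsetup into the unconditional inst_multiple list turns a missing cryptsetup binary into a build-time failure of the module rather than an image that fails at the unlock prompt (the "cryptsetup: command not found" in the commit message), which is the better failure mode. It does make the cryptsetup-bin dependency recorded in the 11-2 changelog entry a requirement at initramfs build time, not only at boot; worth confirming the clevis-dracut dependency chain reaches cryptsetup-bin.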
+@@ -49,6 +50,7 @@
+ 
+     for cmd in clevis-decrypt-tpm2 \
+ 	tpm2_createprimary \
++	tpm2_pcrlist \
+ 	tpm2_unseal \
+ 	tpm2_load; do
+ 
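Review bot: tpm2_pcrlist is added to the probing loop as well as to the conditional inst_multiple below, so the TPM2 unlocker is now skipped entirely when tpm2_pcrlist is absent instead of being installed in a state that fails at boot with the "tpm2_pcrlist: command not found" quoted in the commit message; that is consistent with the other four tools. One caveat for anyone carrying this patch beyond buster: tpm2-tools 4.0 renamed tpm2_pcrlist to tpm2_pcrread, so the name is correct for the tpm2-tools this stable update targets but not for later releases. The tab indentation here versus spaces in the hunk above is upstream's pre-existing mix, not introduced by the cherry-pick.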
+@@ -60,6 +62,7 @@
+     if (($ret == 0)); then
+ 	inst_multiple clevis-decrypt-tpm2 \
+ 	    tpm2_createprimary \
++	    tpm2_pcrlist \
+ 	    tpm2_unseal \
+ 	    tpm2_load
+     fi
diff -Nru clevis-11/debian/patches/series clevis-11/debian/patches/series
--- clevis-11/debian/patches/series	2018-10-30 22:54:32.000000000 +0100
+++ clevis-11/debian/patches/series	2021-01-25 20:03:26.000000000 +0100
@@ -1,2 +1,8 @@
+
+# cherry-picked commits. Keep in upstream's chronological order
+cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch
+cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch
+
+# local modifications
 debian.use-socat.patch
 debian.use-asciidoctor-to-build-manpages.patch
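Review bot: the first added line in debian/patches/series is an empty line at the very top of the file; quilt ignores blank lines and "#" comments, so it is harmless, but the leading blank is unnecessary. The ordering comment matters more than it looks: both cherry-picks touch module-setup.sh.in at adjacent lines (the second hunk's context begins where the first hunk's removal ends), so swapping them would make the second patch fail to apply; listing them by the upstream timestamp prefix preserves the required order.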

Attachment: signature.asc
Description: PGP signature
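Both bugs in this upload have the same shape: the dracut module silently produces an image that lacks a program needed at unlock time, and the fault only shows at the next reboot. The following check script is an added example, not part of the bug report or of the clevis package. It lists an initramfs with lsinitrd (dracut's own listing tool) and reports any of the programs the patched module-setup.sh.in installs that are missing from it. The required-program list is an assumption read off the two cherry-picked hunks above, and the two sample listings are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the clevis package):
# verify that a dracut initramfs actually contains the programs the clevis
# module installs with inst_multiple, so a broken image is caught before the
# next reboot instead of at the unlock prompt.

# Assumed list of programs needed for automatic LUKS unlocking, read off the
# patched module-setup.sh.in hunks in the debdiff above.
CLEVIS_REQUIRED="clevis clevis-decrypt clevis-decrypt-tang clevis-decrypt-sss clevis-luks-askpass cryptsetup luksmeta mktemp"
# TPM2 tools the module installs only when they are available at build time.
CLEVIS_TPM2="clevis-decrypt-tpm2 tpm2_createprimary tpm2_pcrlist tpm2_unseal tpm2_load"

# check_listing LISTING NAME...
# LISTING is the text of an image listing (output of `lsinitrd IMAGE`), one
# path per line. Prints the names whose basename is absent and returns 1 if
# any are missing, 0 if all are present.
check_listing() {
    listing=$1
    shift
    missing=""
    for name in "$@"; do
        # match the basename at the end of a path, e.g. usr/sbin/cryptsetup
        if ! printf '%s\n' "$listing" | grep -Eq "(^|/)${name}\$"; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing from initramfs:%s\n' "$missing"
        return 1
    fi
    return 0
}

# check_image IMAGE [tpm2]
# Lists a real image with lsinitrd (shipped by dracut) and checks it; pass
# "tpm2" as the second argument to require the TPM2 tools as well.
check_image() {
    want=$CLEVIS_REQUIRED
    [ "${2:-}" = tpm2 ] && want="$want $CLEVIS_TPM2"
    listing=$(lsinitrd "$1") || return 2
    # shellcheck disable=SC2086  # splitting $want into words is intended
    check_listing "$listing" $want
}

# Constructed sample listing (not from a real machine) resembling an image
# built by the unpatched buster module: every clevis program is present but
# cryptsetup never got installed, the failure the second cherry-pick fixes.
BROKEN_LISTING='etc/services
usr/bin/clevis
usr/bin/clevis-decrypt
usr/bin/clevis-decrypt-tang
usr/bin/clevis-decrypt-sss
usr/bin/mktemp
usr/libexec/clevis-luks-askpass
usr/sbin/luksmeta'

# The same image after the fix.
FIXED_LISTING="$BROKEN_LISTING
usr/sbin/cryptsetup"

# Stand-alone use: `sh check-clevis-initramfs.sh /boot/initrd.img-$(uname -r) [tpm2]`
# checks a real image; with no arguments the two constructed listings are checked.
if [ -n "${1:-}" ]; then
    check_image "$1" "${2:-}"
else
    check_listing "$BROKEN_LISTING" $CLEVIS_REQUIRED || true
    check_listing "$FIXED_LISTING" $CLEVIS_REQUIRED && echo 'all clevis unlock programs present'
fi
```

Run against the real image after installing 11-2+deb10u1 (or after any dracut run) to confirm the trigger actually rebuilt it; the listing-based function is split out so the same check can be applied to a listing captured from a rescue system without booting the image first.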

