path: root/app-crypt/clevis/files/clevis-dracut.patch
blob: 7aec43e9e58b450d2876e252e1bc46ab348424fe (plain)
From a5aa695821e34fb218c7d705065aaf7077737c8c Mon Sep 17 00:00:00 2001
From: Jonathan Davies <jpds@protonmail.com>
Date: Fri, 5 Nov 2021 15:24:12 +0000
Subject: [PATCH] Moved dracut directory up to top-level to decouple it with
 systemd.

Adds a clevis-luks-generic-unlocker for alternative use without systemd.

Based on patch by Sergio Correia <scorreia@redhat.com>

Closes: #346

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
---
 .../dracut/clevis-pin-sss/meson.build         |  0
 .../dracut/clevis-pin-sss/module-setup.sh.in  |  0
 .../dracut/clevis-pin-tang/meson.build        |  0
 .../dracut/clevis-pin-tang/module-setup.sh.in |  0
 .../dracut/clevis-pin-tpm2/meson.build        |  0
 .../dracut/clevis-pin-tpm2/module-setup.sh.in |  0
 src/dracut/clevis/clevis-hook.sh.in           |  3 +
 .../clevis/clevis-luks-generic-unlocker       | 70 +++++++++++++++++++
 .../systemd => }/dracut/clevis/meson.build    |  1 +
 .../dracut/clevis/module-setup.sh.in          | 19 +++--
 src/{luks/systemd => }/dracut/meson.build     |  0
 .../systemd/dracut/clevis/clevis-hook.sh.in   |  2 -
 src/luks/systemd/meson.build                  |  1 -
 src/meson.build                               |  1 +
 14 files changed, 90 insertions(+), 7 deletions(-)
 rename src/{luks/systemd => }/dracut/clevis-pin-sss/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-sss/module-setup.sh.in (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tang/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tang/module-setup.sh.in (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/module-setup.sh.in (100%)
 create mode 100755 src/dracut/clevis/clevis-hook.sh.in
 create mode 100755 src/dracut/clevis/clevis-luks-generic-unlocker
 rename src/{luks/systemd => }/dracut/clevis/meson.build (87%)
 rename src/{luks/systemd => }/dracut/clevis/module-setup.sh.in (76%)
 rename src/{luks/systemd => }/dracut/meson.build (100%)
 delete mode 100755 src/luks/systemd/dracut/clevis/clevis-hook.sh.in

diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
rename to src/dracut/clevis-pin-sss/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
rename to src/dracut/clevis-pin-sss/module-setup.sh.in
diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
rename to src/dracut/clevis-pin-tang/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
rename to src/dracut/clevis-pin-tang/module-setup.sh.in
diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
rename to src/dracut/clevis-pin-tpm2/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
new file mode 100755
index 0000000..91ff2bd
--- /dev/null
+++ b/src/dracut/clevis/clevis-hook.sh.in
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+@libexecdir@/clevis-luks-generic-unlocker -l
diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
new file mode 100755
index 0000000..a3b9d62
--- /dev/null
+++ b/src/dracut/clevis/clevis-luks-generic-unlocker
@@ -0,0 +1,70 @@
+#!/bin/bash
+set -eu
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020-2021 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+# Make sure to exit cleanly if SIGTERM is received.
+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
+
+loop=
+while getopts ":l" o; do
+    case "${o}" in
+    l) loop=true;;
+    *) ;;
+    esac
+done
+
+to_unlock() {
+    local _devices='' _d _uuid
+    for _d in $(lsblk -o PATH,FSTYPE,RM \
+               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
+    do
+        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
+                         || [ -z "${bindings}" ]; then
+            continue
+        fi
+        _uuid="$(cryptsetup luksUUID "${_d}")"
+        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
+            continue
+        fi
+        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
+    done
+    echo "${_devices}" | sed -e 's/^\n$//'
+}
+
+while true; do
+    for d in $(to_unlock); do
+        uuid="$(cryptsetup luksUUID "${d}")"
+        if ! clevis luks unlock -d "${d}"; then
+            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
+            continue
+        fi
+        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
+    done
+
+    [ "${loop}" != true ] && break
+    # Checking for pending devices to be unlocked.
+    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
+        break;
+    fi
+
+    sleep 0.5
+done
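Review bot: With `-l` the outer `while true` loop has no retry bound: a device that has a Clevis binding but cannot be unlocked keeps `to_unlock` non-empty, so the script retries every 0.5 s until it receives SIGTERM and prints "Unable to unlock" on each pass. If the initqueue hook runs this synchronously, that would likely delay any fallback passphrase prompt, so a cap is worth adding, for example `tries=0` before the loop and `[ "$((tries+=1))" -ge "${max_tries}" ] && break` ahead of `sleep 0.5`, where `max_tries` is a limit you choose. Separately, `uuid="$(cryptsetup luksUUID "${d}")"` runs under `set -e`, so a device that disappears between `to_unlock` and that line aborts the whole script instead of being skipped; `uuid="$(cryptsetup luksUUID "${d}")" || continue` avoids this. In `to_unlock`, `sed -e 's/^\n$//'` never matches because sed works line by line, and `bindings` is not declared `local`.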
diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
similarity index 87%
rename from src/luks/systemd/dracut/clevis/meson.build
rename to src/dracut/clevis/meson.build
index 167e708..224e27f 100644
--- a/src/luks/systemd/dracut/clevis/meson.build
+++ b/src/dracut/clevis/meson.build
@@ -16,6 +16,7 @@ if dracut.found()
     install_dir: dracutdir,
     configuration: data,
   )
+  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
 else
   warning('Will not install dracut module due to missing dependencies!')
 endif
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
similarity index 76%
rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
rename to src/dracut/clevis/module-setup.sh.in
index bfe657c..dbce790 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/dracut/clevis/module-setup.sh.in
@@ -19,7 +19,11 @@
 #
 
 depends() {
-    echo crypt systemd
+    local __depends=crypt
+    if dracut_module_included "systemd"; then
+        __depends=$(printf '%s systemd' "${_depends}")
+    fi
+    echo "${__depends}"
     return 255
 }
 
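Review bot: In `depends()` the `printf` reads `${_depends}` (one underscore) while the local is declared as `__depends`, so when the systemd module is included the function echoes ` systemd` and the `crypt` dependency is silently dropped. Use the declared name, e.g. `__depends="${__depends} systemd"`. Without `crypt` in the list, dracut may build an initramfs that contains this module but not the cryptsetup pieces the unlock path relies on, which would only show up as a failed unlock at boot.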
@@ -27,17 +31,24 @@ install() {
     if dracut_module_included "systemd"; then
         inst_multiple \
             $systemdsystemunitdir/clevis-luks-askpass.service \
-            $systemdsystemunitdir/clevis-luks-askpass.path
+            $systemdsystemunitdir/clevis-luks-askpass.path \
+            @SYSTEMD_REPLY_PASS@ \
+            @libexecdir@/clevis-luks-askpass
         systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
     else
         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+
+	inst_multiple \
+            @libexecdir@/clevis-luks-generic-unlocker \
+            clevis-luks-unlock \
+            lsblk \
+            sort \
+            awk
     fi
 
     inst_multiple \
         /etc/services \
-        @SYSTEMD_REPLY_PASS@ \
-        @libexecdir@/clevis-luks-askpass \
         clevis-luks-common-functions \
         grep sed cut \
         clevis-decrypt \
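Review bot: The added `inst_multiple` line in the non-systemd branch is indented with a tab while the rest of `install()` uses spaces; re-indent it to eight spaces to match. The generic unlocker installed here also calls `cryptsetup`, `clevis luks list` and `sleep`, none of which appear in the lines visible in this hunk. The shared `inst_multiple` list continues past the end of the hunk, so confirm they are installed there or by a dependency module, otherwise the hook will fail inside the initramfs. `install()` starts before and ends after this hunk.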
diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/meson.build
rename to src/dracut/meson.build
diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
deleted file mode 100755
index cb257c9..0000000
--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-@libexecdir@/clevis-luks-askpass
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index e3b3d91..b10494e 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
 
 if systemd.found() and sd_reply_pass.found()
   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
-  subdir('dracut')
 
   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
 
diff --git a/src/meson.build b/src/meson.build
index c4e696f..a0dff5b 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -1,6 +1,7 @@
 subdir('bash')
 subdir('luks')
 subdir('pins')
+subdir('dracut')
 subdir('initramfs-tools')
 
 bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')