Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hello stable release team,

for the upcoming stable point release, I've just uploaded src:clevis ("automated encryption framework") as version 11-2+deb10u1. There are three changes related to the dracut integration:

* No longer try to install the clevis-decrypt-http unlocker
  Type: upstream bug
  Debian bug: https://bugs.debian.org/969361
  Fixed in unstable and testing: 12-1 (February 2020)
  Problem: The "module-setup.sh" snippet tries to install a script that no longer exists, resulting in an initramfs that can no longer automatically unlock the root device.
  Remark: The upstream commit also includes documentation cleanup, hence it got a little bigger. The actual code change is just one line removed.

* Install cryptsetup and tpm2_pcrlist
  Type: upstream bug
  Debian bug: https://bugs.debian.org/969361
  Fixed in unstable and testing: 12-1 (February 2020)
  Problem: Under certain circumstances the cryptsetup program is not installed in the initramfs, resulting in a system that cannot be unlocked at all, not even manually.
  Remark: The upstream commit also addresses TPM support; it seemed wise not to touch this.

* Trigger dracut initramfs re-creation
  Type: convenience/missing feature
  Fixed in unstable and testing: 15-1 (December 2020)
  Problem: Upon installation or upgrade, a re-creation of the initramfs should be triggered to make sure new features are included.
  Remark: As a digression from unstable, the dependency on dracut (where the trigger is handled) has been lowered to a recommendation. This is a safeguard against possible installation problems since dracut conflicts with a few other packages. Let's better play safe, although I doubt there exist users of clevis-dracut who do *not* have dracut itself installed *but still* want to use a dracut initramfs.
Regards,
Christoph

-- System Information:
Debian Release: 10.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.10 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru clevis-11/debian/changelog clevis-11/debian/changelog --- clevis-11/debian/changelog 2019-03-01 11:37:24.000000000 +0100 +++ clevis-11/debian/changelog 2021-01-25 20:03:26.000000000 +0100 @@ -1,3 +1,14 @@ +clevis (11-2+deb10u1) buster; urgency=medium + + * Cherry-pick two comments to fix initramfs creation: Closes: #969361 + - "Delete remaining references to the removed http pin" to unbreak + initramfs generation in dracut. + - "Install cryptsetup and tpm2_pcrlist in the initramfs" to assert + cryptsetup is available in the initramfs + * clevis-dracut: Trigger initramfs creation upon installation + + -- Christoph Biedl <debian.a...@manchmal.in-ulm.de> Mon, 25 Jan 2021 20:03:26 +0100 + clevis (11-2) unstable; urgency=medium * Use cryptsetup-bin as dependency, following the cryptsetup diff -Nru clevis-11/debian/clevis-dracut.triggers clevis-11/debian/clevis-dracut.triggers --- clevis-11/debian/clevis-dracut.triggers 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/clevis-dracut.triggers 2021-01-25 20:03:26.000000000 +0100 @@ -0,0 +1 @@ +activate-noawait update-initramfs diff -Nru clevis-11/debian/control clevis-11/debian/control --- clevis-11/debian/control 2019-03-01 11:32:32.000000000 +0100 +++ clevis-11/debian/control 2021-01-25 20:03:26.000000000 +0100 
@@ -60,6 +60,8 @@ Depends: ${misc:Depends}, clevis-systemd, dracut-network, +Recommends: + dracut, Description: Dracut integration for clevis Clevis is a plugable framework for automated decryption. This package provides integration for the dracut initramfs to automatically unlock diff -Nru clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch --- clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/patches/cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch 2021-01-25 19:54:44.000000000 +0100 
@@ -0,0 +1,113 @@ +Subject: Delete remaining references to the removed http pin +Origin: v11-1-g1e344db <https://github.com/latchset/clevis/commit/v11-1-g1e344db> +Upstream-Author: Javier Martinez Canillas <javi...@redhat.com> +Date: Wed Nov 7 14:53:08 2018 +0100 +Bug-Debian: https://bugs.debian.org/bug=969361 + + Commit 800d73185d7f ("Remove HTTP pin") removed the clevis http pin, but + there are still references of it in the docs and also the dracut module. + + This was causing dracut to fail building the initramfs due the following: + + dracut-install: ERROR: installing 'clevis-decrypt-http' + + Suggested-by: Dominick Grift <dac.overr...@gmail.com> + + Fixes: #73 + +--- a/README.md ++++ b/README.md +@@ -58,27 +58,6 @@ + the advertisment is specified manually like this, Clevis presumes that the + advertisement is trusted. + +-#### PIN: HTTP +- +-Clevis also ships a pin for performing escrow using HTTP. Please note that, +-at this time, this pin does not provide HTTPS support and is suitable only +-for use over local sockets. This provides integration with services like +-[Custodia](http://github.com/latchset/custodia). +- +-For example: +- +-```bash +-$ echo hi | clevis encrypt http '{"url": "http://server.local/key"}' > hi.jwe +-``` +- +-The HTTP pin generate a new (cryptographically-strong random) key and performs +-encryption using it. It then performs a PUT request to the URL specified. It is +-understood that the server will securely store this key for later retrieval. +-During decryption, the pin will perform a GET request to retrieve the key and +-perform decryption. +- +-Patches to provide support for HTTPS and authentication are welcome. +- + #### PIN: TPM2 + + Clevis provides support to encrypt a key in a Trusted Platform Module 2.0 (TPM2) +--- a/src/clevis.1.adoc ++++ b/src/clevis.1.adoc +@@ -21,26 +21,6 @@ + encrypt the data so that it can be automatically decrypted if the policy is + met. Lets walk through an example. 
+ +-== HTTP ESCROW +- +-When using the HTTP pin, we create a new, cryptographically-strong, random key. +-This key is stored in a remote HTTP escrow server (using a simple PUT or POST). +-Then at decryption time, we attempt to fetch the key back again in order to +-decrypt our data. So, for our configuration we need to pass the URL to the key +-location: +- +- $ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE +- +-To decrypt the data, simply provide the ciphertext (JWE): +- +- $ clevis decrypt < JWE > PLAINTEXT +- +-Notice that we did not pass any configuration during decryption. The decrypt +-command extracted the URL (and possibly other configuration) from the JWE +-object, fetched the encryption key from the escrow and performed decryption. +- +-For more information, see link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)]. +- + == TANG BINDING + + Clevis provides support for the Tang network binding server. Tang provides +@@ -136,7 +116,6 @@ + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], +--- a/src/luks/clevis-luks-bind.1.adoc ++++ b/src/luks/clevis-luks-bind.1.adoc +@@ -61,7 +61,6 @@ + == SEE ALSO + + link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlockers*(7)], +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -36,7 +36,6 @@ + inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh" + + inst_multiple /etc/services \ +- clevis-decrypt-http \ + clevis-decrypt-tang \ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ +--- 
a/src/pins/sss/clevis-encrypt-sss.1.adoc ++++ b/src/pins/sss/clevis-encrypt-sss.1.adoc +@@ -54,6 +54,5 @@ + + == SEE ALSO + +-link:clevis-encrypt-http.1.adoc[*clevis-encrypt-http*(1)], + link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)], + link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] diff -Nru clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch --- clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch 1970-01-01 01:00:00.000000000 +0100 +++ clevis-11/debian/patches/cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch 2021-01-25 20:03:26.000000000 +0100 
@@ -0,0 +1,42 @@ +Subject: Install cryptsetup and tpm2_pcrlist in the initramfs +Origin: v11-2-g3465859 <https://github.com/latchset/clevis/commit/v11-2-g3465859> +Upstream-Author: Javier Martinez Canillas <javi...@redhat.com> +Date: Wed Nov 7 15:12:17 2018 +0100 +Bug-Debian: https://bugs.debian.org/bug=969361 + + The cryptsetup and tpm2_pcrlist are missing in the initramfs, this makes + automatic LUKS unlocking fail with the following errors: + + dracut-initqueue[382]: /usr/libexec/clevis-luks-askpass: line 52: cryptsetup: command not found + dracut-initqueue[382]: /usr/bin/clevis-decrypt-tpm2: line 40: tpm2_pcrlist: command not found + + Suggested-by: Federico Chiacchiaretta <federico.c...@gmail.com> + + Fixes: #74 + +--- a/src/luks/systemd/dracut/module-setup.sh.in ++++ b/src/luks/systemd/dracut/module-setup.sh.in +@@ -40,6 +40,7 @@ + clevis-decrypt-sss \ + @libexecdir@/clevis-luks-askpass \ + clevis-decrypt \ ++ cryptsetup \ + luksmeta \ + clevis \ + mktemp \ +@@ -49,6 +50,7 @@ + + for cmd in clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load; do + +@@ -60,6 +62,7 @@ + if (($ret == 0)); then + inst_multiple clevis-decrypt-tpm2 \ + tpm2_createprimary \ ++ tpm2_pcrlist \ + tpm2_unseal \ + tpm2_load + fi diff -Nru clevis-11/debian/patches/series clevis-11/debian/patches/series --- clevis-11/debian/patches/series 2018-10-30 22:54:32.000000000 +0100 +++ clevis-11/debian/patches/series 2021-01-25 20:03:26.000000000 +0100 @@ -1,2 +1,8 @@ + +# cherry-picked commits. Keep in upstream's chronological order +cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch +cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch + +# local modifications debian.use-socat.patch debian.use-asciidoctor-to-build-manpages.patch
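Review bot: typo in the debian/changelog hunk: "Cherry-pick two comments to fix initramfs creation" should read "Cherry-pick two commits", and "to assert cryptsetup is available in the initramfs" reads better as "to ensure cryptsetup is available in the initramfs". The second sub-item is also missing its terminating full stop, unlike the first.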
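Review bot: the debian/control hunk adds `Recommends: dracut` to clevis-dracut, but the changelog entry in this upload does not mention it. The cover letter gives a deliberate reason for choosing Recommends over Depends (dracut conflicts with other packages; the trigger is handled there), so a changelog line such as "clevis-dracut: Recommend dracut, which handles the update-initramfs trigger" would record that decision in the package itself rather than only in the bug log.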
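Review bot: the new debian/clevis-dracut.triggers consists of the single line `activate-noawait update-initramfs`. With dracut demoted to Recommends, a system may have no package interested in that trigger, and the activation then does nothing, meaning no initramfs is rebuilt. That silent no-op is what the cover letter intends as the safe fallback, but a `#` comment line in the triggers file saying so would stop a later maintainer from reading it as a missing postinst step.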
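Review bot: both cherry-pick patch headers carry `Bug-Debian: https://bugs.debian.org/bug=969361`, while the cover letter and the changelog use `https://bugs.debian.org/969361`. The short form is the one the BTS documents; use it in the patch headers as well so all three references are consistent.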
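Review bot: the debian/patches/series hunk starts with an added empty line before the `# cherry-picked commits` comment, so the file now begins with a blank line. Harmless to quilt, but drop it so the comment is the first line of the file.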
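An added pre-flight check (example code, not part of clevis or the Debian package) for the failure mode behind the first cherry-pick: it parses every `inst_multiple` list in a dracut `module-setup.sh`, including the tpm2 one inside the `if (($ret == 0))` guard, and reports names that resolve to nothing on the host, which is what made dracut-install abort on `clevis-decrypt-http`. The sample module-setup.sh content and the stub binaries are constructed so the demonstration runs anywhere; point `missing_inst_multiple` at the installed module-setup.sh to use it for real.

```shell
# Added example (not clevis or Debian code): pre-flight check for a dracut
# module-setup.sh. It lists every name passed to inst_multiple and reports those
# resolving to nothing on this host, the cause of "ERROR: installing 'clevis-decrypt-http'".
# Print the arguments of every inst_multiple call in file $1, one per line,
# following backslash line continuations.
inst_multiple_names() {
    awk '/^[ \t]*inst_multiple[ \t]/ {
             cont = 1; sub(/^[ \t]*inst_multiple[ \t]*/, "")
         }
         cont {
             line = $0; more = (line ~ /\\[ \t]*$/)
             gsub(/\\[ \t]*$/, "", line)
             n = split(line, w, "[ \t]+")
             for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
             if (!more) cont = 0
         }' "$1"
}
# Print the names that neither exist as a path nor resolve via PATH; return 1
# if there are any. @name@ entries are build-time substitutions and are skipped.
missing_inst_multiple() {
    rc=0
    for name in $(inst_multiple_names "$1"); do
        case $name in *@*@*) continue ;; esac
        [ -e "$name" ] || command -v "$name" >/dev/null 2>&1 || { echo "$name"; rc=1; }
    done
    return $rc
}
# Constructed sample: the pre-fix list from the hunk, still naming the http
# unlocker although that pin had been removed upstream.
write_sample() {
    cat >"$1" <<'EOF'
    inst_multiple /etc/services \
        clevis-decrypt-http \
        clevis-decrypt-tang \
        clevis-decrypt-sss \
        @libexecdir@/clevis-luks-askpass \
        clevis-decrypt
EOF
}
# Run the check on the sample with stub binaries standing in for the commands a
# clevis system does have, so the result does not depend on this host.
demo_check() {
    tmp=$(mktemp -d); mkdir "$tmp/bin"; write_sample "$tmp/module-setup.sh"
    for c in clevis-decrypt-tang clevis-decrypt-sss clevis-decrypt; do
        printf '#!/bin/sh\n' >"$tmp/bin/$c"; chmod +x "$tmp/bin/$c"
    done
    (PATH="$tmp/bin:$PATH"; export PATH; missing_inst_multiple "$tmp/module-setup.sh")
    rc=$?; rm -rf "$tmp"; return $rc
}
```

A non-empty result before rebuilding the initramfs means dracut-install would fail on those names. Names from the guarded tpm2 list are reported too, so on a host without tpm2-tools judge those separately: module-setup.sh skips that list rather than failing.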