
Comparing changes

base repository: oldium/clevis
base: v21
head repository: oldium/clevis
compare: v21_tpm1
  • 11 commits
  • 28 files changed
  • 1 contributor

Commits on Sep 28, 2024

  1. Ensure the shutdown dependency is present

    The DefaultDependencies=yes option adds a conflicting dependency on the
    shutdown.target automatically to ensure the service is terminated during
    the shutdown, so add it when we use DefaultDependencies=no.
    
    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    78ff0d8
  2. Allow reading used set of pins by clevis scripts

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    300ff3c
  3. Supply cryptsetup password through pipe in Dracut

    Current Dracut integration ignores all cryptsetup options, which are
    usually handled by Dracut itself (like reading /etc/crypttab). We need to
    hook into the Dracut cryptsetup process in order to let Dracut handle
    the options while we handle the password only.
    
    Dracut uses generated udev rules to create cryptsetup unlocking scripts
    in initqueue/settled dynamically when the corresponding device appears. The
    unlocking tries to unlock by the key file first and then by a password read
    from the user.
    
    We can hook into the key file reading stage by providing our own pipe and
    send the password via the pipe similarly to how the initramfs-tools
    clevisloop is doing it. There is one difference, though: we have only one
    try to unlock, but that should be enough.
    
    For the network pins (tang and sss/tang at the moment) we can move the
    generated Dracut cryptsetup unlocking scripts to initqueue/online to
    ensure the unlocking happens at the right time.
    
    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    d8a71c1
  4. Support printing the null pin configuration

    This is useful during testing.
    
    Signed-off-by: Oldřich Jedlička <oldium.pro.gmail.com>
    oldium committed Sep 28, 2024
    76f719e
  5. Added encrypt and decrypt support for TPM 1.2 as tpm1 pin

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    ec4aede
  6. Added tpm1 pin tests

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    29bede3
  7. Added tpm1 pin documentation

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    ecbb4dd
  8. Ensure TCSD is started before Clevis for tpm1 pin functionality

    This is a weak requirement, so when TCSD is missing, it does not influence
    the Clevis askpass service startup. Similarly, if the TCSD startup fails,
    it does not affect the Clevis askpass service startup.
    
    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    5fa3dd2
  9. Added TPM 1.2 support for initramfs-tools

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    c83ec45
  10. Added TPM 1.2 support for Dracut

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    b96e490
  11. Mention TPM 1.2 support in README

    Signed-off-by: Oldřich Jedlička <[email protected]>
    oldium committed Sep 28, 2024
    20bdb2f