BUG: clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"1,4,5,7,9"}' fails on an empty password (#494)
This is not right:

```sh
clevis_luks_check_valid_key_or_keyfile() {
    local DEV="${1}"
    local KEY="${2:-}"
    local KEYFILE="${3:-}"
    local SLT="${4:-}"
    local EXISTING_TOKEN_ID="${5:-}"

    [ -z "${DEV}" ] && return 1
    # An empty KEY is indistinguishable from no KEY here, so an empty
    # passphrase fails this check before cryptsetup is ever run.
    [ -z "${EXISTING_TOKEN_ID}" ] && [ -z "${KEYFILE}" ] && [ -z "${KEY}" ] && return 1

    local extra_args
    extra_args="$([ -n "${SLT}" ] && printf -- '--key-slot %s' "${SLT}")"

    if [ -n "${KEYFILE}" ]; then
        cryptsetup open --test-passphrase "${DEV}" --key-file "${KEYFILE}" \
            ${extra_args}
        return
    fi
    if [ -n "${EXISTING_TOKEN_ID}" ]; then
        cryptsetup open --test-passphrase "${DEV}" --token-id "${EXISTING_TOKEN_ID}" \
            ${extra_args}
        return
    fi
    # Passphrase path: the key is piped to cryptsetup on stdin.
    printf '%s' "${KEY}" | cryptsetup open --test-passphrase "${DEV}" \
        ${extra_args}
}
```

There should be means to pass
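The posted function rejects an empty passphrase because `[ -z "${KEY}" ]` cannot tell "no key was passed" from "an empty key was passed". The following is an added example (mine, not clevis code and not the PR mentioned later in this thread) of a check helper that makes the distinction explicit by taking named options, so `--key ""` is an unambiguous request to test a zero-length passphrase. The `cryptsetup_dryrun` shim and the `CRYPTSETUP` variable are assumptions added so the example runs without a LUKS device; the real function would simply invoke `cryptsetup`.

```shell
#!/usr/bin/env bash
# Added example, not clevis code. It shows how a key-check helper can tell
# "no key was passed" from "an empty passphrase was passed": in the posted
# clevis_luks_check_valid_key_or_keyfile(), [ -z "${KEY}" ] is true for both,
# so an empty LUKS passphrase is rejected with status 1 before cryptsetup is
# ever asked. Named options replace the positionals so that `--key ""` is an
# explicit, unambiguous request.
#
# CRYPTSETUP is a hypothetical hook so the example runs offline; it defaults to
# a dry-run shim that prints the command line it would have executed.

cryptsetup_dryrun() {
    local arg
    printf 'cryptsetup'
    for arg in "$@"; do printf " '%s'" "$arg"; done
    printf '\n'
}
: "${CRYPTSETUP:=cryptsetup_dryrun}"

# check_valid_key DEV [--key PASS] [--key-file FILE] [--token-id N] [--slot N]
# Returns cryptsetup's exit status, or 1 when the arguments are unusable.
# As in the posted code, a passphrase is handed to cryptsetup on stdin.
check_valid_key() {
    [ "$#" -ge 1 ] && [ -n "$1" ] || return 1
    local dev="$1" have_key=0 key="" keyfile="" token="" slot=""
    shift
    while [ "$#" -gt 0 ]; do
        [ "$#" -ge 2 ] || return 1            # every option takes a value
        case "$1" in
            --key)      have_key=1; key="$2" ;;   # "" is a legitimate value
            --key-file) keyfile="$2" ;;
            --token-id) token="$2" ;;
            --slot)     slot="$2" ;;
            *)          return 1 ;;
        esac
        shift 2
    done
    # Bail out only when nothing at all was supplied to test with. An empty
    # --key does not count as "nothing": it is a passphrase of length zero.
    [ "$have_key" -eq 1 ] || [ -n "$keyfile" ] || [ -n "$token" ] || return 1

    # slot is numeric, so the unquoted expansion below is safe when set and
    # vanishes entirely when empty.
    if [ -n "$keyfile" ]; then
        "$CRYPTSETUP" open --test-passphrase "$dev" --key-file "$keyfile" \
            ${slot:+--key-slot $slot}
    elif [ -n "$token" ]; then
        "$CRYPTSETUP" open --test-passphrase "$dev" --token-id "$token" \
            ${slot:+--key-slot $slot}
    else
        printf '%s' "$key" | "$CRYPTSETUP" open --test-passphrase "$dev" \
            ${slot:+--key-slot $slot}
    fi
}

# Dry-run demo: an empty passphrase is accepted and reaches cryptsetup.
check_valid_key /dev/sda3 --key ""   # cryptsetup 'open' '--test-passphrase' '/dev/sda3'
```

Point `CRYPTSETUP` at the real binary (`CRYPTSETUP=cryptsetup`) to exercise a device; the only behavioural difference from the posted function is that the "no credential" check now looks at whether `--key` was given at all rather than at the length of its value.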
What about something like this?
I still get with this patch:
I built a local version installed under
Are you sure it is using the updated version? I get this exact output without the patch. With it, it should not show that
I'll sanity check this.
Sorry, have been busy with other work; not forgotten.
It fixes the issue:
Thanks for testing; I added a PR to address it.
[originally posted here: https://social.kernel.org/notice/AnAEEyg3ULvyJzNq88]
Clevis has a bug that the following ends up failing unless the passphrase is non-empty:
An empty passphrase can be created by means of:
It is a totally legit configuration and scenario for my NUC7CJYH, which I use only for kernel testing. Threats are protected by the requirement of having physical presence checked.
Transcript: