chimera-linux · Natthias · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024
diff --git a/user/clevis/files/sysusers.conf b/user/clevis/files/sysusers.conf
@@ -0,0 +1,3 @@
+# Create clevis system user
+
+u _clevis - "clevis user" /var/lib/clevis /usr/bin/nologin
diff --git a/user/clevis/files/tmpfiles.conf b/user/clevis/files/tmpfiles.conf
@@ -0,0 +1,3 @@
+# Create clevis state directory
+
+d /var/lib/clevis 0755 _clevis _clevis -
diff --git a/user/clevis/patches/failing-tests.patch b/user/clevis/patches/failing-tests.patch
@@ -0,0 +1,9 @@
+diff --git a/src/pins/tang/tests/meson.build b/src/pins/tang/tests/meson.build
+index 83f9637..dc1ec1a 100644
+--- a/src/pins/tang/tests/meson.build
++++ b/src/pins/tang/tests/meson.build
+@@ -63,4 +63,3 @@ env.prepend('PATH',
+
+ test('pin-tang', find_program('pin-tang'), env: env)
+ test('tang-validate-adv', find_program('tang-validate-adv'), env: env)
+-test('default-thp-alg', find_program('default-thp-alg'), env: env)
diff --git a/user/clevis/patches/missing-binaries.patch b/user/clevis/patches/missing-binaries.patch
@@ -0,0 +1,20 @@
+diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
+index 3d4eb67..7312d7a 100755
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -92,9 +92,15 @@ copy_exec @bindir@/clevis || die 1 "@bindir@/clevis not found"
+ curl_bin=$(find_binary "curl")
+ awk_bin=$(find_binary "awk")
+ bash_bin=$(find_binary "bash")
++ps_bin=$(find_binary "ps")
++ip_bin=$(find_binary "ip")
++mktemp_bin=$(find_binary "mktemp")
+ copy_exec "${curl_bin}" || die 2 "Unable to copy ${curl_bin} to initrd image"
+ copy_exec "${awk_bin}" || die 2 "Unable to copy ${awk_bin} to initrd image"
+ copy_exec "${bash_bin}" || die 2 "Unable to copy ${bash_bin} to initrd image"
++copy_exec "${ps_bin}" || die 2 "Unable to copy ${ps_bin} to initrd image"
++copy_exec "${ip_bin}" || die 2 "Unable to copy ${ip_bin} to initrd image"
++copy_exec "${mktemp_bin}" || die 2 "Unable to copy ${mktemp_bin} to initrd image"
+
+ # Copy latest versions of shared objects needed for DNS resolution
+ for so in $(ldconfig -p | sed -nr 's/^\s*libnss_files\.so\.[0-9]+\s.*=>\s*//p'); do
diff --git a/user/clevis/patches/ps-path.patch b/user/clevis/patches/ps-path.patch
@@ -0,0 +1,13 @@
+diff --git a/src/initramfs-tools/scripts/local-top/clevis.in b/src/initramfs-tools/scripts/local-top/clevis.in
+index da68507..82f2812 100755
+--- a/src/initramfs-tools/scripts/local-top/clevis.in
++++ b/src/initramfs-tools/scripts/local-top/clevis.in
+@@ -41,7 +41,7 @@ get_fifo_path() {
+
+ # Print the PID of the askpass process and fifo path with a file descriptor opened to
+ get_askpass_pid() {
+-    psinfo=$(ps) # Doing this so I don't end up matching myself
++    psinfo=$(ps t) # Doing this so I don't end up matching myself
+     echo "$psinfo" | awk "/$cryptkeyscript/ { print \$1 }" | while read -r pid; do
+         pf=$(get_fifo_path "${pid}")
+         if [[ $pf != "" ]]; then
diff --git a/user/clevis/patches/usrmerge.patch b/user/clevis/patches/usrmerge.patch
@@ -0,0 +1,31 @@
+diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
+index 7312d7a..afd2d44 100755
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -48,7 +48,7 @@ find_binary() {
+ }
+
+ if [ -n "${FORCE_CLEVIS}" ] && [ "${FORCE_CLEVIS}" != "n" ]; then
+-    for f in /sbin/cryptsetup /sbin/dmsetup /lib/cryptsetup/askpass; do
++    for f in /usr/bin/cryptsetup /usr/bin/dmsetup /usr/lib/cryptsetup/askpass; do
+         if [ ! -e "${DESTDIR}${f}" ]; then
+             die 2 "cryptsetup utility '$f' wasn't found in the generated ramdisk image. "
+         fi
+diff --git a/src/initramfs-tools/scripts/local-top/clevis.in b/src/initramfs-tools/scripts/local-top/clevis.in
+index 1487264..da68507 100755
+--- a/src/initramfs-tools/scripts/local-top/clevis.in
++++ b/src/initramfs-tools/scripts/local-top/clevis.in
+@@ -118,11 +118,11 @@ clevisloop() {
+     # Set the path how we want it (Probably not all needed)
+     PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
+
+-    if [ -x /bin/plymouth ] && plymouth --ping; then
++    if [ -x /usr/bin/plymouth ] && plymouth --ping; then
+         cryptkeyscript='plymouth ask-for-password'
+     else
+         # This has to be escaped for awk
+-        cryptkeyscript='\/lib\/cryptsetup\/askpass'
++        cryptkeyscript='\/usr\/lib\/cryptsetup\/askpass'
+     fi
+
+     OLD_CRYPTTAB_SOURCE=""
diff --git a/user/clevis/template.py b/user/clevis/template.py
@@ -0,0 +1,48 @@
+pkgname = "clevis"
+pkgver = "21"
+pkgrel = 0
+build_style = "meson"
+configure_args = [
+    "-Duser=_clevis",
+    "-Dgroup=_clevis",
+]
+hostmakedepends = [
+    "asciidoc",
+    "cryptsetup",
+    "initramfs-tools",
+    "meson",
+    "pkgconf",
+    "tpm2-tools",
+]
+makedepends = [
+    "bash-completion",
+    "jansson-devel",
+    "jose-devel",
+    "luksmeta-devel",
+]
+depends = [
+    "bash",
+    "jq",
+    "luksmeta",
+]
+checkdepends = [
+    "curl",
+    "keyutils",
+    "lsof",
+    "socat",
+    "tang",
+]
+pkgdesc = "Pluggable framework for automated decryption"
+maintainer = "natthias <[email protected]>"
+license = "GPL-3.0-or-later WITH custom:openssl-exception"
+url = "https://github.com/latchset/clevis"
+source = f"{url}/archive/refs/tags/v{pkgver}.tar.gz"
+sha256 = "0ba38f0438337a799e98e1ab41ca30670cc8c13eb5f1f628b4680d46e2ef0013"
+# cfi causes some tests to fail
+hardening = ["vis", "!cfi"]
+
+
+def post_install(self):
+    self.install_license("COPYING.openssl")
+    self.install_sysusers(self.files_path / "sysusers.conf")
+    self.install_tmpfiles(self.files_path / "tmpfiles.conf")
diff --git a/user/jose-devel b/user/jose-devel
@@ -0,0 +1 @@
+jose
diff --git a/user/jose/patches/failing-tests.patch b/user/jose/patches/failing-tests.patch
@@ -0,0 +1,12 @@
+diff --git a/tests/meson.build b/tests/meson.build
+index 1de53a1..6687b24 100644
+--- a/tests/meson.build
++++ b/tests/meson.build
+@@ -25,7 +25,6 @@ progs = [
+   'alg_comp',
+   'api_b64',
+   'api_jws',
+-  'api_jwe',
+ ]
+
+ e = environment()
diff --git a/user/jose/patches/ldd-18-fix.patch b/user/jose/patches/ldd-18-fix.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/meson.build b/lib/meson.build
+index a997ca9..703ae37 100644
+--- a/lib/meson.build
++++ b/lib/meson.build
+@@ -2,14 +2,8 @@ flags = '-Wl,--version-script=' + meson.current_source_dir() + '/libjose.map'
+ code = 'int main() { return 0; }'
+ cc = meson.get_compiler('c')
+
+-if host_machine.system() == 'freebsd'
+-  if not cc.links(code, args: flags + ',--undefined-version' , name: '-Wl,--version-script=...')
+-     flags = [ '-export-symbols-regex=^jose_.*' ]
+-  endif
+-else
+-  if not cc.links(code, args: flags, name: '-Wl,--version-script=...')
+-     flags = [ '-export-symbols-regex=^jose_.*' ]
+-  endif
++if not cc.links(code, args: flags + ',--undefined-version' , name: '-Wl,--version-script=...')
++  flags = [ '-export-symbols-regex=^jose_.*' ]
+ endif
+
+ libjose_lib = shared_library('jose',
diff --git a/user/jose/template.py b/user/jose/template.py
@@ -0,0 +1,29 @@
+pkgname = "jose"
+pkgver = "14"
+pkgrel = 0
+build_style = "meson"
+hostmakedepends = [
+    "asciidoc",
+    "libxml2-progs",
+    "meson",
+    "pkgconf",
+]
+makedepends = [
+    "jansson-devel",
+    "openssl-devel",
+    "zlib-ng-compat-devel",
+]
+checkdepends = ["jq"]
+pkgdesc = "JSON Object Signing and Encryption standards in C"
+maintainer = "natthias <[email protected]>"
+license = "GPL-3.0-or-later"
+url = "https://github.com/latchset/jose"
+source = f"{url}/archive/refs/tags/v{pkgver}.tar.gz"
+sha256 = "3ffb8ea9a0fa5194051499d96bfde957621fcd490ef7ed95effc699029d7ad3b"
+# vis breaks symbols
+hardening = ["!vis", "!cfi"]
+
+
+@subpackage("jose-devel")
+def _(self):
+    return self.default_devel()
diff --git a/user/luksmeta-devel b/user/luksmeta-devel
@@ -0,0 +1 @@
+luksmeta
diff --git a/user/luksmeta/patches/force-creation-of-luks1-containers-in-tests.patch b/user/luksmeta/patches/force-creation-of-luks1-containers-in-tests.patch
@@ -0,0 +1,26 @@
+Patch-Source: https://github.com/latchset/luksmeta/pull/10
+
+From af81262c0f6e6b37e5c6b520d0fca3a9f9b6c1fc Mon Sep 17 00:00:00 2001
+From: Christoph Biedl <[email protected]>
+Date: Sat, 28 Sep 2019 13:24:11 +0200
+Subject: [PATCH] Force creation of LUKS1 containers in test suite
+
+Cryptsetup defaults to LUKS2 since version 2.1, make sure to create
+LUKS1 containers instead by using the "--type luks1" argument.
+---
+ test-luksmeta | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test-luksmeta b/test-luksmeta
+index fd17ead..f1e8b2e 100755
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -11,7 +11,7 @@ function onexit() {
+ trap 'onexit' EXIT
+
+ truncate -s 4M $tmp
+-echo -n foo | cryptsetup luksFormat $tmp -
++echo -n foo | cryptsetup luksFormat --type luks1 $tmp -
+
+ ! ./luksmeta test -d $tmp
+