introduce the "clevis_luks_unlock" API

Introduce a new guestfs API called "clevis_luks_unlock". At the libguestfs
level, it is quite simple; it wraps the "clevis luks unlock" guest command
(implemented by the "clevis-luks-unlock" executable, which is in fact a
shell script).

The complexity is instead in the network-based disk encryption
(Clevis/Tang) scheme. Useful documentation:

- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening
- https://github.com/latchset/clevis#clevis
- https://github.com/latchset/tang#tang

The package providing "clevis-luks-unlock" is usually called
"clevis-luks", occasionally "clevis". Some distros don't package clevis at
all. Add the new API under a new option group (which may not be available)
called "clevisluks".

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220630122048.19335-3-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Laszlo Ersek
2022-06-30 14:20:47 +02:00
parent 99844660b4
commit 9a3e9a6c03
7 changed files with 120 additions and 5 deletions


@@ -23,6 +23,7 @@ dnl Basically the same with a few minor tweaks.
ifelse(UBUNTU,1,`define(`DEBIAN',1)')
ifelse(REDHAT,1,
clevis-luks
cryptsetup
cryptsetup-luks dnl old name used before Fedora 17
dhclient
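Review bot: the new clevis-luks entry carries no dnl note, while the cryptsetup-luks line two lines below records its naming history; since the commit message says the package is "usually called clevis-luks, occasionally clevis", a one-line `dnl` comment on this entry stating that clevis-luks is the Fedora/RHEL name would stop the next editor from "correcting" it to match the bare name used in other lists.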
@@ -53,6 +54,7 @@ ifelse(DEBIAN,1,
bsdmainutils
dnl old name used in Jessie and earlier
btrfs-tools
clevis-luks
cryptsetup
dash
extlinux
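Review bot: the commit message says some distros do not package clevis at all and that the new option group "may not be available", yet nothing in this list marks clevis-luks as optional; confirm that the appliance build tolerates a package missing from the target Debian or Ubuntu release (the Debian list is reused for Ubuntu through the UBUNTU define at the top of the file) rather than failing, and state the outcome in the commit message.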
@@ -92,6 +94,7 @@ dnl iproute has been renamed to iproute2
ifelse(ARCHLINUX,1,
cdrkit
cdrtools
clevis
cryptsetup
dhclient
dhcpcd
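Review bot: Arch gets the bare "clevis" name rather than "clevis-luks"; because this file is read as a flat list with no annotation, add a short `dnl` comment on the entry noting that Arch ships clevis-luks-unlock in its single "clevis" package (the case the commit message describes as "occasionally clevis"), so the difference from the Fedora/Debian entries reads as deliberate rather than as a typo.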
@@ -119,6 +122,7 @@ ifelse(SUSE,1,
augeas-lenses
btrfsprogs
cdrkit-cdrtools-compat
clevis
cryptsetup
dhcpcd
dhcp-client
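Review bot: the SUSE list also uses the bare "clevis" name; before merging, verify on a SUSE appliance build that installing that package actually places the clevis-luks-unlock script, since the commit message states that script is what the new API executes and that the package split differs by distro; record the result in a `dnl` comment next to the entry.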