[Libguestfs] [libguestfs-common PATCH 11/12] options, mltools/tools_utils: parse "--key ID:clevis" options
Richard W.M. Jones
rjones at redhat.com
Tue Jun 28 14:48:49 UTC 2022
On Tue, Jun 28, 2022 at 01:49:14PM +0200, Laszlo Ersek wrote:
> Provide the user interface (in both the C and the OCaml tools) for
> selecting network-based, passphrase-less decryption. This is the front-end
> exposing the previously added back-end.
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> ---
> mltools/tools_utils.ml | 5 +++++
> mltools/tools_utils-c.c | 3 +++
> options/keys.c | 4 ++++
> options/key-option.pod | 6 ++++++
> 4 files changed, 18 insertions(+)
>
> diff --git a/mltools/tools_utils.ml b/mltools/tools_utils.ml
> index e534cbead47a..1da5850340d4 100644
> --- a/mltools/tools_utils.ml
> +++ b/mltools/tools_utils.ml
> @@ -32,10 +32,11 @@ type key_store = {
> keys : (string * key_store_key) list ref;
> }
> and key_store_key =
> | KeyString of string
> | KeyFileName of string
> + | KeyClevis
>
> external c_inspect_decrypt : Guestfs.t -> int64 -> (string * key_store_key) list -> unit = "guestfs_int_mllib_inspect_decrypt"
> external c_set_echo_keys : unit -> unit = "guestfs_int_mllib_set_echo_keys" [@@noalloc]
> external c_set_keys_from_stdin : unit -> unit = "guestfs_int_mllib_set_keys_from_stdin" [@@noalloc]
> external c_rfc3339_date_time_string : unit -> string = "guestfs_int_mllib_rfc3339_date_time_string"
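Review bot: `KeyClevis` on the added line is the only nullary constructor of `key_store_key`, so OCaml represents it as the immediate integer 0, which the C stub in the mltools/tools_utils-c.c hunk hard-codes as `case 0: /* KeyClevis */`. Nothing ties the two definitions together at compile time, so a nullary constructor later inserted above `KeyClevis` would silently renumber it and send the C switch into its "unhandled Int_val" error path. Suggest a comment next to the constructor, e.g. `(* Nullary constructors are numbered from 0 in declaration order; keep in sync with the Int_val switch in tools_utils-c.c. *)`, and the mirror sentence on the C side. The enclosing `key_store` type declaration starts outside the hunk.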
> @@ -406,10 +407,14 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
> | [ _; "file" ]
> | _ :: "file" :: _ :: _ :: _ ->
> error (f_"selector '%s': missing FILENAME, or too many fields") arg
> | [ device; "file"; file ] ->
> List.push_back ks.keys (device, KeyFileName file)
> + | _ :: "clevis" :: _ :: _ ->
> + error (f_"selector '%s': too many fields") arg
> + | [ device; "clevis" ] ->
> + List.push_back ks.keys (device, KeyClevis)
> | _ ->
> error (f_"selector '%s': invalid TYPE") arg
> in
>
> add_argspec ([ L"echo-keys" ], Getopt.Unit c_set_echo_keys, s_"Don’t turn off echo for passphrases");
> diff --git a/mltools/tools_utils-c.c b/mltools/tools_utils-c.c
> index e9f273ec857f..f429d7708772 100644
> --- a/mltools/tools_utils-c.c
> +++ b/mltools/tools_utils-c.c
> @@ -81,10 +81,13 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv)
> "internal error: unhandled Tag_val (v) = %d",
> Tag_val (v));
> }
> else
> switch (Int_val (v)) {
> + case 0: /* KeyClevis */
> + key.type = key_clevis;
> + break;
> default:
> error (EXIT_FAILURE, 0,
> "internal error: unhandled Int_val (v) = %d",
> Int_val (v));
> }
> diff --git a/options/keys.c b/options/keys.c
> index a6ef2d78b589..d53e3e774a9b 100644
> --- a/options/keys.c
> +++ b/options/keys.c
> @@ -248,10 +248,14 @@ key_store_add_from_selector (struct key_store *ks, const char *selector)
> _("selector '%s': missing FILENAME, or too many fields"),
> selector);
> key.file.name = strdup (fields[2]);
> if (!key.file.name)
> error (EXIT_FAILURE, errno, "strdup");
> + } else if (STREQ (fields[1], "clevis")) {
> + key.type = key_clevis;
> + if (field_count != 2)
> + error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);
> } else
> error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector);
>
> return key_store_import_key (ks, &key);
> }
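Review bot: The new `clevis` branch assigns `key.type = key_clevis;` before validating `field_count`, whereas the preceding `file` branch (visible in the context lines) checks the selector shape first and only then fills in the key. Reordering keeps the two branches parallel: `} else if (STREQ (fields[1], "clevis")) {` / `if (field_count != 2) error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);` / `key.type = key_clevis;`. Since `error()` exits, behaviour is unchanged. Whether the remaining members of `key` are zero-initialised for this path is decided above the hunk; `key_store_add_from_selector` starts outside it.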
> diff --git a/options/key-option.pod b/options/key-option.pod
> index 90a3b15c57a2..34229ce9cbb2 100644
> --- a/options/key-option.pod
> +++ b/options/key-option.pod
> @@ -12,6 +12,12 @@ Use the specified C<KEY_STRING> as passphrase.
>
> =item B<--key> C<ID>:file:FILENAME
>
> Read the passphrase from F<FILENAME>.
>
> +=item B<--key> C<ID>:clevis
> +
> +Attempt passphrase-less unlocking for C<ID> with Clevis, over the
> +network. Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
> +information on network-bound disk encryption (NBDE).
> +
Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html