[Libguestfs] [libguestfs-common PATCH 11/12] options, mltools/tools_utils: parse "--key ID:clevis" options

Richard W.M. Jones rjones at redhat.com
Tue Jun 28 14:48:49 UTC 2022


On Tue, Jun 28, 2022 at 01:49:14PM +0200, Laszlo Ersek wrote:
> Provide the user interface (in both the C and the OCaml tools) for
> selecting network-based, passphrase-less decryption. This is the front-end
> exposing the previously added back-end.
> 
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
> ---
>  mltools/tools_utils.ml  | 5 +++++
>  mltools/tools_utils-c.c | 3 +++
>  options/keys.c          | 4 ++++
>  options/key-option.pod  | 6 ++++++
>  4 files changed, 18 insertions(+)
> 
> diff --git a/mltools/tools_utils.ml b/mltools/tools_utils.ml
> index e534cbead47a..1da5850340d4 100644
> --- a/mltools/tools_utils.ml
> +++ b/mltools/tools_utils.ml
> @@ -32,10 +32,11 @@ type key_store = {
>    keys : (string * key_store_key) list ref;
>  }
>  and key_store_key =
>    | KeyString of string
>    | KeyFileName of string
> +  | KeyClevis
>  
>  external c_inspect_decrypt : Guestfs.t -> int64 -> (string * key_store_key) list -> unit = "guestfs_int_mllib_inspect_decrypt"
>  external c_set_echo_keys : unit -> unit = "guestfs_int_mllib_set_echo_keys" [@@noalloc]
>  external c_set_keys_from_stdin : unit -> unit = "guestfs_int_mllib_set_keys_from_stdin" [@@noalloc]
>  external c_rfc3339_date_time_string : unit -> string = "guestfs_int_mllib_rfc3339_date_time_string"
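Review bot: `KeyClevis` is the first constant constructor of `key_store_key`, and the C stub in this same patch (tools_utils-c.c, `case 0:  /* KeyClevis */` inside `guestfs_int_mllib_inspect_decrypt`) recognises it only by that index, so the coupling should be stated next to the type rather than left implicit. A comment such as `(* Constant constructors are dispatched by Int_val index in tools_utils-c.c; keep declaration order in sync with the switch there. *)` above the `| KeyClevis` line would do. Without it, inserting another constant constructor ahead of `KeyClevis` would silently change the integer the C side sees and route the selector into the "unhandled Int_val" error path. The same remark applies to the tools_utils-c.c hunk, where the `case 0` comment could name the OCaml file it mirrors.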
> @@ -406,10 +407,14 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
>        | [ _; "file" ]
>        |  _ :: "file" :: _ :: _ :: _ ->
>          error (f_"selector '%s': missing FILENAME, or too many fields") arg
>        | [ device; "file"; file ] ->
>           List.push_back ks.keys (device, KeyFileName file)
> +      |  _ :: "clevis" :: _ :: _ ->
> +        error (f_"selector '%s': too many fields") arg
> +      | [ device; "clevis" ] ->
> +         List.push_back ks.keys (device, KeyClevis)
>        | _ ->
>           error (f_"selector '%s': invalid TYPE") arg
>      in
>  
>      add_argspec ([ L"echo-keys" ],       Getopt.Unit c_set_echo_keys,       s_"Don’t turn off echo for passphrases");
> diff --git a/mltools/tools_utils-c.c b/mltools/tools_utils-c.c
> index e9f273ec857f..f429d7708772 100644
> --- a/mltools/tools_utils-c.c
> +++ b/mltools/tools_utils-c.c
> @@ -81,10 +81,13 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv)
>                 "internal error: unhandled Tag_val (v) = %d",
>                 Tag_val (v));
>        }
>      else
>        switch (Int_val (v)) {
> +      case 0:  /* KeyClevis */
> +        key.type = key_clevis;
> +        break;
>        default:
>          error (EXIT_FAILURE, 0,
>                 "internal error: unhandled Int_val (v) = %d",
>                 Int_val (v));
>        }
> diff --git a/options/keys.c b/options/keys.c
> index a6ef2d78b589..d53e3e774a9b 100644
> --- a/options/keys.c
> +++ b/options/keys.c
> @@ -248,10 +248,14 @@ key_store_add_from_selector (struct key_store *ks, const char *selector)
>               _("selector '%s': missing FILENAME, or too many fields"),
>               selector);
>      key.file.name = strdup (fields[2]);
>      if (!key.file.name)
>        error (EXIT_FAILURE, errno, "strdup");
> +  } else if (STREQ (fields[1], "clevis")) {
> +    key.type = key_clevis;
> +    if (field_count != 2)
> +      error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);
>    } else
>      error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector);
>  
>    return key_store_import_key (ks, &key);
>  }
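Review bot: The new `clevis` branch assigns `key.type = key_clevis;` before it validates `field_count`, whereas the sibling `file` branch just above validates the field count first and only then fills in `key.file.name`. Since `error (EXIT_FAILURE, ...)` does not return this is not a functional defect, but it reads as if a partially initialised `key` could reach `key_store_import_key`; moving `key.type = key_clevis;` below the `if (field_count != 2)` check keeps the validate-then-populate order consistent across the branches. The same ordering would also be the natural place for a one-line comment noting that a clevis selector carries no secret material of its own, e.g. `/* Clevis: no passphrase in the selector; unlocking is attempted over the network. */`, mirroring the wording the key-option.pod hunk adds for users.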
> diff --git a/options/key-option.pod b/options/key-option.pod
> index 90a3b15c57a2..34229ce9cbb2 100644
> --- a/options/key-option.pod
> +++ b/options/key-option.pod
> @@ -12,6 +12,12 @@ Use the specified C<KEY_STRING> as passphrase.
>  
>  =item B<--key> C<ID>:file:FILENAME
>  
>  Read the passphrase from F<FILENAME>.
>  
> +=item B<--key> C<ID>:clevis
> +
> +Attempt passphrase-less unlocking for C<ID> with Clevis, over the
> +network.  Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
> +information on network-bound disk encryption (NBDE).
> +

Reviewed-by: Richard W.M. Jones <rjones at redhat.com>


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html

