[Libguestfs] [libguestfs-common PATCH v2 11/12] options, mltools/tools_utils: parse "--key ID:clevis" options

Laszlo Ersek lersek at redhat.com
Thu Jun 30 12:20:27 UTC 2022


Provide the user interface (in both the C and the OCaml tools) for
selecting network-based, passphrase-less decryption. This is the front-end
that exposes the back-end added earlier in the series.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Signed-off-by: Laszlo Ersek <lersek at redhat.com>
Reviewed-by: Richard W.M. Jones <rjones at redhat.com>
---

Notes:
    v2:
    - pick up Rich's R-b

 mltools/tools_utils.ml  | 5 +++++
 mltools/tools_utils-c.c | 3 +++
 options/keys.c          | 4 ++++
 options/key-option.pod  | 6 ++++++
 4 files changed, 18 insertions(+)

diff --git a/mltools/tools_utils.ml b/mltools/tools_utils.ml
index e534cbead47a..1da5850340d4 100644
--- a/mltools/tools_utils.ml
+++ b/mltools/tools_utils.ml
@@ -32,10 +32,11 @@ type key_store = {
   keys : (string * key_store_key) list ref;
 }
 and key_store_key =
   | KeyString of string
   | KeyFileName of string
+  | KeyClevis
 
 external c_inspect_decrypt : Guestfs.t -> int64 -> (string * key_store_key) list -> unit = "guestfs_int_mllib_inspect_decrypt"
 external c_set_echo_keys : unit -> unit = "guestfs_int_mllib_set_echo_keys" [@@noalloc]
 external c_set_keys_from_stdin : unit -> unit = "guestfs_int_mllib_set_keys_from_stdin" [@@noalloc]
 external c_rfc3339_date_time_string : unit -> string = "guestfs_int_mllib_rfc3339_date_time_string"
@@ -406,10 +407,14 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
       | [ _; "file" ]
       |  _ :: "file" :: _ :: _ :: _ ->
         error (f_"selector '%s': missing FILENAME, or too many fields") arg
       | [ device; "file"; file ] ->
          List.push_back ks.keys (device, KeyFileName file)
+      |  _ :: "clevis" :: _ :: _ ->
+        error (f_"selector '%s': too many fields") arg
+      | [ device; "clevis" ] ->
+         List.push_back ks.keys (device, KeyClevis)
       | _ ->
          error (f_"selector '%s': invalid TYPE") arg
     in
 
     add_argspec ([ L"echo-keys" ],       Getopt.Unit c_set_echo_keys,       s_"Don’t turn off echo for passphrases");
diff --git a/mltools/tools_utils-c.c b/mltools/tools_utils-c.c
index d22a5e65b0c2..4ff42e5d5f7f 100644
--- a/mltools/tools_utils-c.c
+++ b/mltools/tools_utils-c.c
@@ -79,10 +79,13 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv)
       default:
         abort ();
       }
     else
       switch (Int_val (v)) {
+      case 0:  /* KeyClevis */
+        key.type = key_clevis;
+        break;
       default:
         abort ();
       }
 
     ks = key_store_import_key (ks, &key);
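Review bot: The `case 0:  /* KeyClevis */` label depends on KeyClevis being the first constant (payload-less) constructor of key_store_key in tools_utils.ml, and the comment does not say so; the next constant constructor added to that type would silently shift this index, with only the `default: abort ()` as a safety net. I would widen the comment to `/* Int_val: constant constructors of key_store_key (tools_utils.ml), in declaration order — keep in sync. */` so the coupling is visible at the C end, and add a matching remark next to the `KeyClevis` line in the OCaml type. guestfs_int_mllib_inspect_decrypt begins outside the hunk, so the declaration and initialisation of `key` are not visible here.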
diff --git a/options/keys.c b/options/keys.c
index 37e1648fc969..e7c550f4796b 100644
--- a/options/keys.c
+++ b/options/keys.c
@@ -248,10 +248,14 @@ key_store_add_from_selector (struct key_store *ks, const char *selector)
              _("selector '%s': missing FILENAME, or too many fields"),
              selector);
     key.file.name = strdup (fields[2]);
     if (!key.file.name)
       error (EXIT_FAILURE, errno, "strdup");
+  } else if (STREQ (fields[1], "clevis")) {
+    key.type = key_clevis;
+    if (field_count != 2)
+      error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);
   } else
     error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"), selector);
 
   return key_store_import_key (ks, &key);
 }
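Review bot: The new `clevis` branch stores no secret in `key` — only `key.type` is assigned — and the actual unlock is deferred to a network exchange at decrypt time, which is worth stating at the point where the selector is accepted; a comment such as `/* No passphrase material here: unlocking is delegated to the clevis back-end over the network. */` before `key.type = key_clevis;` would save the next reader a trip to the back-end. The `field_count != 2` check mirrors the shape of the existing `file` branch (type assigned, then the field count validated with a fatal error on mismatch), so the two selector forms behave consistently. key_store_add_from_selector starts outside the hunk, so whether `field_count >= 2` is already guaranteed before `fields[1]` is compared is not visible from here.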
diff --git a/options/key-option.pod b/options/key-option.pod
index 90a3b15c57a2..34229ce9cbb2 100644
--- a/options/key-option.pod
+++ b/options/key-option.pod
@@ -12,6 +12,12 @@ Use the specified C<KEY_STRING> as passphrase.
 
 =item B<--key> C<ID>:file:FILENAME
 
 Read the passphrase from F<FILENAME>.
 
+=item B<--key> C<ID>:clevis
+
+Attempt passphrase-less unlocking for C<ID> with Clevis, over the
+network.  Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
+information on network-bound disk encryption (NBDE).
+
 =back
-- 
2.19.1.3.g30247aa5d201



