From a5aa695821e34fb218c7d705065aaf7077737c8c Mon Sep 17 00:00:00 2001
From: Jonathan Davies <jpds@protonmail.com>
Date: Fri, 5 Nov 2021 15:24:12 +0000
Subject: [PATCH] Moved dracut directory up to top-level to decouple it with
 systemd.

Adds a clevis-luks-generic-unlocker for alternative use without systemd.

Based on patch by Sergio Correia <scorreia@redhat.com>

Closes: #346

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
---
 .../dracut/clevis-pin-sss/meson.build         |  0
 .../dracut/clevis-pin-sss/module-setup.sh.in  |  0
 .../dracut/clevis-pin-tang/meson.build        |  0
 .../dracut/clevis-pin-tang/module-setup.sh.in |  0
 .../dracut/clevis-pin-tpm2/meson.build        |  0
 .../dracut/clevis-pin-tpm2/module-setup.sh.in |  0
 src/dracut/clevis/clevis-hook.sh.in           |  3 +
 .../clevis/clevis-luks-generic-unlocker       | 70 +++++++++++++++++++
 .../systemd => }/dracut/clevis/meson.build    |  1 +
 .../dracut/clevis/module-setup.sh.in          | 19 +++--
 src/{luks/systemd => }/dracut/meson.build     |  0
 .../systemd/dracut/clevis/clevis-hook.sh.in   |  2 -
 src/luks/systemd/meson.build                  |  1 -
 src/meson.build                               |  1 +
 14 files changed, 90 insertions(+), 7 deletions(-)
 rename src/{luks/systemd => }/dracut/clevis-pin-sss/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-sss/module-setup.sh.in (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tang/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tang/module-setup.sh.in (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/meson.build (100%)
 rename src/{luks/systemd => }/dracut/clevis-pin-tpm2/module-setup.sh.in (100%)
 create mode 100755 src/dracut/clevis/clevis-hook.sh.in
 create mode 100755 src/dracut/clevis/clevis-luks-generic-unlocker
 rename src/{luks/systemd => }/dracut/clevis/meson.build (87%)
 rename src/{luks/systemd => }/dracut/clevis/module-setup.sh.in (76%)
 rename src/{luks/systemd => }/dracut/meson.build (100%)
 delete mode 100755 src/luks/systemd/dracut/clevis/clevis-hook.sh.in

diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
rename to src/dracut/clevis-pin-sss/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
rename to src/dracut/clevis-pin-sss/module-setup.sh.in
diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
rename to src/dracut/clevis-pin-tang/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
rename to src/dracut/clevis-pin-tang/module-setup.sh.in
diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
rename to src/dracut/clevis-pin-tpm2/meson.build
diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
similarity index 100%
rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
new file mode 100755
index 00000000..91ff2bd3
--- /dev/null
+++ b/src/dracut/clevis/clevis-hook.sh.in
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+@libexecdir@/clevis-luks-generic-unlocker -l
diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
new file mode 100755
index 00000000..a3b9d62e
--- /dev/null
+++ b/src/dracut/clevis/clevis-luks-generic-unlocker
@@ -0,0 +1,70 @@
+#!/bin/bash
+set -eu
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2020-2021 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+# Make sure to exit cleanly if SIGTERM is received.
+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
+
+loop=
+while getopts ":l" o; do
+    case "${o}" in
+    l) loop=true;;
+    *) ;;
+    esac
+done
+
+to_unlock() {
+    local _devices='' _d _uuid
+    for _d in $(lsblk -o PATH,FSTYPE,RM \
+               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
+    do
+        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
+                         || [ -z "${bindings}" ]; then
+            continue
+        fi
+        _uuid="$(cryptsetup luksUUID "${_d}")"
+        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
+            continue
+        fi
+        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
+    done
+    echo "${_devices}" | sed -e 's/^\n$//'
+}
+
+while true; do
+    for d in $(to_unlock); do
+        uuid="$(cryptsetup luksUUID "${d}")"
+        if ! clevis luks unlock -d "${d}"; then
+            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
+            continue
+        fi
+        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
+    done
+
+    [ "${loop}" != true ] && break
+    # Checking for pending devices to be unlocked.
+    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
+        break;
+    fi
+
+    sleep 0.5
+done
diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
similarity index 87%
rename from src/luks/systemd/dracut/clevis/meson.build
rename to src/dracut/clevis/meson.build
index 167e708a..224e27fc 100644
--- a/src/luks/systemd/dracut/clevis/meson.build
+++ b/src/dracut/clevis/meson.build
@@ -16,6 +16,7 @@ if dracut.found()
     install_dir: dracutdir,
     configuration: data,
   )
+  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
 else
   warning('Will not install dracut module due to missing dependencies!')
 endif
diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
similarity index 76%
rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
rename to src/dracut/clevis/module-setup.sh.in
index bfe657c1..dbce7900 100755
--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
+++ b/src/dracut/clevis/module-setup.sh.in
@@ -19,7 +19,11 @@
 #
 
 depends() {
-    echo crypt systemd
+    local __depends=crypt
+    if dracut_module_included "systemd"; then
+        __depends=$(printf '%s systemd' "${_depends}")
+    fi
+    echo "${__depends}"
     return 255
 }
 
@@ -27,17 +31,24 @@ install() {
     if dracut_module_included "systemd"; then
         inst_multiple \
             $systemdsystemunitdir/clevis-luks-askpass.service \
-            $systemdsystemunitdir/clevis-luks-askpass.path
+            $systemdsystemunitdir/clevis-luks-askpass.path \
+            @SYSTEMD_REPLY_PASS@ \
+            @libexecdir@/clevis-luks-askpass
         systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
     else
         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
+
+	inst_multiple \
+            @libexecdir@/clevis-luks-generic-unlocker \
+            clevis-luks-unlock \
+            lsblk \
+            sort \
+            awk
     fi
 
     inst_multiple \
         /etc/services \
-        @SYSTEMD_REPLY_PASS@ \
-        @libexecdir@/clevis-luks-askpass \
         clevis-luks-common-functions \
         grep sed cut \
         clevis-decrypt \
diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
similarity index 100%
rename from src/luks/systemd/dracut/meson.build
rename to src/dracut/meson.build
diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
deleted file mode 100755
index cb257c99..00000000
--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash
-@libexecdir@/clevis-luks-askpass
diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
index e3b3d918..b10494e3 100644
--- a/src/luks/systemd/meson.build
+++ b/src/luks/systemd/meson.build
@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
 
 if systemd.found() and sd_reply_pass.found()
   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
-  subdir('dracut')
 
   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
 
diff --git a/src/meson.build b/src/meson.build
index c4e696f6..a0dff5b7 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -1,6 +1,7 @@
 subdir('bash')
 subdir('luks')
 subdir('pins')
+subdir('dracut')
 subdir('initramfs-tools')
 
 bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')