Provide the user interface (in both the C and the OCaml tools) for
selecting network-based, passphrase-less decryption. This is the front-end
exposing the previously added back-end.
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1809453
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
mltools/tools_utils.ml | 5 +++++
mltools/tools_utils-c.c | 3 +++
options/keys.c | 4 ++++
options/key-option.pod | 6 ++++++
4 files changed, 18 insertions(+)
diff --git a/mltools/tools_utils.ml b/mltools/tools_utils.ml
index e534cbead47a..1da5850340d4 100644
--- a/mltools/tools_utils.ml
+++ b/mltools/tools_utils.ml
@@ -32,10 +32,11 @@ type key_store = {
keys : (string * key_store_key) list ref;
}
and key_store_key =
| KeyString of string
| KeyFileName of string
+ | KeyClevis
external c_inspect_decrypt : Guestfs.t -> int64 -> (string * key_store_key) list
-> unit = "guestfs_int_mllib_inspect_decrypt"
external c_set_echo_keys : unit -> unit = "guestfs_int_mllib_set_echo_keys"
[@@noalloc]
external c_set_keys_from_stdin : unit -> unit =
"guestfs_int_mllib_set_keys_from_stdin" [@@noalloc]
external c_rfc3339_date_time_string : unit -> string =
"guestfs_int_mllib_rfc3339_date_time_string"
@@ -406,10 +407,14 @@ let create_standard_options argspec ?anon_fun ?(key_opts = false)
| [ _; "file" ]
| _ :: "file" :: _ :: _ :: _ ->
error (f_"selector '%s': missing FILENAME, or too many
fields") arg
| [ device; "file"; file ] ->
List.push_back ks.keys (device, KeyFileName file)
+ | _ :: "clevis" :: _ :: _ ->
+ error (f_"selector '%s': too many fields") arg
+ | [ device; "clevis" ] ->
+ List.push_back ks.keys (device, KeyClevis)
| _ ->
error (f_"selector '%s': invalid TYPE") arg
in
add_argspec ([ L"echo-keys" ], Getopt.Unit c_set_echo_keys,
s_"Don’t turn off echo for passphrases");
diff --git a/mltools/tools_utils-c.c b/mltools/tools_utils-c.c
index e9f273ec857f..f429d7708772 100644
--- a/mltools/tools_utils-c.c
+++ b/mltools/tools_utils-c.c
@@ -81,10 +81,13 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv)
"internal error: unhandled Tag_val (v) = %d",
Tag_val (v));
}
else
switch (Int_val (v)) {
+ case 0: /* KeyClevis */
+ key.type = key_clevis;
+ break;
default:
error (EXIT_FAILURE, 0,
"internal error: unhandled Int_val (v) = %d",
Int_val (v));
}
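Review bot: The new `case 0: /* KeyClevis */` arm hard-codes the position of KeyClevis among the constant constructors of key_store_key in tools_utils.ml (first hunk of this patch) as a bare integer, so inserting another nullary constructor ahead of it in the OCaml type would silently remap this case with no compile-time diagnostic on the C side. The comment should state that coupling, e.g. `case 0: /* KeyClevis: constant constructors are numbered from 0 in declaration order; keep in sync with key_store_key in tools_utils.ml */`. The enclosing guestfs_int_mllib_inspect_decrypt begins and ends outside the hunk, and the Tag_val branch above handles the block constructors, so the numbering here only concerns the constant ones.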
diff --git a/options/keys.c b/options/keys.c
index a6ef2d78b589..d53e3e774a9b 100644
--- a/options/keys.c
+++ b/options/keys.c
@@ -248,10 +248,14 @@ key_store_add_from_selector (struct key_store *ks, const char
*selector)
_("selector '%s': missing FILENAME, or too many
fields"),
selector);
key.file.name = strdup (fields[2]);
if (!key.file.name)
error (EXIT_FAILURE, errno, "strdup");
+ } else if (STREQ (fields[1], "clevis")) {
+ key.type = key_clevis;
+ if (field_count != 2)
+ error (EXIT_FAILURE, 0, _("selector '%s': too many fields"),
selector);
} else
error (EXIT_FAILURE, 0, _("selector '%s': invalid TYPE"),
selector);
return key_store_import_key (ks, &key);
}
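Review bot: In the new `clevis` branch `key.type = key_clevis` is assigned before the selector shape is validated, whereas the `file` branch above checks the field count first and only then fills in the key; since error() does not return this is a point of style rather than a bug, but swapping the two statements keeps the branches parallel: `if (field_count != 2) error (EXIT_FAILURE, 0, _("selector '%s': too many fields"), selector);` followed by `key.type = key_clevis;`. A clevis key carries no payload, so a one-line comment such as `/* "clevis" has no payload: only key.type is set; the unlock is attempted by Clevis over the network (see key-option.pod). */` would tell the next reader why no other member of key is populated. key_store_add_from_selector starts outside the hunk, so whether key is zero-initialised before these branches cannot be confirmed from here.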
diff --git a/options/key-option.pod b/options/key-option.pod
index 90a3b15c57a2..34229ce9cbb2 100644
--- a/options/key-option.pod
+++ b/options/key-option.pod
@@ -12,6 +12,12 @@ Use the specified C<KEY_STRING> as passphrase.
=item B<--key> C<ID>:file:FILENAME
Read the passphrase from F<FILENAME>.
+=item B<--key> C<ID>:clevis
+
+Attempt passphrase-less unlocking for C<ID> with Clevis, over the
+network. Please refer to L<guestfs(3)/ENCRYPTED DISKS> for more
+information on network-bound disk encryption (NBDE).
+
Reviewed-by: Richard W.M. Jones <rjones(a)redhat.com>
--
Richard Jones, Virtualization Group, Red Hat