Add clevis-luks-unbind command

This command unbinds a pin bound to a LUKSv1 volume. Signed-off-by: Javier Martinez Canillas <[email protected]>
npmccallum · Mar 21, 2018 · b4f0a7c · b4f0a7c
1 parent 82aec64
commit b4f0a7c
Show file tree

Hide file tree

Showing 6 changed files with 171 additions and 0 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -11,6 +11,7 @@ dist_man1_MANS = \
     doc/clevis-encrypt-sss.1 \
     doc/clevis-luks-unlock.1 \
     doc/clevis-luks-bind.1 \
+    doc/clevis-luks-unbind.1 \
     doc/clevis-decrypt.1 \
     doc/clevis.1
 

diff --git a/README.md b/README.md
@@ -190,6 +190,14 @@ luks unlock command.
 $ sudo clevis luks unlock -d /dev/sda1
 ```
 
+#### Unbinding LUKS volumes
+
+LUKS volumes can be unbound using the clevis luks unbind command. For example:
+
+```bash
+$ sudo clevis luks unbind -d /dev/sda1 -s 1
+```
+
 ## Installing Clevis
 
 Please don't install Clevis directly. Instead, use your preferred

diff --git a/doc/clevis-luks-unbind.1 b/doc/clevis-luks-unbind.1
@@ -0,0 +1,34 @@
+.\" Automatically generated by Pandoc 1.19.1
+.\"
+.TH "CLEVIS\-LUKS\-UNBIND" "1" "February 2018" "" ""
+.hy
+.SH NAME
+.PP
+clevis\-luks\-unbind \-\- Unbinds a pin bound to a LUKSv1 volume
+.SH SYNOPSIS
+.PP
+\f[C]clevis\ luks\ unbind\f[] \-d DEV \-s SLT
+.SH OVERVIEW
+.PP
+The \f[C]clevis\ luks\ unbind\f[] command unbinds a pin bound to a
+LUKSv1 volume.
+For example:
+.IP
+.nf
+\f[C]
+$\ clevis\ luks\ unbind\ \-d\ /dev/sda\ \-s\ 1
+\f[]
+.fi
+.SH OPTIONS
+.IP \[bu] 2
+\f[C]\-d\f[] \f[I]DEV\f[] : The bound LUKS device
+.IP \[bu] 2
+\f[C]\-s\f[] \f[I]SLT\f[] : The LUKSMeta slot number for the pin to
+unbind
+.IP \[bu] 2
+\f[C]\-f\f[] : Do not ask for confirmation and wipe slot in batch\-mode
+.SH SEE ALSO
+.PP
+\f[C]clevis\-luks\-bind\f[](1)
+.SH AUTHORS
+Javier Martinez Canillas <[email protected]>.
diff --git a/doc/clevis-luks-unbind.1.md b/doc/clevis-luks-unbind.1.md
@@ -0,0 +1,33 @@
+% CLEVIS-LUKS-UNBIND(1)
+% Javier Martinez Canillas <[email protected]>
+% February 2018
+
+# NAME
+
+clevis-luks-unbind -- Unbinds a pin bound to a LUKSv1 volume
+
+# SYNOPSIS
+
+`clevis luks unbind` -d DEV -s SLT
+
+# OVERVIEW
+
+The `clevis luks unbind` command unbinds a pin bound to a LUKSv1 volume.
+For example:
+
+    $ clevis luks unbind -d /dev/sda -s 1
+
+# OPTIONS
+
+* `-d` _DEV_ :
+  The bound LUKS device
+
+* `-s` _SLT_ :
+  The LUKSMeta slot number for the pin to unbind
+
+* `-f` :
+  Do not ask for confirmation and wipe slot in batch-mode
+
+# SEE ALSO
+
+`clevis-luks-bind`(1)
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -22,6 +22,7 @@ dist_bin_SCRIPTS = \
     clevis-bind-luks \
     clevis-luks-unlock \
     clevis-luks-bind \
+    clevis-luks-unbind \
     clevis-decrypt \
     clevis
 

diff --git a/src/clevis-luks-unbind b/src/clevis-luks-unbind
@@ -0,0 +1,94 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2017 Red Hat, Inc.
+# Author: Javier Martinez Canillas <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+SUMMARY="Unbinds a pin bound to a LUKSv1 volume"
+UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+function usage() {
+    echo >&2
+    echo "Usage: clevis luks unbind -d DEV -s SLT" >&2
+    echo >&2
+    echo "$SUMMARY": >&2
+    echo >&2
+    echo "  -d DEV  The bound LUKS device" >&2
+    echo >&2
+    echo "  -s SLOT The LUKSMeta slot number for the pin unbind" >&2
+    echo >&2
+    echo "  -f      Do not ask for confirmation and wipe slot in batch-mode" >&2
+    echo >&2
+    exit 1
+}
+
+if [ $# -eq 1 -a "$1" == "--summary" ]; then
+    echo "$SUMMARY"
+    exit 0
+fi
+
+while getopts ":d:s:f" o; do
+    case "$o" in
+    f) FRC=-q;;
+    d) DEV=$OPTARG;;
+    s) SLT=$OPTARG;;
+    *) usage;;
+    esac
+done
+
+if [ -z "$DEV" ]; then
+    echo "Did not specify a device!" >&2
+    usage
+fi
+
+if [ -z "$SLT" ]; then
+    echo "Did not specify a slot!" >&2
+    usage
+fi
+
+if ! luksmeta test -d $DEV 2>/dev/null; then
+    echo "The $DEV device is not valid!" >&2
+    exit 1
+fi
+
+read -r slot active uuid <<< $(luksmeta show -d "$DEV" | grep "^$SLT *")
+
+if [ "$uuid" = "empty" ]; then
+   echo "The LUKSMeta slot $SLT on device $DEV is already empty." >&2
+   exit 1
+fi
+
+if [ "$active" = "active" ]; then
+    if ! cryptsetup luksKillSlot "$DEV" "$SLT" $FRC; then
+	echo "LUKSv1 slot $SLT for device $DEV couldn't be deleted"
+	exit 1
+    fi
+else
+   echo "LUKSv1 slot $SLT not present on $DEV, only LUKSMeta slot will be cleared." >&2
+   if [ -z "$FRC" ]; then
+       echo "The unbind operation will wipe a slot. This operation is unrecoverable." >&2
+       read -r -p "Do you wish to erase LUKSMeta slot $SLT on $DEV? [ynYN] " ans < /dev/tty
+       [[ "$ans" =~ ^[yY]$ ]] || exit 0
+   fi
+fi
+
+if ! luksmeta wipe -f -d "$DEV" -u "$UUID" -s "$SLT"; then
+    echo "LUKSMeta slot $SLT for device $DEV couldn't be deleted"
+    exit 1
+fi
+
+exit 0