stages: add clevis-luks-bind stage

Signed-off-by: Antonio Murdaca <runcom@linux.com>
2022-02-15 11:26:15 +01:00 · 2022-02-15 11:26:15 +01:00 · 25ecd12b3d
commit 25ecd12b3d
parent 5a7d3eee86
1 changed files with 78 additions and 0 deletions
--- a/stages/org.osbuild.clevis.luks-bind
+++ b/stages/org.osbuild.clevis.luks-bind
@ -0,0 +1,78 @@
+#!/usr/bin/python3
+"""
+Bind a LUKS device using the specified policy.
+
+Buildhost commands used: `clevis`, `clevis-luks`, `clevis-pin-*`.
+"""
+
+
+import os
+import subprocess
+import sys
+
+
+import osbuild.api
+
+
+SCHEMA_2 = r"""
+"devices": {
+  "type": "object",
+  "additionalProperties": true,
+  "required": ["device"],
+  "properties": {
+    "device": {
+      "type": "object",
+      "additionalProperties": true
+    }
+  }
+},
+"options": {
+  "additionalProperties": false,
+  "required": ["passphrase", "pin", "policy"],
+  "properties": {
+    "passphrase": {
+        "description": "Passphrase to unlock the container",
+        "type": "string"
+    },
+    "pin": {
+        "description": "The pin to use",
+        "type": "string"
+    },
+    "policy": {
+      "description": "Policy to use with the given pin",
+      "type": "string"
+    }
+  }
+}
+"""
+
+
+def main(devices, options):
+    device = devices["device"]
+    passphrase = options["passphrase"]
+    path = os.path.join("/dev", device["path"])
+    policy = options["policy"]
+    pin = options["pin"]
+
+    command = [
+        "clevis",
+        "luks",
+        "bind",
+        "-k-",
+        "-y",
+        "-f",
+        "-d", path, pin, policy
+    ]
+
+    # The null|sss pin need this
+    os.symlink("/proc/self/fd", "/dev/fd")
+
+    subprocess.run(command,
+                   encoding='utf-8', check=True,
+                   input=passphrase)
+
+
+if __name__ == '__main__':
+    args = osbuild.api.arguments()
+    ret = main(args["devices"], args["options"])
+    sys.exit(ret)