add app-crypt/clevis packages

app-crypt/clevis/Manifest

@@ -0,0 +1,5 @@
+AUX 0001-Fixes-build-failure-with-musl-libc-pid_t-require-sys.patch 807 BLAKE2B 5e5d3d01305fa67d5cb324e5a7c84a166fd76cf013a18a2c933d3368b9adae149c181b91c481d5ed956073f286addef533de8391c1ce26de8f60d6a8f487f10a SHA512 899ca38b26ad01cdbdae846649153b96c4a1611c1fcda61927170406ac3a891cdf27bb08fd515e2246a0a38b1e82d9430ef45731c5b66b1313f25655949bb800
+AUX clevis-tpm2-tools-5.patch 5784 BLAKE2B dc7d29ce4f218ab5cb2720dceeb17966277040366d0e4eb14c5361a36d601621697218e3708959b2d70662451527ccd95a809a5d7c3aa5c9c90eb286bec9f059 SHA512 c4eda96618898da17963d3ecc3e75ea5d783af2adb597594d86dc595d7ab2a1129e9d982ddeaec8ac3432d2676a505c5348c8ff5e542924644a6aaf8db41f58c
+DIST clevis-15.tar.xz 62856 BLAKE2B 7cb4d5f10314718a32175c7cee31448b316f70545736fbf1ce37b6119111622beaae8288449a45cde87ea9113ad0266c5646c50a23e782e9fcd0ddfcca5fea5b SHA512 8a84b9e081d02742c2c718bdc8b2c834764da6ec9ad1ae5640e8af80a38c2a1ec83eeea5de7696f60f7dd8f165b3dc527290831621440b1a46459d2c8bd56918
+EBUILD clevis-15.ebuild 1036 BLAKE2B 31f757b9b02d0dcbe5473003184bd85a09df85e334171fbdddb4484f71eab1627d7e1b5fbd54914da355bbd36c808e0818268ae3b898758e8561aea47ef351e1 SHA512 4f52d04aec4f6d93829f685f96f5099e358bd0db98febcfaf692818da5c1395414177fe96622f94e7efc8c95880818be7e9671d731081498222c6e10f2b9eec4
+MISC metadata.xml 339 BLAKE2B 22a58137717e070a7569fa1bd601e07802e722f947645290fced36991e7b863ed904fa708c0fbaf16e2ad57effa252fc2f99998de695b9a7b9b35991912538bf SHA512 45d27acd78f71ac07f762282f61d167e11f0de2aeafcf03193f3d43401c19f97a72b79cc8811ba2e8ab6b15ad289aeecb00bd402cd98639f479f3b24c4ae737f

app-crypt/clevis/clevis-15.ebuild

@@ -0,0 +1,43 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson systemd
+
+DESCRIPTION="Clevis is a plugable framework for automated decryption"
+HOMEPAGE="https://latchset.github.io/"
+SRC_URI="https://github.com/latchset/${PN}/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="bash-completion dracut systemd tpm udisks"
+
+REQUIRED_USE="dracut? ( systemd )"
+
+BDEPEND="app-misc/jq
+	app-text/asciidoc"
+DEPEND="tpm? ( >=app-crypt/tpm2-tools-4.0 )
+	>=sys-fs/luksmeta-8
+	|| (
+		dev-libs/openssl:0=
+		dev-libs/libressl:0=
+	)
+	systemd? ( sys-apps/systemd )
+	net-misc/curl
+	>=dev-libs/jansson-2.10
+	>=dev-libs/jose-8
+	>=sys-fs/cryptsetup-2.0.4[pwquality]
+	dracut?	(
+		sys-kernel/dracut
+		net-analyzer/nmap[ncat]
+	)
+	udisks? ( sys-fs/udisks:2 )
+	bash-completion? ( app-shells/bash-completion )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	"${FILESDIR}"/clevis-tpm2-tools-5.patch
+	"${FILESDIR}"/0001-Fixes-build-failure-with-musl-libc-pid_t-require-sys.patch
+)

app-crypt/clevis/files/0001-Fixes-build-failure-with-musl-libc-pid_t-require-sys.patch

@@ -0,0 +1,29 @@
+From f92d4ba65f88fb8e66d07c4a43b7cb1bec1230e4 Mon Sep 17 00:00:00 2001
+From: Alexander Miroshnichenko <alex@millerson.name>
+Date: Thu, 24 Dec 2020 20:34:06 +0300
+Subject: [PATCH] Fixes build failure with musl libc: pid_t require
+ sys/types.h, respectively.
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+error: unknown type name 'pid_t'
+Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
+---
+ src/pins/sss/sss.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pins/sss/sss.h b/src/pins/sss/sss.h
+index 66a490913188..81faf791f81c 100644
+--- a/src/pins/sss/sss.h
++++ b/src/pins/sss/sss.h
+@@ -20,6 +20,7 @@
+ #pragma once
+ #include <jansson.h>
+ #include <stdint.h>
++#include <sys/types.h>
+ 
+ json_t *
+ sss_generate(size_t key_bytes, size_t threshold);
+-- 
+2.26.2
+

app-crypt/clevis/files/clevis-tpm2-tools-5.patch

@@ -0,0 +1,118 @@
+From ef76951e4486dadf41ca8085e09849466a0c7fd3 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas@gmx.de>
+Date: Wed, 11 Nov 2020 12:43:18 +0100
+Subject: [PATCH] pins/tpm2: add support for tpm2-tools 5.X
+
+tpm2-tools 5.0 consolidates all tools into a single busybox-style binary, so
+the preferred way to invoke the commands would be e.g. "tpm2 createprimary"
+instead of "tpm2_createprimary". However, compatibility symlinks tpm2_* -> tpm2
+are installed by default, so we keep the old syntax for tpm2-tools 5.0 to avoid
+creating another special case, since the option syntax has not changed (it
+should be stable since version 4).
+
+tpm2-tools 3.X is deprecated, but unfortunately still packaged by a few Linux
+distributions, so keep supporting it for now at least.
+---
+ src/pins/tpm2/clevis-decrypt-tpm2 | 12 ++++++------
+ src/pins/tpm2/clevis-encrypt-tpm2 | 16 ++++++++--------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/src/pins/tpm2/clevis-decrypt-tpm2 b/src/pins/tpm2/clevis-decrypt-tpm2
+index 83bf8f0..6226cb7 100755
+--- a/src/pins/tpm2/clevis-decrypt-tpm2
++++ b/src/pins/tpm2/clevis-decrypt-tpm2
+@@ -49,8 +49,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -135,7 +135,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -146,8 +146,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_load -Q -c "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+                  -C "$TMP"/load.context || fail=$?;;
+-    4) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
+-                 -c "$TMP"/load.context || fail=$?;;
++    4|5) tpm2_load -Q -C "$TMP"/primary.context -u "$TMP"/jwk.pub -r "$TMP"/jwk.priv \
++                   -c "$TMP"/load.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -157,7 +157,7 @@ fi
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-L $pcr_spec})" || fail=$?;;
+-    4) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
++    4|5) jwk="$(tpm2_unseal -c "$TMP"/load.context ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+diff --git a/src/pins/tpm2/clevis-encrypt-tpm2 b/src/pins/tpm2/clevis-encrypt-tpm2
+index 16d35c4..69a1126 100755
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -71,8 +71,8 @@ TPM2TOOLS_INFO="$(tpm2_createprimary -v)"
+ 
+ match='version="(.)\.'
+ [[ $TPM2TOOLS_INFO =~ $match ]] && TPM2TOOLS_VERSION="${BASH_REMATCH[1]}"
+-if [[ $TPM2TOOLS_VERSION != 3 ]] && [[ $TPM2TOOLS_VERSION != 4 ]]; then
+-    echo "The tpm2 pin requires tpm2-tools version 3 or 4" >&2
++if [[ $TPM2TOOLS_VERSION -lt 3 ]] || [[ $TPM2TOOLS_VERSION -gt 5 ]]; then
++    echo "The tpm2 pin requires a tpm2-tools version between 3 and 5" >&2
+     exit 1
+ fi
+ 
+@@ -153,7 +153,7 @@ trap 'on_exit' EXIT
+ 
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_createprimary -Q -H "$auth" -g "$hash" -G "$key" -C "$TMP"/primary.context || fail=$?;;
+-    4) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
++    4|5) tpm2_createprimary -Q -C "$auth" -g "$hash" -G "$key" -c "$TMP"/primary.context || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then
+@@ -166,7 +166,7 @@ if [ -n "$pcr_ids" ]; then
+     if [ -z "$pcr_digest" ]; then
+         case "$TPM2TOOLS_VERSION" in
+             3) tpm2_pcrlist -Q -L "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+-            4) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
++            4|5) tpm2_pcrread -Q "$pcr_bank":"$pcr_ids" -o "$TMP"/pcr.digest || fail=$?;;
+             *) fail=1;;
+         esac
+         if [ -n "$fail" ]; then
+@@ -183,8 +183,8 @@ if [ -n "$pcr_ids" ]; then
+     case "$TPM2TOOLS_VERSION" in
+         3) tpm2_createpolicy -Q -g "$hash" -P -L "$pcr_bank":"$pcr_ids" \
+                              -F "$TMP"/pcr.digest -f "$TMP"/pcr.policy || fail=$?;;
+-        4) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
+-                             -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
++        4|5) tpm2_createpolicy -Q -g "$hash" --policy-pcr -l "$pcr_bank":"$pcr_ids" \
++                               -f "$TMP"/pcr.digest -L "$TMP"/pcr.policy || fail=$?;;
+         *) fail=1;;
+     esac
+     if [ -n "$fail" ]; then
+@@ -200,8 +200,8 @@ fi
+ case "$TPM2TOOLS_VERSION" in
+     3) tpm2_create -Q -g "$hash" -G "$alg_create_key" -c "$TMP"/primary.context -u "$TMP"/jwk.pub \
+                    -r "$TMP"/jwk.priv -A "$obj_attr" "${policy_options[@]}" -I- <<< "$jwk" || fail=$?;;
+-    4) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
+-                   -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
++    4|5) tpm2_create -Q -g "$hash" -C "$TMP"/primary.context -u "$TMP"/jwk.pub \
++                     -r "$TMP"/jwk.priv -a "$obj_attr" "${policy_options[@]}" -i- <<< "$jwk" || fail=$?;;
+     *) fail=1;;
+ esac
+ if [ -n "$fail" ]; then

app-crypt/clevis/metadata.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>alex@millerson.name</email>
+		<name>Alexander Miroshnichenko</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/clevis</remote-id>
+	</upstream>
+</pkgmetadata>