Bug#989701: buster-pu: package clevis/11-2+deb10u2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello stable release team,

for the upcoming stable point release, I've just uploaded src:clevis
("automated encryption framework") as version 11-2+deb10u2. There is
one change related to the TPM integration:

* Fix handling of TPM chips that support sha256 only

Type: upstream bug
Debian bug: https://bugs.debian.org/989648
Fixed in unstable and testing: 12-1 (February 2020)

Problem: Possibly due to a typo, the clevis-encrypt-tpm2 backend cannot
handle TPM chips that support sha256 only.

Regards,

    Christoph
diff -Nru clevis-11/debian/changelog clevis-11/debian/changelog
--- clevis-11/debian/changelog	2021-01-25 20:03:26.000000000 +0100
+++ clevis-11/debian/changelog	2021-06-09 15:59:00.000000000 +0200
@@ -1,3 +1,10 @@
+clevis (11-2+deb10u2) buster; urgency=medium
+
+  * Cherry-pick "Bugfix: set pcr_bank from pcr_bank not pcr_hash
+    field". Closes: #989648
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Wed, 09 Jun 2021 19:58:50 +0200
+
 clevis (11-2+deb10u1) buster; urgency=medium
 
   * Cherry-pick two comments to fix initramfs creation: Closes: #969361
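
Review bot: The new 11-2+deb10u2 entry only quotes the upstream commit subject, so someone reading the point-release changelog cannot tell what was broken. Consider adding the user-visible effect in the same bullet, for example that clevis-encrypt-tpm2 never read the pcr_bank setting and therefore could not be used with TPM chips that support sha256 only, as described in the request above.
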
diff -Nru clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
--- clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch	1970-01-01 01:00:00.000000000 +0100
+++ clevis-11/debian/patches/cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch	2021-06-09 15:55:44.000000000 +0200
@@ -0,0 +1,16 @@
+Subject: Bugfix: set pcr_bank from pcr_bank not pcr_hash field
+Origin: v11-5-g67fc67c <https://github.com/latchset/clevis/commit/v11-5-g67fc67c>
+Upstream-Author: Markus Linnala <markus.linnala@gmail.com>
+Date: Thu Mar 7 17:18:01 2019 +0200
+
+--- a/src/pins/tpm2/clevis-encrypt-tpm2
++++ b/src/pins/tpm2/clevis-encrypt-tpm2
+@@ -88,7 +88,7 @@
+ 
+ key=`jose fmt -j- -Og key -u- <<< "$cfg"` || key="ecc"
+ 
+-pcr_bank=`jose fmt -j- -Og pcr_hash -u- <<< "$cfg"` || pcr_bank="sha1"
++pcr_bank=`jose fmt -j- -Og pcr_bank -u- <<< "$cfg"` || pcr_bank="sha1"
+ 
+ pcr_ids=`jose fmt -j- -Og pcr_ids -u- <<< "$cfg"` || true
+ 
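
Review bot: On the changed line the fallback || pcr_bank="sha1" is kept, so a configuration that omits pcr_bank still selects the sha1 bank; on a chip that offers sha256 only, the fix helps only when the user sets pcr_bank explicitly, and that is worth stating in the changelog or documentation. With this change a bank name supplied through pcr_hash no longer influences pcr_bank, so configurations written around the old behaviour will silently fall back to sha1. The patch header has Subject, Origin, Upstream-Author and Date but no reference to Debian bug #989648; adding one would tie the cherry-pick to the report.
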
diff -Nru clevis-11/debian/patches/series clevis-11/debian/patches/series
--- clevis-11/debian/patches/series	2021-01-25 20:03:26.000000000 +0100
+++ clevis-11/debian/patches/series	2021-06-09 15:55:55.000000000 +0200
@@ -2,6 +2,7 @@
 # cherry-picked commits. Keep in upstream's chronological order
 cherry-pick/1541598788.v11-1-g1e344db.delete-remaining-references-to-the-removed-http-pin.patch
 cherry-pick/1541599937.v11-2-g3465859.install-cryptsetup-and-tpm2-pcrlist-in-the-initramfs.patch
+cherry-pick/1551971881.v11-5-g67fc67c.bugfix-set-pcr-bank-from-pcr-bank-not-pcr-hash-field.patch
 
 # local modifications
 debian.use-socat.patch
