mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-06 13:17:44 +03:00
1fe6d37ea5
Quoting Richard Fontana in [1]:

  CC0 has been listed by Fedora as a 'good' license for code and content (corresponding to allowed and allowed-content under the new system). We plan to classify CC0 as allowed-content only, so that CC0 would no longer be allowed for code.

  Over a long period of time a consensus has been building in FOSS that licenses that preclude any form of patent licensing or patent forbearance cannot be considered FOSS. CC0 has a clause that says: "No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document." (The trademark side of that clause is nonproblematic from a FOSS licensing norms standpoint.) The regular Creative Commons licenses have similar clauses.

For the case of our documentation snippets, patent issues do not matter much. But it is always nicer to have a license that is considered acceptable without any further considerations. So let's change the license to the (now recommended replacement) MIT-0.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NO7KGDNL5GX3KCB7T3XTGFA3QPSUJA6R/

Using 'git blame -b' and 'git log -p --follow', I identified the following folks as having made non-trivial changes to those snippets:

  Lennart Poettering
  Tom Gundersen
  Luca Bocassi
  Zbigniew Jędrzejewski-Szmek
  Thomas Mühlbacher
  Daan De Meyer

I'll ask for confirmation in the pull request.
29 lines
1.1 KiB
Bash
# SPDX-License-Identifier: MIT-0

# Destroy any old key on the Yubikey (careful!)
ykman piv reset

# Generate a new private/public key pair on the device, store the public key in
# 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d pubkey.pem

# Create a self-signed certificate from this public key, and store it on the
# device. The "subject" should be an arbitrary user-chosen string to identify
# the token with.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem

# We don't need the public key anymore, let's remove it. Since it is not
# security sensitive we just do a regular "rm" here.
rm pubkey.pem

# Enroll the freshly initialized security token in the LUKS2 volume. Replace
# /dev/sdXn by the partition to use (e.g. /dev/sda1).
sudo systemd-cryptenroll --pkcs11-token-uri=auto /dev/sdXn

# Test: Let's run systemd-cryptsetup to test if this all worked.
sudo /usr/lib/systemd/systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto

# If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future.
sudo bash -c 'echo "mytest /dev/sdXn - pkcs11-uri=auto" >> /etc/crypttab'