From f7af42f39685f5c06abc6e798ec2f649703f2cd5 Mon Sep 17 00:00:00 2001
From: luc
Date: Sun, 2 Mar 2025 20:48:52 +0100
Subject: [PATCH 1/7] README.md: update installation section

---
 README.md | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/README.md b/README.md
index aa9b3f2..6c6722a 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,7 @@ A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POS
 
 ## Installation
 
-### Alpine Linux
-
-Work in progress.
-
-### Manual
-
-Zlevis can be manually installed with `meson`, after cloning the repository, setup the build directory
+Zlevis can be installed with `meson`, after cloning the repository, setup the build directory
 
 ```
 $ meson setup builddir

From 8df4ff53a954041be44a0d819ff031230404dc45 Mon Sep 17 00:00:00 2001
From: Luc
Date: Fri, 2 May 2025 20:39:52 +0200
Subject: [PATCH 2/7] src/zlevis-encrypt: bug fix

Removed bug in parsing of pcr_cfg and removed bug in policy_options parsing.
---
 src/zlevis-encrypt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index df95863..5099a65 100755
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@@ -87,7 +87,7 @@ pcr_bank="$(printf "%s" "$cfg" | jose fmt -j- -Og pcr_bank -u-)" || {
 pcr_cfg=$(printf "%s" "$cfg" | tr -d '[:space:]')
 
 # Handle both string and JSON array formats for pcr_ids
-if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(jose fmt -j- -Og pcr_ids -u- 2>/dev/null < "$tmp"/pcr_cfg)"; then
+if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids 2>/dev/null && ! pcr_ids="$(printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -u- 2>/dev/null)"; then
     # Attempt to parse as a JSON array if string parsing fails
     if printf "%s" "$pcr_cfg" | jose fmt -j- -Og pcr_ids -A 2>/dev/null; then
         # Construct a comma-separated string from the array
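Review bot: The `pcr_ids` string unwrapped on the new `if` line is accepted exactly as the config supplies it, with no check on its shape, so a value such as `7;8` or `sha256:7` flows on to wherever the PCR selection for the sealing policy is assembled (outside this hunk) and either fails late or, worse, yields a policy over a PCR set the operator did not intend. The array branch below builds a comma-separated list, so the string branch should be held to the same grammar once both paths rejoin; e.g. `case "$pcr_ids" in *[!0-9,]*|,*|*,|*,,*) echo "Invalid pcr_ids: expected comma-separated PCR indices" >&2; exit 1;; esac`. The `if` block opened here ends outside the hunk, so the natural place for that check is just after its closing `fi`.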
@@ -176,13 +176,13 @@ else
     obj_attr="$obj_attr|userwithauth"
 fi
 
-# Remove tmp_pcr_digest and tmp_pcr_policy
-rm -f "$tmp_pcr_digest" "$tmp_pcr_policy"
+# Remove tmp_pcr_digest
+rm -f "$tmp_pcr_digest"
 
 # Define and trap tmp jwk_pub and jwk_priv
 tmp_jwk_pub="/tmp/jwk_pub.$$"
 tmp_jwk_priv="/tmp/jwk_priv.$$"
-trap 'rm -f "$tmp_primary_context" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
+trap 'rm -f "$tmp_primary_context" "$tmp_pcr_policy" "$tmp_jwk_pub" "$tmp_jwk_priv"' EXIT
 
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
@@ -195,8 +195,8 @@ if [ -n "$fail" ]; then
 fi
 tpm2_flushcontext -t
 
-# Remove tmp_primary_context
-rm -f "$tmp_primary_context"
+# Remove tmp_primary_context and tmp_pcr_policy
+rm -f "$tmp_primary_context" "$tmp_pcr_policy"
 
 # Encode the JWK public and private keys in Base64
 if ! jwk_pub="$(jose b64 enc -I "$tmp_jwk_pub")"; then

From 8bf01a4a03cdcaa2f61c82d3449bb4fe0db1237b Mon Sep 17 00:00:00 2001
From: Luc
Date: Thu, 31 Jul 2025 13:45:49 +0200
Subject: [PATCH 3/7] src/zlevis-encrypt: update

Bug fix in parsing policy_options in tpm2_create.
---
 src/zlevis-encrypt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index 5099a65..d9a06ed 100755
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@@ -186,7 +186,7 @@ trap 'rm -f "$tmp_primary_context" "$tmp_pcr_policy" "$tmp_jwk_pub" "$tmp_jwk_pr
 
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
-    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
+    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "${policy_options[@]}" -i- || fail=$?;;
     *) fail=1;;
 esac
 if [ -n "$fail" ]; then
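Review bot: The `trap` line added here now owns the lifetime of four temp files, but the two it is placed under, `tmp_jwk_pub="/tmp/jwk_pub.$$"` and `tmp_jwk_priv="/tmp/jwk_priv.$$"`, are predictable names in a world-writable directory; a local user who guesses the PID can pre-create or symlink those paths before `tpm2_create` writes them, and since enrollment of a root-pool key presumably runs as root that is a symlink-following write as root plus a chance to read the wrapped blob. Create them with `mktemp` (present in busybox too), e.g. `tmp_jwk_pub="$(mktemp /tmp/jwk_pub.XXXXXX)" || exit 1` and `tmp_jwk_priv="$(mktemp /tmp/jwk_priv.XXXXXX)" || exit 1`, and keep the trap exactly as written. If `$tmp_primary_context` and `$tmp_pcr_policy` are created the same way earlier in the file (their assignments are outside this hunk), they want the same treatment.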
@@ -230,4 +230,4 @@ jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_priv" -s jwk_p
 (echo "$jwe$jwk$(/bin/cat)") | jose jwe enc -i- -k- -I- -c
 
 # Exit with the status of the last command
-exit $?
\ No newline at end of file
+exit $?

From 4a3b0583c4e1756ea0d732c84bedde90f4ee5676 Mon Sep 17 00:00:00 2001
From: Luc
Date: Thu, 31 Jul 2025 13:48:59 +0200
Subject: [PATCH 4/7] src/zlevis-decrypt: update

Silenced tpm2_unseal error when TPM is empty.
---
 src/zlevis-decrypt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/zlevis-decrypt b/src/zlevis-decrypt
index e0798b1..7cac845 100755
--- a/src/zlevis-decrypt
+++ b/src/zlevis-decrypt
@@ -122,7 +122,7 @@ rm -f "$tmp_jwk_pub" "$tmp_jwk_priv" "$tmp_primary_context"
 
 # Unseal the JWK from the TPM
 case "$tpm2tools_version" in
-    4|5) jwk="$(tpm2_unseal -c "$tmp_load_context" ${pcr_spec:+-p pcr:$pcr_spec})" || fail=$?;;
+    4|5) jwk="$(tpm2_unseal -c "$tmp_load_context" ${pcr_spec:+-p pcr:$pcr_spec} 2>/dev/null)" || fail=$?;;
     *) fail=1;;
 esac
 if [ -n "$fail" ]; then
@@ -138,4 +138,4 @@ rm -f "$tmp_load_context"
 (echo "$jwk$hdr."; /bin/cat) | jose jwe dec -k- -i-
 
 # Exit with the status of the last command
-exit $?
\ No newline at end of file
+exit $?

From cc1a1b7065d0292ceaa9cdeb9434d38b02ceef88 Mon Sep 17 00:00:00 2001
From: Luc
Date: Fri, 1 Aug 2025 20:02:36 +0200
Subject: [PATCH 5/7] README.md: update

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 6c6722a..8c7f31e 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
-# Zlevis
+# zlevis
 
 A minimal fork of [Clevis](https://github.com/latchset/clevis), rewritten in POSIX shell to accommodate automatic decryption of a ZFS root pool with TPM2.
 
 ## Installation
 
-Zlevis can be installed with `meson`, after cloning the repository, setup the build directory
+`zlevis` can be installed with `meson`, after cloning the repository, setup the build directory:
 
 ```
 $ meson setup builddir
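Review bot: The `2>/dev/null` added to the `tpm2_unseal` call discards every diagnostic, not just the "no object in the TPM" case the commit message names; a PCR policy mismatch, an auth failure or a dictionary-attack lockout now all fail silently, and for an unattended root-pool unlock a policy mismatch is precisely the signal of a changed boot chain that an operator needs to see. Keep the quiet default but make the sink overridable so the message can be recovered without editing the script: `4|5) jwk="$(tpm2_unseal -c "$tmp_load_context" ${pcr_spec:+-p pcr:$pcr_spec} 2>"${ZLEVIS_UNSEAL_LOG:-/dev/null}")" || fail=$?;;`, with a comment above the `case` such as `# tpm2_unseal stderr is discarded by default (a missing object is expected when probing); set ZLEVIS_UNSEAL_LOG to capture it`. At minimum the `if [ -n "$fail" ]` branch, whose body is outside this hunk, should report the captured exit status so the failure modes remain distinguishable.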
@@ -14,7 +14,7 @@ $ meson setup builddir
 
 > Using the `--reconfigure` flag will reconfigure the build directory.
 
-Installation of the zlevis scripts is now performed with
+Installation of the `zlevis` scripts is now performed with:
 
 ```
 # meson install -C builddir

From fb6d31b727a51c5fe2a3172b1bc396710f8f03b9 Mon Sep 17 00:00:00 2001
From: Luc
Date: Fri, 1 Aug 2025 21:16:02 +0200
Subject: [PATCH 6/7] meson.build: remove version

---
 meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meson.build b/meson.build
index 3e6f611..e8969cc 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,5 @@
 # Project definition
-project('zlevis', license: 'GPL3', version: '1')
+project('zlevis', license: 'GPL3')
 
 # Define bindir
 bindir = join_paths(get_option('prefix'), get_option('bindir'))

From d415066add315110214e73063cf7c5f64082648e Mon Sep 17 00:00:00 2001
From: Luc
Date: Fri, 1 Aug 2025 21:16:32 +0200
Subject: [PATCH 7/7] src/zlevis-encrypt: update

Reverted prior adaptation in parsing policy_options in tpm2_create due to incombatility with systems using busybox
---
 src/zlevis-encrypt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index d9a06ed..6700bbe 100755
--- a/src/zlevis-encrypt
+++ b/src/zlevis-encrypt
@@ -186,7 +186,7 @@ trap 'rm -f "$tmp_primary_context" "$tmp_pcr_policy" "$tmp_jwk_pub" "$tmp_jwk_pr
 
 # Create the TPM2 object for the JWK
 case "$tpm2tools_version" in
-    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "${policy_options[@]}" -i- || fail=$?;;
+    4|5) printf "%s" "$jwk" | tpm2_create -Q -g "$hash" -C "$tmp_primary_context" -u "$tmp_jwk_pub" -r "$tmp_jwk_priv" -a "$obj_attr" -L "$policy_options" -i- || fail=$?;;
     *) fail=1;;
 esac
 if [ -n "$fail" ]; then
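Review bot: Reverting to `-L "$policy_options"` is the right call for a `#!/bin/sh` script (the `${policy_options[@]}` form it replaces is a bash array expansion that busybox ash and dash reject outright), but the restored line still passes `-L` unconditionally, so if `policy_options` is empty when no PCR policy is configured (its assignment is outside this hunk) `tpm2_create` receives `-L ''` and fails, and if it ever holds more than one word those are handed over as a single argument. The POSIX-portable way to make the flag optional is the same idiom decrypt already uses for `-p`: `-a "$obj_attr" ${policy_options:+-L "$policy_options"} -i-`. If an empty policy is a supported configuration, note that the resulting object is then sealed to the TPM alone with no PCR binding, which deserves an explicit warning on stderr at this point rather than a silent success. The `if [ -n "$fail" ]` that follows the `case` continues outside the hunk.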