From 23ff2279c0d42139676fb258f2e7d09d04429f5d Mon Sep 17 00:00:00 2001
From: Alice Frosi
Date: Tue, 16 Dec 2025 08:17:53 +0100
Subject: [PATCH] Backport of arbitrary custom clevis pin in 3.5

In order to support new clevis pin, either they need to be added each time in the hardcoded list of pins or ignition can allow any name for the pin. This is required in order to enable the clevis trustee pin used for confidential clusters. The backport to 3.5 is necessary because the rust crate for ignition only support up to 3.5 config version and cannot be used with 3.6-experimental.

Signed-off-by: Alice Frosi
---
 config/v3_5/types/clevis.go | 8 +-------
 config/v3_5/types/clevis_test.go | 2 +-
 docs/release-notes.md | 2 +-
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/config/v3_5/types/clevis.go b/config/v3_5/types/clevis.go
index 68887d434..3742633dd 100644
--- a/config/v3_5/types/clevis.go
+++ b/config/v3_5/types/clevis.go
@@ -33,13 +33,7 @@ func (cu ClevisCustom) Validate(c path.ContextPath) (r report.Report) {
 if util.NilOrEmpty(cu.Pin) && util.NilOrEmpty(cu.Config) && !util.IsTrue(cu.NeedsNetwork) {
 return
 }
- if util.NotEmpty(cu.Pin) {
- switch *cu.Pin {
- case "tpm2", "tang", "sss":
- default:
- r.AddOnError(c.Append("pin"), errors.ErrUnknownClevisPin)
- }
- } else {
+ if util.NilOrEmpty(cu.Pin) {
 r.AddOnError(c.Append("pin"), errors.ErrClevisPinRequired)
 }
 if util.NilOrEmpty(cu.Config) {
diff --git a/config/v3_5/types/clevis_test.go b/config/v3_5/types/clevis_test.go
index f616868cd..81fb3b26e 100644
--- a/config/v3_5/types/clevis_test.go
+++ b/config/v3_5/types/clevis_test.go
@@ -56,7 +56,7 @@ func TestClevisCustomValidate(t *testing.T) {
 Pin: util.StrToPtr("z"),
 },
 at: path.New("", "pin"),
- out: errors.ErrUnknownClevisPin,
+ out: nil,
 },
 {
 in: ClevisCustom{
diff --git a/docs/release-notes.md b/docs/release-notes.md
index 4c0c0e7c5..7fe4e2303 100644
--- a/docs/release-notes.md
+++ b/docs/release-notes.md
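Review bot: After this hunk the only check `ClevisCustom.Validate` makes on the pin is `util.NilOrEmpty(cu.Pin)`, so a misspelled built-in such as `tmp2`, or a name containing whitespace or a path separator, now validates cleanly and would presumably surface only when clevis is invoked at provisioning time. Since arbitrary names are the intent, a cheap syntactic check on the name would keep validation useful without restoring the allow-list; it would need a new error value (placeholder name `errors.ErrInvalidClevisPinName`), and the permitted character set should be confirmed against how clevis resolves pin names. At minimum the new branch deserves a comment, e.g. `// Pin names are intentionally not restricted to a fixed list so that out-of-tree pins are accepted; existence of the pin is not checked here.` `errors.ErrUnknownClevisPin` is no longer referenced in this function; whether other spec versions still use it is not visible here. The body of `Validate` continues past the end of the hunk.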
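Review bot: The edited case in `TestClevisCustomValidate` now expects `nil` at path `pin` for `Pin: util.StrToPtr("z")`, which documents the new acceptance rule only by implication. A short comment on the case, such as `// arbitrary pin names are accepted; only a missing or empty pin is an error`, would make the intent clear to anyone who later reintroduces name validation. The table and the start of this case lie outside the hunk, so it cannot be confirmed from here whether an empty-string pin (`util.StrToPtr("")`) is already covered. If it is not, it is the one remaining failure mode for this field and should have its own case expecting `errors.ErrClevisPinRequired`.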
@@ -22,7 +22,7 @@ Starting with this release, ignition-validate binaries are signed with the ### Features -- The name for custom clevis pins is not validated by Ignition anymore, enabling the use of arbitrary custom pins _(3.6.0-exp)_ +- The name for custom clevis pins is not validated by Ignition anymore, enabling the use of arbitrary custom pins _(3.5)_ - Add NVIDIA BlueField provider ### Bug fixes