Hello community,

here is the log from the commit of package sdbootutil for openSUSE:Factory 
checked in at 2025-07-25 17:04:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old)
 and      /work/SRC/openSUSE:Factory/.sdbootutil.new.13279 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sdbootutil"

Fri Jul 25 17:04:22 2025 rev:70 rq:1295532 version:1+git20250724.553d46c

Changes:
--------
--- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes    2025-07-23 
16:33:55.332887928 +0200
+++ /work/SRC/openSUSE:Factory/.sdbootutil.new.13279/sdbootutil.changes 
2025-07-25 17:04:55.512266592 +0200
@@ -1,0 +2,10 @@
+Thu Jul 24 11:23:01 UTC 2025 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Update to version 1+git20250724.553d46c:
+  * measure-pcr-validator: fail if the file is missing
+  * measure-pcr-validator.service: Run after initrd-root-device.target
+  * measure-pcr-validator.service: Fix failure handling
+  * Clean the default snapshot in Tumbleweed
+  * Improve volume key extraction
+
+-------------------------------------------------------------------

Old:
----
  sdbootutil-1+git20250722.bf18f3b.obscpio

New:
----
  sdbootutil-1+git20250724.553d46c.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sdbootutil.spec ++++++
--- /var/tmp/diff_new_pack.v8pS3b/_old  2025-07-25 17:04:56.432304767 +0200
+++ /var/tmp/diff_new_pack.v8pS3b/_new  2025-07-25 17:04:56.432304767 +0200
@@ -18,7 +18,7 @@
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           sdbootutil
-Version:        1+git20250722.bf18f3b
+Version:        1+git20250724.553d46c
 Release:        0
 Summary:        bootctl wrapper for BLS boot loaders
 License:        MIT

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.v8pS3b/_old  2025-07-25 17:04:56.476306593 +0200
+++ /var/tmp/diff_new_pack.v8pS3b/_new  2025-07-25 17:04:56.480306759 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/sdbootutil.git</param>
-              <param 
name="changesrevision">bf18f3b7000989738f928d5d8388025db824111b</param></service></servicedata>
+              <param 
name="changesrevision">553d46cb8f0c258ae20c5670f0afcf308355bcb5</param></service></servicedata>
 (No newline at EOF)
 

++++++ sdbootutil-1+git20250722.bf18f3b.obscpio -> 
sdbootutil-1+git20250724.553d46c.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sdbootutil-1+git20250722.bf18f3b/10-sdbootutil.snapper 
new/sdbootutil-1+git20250724.553d46c/10-sdbootutil.snapper
--- old/sdbootutil-1+git20250722.bf18f3b/10-sdbootutil.snapper  2025-07-22 
15:40:31.000000000 +0200
+++ new/sdbootutil-1+git20250724.553d46c/10-sdbootutil.snapper  2025-07-24 
13:20:16.000000000 +0200
@@ -24,7 +24,8 @@
        is_transactional && return 0
 
        /usr/bin/sdbootutil add-all-kernels "$num" || :
-       /usr/bin/sdbootutil cleanup "$num" || :
+       # In Tumblweed clean the default snapshot, not the new created
+       /usr/bin/sdbootutil cleanup || :
 }
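Review bot: The new comment above the `cleanup` call has typos and claims more than the code checks: it reads `# In Tumblweed clean the default snapshot, not the new created`, yet nothing on this path tests the distribution — the only guard visible is `is_transactional && return 0` above, so the argument-less `cleanup` runs on every non-transactional system this hook is installed on, Tumbleweed or not. I would write `# Non-transactional systems (e.g. Tumbleweed): clean up the default snapshot, not the newly created one`. The `|| :` keeps the hook best-effort, which is reasonable for a snapper hook, but it also means a failed cleanup is never reported; if that is intended, a word in the comment would make it explicit. The enclosing function starts outside the hunk.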
 
 delete_snapshot()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sdbootutil-1+git20250722.bf18f3b/measure-pcr-validator.service 
new/sdbootutil-1+git20250724.553d46c/measure-pcr-validator.service
--- old/sdbootutil-1+git20250722.bf18f3b/measure-pcr-validator.service  
2025-07-22 15:40:31.000000000 +0200
+++ new/sdbootutil-1+git20250724.553d46c/measure-pcr-validator.service  
2025-07-24 13:20:16.000000000 +0200
@@ -2,11 +2,11 @@
 Description=Validate LUKS2 devices
 DefaultDependencies=false
 
-OnFailure=systemd-halt.service
+FailureAction=poweroff-immediate
 
 Wants=cryptsetup.target
 After=cryptsetup.target
-Before=local-fs.target
+Before=initrd-root-device.target
 
 [Service]
 Type=oneshot
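Review bot: `FailureAction=poweroff-immediate` is broader than the `OnFailure=systemd-halt.service` it replaces and the unit does not say so: it fires whenever this oneshot enters the failed state, which for `measure-pcr-validator.sh` means a PCR 15 mismatch, a missing or unverifiable prediction file, and presumably any unrelated error that makes the script exit non-zero, and `poweroff-immediate` skips the orderly shutdown, so the message the script prints on the console is the only trace left. That is a defensible fail-closed choice for an initrd unit, but it deserves stating next to the directive: `# Any non-zero exit of the validator (PCR 15 mismatch, missing/invalid prediction, script error) powers off immediately; the script prints the reason on the console first`. Note also that the unit is only pulled in through `WantedBy=` in the `[Install]` section, so whether a disabled or masked unit fails open is decided by the installation rather than by this file.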
@@ -18,5 +18,5 @@
 StandardInput=tty
 
 [Install]
-# If we use RequiredBy we trigger the debug shell
-WantedBy=local-fs.target
\ No newline at end of file
+# If we use RequiredBy we trigger its OnFailure=emergency.target
+WantedBy=initrd-root-device.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sdbootutil-1+git20250722.bf18f3b/measure-pcr-validator.sh 
new/sdbootutil-1+git20250724.553d46c/measure-pcr-validator.sh
--- old/sdbootutil-1+git20250722.bf18f3b/measure-pcr-validator.sh       
2025-07-22 15:40:31.000000000 +0200
+++ new/sdbootutil-1+git20250724.553d46c/measure-pcr-validator.sh       
2025-07-24 13:20:16.000000000 +0200
@@ -5,6 +5,10 @@
 LIGHT_BLUE="\e[1;34m"
 END="\e[m"
 
+measure_pcr_crypttab() {
+       grep -q "tpm2-measure-pcr=yes" /etc/crypttab
+}
+
 get_measure_pcr_ignore() {
        (set +eu; . /lib/dracut-lib.sh; getargbool no 
measure-pcr-validator.ignore)
 }
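Review bot: `measure_pcr_crypttab` decides whether a validation failure is fatal, but `grep -q "tpm2-measure-pcr=yes" /etc/crypttab` also matches commented-out lines and any longer token starting with `yes`, and when `/etc/crypttab` is absent grep prints an error and returns non-zero, which the caller treats as "no validation". A stricter and quieter test is `grep -qsE '^[^#].*tpm2-measure-pcr=yes(,|[[:space:]]|$)' /etc/crypttab`, where `-s` (POSIX) suppresses the missing-file message. A one-line comment naming the role would help: `# True when a crypttab entry asks for the volume key to be measured into PCR 15; without one there is nothing to validate`. I cannot tell from here which crypttab is in place when this runs in the initrd, so whether a missing file should count as "no validation" should be a deliberate decision rather than a grep side effect.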
@@ -17,16 +21,6 @@
 }
 
 validate_measure_pcr() {
-       if [ -f "/var/lib/sdbootutil/measure-pcr-prediction.sha256" ] && \
-                  [ -f "/var/lib/sdbootutil/measure-pcr-public.pem" ]; then
-               if ! validate_measure_pcr_signature; then
-                       echo "Error: the signature for the prediction file is 
not valid"
-                       return 1
-               fi
-       else
-               echo "Warning: the signature for the prediction file is missing"
-       fi
-
        if [ ! -e "/sys/class/tpm/tpm0" ]; then
                echo "Error: TPM2 not found in /sys/class/tpm/tpm0"
                return 1
@@ -43,19 +37,26 @@
        return "$res"
 }
 
-# The measure-pcr-prediction file contain a list of hashes (sha1,
-# sha256, ...)
-if [ -f "/var/lib/sdbootutil/measure-pcr-prediction" ] && ! 
validate_measure_pcr; then
-       if get_measure_pcr_ignore; then
-               echo "Warning: the validation of PCR 15 failed. Continuing the 
boot process"
+exit_with_msg() {
+       local msg="$1"
+
+       if ! measure_pcr_crypttab; then
+               echo "INFO: No PCR 15 validation"
+
+               exit 0
+       elif get_measure_pcr_ignore; then
+               echo "WARNING: The validation of PCR 15 failed"
+               echo "WARNING: $msg"
+
+               exit 0
        else
-               echo "Error: the validation of PCR 15 failed"
+               echo "ERROR: the validation of PCR 15 failed"
 
                kill -SIGRTMIN+21 1
                sleep 1
                echo -ne '\n\n\a'
                echo -e 
"${WHITE}*********************************************************************${END}"
-               echo -e "${WHITE}ERROR: PCR 15 mismatch. Encrypted devices 
compromised${END}"
+               echo -e "${WHITE}ERROR: $msg${END}"
                echo -e "${WHITE}Use${END} 
'${LIGHT_BLUE}measure-pcr-validator.ignore=yes${END}' ${WHITE}in cmdline to 
bypass the check${END}"
                echo -e 
"${WHITE}*********************************************************************${END}"
                echo
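Review bot: `exit_with_msg` only consults `measure_pcr_crypttab` after a failure has already happened, so on a system without `tpm2-measure-pcr=yes` the signature and TPM checks still run in full and their result is then discarded with `INFO: No PCR 15 validation`; that decision belongs before the checks, as a top-level guard such as `measure_pcr_crypttab || { echo "INFO: No PCR 15 validation"; exit 0; }`, leaving this function with only the ignore and error branches. In the ignore branch the first line `WARNING: The validation of PCR 15 failed` is printed even when `$msg` reports a missing prediction or signature file, which is a different condition; printing just `WARNING: $msg` would be accurate. The function's error path continues past the end of the hunk.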
@@ -65,4 +66,9 @@
 
                exit 1
        fi
-fi
+}
+
+[ -f "/var/lib/sdbootutil/measure-pcr-prediction" ] || exit_with_msg "Missing 
measure-pcr-prediction file"
+[ -f "/var/lib/sdbootutil/measure-pcr-prediction.sha256" ] || exit_with_msg 
"Missing measure-pcr-prediction.sha256 signature file"
+validate_measure_pcr_signature || exit_with_msg "Signature for the prediction 
file is not valid"
+validate_measure_pcr || exit_with_msg "PCR 15 mismatch. Encrypted devices 
compromised"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sdbootutil-1+git20250722.bf18f3b/sdbootutil 
new/sdbootutil-1+git20250724.553d46c/sdbootutil
--- old/sdbootutil-1+git20250722.bf18f3b/sdbootutil     2025-07-22 
15:40:31.000000000 +0200
+++ new/sdbootutil-1+git20250724.553d46c/sdbootutil     2025-07-24 
13:20:16.000000000 +0200
@@ -2392,7 +2392,7 @@
                done < <(jq --raw-output '.[] | .options, .linux, .initrd[0]' 
"$initialentryfile")
        fi
 
-       # With secure boot, grub2-bls will make shim to extend PCR4
+       # With secure boot, grub2-bls invokes shim to extend PCR4
        if is_secure_boot; then
                # 650-kernel-efi-application.pcrlock is not part of
                # the pcrlock standards
@@ -2721,9 +2721,12 @@
                # systemd-cryptenroll ask later for the password.
                # Both passwords can appear in the keyring separated
                # by NULL
-               keyctl revoke %user:cryptenroll 2> /dev/null || true
-               keyctl reap 2> /dev/null || true
-               return 1
+               keyctl revoke %user:cryptenroll &> /dev/null || true
+               keyctl reap &> /dev/null || true
+
+               # Try one more time
+               pw="$(get_volume_password "$dev")"
+               out="$(cryptsetup luksDump --batch-mode --dump-master-key 
"$dev" <<<"$pw")" || return 1
        }
        echo "$out" | sed -n '/MK dump:/,$p' | sed -E 's/MK 
dump:|[[:blank:]]+//g' | sed -z 's/\n//g'
 }
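Review bot: The retry path calls `get_volume_password "$dev"` again after revoking `%user:cryptenroll`, but nothing in the hunk says why the second call should yield a different password than the first; if `get_volume_password` falls back to an interactive prompt once the keyring entry is gone, say so, because otherwise the second `cryptsetup luksDump` can only fail the same way. I would extend the existing comment with `# After revoking the keyring entry, get_volume_password has to obtain the password afresh (presumably by prompting); retry once with that`. Note also that `--dump-master-key` leaves the LUKS volume key in the shell variable `out` (and the passphrase in `pw`) and pushes it through `echo | sed`; that is inherent to this helper, but it must never run under `set -x`/`bash -x`, and a comment to that effect would protect the next person adding debugging. The enclosing function starts before the hunk.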

++++++ sdbootutil.obsinfo ++++++
--- /var/tmp/diff_new_pack.v8pS3b/_old  2025-07-25 17:04:56.604311904 +0200
+++ /var/tmp/diff_new_pack.v8pS3b/_new  2025-07-25 17:04:56.608312070 +0200
@@ -1,5 +1,5 @@
 name: sdbootutil
-version: 1+git20250722.bf18f3b
-mtime: 1753191631
-commit: bf18f3b7000989738f928d5d8388025db824111b
+version: 1+git20250724.553d46c
+mtime: 1753356016
+commit: 553d46cb8f0c258ae20c5670f0afcf308355bcb5
 
