Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-25 11:50:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1467 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Tue Jul 25 11:50:04 2023 rev:5 rq:1099742 version:0.6.6 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-13 17:18:51.745228423 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1467/fde-tools.changes 2023-07-25 11:51:16.309511702 +0200 @@ -1,0 +2,16 @@ +Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to version 0.6.6 + + Avoid cleaning the temp directory when calling tpm_test + + firstboot/fde: use functions as the aliases for bootloader + functions + + firstboot/fde: always regenerate initrd + + firstboot/fde: use authorized policy by default + + Support devices other than the root partition +- Drop upstreamed patches + + fde-tools-avoid-cleaning-temp-dir.patch + + fde-tools-fix-bootloader-func.patch + + fde-tools-force-dracut.patch + + fde-tools-enable-authpol-in-firstboot.patch + +------------------------------------------------------------------- Old: ---- fde-tools-0.6.5.tar.gz fde-tools-avoid-cleaning-temp-dir.patch fde-tools-enable-authpol-in-firstboot.patch fde-tools-fix-bootloader-func.patch fde-tools-force-dracut.patch New: ---- fde-tools-0.6.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.HGhY5q/_old 2023-07-25 11:51:19.401529807 +0200 +++ /var/tmp/diff_new_pack.HGhY5q/_new 2023-07-25 11:51:19.409529853 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version: 0.6.5 +Version: 0.6.6 Release: 0 Summary: Tools required for Full Disk Encryption License: GPL-2.0-only 
@@ -26,10 +26,6 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1: fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-avoid-cleaning-temp-dir.patch -Patch2: fde-tools-fix-bootloader-func.patch -Patch3: fde-tools-force-dracut.patch -Patch4: fde-tools-enable-authpol-in-firstboot.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++++++ fde-tools-0.6.5.tar.gz -> fde-tools-0.6.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/README.md new/fde-tools-0.6.6/README.md --- old/fde-tools-0.6.5/README.md 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/README.md 2023-07-20 10:35:24.000000000 +0200 @@ -49,7 +49,7 @@ to unlock the system partition on next boot. If you do not want to be prompted for the recovery password, you can -also use either the ``--keyfile`` or the ``--password`` option to +also use either the ``--passfile`` or the ``--password`` option to specify a LUKS keyfile, or the recovery passphrase, respectively. Normally, the first boot into a freshly installed system will dispose 
@@ -138,6 +138,35 @@ _authorize_ the current system configuration. This will predict a set of PCR values, and use the RSA key to sign the resulting PCR policy. + +# Key management for the already installed systems + +For the systems with an already encrypted root partition, it is easy +to (re)generate and seal the LUKS key with ``regenerate-key``: + + # fdectl regenerate-key + +This command generates a new random secret key, seals the key with TPM, +and updates the bootloader configuration. + +To disable the TPM unsealing temporarily, ``tpm-disable`` will remove +the path to the sealed key from the boot loader configuration. + + # fdectl tpm-disable + +To restore the TPM unsealing functionality, ``tpm-enable`` will update +the sealed key if necessary and then configure the boot loader to +unlock the LUKS partition with the sealed key. + + # fdectl tpm-enable + +In case there is a need to remove the sealed LUKS key from the root +partition, ``tpm-wipe`` could help to wipe out the keyslot for the sealed +LUKS key and remove the key file: + + # fdectl tpm-wipe + + # Updates of boot components When updating components such as grub2 or the shim loader, or when 
@@ -180,3 +209,30 @@ predict PCR values based on the client's event log plus the actual hashes of the boot files used, compute the PCR policy and sign it using its key. + + +# Revocation of the authorized policies + +When a serious vulnerability is found in the boot component such +as grub2 or the shim loader, it is suggested to remove the +authorized policies associated with the affected component. However, +there is no easy way to revoke the already signed and authorized +polices. The most effective method is to replace the sealed LUKS key +with ``regenerate-key``: + + # fdectl regenerate-key + +Since the old LUKS key is replaced, all those authorized policies +against the old key are invalidated consequentially. + +# LUKS key management on devices other than the root partition + +By default, ``fdectl`` only manage the keyslots of the root partition. +To extend the key management, the extra devices(partitions) can be +specified in __/etc/sysconfig/fde-tools__ like this: + + FDE_EXTRA_DEVS="/dev/sda3 /dev/sda4" + +It requires those devices(partitions) sharing the same recovery +password as the root partition. Once the variable is set properly, +``fdectl`` will iterate the list and apply the corresponding commands. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/bash-completion/fdectl new/fde-tools-0.6.6/bash-completion/fdectl --- old/fde-tools-0.6.5/bash-completion/fdectl 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/bash-completion/fdectl 2023-07-20 10:35:24.000000000 +0200 
@@ -34,6 +34,10 @@ COMPREPLY=( $(compgen -d -- ${cur}) ) return 0 ;; + --passfile) + COMPREPLY=( $(compgen -f -- ${cur}) ) + return 0 + ;; esac opts=$( fdectl --help 2>&1 | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/fde.sh new/fde-tools-0.6.6/fde.sh --- old/fde-tools-0.6.5/fde.sh 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/fde.sh 2023-07-20 10:35:24.000000000 +0200 @@ -22,13 +22,14 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.6.3 +version=0.6.6 opt_bootloader=grub2 opt_uefi_bootdir="" opt_ui=shell opt_keyfile="" opt_password="" +opt_passfile="" ################################################################## # Display a usage message. @@ -61,6 +62,8 @@ --password Specify the LUKS recovery password. Should be used by the installer only. + --passfile + Specify the path to a LUKS recovery password file. Commands: help display this message @@ -121,7 +124,7 @@ fde_maybe_chroot "$@" -long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:" +long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:,passfile:" if ! getopt -Q -n fdectl -l "$long_options" -o h -- "$@"; then fde_usage @@ -156,6 +159,8 @@ opt_keyfile=$1; shift;; --password) opt_password=$1; shift;; + --passfile) + opt_passfile=$1; shift;; --uefi-boot-dir) opt_uefi_bootdir=$1; shift;; *) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/firstboot/fde new/fde-tools-0.6.6/firstboot/fde --- old/fde-tools-0.6.5/firstboot/fde 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/firstboot/fde 2023-07-20 10:35:24.000000000 +0200 
@@ -38,18 +38,23 @@ ################################################################## KIWI_ROOT_KEYFILE=/root/.root.keyfile -function fde_protect_tpm { - - local luks_dev=$1 - local luks_keyfile=$2 - - luks_set_random_key "${luks_dev}" "${luks_keyfile}" +################################################################## +# Aliases are not expanded in non-interactive mode. +# Set the bootloader specific functions here as aliases +################################################################## - bootloader_enable_fde_pcr_policy "${luks_keyfile}" +function bootloader_enable_fde_without_tpm { + grub_enable_fde_without_tpm "$@" +} - return $? +function bootloader_get_fde_password { + grub_get_fde_password "$@" } +################################################################## +# FDE Firstboot functions +################################################################## + function fde_protect_notpm { local luks_dev=$1 @@ -129,18 +134,12 @@ luks_reencrypt "${luks_dev}" "${pass_keyfile}" if $with_tpm; then - # Generate a random key again - luks_keyfile="/root/.root.keyfile" - luks_add_random_key "${luks_dev}" "${pass_keyfile}" "${luks_keyfile}" - - # FIXME: fde_protect_tpm should not have to change key slot key any more. - if ! fde_protect_tpm "${luks_dev}" "${luks_keyfile}"; then + if ! fdectl regenerate-key --passfile "${pass_keyfile}"; then display_errorbox "Failed to protect encrypted volume with TPM" with_tpm=false + else + systemctl enable fde-tpm-enroll.service fi - - rm -f "${luks_keyfile}" - luks_keyfile="" else # Update grub.cfg to attempt a cryptomount and ask the user for the # password 
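Review bot: The new `bootloader_enable_fde_without_tpm` and `bootloader_get_fde_password` wrappers in firstboot/fde hard-wire the grub2 backend, while share/grub2 and share/systemd-boot in this same commit select the backend through per-bootloader aliases; the header comment only explains why aliases are avoided, not that the choice of backend is now fixed. A comment above the first wrapper such as `# firstboot supports grub2 only; keep these in sync with the bootloader_* aliases in share/grub2` would record the assumption. Whether firstboot can ever run with a different `opt_bootloader` is not visible in this diff.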
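Review bot: The exit status of `systemctl enable fde-tpm-enroll.service` in the new `else` branch is discarded, so if enabling the unit fails the function carries on with `with_tpm` unchanged and no message, whereas the `fdectl regenerate-key` call one line above is checked and reported. Checking it the same way keeps the two outcomes consistent: `systemctl enable fde-tpm-enroll.service || display_errorbox "Failed to enable fde-tpm-enroll.service"`. Presumably that unit performs the TPM enrollment on the next boot, in which case a silently failed enable leaves the volume protected only by the recovery password. The enclosing function continues past the hunk.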
@@ -185,7 +184,7 @@ rm -f /etc/crypttab display_infobox "Re-creating initial ramdisk" - if ! dracut >&2; then + if ! dracut --force >&2; then display_errorbox "Failed to rebuild initrd" return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/add-secondary-key new/fde-tools-0.6.6/share/commands/add-secondary-key --- old/fde-tools-0.6.5/share/commands/add-secondary-key 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/add-secondary-key 2023-07-20 10:35:24.000000000 +0200 @@ -27,9 +27,14 @@ luks_dev="$1" + keyslots=$(bootloader_get_keyslots ${luks_dev}) + if [ -n "$FDE_ENROLL_KEY" ]; then display_errorbox "It seems you've already tried to enroll a secondary key." return 1 + elif [ -n "${keyslots}" ]; then + display_errorbox "It seems you've already enrolled a secondary key." + return 1 fi # HACK ATTACK @@ -43,34 +48,7 @@ bootloader_commit_config fi - if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then - luks_new_keyfile="$(fde_make_tempfile newkey)" - if ! init_authorized_policy || ! add_secondary_key "$luks_dev" "$luks_new_keyfile"; then - rm -f "$luks_new_keyfile" - return 1 - fi - - tpm_set_authorized_policy_paths "$FDE_AUTHORIZED_POLICY" - if ! tpm_seal_secret "$luks_new_keyfile" "$FDE_AP_SEALED_SECRET" "$FDE_AP_AUTHPOLICY"; then - display_errorbox "Failed to seal secondary LUKS key against TPM Authorized Policy" - rm -f "$luks_new_keyfile" - return 1 - fi - - rm -f "$luks_new_keyfile" - else - if [ -z "$opt_keyfile" ]; then - opt_keyfile="/etc/fde/root.key" - fi - - if ! add_secondary_key "$luks_dev" "$opt_keyfile"; then - return 1 - fi - - # Leave the keyfile around so that tpm-enable can seal it on the next reboot - echo "Leaving secondary key in $opt_keyfile" - fde_set_variable FDE_ENROLL_NEW_KEY "$opt_keyfile" - fi + enroll_tpm_secondary_key "$luks_dev" return 0 } 
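Review bot: The return status of `enroll_tpm_secondary_key "$luks_dev"` in the `@@ -43,34 +48,7 @@` hunk of add-secondary-key is dropped and the function falls through to `return 0`, whereas the inlined code it replaces returned 1 on every failure path; the command now reports success even when the key could not be added or sealed. Write it as `enroll_tpm_secondary_key "$luks_dev" || return 1`. The same unchecked call appears in the regenerate-key hunk (`@@ -25,51 +25,40 @@`), where it matters more because execution continues to `tpm_enable` and then to `bootloader_remove_keyslots` on `KEYSLOTS_OLD` and `EXTRA_KEYSLOTS_OLD`, so a failed enrollment still wipes the slots of the previously sealed key.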
@@ -103,22 +81,58 @@ luks_dev="$1" luks_new_keyfile="$2" - # FIXME: we should track somewhere whether we've already added a secondary - # key or not (eg in /etc/fde). If we have, we should refuse to add another - # key. - - if ! fde_request_recovery_password; then + luks_keyfile=$(fde_make_tempfile pass.key) + if ! fde_request_recovery_passfile "$luks_keyfile"; then display_errorbox "Unable to obtain recovery password; aborting." return 1 fi - luks_keyfile=$(luks_write_password pass "${result_password}") - if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then display_errorbox "Failed to add secondary LUKS key" rm -f "$luks_keyfile" return 1 fi + # Add the new random key to the devices in FDE_EXTRA_DEVS + for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then + rm -f "$luks_keyfile" + return 1 + fi + done + rm -f "$luks_keyfile" } + +function enroll_tpm_secondary_key { + + luks_dev="$1" + + if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then + luks_new_keyfile="$(fde_make_tempfile newkey)" + if ! init_authorized_policy || ! add_secondary_key "$luks_dev" "$luks_new_keyfile"; then + rm -f "$luks_new_keyfile" + return 1 + fi + + if ! tpm_seal_secret "$luks_new_keyfile" "$FDE_AP_SEALED_SECRET" "$FDE_AP_AUTHPOLICY"; then + display_errorbox "Failed to seal secondary LUKS key against TPM Authorized Policy" + rm -f "$luks_new_keyfile" + return 1 + fi + + rm -f "$luks_new_keyfile" + else + if [ -z "$opt_keyfile" ]; then + opt_keyfile="/etc/fde/root.key" + fi + + if ! 
add_secondary_key "$luks_dev" "$opt_keyfile"; then + return 1 + fi + + # Leave the keyfile around so that tpm-enable can seal it on the next reboot + echo "Leaving secondary key in $opt_keyfile" + fde_set_variable FDE_ENROLL_NEW_KEY "$opt_keyfile" + fi +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/add-secondary-password new/fde-tools-0.6.6/share/commands/add-secondary-password --- old/fde-tools-0.6.5/share/commands/add-secondary-password 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/add-secondary-password 2023-07-20 10:35:24.000000000 +0200 
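Review bot: In the new `FDE_EXTRA_DEVS` loop of `add_secondary_key`, a failing `luks_add_key` on one extra device returns 1 after the new key has already been added to `luks_dev` and to the earlier extra devices, leaving the devices out of step with no rollback and, unlike the root-device failure just above, no message. At minimum add `display_errorbox "Failed to add secondary LUKS key to ${extra_dev}"` before that `return 1` so the operator knows which device was left without the key. The file from `fde_make_tempfile pass.key` is also not removed when `fde_request_recovery_passfile` fails, unlike every other exit of this function; whether a caller cleans the temp directory is not visible here.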
@@ -42,26 +42,27 @@ insecure_password="$(fde_random_password)" # In order to install the new password, we need to prove to luks that - # we're worthy. Either present a keyfile or the recovery passphrase. - if [ -n "$opt_keyfile" -a -f "$opt_keyfile" ]; then - luks_add_password "$luks_dev" "$opt_keyfile" "$insecure_password" - status=$? - else - if ! fde_request_recovery_password; then - display_errorbox "Unable to obtain recovery password; aborting." - return 1 - fi - luks_keyfile=$(luks_write_password pass "${result_password}") - luks_add_password "$luks_dev" "$luks_keyfile" "$insecure_password" - status=$? - rm -f "$luks_keyfile" + # we're worthy. Either present a passfile or the recovery passphrase. + luks_keyfile=$(fde_make_tempfile pass.key) + if ! fde_request_recovery_passfile "$luks_keyfile"; then + display_errorbox "Unable to obtain recovery password; aborting." + return 1 fi - if [ "$status" -ne 0 ]; then + if ! luks_add_password "$luks_dev" "$luks_keyfile" "$insecure_password"; then display_errorbox "Failed to add firstboot password to LUKS partition" return 1 fi + for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! luks_add_password "$extra_dev" "$luks_keyfile" "$insecure_password"; then + display_errorbox "Failed to add firstboot password to LUKS partition(${extra_dev})" + return 1 + fi + done + + rm -f "$luks_keyfile" + # Write the firstboot password to the bootloader config. # We leave it to the caller to actually update the bootloader's # data in the EFI System Partition. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/regenerate-key new/fde-tools-0.6.6/share/commands/regenerate-key --- old/fde-tools-0.6.5/share/commands/regenerate-key 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/regenerate-key 2023-07-20 10:35:24.000000000 +0200 
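Review bot: `rm -f "$luks_keyfile"` only runs on the success path of add-secondary-password; the `return 1` after the root-device `luks_add_password` and the one inside the `FDE_EXTRA_DEVS` loop both leave the file holding the recovery passphrase in place, while the tpm-disable hunk in this same commit removes it before each early return. Add `rm -f "$luks_keyfile"` ahead of each `return 1`, or capture the loop status and do the removal once before checking it. The enclosing function continues past the hunk.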
@@ -25,51 +25,40 @@ function cmd_regenerate_key { luks_dev="$1" + declare -A EXTRA_KEYSLOTS_OLD # Get the current keyslots for the TPM sealed key - KEYSLOTS_TO_BE_WIPED=$(bootloader_get_keyslots ${luks_dev}) + KEYSLOTS_OLD=$(bootloader_get_keyslots ${luks_dev}) - # Create the new key to be sealed - if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then - luks_new_keyfile="$(fde_make_tempfile newkey)" - if ! init_authorized_policy || ! add_secondary_key "$luks_dev" "$luks_new_keyfile"; then - rm -f "$luks_new_keyfile" - return 1 - fi - - tpm_set_authorized_policy_paths "$FDE_AUTHORIZED_POLICY" - if ! tpm_seal_secret "$luks_new_keyfile" "$FDE_AP_SEALED_SECRET" "$FDE_AP_AUTHPOLICY"; then - display_errorbox "Failed to seal secondary LUKS key against TPM Authorized Policy" - rm -f "$luks_new_keyfile" - return 1 - fi - - rm -f "$luks_new_keyfile" - else - if [ -z "$opt_keyfile" ]; then - opt_keyfile="/etc/fde/root.key" - fi - - if ! add_secondary_key "$luks_dev" "$opt_keyfile"; then - return 1 - fi - - # Leave the keyfile around so that tpm-enable can seal it on the next reboot - echo "Leaving secondary key in $opt_keyfile" - fde_set_variable FDE_ENROLL_NEW_KEY "$opt_keyfile" - fi + # Get the current keyslots in the extra devices + for extra_dev in ${FDE_EXTRA_DEVS}; do + EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots ${extra_dev}) + done + + enroll_tpm_secondary_key "${luks_dev}" # Finish TPM key sealing tpm_enable ${luks_dev} # Remove the previous keyslot - if [ -n "${KEYSLOTS_TO_BE_WIPED}" ]; then - bootloader_remove_keyslots "${luks_dev}" "${KEYSLOTS_TO_BE_WIPED}" + if [ -n "${KEYSLOTS_OLD}" ]; then + bootloader_remove_keyslots "${luks_dev}" "${KEYSLOTS_OLD}" if [ "$?" 
-ne 0 ]; then - display_errorbox "Failed to wipe out key slots: ${KEYSLOTS_TO_BE_WIPED}" - return 1 + display_errorbox "Failed to wipe out key slots: ${KEYSLOTS_OLD}" + return 1 fi fi + # Remove the previous keyslots in the extra devices + for extra_dev in ${FDE_EXTRA_DEVS}; do + if [ -n "${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" ]; then + bootloader_remove_keyslots "${extra_dev}" "${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" + if [ "$?" -ne 0 ]; then + display_errorbox "Failed to wipe out key slots in ${extra_dev}: ${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" + return 1 + fi + fi + done + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/remove-secondary-password new/fde-tools-0.6.6/share/commands/remove-secondary-password --- old/fde-tools-0.6.5/share/commands/remove-secondary-password 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/remove-secondary-password 2023-07-20 10:35:24.000000000 +0200 @@ -44,6 +44,13 @@ return 1 fi + for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! luks_drop_key "$extra_dev" "$luks_keyfile"; then + display_errorbox "Unable to disable firstboot password(${extra_dev})" + return 1 + fi + done + ################################################################## # And finally, wipe the password from the boot loader config files. ################################################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/tpm-activate new/fde-tools-0.6.6/share/commands/tpm-activate --- old/fde-tools-0.6.5/share/commands/tpm-activate 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/tpm-activate 2023-07-20 10:35:24.000000000 +0200 
@@ -23,12 +23,15 @@ alias cmd_perform=cmd_tpm_activate function cmd_tpm_activate { - if [[ ! "$FDE_TPM_ENABLE" =~ y.* ]]; then - fde_trace "TPM key unsealing disabled" + + luks_dev="$1" + + if bootloader_check_sealed_key "${luks_dev}"; then + fde_trace "LUKS key already sealed. Skip activation." return 0 fi - if ! tpm_enable "$1"; then + if ! tpm_enable "${luks_dev}"; then return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/tpm-disable new/fde-tools-0.6.6/share/commands/tpm-disable --- old/fde-tools-0.6.5/share/commands/tpm-disable 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/tpm-disable 2023-07-20 10:35:24.000000000 +0200 
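Review bot: The `FDE_TPM_ENABLE` opt-out is removed from `cmd_tpm_activate` here and from `cmd_tpm_enable` and sysconfig.fde elsewhere in this commit, so an installed system whose /etc/sysconfig/fde-tools still carries `FDE_TPM_ENABLE=no` now has the sealed key activated on the next run with no notice; `bootloader_check_sealed_key` only skips systems that already have one. The README hunk documents `tpm-disable` as the replacement, but the changelog does not mention the variable; a line such as `- FDE_TPM_ENABLE is no longer honoured; use "fdectl tpm-disable" instead` would record the migration. Since the variable is simply gone from the template, nothing warns an administrator whose existing file still sets it.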
@@ -26,29 +26,33 @@ # Request the user to type the recovery password to prove the password is # correctly memorized, so that the user won't lock herself/himself out of # the system after reboot. - if [ -n "$opt_keyfile" -a -f "$opt_keyfile" ]; then - luks_verify_password "$luks_dev" "$opt_keyfile" - status=$? - else - if ! fde_request_recovery_password; then - display_errorbox "Unable to obtain recovery password; aborting." - return 1 - fi - luks_keyfile=$(luks_write_password pass "${result_password}") - luks_verify_password "$luks_dev" "$luks_keyfile" - status=$? - rm -f "$luks_keyfile" + luks_keyfile=$(fde_make_tempfile pass.key) + if ! fde_request_recovery_passfile "$luks_keyfile"; then + display_errorbox "Unable to obtain recovery password; aborting." + return 1 fi - if [ "$status" -ne 0 ]; then + if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then + rm -f "$luks_keyfile" display_errorbox "Failed to verify password on LUKS partition" return 1 fi - fde_set_variable FDE_TPM_ENABLE "no" + for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then + rm -f "$luks_keyfile" + display_errorbox "Failed to verify password on LUKS partition($extra_dev)" + return 1 + fi + done + + rm -f "$luks_keyfile" # Update the bootloader settings without TPM bootloader_enable_fde_without_tpm + + bootloader_remove_sealed_key + return $? } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/tpm-enable new/fde-tools-0.6.6/share/commands/tpm-enable --- old/fde-tools-0.6.5/share/commands/tpm-enable 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/tpm-enable 2023-07-20 10:35:24.000000000 +0200 
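Review bot: The status of `bootloader_enable_fde_without_tpm` is no longer what tpm-disable returns: the new `bootloader_remove_sealed_key` call sits between it and `return $?`, so a failure to rewrite the bootloader configuration is masked and the sealed key file is deleted regardless. Check the first step before deleting the key: `bootloader_enable_fde_without_tpm || return 1` followed by `bootloader_remove_sealed_key`. That ordering also guarantees the configuration never points at a key file that has already been removed.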
@@ -45,7 +45,6 @@ if tpm_enable_authorized_policy "$luks_dev"; then # ... and authorize the current system configuration. # This is what "fdectl tpm-authorize" does, inlined. - tpm_set_authorized_policy_paths "$FDE_AUTHORIZED_POLICY" bootloader_authorize_pcr_policy "$FDE_AP_SECRET_KEY" "$FDE_AP_SEALED_SECRET" st=$? fi @@ -140,12 +139,12 @@ return 1 fi else - if ! fde_request_recovery_password; then + luks_keyfile=$(fde_make_tempfile pass.key) + if ! fde_request_recovery_passfile "$luks_keyfile"; then display_errorbox "Unable to obtain recovery password; aborting." return 1 fi - luks_keyfile=$(luks_write_password pass "${result_password}") luks_new_keyfile=$(fde_make_tempfile new.key) if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then @@ -166,10 +165,6 @@ } function cmd_tpm_enable { - if [[ ! "$FDE_TPM_ENABLE" =~ y.* ]]; then - fde_set_variable FDE_TPM_ENABLE "yes" - fi - if ! tpm_enable "$1"; then return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/commands/tpm-wipe new/fde-tools-0.6.6/share/commands/tpm-wipe --- old/fde-tools-0.6.5/share/commands/tpm-wipe 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/commands/tpm-wipe 2023-07-20 10:35:24.000000000 +0200 @@ -30,11 +30,17 @@ return 1 fi - bootloader_wipe "${luks_dev}" - if [ "$?" -ne 0 ]; then + if ! bootloader_wipe "${luks_dev}"; then display_errorbox "Failed to wipe out key slots" return 1 fi + for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! bootloader_wipe "$extra_dev"; then + display_errorbox "Failed to wipe out key slots (${extra_dev})" + return 1 + fi + done + return 0 } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/grub2 new/fde-tools-0.6.6/share/grub2 --- old/fde-tools-0.6.5/share/grub2 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/grub2 2023-07-20 10:35:24.000000000 +0200 
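Review bot: `tpm_set_authorized_policy_paths "$FDE_AUTHORIZED_POLICY"` is removed immediately before `bootloader_authorize_pcr_policy "$FDE_AP_SECRET_KEY" "$FDE_AP_SEALED_SECRET"` here, and before `tpm_seal_secret` in the add-secondary-key and regenerate-key hunks, but nothing in the diff shows where the `FDE_AP_*` variables are set now; presumably `tpm_enable_authorized_policy` and `init_authorized_policy` took over that call. If so, a comment at this call site, `# FDE_AP_* paths are set by tpm_enable_authorized_policy`, would stop the next reader from re-adding it; if not, these calls run with the variables unset. The enclosing function starts outside the hunk.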
@@ -24,6 +24,8 @@ alias bootloader_enable_fde_without_tpm=grub_enable_fde_without_tpm alias bootloader_enable_fde_pcr_policy=grub_enable_fde_pcr_policy alias bootloader_enable_fde_authorized_policy=grub_enable_fde_authorized_policy +alias bootloader_check_sealed_key=grub_check_sealed_key +alias bootloader_remove_sealed_key=grub_remove_sealed_key alias bootloader_authorize_pcr_policy=grub_authorize_pcr_policy alias bootloader_set_fde_password=grub_set_fde_password alias bootloader_get_fde_password=grub_get_fde_password @@ -154,6 +156,34 @@ grub_update_early_config } +function grub_check_sealed_key { + + grub_efi_dir=$(uefi_get_current_efidir) + if [ -z "$grub_efi_dir" ]; then + return 1 + fi + + if [ -f "$grub_efi_dir/sealed.tpm" ]; then + return 0 + fi + + return 1 +} + +function grub_remove_sealed_key { + + # Remove the sealed key file in the EFI system partition + grub_efi_dir=$(uefi_get_current_efidir) + if [ -z "$grub_efi_dir" ]; then + return 1 + fi + grub_sealed_key="$grub_efi_dir/sealed.tpm" + + if [ -f "${grub_sealed_key}" ]; then + rm -f "${grub_sealed_key}" + fi +} + function grub_get_keyslots { local luks_dev=$1 @@ -192,15 +222,4 @@ local luks_dev=$1 grub_remove_keyslots ${luks_dev} - - # Remove the sealed key file in the EFI system partition - grub_efi_dir=$(uefi_get_current_efidir) - if [ -z "$grub_efi_dir" ]; then - return 1 - fi - grub_sealed_key="$grub_efi_dir/sealed.tpm" - - if [ -f ${grub_sealed_key} ]; then - rm -f "$grub_efi_dir/sealed.tpm" - fi } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/luks new/fde-tools-0.6.6/share/luks --- old/fde-tools-0.6.5/share/luks 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/luks 2023-07-20 10:35:24.000000000 +0200 
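Review bot: `grub_efi_dir` and `grub_sealed_key` in the new `grub_check_sealed_key` and `grub_remove_sealed_key` are assigned without `local`, so they leak into the calling shell; the inline code they replace in the `@@ -192,15 +222,4 @@` hunk had the same issue, but freshly written functions are the place to fix it, and `grub_get_keyslots` directly below already uses `local luks_dev=$1`. Declare them `local grub_efi_dir` and `local grub_sealed_key`. After the empty-directory check, `grub_check_sealed_key` reduces to `[ -f "$grub_efi_dir/sealed.tpm" ]`, which returns the same 0/1 as the explicit `if`/`return` pair.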
@@ -204,7 +204,7 @@ local luks_dev=$1 old_pass="$2" - display_infobox "Dropping old recovery password" + display_infobox "Dropping old recovery password (${luks_dev})" old_keyfile=$(luks_write_password oldpass "${old_pass}") if ! cryptsetup luksRemoveKey "${luks_dev}" ${old_keyfile}; then fde_trace "Warning: luksRemoveKey indicates failure" @@ -223,7 +223,7 @@ local luks_dev=$1 local luks_keyfile="$2" - display_infobox "Dropping old LUKS key" + display_infobox "Dropping old LUKS key (${luks_dev})" if ! cryptsetup luksRemoveKey "${luks_dev}" ${luks_keyfile}; then fde_trace "Warning: luksRemoveKey indicates failure" return 1 @@ -240,7 +240,7 @@ local luks_dev=$1 local luks_keyfile="$2" - display_infobox "Verifying LUKS recovery password" + display_infobox "Verifying LUKS recovery password (${luks_dev})" if ! cryptsetup open --test-passphrase --key-file "${luks_keyfile}" "${luks_dev}"; then fde_trace "Unable to open the device with the password" return 1 @@ -280,7 +280,7 @@ new_keyfile=$(luks_write_password newpass "${result_password}") if ! cryptsetup --key-file "${old_keyfile}" luksChangeKey --pbkdf "$FDE_LUKS_PBKDF" "${luks_dev}" ${new_keyfile}; then # FIXME: dialog - fde_trace "Warning: luksAddKey indicates failure" + fde_trace "Warning: luksChangeKey indicates failure" return 1 fi @@ -302,7 +302,7 @@ luks_new_password="${result_password}" fi - display_infobox "Updating LUKS password" + display_infobox "Updating LUKS password (${luks_dev})" new_keyfile=$(luks_write_password newpass "${luks_new_password}") if ! cryptsetup --key-file "${luks_keyfile}" luksAddKey --pbkdf "$FDE_LUKS_PBKDF" "${luks_dev}" ${new_keyfile}; then @@ -313,7 +313,7 @@ rm -f ${new_keyfile} } -function luks_add_random_key { +function luks_add_key { local luks_dev="$1" local luks_keyfile="$2" 
@@ -321,7 +321,10 @@ local luks_output local luks_keyslot - dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile status=none + if [ -z "$new_keyfile" ]; then + echo "Unable to obtain new key" >&2 + return 1 + fi # Note: we try to reduce the cost of PBKDF to (almost) nothing. # There's no need in slowing down this operation for a @@ -338,6 +341,18 @@ fdectl-grub-tpm2 add --key-slot ${luks_keyslot} ${luks_dev} } + +function luks_add_random_key { + + local luks_dev="$1" + local luks_keyfile="$2" + local new_keyfile="$3" + + dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile status=none + + luks_add_key ${luks_dev} ${luks_keyfile} ${new_keyfile} +} + function luks_set_random_key { local luks_dev="$1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/systemd-boot new/fde-tools-0.6.6/share/systemd-boot --- old/fde-tools-0.6.5/share/systemd-boot 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/systemd-boot 2023-07-20 10:35:24.000000000 +0200 @@ -27,9 +27,12 @@ alias bootloader_enable_fde_without_tpm=systemd_enable_fde_without_tpm alias bootloader_enable_fde_pcr_policy=systemd_enable_fde_pcr_policy alias bootloader_enable_fde_authorized_policy=systemd_enable_fde_authorized_policy +alias bootloader_check_sealed_key=systemd_check_sealed_key +alias bootloader_remove_sealed_key=systemd_remove_sealed_key alias bootloader_authorize_pcr_policy=systemd_authorize_pcr_policy alias bootloader_set_fde_password=systemd_set_fde_password alias bootloader_get_fde_password=systemd_get_fde_password +alias bootloader_commit_config=systemd_commit_config alias bootloader_get_keyslots=systemd_get_keyslots alias bootloader_remove_keyslots=systemd_remove_keyslots alias bootloader_wipe=systemd_wipe 
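Review bot: In the new `luks_add_random_key` the exit status of `dd if=/dev/random ... of=$new_keyfile` is ignored and the three arguments are passed to `luks_add_key` unquoted; if `dd` fails, `luks_add_key` is still called with a path that passes its new `-z "$new_keyfile"` check but may name an empty or truncated key file. Write it as `dd if=/dev/random bs=1 count="$FDE_KEY_SIZE_BYTES" of="$new_keyfile" status=none || return 1` followed by `luks_add_key "${luks_dev}" "${luks_keyfile}" "${new_keyfile}"`. Whether cryptsetup rejects an empty key file is not something this diff shows, so the check belongs here. If `new_keyfile` does not exist beforehand, `dd` creates it under the process umask; the `/etc/fde/root.key` path used by `enroll_tpm_secondary_key` may be such a case and is worth confirming.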
@@ -120,6 +123,31 @@ not_implemented } + +################################################################## +# This function checks whether the sealed LUKS key exists or not +################################################################## +function systemd_check_sealed_key { + + not_implemented +} + +################################################################## +# This function removes the sealed LUKS key. +################################################################## +function systemd_remove_sealed_key { + + not_implemented +} + +################################################################## +# This function implements the boot loader specific part to commit +# changes to systemd-boot configuration. +################################################################## +function systemd_commit_config { + + not_implemented +} ################################################################## # This function implements the boot loader specific part to get diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/tpm new/fde-tools-0.6.6/share/tpm --- old/fde-tools-0.6.5/share/tpm 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/tpm 2023-07-20 10:35:24.000000000 +0200 @@ -94,7 +94,6 @@ result=0 fi - fde_clean_tempdir return $result } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/share/util new/fde-tools-0.6.6/share/util --- old/fde-tools-0.6.5/share/util 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/share/util 2023-07-20 10:35:24.000000000 +0200 
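Review bot: Dropping `fde_clean_tempdir` from this return path in share/tpm means the files created with `fde_make_tempfile` elsewhere in this commit (`pass.key`, `new.key`, `newkey`, several of which hold the recovery passphrase or a fresh LUKS key) now outlive this call; the changelog says this is intended so that `tpm_test` does not wipe the directory, but the diff does not show who cleans it instead. A comment at the removed line, `# temp dir is cleaned by the top-level caller, not here`, would record where the responsibility moved, assuming such a caller exists. The enclosing function starts outside the hunk.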
@@ -49,6 +49,23 @@ return 0 } +################################################################## +# Obtain the recovery password and copy it to a file +################################################################## +function fde_request_recovery_passfile { + + outfile=$1 + + if [ -n "$opt_passfile" -a -f "$opt_passfile" ]; then + cp "$opt_passfile" "$outfile" + else + if ! fde_request_recovery_password; then + return 1 + fi + echo -n "${result_password}" > "$outfile" + fi +} + function fde_set_variable { sysconfig_set_variable /etc/sysconfig/fde-tools "$@" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/sysconfig.fde new/fde-tools-0.6.6/sysconfig.fde --- old/fde-tools-0.6.5/sysconfig.fde 2023-07-04 04:54:56.000000000 +0200 +++ new/fde-tools-0.6.6/sysconfig.fde 2023-07-20 10:35:24.000000000 +0200 @@ -25,6 +25,7 @@ # to enroll on the next reboot FDE_ENROLL_NEW_KEY="" -# Enable/disable TPM key unsealing -# Set to yes/no -FDE_TPM_ENABLE=yes +# Specify the devices to be managed by fdectl other than the root partition +# NOTE: Those devices must use the same recovery password as the one of the +# root partition. +FDE_EXTRA_DEVS=""
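Review bot: `fde_request_recovery_passfile` writes the interactively entered passphrase with `echo -n "${result_password}"`, which bash's builtin `echo` parses as options when the passphrase consists only of option letters such as `-e` or `-n`, while the `--passfile` branch copies the file byte-for-byte, trailing newline included; the two paths can therefore produce different LUKS passphrases for the same secret. Use `printf '%s' "${result_password}" > "$outfile"` and state in the `--passfile` usage text in fde.sh that the file content is used verbatim, without stripping a trailing newline. `outfile` should also be declared `local outfile=$1`, and `[ -n "$opt_passfile" -a -f "$opt_passfile" ]` reads more clearly as `[[ -n "$opt_passfile" && -f "$opt_passfile" ]]`.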