Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-09-20 13:29:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and      /work/SRC/openSUSE:Factory/.fde-tools.new.16627 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fde-tools"

Wed Sep 20 13:29:05 2023 rev:10 rq:1112138 version:0.7.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes      2023-08-30 
10:23:34.654774743 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.16627/fde-tools.changes   
2023-09-20 13:31:39.263943572 +0200
@@ -1,0 +2,16 @@
+Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update to version 0.7.0
+  + firstboot: apply the grub.cfg change immediately
+  + fde-tpm-helper for bootloader RPMs to update the sealed key
+    automatically
+  + Fix the find command of 'make dist'
+  + Clean up the repo
+  + Make the system flags configurable
+  + fde-tpm-helper: specify the bootloaders in %post
+- Add two new subpackages for the bootloader RPMs to update the
+  sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros
+- Remove ExclusiveArch and set the system directories for 'make'
+  and 'make install'
+
+-------------------------------------------------------------------

Old:
----
  fde-tools-0.6.9.tar.bz2

New:
----
  fde-tools-0.7.0.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fde-tools.spec ++++++
--- /var/tmp/diff_new_pack.tC9TCY/_old  2023-09-20 13:31:40.443985847 +0200
+++ /var/tmp/diff_new_pack.tC9TCY/_new  2023-09-20 13:31:40.443985847 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           fde-tools
-Version:        0.6.9
+Version:        0.7.0
 Release:        0
 Summary:        Tools required for Full Disk Encryption
 License:        GPL-2.0-only
@@ -33,7 +33,10 @@
 Requires:       mokutil
 Requires:       pcr-oracle >= 0.4.5
 Requires:       util-linux-systemd
-ExclusiveArch:  aarch64 s390x ppc64le x86_64 riscv64
+
+%description
+This package provides several components required to support Full Disk
+Encryption.
 
 %package -n fde-firstboot
 Summary:        Full Disk Encryption for images
@@ -41,10 +44,6 @@
 Requires:       fde-tools
 Requires:       jeos-firstboot
 
-%description
-This package provides several components required to support Full Disk
-Encryption.
-
 %description -n fde-firstboot
 This package contains the scripts necessary to plug Full Disk Encryption
 into the JeOS Firstboot framework used for image based delivery of ALP.
@@ -60,14 +59,41 @@
 %description bash-completion
 Bash shell completions for fde-tools
 
+%package -n fde-tpm-helper
+Summary:        TPM helper for fde-tools
+Group:          System/Boot
+
+%description -n fde-tpm-helper
+This package contains the TPM helper script for the bootloader packages
+to update the signature in the sealed key.
+
+%package -n fde-tpm-helper-rpm-macros
+Summary:        RPM macros for fde-tools
+Group:          Development/Tools/Building
+
+%description -n fde-tpm-helper-rpm-macros
+This package contains the RPM macros for the bootloader packages to
+update the signature in the sealed key.
+
 %prep
 %autosetup -p1
 
 %build
-%make_build
+%make_build \
+       CCFLAGS="%optflags" \
+       LIBDIR="%{_libdir}" \
+       LIBEXECDIR="%{_libexecdir}" \
+       SBINDIR="%{_sbindir}" \
+       DATADIR="%{_datadir}" \
+       SYSCONFDIR="%{_sysconfdir}"
 
 %install
-%make_install
+%make_install \
+       LIBDIR="%{_libdir}" \
+       LIBEXECDIR="%{_libexecdir}" \
+       SBINDIR="%{_sbindir}" \
+       DATADIR="%{_datadir}" \
+       SYSCONFDIR="%{_sysconfdir}"
 
 mkdir -p %{buildroot}%{_fillupdir}
 mv %{buildroot}/etc/sysconfig/fde-tools 
%{buildroot}%{_fillupdir}/sysconfig.fde-tools
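Review bot: The `%make_build` call passes `CCFLAGS="%optflags"`, but the Makefile hunk in this same update defines only `CFLAGS ?= -Wall -O0 -g` and removes `CCOPT`. Unless a part of the Makefile outside the visible hunks reads `CCFLAGS`, the distribution's optimisation and hardening flags never reach the compiler, and a package that handles disk-encryption keys is built at `-O0`. Passing `CFLAGS="%{optflags}" \` instead would match the variable the Makefile consults. It is worth confirming in the build log which flags the compile lines actually show.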
@@ -92,7 +118,7 @@
 %{_sbindir}/fdectl
 %{_sbindir}/fde-token
 %{_sbindir}/fdectl-grub-tpm2
-%dir /etc/fde
+%dir %{_sysconfdir}/fde
 %{_fillupdir}/sysconfig.*
 %{_datadir}/fde
 %{_unitdir}/fde-tpm-enroll.service
@@ -108,3 +134,10 @@
 %dir %{_datadir}/jeos-firstboot/modules
 %{_datadir}/jeos-firstboot/modules/fde
 
+%files -n fde-tpm-helper
+%dir %{_libexecdir}/fde
+%{_libexecdir}/fde/fde-tpm-helper
+
+%files -n fde-tpm-helper-rpm-macros
+%config %{_sysconfdir}/rpm/macros.fde-tpm-helper
+

++++++ fde-tools-0.6.9.tar.bz2 -> fde-tools-0.7.0.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/Makefile new/fde-tools-0.7.0/Makefile
--- old/fde-tools-0.6.9/Makefile        2023-08-29 10:34:43.259726248 +0200
+++ new/fde-tools-0.7.0/Makefile        2023-09-19 07:52:51.927609722 +0200
@@ -1,20 +1,25 @@
 PKGVER         = $(shell git describe --tags)
 PKGNAME                = fde-tools-$(PKGVER)
 
-CCOPT          = -O0 -g
-LIBDIR         = /usr/lib64
-SBINDIR                = /usr/sbin
-SYSCONFIGDIR   = /etc/sysconfig
-FDE_CONFIG_DIR = /etc/fde
-FDE_SHARE_DIR  = /usr/share/fde
-FIRSTBOOTDIR   = /usr/share/jeos-firstboot
-CFLAGS         = -Wall $(CCOPT)
+CFLAGS         ?= -Wall -O0 -g
+LIBDIR         ?= /usr/lib64
+LIBEXECDIR     ?= /usr/libexec
+SBINDIR                ?= /usr/sbin
+DATADIR                ?= /usr/share
+SYSCONFDIR     ?= /etc
+SYSCONFIGDIR   = $(SYSCONFDIR)/sysconfig
+FDE_CONFIG_DIR = ${SYSCONFDIR}/fde
+FDE_SHARE_DIR  = $(DATADIR)/fde
+FIRSTBOOTDIR   = $(DATADIR)/jeos-firstboot
+FDE_HELPER_DIR = $(LIBEXECDIR)/fde
+RPM_MACRO_DIR  = /etc/rpm
 FIDO_LINK      = -lfido2 -lcrypto
 CRPYT_LINK     = -lcryptsetup -ljson-c
 TOOLS          = fde-token fdectl-grub-tpm2
 TOKEN_LINK     = -lcryptsetup
 TOKEN_ABI_PATH = cryptsetup/libcryptsetup-token.sym
 TOKEN_PLUGINS  = libcryptsetup-token-grub-tpm2.so
+TPM_HELPER     = fde-tpm-helper
 
 LIBSCRIPTS     = grub2 \
                  luks \
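Review bot: `RPM_MACRO_DIR = /etc/rpm` is the only new directory variable in this hunk that is a literal path; the others are derived from `SYSCONFDIR`, `DATADIR` or `LIBEXECDIR`. The spec lists the file as `%{_sysconfdir}/rpm/macros.fde-tpm-helper`, so a build that overrides `SYSCONFDIR` would install the macros where `%files` does not look for them. Suggest `RPM_MACRO_DIR = $(SYSCONFDIR)/rpm`. Separately, `FDE_CONFIG_DIR = ${SYSCONFDIR}/fde` uses `${}` where the neighbouring lines use `$()`. The `LIBSCRIPTS` assignment continues past the end of the hunk.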
@@ -44,8 +49,8 @@
 all:: $(TOOLS) $(SUBDIRS) $(TOKEN_PLUGINS)
 
 install:: $(TOOLS)
-       install -d $(DESTDIR)/usr/sbin
-       install -m 755 $(TOOLS) $(DESTDIR)/usr/sbin
+       install -d $(DESTDIR)$(SBINDIR)
+       install -m 755 $(TOOLS) $(DESTDIR)$(SBINDIR)
 
 install:: $(TOKEN_PLUGINS)
        install -d $(DESTDIR)/$(LIBDIR)/cryptsetup
@@ -56,12 +61,16 @@
        @cp -v firstboot/fde $(DESTDIR)$(FIRSTBOOTDIR)/modules/fde
        @mkdir -p $(DESTDIR)$(SYSCONFIGDIR)
        @cp -v sysconfig.fde $(DESTDIR)$(SYSCONFIGDIR)/fde-tools
+       @mkdir -p $(DESTDIR)$(RPM_MACRO_DIR)
+       @cp -v rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR)
        @mkdir -p $(DESTDIR)$(FDE_SHARE_DIR)
        @for name in $(LIBSCRIPTS); do \
                d=$$(dirname $$name); \
                mkdir -p $(DESTDIR)$(FDE_SHARE_DIR)/$$d; \
                cp -v share/$$name $(DESTDIR)$(FDE_SHARE_DIR)/$$d; \
        done
+       @mkdir -p $(DESTDIR)$(FDE_HELPER_DIR)/
+       @install -m 755 rpm-build/$(TPM_HELPER) 
$(DESTDIR)$(FDE_HELPER_DIR)/$(TPM_HELPER)
        @mkdir -p $(DESTDIR)$(SBINDIR)
        @install -m 555 -v fde.sh $(DESTDIR)$(SBINDIR)/fdectl
        @install -m 755 -v -d $(DESTDIR)$(FDE_CONFIG_DIR)
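Review bot: The macros file is installed with `@cp -v rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR)`, which takes its mode from the source tree and the umask, while the helper added later in the same recipe gets an explicit `install -m 755`. These macros expand into package scriptlets that run as root, so the mode should be pinned: `@install -m 644 -v rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR)/`. The new helper line also omits the `-v` that the surrounding `install` lines use. The `install::` recipe begins before this hunk and continues after it.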
@@ -98,8 +107,9 @@
 
 dist:
        mkdir -p $(PKGNAME)
-       cp -a Makefile sysconfig.fde fde.sh src share firstboot cryptsetup 
$(SUBDIRS) $(PKGNAME)
+       cp -a Makefile sysconfig.fde fde.sh src share firstboot cryptsetup 
rpm-build \
+             $(SUBDIRS) $(PKGNAME)
        sed -i "s/__VERSION__/$(PKGVER)/" $(PKGNAME)/fde.sh
-       @find $(PKGNAME) -name '.*.swp' -o -name '*.{rej,orig}' -exec rm {} \;
+       @find $(PKGNAME) \( -name '.*.swp' -o -name '*.{rej,orig}' \) -exec rm 
{} \;
        tar -cvjf $(PKGNAME).tar.bz2 $(PKGNAME)/*
        rm -rf $(PKGNAME)
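Review bot: The rewritten `find` line still cannot match patch leftovers, because `'*.{rej,orig}'` is single-quoted and `find -name` takes a glob, not a brace expansion. It only matches names that literally end in `.{rej,orig}`. The added parentheses fix the grouping for `-exec`, but `.rej` and `.orig` files would still be packed into the release tarball. Spell the alternatives out: `@find $(PKGNAME) \( -name '.*.swp' -o -name '*.rej' -o -name '*.orig' \) -exec rm {} \;`.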
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/fde.sh new/fde-tools-0.7.0/fde.sh
--- old/fde-tools-0.6.9/fde.sh  2023-08-29 10:35:01.543604657 +0200
+++ new/fde-tools-0.7.0/fde.sh  2023-09-19 07:56:12.454296022 +0200
@@ -22,7 +22,7 @@
 
 : ${SHAREDIR:=/usr/share/fde}
 
-version=0.6.9
+version=0.7.0
 
 opt_bootloader=grub2
 opt_uefi_bootdir=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/firstboot/fde 
new/fde-tools-0.7.0/firstboot/fde
--- old/fde-tools-0.6.9/firstboot/fde   2023-08-29 09:26:14.363091052 +0200
+++ new/fde-tools-0.7.0/firstboot/fde   2023-09-07 08:05:01.314932675 +0200
@@ -155,6 +155,7 @@
     # Update /boot/grub2/grub.cfg
     if test -d "/boot/writable"; then
        transactional-update grub.cfg
+       transactional-update apply
     else
        grub2-mkconfig -o /boot/grub2/grub.cfg
     fi
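Review bot: The added `transactional-update apply` runs whether or not the preceding `transactional-update grub.cfg` succeeded, as far as the visible lines show. If the first command fails, `apply` would presumably still act on whatever snapshot is currently the default, so chaining them is safer: `transactional-update grub.cfg && transactional-update apply`. The enclosing function starts and ends outside the hunk, so an errexit setting or a later status check may already cover this.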
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/rpm-build/fde-tpm-helper 
new/fde-tools-0.7.0/rpm-build/fde-tpm-helper
--- old/fde-tools-0.6.9/rpm-build/fde-tpm-helper        1970-01-01 
01:00:00.000000000 +0100
+++ new/fde-tools-0.7.0/rpm-build/fde-tpm-helper        2023-09-19 
07:52:51.927609722 +0200
@@ -0,0 +1,70 @@
+#!/bin/bash
+#
+#   Copyright (C) 2023 SUSE LLC
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software
+#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#   Written by Gary Lin <g...@suse.com>
+
+CRYPTTAB="/etc/crypttab"
+FDE_SYSCONFIG="/etc/sysconfig/fde-tools"
+GRUB2_DEFAULT="/etc/default/grub"
+FDECTL="/usr/sbin/fdectl"
+
+COMPONENTS="$@"
+
+# Exit if crypttab doesn't exist
+if [ ! -f ${CRYPTTAB} ]; then
+    exit
+fi
+
+# Exit if fde-tools is not installed
+if [ ! -f ${FDE_SYSCONFIG} -o ! -x ${FDECTL} ]; then
+    exit
+fi
+
+# Check if the system enables TPM auto-unlock
+if [ -f ${GRUB2_DEFAULT} ]; then
+    source ${GRUB2_DEFAULT}
+    # Exit if there is no sealed key for grub2
+    if [ -z "${GRUB_TPM2_SEALED_KEY}" ]; then
+       exit
+    fi
+fi
+
+source ${FDE_SYSCONFIG}
+
+# Exit if authorized policy is not enabled
+if ! [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then
+    echo "Bootloader(s) updated and authorized policy disabled."
+    echo "Please update the sealed key with 'fdectl regenerate-key'."
+    echo "Updated bootloader(s): ${COMPONENTS}"
+    exit
+fi
+
+# Exit if auto-update is not enabled
+if ! [[ "$FDE_TPM_AUTO_UPDATE" =~ y.* ]]; then
+    echo "Bootloader(s) updated and signature auto-update disabled."
+    echo "Please update the signature with 'fdectl tpm-authorize'."
+    echo "Updated bootloader(s): ${COMPONENTS}"
+    exit
+fi
+
+# TODO Compare the diff in the event log
+#      The boot components to update: ${COMPONENTS}
+
+# Update the signature in the sealed key
+echo "Update the signature due to changes in \"${COMPONENTS}\""
+${FDECTL} tpm-authorize
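Review bot: Both opt-in tests use an unanchored regex, `[[ "$FDE_TPM_AUTO_UPDATE" =~ y.* ]]` and the same for `FDE_USE_AUTHORIZED_POLICIES`, which is true for any value that merely contains a `y`. A constructed value such as `only-manual` therefore still enables automatic re-signing of the sealed key, so the switch fails open. Anchor the match, e.g. `=~ ^y`, or compare against `yes` exactly. Also, when `/etc/default/grub` does not exist the sealed-key check is skipped and the script proceeds to `${FDECTL} tpm-authorize`; a comment saying whether that fall-through is intended would help. `COMPONENTS="$@"` should be `COMPONENTS="$*"`, since the value is only used as one string.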
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/rpm-build/macros.fde-tpm-helper 
new/fde-tools-0.7.0/rpm-build/macros.fde-tpm-helper
--- old/fde-tools-0.6.9/rpm-build/macros.fde-tpm-helper 1970-01-01 
01:00:00.000000000 +0100
+++ new/fde-tools-0.7.0/rpm-build/macros.fde-tpm-helper 2023-09-19 
07:52:51.927609722 +0200
@@ -0,0 +1,16 @@
+%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper
+
+%fde_tpm_update_post() \
+mkdir -p %{_rundir}/fde-tpm-helper/ \
+touch %{_rundir}/fde-tpm-helper/update \
+for bl in %{?*}; do \
+  echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
+done \
+%nil
+
+%fde_tpm_update_posttrans() \
+if test -f %{_rundir}/fde-tpm-helper/update; then \
+  %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | 
uniq`" || : \
+  rm -f %{_rundir}/fde-tpm-helper/update \
+fi \
+%nil
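Review bot: In `%fde_tpm_update_posttrans`, `cat … | uniq` only drops adjacent duplicates, so names appended in interleaved order by several bootloader packages in one transaction still reach the helper repeated. `sort -u %{_rundir}/fde-tpm-helper/update` does what is intended and removes the `cat`. The trailing `|| :` also hides a failing helper, so a transaction in which `fdectl tpm-authorize` did not succeed finishes silently; printing a warning to stderr in that branch would keep the failure visible without aborting the transaction. In `%fde_tpm_update_post`, quote the loop variable: `echo "${bl}" >> %{_rundir}/fde-tpm-helper/update`.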
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/sysconfig.fde 
new/fde-tools-0.7.0/sysconfig.fde
--- old/fde-tools-0.6.9/sysconfig.fde   2023-07-20 10:33:48.749119029 +0200
+++ new/fde-tools-0.7.0/sysconfig.fde   2023-09-19 07:52:51.927609722 +0200
@@ -29,3 +29,8 @@
 # NOTE: Those devices must use the same recovery password as the one of the
 # root partition.
 FDE_EXTRA_DEVS=""
+
+# Configure whether to update the authorized policy in the sealed key after
+# the bootloader update
+# Set to yes/no
+FDE_TPM_AUTO_UPDATE="yes"
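Review bot: The comment on `FDE_TPM_AUTO_UPDATE` does not say what either value does in practice, and the default is `yes`. Going by the helper script in this update, `yes` makes a bootloader package update run `fdectl tpm-authorize` with no user interaction, and otherwise the helper only prints a reminder. Suggest extending the comment with `# yes: re-sign the authorized policy automatically after a bootloader update` and `# no: only print a reminder to run 'fdectl tpm-authorize'`.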
