Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-09-20 13:29:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.16627 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Wed Sep 20 13:29:05 2023 rev:10 rq:1112138 version:0.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-08-30 10:23:34.654774743 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.16627/fde-tools.changes 2023-09-20 13:31:39.263943572 +0200 @@ -1,0 +2,16 @@ +Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to version 0.7.0 + + firstboot: apply the grub.cfg change immediately + + fde-tpm-helper for bootloader RPMs to update the sealed key + automatically + + Fix the find command of 'make dist' + + Clean up the repo + + Make the system flags configurable + + fde-tpm-helper: specify the bootloaders in %post +- Add two new subpackages for the bootloader RPMs to update the + sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros +- Remove ExclusiveArch and set the system directories for 'make' + and 'make install' + +------------------------------------------------------------------- Old: ---- fde-tools-0.6.9.tar.bz2 New: ---- fde-tools-0.7.0.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.tC9TCY/_old 2023-09-20 13:31:40.443985847 +0200 +++ /var/tmp/diff_new_pack.tC9TCY/_new 2023-09-20 13:31:40.443985847 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version: 0.6.9 +Version: 0.7.0 Release: 0 Summary: Tools required for Full Disk Encryption License: GPL-2.0-only @@ -33,7 +33,10 @@ Requires: mokutil Requires: pcr-oracle >= 0.4.5 Requires: util-linux-systemd -ExclusiveArch: aarch64 s390x ppc64le x86_64 riscv64 + +%description +This package provides several components required to support Full Disk +Encryption. %package -n fde-firstboot Summary: Full Disk Encryption for images 
@@ -41,10 +44,6 @@ Requires: fde-tools Requires: jeos-firstboot -%description -This package provides several components required to support Full Disk -Encryption. - %description -n fde-firstboot This package contains the scripts necessary to plug Full Disk Encryption into the JeOS Firstboot framework used for image based delivery of ALP. @@ -60,14 +59,41 @@ %description bash-completion Bash shell completions for fde-tools +%package -n fde-tpm-helper +Summary: TPM helper for fde-tools +Group: System/Boot + +%description -n fde-tpm-helper +This package contains the TPM helper script for the bootloader packages +to update the signature in the sealed key. + +%package -n fde-tpm-helper-rpm-macros +Summary: RPM macros for fde-tools +Group: Development/Tools/Building + +%description -n fde-tpm-helper-rpm-macros +This package contains the RPM macros for the bootloader packages to +update the signature in the sealed key. + %prep %autosetup -p1 %build -%make_build +%make_build \ + CCFLAGS="%optflags" \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" %install -%make_install +%make_install \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" mkdir -p %{buildroot}%{_fillupdir} mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools @@ -92,7 +118,7 @@ %{_sbindir}/fdectl %{_sbindir}/fde-token %{_sbindir}/fdectl-grub-tpm2 -%dir /etc/fde +%dir %{_sysconfdir}/fde %{_fillupdir}/sysconfig.* %{_datadir}/fde %{_unitdir}/fde-tpm-enroll.service 
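Review bot: `CCFLAGS="%optflags"` in the new %build invocation is never read: the Makefile shipped in this tarball defines `CFLAGS ?= -Wall -O0 -g` and none of the visible Makefile hunks references CCFLAGS, so the distribution's %optflags (which normally carry the hardening options) do not reach the compiler and fde-token and fdectl-grub-tpm2 are built with `-O0 -g`. Passing `CFLAGS="%optflags"` is honoured by the `?=` default; it then also replaces `-Wall`, so the Makefile may want to keep mandatory flags outside CFLAGS. The unchanged `mv %{buildroot}/etc/sysconfig/fde-tools …` line still hard-codes `/etc` although SYSCONFDIR is now passed to make; `%{buildroot}%{_sysconfdir}/sysconfig/fde-tools` keeps the two in step.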
@@ -108,3 +134,10 @@ %dir %{_datadir}/jeos-firstboot/modules %{_datadir}/jeos-firstboot/modules/fde +%files -n fde-tpm-helper +%dir %{_libexecdir}/fde +%{_libexecdir}/fde/fde-tpm-helper + +%files -n fde-tpm-helper-rpm-macros +%config %{_sysconfdir}/rpm/macros.fde-tpm-helper + ++++++ fde-tools-0.6.9.tar.bz2 -> fde-tools-0.7.0.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/Makefile new/fde-tools-0.7.0/Makefile --- old/fde-tools-0.6.9/Makefile 2023-08-29 10:34:43.259726248 +0200 +++ new/fde-tools-0.7.0/Makefile 2023-09-19 07:52:51.927609722 +0200 @@ -1,20 +1,25 @@ PKGVER = $(shell git describe --tags) PKGNAME = fde-tools-$(PKGVER) -CCOPT = -O0 -g -LIBDIR = /usr/lib64 -SBINDIR = /usr/sbin -SYSCONFIGDIR = /etc/sysconfig -FDE_CONFIG_DIR = /etc/fde -FDE_SHARE_DIR = /usr/share/fde -FIRSTBOOTDIR = /usr/share/jeos-firstboot -CFLAGS = -Wall $(CCOPT) +CFLAGS ?= -Wall -O0 -g +LIBDIR ?= /usr/lib64 +LIBEXECDIR ?= /usr/libexec +SBINDIR ?= /usr/sbin +DATADIR ?= /usr/share +SYSCONFDIR ?= /etc +SYSCONFIGDIR = $(SYSCONFDIR)/sysconfig +FDE_CONFIG_DIR = ${SYSCONFDIR}/fde +FDE_SHARE_DIR = $(DATADIR)/fde +FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot +FDE_HELPER_DIR = $(LIBEXECDIR)/fde +RPM_MACRO_DIR = /etc/rpm FIDO_LINK = -lfido2 -lcrypto CRPYT_LINK = -lcryptsetup -ljson-c TOOLS = fde-token fdectl-grub-tpm2 TOKEN_LINK = -lcryptsetup TOKEN_ABI_PATH = cryptsetup/libcryptsetup-token.sym TOKEN_PLUGINS = libcryptsetup-token-grub-tpm2.so +TPM_HELPER = fde-tpm-helper LIBSCRIPTS = grub2 \ luks \ @@ -44,8 +49,8 @@ all:: $(TOOLS) $(SUBDIRS) $(TOKEN_PLUGINS) install:: $(TOOLS) - install -d $(DESTDIR)/usr/sbin - install -m 755 $(TOOLS) $(DESTDIR)/usr/sbin + install -d $(DESTDIR)$(SBINDIR) + install -m 755 $(TOOLS) $(DESTDIR)$(SBINDIR) install:: $(TOKEN_PLUGINS) install -d $(DESTDIR)/$(LIBDIR)/cryptsetup 
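Review bot: `RPM_MACRO_DIR = /etc/rpm` stays hard-coded while every other install path in this hunk now derives from an overridable prefix variable; the spec's %files lists the macro file under `%{_sysconfdir}/rpm`, so a build with a non-default SYSCONFDIR installs it where the package does not look. `RPM_MACRO_DIR ?= $(SYSCONFDIR)/rpm` fixes that and can be passed from the spec like the other directories. Minor style: `FDE_CONFIG_DIR = ${SYSCONFDIR}/fde` uses `${}` while the neighbouring lines use `$()`. Also note that `CFLAGS ?= -Wall -O0 -g` drops `-Wall` entirely whenever a packager supplies CFLAGS; keeping required flags in a separate variable avoids that.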
@@ -56,12 +61,16 @@ @cp -v firstboot/fde $(DESTDIR)$(FIRSTBOOTDIR)/modules/fde @mkdir -p $(DESTDIR)$(SYSCONFIGDIR) @cp -v sysconfig.fde $(DESTDIR)$(SYSCONFIGDIR)/fde-tools + @mkdir -p $(DESTDIR)$(RPM_MACRO_DIR) + @cp -v rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR) @mkdir -p $(DESTDIR)$(FDE_SHARE_DIR) @for name in $(LIBSCRIPTS); do \ d=$$(dirname $$name); \ mkdir -p $(DESTDIR)$(FDE_SHARE_DIR)/$$d; \ cp -v share/$$name $(DESTDIR)$(FDE_SHARE_DIR)/$$d; \ done + @mkdir -p $(DESTDIR)$(FDE_HELPER_DIR)/ + @install -m 755 rpm-build/$(TPM_HELPER) $(DESTDIR)$(FDE_HELPER_DIR)/$(TPM_HELPER) @mkdir -p $(DESTDIR)$(SBINDIR) @install -m 555 -v fde.sh $(DESTDIR)$(SBINDIR)/fdectl @install -m 755 -v -d $(DESTDIR)$(FDE_CONFIG_DIR) @@ -98,8 +107,9 @@ dist: mkdir -p $(PKGNAME) - cp -a Makefile sysconfig.fde fde.sh src share firstboot cryptsetup $(SUBDIRS) $(PKGNAME) + cp -a Makefile sysconfig.fde fde.sh src share firstboot cryptsetup rpm-build \ + $(SUBDIRS) $(PKGNAME) sed -i "s/__VERSION__/$(PKGVER)/" $(PKGNAME)/fde.sh - @find $(PKGNAME) -name '.*.swp' -o -name '*.{rej,orig}' -exec rm {} \; + @find $(PKGNAME) \( -name '.*.swp' -o -name '*.{rej,orig}' \) -exec rm {} \; tar -cvjf $(PKGNAME).tar.bz2 $(PKGNAME)/* rm -rf $(PKGNAME) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/fde.sh new/fde-tools-0.7.0/fde.sh --- old/fde-tools-0.6.9/fde.sh 2023-08-29 10:35:01.543604657 +0200 +++ new/fde-tools-0.7.0/fde.sh 2023-09-19 07:56:12.454296022 +0200 @@ -22,7 +22,7 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.6.9 +version=0.7.0 opt_bootloader=grub2 opt_uefi_bootdir="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/firstboot/fde new/fde-tools-0.7.0/firstboot/fde --- old/fde-tools-0.6.9/firstboot/fde 2023-08-29 09:26:14.363091052 +0200 +++ new/fde-tools-0.7.0/firstboot/fde 2023-09-07 08:05:01.314932675 +0200 
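Review bot: The new `@cp -v rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR)` installs the macro file with whatever mode it has in the checkout, while the helper a few lines below is installed with an explicit `install -m 755`; `install -m 644 rpm-build/macros.fde-tpm-helper $(DESTDIR)$(RPM_MACRO_DIR)/` makes the installed mode independent of the source tree, consistent with the other install lines. The install:: rule these lines belong to starts before the hunk.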
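Review bot: The regrouped find still uses `-name '*.{rej,orig}'`, and find's -name takes a glob, not a brace expansion (the single quotes also keep the shell from expanding it), so `*.rej` and `*.orig` leftovers are still packed into the dist tarball; the working predicate is `\( -name '.*.swp' -o -name '*.rej' -o -name '*.orig' \)`. With that in place, `-delete` is a simpler replacement for `-exec rm {} \;`. The `@` prefix hides the command line in exactly the case where seeing it helps, when it fails.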
@@ -155,6 +155,7 @@
 # Update /boot/grub2/grub.cfg
 if test -d "/boot/writable"; then
 transactional-update grub.cfg
+ transactional-update apply
 else
 grub2-mkconfig -o /boot/grub2/grub.cfg
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/rpm-build/fde-tpm-helper new/fde-tools-0.7.0/rpm-build/fde-tpm-helper
--- old/fde-tools-0.6.9/rpm-build/fde-tpm-helper 1970-01-01 01:00:00.000000000 +0100
+++ new/fde-tools-0.7.0/rpm-build/fde-tpm-helper 2023-09-19 07:52:51.927609722 +0200
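Review bot: `transactional-update apply` runs unconditionally after `transactional-update grub.cfg`, so when the grub.cfg step fails the latest snapshot is still applied to the running system without the regenerated configuration; `transactional-update grub.cfg && transactional-update apply` ties the apply to a successful regeneration, unless the surrounding code already runs under `set -e`, which is not visible here. The function containing this `if` starts and ends outside the hunk.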
@@ -0,0 +1,70 @@
+#!/bin/bash
+#
+# Copyright (C) 2023 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Written by Gary Lin <g...@suse.com>
+
+CRYPTTAB="/etc/crypttab"
+FDE_SYSCONFIG="/etc/sysconfig/fde-tools"
+GRUB2_DEFAULT="/etc/default/grub"
+FDECTL="/usr/sbin/fdectl"
+
+COMPONENTS="$@"
+
+# Exit if crypttab doesn't exist
+if [ ! -f ${CRYPTTAB} ]; then
+ exit
+fi
+
+# Exit if fde-tools is not installed
+if [ ! -f ${FDE_SYSCONFIG} -o ! -x ${FDECTL} ]; then
+ exit
+fi
+
+# Check if the system enables TPM auto-unlock
+if [ -f ${GRUB2_DEFAULT} ]; then
+ source ${GRUB2_DEFAULT}
+ # Exit if there is no sealed key for grub2
+ if [ -z "${GRUB_TPM2_SEALED_KEY}" ]; then
+ exit
+ fi
+fi
+
+source ${FDE_SYSCONFIG}
+
+# Exit if authorized policy is not enabled
+if ! [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then
+ echo "Bootloader(s) updated and authorized policy disabled."
+ echo "Please update the sealed key with 'fdectl regenerate-key'."
+ echo "Updated bootloader(s): ${COMPONENTS}"
+ exit
+fi
+
+# Exit if auto-update is not enabled
+if ! [[ "$FDE_TPM_AUTO_UPDATE" =~ y.* ]]; then
+ echo "Bootloader(s) updated and signature auto-update disabled."
+ echo "Please update the signature with 'fdectl tpm-authorize'."
+ echo "Updated bootloader(s): ${COMPONENTS}"
+ exit
+fi
+
+# TODO Compare the diff in the event log
+# The boot components to update: ${COMPONENTS}
+
+# Update the signature in the sealed key
+echo "Update the signature due to changes in \"${COMPONENTS}\""
+${FDECTL} tpm-authorize
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/rpm-build/macros.fde-tpm-helper new/fde-tools-0.7.0/rpm-build/macros.fde-tpm-helper
--- old/fde-tools-0.6.9/rpm-build/macros.fde-tpm-helper 1970-01-01 01:00:00.000000000 +0100
+++ new/fde-tools-0.7.0/rpm-build/macros.fde-tpm-helper 2023-09-19 07:52:51.927609722 +0200
@@ -0,0 +1,16 @@
+%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper
+
+%fde_tpm_update_post() \
+mkdir -p %{_rundir}/fde-tpm-helper/ \
+touch %{_rundir}/fde-tpm-helper/update \
+for bl in %{?*}; do \
+ echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
+done \
+%nil
+
+%fde_tpm_update_posttrans() \
+if test -f %{_rundir}/fde-tpm-helper/update; then \
+ %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \
+ rm -f %{_rundir}/fde-tpm-helper/update \
+fi \
+%nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/sysconfig.fde new/fde-tools-0.7.0/sysconfig.fde
--- old/fde-tools-0.6.9/sysconfig.fde 2023-07-20 10:33:48.749119029 +0200
+++ new/fde-tools-0.7.0/sysconfig.fde 2023-09-19 07:52:51.927609722 +0200
@@ -29,3 +29,8 @@
 # NOTE: Those devices must use the same recovery password as the one of the
 # root partition.
 FDE_EXTRA_DEVS=""
+
+# Configure whether to update the authorized policy in the sealed key after
+# the bootloader update
+# Set to yes/no
+FDE_TPM_AUTO_UPDATE="yes"
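Review bot: The two enable checks `[[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]` and `[[ "$FDE_TPM_AUTO_UPDATE" =~ y.* ]]` are unanchored, so any value containing the letter y anywhere counts as enabled (sysconfig.fde documents the values as yes/no) and the script proceeds to `fdectl tpm-authorize`; anchor them, e.g. `[[ "$FDE_TPM_AUTO_UPDATE" =~ ^[Yy] ]]`, or use a `case` on yes/no, and align with whatever test fde.sh applies to FDE_USE_AUTHORIZED_POLICIES if it differs. Separately, the sealed-key check only runs when /etc/default/grub exists, so a missing file falls through to the re-authorization; if that is not intended for setups without grub2, treat the missing file like an empty GRUB_TPM2_SEALED_KEY and exit. `[ … -o … ]` is obsolescent in POSIX test; two `[ ]` tests joined with `||` are the portable form.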
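Review bot: `cat … | uniq` in %fde_tpm_update_posttrans only collapses adjacent duplicates, and the update file is appended to by each package's %post in transaction order, so a bootloader named by two packages can still appear twice in the list handed to the helper; `sort -u %{_rundir}/fde-tpm-helper/update` is the deduplicating form and drops the extra cat. The `|| :` means a failed re-authorization never fails the scriptlet, which is the usual choice for posttrans, but it leaves the helper's own messages as the only signal that the sealed key is now out of step with the installed bootloader; a comment above the macro such as `# Best effort: a failed update is reported by the helper's output, not by rpm` makes that explicit for packagers using it.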
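Review bot: The new comment says "Set to yes/no" but does not tell the reader what the setting does when off, or that it only takes effect once FDE_USE_AUTHORIZED_POLICIES is enabled, since the helper exits before reading FDE_TPM_AUTO_UPDATE otherwise. A line such as `# When set to no, run 'fdectl tpm-authorize' manually after a bootloader update; only effective with FDE_USE_AUTHORIZED_POLICIES` would make the trade-off visible to the administrator choosing the value.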