Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-11-02 20:20:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Thu Nov 2 20:20:52 2023 rev:14 rq:1121560 version:0.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-24 20:06:49.661188106 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes 2023-11-02 20:20:56.510669838 +0100 @@ -1,0 +2,7 @@ +Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to version 0.7.2 + + Add help output for the command tpm-authorize + + Improve the multi-devices support + +------------------------------------------------------------------- Old: ---- fde-tools-0.7.1.tar.bz2 New: ---- fde-tools-0.7.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.dH7mAB/_old 2023-11-02 20:20:57.138692947 +0100 +++ /var/tmp/diff_new_pack.dH7mAB/_new 2023-11-02 20:20:57.142693094 +0100 @@ -17,7 +17,7 @@ Name: fde-tools -Version: 0.7.1 +Version: 0.7.2 Release: 0 Summary: Tools required for Full Disk Encryption License: GPL-2.0-only ++++++ fde-tools-0.7.1.tar.bz2 -> fde-tools-0.7.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/fde.sh new/fde-tools-0.7.2/fde.sh --- old/fde-tools-0.7.1/fde.sh 2023-10-23 07:54:57.691250724 +0200 +++ new/fde-tools-0.7.2/fde.sh 2023-11-01 08:18:03.416914490 +0100 @@ -22,7 +22,7 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.7.1 +version=0.7.2 opt_bootloader=grub2 opt_uefi_bootdir="" @@ -74,7 +74,8 @@ tpm-present check whether a TPM2 chip is present and working tpm-enable enable TPM protection tpm-disable disable TPM protection - tpm-wipe wipe out the keyslot for the sealed key + tpm-wipe wipe out the keyslot for the sealed key + tpm-authorize update the authorized pcr policy in the sealed key EOF } @@ -204,30 +205,28 @@ . "$SHAREDIR/commands/$command" if cmd_requires_luks_device; then - # Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS - FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}" - FDE_EXTRA_DEVS="" - - fsdev=$(luks_device_for_path /) - if [ ! -b "$fsdev" ]; then - fde_bad_argument "Unable to determine partition to operate on" - fi + if [ -n "${FDE_DEVS}" ]; then + luks_devices="${FDE_DEVS}" + else + fsdev=$(luks_device_for_path /) + if [ ! -b "$fsdev" ]; then + fde_bad_argument "Unable to determine partition to operate on" + fi - luks_devices=$(luks_get_volume_for_fsdev "$fsdev") - if [ -z "$luks_devices" ]; then - display_errorbox "Cannot find the underlying partition for $fsdev" - exit 1 - fi + luks_devices=$(luks_get_volume_for_fsdev "$fsdev") + if [ -z "$luks_devices" ]; then + display_errorbox "Cannot find the underlying partition for $fsdev" + exit 1 + fi - # Merge FDE_DEVS and detected devices and remove duplicate devices - luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | sed '/^$/d' | sort -u) + # Merge FDE_EXTRA_DEVS and detected devices + luks_devices="${luks_devices} ${FDE_EXTRA_DEVS}" + fi - # Extract the first device as the main root device and set others - # to FDE_EXTRA_DEVS. - luks_dev=$(head -n 1 <<<${luks_devices}) - FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices}) + # Remove the duplicate devices + luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices}" | sed '/^$/d' | sort -u) - cmd_perform "$luks_dev" + cmd_perform "$luks_devices" else cmd_perform fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/add-secondary-key new/fde-tools-0.7.2/share/commands/add-secondary-key --- old/fde-tools-0.7.1/share/commands/add-secondary-key 2023-10-23 07:54:00.911620084 +0200 +++ new/fde-tools-0.7.2/share/commands/add-secondary-key 2023-11-01 08:17:56.360959136 +0100 @@ -22,19 +22,23 @@ function cmd_add_secondary_key { - luks_dev="$1" + local luks_devices="$1" - keyslots=$(bootloader_get_keyslots ${luks_dev}) - - if [ -n "$FDE_ENROLL_KEY" ]; then + if [ -n "$FDE_ENROLL_NEW_KEY" ]; then display_errorbox "It seems you've already tried to enroll a secondary key." return 1 - elif [ -n "${keyslots}" ]; then - display_errorbox "It seems you've already enrolled a secondary key." - return 1 fi - if ! enroll_tpm_secondary_key "${luks_dev}"; then + for luks_dev in ${luks_devices}; do + keyslots=$(bootloader_get_keyslots ${luks_dev}) + + if [ -n "${keyslots}" ]; then + display_errorbox "It seems you've already enrolled a secondary key.(${luks_dev})" + return 1 + fi + done + + if ! enroll_tpm_secondary_key "${luks_devices}"; then return 1 fi @@ -70,8 +74,8 @@ function add_secondary_key { - luks_dev="$1" - luks_new_keyfile="$2" + local luks_devices="$1" + local luks_new_keyfile="$2" luks_keyfile=$(fde_make_tempfile pass.key) if ! fde_request_recovery_passfile "$luks_keyfile"; then @@ -79,33 +83,24 @@ return 1 fi - if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then - rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition" - return 1 - fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then + # Verify the recovery password on all specified LUKS partitions first + for luks_dev in ${luks_devices}; do + if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition($extra_dev)" + display_errorbox "Failed to verify password on LUKS partition (${luks_dev})" return 1 - fi + fi done - if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then - display_errorbox "Failed to add secondary LUKS key" - rm -f "$luks_keyfile" - return 1 - fi + luks_generate_random_key ${luks_new_keyfile} - # Add the new random key to the devices in FDE_EXTRA_DEVS - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then - display_errorbox "Failed to add secondary LUKS key (${extra_dev})" - rm -f "$luks_keyfile" - return 1 - fi + # Add the new random key to all specified LUKS partitions + for luks_dev in ${luks_devices}; do + if ! luks_add_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then + display_errorbox "Failed to add secondary LUKS key (${luks_dev})" + rm -f "$luks_keyfile" + return 1 + fi done rm -f "$luks_keyfile" @@ -113,11 +108,11 @@ function enroll_tpm_secondary_key { - luks_dev="$1" + local luks_devices="$1" if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then luks_new_keyfile="$(fde_make_tempfile newkey)" - if ! init_authorized_policy || ! add_secondary_key "$luks_dev" "$luks_new_keyfile"; then + if ! init_authorized_policy || ! add_secondary_key "${luks_devices}" "${luks_new_keyfile}"; then rm -f "$luks_new_keyfile" return 1 fi @@ -134,7 +129,7 @@ opt_keyfile="/etc/fde/root.key" fi - if ! add_secondary_key "$luks_dev" "$opt_keyfile"; then + if ! add_secondary_key "$luks_devices" "$opt_keyfile"; then return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/add-secondary-password new/fde-tools-0.7.2/share/commands/add-secondary-password --- old/fde-tools-0.7.1/share/commands/add-secondary-password 2023-09-07 08:05:01.314932675 +0200 +++ new/fde-tools-0.7.2/share/commands/add-secondary-password 2023-11-01 08:17:56.360959136 +0100 @@ -24,7 +24,7 @@ function add_secondary_password { - luks_dev="$1" + local luks_devices="$1" ################################################################## # Check whether we have already defined a firstboot password. If so, @@ -49,14 +49,9 @@ return 1 fi - if ! luks_add_password "$luks_dev" "$luks_keyfile" "$insecure_password"; then - display_errorbox "Failed to add firstboot password to LUKS partition" - return 1 - fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_add_password "$extra_dev" "$luks_keyfile" "$insecure_password"; then - display_errorbox "Failed to add firstboot password to LUKS partition(${extra_dev})" + for luks_dev in ${luks_devices}; do + if ! luks_add_password "$luks_dev" "$luks_keyfile" "$insecure_password"; then + display_errorbox "Failed to add firstboot password to LUKS partition(${luks_dev})" return 1 fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/passwd new/fde-tools-0.7.2/share/commands/passwd --- old/fde-tools-0.7.1/share/commands/passwd 2023-06-30 09:09:53.883602194 +0200 +++ new/fde-tools-0.7.2/share/commands/passwd 2023-11-01 08:17:56.360959136 +0100 @@ -22,7 +22,36 @@ function cmd_change_password { - luks_dev="$1" + local luks_devices="$1" - luks_change_password "$luks_dev" "" + luks_keyfile=$(fde_make_tempfile pass.key) + if ! fde_request_recovery_passfile "$luks_keyfile"; then + display_errorbox "Unable to obtain recovery password; aborting." + return 1 + fi + + for luks_dev in ${luks_devices}; do + if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then + rm -f "$luks_keyfile" + display_errorbox "Failed to verify password on LUKS partition(${luks_dev})" + return 1 + fi + done + + request_new_password "Please enter new LUKS recovery password" + if [ -z "$result_password" ]; then + display_errorbox "Unable to obtain new recovery password" + return 1 + fi + luks_new_keyfile=$(luks_write_password newpass "${result_password}") + + for luks_dev in ${luks_devices}; do + if ! luks_set_password "$luks_dev" "$luks_keyfile" "$luks_new_keyfile"; then + display_errorbox "Failed to change LUKS recovery password(${luks_dev})" + rm -f "$luks_keyfile" "$luks_new_keyfile" + return 1 + fi + done + + rm -f "$luks_keyfile" "$luks_new_keyfile" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/regenerate-key new/fde-tools-0.7.2/share/commands/regenerate-key --- old/fde-tools-0.7.1/share/commands/regenerate-key 2023-09-07 08:05:01.314932675 +0200 +++ new/fde-tools-0.7.2/share/commands/regenerate-key 2023-11-01 08:17:56.360959136 +0100 @@ -24,39 +24,27 @@ alias cmd_perform=cmd_regenerate_key function cmd_regenerate_key { - luks_dev="$1" - declare -A EXTRA_KEYSLOTS_OLD + local luks_devices="$1" + declare -A KEYSLOTS_OLD # Get the current keyslots for the TPM sealed key - KEYSLOTS_OLD=$(bootloader_get_keyslots ${luks_dev}) - - # Get the current keyslots in the extra devices - for extra_dev in ${FDE_EXTRA_DEVS}; do - EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots ${extra_dev}) + for luks_dev in ${luks_devices}; do + KEYSLOTS_OLD["${luks_dev}"]=$(bootloader_get_keyslots ${luks_dev}) done - if ! enroll_tpm_secondary_key "${luks_dev}"; then + if ! enroll_tpm_secondary_key "${luks_devices}"; then return 1 fi # Finish TPM key sealing - tpm_enable ${luks_dev} - - # Remove the previous keyslot - if [ -n "${KEYSLOTS_OLD}" ]; then - bootloader_remove_keyslots "${luks_dev}" "${KEYSLOTS_OLD}" - if [ "$?" -ne 0 ]; then - display_errorbox "Failed to wipe out key slots: ${KEYSLOTS_OLD}" - return 1 - fi - fi + tpm_enable "${luks_devices}" - # Remove the previous keyslots in the extra devices - for extra_dev in ${FDE_EXTRA_DEVS}; do - if [ -n "${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" ]; then - bootloader_remove_keyslots "${extra_dev}" "${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" + # Remove the previous keyslots + for luks_dev in ${luks_devices}; do + if [ -n "${KEYSLOTS_OLD[${luks_dev}]}" ]; then + bootloader_remove_keyslots "${luks_dev}" "${KEYSLOTS_OLD[${luks_dev}]}" if [ "$?" -ne 0 ]; then - display_errorbox "Failed to wipe out key slots in ${extra_dev}: ${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" + display_errorbox "Failed to wipe out key slots in ${luks_dev}: ${KEYSLOTS_OLD[${luks_dev}]}" return 1 fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/remove-secondary-password new/fde-tools-0.7.2/share/commands/remove-secondary-password --- old/fde-tools-0.7.1/share/commands/remove-secondary-password 2023-09-07 08:05:01.314932675 +0200 +++ new/fde-tools-0.7.2/share/commands/remove-secondary-password 2023-11-01 08:17:56.360959136 +0100 @@ -22,7 +22,7 @@ function remove_secondary_password { - luks_dev="$1" + local luks_devices="$1" ################################################################## # Check if we have stashed a key under the doormat @@ -39,16 +39,11 @@ # Nuke the LUKS header slot associated with this password ################################################################## luks_keyfile=$(luks_write_password pass "${insecure_password}") - if ! luks_drop_key "$luks_dev" "$luks_keyfile"; then - display_errorbox "Unable to disable firstboot password" - return 1 - fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_drop_key "$extra_dev" "$luks_keyfile"; then - display_errorbox "Unable to disable firstboot password(${extra_dev})" - return 1 - fi + for luks_dev in ${luks_devices}; do + if ! luks_drop_key "$luks_dev" "$luks_keyfile"; then + display_errorbox "Unable to disable firstboot password(${luks_dev})" + return 1 + fi done ################################################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-activate new/fde-tools-0.7.2/share/commands/tpm-activate --- old/fde-tools-0.7.1/share/commands/tpm-activate 2023-09-07 08:05:01.318932648 +0200 +++ new/fde-tools-0.7.2/share/commands/tpm-activate 2023-11-01 08:17:56.360959136 +0100 @@ -24,14 +24,14 @@ function cmd_tpm_activate { - luks_dev="$1" + local luks_devices="$1" - if bootloader_check_sealed_key "${luks_dev}"; then + if bootloader_check_sealed_key; then fde_trace "LUKS key already sealed. Skip activation." return 0 fi - if ! tpm_enable "${luks_dev}"; then + if ! tpm_enable "${luks_devices}"; then return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-disable new/fde-tools-0.7.2/share/commands/tpm-disable --- old/fde-tools-0.7.1/share/commands/tpm-disable 2023-09-07 08:05:01.318932648 +0200 +++ new/fde-tools-0.7.2/share/commands/tpm-disable 2023-11-01 08:17:56.360959136 +0100 @@ -21,7 +21,7 @@ alias cmd_perform=cmd_tpm_disable function tpm_disable { - luks_dev="$1" + local luks_devices="$1" # Request the user to type the recovery password to prove the password is # correctly memorized, so that the user won't lock herself/himself out of @@ -32,18 +32,12 @@ return 1 fi - if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then - rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition" - return 1 - fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then + for luks_dev in ${luks_devices}; do + if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition($extra_dev)" + display_errorbox "Failed to verify password on LUKS partition" return 1 - fi + fi done rm -f "$luks_keyfile" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-enable new/fde-tools-0.7.2/share/commands/tpm-enable --- old/fde-tools-0.7.1/share/commands/tpm-enable 2023-09-07 08:05:01.318932648 +0200 +++ new/fde-tools-0.7.2/share/commands/tpm-enable 2023-11-01 08:17:56.360959136 +0100 @@ -24,7 +24,7 @@ function tpm_enable { - luks_dev="$1" + local luks_devices="$1" st=1 @@ -32,7 +32,7 @@ # prompt on firstboot. # We must clear this before computing any PCR policies, otherwise # we end up hashing the wrong grub.cfg file - remove_secondary_password "$luks_dev" + remove_secondary_password "${luks_devices}" if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then if [ -z "$FDE_AUTHORIZED_POLICY" ]; then @@ -42,7 +42,7 @@ # Tell the boot loader about the authorized policy and the misc files # that go with it... - if tpm_enable_authorized_policy "$luks_dev"; then + if tpm_enable_authorized_policy "$luks_devices"; then # ... and authorize the current system configuration. # This is what "fdectl tpm-authorize" does, inlined. bootloader_authorize_pcr_policy "$FDE_AP_SECRET_KEY" "$FDE_AP_SEALED_SECRET" @@ -50,12 +50,12 @@ fi elif [ -n "$opt_keyfile" ]; then # We were invoked with --keyfile "/foo/bar" - tpm_enable_pcr_policy "$luks_dev" "$opt_keyfile" + tpm_enable_pcr_policy "${luks_devices}" "$opt_keyfile" st=$? elif [ -n "$FDE_ENROLL_NEW_KEY" ]; then # We're asked to enroll a secondary key. Do so, and zap the # setting in /etc/sysconfig/fde-tools - tpm_enable_pcr_policy "$luks_dev" "$FDE_ENROLL_NEW_KEY" + tpm_enable_pcr_policy "${luks_devices}" "$FDE_ENROLL_NEW_KEY" st=$? rm -vf "$FDE_ENROLL_NEW_KEY" @@ -84,7 +84,7 @@ function tpm_enable_authorized_policy { - luks_dev="$1" + local luks_devices="$1" # When we get here, the installer should already have # - created an authorized policy @@ -115,8 +115,8 @@ function tpm_enable_pcr_policy { - luks_dev="$1" - luks_keyfile="$2" + local luks_devices="$1" + local luks_keyfile="$2" if [ -n "$luks_keyfile" ]; then if [ ! -f "$luks_keyfile" ]; then @@ -124,20 +124,21 @@ return 1 fi - luks_new_keyfile=$(fde_make_tempfile new.key) - cp "$luks_keyfile" "$luks_new_keyfile" - # We consider the key compromised, because it resided on disk - even if only # for a short amount of time. It may have made its way into a btrfs snapshot, # which may hang around forever... # So what we do here is generate a new key and replace the key slot with the # compromised key with this new key. Note that the new key is created below # /dev/shm, which is an in-memory file system. - if ! luks_set_random_key "$luks_dev" "$luks_new_keyfile"; then - display_errorbox "Failed to change secondary LUKS key" - rm -f "$luks_keyfile" "$luks_new_keyfile" - return 1 - fi + luks_new_keyfile=$(fde_make_tempfile new.key) + luks_generate_random_key ${luks_new_keyfile} + for luks_dev in ${luks_devices}; do + if ! luks_set_key "$luks_dev" "$luks_keyfile" "$luks_new_keyfile"; then + display_errorbox "Failed to change secondary LUKS key(${luks_dev})" + rm -f "$luks_keyfile" "$luks_new_keyfile" + return 1 + fi + done else luks_keyfile=$(fde_make_tempfile pass.key) if ! fde_request_recovery_passfile "$luks_keyfile"; then @@ -145,33 +146,21 @@ return 1 fi - if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then - rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition" - return 1 - fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then + for luks_dev in ${luks_devices}; do + if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then rm -f "$luks_keyfile" - display_errorbox "Failed to verify password on LUKS partition($extra_dev)" + display_errorbox "Failed to verify password on LUKS partition(${luks_dev})" return 1 fi done luks_new_keyfile=$(fde_make_tempfile new.key) - if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then - display_errorbox "Failed to add secondary LUKS key" - rm -f "$luks_keyfile" "$luks_new_keyfile" - return 1 - fi - - # Add the new random key to the devices in FDE_EXTRA_DEVS - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then - display_errorbox "Failed to add secondary LUKS key (${extra_dev})" - rm -f "$luks_keyfile" + luks_generate_random_key ${luks_new_keyfile} + for luks_dev in ${luks_devices}; do + if ! luks_add_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then + display_errorbox "Failed to add secondary LUKS key(${luks_dev})" + rm -f "$luks_keyfile" "$luks_new_keyfile" return 1 fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-wipe new/fde-tools-0.7.2/share/commands/tpm-wipe --- old/fde-tools-0.7.1/share/commands/tpm-wipe 2023-09-07 08:05:01.318932648 +0200 +++ new/fde-tools-0.7.2/share/commands/tpm-wipe 2023-11-01 08:17:56.360959136 +0100 @@ -24,22 +24,17 @@ function cmd_tpm_wipe { - luks_dev="$1" + local luks_devices="$1" - if ! tpm_disable "${luks_dev}"; then + if ! tpm_disable "${luks_devices}"; then return 1 fi - if ! bootloader_wipe "${luks_dev}"; then - display_errorbox "Failed to wipe out key slots" - return 1 + for luks_dev in ${luks_devices}; do + if ! bootloader_wipe "${luks_dev}"; then + display_errorbox "Failed to wipe out key slots ${luks_dev}" + return 1 fi - - for extra_dev in ${FDE_EXTRA_DEVS}; do - if ! bootloader_wipe "$extra_dev"; then - display_errorbox "Failed to wipe out key slots (${extra_dev})" - return 1 - fi done return 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/grub2 new/fde-tools-0.7.2/share/grub2 --- old/fde-tools-0.7.1/share/grub2 2023-10-17 03:58:25.343073403 +0200 +++ new/fde-tools-0.7.2/share/grub2 2023-11-01 08:17:56.360959136 +0100 @@ -211,7 +211,7 @@ # TODO Avoid removing the non-grub-tpm2 keyslot or the last keyslot # Remove the keyslots - for slot in "${keyslots}"; do + for slot in ${keyslots}; do cryptsetup luksKillSlot -q ${luks_dev} ${slot} done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/luks new/fde-tools-0.7.2/share/luks --- old/fde-tools-0.7.1/share/luks 2023-10-23 07:54:00.911620084 +0200 +++ new/fde-tools-0.7.2/share/luks 2023-11-01 08:17:56.360959136 +0100 @@ -234,6 +234,23 @@ } ################################################################## +# Change an existing password by files +################################################################## +function luks_set_password { + local luks_dev="$1" + local luks_keyfile="$2" + local luks_new_keyfile="$3" + + display_infobox "Updating LUKS password (${luks_dev})" + + if ! cryptsetup --key-file "${luks_keyfile}" luksChangeKey --pbkdf "$FDE_LUKS_PBKDF" "${luks_dev}" ${luks_new_keyfile}; then + # FIXME: dialog + fde_trace "Warning: luksChangeKey indicates failure" + return 1 + fi +} + +################################################################## # Change an existing password # This function uses request_new_password to prompt the user for # the new password. @@ -258,13 +275,10 @@ return 1 fi - display_infobox "Updating LUKS recovery password" - old_keyfile=$(luks_write_password oldpass "${luks_old_password}") new_keyfile=$(luks_write_password newpass "${result_password}") - if ! cryptsetup --key-file "${old_keyfile}" luksChangeKey --pbkdf "$FDE_LUKS_PBKDF" "${luks_dev}" ${new_keyfile}; then - # FIXME: dialog - fde_trace "Warning: luksChangeKey indicates failure" + if ! luks_set_password "${luks_dev}" "${old_keyfile}" "${new_keyfile}"; then + rm -f ${new_keyfile} ${old_keyfile} return 1 fi @@ -325,6 +339,11 @@ fdectl-grub-tpm2 add --key-slot ${luks_keyslot} ${luks_dev} } +function luks_generate_random_key { + local new_keyfile="$1" + + dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile status=none +} function luks_add_random_key { @@ -332,18 +351,16 @@ local luks_keyfile="$2" local new_keyfile="$3" - dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile status=none + luks_generate_random_key ${new_keyfile} luks_add_key ${luks_dev} ${luks_keyfile} ${new_keyfile} } -function luks_set_random_key { +function luks_set_key { local luks_dev="$1" local luks_keyfile="$2" - - new_keyfile=/dev/shm/new.keyfile - dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile status=none + local new_keyfile="$3" # Note: we try to reduce the cost of PBKDF to (almost) nothing. # There's no need in slowing down this operation for a @@ -351,6 +368,16 @@ cryptsetup --key-file "${luks_keyfile}" luksChangeKey \ --pbkdf "$FDE_LUKS_PBKDF" --pbkdf-force-iterations 1000 \ $luks_dev $new_keyfile +} + +function luks_set_random_key { + local luks_dev="$1" + local luks_keyfile="$2" + + new_keyfile=/dev/shm/new.keyfile + luks_generate_random_key ${new_keyfile} + + luks_set_key ${luks_dev} ${luks_keyfile} ${new_keyfile} ret=$? cp $new_keyfile "${luks_keyfile}"