Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package fde-tools for openSUSE:Factory
checked in at 2023-11-02 20:20:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
and /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools"
Thu Nov 2 20:20:52 2023 rev:14 rq:1121560 version:0.7.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-24
20:06:49.661188106 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes
2023-11-02 20:20:56.510669838 +0100
@@ -1,0 +2,7 @@
+Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update to version 0.7.2
+ + Add help output for the command tpm-authorize
+ + Improve the multi-devices support
+
+-------------------------------------------------------------------
Old:
----
fde-tools-0.7.1.tar.bz2
New:
----
fde-tools-0.7.2.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ fde-tools.spec ++++++
--- /var/tmp/diff_new_pack.dH7mAB/_old 2023-11-02 20:20:57.138692947 +0100
+++ /var/tmp/diff_new_pack.dH7mAB/_new 2023-11-02 20:20:57.142693094 +0100
@@ -17,7 +17,7 @@
Name: fde-tools
-Version: 0.7.1
+Version: 0.7.2
Release: 0
Summary: Tools required for Full Disk Encryption
License: GPL-2.0-only
++++++ fde-tools-0.7.1.tar.bz2 -> fde-tools-0.7.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/fde.sh new/fde-tools-0.7.2/fde.sh
--- old/fde-tools-0.7.1/fde.sh 2023-10-23 07:54:57.691250724 +0200
+++ new/fde-tools-0.7.2/fde.sh 2023-11-01 08:18:03.416914490 +0100
@@ -22,7 +22,7 @@
: ${SHAREDIR:=/usr/share/fde}
-version=0.7.1
+version=0.7.2
opt_bootloader=grub2
opt_uefi_bootdir=""
@@ -74,7 +74,8 @@
tpm-present check whether a TPM2 chip is present and working
tpm-enable enable TPM protection
tpm-disable disable TPM protection
- tpm-wipe wipe out the keyslot for the sealed key
+ tpm-wipe wipe out the keyslot for the sealed key
+ tpm-authorize update the authorized pcr policy in the sealed
key
EOF
}
@@ -204,30 +205,28 @@
. "$SHAREDIR/commands/$command"
if cmd_requires_luks_device; then
- # Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS
- FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}"
- FDE_EXTRA_DEVS=""
-
- fsdev=$(luks_device_for_path /)
- if [ ! -b "$fsdev" ]; then
- fde_bad_argument "Unable to determine partition to operate on"
- fi
+ if [ -n "${FDE_DEVS}" ]; then
+ luks_devices="${FDE_DEVS}"
+ else
+ fsdev=$(luks_device_for_path /)
+ if [ ! -b "$fsdev" ]; then
+ fde_bad_argument "Unable to determine partition to operate on"
+ fi
- luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
- if [ -z "$luks_devices" ]; then
- display_errorbox "Cannot find the underlying partition for $fsdev"
- exit 1
- fi
+ luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
+ if [ -z "$luks_devices" ]; then
+ display_errorbox "Cannot find the underlying partition for $fsdev"
+ exit 1
+ fi
- # Merge FDE_DEVS and detected devices and remove duplicate devices
- luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" |
sed '/^$/d' | sort -u)
+ # Merge FDE_EXTRA_DEVS and detected devices
+ luks_devices="${luks_devices} ${FDE_EXTRA_DEVS}"
+ fi
- # Extract the first device as the main root device and set others
- # to FDE_EXTRA_DEVS.
- luks_dev=$(head -n 1 <<<${luks_devices})
- FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices})
+ # Remove the duplicate devices
+ luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices}" | sed '/^$/d' |
sort -u)
- cmd_perform "$luks_dev"
+ cmd_perform "$luks_devices"
else
cmd_perform
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/add-secondary-key
new/fde-tools-0.7.2/share/commands/add-secondary-key
--- old/fde-tools-0.7.1/share/commands/add-secondary-key 2023-10-23
07:54:00.911620084 +0200
+++ new/fde-tools-0.7.2/share/commands/add-secondary-key 2023-11-01
08:17:56.360959136 +0100
@@ -22,19 +22,23 @@
function cmd_add_secondary_key {
- luks_dev="$1"
+ local luks_devices="$1"
- keyslots=$(bootloader_get_keyslots ${luks_dev})
-
- if [ -n "$FDE_ENROLL_KEY" ]; then
+ if [ -n "$FDE_ENROLL_NEW_KEY" ]; then
display_errorbox "It seems you've already tried to enroll a secondary
key."
return 1
- elif [ -n "${keyslots}" ]; then
- display_errorbox "It seems you've already enrolled a secondary key."
- return 1
fi
- if ! enroll_tpm_secondary_key "${luks_dev}"; then
+ for luks_dev in ${luks_devices}; do
+ keyslots=$(bootloader_get_keyslots ${luks_dev})
+
+ if [ -n "${keyslots}" ]; then
+ display_errorbox "It seems you've already enrolled a secondary
key.(${luks_dev})"
+ return 1
+ fi
+ done
+
+ if ! enroll_tpm_secondary_key "${luks_devices}"; then
return 1
fi
@@ -70,8 +74,8 @@
function add_secondary_key {
- luks_dev="$1"
- luks_new_keyfile="$2"
+ local luks_devices="$1"
+ local luks_new_keyfile="$2"
luks_keyfile=$(fde_make_tempfile pass.key)
if ! fde_request_recovery_passfile "$luks_keyfile"; then
@@ -79,33 +83,24 @@
return 1
fi
- if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
- rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS partition"
- return 1
- fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+ # Verify the recovery password on all specified LUKS partitions first
+ for luks_dev in ${luks_devices}; do
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS
partition($extra_dev)"
+ display_errorbox "Failed to verify password on LUKS partition
(${luks_dev})"
return 1
- fi
+ fi
done
- if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}"
"${luks_new_keyfile}"; then
- display_errorbox "Failed to add secondary LUKS key"
- rm -f "$luks_keyfile"
- return 1
- fi
+ luks_generate_random_key ${luks_new_keyfile}
- # Add the new random key to the devices in FDE_EXTRA_DEVS
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile";
then
- display_errorbox "Failed to add secondary LUKS key (${extra_dev})"
- rm -f "$luks_keyfile"
- return 1
- fi
+ # Add the new random key to all specified LUKS partitions
+ for luks_dev in ${luks_devices}; do
+ if ! luks_add_key "${luks_dev}" "${luks_keyfile}"
"${luks_new_keyfile}"; then
+ display_errorbox "Failed to add secondary LUKS key (${luks_dev})"
+ rm -f "$luks_keyfile"
+ return 1
+ fi
done
rm -f "$luks_keyfile"
@@ -113,11 +108,11 @@
function enroll_tpm_secondary_key {
- luks_dev="$1"
+ local luks_devices="$1"
if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then
luks_new_keyfile="$(fde_make_tempfile newkey)"
- if ! init_authorized_policy || ! add_secondary_key "$luks_dev"
"$luks_new_keyfile"; then
+ if ! init_authorized_policy || ! add_secondary_key "${luks_devices}"
"${luks_new_keyfile}"; then
rm -f "$luks_new_keyfile"
return 1
fi
@@ -134,7 +129,7 @@
opt_keyfile="/etc/fde/root.key"
fi
- if ! add_secondary_key "$luks_dev" "$opt_keyfile"; then
+ if ! add_secondary_key "$luks_devices" "$opt_keyfile"; then
return 1
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fde-tools-0.7.1/share/commands/add-secondary-password
new/fde-tools-0.7.2/share/commands/add-secondary-password
--- old/fde-tools-0.7.1/share/commands/add-secondary-password 2023-09-07
08:05:01.314932675 +0200
+++ new/fde-tools-0.7.2/share/commands/add-secondary-password 2023-11-01
08:17:56.360959136 +0100
@@ -24,7 +24,7 @@
function add_secondary_password {
- luks_dev="$1"
+ local luks_devices="$1"
##################################################################
# Check whether we have already defined a firstboot password. If so,
@@ -49,14 +49,9 @@
return 1
fi
- if ! luks_add_password "$luks_dev" "$luks_keyfile" "$insecure_password";
then
- display_errorbox "Failed to add firstboot password to LUKS partition"
- return 1
- fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_add_password "$extra_dev" "$luks_keyfile"
"$insecure_password"; then
- display_errorbox "Failed to add firstboot password to LUKS
partition(${extra_dev})"
+ for luks_dev in ${luks_devices}; do
+ if ! luks_add_password "$luks_dev" "$luks_keyfile"
"$insecure_password"; then
+ display_errorbox "Failed to add firstboot password to LUKS
partition(${luks_dev})"
return 1
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/passwd
new/fde-tools-0.7.2/share/commands/passwd
--- old/fde-tools-0.7.1/share/commands/passwd 2023-06-30 09:09:53.883602194
+0200
+++ new/fde-tools-0.7.2/share/commands/passwd 2023-11-01 08:17:56.360959136
+0100
@@ -22,7 +22,36 @@
function cmd_change_password {
- luks_dev="$1"
+ local luks_devices="$1"
- luks_change_password "$luks_dev" ""
+ luks_keyfile=$(fde_make_tempfile pass.key)
+ if ! fde_request_recovery_passfile "$luks_keyfile"; then
+ display_errorbox "Unable to obtain recovery password; aborting."
+ return 1
+ fi
+
+ for luks_dev in ${luks_devices}; do
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
+ rm -f "$luks_keyfile"
+ display_errorbox "Failed to verify password on LUKS
partition(${luks_dev})"
+ return 1
+ fi
+ done
+
+ request_new_password "Please enter new LUKS recovery password"
+ if [ -z "$result_password" ]; then
+ display_errorbox "Unable to obtain new recovery password"
+ return 1
+ fi
+ luks_new_keyfile=$(luks_write_password newpass "${result_password}")
+
+ for luks_dev in ${luks_devices}; do
+ if ! luks_set_password "$luks_dev" "$luks_keyfile" "$luks_new_keyfile";
then
+ display_errorbox "Failed to change LUKS recovery
password(${luks_dev})"
+ rm -f "$luks_keyfile" "$luks_new_keyfile"
+ return 1
+ fi
+ done
+
+ rm -f "$luks_keyfile" "$luks_new_keyfile"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/regenerate-key
new/fde-tools-0.7.2/share/commands/regenerate-key
--- old/fde-tools-0.7.1/share/commands/regenerate-key 2023-09-07
08:05:01.314932675 +0200
+++ new/fde-tools-0.7.2/share/commands/regenerate-key 2023-11-01
08:17:56.360959136 +0100
@@ -24,39 +24,27 @@
alias cmd_perform=cmd_regenerate_key
function cmd_regenerate_key {
- luks_dev="$1"
- declare -A EXTRA_KEYSLOTS_OLD
+ local luks_devices="$1"
+ declare -A KEYSLOTS_OLD
# Get the current keyslots for the TPM sealed key
- KEYSLOTS_OLD=$(bootloader_get_keyslots ${luks_dev})
-
- # Get the current keyslots in the extra devices
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots
${extra_dev})
+ for luks_dev in ${luks_devices}; do
+ KEYSLOTS_OLD["${luks_dev}"]=$(bootloader_get_keyslots ${luks_dev})
done
- if ! enroll_tpm_secondary_key "${luks_dev}"; then
+ if ! enroll_tpm_secondary_key "${luks_devices}"; then
return 1
fi
# Finish TPM key sealing
- tpm_enable ${luks_dev}
-
- # Remove the previous keyslot
- if [ -n "${KEYSLOTS_OLD}" ]; then
- bootloader_remove_keyslots "${luks_dev}" "${KEYSLOTS_OLD}"
- if [ "$?" -ne 0 ]; then
- display_errorbox "Failed to wipe out key slots: ${KEYSLOTS_OLD}"
- return 1
- fi
- fi
+ tpm_enable "${luks_devices}"
- # Remove the previous keyslots in the extra devices
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if [ -n "${EXTRA_KEYSLOTS_OLD[${extra_dev}]}" ]; then
- bootloader_remove_keyslots "${extra_dev}"
"${EXTRA_KEYSLOTS_OLD[${extra_dev}]}"
+ # Remove the previous keyslots
+ for luks_dev in ${luks_devices}; do
+ if [ -n "${KEYSLOTS_OLD[${luks_dev}]}" ]; then
+ bootloader_remove_keyslots "${luks_dev}"
"${KEYSLOTS_OLD[${luks_dev}]}"
if [ "$?" -ne 0 ]; then
- display_errorbox "Failed to wipe out key slots in
${extra_dev}: ${EXTRA_KEYSLOTS_OLD[${extra_dev}]}"
+ display_errorbox "Failed to wipe out key slots in ${luks_dev}:
${KEYSLOTS_OLD[${luks_dev}]}"
return 1
fi
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fde-tools-0.7.1/share/commands/remove-secondary-password
new/fde-tools-0.7.2/share/commands/remove-secondary-password
--- old/fde-tools-0.7.1/share/commands/remove-secondary-password
2023-09-07 08:05:01.314932675 +0200
+++ new/fde-tools-0.7.2/share/commands/remove-secondary-password
2023-11-01 08:17:56.360959136 +0100
@@ -22,7 +22,7 @@
function remove_secondary_password {
- luks_dev="$1"
+ local luks_devices="$1"
##################################################################
# Check if we have stashed a key under the doormat
@@ -39,16 +39,11 @@
# Nuke the LUKS header slot associated with this password
##################################################################
luks_keyfile=$(luks_write_password pass "${insecure_password}")
- if ! luks_drop_key "$luks_dev" "$luks_keyfile"; then
- display_errorbox "Unable to disable firstboot password"
- return 1
- fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_drop_key "$extra_dev" "$luks_keyfile"; then
- display_errorbox "Unable to disable firstboot
password(${extra_dev})"
- return 1
- fi
+ for luks_dev in ${luks_devices}; do
+ if ! luks_drop_key "$luks_dev" "$luks_keyfile"; then
+ display_errorbox "Unable to disable firstboot password(${luks_dev})"
+ return 1
+ fi
done
##################################################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-activate
new/fde-tools-0.7.2/share/commands/tpm-activate
--- old/fde-tools-0.7.1/share/commands/tpm-activate 2023-09-07
08:05:01.318932648 +0200
+++ new/fde-tools-0.7.2/share/commands/tpm-activate 2023-11-01
08:17:56.360959136 +0100
@@ -24,14 +24,14 @@
function cmd_tpm_activate {
- luks_dev="$1"
+ local luks_devices="$1"
- if bootloader_check_sealed_key "${luks_dev}"; then
+ if bootloader_check_sealed_key; then
fde_trace "LUKS key already sealed. Skip activation."
return 0
fi
- if ! tpm_enable "${luks_dev}"; then
+ if ! tpm_enable "${luks_devices}"; then
return 1
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-disable
new/fde-tools-0.7.2/share/commands/tpm-disable
--- old/fde-tools-0.7.1/share/commands/tpm-disable 2023-09-07
08:05:01.318932648 +0200
+++ new/fde-tools-0.7.2/share/commands/tpm-disable 2023-11-01
08:17:56.360959136 +0100
@@ -21,7 +21,7 @@
alias cmd_perform=cmd_tpm_disable
function tpm_disable {
- luks_dev="$1"
+ local luks_devices="$1"
# Request the user to type the recovery password to prove the password is
# correctly memorized, so that the user won't lock herself/himself out of
@@ -32,18 +32,12 @@
return 1
fi
- if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
- rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS partition"
- return 1
- fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+ for luks_dev in ${luks_devices}; do
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS
partition($extra_dev)"
+ display_errorbox "Failed to verify password on LUKS partition"
return 1
- fi
+ fi
done
rm -f "$luks_keyfile"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-enable
new/fde-tools-0.7.2/share/commands/tpm-enable
--- old/fde-tools-0.7.1/share/commands/tpm-enable 2023-09-07
08:05:01.318932648 +0200
+++ new/fde-tools-0.7.2/share/commands/tpm-enable 2023-11-01
08:17:56.360959136 +0100
@@ -24,7 +24,7 @@
function tpm_enable {
- luks_dev="$1"
+ local luks_devices="$1"
st=1
@@ -32,7 +32,7 @@
# prompt on firstboot.
# We must clear this before computing any PCR policies, otherwise
# we end up hashing the wrong grub.cfg file
- remove_secondary_password "$luks_dev"
+ remove_secondary_password "${luks_devices}"
if [[ "$FDE_USE_AUTHORIZED_POLICIES" =~ y.* ]]; then
if [ -z "$FDE_AUTHORIZED_POLICY" ]; then
@@ -42,7 +42,7 @@
# Tell the boot loader about the authorized policy and the misc files
# that go with it...
- if tpm_enable_authorized_policy "$luks_dev"; then
+ if tpm_enable_authorized_policy "$luks_devices"; then
# ... and authorize the current system configuration.
# This is what "fdectl tpm-authorize" does, inlined.
bootloader_authorize_pcr_policy "$FDE_AP_SECRET_KEY"
"$FDE_AP_SEALED_SECRET"
@@ -50,12 +50,12 @@
fi
elif [ -n "$opt_keyfile" ]; then
# We were invoked with --keyfile "/foo/bar"
- tpm_enable_pcr_policy "$luks_dev" "$opt_keyfile"
+ tpm_enable_pcr_policy "${luks_devices}" "$opt_keyfile"
st=$?
elif [ -n "$FDE_ENROLL_NEW_KEY" ]; then
# We're asked to enroll a secondary key. Do so, and zap the
# setting in /etc/sysconfig/fde-tools
- tpm_enable_pcr_policy "$luks_dev" "$FDE_ENROLL_NEW_KEY"
+ tpm_enable_pcr_policy "${luks_devices}" "$FDE_ENROLL_NEW_KEY"
st=$?
rm -vf "$FDE_ENROLL_NEW_KEY"
@@ -84,7 +84,7 @@
function tpm_enable_authorized_policy {
- luks_dev="$1"
+ local luks_devices="$1"
# When we get here, the installer should already have
# - created an authorized policy
@@ -115,8 +115,8 @@
function tpm_enable_pcr_policy {
- luks_dev="$1"
- luks_keyfile="$2"
+ local luks_devices="$1"
+ local luks_keyfile="$2"
if [ -n "$luks_keyfile" ]; then
if [ ! -f "$luks_keyfile" ]; then
@@ -124,20 +124,21 @@
return 1
fi
- luks_new_keyfile=$(fde_make_tempfile new.key)
- cp "$luks_keyfile" "$luks_new_keyfile"
-
# We consider the key compromised, because it resided on disk - even if
only
# for a short amount of time. It may have made its way into a btrfs
snapshot,
# which may hang around forever...
# So what we do here is generate a new key and replace the key slot
with the
# compromised key with this new key. Note that the new key is created
below
# /dev/shm, which is an in-memory file system.
- if ! luks_set_random_key "$luks_dev" "$luks_new_keyfile"; then
- display_errorbox "Failed to change secondary LUKS key"
- rm -f "$luks_keyfile" "$luks_new_keyfile"
- return 1
- fi
+ luks_new_keyfile=$(fde_make_tempfile new.key)
+ luks_generate_random_key ${luks_new_keyfile}
+ for luks_dev in ${luks_devices}; do
+ if ! luks_set_key "$luks_dev" "$luks_keyfile" "$luks_new_keyfile";
then
+ display_errorbox "Failed to change secondary LUKS
key(${luks_dev})"
+ rm -f "$luks_keyfile" "$luks_new_keyfile"
+ return 1
+ fi
+ done
else
luks_keyfile=$(fde_make_tempfile pass.key)
if ! fde_request_recovery_passfile "$luks_keyfile"; then
@@ -145,33 +146,21 @@
return 1
fi
- if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
- rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS partition"
- return 1
- fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+ for luks_dev in ${luks_devices}; do
+ if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
rm -f "$luks_keyfile"
- display_errorbox "Failed to verify password on LUKS
partition($extra_dev)"
+ display_errorbox "Failed to verify password on LUKS
partition(${luks_dev})"
return 1
fi
done
luks_new_keyfile=$(fde_make_tempfile new.key)
- if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}"
"${luks_new_keyfile}"; then
- display_errorbox "Failed to add secondary LUKS key"
- rm -f "$luks_keyfile" "$luks_new_keyfile"
- return 1
- fi
-
- # Add the new random key to the devices in FDE_EXTRA_DEVS
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile";
then
- display_errorbox "Failed to add secondary LUKS key
(${extra_dev})"
- rm -f "$luks_keyfile"
+ luks_generate_random_key ${luks_new_keyfile}
+ for luks_dev in ${luks_devices}; do
+ if ! luks_add_key "${luks_dev}" "${luks_keyfile}"
"${luks_new_keyfile}"; then
+ display_errorbox "Failed to add secondary LUKS key(${luks_dev})"
+ rm -f "$luks_keyfile" "$luks_new_keyfile"
return 1
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/tpm-wipe
new/fde-tools-0.7.2/share/commands/tpm-wipe
--- old/fde-tools-0.7.1/share/commands/tpm-wipe 2023-09-07 08:05:01.318932648
+0200
+++ new/fde-tools-0.7.2/share/commands/tpm-wipe 2023-11-01 08:17:56.360959136
+0100
@@ -24,22 +24,17 @@
function cmd_tpm_wipe {
- luks_dev="$1"
+ local luks_devices="$1"
- if ! tpm_disable "${luks_dev}"; then
+ if ! tpm_disable "${luks_devices}"; then
return 1
fi
- if ! bootloader_wipe "${luks_dev}"; then
- display_errorbox "Failed to wipe out key slots"
- return 1
+ for luks_dev in ${luks_devices}; do
+ if ! bootloader_wipe "${luks_dev}"; then
+ display_errorbox "Failed to wipe out key slots ${luks_dev}"
+ return 1
fi
-
- for extra_dev in ${FDE_EXTRA_DEVS}; do
- if ! bootloader_wipe "$extra_dev"; then
- display_errorbox "Failed to wipe out key slots (${extra_dev})"
- return 1
- fi
done
return 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/grub2
new/fde-tools-0.7.2/share/grub2
--- old/fde-tools-0.7.1/share/grub2 2023-10-17 03:58:25.343073403 +0200
+++ new/fde-tools-0.7.2/share/grub2 2023-11-01 08:17:56.360959136 +0100
@@ -211,7 +211,7 @@
# TODO Avoid removing the non-grub-tpm2 keyslot or the last keyslot
# Remove the keyslots
- for slot in "${keyslots}"; do
+ for slot in ${keyslots}; do
cryptsetup luksKillSlot -q ${luks_dev} ${slot}
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/fde-tools-0.7.1/share/luks
new/fde-tools-0.7.2/share/luks
--- old/fde-tools-0.7.1/share/luks 2023-10-23 07:54:00.911620084 +0200
+++ new/fde-tools-0.7.2/share/luks 2023-11-01 08:17:56.360959136 +0100
@@ -234,6 +234,23 @@
}
##################################################################
+# Change an existing password by files
+##################################################################
+function luks_set_password {
+ local luks_dev="$1"
+ local luks_keyfile="$2"
+ local luks_new_keyfile="$3"
+
+ display_infobox "Updating LUKS password (${luks_dev})"
+
+ if ! cryptsetup --key-file "${luks_keyfile}" luksChangeKey --pbkdf
"$FDE_LUKS_PBKDF" "${luks_dev}" ${luks_new_keyfile}; then
+ # FIXME: dialog
+ fde_trace "Warning: luksChangeKey indicates failure"
+ return 1
+ fi
+}
+
+##################################################################
# Change an existing password
# This function uses request_new_password to prompt the user for
# the new password.
@@ -258,13 +275,10 @@
return 1
fi
- display_infobox "Updating LUKS recovery password"
-
old_keyfile=$(luks_write_password oldpass "${luks_old_password}")
new_keyfile=$(luks_write_password newpass "${result_password}")
- if ! cryptsetup --key-file "${old_keyfile}" luksChangeKey --pbkdf
"$FDE_LUKS_PBKDF" "${luks_dev}" ${new_keyfile}; then
- # FIXME: dialog
- fde_trace "Warning: luksChangeKey indicates failure"
+ if ! luks_set_password "${luks_dev}" "${old_keyfile}" "${new_keyfile}";
then
+ rm -f ${new_keyfile} ${old_keyfile}
return 1
fi
@@ -325,6 +339,11 @@
fdectl-grub-tpm2 add --key-slot ${luks_keyslot} ${luks_dev}
}
+function luks_generate_random_key {
+ local new_keyfile="$1"
+
+ dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile
status=none
+}
function luks_add_random_key {
@@ -332,18 +351,16 @@
local luks_keyfile="$2"
local new_keyfile="$3"
- dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile
status=none
+ luks_generate_random_key ${new_keyfile}
luks_add_key ${luks_dev} ${luks_keyfile} ${new_keyfile}
}
-function luks_set_random_key {
+function luks_set_key {
local luks_dev="$1"
local luks_keyfile="$2"
-
- new_keyfile=/dev/shm/new.keyfile
- dd if=/dev/random bs=1 count=$FDE_KEY_SIZE_BYTES of=$new_keyfile
status=none
+ local new_keyfile="$3"
# Note: we try to reduce the cost of PBKDF to (almost) nothing.
# There's no need in slowing down this operation for a
@@ -351,6 +368,16 @@
cryptsetup --key-file "${luks_keyfile}" luksChangeKey \
--pbkdf "$FDE_LUKS_PBKDF" --pbkdf-force-iterations 1000 \
$luks_dev $new_keyfile
+}
+
+function luks_set_random_key {
+ local luks_dev="$1"
+ local luks_keyfile="$2"
+
+ new_keyfile=/dev/shm/new.keyfile
+ luks_generate_random_key ${new_keyfile}
+
+ luks_set_key ${luks_dev} ${luks_keyfile} ${new_keyfile}
ret=$?
cp $new_keyfile "${luks_keyfile}"
