Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package disk-encryption-tool for openSUSE:Factory checked in at 2024-02-16 21:41:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old) and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.1815 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "disk-encryption-tool" Fri Feb 16 21:41:43 2024 rev:4 rq:1146884 version:1+git20240213.68c965a Changes: --------
--- /work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes 2023-12-22 22:40:59.819260565 +0100
+++ /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.1815/disk-encryption-tool.changes 2024-02-16 21:41:44.944387121 +0100
@@ -1,0 +2,11 @@
+Tue Feb 13 16:51:11 UTC 2024 - lnus...@suse.com
+
+- Update to version 1+git20240213.68c965a:
+ * Fix pcr-oracle detection logic
+ * Do not call dracut after encryption
+ * Use systemd-pcrlock
+ * Rename generate_key function
+ * Allow to turn off disk encryption via rd.enrypt
+ * Turn on messages again
+
+-------------------------------------------------------------------
Old: ---- disk-encryption-tool-1+git20231221.d2e7fe6.obscpio
New: ---- disk-encryption-tool-1+git20240213.68c965a.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ disk-encryption-tool.spec ++++++
--- /var/tmp/diff_new_pack.wg2XlR/_old 2024-02-16 21:41:45.488406749 +0100
+++ /var/tmp/diff_new_pack.wg2XlR/_new 2024-02-16 21:41:45.492406894 +0100
@@ -1,7 +1,7 @@
#
# spec file for package disk-encryption-tool
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@
%endif
Name: disk-encryption-tool
-Version: 1+git20231221.d2e7fe6%{git_version}
+Version: 1+git20240213.68c965a%{git_version}
Release: 0
Summary: Tool to reencrypt kiwi raw images
License: MIT
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.wg2XlR/_old 2024-02-16 21:41:45.524408048 +0100
+++ /var/tmp/diff_new_pack.wg2XlR/_new 2024-02-16 21:41:45.528408193 +0100
@@ -3,6 +3,6 @@ <param name="url">https://github.com/lnussel/disk-encryption-tool.git</param> <param name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
- <param name="changesrevision">d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7</param></service></servicedata>
+ <param name="changesrevision">68c965a91d8f16314c3cea6a8c11cfa2ac92529e</param></service></servicedata>
(No newline at EOF)
++++++ disk-encryption-tool-1+git20231221.d2e7fe6.obscpio -> disk-encryption-tool-1+git20240213.68c965a.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool new/disk-encryption-tool-1+git20240213.68c965a/disk-encryption-tool
--- old/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool 2023-12-21 16:03:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240213.68c965a/disk-encryption-tool 2024-02-13 17:46:57.000000000 +0100
@@ -438,7 +438,8 @@
grep LOADER_TYPE "$mp"/etc/sysconfig/bootloader
fi
-call_dracut
+# A new initrd is created as side effect of the enrolment
+# (jeos-firtboot module), as this calls sdbootutil make_ro
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut new/disk-encryption-tool-1+git20240213.68c965a/disk-encryption-tool-dracut
--- old/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut 2023-12-21 16:03:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240213.68c965a/disk-encryption-tool-dracut 2024-02-13 17:46:57.000000000 +0100
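Review bot: The comment that replaces `call_dracut` misspells the module name (`jeos-firtboot`) and records an assumption this file no longer enforces: the initrd is now rebuilt only when the enrolment step actually runs, and `enroll_post` in jeos-firstboot-enroll (later in this diff) returns early when `/usr/bin/systemd-cryptenroll` is absent or `detect_luks2` finds no device, so on those paths nothing visible here regenerates the initrd after re-encryption. Worth stating the precondition explicitly, e.g. `# No call_dracut here: the initrd is rebuilt by the jeos-firstboot enrolment step (sdbootutil add-all-kernels); if enrolment is skipped the initrd is NOT regenerated`. The enclosing block of disk-encryption-tool starts and ends outside the hunk.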
@@ -3,6 +3,11 @@
exec < /dev/console >/dev/console 2>&1
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
+# check whether encryption was explicitly turned off
+if ! getargbool 1 rd.encrypt; then
+ exit 0
+fi
+
# XXX: this is so dirty
systemctl start sysroot.mount
mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var
@@ -21,3 +26,5 @@
if [ "$inhibitor" != $'\e' ]; then
/usr/bin/disk-encryption-tool -v --gen-key || die "Encryption failed"
fi
+# turn messages on again
+kill -SIGRTMIN+20 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll new/disk-encryption-tool-1+git20240213.68c965a/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll 2023-12-21 16:03:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240213.68c965a/jeos-firstboot-enroll 2024-02-13 17:46:57.000000000 +0100
@@ -5,13 +5,14 @@
declare -a luks2_devices
-# After the enrolling, other tools can find this list in the LUKS
-# header
-pcrs="0,2,4,7,9"
+# After the enrolling, other tools can find this list in
+# /etc/sysconfig/fde-tools
+FDE_SEAL_PCR_LIST="0,2,4,7,9"
+
have_luks2() {
- [ "${#luks2_devices[@]}" -gt 0 ]
+ [ "${#luks2_devices[@]}" -gt 0 ]
}
detect_luks2()
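Review bot: The `rd.encrypt=0` early exit is silent: a system booted with that parameter comes up with its root disk left unencrypted and the only trace is the absence of the later enrolment messages, which makes the state hard to audit from the journal. Since stdout is already redirected to `/dev/console` two lines above, one line before the `exit 0` would make the decision explicit and greppable, e.g. `echo "rd.encrypt=0 given, skipping disk encryption"` (or dracut-lib's `warn`, which is in scope once `/lib/dracut-lib.sh` is sourced). The comment could also state the default, since `getargbool 1 rd.encrypt` treats an absent parameter as "encrypt": `# rd.encrypt=0 disables encryption; absent or any other value keeps it on`.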
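Review bot: `kill -SIGRTMIN+20 1` only runs if the script reaches its last line; on the `die "Encryption failed"` path two lines above, and on the new `exit 0` for `rd.encrypt=0` earlier in this file, status messages stay suppressed (assuming `die` terminates this shell rather than returning). If the matching "messages off" signal is sent from this script (not visible in the hunk), registering the re-enable once, e.g. `trap 'kill -SIGRTMIN+20 1' EXIT`, right after it would cover every exit path; if it is sent elsewhere, the same trap still restores output whenever this script ends.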
@@ -34,20 +35,26 @@
local has_tpm2=
[ -z "$(systemd-cryptenroll --fido2-device=list 2>/dev/null)" ] || has_fido2=1
- [ -e '/sys/class/tpm/tpm0' ] && has_tpm2=1
+ if [ -e '/sys/class/tpm/tpm0' ]; then
+ if have_pcrlock; then
+ has_tpm2=lock
+ elif have_pcr_oracle; then
+ has_tpm2=oracle
+ fi
+ fi
# For now seems that if a FIDO2 key is enrolled, it will take
# precedence over the TPM2 and the key will be asked to be present
# in subsequent boots.
- if [ "$has_fido2" = '1' ] && [ "$has_tpm2" = '1' ]; then
+ if [ "$has_fido2" = '1' ] && [ -n "$has_tpm2" ]; then
local list=('FIDO2' 'FIDO2' 'TPM2' 'TPM2' 'none' $"Skip")
d --no-tags --default-item 'FIDO2' --menu $"Select unlock device" 0 0 "$(menuheight ${#list[@]})" "${list[@]}"
[ "$result" = 'FIDO2' ] && with_fido2=1
- [ "$result" = 'TPM2' ] && with_tpm2=1
+ [ "$result" = 'TPM2' ] && with_tpm2="$has_tpm2"
elif [ "$has_fido2" ]; then
dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Unlock encrypted disk via FIDO2 token?" 0 0 && with_fido2=1
- elif [ "$has_tpm2" ]; then
- dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Unlock encrypted disk via TPM?" 0 0 && with_tpm2=1
+ elif [ -n "$has_tpm2" ]; then
+ dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Unlock encrypted disk via TPM?" 0 0 && with_tpm2="$has_tpm2"
fi
return 0
}
@@ -61,7 +68,7 @@
run systemd-cryptenroll --fido2-device=auto "$dev"
}
-generate_key() {
+generate_rsa_key() {
[ -z "$dry" ] && mkdir -p /etc/systemd
run pcr-oracle \
--rsa-generate-key \
@@ -70,10 +77,10 @@
store-public-key
}
-enroll_tpm2() {
+enroll_tpm2_pcr_oracle() {
local dev="$1"
- echo "Enrolling with TPM2: $dev"
+ echo "Enrolling with TPM2 (pcr-oracle): $dev"
# The password is read from "cryptenroll" kernel keyring
# XXX: Wipe is separated by now (possible systemd bug)
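Review bot: When `/sys/class/tpm/tpm0` exists but neither `have_pcrlock` nor `have_pcr_oracle` succeeds, `has_tpm2` stays empty and the TPM2 choice silently disappears from the menu, which an operator or a CI log cannot distinguish from "no TPM present". An `else` arm on the inner `if`, e.g. `else echo "TPM2 found but neither systemd-pcrlock nor pcr-oracle is installed; TPM2 unlock not offered" >&2`, would make the degraded case visible. The preference order (pcrlock before pcr-oracle) also deserves a one-line comment here, since the two helpers are defined further down in this file and the reason for the order is not stated anywhere in the diff. The enclosing function starts before this hunk.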
@@ -84,7 +91,25 @@
run systemd-cryptenroll \
--tpm2-device=auto \
--tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
- --tpm2-public-key-pcrs="$pcrs" \
+ --tpm2-public-key-pcrs="$FDE_SEAL_PCR_LIST" \
+ "$dev"
+}
+
+enroll_tpm2_pcrlock() {
+ local dev="$1"
+
+ echo "Enrolling with TPM2 (pcrlock): $dev"
+
+ # The password is read from "cryptenroll" kernel keyring
+ # XXX: Wipe is separated by now (possible systemd bug)
+ run systemd-cryptenroll \
+ --wipe-slot=tpm2 \
+ "$dev"
+
+ # Note that the PCRs are now not stored in the LUKS2 header
+ run systemd-cryptenroll \
+ --tpm2-device=auto \
+ --tpm2-pcrlock=/var/lib/systemd/pcrlock.json \
"$dev"
}
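Review bot: `enroll_tpm2_pcrlock` wipes the existing TPM2 slot and only then references `/var/lib/systemd/pcrlock.json`; if the prediction step that is supposed to produce that policy did not run or failed, the second `systemd-cryptenroll` fails after the wipe and the volume is left with the passphrase as its only unlock path, with no TPM binding at all. A guard before the wipe keeps the previous slot intact in that case, e.g. `[ -s /var/lib/systemd/pcrlock.json ] || { echo "pcrlock policy missing, not enrolling $dev" >&2; return 1; }` (how `run` reacts to a failing command is not visible here, so the explicit return is safer than relying on it). The comment `# Note that the PCRs are now not stored in the LUKS2 header` could also say where the binding lives instead, since other tooling that used to read the header will need to know.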
@@ -116,32 +141,68 @@
run chmod 644 /etc/crypttab
}
+have_pcrlock() {
+ [ -e /usr/lib/systemd/systemd-pcrlock ]
+}
+
+have_pcr_oracle() {
+ [ -e /usr/bin/pcr-oracle ]
+}
+
+is_pcr_oracle() {
+ have_pcr_oracle && \
+ [ -e /etc/systemd/tpm2-pcr-public-key.pem ] && \
+ [ -e /etc/systemd/tpm2-pcr-private-key.pem ]
+}
+
enroll_post() {
[ -e /usr/bin/systemd-cryptenroll ] || return 0
detect_luks2 || return 0
+ # For now is a first step before moving into fde-tools
+ if [ -e /etc/sysconfig/fde-tools ]; then
+ . /etc/sysconfig/fde-tools
+ else
+ echo "FDE_SEAL_PCR_LIST=${FDE_SEAL_PCR_LIST}" > /etc/sysconfig/fde-tools
+ fi
+
local dev
local fstype crypttab_options="x-initrd.attach"
+ # Generate first the crypttab + initrd, so the predictions can be
+ # done in case of pcrlock
if [ "$with_fido2" = '1' ]; then
- for dev in "${luks2_devices[@]}"; do
- enroll_fido2 "$dev"
- done
crypttab_options+=",fido2-device=auto"
+ elif [ -n "$with_tpm2" ]; then
+ crypttab_options+=",tpm2-device=auto"
+ fi
+ update_crypttab_options "$crypttab_options"
+
+ if [ "$with_tpm2" = 'oracle' ]; then
+ generate_rsa_key
+ else
+ # sdbootutil will generate predictions for pcrlock
+ SDB_ADD_INITIAL_CMDLINE=1 run sdbootutil add-all-kernels --no-reuse-initrd
fi
- if [ "$with_tpm2" = '1' ]; then
- generate_key
-
+ if [ "$with_fido2" = '1' ]; then
for dev in "${luks2_devices[@]}"; do
- enroll_tpm2 "$dev"
+ enroll_fido2 "$dev"
+ done
+ elif [ -n "$with_tpm2" ]; then
+ for dev in "${luks2_devices[@]}"; do
+ if [ "$with_tpm2" = 'lock' ]; then
+ enroll_tpm2_pcrlock "$dev"
+ else
+ enroll_tpm2_pcr_oracle "$dev"
+ fi
done
- crypttab_options+=",tpm2-device=auto"
fi
- update_crypttab_options "$crypttab_options"
-
- run sdbootutil add-all-kernels --no-reuse-initrd
+ if [ "$with_tpm2" = 'oracle' ]; then
+ # with pcr-oracle we pick up settings from the luks header
+ run sdbootutil add-all-kernels --no-reuse-initrd
+ fi
}
++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.wg2XlR/_old 2024-02-16
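Review bot: The `else` arm in `enroll_post` writes `/etc/sysconfig/fde-tools` directly, bypassing the dry-run convention the rest of the file follows (`generate_rsa_key` guards its `mkdir` with `[ -z "$dry" ]` and every other side effect goes through `run`), so a dry run now leaves a real config file behind. Guarding it the same way, `[ -n "$dry" ] || echo "FDE_SEAL_PCR_LIST=${FDE_SEAL_PCR_LIST}" > /etc/sysconfig/fde-tools`, keeps the two paths consistent. The `if` arm sources that file as shell, so every variable it sets lands in this script's namespace, not only `FDE_SEAL_PCR_LIST`; a comment noting that the file is trusted root-owned configuration (the usual sysconfig contract) would save the next reader the question. `is_pcr_oracle` is added but not referenced in any visible hunk; if it is unused it is dead code, otherwise a one-line comment naming its caller would help.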
21:41:45.616411367 +0100
+++ /var/tmp/diff_new_pack.wg2XlR/_new 2024-02-16 21:41:45.620411512 +0100
@@ -1,5 +1,5 @@
name: disk-encryption-tool
-version: 1+git20231221.d2e7fe6
-mtime: 1703170980
-commit: d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7
+version: 1+git20240213.68c965a
+mtime: 1707842817
+commit: 68c965a91d8f16314c3cea6a8c11cfa2ac92529e