Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-04-21 20:24:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Sun Apr 21 20:24:26 2024 rev:20 rq:1169081 version:0.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-04-18 22:08:00.587346546 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes 2024-04-21 20:24:59.320874521 +0200 @@ -1,0 +2,8 @@ +Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin <g...@suse.com> + +- Add patches to adopt the "--target-platform" option when using + the newer pcr-oracle (bsc#1218390) + + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + +------------------------------------------------------------------- New: ---- fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BETA DEBUG BEGIN: New: the newer pcr-oracle (bsc#1218390) + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch New: + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.wietX3/_old 2024-04-21 20:25:01.440952312 +0200 +++ /var/tmp/diff_new_pack.wietX3/_new 2024-04-21 20:25:01.448952606 +0200 
@@ -35,6 +35,8 @@ Patch3: fde-tools-bsc1220160-conditional-requires.patch Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch +Patch6: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch +Patch7: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++++++ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch ++++++ >From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 1 Dec 2023 17:11:22 +0800 Subject: [PATCH] Switch to "--target-platform" when available Check if pcr-oracle supports "--target-platform" and replace "--key-format" with "--target-platform" if the option is available. Signed-off-by: Gary Lin <g...@suse.com> --- share/grub2 | 5 +++++ share/systemd-boot | 10 ++++++++++ share/tpm | 37 +++++++++++++++++++++++++++---------- 3 files changed, 42 insertions(+), 10 deletions(-) Index: fde-tools-0.7.2/share/grub2 =================================================================== --- fde-tools-0.7.2.orig/share/grub2 +++ fde-tools-0.7.2/share/grub2 @@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k alias bootloader_remove_keyslots=grub_remove_keyslots alias bootloader_wipe=grub_wipe alias bootloader_rsa_sizes=grub_rsa_sizes +alias bootloader_platform_parameters=grub_platform_parameters ################################################################## # Edit a variable in /etc/default/grub @@ -244,3 +245,7 @@ function grub_rsa_sizes { # TPM 2.0 should at least support RSA2048. echo "2048" } + +function grub_platform_parameters { + echo "--target-platform tpm2.0" +} Index: fde-tools-0.7.2/share/systemd-boot =================================================================== --- fde-tools-0.7.2.orig/share/systemd-boot +++ fde-tools-0.7.2/share/systemd-boot 
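Review bot: `grub_platform_parameters` is added without a header comment, while its systemd-boot counterpart in the same patch documents what the helper is for; the two bootloader implementations of the `bootloader_platform_parameters` alias should read the same way. Suggested header above the function, in the file's existing banner style: `# Print the boot loader specific parameters passed to pcr-oracle` followed by `# (consumed via the bootloader_platform_parameters alias).` The value itself is fixed text, so no further behaviour needs documenting.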
@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge alias bootloader_remove_keyslots=systemd_remove_keyslots alias bootloader_wipe=systemd_wipe alias bootloader_rsa_sizes=systemd_rsa_sizes +alias bootloader_platform_parameters=systemd_platform_parameters function not_implemented { @@ -183,3 +184,12 @@ function systemd_wipe { function systemd_rsa_sizes { echo "2048" } + +################################################################## +# This function shows the boot loader specific parameters for +# pcr-oracle. +################################################################## +function systemd_platform_parameters { + + echo "--target-platform systemd" +} Index: fde-tools-0.7.2/share/tpm =================================================================== --- fde-tools-0.7.2.orig/share/tpm +++ fde-tools-0.7.2/share/tpm 
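Review bot: The body of `systemd_platform_parameters` opens with a blank line before its only statement, unlike the neighbouring one-line helper `systemd_rsa_sizes`; dropping it keeps the two consistent: `function systemd_platform_parameters {` / `echo "--target-platform systemd"` / `}`. The header comment's "shows" would be more precise as "prints", since the output is captured by command substitution in share/tpm rather than displayed to a user.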
@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size { echo "$__fde_rsa_key_size" } +function tpm_platform_parameters { + declare -g __fde_platform_param + + if [ -n "$__fde_platform_param" ]; then + echo "$__fde_platform_param" + return + fi + + # Check if pcr-oracle supports "--target-platform" + if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then + __fde_platform_param="--key-format tpm2.0" + echo "$__fde_platform_param" + return + fi + + __fde_platform_param=$(bootloader_platform_parameters) + echo "$__fde_platform_param" +} + function tpm_seal_key { local secret=$1 local sealed_secret=$2 - local opt_rsa_bits= + local extra_opts=$(tpm_platform_parameters) local rsa_size=$(tpm_get_rsa_key_size) if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then - opt_rsa_bits="--rsa-bits ${rsa_size}" + extra_opts="${extra_opts} --rsa-bits ${rsa_size}" fi echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 - pcr-oracle ${opt_rsa_bits} \ + pcr-oracle ${extra_opts} \ --input "$secret" --output "$sealed_secret" \ - --key-format tpm2.0 \ --algorithm "$FDE_SEAL_PCR_BANK" \ --from eventlog \ --stop-event "$FDE_STOP_EVENT" \ @@ -151,19 +169,18 @@ function tpm_seal_secret { local sealed_secret="$2" local authorized_policy="$3" - local opt_rsa_bits= + local extra_opts=$(tpm_platform_parameters) local rsa_size=$(tpm_get_rsa_key_size) if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then - opt_rsa_bits="--rsa-bits ${rsa_size}" + extra_opts="${extra_opts} --rsa-bits ${rsa_size}" fi # If we are expected to use an authorized policy, seal the secret # against that, using pcr-oracle rather than the tpm2 tools if [ -n "$authorized_policy" ]; then - pcr-oracle ${opt_rsa_bits} \ + pcr-oracle ${extra_opts} \ --authorized-policy "$authorized_policy" \ - --key-format tpm2.0 \ --input $secret \ --output $sealed_secret \ seal-secret 
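Review bot: The capability probe in `tpm_platform_parameters` matches the literal text "unrecognized option" in pcr-oracle's stderr, which looks like the libc getopt_long message and may be translated under a non-English locale; a translated message would presumably skip the fallback and pass `--target-platform` to an older pcr-oracle, which then fails loudly instead of using `--key-format`. Pin the locale for the probe: `if LC_ALL=C pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then`. Separately, `local extra_opts=$(tpm_platform_parameters)` in tpm_seal_key and tpm_seal_secret (and likewise in tpm_authorize and tpm_test in the following hunks) hides the helper's exit status behind `local` (ShellCheck SC2155); split it into `local extra_opts` and `extra_opts=$(tpm_platform_parameters)`. Note also that an empty result from `bootloader_platform_parameters` is never cached because of the `-n` check, so the probe re-runs on every call in that case — probably harmless, but worth a one-line comment on the cache.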
@@ -246,8 +263,9 @@ function tpm_authorize { sealed_key_file="$2" signed_key_file="$3" - pcr-oracle \ - --key-format tpm2.0 \ + local extra_opts=$(tpm_platform_parameters) + + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --private-key "$private_key_file" \ --from eventlog \ ++++++ fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch ++++++ >From 63714d6ab724082b72abd07474bf52ef47e718d4 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 19 Apr 2024 15:02:50 +0800 Subject: [PATCH] tpm: fix tpm-present with the newer pcr-oracle Modify tpm_test() to use the tpm2.0 key format for sealing and unsealing to be compatible with the newer pcr-oracle. Signed-off-by: Gary Lin <g...@suse.com> --- share/tpm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/share/tpm b/share/tpm index 47d72dc..4993351 100644 --- a/share/tpm +++ b/share/tpm @@ -182,6 +182,8 @@ function tpm_test { key_size=$1 + local extra_opts=$(tpm_platform_parameters) + secret=$(fde_make_tempfile secret) dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 @@ -193,18 +195,18 @@ function tpm_test { dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 fde_trace "Testing TPM seal/unseal" - pcr-oracle \ + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --input "$secret" \ --output "$sealed_secret" \ --from current \ seal-secret "$FDE_SEAL_PCR_LIST" - pcr-oracle \ + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --input "$sealed_secret" \ --output "$recovered" \ - unseal-secret "$FDE_SEAL_PCR_LIST" + unseal-secret if ! cmp "$secret" "$recovered"; then fde_trace "BAD: Unable to recover original secret" -- 2.35.3
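Review bot: `tpm_test` now seals and unseals with whatever `tpm_platform_parameters` returns, which for systemd-boot is `--target-platform systemd` rather than the tpm2.0 key format the commit message describes; if pcr-oracle handles the two platforms differently, the TPM-presence test no longer exercises the plain TPM path, so this is worth confirming or recording in a comment such as `# Use the same platform parameters as the real seal so the probe matches enrollment`. The new `local extra_opts=$(tpm_platform_parameters)` also contrasts with `key_size=$1` and `secret=...` in the same function, which are not declared local — pre-existing, but visible now that the function mixes both. tpm_test's body starts before the first hunk and continues past the last one.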