Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-04-21 20:24:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and      /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fde-tools"

Sun Apr 21 20:24:26 2024 rev:20 rq:1169081 version:0.7.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes      2024-04-18 
22:08:00.587346546 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes   
2024-04-21 20:24:59.320874521 +0200
@@ -1,0 +2,8 @@
+Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add patches to adopt the "--target-platform" option when using
+  the newer pcr-oracle (bsc#1218390)
+  + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+  + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+
+-------------------------------------------------------------------

New:
----
  fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
  fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch

BETA DEBUG BEGIN:
  New:  the newer pcr-oracle (bsc#1218390)
  + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
  + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
  New:  + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
  + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fde-tools.spec ++++++
--- /var/tmp/diff_new_pack.wietX3/_old  2024-04-21 20:25:01.440952312 +0200
+++ /var/tmp/diff_new_pack.wietX3/_new  2024-04-21 20:25:01.448952606 +0200
@@ -35,6 +35,8 @@
 Patch3:         fde-tools-bsc1220160-conditional-requires.patch
 Patch4:         fde-tools-bsc1222970-firstboot-replace-ALP.patch
 Patch5:         fde-tools-bsc1223002-firstboot-disable-ccid.patch
+Patch6:         
fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+Patch7:         
fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)

++++++ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch 
++++++
>From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Fri, 1 Dec 2023 17:11:22 +0800
Subject: [PATCH] Switch to "--target-platform" when available

Check if pcr-oracle supports "--target-platform" and replace
"--key-format" with "--target-platform" if the option is available.

Signed-off-by: Gary Lin <g...@suse.com>
---
 share/grub2        |  5 +++++
 share/systemd-boot | 10 ++++++++++
 share/tpm          | 37 +++++++++++++++++++++++++++----------
 3 files changed, 42 insertions(+), 10 deletions(-)

Index: fde-tools-0.7.2/share/grub2
===================================================================
--- fde-tools-0.7.2.orig/share/grub2
+++ fde-tools-0.7.2/share/grub2
@@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k
 alias bootloader_remove_keyslots=grub_remove_keyslots
 alias bootloader_wipe=grub_wipe
 alias bootloader_rsa_sizes=grub_rsa_sizes
+alias bootloader_platform_parameters=grub_platform_parameters
 
 ##################################################################
 # Edit a variable in /etc/default/grub
@@ -244,3 +245,7 @@ function grub_rsa_sizes {
     # TPM 2.0 should at least support RSA2048.
     echo "2048"
 }
+
+function grub_platform_parameters {
+    echo "--target-platform tpm2.0"
+}
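Review bot: `grub_platform_parameters` is added without the header comment that its systemd-boot counterpart gets in the same patch, and neither states that the output is later expanded unquoted onto the pcr-oracle command line (`pcr-oracle ${extra_opts}` in share/tpm). I would add above it `# Print the boot loader specific pcr-oracle options; callers word-split the result, so it must stay a plain space-separated option list.` Documenting both implementations alike makes it easier to see that the platform name is the only intended difference.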
Index: fde-tools-0.7.2/share/systemd-boot
===================================================================
--- fde-tools-0.7.2.orig/share/systemd-boot
+++ fde-tools-0.7.2/share/systemd-boot
@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge
 alias bootloader_remove_keyslots=systemd_remove_keyslots
 alias bootloader_wipe=systemd_wipe
 alias bootloader_rsa_sizes=systemd_rsa_sizes
+alias bootloader_platform_parameters=systemd_platform_parameters
 
 
 function not_implemented {
@@ -183,3 +184,12 @@ function systemd_wipe {
 function systemd_rsa_sizes {
     echo "2048"
 }
+
+##################################################################
+# This function shows the boot loader specific parameters for
+# pcr-oracle.
+##################################################################
+function systemd_platform_parameters {
+
+    echo "--target-platform systemd"
+}
Index: fde-tools-0.7.2/share/tpm
===================================================================
--- fde-tools-0.7.2.orig/share/tpm
+++ fde-tools-0.7.2/share/tpm
@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size {
     echo "$__fde_rsa_key_size"
 }
 
+function tpm_platform_parameters {
+    declare -g __fde_platform_param
+
+    if [ -n "$__fde_platform_param" ]; then
+       echo "$__fde_platform_param"
+       return
+    fi
+
+    # Check if pcr-oracle supports "--target-platform"
+    if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then
+       __fde_platform_param="--key-format tpm2.0"
+       echo "$__fde_platform_param"
+       return
+    fi
+
+    __fde_platform_param=$(bootloader_platform_parameters)
+    echo "$__fde_platform_param"
+}
+
 function tpm_seal_key {
 
     local secret=$1
     local sealed_secret=$2
 
-    local opt_rsa_bits=
+    local extra_opts=$(tpm_platform_parameters)
     local rsa_size=$(tpm_get_rsa_key_size)
 
     if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
-       opt_rsa_bits="--rsa-bits ${rsa_size}"
+       extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
     fi
 
     echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
-    pcr-oracle ${opt_rsa_bits} \
+    pcr-oracle ${extra_opts} \
                        --input "$secret" --output "$sealed_secret" \
-                       --key-format tpm2.0 \
                        --algorithm "$FDE_SEAL_PCR_BANK" \
                        --from eventlog \
                        --stop-event "$FDE_STOP_EVENT" \
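Review bot: The cache in `tpm_platform_parameters` never takes effect from the call sites in this patch, because `local extra_opts=$(tpm_platform_parameters)` runs the function in a command-substitution subshell and the `declare -g __fde_platform_param` assignment is lost when that subshell exits, so pcr-oracle is probed again on every call. Filling the variable in the current shell would fix that, e.g. `tpm_platform_parameters >/dev/null` followed by `local extra_opts=$__fde_platform_param`; the same applies in the tpm_seal_secret and tpm_authorize hunks and in tpm_test in the second patch. The probe also matches the English text "unrecognized option", so if pcr-oracle ever prints localized option-parser messages, an old binary would skip the `--key-format tpm2.0` fallback and sealing would fail; `if LC_ALL=C pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then` pins the message language. tpm_seal_key's body continues outside the hunk.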
@@ -151,19 +169,18 @@ function tpm_seal_secret {
     local sealed_secret="$2"
     local authorized_policy="$3"
 
-    local opt_rsa_bits=
+    local extra_opts=$(tpm_platform_parameters)
     local rsa_size=$(tpm_get_rsa_key_size)
 
     if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
-       opt_rsa_bits="--rsa-bits ${rsa_size}"
+       extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
     fi
 
     # If we are expected to use an authorized policy, seal the secret
     # against that, using pcr-oracle rather than the tpm2 tools
     if [ -n "$authorized_policy" ]; then
-       pcr-oracle ${opt_rsa_bits} \
+       pcr-oracle ${extra_opts} \
                        --authorized-policy "$authorized_policy" \
-                       --key-format tpm2.0 \
                        --input $secret \
                        --output $sealed_secret \
                        seal-secret
@@ -246,8 +263,9 @@ function tpm_authorize {
     sealed_key_file="$2"
     signed_key_file="$3"
 
-    pcr-oracle \
-               --key-format tpm2.0 \
+    local extra_opts=$(tpm_platform_parameters)
+
+    pcr-oracle ${extra_opts} \
                --algorithm "$FDE_SEAL_PCR_BANK" \
                 --private-key "$private_key_file" \
                 --from eventlog \

++++++ fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch 
++++++
>From 63714d6ab724082b72abd07474bf52ef47e718d4 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Fri, 19 Apr 2024 15:02:50 +0800
Subject: [PATCH] tpm: fix tpm-present with the newer pcr-oracle

Modify tpm_test() to use the tpm2.0 key format for sealing and unsealing
to be compatible with the newer pcr-oracle.

Signed-off-by: Gary Lin <g...@suse.com>
---
 share/tpm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/share/tpm b/share/tpm
index 47d72dc..4993351 100644
--- a/share/tpm
+++ b/share/tpm
@@ -182,6 +182,8 @@ function tpm_test {
 
     key_size=$1
 
+    local extra_opts=$(tpm_platform_parameters)
+
     secret=$(fde_make_tempfile secret)
     dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2
 
@@ -193,18 +195,18 @@ function tpm_test {
     dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2
 
     fde_trace "Testing TPM seal/unseal"
-    pcr-oracle \
+    pcr-oracle ${extra_opts} \
        --algorithm "$FDE_SEAL_PCR_BANK" \
         --input "$secret" \
         --output "$sealed_secret" \
         --from current \
         seal-secret "$FDE_SEAL_PCR_LIST"
 
-    pcr-oracle \
+    pcr-oracle ${extra_opts} \
        --algorithm "$FDE_SEAL_PCR_BANK" \
         --input "$sealed_secret" \
         --output "$recovered" \
-        unseal-secret "$FDE_SEAL_PCR_LIST"
+        unseal-secret
 
     if ! cmp "$secret" "$recovered"; then
         fde_trace "BAD: Unable to recover original secret"
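Review bot: Neither `pcr-oracle` call in this hunk has its exit status checked, so when the probed `${extra_opts}` is rejected by the installed pcr-oracle the only visible symptom is the later `cmp` failure and its "Unable to recover original secret" trace, unless the script runs under `set -e`, which is not visible here. tpm_test appears to back the tpm-present check, so a wrong option would be reported as a TPM that cannot seal rather than as a tooling mismatch. I would make the cause explicit by appending `|| fde_trace "BAD: pcr-oracle seal-secret failed"` to the first call and the matching `unseal-secret` message to the second. tpm_test starts and ends outside the hunk.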
-- 
2.35.3
