commit fde-tools for openSUSE:Factory

2024-06-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-06-11 18:27:06

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.19518 (New)


Package is "fde-tools"

Tue Jun 11 18:27:06 2024 rev:23 rq:1179922 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-05-31 
22:15:33.613274346 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.19518/fde-tools.changes   
2024-06-11 18:27:14.156363717 +0200
@@ -1,0 +2,6 @@
+Fri Jun  7 07:52:30 UTC 2024 - Gary Ching-Pang Lin 
+
+- Update fde-tools-bsc1220160-conditional-requires.patch to
+  check fde-tpm-helper in %post and %posttrans
+
+---



Other differences:
--
++ fde-tools-bsc1220160-conditional-requires.patch ++
--- /var/tmp/diff_new_pack.zjuxMk/_old  2024-06-11 18:27:15.100398168 +0200
+++ /var/tmp/diff_new_pack.zjuxMk/_new  2024-06-11 18:27:15.104398314 +0200
@@ -1,7 +1,7 @@
-From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001
+From 5f5dc57da2ee1abc3bf63e5389294d97a6027ae8 Mon Sep 17 00:00:00 2001
 From: Gary Lin 
 Date: Tue, 5 Mar 2024 14:51:57 +0800
-Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper
+Subject: [PATCH 1/2] macros.fde-tpm-helper: conditionally requires the helper
 
 fde-tpm-helper is only used when fde-tools is installed. Update the rpm
 macro to make fde-tpm-helper an conditional "Requires".
@@ -24,4 +24,54 @@
 -- 
 2.35.3
 
+
+From 222c145943cde082959de52f5a76dbdf0f254c92 Mon Sep 17 00:00:00 2001
+From: Gary Lin 
+Date: Fri, 7 Jun 2024 10:58:45 +0800
+Subject: [PATCH 2/2] macros.fde-tpm-helper: check if fde-tpm-helper exists
+
+Those rpm macros are only valid for the system with fde-tpm-helper so
+those commands should be skipped if fde-tpm-helper is not there.
+
+Signed-off-by: Gary Lin 
+---
+ rpm-build/macros.fde-tpm-helper | 20 
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper
+index 3c89e2b..4ce09e9 100644
+--- a/rpm-build/macros.fde-tpm-helper
 b/rpm-build/macros.fde-tpm-helper
+@@ -1,16 +1,20 @@
+ %fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools)
+ 
+ %fde_tpm_update_post() \
+-mkdir -p %{_rundir}/fde-tpm-helper/ \
+-touch %{_rundir}/fde-tpm-helper/update \
+-for bl in %{?*}; do \
+-  echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
+-done \
++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \
++  mkdir -p %{_rundir}/fde-tpm-helper/ \
++  touch %{_rundir}/fde-tpm-helper/update \
++  for bl in %{?*}; do \
++echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
++  done \
++fi \
+ %nil
+ 
+ %fde_tpm_update_posttrans() \
+-if test -f %{_rundir}/fde-tpm-helper/update; then \
+-  %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | 
uniq`" || : \
+-  rm -f %{_rundir}/fde-tpm-helper/update \
++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \
++  if test -f %{_rundir}/fde-tpm-helper/update; then \
++%{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update 
| uniq`" || : \
++rm -f %{_rundir}/fde-tpm-helper/update \
++  fi \
+ fi \
+ %nil
+-- 
+2.35.3
+
 
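Review bot: In %fde_tpm_update_post the new 'test -x %{_libexecdir}/fde/fde-tpm-helper' guard decides at %post time whether the bootloader is recorded in %{_rundir}/fde-tpm-helper/update, but the dependency at the top of the file is declared only as 'Requires(posttrans)', so nothing visible here orders the helper before this scriptlet. If fde-tpm-helper is installed later in the same transaction, no update file is written and %fde_tpm_update_posttrans then finds nothing to hand to the helper, so it is skipped without any message. Consider writing the marker unconditionally in %post and keeping the 'test -x' check only in %posttrans, removing the stale file there when the helper is absent. Separately, 'cat ... | uniq' only collapses adjacent duplicates; 'sort -u' is the safer choice if several packages append to the same file.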


commit fde-tools for openSUSE:Factory

2024-05-31 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-05-31 22:15:22

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.24587 (New)


Package is "fde-tools"

Fri May 31 22:15:22 2024 rev:22 rq:1177686 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-05-07 
18:02:26.768417733 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.24587/fde-tools.changes   
2024-05-31 22:15:33.613274346 +0200
@@ -1,0 +2,6 @@
+Thu May 30 06:53:32 UTC 2024 - Gary Ching-Pang Lin 
+
+- Fix fde-tools-change-rpm-macro-dir.patch which didn't set
+  RPM_MACRO_DIR correctly
+
+---



Other differences:
--
++ fde-tools-change-rpm-macro-dir.patch ++
--- /var/tmp/diff_new_pack.6ItFxw/_old  2024-05-31 22:15:34.289298971 +0200
+++ /var/tmp/diff_new_pack.6ItFxw/_new  2024-05-31 22:15:34.293299117 +0200
@@ -22,7 +22,7 @@
  FIRSTBOOTDIR  = $(DATADIR)/jeos-firstboot
  FDE_HELPER_DIR= $(LIBEXECDIR)/fde
 -RPM_MACRO_DIR = /etc/rpm
-++RPM_MACRO_DIR?= /etc/rpm
++RPM_MACRO_DIR ?= /etc/rpm
  FIDO_LINK = -lfido2 -lcrypto
  CRPYT_LINK= -lcryptsetup -ljson-c
  TOOLS = fde-token fdectl-grub-tpm2
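Review bot: The removed line carries a doubled '+' in front of RPM_MACRO_DIR, so the Makefile line produced by the old patch began with a literal '+'; the changelog entry ("didn't set RPM_MACRO_DIR correctly") should name that defect so the history explains what was wrong. Also note that '?=' makes the Makefile honour an RPM_MACRO_DIR inherited from the environment, so a build that does not pass it explicitly can install the macro file somewhere unexpected; if only the spec file is meant to override the default, an assignment on the make command line already wins over a plain '='.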


commit fde-tools for openSUSE:Factory

2024-05-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-05-07 18:02:22

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1880 (New)


Package is "fde-tools"

Tue May  7 18:02:22 2024 rev:21 rq:1172318 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-04-21 
20:24:59.320874521 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1880/fde-tools.changes
2024-05-07 18:02:26.768417733 +0200
@@ -1,0 +2,6 @@
+Tue May  7 05:53:20 UTC 2024 - Gary Ching-Pang Lin 
+
+- Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
+  to make "pass" mandatory during firstboot (bsc#1223771)
+
+---

New:

  fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch




Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.NylBwR/_old  2024-05-07 18:02:27.392440423 +0200
+++ /var/tmp/diff_new_pack.NylBwR/_new  2024-05-07 18:02:27.396440569 +0200
@@ -37,6 +37,7 @@
 Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
 Patch6: 
fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
 Patch7: 
fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+Patch8: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)

++ fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch ++
From e0222c3dcf0bb1a44328b893bed9224d05b7506a Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Mon, 6 May 2024 16:28:41 +0800
Subject: [PATCH] firstboot: make "Pass phrase" mandatory

Without choosing the "Pass phrase" option, the default VM password will
remain after firstboot. To ensure the default password is gone for good,
make "Pass phrase" mandatory.

Signed-off-by: Gary Lin 
---
 firstboot/fde | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/firstboot/fde b/firstboot/fde
index 4911b32..161e832 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -203,15 +203,22 @@ function fde_setup_unencrypted {
 
 function __fde_valid_protections {
 
+pass_warn=true
 for tag in $*; do
 case $tag in
-pass|tpm) : ;;
+pass) pass_warn=false ;;
+tpm) : ;;
 *)
display_errorbox "FDE key protection scheme $tag not yet 
implemented"
return 1;;
 esac
 done
 
+if $pass_warn; then
+display_errorbox "Pass phrase is mandatory"
+return 1
+fi
+
 return 0
 }
 
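Review bot: pass_warn is assigned at the top of __fde_valid_protections without 'local', so it becomes a global in the firstboot shell and outlives this call; declare it as 'local pass_warn=true'. The name also reads backwards for what it tracks (no 'pass' tag was seen), so something like pass_missing would make the final 'if $pass_warn' test easier to follow.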
@@ -253,10 +260,6 @@ function fde_choose_protection {
FDE_PROTECTION="$result"
fde_trace "user selected protections: <$FDE_PROTECTION>"
 
-   if [ -z "$FDE_PROTECTION" ]; then
-   return 1
-   fi
-
if __fde_valid_protections $FDE_PROTECTION; then
break
fi
-- 
2.35.3


commit fde-tools for openSUSE:Factory

2024-04-21 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-04-21 20:24:26

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New)


Package is "fde-tools"

Sun Apr 21 20:24:26 2024 rev:20 rq:1169081 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-04-18 
22:08:00.587346546 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes   
2024-04-21 20:24:59.320874521 +0200
@@ -1,0 +2,8 @@
+Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin 
+
+- Add patches to adopt the "--target-platform" option when using
+  the newer pcr-oracle (bsc#1218390)
+  + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+  + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+
+---

New:

  fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
  fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch




Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.wietX3/_old  2024-04-21 20:25:01.440952312 +0200
+++ /var/tmp/diff_new_pack.wietX3/_new  2024-04-21 20:25:01.448952606 +0200
@@ -35,6 +35,8 @@
 Patch3: fde-tools-bsc1220160-conditional-requires.patch
 Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch
 Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
+Patch6: 
fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+Patch7: 
fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)

++ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch 
++
From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Fri, 1 Dec 2023 17:11:22 +0800
Subject: [PATCH] Switch to "--target-platform" when available

Check if pcr-oracle supports "--target-platform" and replace
"--key-format" with "--target-platform" if the option is available.

Signed-off-by: Gary Lin 
---
 share/grub2|  5 +
 share/systemd-boot | 10 ++
 share/tpm  | 37 +++--
 3 files changed, 42 insertions(+), 10 deletions(-)

Index: fde-tools-0.7.2/share/grub2
===
--- fde-tools-0.7.2.orig/share/grub2
+++ fde-tools-0.7.2/share/grub2
@@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k
 alias bootloader_remove_keyslots=grub_remove_keyslots
 alias bootloader_wipe=grub_wipe
 alias bootloader_rsa_sizes=grub_rsa_sizes
+alias bootloader_platform_parameters=grub_platform_parameters
 
 ##
 # Edit a variable in /etc/default/grub
@@ -244,3 +245,7 @@ function grub_rsa_sizes {
 # TPM 2.0 should at least support RSA2048.
 echo "2048"
 }
+
+function grub_platform_parameters {
+echo "--target-platform tpm2.0"
+}
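Review bot: grub_platform_parameters is added without the '##' description block that the matching systemd_platform_parameters gets in share/systemd-boot; add the same comment here and state in it that the output is two words meant to be expanded unquoted into the pcr-oracle command line. The commit message says the option is used only "if the option is available", but both bootloader functions echo '--target-platform' unconditionally, so the comment should also say that the availability check is the caller's job.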
Index: fde-tools-0.7.2/share/systemd-boot
===
--- fde-tools-0.7.2.orig/share/systemd-boot
+++ fde-tools-0.7.2/share/systemd-boot
@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge
 alias bootloader_remove_keyslots=systemd_remove_keyslots
 alias bootloader_wipe=systemd_wipe
 alias bootloader_rsa_sizes=systemd_rsa_sizes
+alias bootloader_platform_parameters=systemd_platform_parameters
 
 
 function not_implemented {
@@ -183,3 +184,12 @@ function systemd_wipe {
 function systemd_rsa_sizes {
 echo "2048"
 }
+
+##
+# This function shows the boot loader specific parameters for
+# pcr-oracle.
+##
+function systemd_platform_parameters {
+
+echo "--target-platform systemd"
+}
Index: fde-tools-0.7.2/share/tpm
===
--- fde-tools-0.7.2.orig/share/tpm
+++ fde-tools-0.7.2/share/tpm
@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size {
 echo "$__fde_rsa_key_size"
 }
 
+function tpm_platform_parameters {
+declare -g __fde_platform_param

commit fde-tools for openSUSE:Factory

2024-04-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-04-18 22:07:59

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New)


Package is "fde-tools"

Thu Apr 18 22:07:59 2024 rev:19 rq:1168698 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-03-15 
20:27:36.799975851 +0100
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes   
2024-04-18 22:08:00.587346546 +0200
@@ -1,0 +2,8 @@
+Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin 
+
+- Add fde-tools-bsc1222970-firstboot-replace-ALP.patch to replace
+  "ALP" with "This system" (bsc#1222970)
+- Add fde-tools-bsc1223002-firstboot-disable-ccid.patch to disable
+  the non-functional ccid option (bsc#1223002)
+
+---

New:

  fde-tools-bsc1222970-firstboot-replace-ALP.patch
  fde-tools-bsc1223002-firstboot-disable-ccid.patch




Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.Cu2fKg/_old  2024-04-18 22:08:01.467378887 +0200
+++ /var/tmp/diff_new_pack.Cu2fKg/_new  2024-04-18 22:08:01.471379034 +0200
@@ -33,6 +33,8 @@
 Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch
 Patch2: fde-tools-change-rpm-macro-dir.patch
 Patch3: fde-tools-bsc1220160-conditional-requires.patch
+Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch
+Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)

++ fde-tools-bsc1222970-firstboot-replace-ALP.patch ++
From e3dbd0eed64938a79d82a6916dee3925297ac082 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Thu, 18 Apr 2024 10:10:15 +0800
Subject: [PATCH] firstboot: replace ALP with a neutral name

The script may be used on systems other than ALP. Replace "ALP" with
"This system".

Signed-off-by: Gary Lin 
---
 firstboot/fde | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/firstboot/fde b/firstboot/fde
index 0f94829..a4e5c15 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -228,7 +228,7 @@ function fde_choose_protection {
 
 FDE_PROTECTION=""
 
-message="ALP can be installed with an encrypted root and boot partition. 
Please choose the desired protection method(s) or press Cancel to install 
without encryption"
+message="This system can be installed with an encrypted root and boot 
partition. Please choose the desired protection method(s) or press Cancel to 
install without encryption"
 options+=(pass 'Pass phrase' on)
 
 if ! tpm_present_and_working; then
-- 
2.35.3


++ fde-tools-bsc1223002-firstboot-disable-ccid.patch ++
From 10672433c10ce391f126f426f86eb85fc4dffa73 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Thu, 18 Apr 2024 10:13:30 +0800
Subject: [PATCH] firstboot: disable the ccid option

Since ccid token is still not supported, disable the option until we
really implement it.

Signed-off-by: Gary Lin 
---
 firstboot/fde | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/firstboot/fde b/firstboot/fde
index a4e5c15..4911b32 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -237,7 +237,8 @@ function fde_choose_protection {
options+=(tpm 'Stored inside the TPM chip' on)
 fi
 
-options+=(ccid 'Stored inside a CCID capable token' off)
+# Disable the ccid option until we really implement it
+# options+=(ccid 'Stored inside a CCID capable token' off)
 
 while true; do
 d --title "Full Disk Encryption" --checklist \
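Review bot: The ccid entry is disabled by commenting out the 'options+=' line rather than deleting it; commented-out code tends to linger, so either remove the line (it stays recoverable from the history) or put the tracking reference (bsc#1223002) in the comment so it is clear when the option can come back.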
-- 
2.35.3


commit fde-tools for openSUSE:Factory

2024-03-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-03-15 20:27:32

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1905 (New)


Package is "fde-tools"

Fri Mar 15 20:27:32 2024 rev:18 rq:1157881 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-03-06 
23:03:23.934849170 +0100
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1905/fde-tools.changes
2024-03-15 20:27:36.799975851 +0100
@@ -1,0 +2,5 @@
+Wed Mar 13 08:54:37 UTC 2024 - Gary Ching-Pang Lin 
+
+- Add json-c to BuildRequires to build on openSUSE Leap 15.5
+
+---



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.1bgJ99/_old  2024-03-15 20:27:37.391997657 +0100
+++ /var/tmp/diff_new_pack.1bgJ99/_new  2024-03-15 20:27:37.391997657 +0100
@@ -34,6 +34,7 @@
 Patch2: fde-tools-change-rpm-macro-dir.patch
 Patch3: fde-tools-bsc1220160-conditional-requires.patch
 BuildRequires:  help2man
+BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)
 Requires:   cryptsetup


commit fde-tools for openSUSE:Factory

2024-03-06 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2024-03-06 23:03:14

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1770 (New)


Package is "fde-tools"

Wed Mar  6 23:03:14 2024 rev:17 rq:1154987 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2024-02-21 
17:51:51.165393449 +0100
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1770/fde-tools.changes
2024-03-06 23:03:23.934849170 +0100
@@ -1,0 +2,10 @@
+Tue Mar  5 05:54:49 UTC 2024 - Gary Ching-Pang Lin 
+
+- Add fde-tools-change-rpm-macro-dir.patch and set the rpm macro
+  directory correctly
+- Make fde-firstboot, fde-tpm-helper, and fde-tpm-helper-rpm-macros
+  noarch
+- Add fde-tools-bsc1220160-conditional-requires.patch to make
+  fde-tpm-helper a conditional "Requires" (bsc#1220160)
+
+---

New:

  fde-tools-bsc1220160-conditional-requires.patch
  fde-tools-change-rpm-macro-dir.patch




Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.lsgmuF/_old  2024-03-06 23:03:24.626874259 +0100
+++ /var/tmp/diff_new_pack.lsgmuF/_new  2024-03-06 23:03:24.626874259 +0100
@@ -16,6 +16,10 @@
 #
 
 
+%if %{undefined _rpmmacrodir}
+  %define _rpmmacrodir %{_sysconfdir}/rpm
+%endif
+
 Name:   fde-tools
 Version:0.7.2
 Release:0
@@ -27,6 +31,8 @@
 Source1:fde-tools.service
 Patch0: fde-tools-firstboot-alp-snapshot.patch
 Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch
+Patch2: fde-tools-change-rpm-macro-dir.patch
+Patch3: fde-tools-bsc1220160-conditional-requires.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)
@@ -45,6 +51,7 @@
 Group:  System/Boot
 Requires:   fde-tools
 Requires:   jeos-firstboot
+BuildArch:  noarch
 
 %description -n fde-firstboot
 This package contains the scripts necessary to plug Full Disk Encryption
@@ -64,6 +71,7 @@
 %package -n fde-tpm-helper
 Summary:TPM helper for fde-tools
 Group:  System/Boot
+BuildArch:  noarch
 
 %description -n fde-tpm-helper
 This package contains the TPM helper script for the bootloader packages
@@ -72,6 +80,7 @@
 %package -n fde-tpm-helper-rpm-macros
 Summary:RPM macros for fde-tools
 Group:  Development/Tools/Building
+BuildArch:  noarch
 
 %description -n fde-tpm-helper-rpm-macros
 This package contains the RPM macros for the bootloader packages to
@@ -87,7 +96,8 @@
LIBEXECDIR="%{_libexecdir}" \
SBINDIR="%{_sbindir}" \
DATADIR="%{_datadir}" \
-   SYSCONFDIR="%{_sysconfdir}"
+   SYSCONFDIR="%{_sysconfdir}" \
+   RPM_MACRO_DIR="%{_rpmmacrodir}"
 
 %install
 %make_install \
@@ -95,7 +105,8 @@
LIBEXECDIR="%{_libexecdir}" \
SBINDIR="%{_sbindir}" \
DATADIR="%{_datadir}" \
-   SYSCONFDIR="%{_sysconfdir}"
+   SYSCONFDIR="%{_sysconfdir}" \
+   RPM_MACRO_DIR="%{_rpmmacrodir}"
 
 mkdir -p %{buildroot}%{_fillupdir}
 mv %{buildroot}/etc/sysconfig/fde-tools 
%{buildroot}%{_fillupdir}/sysconfig.fde-tools
@@ -141,5 +152,5 @@
 %{_libexecdir}/fde/fde-tpm-helper
 
 %files -n fde-tpm-helper-rpm-macros
-%config %{_sysconfdir}/rpm/macros.fde-tpm-helper
+%{_rpmmacrodir}/macros.fde-tpm-helper
 
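Review bot: The %files entry for macros.fde-tpm-helper drops '%config' at the same time as it moves to %{_rpmmacrodir}, but the fallback added at the top of the spec defines _rpmmacrodir as %{_sysconfdir}/rpm when the macro is undefined. On such targets the file still lands under the sysconfig directory yet is no longer tracked as a config file, so a locally edited copy is replaced on upgrade without a .rpmnew or .rpmsave. Say in the changelog that this is intended, or keep '%config' for the '%if %{undefined _rpmmacrodir}' case.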

++ fde-tools-bsc1220160-conditional-requires.patch ++
From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Tue, 5 Mar 2024 14:51:57 +0800
Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper

fde-tpm-helper is only used when fde-tools is installed. Update the rpm
macro to make fde-tpm-helper a conditional "Requires".

Signed-off-by: Gary Lin 
---
 rpm-build/macros.fde-tpm-helper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper
index 1ec3a4e..3c89e2b 100644
--- a/rpm-build/macros.fde-tpm-helper
+++ b/rpm-build/macros.fde-tpm-helper
@@ -1,4 +1,4 @@
-%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper
+%fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools)
 
 %fde_tpm_update_post() \
 mkdir -p %{_rundir}/fde-tpm-helper/ \
-- 
2.35.3


++ fde-tools-change-rpm-macro-dir.patch ++
>From 

commit fde-tools for openSUSE:Factory

2023-11-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-11-07 21:25:12

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New)


Package is "fde-tools"

Tue Nov  7 21:25:12 2023 rev:15 rq:1123704 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-11-02 
20:20:56.510669838 +0100
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes   
2023-11-07 21:25:19.737238924 +0100
@@ -1,0 +2,6 @@
+Mon Nov  6 16:02:01 UTC 2023 - Dominique Leuenberger 
+
+- Fix build with RPM 4.19: unnumbered patches are no longer
+  supported.
+
+---



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.IXwrDG/_old  2023-11-07 21:25:20.409263670 +0100
+++ /var/tmp/diff_new_pack.IXwrDG/_new  2023-11-07 21:25:20.413263818 +0100
@@ -25,7 +25,7 @@
 URL:https://github.com/openSUSE/fde-tools
 Source: 
https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1:fde-tools.service
-Patch:  fde-tools-firstboot-alp-snapshot.patch
+Patch0: fde-tools-firstboot-alp-snapshot.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)


commit fde-tools for openSUSE:Factory

2023-11-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-11-02 20:20:52

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New)


Package is "fde-tools"

Thu Nov  2 20:20:52 2023 rev:14 rq:1121560 version:0.7.2

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-10-24 
20:06:49.661188106 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes   
2023-11-02 20:20:56.510669838 +0100
@@ -1,0 +2,7 @@
+Wed Nov  1 07:19:45 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.7.2
+  + Add help output for the command tpm-authorize
+  + Improve the multi-devices support
+
+---

Old:

  fde-tools-0.7.1.tar.bz2

New:

  fde-tools-0.7.2.tar.bz2



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.dH7mAB/_old  2023-11-02 20:20:57.138692947 +0100
+++ /var/tmp/diff_new_pack.dH7mAB/_new  2023-11-02 20:20:57.142693094 +0100
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.7.1
+Version:0.7.2
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only

++ fde-tools-0.7.1.tar.bz2 -> fde-tools-0.7.2.tar.bz2 ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.7.1/fde.sh new/fde-tools-0.7.2/fde.sh
--- old/fde-tools-0.7.1/fde.sh  2023-10-23 07:54:57.691250724 +0200
+++ new/fde-tools-0.7.2/fde.sh  2023-11-01 08:18:03.416914490 +0100
@@ -22,7 +22,7 @@
 
 : ${SHAREDIR:=/usr/share/fde}
 
-version=0.7.1
+version=0.7.2
 
 opt_bootloader=grub2
 opt_uefi_bootdir=""
@@ -74,7 +74,8 @@
   tpm-present  check whether a TPM2 chip is present and working
   tpm-enable   enable TPM protection
   tpm-disable  disable TPM protection
-  tpm-wipe  wipe out the keyslot for the sealed key
+  tpm-wipe wipe out the keyslot for the sealed key
+  tpm-authorizeupdate the authorized pcr policy in the sealed 
key
 EOF
 }
 
@@ -204,30 +205,28 @@
 . "$SHAREDIR/commands/$command"
 
 if cmd_requires_luks_device; then
-# Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS
-FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}"
-FDE_EXTRA_DEVS=""
-
-fsdev=$(luks_device_for_path /)
-if [ ! -b "$fsdev" ]; then
-   fde_bad_argument "Unable to determine partition to operate on"
-fi
+if [ -n "${FDE_DEVS}" ]; then
+   luks_devices="${FDE_DEVS}"
+else
+   fsdev=$(luks_device_for_path /)
+   if [ ! -b "$fsdev" ]; then
+   fde_bad_argument "Unable to determine partition to operate on"
+   fi
 
-luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
-if [ -z "$luks_devices" ]; then
-   display_errorbox "Cannot find the underlying partition for $fsdev"
-   exit 1
-fi
+   luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
+   if [ -z "$luks_devices" ]; then
+   display_errorbox "Cannot find the underlying partition for $fsdev"
+   exit 1
+   fi
 
-# Merge FDE_DEVS and detected devices and remove duplicate devices
-luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | 
sed '/^$/d' | sort -u)
+   # Merge FDE_EXTRA_DEVS and detected devices
+   luks_devices="${luks_devices} ${FDE_EXTRA_DEVS}"
+fi
 
-# Extract the first device as the main root device and set others
-# to FDE_EXTRA_DEVS.
-luks_dev=$(head -n 1 <<<${luks_devices})
-FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices})
+# Remove the duplicate devices
+luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices}" | sed '/^$/d' | 
sort -u)
 
-cmd_perform "$luks_dev"
+cmd_perform "$luks_devices"
 else
 cmd_perform
 fi
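Review bot: In the new 'if [ -n "${FDE_DEVS}" ]' branch the device list is taken from configuration as-is: the '[ ! -b "$fsdev" ]' check and the luks_get_volume_for_fsdev lookup now run only in the else branch, so a FDE_DEVS value with a typo, or one that omits the root volume, is passed to cmd_perform unvalidated and the root device is silently left out. Consider checking each entry with '-b' after the 'sort -u' step and failing with fde_bad_argument on the first bad one. Also, cmd_perform now receives the whole newline-separated list as one quoted argument instead of a single device, so every command that used "$1" as a device path has to split it; that contract deserves a comment at the call site.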
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/add-secondary-key 
new/fde-tools-0.7.2/share/commands/add-secondary-key
--- old/fde-tools-0.7.1/share/commands/add-secondary-key2023-10-23 
07:54:00.911620084 +0200
+++ new/fde-tools-0.7.2/share/commands/add-secondary-key2023-11-01 
08:17:56.360959136 +0100
@@ -22,19 +22,23 @@
 
 function cmd_add_secondary_key {
 
-luks_dev="$1"
+local luks_devices="$1"
 
-keyslots=$(bootloader_get_keyslots ${luks_dev})
-
-if [ -n "$FDE_ENROLL_KEY" ]; then
+if [ -n "$FDE_ENROLL_NEW_KEY" ]; then
display_errorbox "It seems you've already tried to enroll a secondary 
key."
return 1
-elif [ -n "${keyslots}" ]; then
-   display_errorbox "It seems you've already enrolled a 

commit fde-tools for openSUSE:Factory

2023-10-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-10-24 20:06:47

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.24901 (New)


Package is "fde-tools"

Tue Oct 24 20:06:47 2023 rev:13 rq:1119546 version:0.7.1

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-10-05 
20:03:09.654729915 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.24901/fde-tools.changes   
2023-10-24 20:06:49.661188106 +0200
@@ -1,0 +2,13 @@
+Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.7.1
+  + add-secondary-key: remove the generation of the secondary
+password
+  + add-secondary-key: remove the inclusion of
+   'add-secondary-password'
+  + luks: list all underlying LUKS device
+  + Introduce FDE_DEVS to list all LUKS devices
+- Drop upstreamd patch
+  + fde-tools-remove-redundant-2nd-pw-creation.patch
+
+---

Old:

  fde-tools-0.7.0.tar.bz2
  fde-tools-remove-redundant-2nd-pw-creation.patch

New:

  fde-tools-0.7.1.tar.bz2



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.Gx7q05/_old  2023-10-24 20:06:50.305211520 +0200
+++ /var/tmp/diff_new_pack.Gx7q05/_new  2023-10-24 20:06:50.309211665 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.7.0
+Version:0.7.1
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -26,7 +26,6 @@
 Source: 
https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
-Patch1: fde-tools-remove-redundant-2nd-pw-creation.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)

++ fde-tools-0.7.0.tar.bz2 -> fde-tools-0.7.1.tar.bz2 ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.7.0/fde.sh new/fde-tools-0.7.1/fde.sh
--- old/fde-tools-0.7.0/fde.sh  2023-09-19 07:56:12.454296022 +0200
+++ new/fde-tools-0.7.1/fde.sh  2023-10-23 07:54:57.691250724 +0200
@@ -22,7 +22,7 @@
 
 : ${SHAREDIR:=/usr/share/fde}
 
-version=0.7.0
+version=0.7.1
 
 opt_bootloader=grub2
 opt_uefi_bootdir=""
@@ -204,17 +204,29 @@
 . "$SHAREDIR/commands/$command"
 
 if cmd_requires_luks_device; then
+# Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS
+FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}"
+FDE_EXTRA_DEVS=""
+
 fsdev=$(luks_device_for_path /)
 if [ ! -b "$fsdev" ]; then
fde_bad_argument "Unable to determine partition to operate on"
 fi
 
-luks_dev=$(luks_get_volume_for_fsdev "$fsdev")
-if [ -z "$luks_dev" ]; then
+luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
+if [ -z "$luks_devices" ]; then
display_errorbox "Cannot find the underlying partition for $fsdev"
exit 1
 fi
 
+# Merge FDE_DEVS and detected devices and remove duplicate devices
+luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | 
sed '/^$/d' | sort -u)
+
+# Extract the first device as the main root device and set others
+# to FDE_EXTRA_DEVS.
+luks_dev=$(head -n 1 <<<${luks_devices})
+FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices})
+
 cmd_perform "$luks_dev"
 else
 cmd_perform
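Review bot: 'grep -v "${luks_dev}"' treats the device path as an unanchored regular expression, so with luks_dev=/dev/sda1 it would also drop /dev/sda10 from FDE_EXTRA_DEVS (constructed example), and a '.' in a path matches any character; use 'grep -vxF -- "${luks_dev}"' instead. The "main root device" is also chosen by 'head -n 1' after 'sort -u', that is, whichever path sorts first, which is the detected root volume only by coincidence once the FDE_DEVS entries are merged in.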
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.7.0/man/fdectl.8 
new/fde-tools-0.7.1/man/fdectl.8
--- old/fde-tools-0.7.0/man/fdectl.82023-06-30 11:05:51.588318859 +0200
+++ new/fde-tools-0.7.1/man/fdectl.81970-01-01 01:00:00.0 +0100
@@ -1,125 +0,0 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.5.
-.TH FDECTL "8" "June 2023" "fdectl 0.6.3" "System Administration Utilities"
-.SH NAME
-fdectl \- Tool for controlling Full Disk Encryption
-.SH SYNOPSIS
-.B fdectl
-[\fI\,global-options\/\fR] \fI\,command \/\fR[\fI\,cmd-options\/\fR]
-.SH DESCRIPTION
-The primary objective of this tool is to streamline the TPM seal/unseal process
-for system administrators and installers. To achieve this, it heavily depends
-on \fBpcr-oracle\fP to forecast the relevant TPM Platform Configuration
-Registers (PCRs) values at the point when the boot loader needs to unseal the
-key. The primary configuration file for this tool is located at
-\fB/etc/sysconfig/fde-tools\fP.
-.SS "Global options:"
-.HP
-\fB\-\-help\fR
-.IP
-Display this message
-.HP
-\fB\-\-version\fR
-.IP
-Print program version
-.HP

commit fde-tools for openSUSE:Factory

2023-10-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-10-05 20:02:52

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.28202 (New)


Package is "fde-tools"

Thu Oct  5 20:02:52 2023 rev:12 rq:1115533 version:0.7.0

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-10-02 
20:05:04.367797341 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.28202/fde-tools.changes   
2023-10-05 20:03:09.654729915 +0200
@@ -1,0 +2,6 @@
+Wed Oct  4 07:04:47 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-remove-redundant-2nd-pw-creation.patch to remove
+  the creation of the secondary password in 'add-secondary-key'
+
+---

New:

  fde-tools-remove-redundant-2nd-pw-creation.patch



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.XkWziR/_old  2023-10-05 20:03:10.762769945 +0200
+++ /var/tmp/diff_new_pack.XkWziR/_new  2023-10-05 20:03:10.762769945 +0200
@@ -26,6 +26,7 @@
 Source: 
https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
+Patch1: fde-tools-remove-redundant-2nd-pw-creation.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)

++ fde-tools-remove-redundant-2nd-pw-creation.patch ++
From bea5676c3afbe13b4fee22bb7f3b74ba7a7382c9 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Wed, 4 Oct 2023 14:56:29 +0800
Subject: [PATCH] add-secondary-key: remove the generation of the secondary
 password

The secondary password is only specific to the firstboot and it's the
responsibility of the installer to invoke 'fdectl add-secondary-password'.
Since Agama is preparing to add the command, we can remove the
workaround for good.

Signed-off-by: Gary Lin 
---
 share/commands/add-secondary-key | 11 ---
 1 file changed, 11 deletions(-)

diff --git a/share/commands/add-secondary-key b/share/commands/add-secondary-key
index ba3710e..6113931 100644
--- a/share/commands/add-secondary-key
+++ b/share/commands/add-secondary-key
@@ -37,17 +37,6 @@ function cmd_add_secondary_key {
return 1
 fi
 
-# HACK ATTACK
-# This is here as a workaround, while we're waiting for d-installer to call
-#fdectl add-secondary-password
-# prior to adding the secondary key.
-if [ -z "$(bootloader_get_fde_password)" ]; then
-   fde_trace "WORKAROUND: silently adding secondary password to allow 
hands-free reboot"
-   fde_trace "WORKAROUND: please remove this after adding support for 
add-secondary-password to the installer"
-   add_secondary_password "$luks_dev"
-   bootloader_commit_config
-fi
-
 if ! enroll_tpm_secondary_key "${luks_dev}"; then
return 1
 fi
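Review bot: With the `bootloader_get_fde_password` test removed, `cmd_add_secondary_key` goes straight to `enroll_tpm_secondary_key` and nothing in the lines shown verifies that a secondary password exists, so an installer that has not yet called `fdectl add-secondary-password` gets no indication of the missing step. Rather than dropping the test entirely, consider keeping `[ -z "$(bootloader_get_fde_password)" ]` and turning the branch into an explicit error, or at least an `fde_trace` message, so the dependency on the installer is visible at run time.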
-- 
2.35.3


commit fde-tools for openSUSE:Factory

2023-10-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-10-02 20:04:16

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.28202 (New)


Package is "fde-tools"

Mon Oct  2 20:04:16 2023 rev:11 rq:1114736 version:0.7.0

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-09-20 
13:31:39.263943572 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.28202/fde-tools.changes   
2023-10-02 20:05:04.367797341 +0200
@@ -1,0 +2,7 @@
+Mon Oct  2 08:10:10 UTC 2023 - Gary Ching-Pang Lin 
+
+- Bring ExclusiveArch back and only enable the build for the
+  architectures with the proper UEFI Secure Boot and TPM 2.0/TCG
+  protocol support: aarch64 x86_64 riscv64
+
+---



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.7V8xTl/_old  2023-10-02 20:05:05.515838628 +0200
+++ /var/tmp/diff_new_pack.7V8xTl/_new  2023-10-02 20:05:05.515838628 +0200
@@ -33,6 +33,7 @@
 Requires:   mokutil
 Requires:   pcr-oracle >= 0.4.5
 Requires:   util-linux-systemd
+ExclusiveArch:  aarch64 x86_64 riscv64
 
 %description
 This package provides several components required to support Full Disk


commit fde-tools for openSUSE:Factory

2023-09-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-09-20 13:29:05

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.16627 (New)


Package is "fde-tools"

Wed Sep 20 13:29:05 2023 rev:10 rq:1112138 version:0.7.0

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-08-30 
10:23:34.654774743 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.16627/fde-tools.changes   
2023-09-20 13:31:39.263943572 +0200
@@ -1,0 +2,16 @@
+Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.7.0
+  + firstboot: apply the grub.cfg change immediately
+  + fde-tpm-helper for bootloader RPMs to update the sealed key
+automatically
+  + Fix the find command of 'make dist'
+  + Clean up the repo
+  + Make the system flags configurable
+  + fde-tpm-helper: specify the bootloaders in %post
+- Add two new subpackages for the bootloader RPMs to update the
+  sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros
+- Remove ExclusiveArch and set the system directories for 'make'
+  and 'make install'
+
+---

Old:

  fde-tools-0.6.9.tar.bz2

New:

  fde-tools-0.7.0.tar.bz2



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.tC9TCY/_old  2023-09-20 13:31:40.443985847 +0200
+++ /var/tmp/diff_new_pack.tC9TCY/_new  2023-09-20 13:31:40.443985847 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.6.9
+Version:0.7.0
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -33,7 +33,10 @@
 Requires:   mokutil
 Requires:   pcr-oracle >= 0.4.5
 Requires:   util-linux-systemd
-ExclusiveArch:  aarch64 s390x ppc64le x86_64 riscv64
+
+%description
+This package provides several components required to support Full Disk
+Encryption.
 
 %package -n fde-firstboot
 Summary:Full Disk Encryption for images
@@ -41,10 +44,6 @@
 Requires:   fde-tools
 Requires:   jeos-firstboot
 
-%description
-This package provides several components required to support Full Disk
-Encryption.
-
 %description -n fde-firstboot
 This package contains the scripts necessary to plug Full Disk Encryption
 into the JeOS Firstboot framework used for image based delivery of ALP.
@@ -60,14 +59,41 @@
 %description bash-completion
 Bash shell completions for fde-tools
 
+%package -n fde-tpm-helper
+Summary:TPM helper for fde-tools
+Group:  System/Boot
+
+%description -n fde-tpm-helper
+This package contains the TPM helper script for the bootloader packages
+to update the signature in the sealed key.
+
+%package -n fde-tpm-helper-rpm-macros
+Summary:RPM macros for fde-tools
+Group:  Development/Tools/Building
+
+%description -n fde-tpm-helper-rpm-macros
+This package contains the RPM macros for the bootloader packages to
+update the signature in the sealed key.
+
 %prep
 %autosetup -p1
 
 %build
-%make_build
+%make_build \
+   CCFLAGS="%optflags" \
+   LIBDIR="%{_libdir}" \
+   LIBEXECDIR="%{_libexecdir}" \
+   SBINDIR="%{_sbindir}" \
+   DATADIR="%{_datadir}" \
+   SYSCONFDIR="%{_sysconfdir}"
 
 %install
-%make_install
+%make_install \
+   LIBDIR="%{_libdir}" \
+   LIBEXECDIR="%{_libexecdir}" \
+   SBINDIR="%{_sbindir}" \
+   DATADIR="%{_datadir}" \
+   SYSCONFDIR="%{_sysconfdir}"
 
 mkdir -p %{buildroot}%{_fillupdir}
 mv %{buildroot}/etc/sysconfig/fde-tools 
%{buildroot}%{_fillupdir}/sysconfig.fde-tools
@@ -92,7 +118,7 @@
 %{_sbindir}/fdectl
 %{_sbindir}/fde-token
 %{_sbindir}/fdectl-grub-tpm2
-%dir /etc/fde
+%dir %{_sysconfdir}/fde
 %{_fillupdir}/sysconfig.*
 %{_datadir}/fde
 %{_unitdir}/fde-tpm-enroll.service
@@ -108,3 +134,10 @@
 %dir %{_datadir}/jeos-firstboot/modules
 %{_datadir}/jeos-firstboot/modules/fde
 
+%files -n fde-tpm-helper
+%dir %{_libexecdir}/fde
+%{_libexecdir}/fde/fde-tpm-helper
+
+%files -n fde-tpm-helper-rpm-macros
+%config %{_sysconfdir}/rpm/macros.fde-tpm-helper
+
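Review bot: `%config %{_sysconfdir}/rpm/macros.fde-tpm-helper` in the new fde-tpm-helper-rpm-macros file list ships a packaged macro file under /etc and marks it as configuration, although it is build logic that bootloader packages depend on and not something an administrator is expected to edit. Packaged macro files normally go to `%{_rpmmacrodir}` without `%config`; if the install path from `make install` cannot change yet, a short comment in the spec explaining the location would help.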

++ fde-tools-0.6.9.tar.bz2 -> fde-tools-0.7.0.tar.bz2 ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.9/Makefile new/fde-tools-0.7.0/Makefile
--- old/fde-tools-0.6.9/Makefile2023-08-29 10:34:43.259726248 +0200
+++ new/fde-tools-0.7.0/Makefile2023-09-19 07:52:51.927609722 +0200
@@ -1,20 +1,25 @@
 PKGVER = $(shell git describe --tags)
 PKGNAME= fde-tools-$(PKGVER)
 
-CCOPT  = -O0 -g
-LIBDIR = /usr/lib64
-SBINDIR= /usr/sbin
-SYSCONFIGDIR   = 

commit fde-tools for openSUSE:Factory

2023-08-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-08-30 10:20:47

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New)


Package is "fde-tools"

Wed Aug 30 10:20:47 2023 rev:9 rq:1107876 version:0.6.9

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-08-28 
17:12:19.622427876 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes
2023-08-30 10:23:34.654774743 +0200
@@ -1,0 +2,13 @@
+Tue Aug 29 07:56:44 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.9
+  + Redirect the firstboot messages to journald instead of a
+standalone log file (bsc#1214581)
+  + Update /boot/grub2/grub.cfg at the end of firstboot to reflect
+the LUKS key change
+  + Update the version automatically
+  + Add 'cryptsetup' to 'make dist'
+  + Fix the version in fde.sh
+- Update the download URL
+
+---

Old:

  fde-tools-0.6.8.tar.gz

New:

  fde-tools-0.6.9.tar.bz2



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.GyHtuw/_old  2023-08-30 10:23:35.722812866 +0200
+++ /var/tmp/diff_new_pack.GyHtuw/_new  2023-08-30 10:23:35.726813008 +0200
@@ -17,13 +17,13 @@
 
 
 Name:   fde-tools
-Version:0.6.8
+Version:0.6.9
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
 Group:  System/Boot
 URL:https://github.com/openSUSE/fde-tools
-Source: 
https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source: 
https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
 BuildRequires:  help2man

++ fde-tools-0.6.8.tar.gz -> fde-tools-0.6.9.tar.bz2 ++
 3468 lines of diff (skipped)


commit fde-tools for openSUSE:Factory

2023-08-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-08-28 17:12:12

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New)


Package is "fde-tools"

Mon Aug 28 17:12:12 2023 rev:8 rq:1105563 version:0.6.8

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-08-18 
19:29:26.551432473 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes
2023-08-28 17:12:19.622427876 +0200
@@ -1,0 +2,9 @@
+Thu Aug 24 07:45:13 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.8
+  + Improve the LUKS partition detection to support LUKS over LVM
+- Remove openssl and tpm2-0-tss-devel from BuildRequires since all
+  TPM related programs are already in pcr-oracle
+- Add util-linux-systemd to Requires for 'lsblk'
+
+---

Old:

  fde-tools-0.6.7.tar.gz

New:

  fde-tools-0.6.8.tar.gz



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.ZuCg1K/_old  2023-08-28 17:12:20.686466086 +0200
+++ /var/tmp/diff_new_pack.ZuCg1K/_new  2023-08-28 17:12:20.690466231 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.6.7
+Version:0.6.8
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -27,13 +27,12 @@
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
 BuildRequires:  help2man
-BuildRequires:  openssl >= 0.9.8
-BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)
 Requires:   cryptsetup
 Requires:   mokutil
 Requires:   pcr-oracle >= 0.4.5
+Requires:   util-linux-systemd
 ExclusiveArch:  aarch64 s390x ppc64le x86_64 riscv64
 
 %package -n fde-firstboot

++ fde-tools-0.6.7.tar.gz -> fde-tools-0.6.8.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.7/fde.sh new/fde-tools-0.6.8/fde.sh
--- old/fde-tools-0.6.7/fde.sh  2023-08-04 08:45:44.0 +0200
+++ new/fde-tools-0.6.8/fde.sh  2023-08-24 09:41:10.0 +0200
@@ -204,7 +204,6 @@
 . "$SHAREDIR/commands/$command"
 
 if cmd_requires_luks_device; then
-# FIXME: This code needs some love to make it work for LUKS-over-LVM
 fsdev=$(luks_device_for_path /)
 if [ ! -b "$fsdev" ]; then
fde_bad_argument "Unable to determine partition to operate on"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.7/share/luks 
new/fde-tools-0.6.8/share/luks
--- old/fde-tools-0.6.7/share/luks  2023-08-04 08:45:44.0 +0200
+++ new/fde-tools-0.6.8/share/luks  2023-08-24 09:41:10.0 +0200
@@ -50,7 +50,7 @@
 
 path="$1"
 
-df "$path" | grep /dev/ | cut -f1 -d' '
+df --output=source "$path" | grep /dev/
 }
 
 ##
@@ -101,36 +101,17 @@
dev="/dev/mapper/$dm_name"
 fi
 
-link=$(readlink "$dev")
+# Trace back the block devices to locate the first device with
+# 'crypto_LUKS' file system type
+# - lsblk options
+#   -s: inverse dependencies
+#   -n: no header line
+#   -r: raw format
+#   -p: full device path
+#   -o: print only NAME and FSTYPE
+dev_path=$(lsblk -snrp -o NAME,FSTYPE ${dev} | grep -m 1 crypto_LUKS | cut 
-d' ' -f 1)
 
-# When using the LUKS volume directly to hold the root fs,
-# we'll be chasing be /dev/mapper/root -> dm-0 -> sdaN
-# When stacking LUKS + LVM, we're going to chase
-# /dev/mapper/root -> dm-1 -> dm-0 -> sdaN
-dev_name=$(basename "$link")
-
-# Turtles all the way down, but not indefinitely
-for i in $(seq 10); do
-   vdir="/sys/devices/virtual/block/$dev_name"
-   if [ ! -d "$vdir/slaves" ]; then
-   break
-   fi
-
-   set -- $(ls "$vdir/slaves")
-   if [ $# -ne 1 ]; then
-   fde_trace "Ambiguous slave count for $dev_name"
-   return 1
-   fi
-
-   dev_name="$1"
-done
-
-if [ -z "$dev_name" ]; then
-   fde_trace "Failed to chase DM chain for $orig_dev"
-   return 1
-fi
-
-echo "/dev/$dev_name"
+echo "${dev_path}"
 return 0
 }
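Review bot: After the `lsblk ... | grep -m 1 crypto_LUKS` pipeline the function echoes `${dev_path}` and returns 0 even when nothing matched, whereas the removed loop logged through `fde_trace` and returned 1 on failure. Add a `[ -z "$dev_path" ]` check that traces and returns 1 so callers do not have to infer failure from empty output, and quote `"${dev}"` in the lsblk call. `grep crypto_LUKS` also matches anywhere on the line, including the NAME column; testing only the FSTYPE field is stricter.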
 


commit fde-tools for openSUSE:Factory

2023-08-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-08-18 19:28:55

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New)


Package is "fde-tools"

Fri Aug 18 19:28:55 2023 rev:7 rq:1104645 version:0.6.7

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-07-27 
16:53:04.370581885 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes
2023-08-18 19:29:26.551432473 +0200
@@ -1,0 +2,9 @@
+Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.7
+  + Check failure of authorized policy creation
+  + Additional check for recovery password
+- Drop upstreamed patch
+  + fde-tools-handle-authorized-policy-failure.patch
+
+---

Old:

  fde-tools-0.6.6.tar.gz
  fde-tools-handle-authorized-policy-failure.patch

New:

  fde-tools-0.6.7.tar.gz



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.prolCu/_old  2023-08-18 19:29:27.439434065 +0200
+++ /var/tmp/diff_new_pack.prolCu/_new  2023-08-18 19:29:27.443434073 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.6.6
+Version:0.6.7
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -26,7 +26,6 @@
 Source: 
https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
-Patch1: fde-tools-handle-authorized-policy-failure.patch
 BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel

++ fde-tools-0.6.6.tar.gz -> fde-tools-0.6.7.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/add-secondary-key 
new/fde-tools-0.6.7/share/commands/add-secondary-key
--- old/fde-tools-0.6.6/share/commands/add-secondary-key2023-07-20 
10:35:24.0 +0200
+++ new/fde-tools-0.6.7/share/commands/add-secondary-key2023-08-04 
08:45:44.0 +0200
@@ -48,7 +48,9 @@
bootloader_commit_config
 fi
 
-enroll_tpm_secondary_key "$luks_dev"
+if ! enroll_tpm_secondary_key "${luks_dev}"; then
+   return 1
+fi
 
 return 0
 }
@@ -68,6 +70,10 @@
 # loading the pubkey.
 tpm_set_authorized_policy_paths "$policy_name"
 tpm_create_authorized_policy $FDE_AP_SECRET_KEY $FDE_AP_AUTHPOLICY 
$FDE_AP_PUBLIC_KEY
+if [ $? -ne 0 ]; then
+   display_errorbox "Failed to create authorized policy"
+   return 1
+fi
 
 if [ "$FDE_AUTHORIZED_POLICY" != "$policy_name" ]; then
fde_set_variable FDE_AUTHORIZED_POLICY "$policy_name"
@@ -87,6 +93,20 @@
return 1
 fi
 
+if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then
+   rm -f "$luks_keyfile"
+   display_errorbox "Failed to verify password on LUKS partition"
+   return 1
+fi
+
+for extra_dev in ${FDE_EXTRA_DEVS}; do
+   if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then
+   rm -f "$luks_keyfile"
+   display_errorbox "Failed to verify password on LUKS 
partition($extra_dev)"
+   return 1
+fi
+done
+
 if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" 
"${luks_new_keyfile}"; then
display_errorbox "Failed to add secondary LUKS key"
rm -f "$luks_keyfile"
@@ -96,6 +116,7 @@
 # Add the new random key to the devices in FDE_EXTRA_DEVS
 for extra_dev in ${FDE_EXTRA_DEVS}; do
 if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; 
then
+   display_errorbox "Failed to add secondary LUKS key (${extra_dev})"
 rm -f "$luks_keyfile"
 return 1
 fi
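Review bot: When `luks_add_key` fails for an entry of FDE_EXTRA_DEVS, the lines shown remove only `$luks_keyfile` before `return 1`; `$luks_new_keyfile`, which holds the newly generated key, is not removed on this path, and the key already added to `${luks_dev}` and to any earlier extra device stays enrolled. Remove the new key file here as well (one cleanup function or a `trap` would cover every early return in this function) and consider rolling back the key slots that were already added so the devices do not end up with differing key sets.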
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/regenerate-key 
new/fde-tools-0.6.7/share/commands/regenerate-key
--- old/fde-tools-0.6.6/share/commands/regenerate-key   2023-07-20 
10:35:24.0 +0200
+++ new/fde-tools-0.6.7/share/commands/regenerate-key   2023-08-04 
08:45:44.0 +0200
@@ -35,7 +35,9 @@
 EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots 
${extra_dev})
 done
 
-enroll_tpm_secondary_key "${luks_dev}"
+if ! enroll_tpm_secondary_key "${luks_dev}"; then
+   return 1
+fi
 
 # Finish TPM key sealing
 tpm_enable ${luks_dev}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 

commit fde-tools for openSUSE:Factory

2023-07-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-07-27 16:52:48

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.32662 (New)


Package is "fde-tools"

Thu Jul 27 16:52:48 2023 rev:6 rq:1100993 version:0.6.6

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-07-25 
11:51:16.309511702 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.32662/fde-tools.changes   
2023-07-27 16:53:04.370581885 +0200
@@ -1,0 +2,6 @@
+Thu Jul 27 06:23:22 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-handle-authorized-policy-failure.patch handle the
+  failure of authorized policy creation
+
+---

New:

  fde-tools-handle-authorized-policy-failure.patch



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.eEXNGW/_old  2023-07-27 16:53:05.010585501 +0200
+++ /var/tmp/diff_new_pack.eEXNGW/_new  2023-07-27 16:53:05.014585523 +0200
@@ -26,15 +26,15 @@
 Source: 
https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
+Patch1: fde-tools-handle-authorized-policy-failure.patch
 BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  pkgconfig(libcryptsetup)
 BuildRequires:  pkgconfig(libfido2)
 Requires:   cryptsetup
-Requires:   pcr-oracle >= 0.4.5
-# Requires:tpm2.0-tools
 Requires:   mokutil
+Requires:   pcr-oracle >= 0.4.5
 ExclusiveArch:  aarch64 s390x ppc64le x86_64 riscv64
 
 %package -n fde-firstboot

++ fde-tools-handle-authorized-policy-failure.patch ++
From cb36d5affed81af38d673486980d484e71f9d09f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin 
Date: Thu, 27 Jul 2023 14:21:55 +0800
Subject: [PATCH] Check failure of authorized policy creation (#14)

The return value of tpm_create_authorized_policy was not checked, and
this may ignore the failure from the underlying functions. Besides,
the return values of some pcr-oracle commands were not correctly handled.
Fix those cases to make fdectl exit right after the failure of the
pcr-oracle commands.

Signed-off-by: Gary Lin 
---
 share/commands/add-secondary-key | 4 
 share/tpm| 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/share/commands/add-secondary-key b/share/commands/add-secondary-key
index a9710c7..9673546 100644
--- a/share/commands/add-secondary-key
+++ b/share/commands/add-secondary-key
@@ -68,6 +68,10 @@ function init_authorized_policy {
 # loading the pubkey.
 tpm_set_authorized_policy_paths "$policy_name"
 tpm_create_authorized_policy $FDE_AP_SECRET_KEY $FDE_AP_AUTHPOLICY 
$FDE_AP_PUBLIC_KEY
+if [ $? -ne 0 ]; then
+   display_errorbox "Failed to create authorized policy"
+   return 1
+fi
 
 if [ "$FDE_AUTHORIZED_POLICY" != "$policy_name" ]; then
fde_set_variable FDE_AUTHORIZED_POLICY "$policy_name"
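Review bot: The new `[ $? -ne 0 ]` test is only correct while nothing is inserted between it and the `tpm_create_authorized_policy` call; writing the check as `if ! tpm_create_authorized_policy ...; then` removes that fragility. The three `$FDE_AP_*` arguments on the call are unquoted; they appear to be paths set by `tpm_set_authorized_policy_paths` and should be quoted.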
diff --git a/share/tpm b/share/tpm
index 90a3da3..0cc507a 100644
--- a/share/tpm
+++ b/share/tpm
@@ -165,7 +165,7 @@ function tpm_create_authorized_policy {
--algorithm $FDE_SEAL_PCR_BANK \
 create-authorized-policy $FDE_SEAL_PCR_LIST
 if [ $? -ne 0 ]; then
-   return $?
+   return 1
 fi
 
 # Store the public key in a format suitable for feeding it to the TPM
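Review bot: `return 1` fixes the old `return $?`, which at that point returned the status of the `[ $? -ne 0 ]` test itself and therefore 0, but it also discards the real exit code of the command. Either save the status immediately after the command (`rc=$?`, then `return $rc`) or test the command directly with `if ! ...; then return 1; fi`, which avoids the `$?` pitfall altogether. The same applies to the `store-public-key` hunk that follows.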
@@ -175,7 +175,7 @@ function tpm_create_authorized_policy {
--public-key "$public_key" \
store-public-key
if [ $? -ne 0 ]; then
-   return $?
+   return 1
fi
 fi
 }
-- 
2.35.3


commit fde-tools for openSUSE:Factory

2023-07-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-07-25 11:50:04

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.1467 (New)


Package is "fde-tools"

Tue Jul 25 11:50:04 2023 rev:5 rq:1099742 version:0.6.6

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-07-13 
17:18:51.745228423 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.1467/fde-tools.changes
2023-07-25 11:51:16.309511702 +0200
@@ -1,0 +2,16 @@
+Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.6
+  + Avoid cleaning the temp directory when calling tpm_test
+  + firstboot/fde: use functions as the aliases for bootloader
+functions
+  + firstboot/fde: always regenerate initrd
+  + firstboot/fde: use authorized policy by default
+  + Support devices other than the root partition
+- Drop upstreamed patches
+  + fde-tools-avoid-cleaning-temp-dir.patch
+  + fde-tools-fix-bootloader-func.patch
+  + fde-tools-force-dracut.patch
+  + fde-tools-enable-authpol-in-firstboot.patch
+
+---

Old:

  fde-tools-0.6.5.tar.gz
  fde-tools-avoid-cleaning-temp-dir.patch
  fde-tools-enable-authpol-in-firstboot.patch
  fde-tools-fix-bootloader-func.patch
  fde-tools-force-dracut.patch

New:

  fde-tools-0.6.6.tar.gz



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.HGhY5q/_old  2023-07-25 11:51:19.401529807 +0200
+++ /var/tmp/diff_new_pack.HGhY5q/_new  2023-07-25 11:51:19.409529853 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.6.5
+Version:0.6.6
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -26,10 +26,6 @@
 Source: 
https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
-Patch1: fde-tools-avoid-cleaning-temp-dir.patch
-Patch2: fde-tools-fix-bootloader-func.patch
-Patch3: fde-tools-force-dracut.patch
-Patch4: fde-tools-enable-authpol-in-firstboot.patch
 BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel

++ fde-tools-0.6.5.tar.gz -> fde-tools-0.6.6.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fde-tools-0.6.5/README.md 
new/fde-tools-0.6.6/README.md
--- old/fde-tools-0.6.5/README.md   2023-07-04 04:54:56.0 +0200
+++ new/fde-tools-0.6.6/README.md   2023-07-20 10:35:24.0 +0200
@@ -49,7 +49,7 @@
 to unlock the system partition on next boot.
 
 If you do not want to be prompted for the recovery password, you can
-also use either the ``--keyfile`` or the ``--password`` option to
+also use either the ``--passfile`` or the ``--password`` option to
 specify a LUKS keyfile, or the recovery passphrase, respectively.
 
 Normally, the first boot into a freshly installed system will dispose
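Review bot: Only the option name changes on the `--passfile` line; the unchanged line after it still says "specify a LUKS keyfile", which no longer matches an option whose usage text in fde.sh describes it as the path to a LUKS recovery password file. Reword the sentence so it states that `--passfile` names a file containing the recovery password and `--password` gives the passphrase directly.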
@@ -138,6 +138,35 @@
 _authorize_ the current system configuration. This will predict a
 set of PCR values, and use the RSA key to sign the resulting PCR policy. 
 
+
+# Key management for the already installed systems
+
+For the systems with an already encrypted root partition, it is easy
+to (re)generate and seal the LUKS key with ``regenerate-key``:
+
+# fdectl regenerate-key
+
+This command generates a new random secret key, seals the key with TPM,
+and updates the bootloader configuration.
+
+To disable the TPM unsealing temporarily, ``tpm-disable`` will remove
+the path to the sealed key from the boot loader configuration.
+
+# fdectl tpm-disable
+
+To restore the TPM unsealing functionality, ``tpm-enable`` will update
+the sealed key if necessary and then configure the boot loader to
+unlock the LUKS partition with the sealed key.
+
+# fdectl tpm-enable
+
+In case there is a need to remove the sealed LUKS key from the root
+partition, ``tpm-wipe`` could help to wipe out the keyslot for the sealed
+LUKS key and remove the key file:
+
+# fdectl tpm-wipe
+
+
 # Updates of boot components
 
 When updating components such as grub2 or the shim loader, or when
@@ -180,3 +209,30 @@
 predict PCR values based on the client's event log plus the actual
 hashes of the boot files used, compute the PCR policy and sign it
 using its key.
+
+
+# Revocation of the authorized policies
+
+When a serious vulnerability is found in the boot component such
+as grub2 or the shim loader, it is suggested to remove the
+authorized policies associated with the 

commit fde-tools for openSUSE:Factory

2023-07-13 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-07-13 17:18:51

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.8922 (New)


Package is "fde-tools"

Thu Jul 13 17:18:51 2023 rev:4 rq:1098478 version:0.6.5

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-07-07 
15:52:45.082137152 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.8922/fde-tools.changes
2023-07-13 17:18:51.745228423 +0200
@@ -1,0 +2,6 @@
+Thu Jul 13 06:57:46 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-enable-authpol-in-firstboot.patch to enable
+  authorized policy in the firstboot script
+
+---

New:

  fde-tools-enable-authpol-in-firstboot.patch



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.DDCjn5/_old  2023-07-13 17:18:52.241231350 +0200
+++ /var/tmp/diff_new_pack.DDCjn5/_new  2023-07-13 17:18:52.245231374 +0200
@@ -29,6 +29,7 @@
 Patch1: fde-tools-avoid-cleaning-temp-dir.patch
 Patch2: fde-tools-fix-bootloader-func.patch
 Patch3: fde-tools-force-dracut.patch
+Patch4: fde-tools-enable-authpol-in-firstboot.patch
 BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel

++ fde-tools-enable-authpol-in-firstboot.patch ++
From 23e675bb74905bd21a60ac6d9e97ac3c2e8d57d7 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Thu, 13 Jul 2023 14:48:41 +0800
Subject: [PATCH 1/2] fdectl: add '--passfile' option to read the password file

In some cases, we may need to read the recovery password from a file.
This commit adds the new option to read the password from a file.

Signed-off-by: Gary Lin 
---
 fde.sh | 7 ++-
 share/util | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/fde.sh b/fde.sh
index 0198d4a..ffc9801 100755
--- a/fde.sh
+++ b/fde.sh
@@ -29,6 +29,7 @@ opt_uefi_bootdir=""
 opt_ui=shell
 opt_keyfile=""
 opt_password=""
+opt_passfile=""
 
 ##
 # Display a usage message.
@@ -61,6 +62,8 @@ Global options:
   --password
Specify the LUKS recovery password. Should be used by the
installer only.
+  --passfile
+   Specify the path to a LUKS recovery password file.
 
 Commands:
   help display this message
@@ -121,7 +124,7 @@ function fde_maybe_chroot {
 
 fde_maybe_chroot "$@"
 
-long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:"
+long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:,passfile:"
 
 if ! getopt -Q -n fdectl -l "$long_options" -o h -- "$@"; then
 fde_usage
@@ -156,6 +159,8 @@ while [ $# -gt 0 ]; do
opt_keyfile=$1; shift;;
 --password)
opt_password=$1; shift;;
+--passfile)
+   opt_passfile=$1; shift;;
 --uefi-boot-dir)
opt_uefi_bootdir=$1; shift;;
 *)
diff --git a/share/util b/share/util
index 0a305ce..a9482aa 100644
--- a/share/util
+++ b/share/util
@@ -32,6 +32,9 @@ function fde_request_recovery_password {
 if [ -n "$opt_password" ]; then
result_password="$opt_password"
return 0
+elif [ -n "$opt_passfile" -a -f "$opt_passfile" ]; then
+   result_password="$(<$opt_passfile)"
+   return 0
 fi
 
 # Ask for the recovery password just once
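Review bot: In the new `elif` branch a `--passfile` that does not exist or is not a regular file is silently ignored and the function falls through to the interactive prompt; an option the caller passed explicitly should fail with an error instead. The path inside `$(<$opt_passfile)` should be quoted (`"$(<"$opt_passfile")"`), `[ ... -a ... ]` is better written as two tests joined with `&&`, and because the file holds the LUKS recovery password it is worth warning on, or refusing, a file that is readable by other users.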
-- 
2.35.3


From ce1b3907bbf76bc9719c7d81a951548f5c9122ea Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Thu, 13 Jul 2023 14:50:08 +0800
Subject: [PATCH 2/2] firstboot: use 'fdectl regenerate-key' to enroll the key

Directly invoke 'fdectl regenerate-key' to create the new random key and
seal it with the TPM PCR policy.

Also enable fde-tpm-enroll.service if the key is sealed successfully.

Signed-off-by: Gary Lin 
---
 firstboot/fde | 28 +++-
 1 file changed, 3 insertions(+), 25 deletions(-)

diff --git a/firstboot/fde b/firstboot/fde
index f1a95ab..4143961 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -43,10 +43,6 @@ KIWI_ROOT_KEYFILE=/root/.root.keyfile
 # Set the bootloader specific functions here as aliases
 ##
 
-function bootloader_enable_fde_pcr_policy {
-grub_enable_fde_pcr_policy "$@"
-}
-
 function bootloader_enable_fde_without_tpm {
 grub_enable_fde_without_tpm "$@"
 }
@@ -59,18 +55,6 @@ function bootloader_get_fde_password {
 # FDE Firstboot functions
 ##
 
-function fde_protect_tpm {
-
-local luks_dev=$1
-local luks_keyfile=$2
-

commit fde-tools for openSUSE:Factory

2023-07-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-07-07 15:49:52

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.23466 (New)


Package is "fde-tools"

Fri Jul  7 15:49:52 2023 rev:3 rq:1097489 version:0.6.5

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-07-04 
15:22:10.722133068 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.23466/fde-tools.changes   
2023-07-07 15:52:45.082137152 +0200
@@ -1,0 +2,9 @@
+Fri Jul  7 08:40:25 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-fix-bootloader-func.patch
+  + Define the bootloader specific functions in the firstboot
+script since the aliases are not expanded
+- Add fde-tools-force-dracut.patch
+  + Always regenerate initrd
+
+---

New:

  fde-tools-fix-bootloader-func.patch
  fde-tools-force-dracut.patch



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.6VRfdv/_old  2023-07-07 15:52:45.550139940 +0200
+++ /var/tmp/diff_new_pack.6VRfdv/_new  2023-07-07 15:52:45.554139964 +0200
@@ -27,6 +27,8 @@
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
 Patch1: fde-tools-avoid-cleaning-temp-dir.patch
+Patch2: fde-tools-fix-bootloader-func.patch
+Patch3: fde-tools-force-dracut.patch
 BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel

++ fde-tools-fix-bootloader-func.patch ++
>From 97336e85f6f271891f8b1ddb5ae04935c0d80fae Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Fri, 7 Jul 2023 16:36:00 +0800
Subject: [PATCH] firstboot/fde: forcefully invoke dracut

To make sure the initrd is always recreated, specify '--force' to
dracut.

Signed-off-by: Gary Lin 
---
 firstboot/fde | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/firstboot/fde b/firstboot/fde
index 157a9bd..f1a95ab 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -206,7 +206,7 @@ function fde_setup_unencrypted {
 rm -f /etc/crypttab
 
 display_infobox "Re-creating initial ramdisk"
-if ! dracut >&2; then
+if ! dracut --force >&2; then
display_errorbox "Failed to rebuild initrd"
return 1
 fi
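Review bot: the 'dracut --force' change in fde_setup_unencrypted is carried in the file listed as fde-tools-fix-bootloader-func.patch, while the bootloader wrapper functions are carried in fde-tools-force-dracut.patch, so the two patch file names look swapped relative to their contents. Swap the file names (or the contents) so that Patch2 and Patch3 in the spec and the entries in fde-tools.changes describe what each file actually does.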
-- 
2.35.3


++ fde-tools-force-dracut.patch ++
>From 346e41ac7d9e5b1b37dd3e315078b99c58f59799 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Fri, 7 Jul 2023 16:31:31 +0800
Subject: [PATCH] firstboot/fde: use functions as the aliases for bootloader
 functions

Aliases are not expanded in non-interactive mode by default, so those
function aliases defined in the 'grub2' script won't work for firstboot.
Manually define the bootloader specific functions in firstboot/fde to
avoid the potential 'command not found' error.

Signed-off-by: Gary Lin 
---
 firstboot/fde | 21 +
 1 file changed, 21 insertions(+)

diff --git a/firstboot/fde b/firstboot/fde
index 530baed..157a9bd 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -38,6 +38,27 @@ fi
 ##
 KIWI_ROOT_KEYFILE=/root/.root.keyfile
 
+##
+# Aliases are not expanded in non-interactive mode.
+# Set the bootloader specific functions here as aliases
+##
+
+function bootloader_enable_fde_pcr_policy {
+grub_enable_fde_pcr_policy "$@"
+}
+
+function bootloader_enable_fde_without_tpm {
+grub_enable_fde_without_tpm "$@"
+}
+
+function bootloader_get_fde_password {
+grub_get_fde_password "$@"
+}
+
+##
+# FDE Firstboot functions
+##
+
 function fde_protect_tpm {
 
 local luks_dev=$1
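Review bot: the three added wrappers hard-code the grub_* implementations in firstboot/fde, duplicating the mapping that the commit message says the 'grub2' script already provides as aliases, so the two copies can drift apart. Consider turning the aliases in the 'grub2' script into functions, which also work in non-interactive shells, so that firstboot does not need its own copy. The added comment also says the functions are set 'as aliases' right after stating that aliases are not expanded; 'in place of the aliases' would read more clearly.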
-- 
2.35.3


commit fde-tools for openSUSE:Factory

2023-07-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory 
checked in at 2023-07-04 15:21:55

Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and  /work/SRC/openSUSE:Factory/.fde-tools.new.23466 (New)


Package is "fde-tools"

Tue Jul  4 15:21:55 2023 rev:2 rq:1096676 version:0.6.5

Changes:

--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes  2023-06-05 
18:06:19.483033390 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.23466/fde-tools.changes   
2023-07-04 15:22:10.722133068 +0200
@@ -1,0 +2,58 @@
+Tue Jul  4 07:02:19 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-avoid-cleaning-temp-dir.patch to avoid cleaning
+  the temp directory when calling tpm_test
+
+---
+Tue Jul  4 02:59:34 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.5
+  + LUKS2 keyslot management with the grub-tpm2 token
+  + Replace mkinitrd with dracut
+
+---
+Wed Jun 14 02:39:26 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update to version 0.6.4
+  + Add man page and bash completion support
+  + Switch to TPM 2.0 Key File for grub2
+  + Update the installation paths
+  + Enable authorized policy by default
+  + Implement 'tpm-disable' command (bsc#1208834)
+- Add a subpackage: fde-tools-bash-completion
+- Use 'tpm-activate' in the systemd service file
+- Add help2man to BuildRequires
+- Drop the upstreamed patches
+  + fde-tools-tpm2.0-key-file-support.patch
+  + fde-tools-fix-paths.patch
+  + fde-tools-set-stop-event-for-tpm_authorize.patch
+  + fde-tools-enable-authorized-policy-by-default.patch
+  + fde-tools-reduce-iterations.patch
+  + fde-tools-set-grub.cfg-as-stop-event.patch
+
+---
+Thu Jun  8 08:31:15 UTC 2023 - Gary Ching-Pang Lin 
+
+- Fix the path in fde-tools.service
+
+---
+Wed Jun  7 00:57:26 UTC 2023 - Gary Ching-Pang Lin 
+
+- Add fde-tools-tpm2.0-key-file-support.patch to support TPM 2.0
+  Key File for grub2
+- Bump the required pcr-oracle version to 0.4.5 for the TPM 2.0 Key
+  File support
+- Add fde-tools-reduce-iterations.patch to reduce the iterations
+  for the key created by luks_add_random_key
+- Add fde-tools-set-grub.cfg-as-stop-event.patch to set grub.cfg as
+  the stop event for the PCR prediction
+- Add fde-tools-enable-authorized-policy-by-default.patch to switch
+  FDE_USE_AUTHORIZED_POLICIES to yes
+
+---
+Tue Jun  6 07:32:24 UTC 2023 - Marcus Meissner 
+
+- remove dracut and jeos-firstboot from buildrequires, just specify
+  the directory.
+
+---

Old:

  fde-tools-0.6.3.tar.gz
  fde-tools-fix-paths.patch
  fde-tools-set-stop-event-for-tpm_authorize.patch

New:

  fde-tools-0.6.5.tar.gz
  fde-tools-avoid-cleaning-temp-dir.patch



Other differences:
--
++ fde-tools.spec ++
--- /var/tmp/diff_new_pack.iLmR1f/_old  2023-07-04 15:22:11.338136770 +0200
+++ /var/tmp/diff_new_pack.iLmR1f/_new  2023-07-04 15:22:11.342136794 +0200
@@ -17,7 +17,7 @@
 
 
 Name:   fde-tools
-Version:0.6.3
+Version:0.6.5
 Release:0
 Summary:Tools required for Full Disk Encryption
 License:GPL-2.0-only
@@ -26,15 +26,14 @@
 Source: 
https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Source1:fde-tools.service
 Patch:  fde-tools-firstboot-alp-snapshot.patch
-Patch1: fde-tools-set-stop-event-for-tpm_authorize.patch
-Patch2: fde-tools-fix-paths.patch
-BuildRequires:  dracut
-BuildRequires:  jeos-firstboot
-BuildRequires:  libfido2-devel
+Patch1: fde-tools-avoid-cleaning-temp-dir.patch
+BuildRequires:  help2man
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel
+BuildRequires:  pkgconfig(libcryptsetup)
+BuildRequires:  pkgconfig(libfido2)
 Requires:   cryptsetup
-Requires:   pcr-oracle >= 0.4.2
+Requires:   pcr-oracle >= 0.4.5
 # Requires:tpm2.0-tools
 Requires:   mokutil
 ExclusiveArch:  aarch64 s390x ppc64le x86_64 riscv64
@@ -53,6 +52,17 @@
 This package contains the scripts necessary to plug Full Disk Encryption
 into the JeOS Firstboot framework used for image based delivery of ALP.
 
+%package bash-completion
+Summary:Bash completion for fde-tools
+Group:  Productivity/File utilities
+Requires:   bash-completion
+Requires:   fde-tools
+Supplements:(fde-tools and bash-completion)
+BuildArch:  noarch
+