commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-06-11 18:27:06 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.19518 (New) Package is "fde-tools" Tue Jun 11 18:27:06 2024 rev:23 rq:1179922 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-05-31 22:15:33.613274346 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.19518/fde-tools.changes 2024-06-11 18:27:14.156363717 +0200 @@ -1,0 +2,6 @@ +Fri Jun 7 07:52:30 UTC 2024 - Gary Ching-Pang Lin + +- Update fde-tools-bsc1220160-conditional-requires.patch to + check fde-tpm-helper in %post and %posttrans + +--- Other differences: -- ++ fde-tools-bsc1220160-conditional-requires.patch ++ --- /var/tmp/diff_new_pack.zjuxMk/_old 2024-06-11 18:27:15.100398168 +0200 +++ /var/tmp/diff_new_pack.zjuxMk/_new 2024-06-11 18:27:15.104398314 +0200 @@ -1,7 +1,7 @@ -From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001 +From 5f5dc57da2ee1abc3bf63e5389294d97a6027ae8 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 5 Mar 2024 14:51:57 +0800 -Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper +Subject: [PATCH 1/2] macros.fde-tpm-helper: conditionally requires the helper fde-tpm-helper is only used when fde-tools is installed. Update the rpm macro to make fde-tpm-helper an conditional "Requires". 
@@ -24,4 +24,54 @@ -- 2.35.3 + +From 222c145943cde082959de52f5a76dbdf0f254c92 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 7 Jun 2024 10:58:45 +0800 +Subject: [PATCH 2/2] macros.fde-tpm-helper: check if fde-tpm-helper exists + +Those rpm macros are only valid for the system with fde-tpm-helper so +those commands should be skipped if fde-tpm-helper is not there. + +Signed-off-by: Gary Lin +--- + rpm-build/macros.fde-tpm-helper | 20 + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper +index 3c89e2b..4ce09e9 100644 +--- a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper +@@ -1,16 +1,20 @@ + %fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools) + + %fde_tpm_update_post() \ +-mkdir -p %{_rundir}/fde-tpm-helper/ \ +-touch %{_rundir}/fde-tpm-helper/update \ +-for bl in %{?*}; do \ +- echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ +-done \ ++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ ++ mkdir -p %{_rundir}/fde-tpm-helper/ \ ++ touch %{_rundir}/fde-tpm-helper/update \ ++ for bl in %{?*}; do \ ++echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ ++ done \ ++fi \ + %nil + + %fde_tpm_update_posttrans() \ +-if test -f %{_rundir}/fde-tpm-helper/update; then \ +- %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ +- rm -f %{_rundir}/fde-tpm-helper/update \ ++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ ++ if test -f %{_rundir}/fde-tpm-helper/update; then \ ++%{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ ++rm -f %{_rundir}/fde-tpm-helper/update \ ++ fi \ + fi \ + %nil +-- +2.35.3 +
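Review bot: the new "test -x %{_libexecdir}/fde/fde-tpm-helper" guard in %fde_tpm_update_post runs at %post time, but the only ordering guarantee in this file is "Requires(posttrans): (fde-tpm-helper if fde-tools)", so in a transaction that installs the bootloader package together with fde-tools and fde-tpm-helper the helper can still be absent when %post runs; the marker under %{_rundir} is then never written, and the %posttrans branch, which does find the helper by then, has nothing to process. Since mkdir -p and touch under %{_rundir} are harmless, consider leaving the %post side unguarded (or adding a matching Requires(post)) and keeping the executable check only in %posttrans. Separately, "cat ... | uniq" only collapses adjacent duplicates; "sort -u" would dedupe bootloader names appended by several packages in any order.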
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-05-31 22:15:22 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.24587 (New) Package is "fde-tools" Fri May 31 22:15:22 2024 rev:22 rq:1177686 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-05-07 18:02:26.768417733 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.24587/fde-tools.changes 2024-05-31 22:15:33.613274346 +0200 @@ -1,0 +2,6 @@ +Thu May 30 06:53:32 UTC 2024 - Gary Ching-Pang Lin + +- Fix fde-tools-change-rpm-macro-dir.patch which didn't set + RPM_MACRO_DIR correctly + +--- Other differences: -- ++ fde-tools-change-rpm-macro-dir.patch ++ --- /var/tmp/diff_new_pack.6ItFxw/_old 2024-05-31 22:15:34.289298971 +0200 +++ /var/tmp/diff_new_pack.6ItFxw/_new 2024-05-31 22:15:34.293299117 +0200 @@ -22,7 +22,7 @@ FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot FDE_HELPER_DIR= $(LIBEXECDIR)/fde -RPM_MACRO_DIR = /etc/rpm -++RPM_MACRO_DIR?= /etc/rpm ++RPM_MACRO_DIR ?= /etc/rpm FIDO_LINK = -lfido2 -lcrypto CRPYT_LINK= -lcryptsetup -ljson-c TOOLS = fde-token fdectl-grub-tpm2
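Review bot: the "?=" form only yields to a value already present in the environment; a RPM_MACRO_DIR=... passed on the make command line, which is what the spec's build and install make invocations do, overrides a plain "=" assignment just as well, so this fix matters for builds that export the variable instead of passing it as an argument. The changelog entry would be clearer if it said which of the two paths was broken.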
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-05-07 18:02:22 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1880 (New) Package is "fde-tools" Tue May 7 18:02:22 2024 rev:21 rq:1172318 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-04-21 20:24:59.320874521 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1880/fde-tools.changes 2024-05-07 18:02:26.768417733 +0200 @@ -1,0 +2,6 @@ +Tue May 7 05:53:20 UTC 2024 - Gary Ching-Pang Lin + +- Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch + to make "pass" mandatory during firstboot (bsc#1223771) + +--- New: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch BETA DEBUG BEGIN: New: - Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch to make "pass" mandatory during firstboot (bsc#1223771) BETA DEBUG END: Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.NylBwR/_old 2024-05-07 18:02:27.392440423 +0200 +++ /var/tmp/diff_new_pack.NylBwR/_new 2024-05-07 18:02:27.396440569 +0200 @@ -37,6 +37,7 @@ Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch Patch6: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch Patch7: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch +Patch8: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++ fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch ++ >From e0222c3dcf0bb1a44328b893bed9224d05b7506a Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Mon, 6 May 2024 16:28:41 +0800 Subject: [PATCH] firstboot: make "Pass phrase" mandatory Without choosing the "Pass phrase" option, the default VM password will remain after firstboot. To ensure the default password is gone for good, make "Pass phrase" mandatory. Signed-off-by: Gary Lin --- firstboot/fde | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/firstboot/fde b/firstboot/fde index 4911b32..161e832 100755 --- a/firstboot/fde +++ b/firstboot/fde @@ -203,15 +203,22 @@ function fde_setup_unencrypted { function __fde_valid_protections { +pass_warn=true for tag in $*; do case $tag in -pass|tpm) : ;; +pass) pass_warn=false ;; +tpm) : ;; *) display_errorbox "FDE key protection scheme $tag not yet implemented" return 1;; esac done +if $pass_warn; then +display_errorbox "Pass phrase is mandatory" +return 1 +fi + return 0 } @@ -253,10 +260,6 @@ function fde_choose_protection { FDE_PROTECTION="$result" fde_trace "user selected protections: <$FDE_PROTECTION>" - if [ -z "$FDE_PROTECTION" ]; then - return 1 - fi - if __fde_valid_protections $FDE_PROTECTION; then break fi -- 2.35.3
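Review bot: pass_warn in __fde_valid_protections is assigned without "local", so it leaks into the caller's scope as a global; the file already uses bash "function" syntax, so "local pass_warn=true" keeps it scoped. The loop over $* with the case statement is otherwise fine: an unrecognised tag still hits the "*)" branch before the mandatory check runs.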
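Review bot: dropping the 'if [ -z "$FDE_PROTECTION" ]; then return 1; fi' block changes what happens when the user presses OK with nothing ticked: __fde_valid_protections is now called with no arguments, prints "Pass phrase is mandatory" and the "while true" loop redisplays the checklist, whereas before fde_choose_protection returned 1. That fits the intent (the default VM password must not survive firstboot), but the dialog text still says "press Cancel to install without encryption", so confirm that the Cancel exit status of the checklist is handled separately and is now the only way out, and mention the empty-selection behaviour change in the commit message.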
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-04-21 20:24:26 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New) Package is "fde-tools" Sun Apr 21 20:24:26 2024 rev:20 rq:1169081 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-04-18 22:08:00.587346546 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes 2024-04-21 20:24:59.320874521 +0200 @@ -1,0 +2,8 @@ +Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin + +- Add patches to adopt the "--target-platform" option when using + the newer pcr-oracle (bsc#1218390) + + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + +--- New: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BETA DEBUG BEGIN: New: the newer pcr-oracle (bsc#1218390) + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch New: + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BETA DEBUG END: Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.wietX3/_old 2024-04-21 20:25:01.440952312 +0200 +++ /var/tmp/diff_new_pack.wietX3/_new 2024-04-21 20:25:01.448952606 +0200 
@@ -35,6 +35,8 @@ Patch3: fde-tools-bsc1220160-conditional-requires.patch Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch +Patch6: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch +Patch7: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch ++ >From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 1 Dec 2023 17:11:22 +0800 Subject: [PATCH] Switch to "--target-platform" when available Check if pcr-oracle supports "--target-platform" and replace "--key-format" with "--target-platform" if the option is available. Signed-off-by: Gary Lin --- share/grub2| 5 + share/systemd-boot | 10 ++ share/tpm | 37 +++-- 3 files changed, 42 insertions(+), 10 deletions(-) Index: fde-tools-0.7.2/share/grub2 === --- fde-tools-0.7.2.orig/share/grub2 +++ fde-tools-0.7.2/share/grub2 @@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k alias bootloader_remove_keyslots=grub_remove_keyslots alias bootloader_wipe=grub_wipe alias bootloader_rsa_sizes=grub_rsa_sizes +alias bootloader_platform_parameters=grub_platform_parameters ## # Edit a variable in /etc/default/grub @@ -244,3 +245,7 @@ function grub_rsa_sizes { # TPM 2.0 should at least support RSA2048. echo "2048" } + +function grub_platform_parameters { +echo "--target-platform tpm2.0" +} Index: fde-tools-0.7.2/share/systemd-boot === --- fde-tools-0.7.2.orig/share/systemd-boot +++ fde-tools-0.7.2/share/systemd-boot @@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge alias bootloader_remove_keyslots=systemd_remove_keyslots alias bootloader_wipe=systemd_wipe alias bootloader_rsa_sizes=systemd_rsa_sizes +alias bootloader_platform_parameters=systemd_platform_parameters function not_implemented { 
@@ -183,3 +184,12 @@ function systemd_wipe { function systemd_rsa_sizes { echo "2048" } + +## +# This function shows the boot loader specific parameters for +# pcr-oracle. +## +function systemd_platform_parameters { + +echo "--target-platform systemd" +} Index: fde-tools-0.7.2/share/tpm === --- fde-tools-0.7.2.orig/share/tpm +++ fde-tools-0.7.2/share/tpm @@ -82,22 +82,40 @@ function tpm_get_rsa_key_size { echo "$__fde_rsa_key_size" } +function tpm_platform_parameters { +declare -g __fde_platform_param
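Review bot: grub_platform_parameters in share/grub2 lacks the "##" doc comment that its systemd-boot counterpart gets, and the stray blank line at the top of systemd_platform_parameters can go. Since both are targets of the bootloader_platform_parameters alias, a one-line comment in each saying that the output is consumed verbatim as pcr-oracle arguments (and must therefore stay a single well-formed option string) would help the next person adding a bootloader.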
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-04-18 22:07:59 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.26366 (New) Package is "fde-tools" Thu Apr 18 22:07:59 2024 rev:19 rq:1168698 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-03-15 20:27:36.799975851 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.26366/fde-tools.changes 2024-04-18 22:08:00.587346546 +0200 @@ -1,0 +2,8 @@ +Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin + +- Add fde-tools-bsc1222970-firstboot-replace-ALP.patch to replace + "ALP" with "This system" (bsc#1222970) +- Add fde-tools-bsc1223002-firstboot-disable-ccid.patch to disable + the non-functional ccid option (bsc#1223002) + +--- New: fde-tools-bsc1222970-firstboot-replace-ALP.patch fde-tools-bsc1223002-firstboot-disable-ccid.patch BETA DEBUG BEGIN: New: - Add fde-tools-bsc1222970-firstboot-replace-ALP.patch to replace "ALP" with "This system" (bsc#1222970) New: "ALP" with "This system" (bsc#1222970) - Add fde-tools-bsc1223002-firstboot-disable-ccid.patch to disable the non-functional ccid option (bsc#1223002) BETA DEBUG END: Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.Cu2fKg/_old 2024-04-18 22:08:01.467378887 +0200 +++ /var/tmp/diff_new_pack.Cu2fKg/_new 2024-04-18 22:08:01.471379034 +0200 @@ -33,6 +33,8 @@ Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch Patch2: fde-tools-change-rpm-macro-dir.patch Patch3: fde-tools-bsc1220160-conditional-requires.patch +Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch +Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++ fde-tools-bsc1222970-firstboot-replace-ALP.patch ++ >From e3dbd0eed64938a79d82a6916dee3925297ac082 Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Thu, 18 Apr 2024 10:10:15 +0800 Subject: [PATCH] firstboot: replace ALP with a neutral name The script may be used in the system other than ALP. Replace "ALP" with "This system". Signed-off-by: Gary Lin --- firstboot/fde | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firstboot/fde b/firstboot/fde index 0f94829..a4e5c15 100755 --- a/firstboot/fde +++ b/firstboot/fde @@ -228,7 +228,7 @@ function fde_choose_protection { FDE_PROTECTION="" -message="ALP can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption" +message="This system can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption" options+=(pass 'Pass phrase' on) if ! tpm_present_and_working; then -- 2.35.3 ++ fde-tools-bsc1223002-firstboot-disable-ccid.patch ++ >From 10672433c10ce391f126f426f86eb85fc4dffa73 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 18 Apr 2024 10:13:30 +0800 Subject: [PATCH] firstboot: disable the ccid option Since ccid token is still not supported, disable the option until we really implement it. Signed-off-by: Gary Lin --- firstboot/fde | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/firstboot/fde b/firstboot/fde index a4e5c15..4911b32 100755 --- a/firstboot/fde +++ b/firstboot/fde @@ -237,7 +237,8 @@ function fde_choose_protection { options+=(tpm 'Stored inside the TPM chip' on) fi -options+=(ccid 'Stored inside a CCID capable token' off) +# Disable the ccid option until we really implement it +# options+=(ccid 'Stored inside a CCID capable token' off) while true; do d --title "Full Disk Encryption" --checklist \ -- 2.35.3
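Review bot: commenting out the "options+=(ccid ...)" line leaves dead code in fde_choose_protection; since __fde_valid_protections already rejects any tag other than pass and tpm with "not yet implemented", removing the line (or gating it behind a variable that the ccid implementation later flips) is cleaner than a commented-out entry that has to be kept in sync with the validator by hand.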
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-03-15 20:27:32 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1905 (New) Package is "fde-tools" Fri Mar 15 20:27:32 2024 rev:18 rq:1157881 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-03-06 23:03:23.934849170 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1905/fde-tools.changes 2024-03-15 20:27:36.799975851 +0100 @@ -1,0 +2,5 @@ +Wed Mar 13 08:54:37 UTC 2024 - Gary Ching-Pang Lin + +- Add json-c to BuildRequires to build on openSUSE Leap 15.5 + +--- Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.1bgJ99/_old 2024-03-15 20:27:37.391997657 +0100 +++ /var/tmp/diff_new_pack.1bgJ99/_new 2024-03-15 20:27:37.391997657 +0100 @@ -34,6 +34,7 @@ Patch2: fde-tools-change-rpm-macro-dir.patch Patch3: fde-tools-bsc1220160-conditional-requires.patch BuildRequires: help2man +BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) Requires: cryptsetup
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2024-03-06 23:03:14 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1770 (New) Package is "fde-tools" Wed Mar 6 23:03:14 2024 rev:17 rq:1154987 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2024-02-21 17:51:51.165393449 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1770/fde-tools.changes 2024-03-06 23:03:23.934849170 +0100 @@ -1,0 +2,10 @@ +Tue Mar 5 05:54:49 UTC 2024 - Gary Ching-Pang Lin + +- Add fde-tools-change-rpm-macro-dir.patch and set the rpm macro + directory correctly +- Make fde-firstboot, fde-tpm-helper, and fde-tpm-helper-rpm-macros + noarch +- Add fde-tools-bsc1220160-conditional-requires.patch to make + fde-tpm-helper a conditional "Requires" (bsc#1220160) + +--- New: fde-tools-bsc1220160-conditional-requires.patch fde-tools-change-rpm-macro-dir.patch BETA DEBUG BEGIN: New: noarch - Add fde-tools-bsc1220160-conditional-requires.patch to make fde-tpm-helper a conditional "Requires" (bsc#1220160) New: - Add fde-tools-change-rpm-macro-dir.patch and set the rpm macro directory correctly BETA DEBUG END: Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.lsgmuF/_old 2024-03-06 23:03:24.626874259 +0100 +++ /var/tmp/diff_new_pack.lsgmuF/_new 2024-03-06 23:03:24.626874259 +0100 @@ -16,6 +16,10 @@ # +%if %{undefined _rpmmacrodir} + %define _rpmmacrodir %{_sysconfdir}/rpm +%endif + Name: fde-tools Version:0.7.2 Release:0 @@ -27,6 +31,8 @@ Source1:fde-tools.service Patch0: fde-tools-firstboot-alp-snapshot.patch Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch +Patch2: fde-tools-change-rpm-macro-dir.patch +Patch3: fde-tools-bsc1220160-conditional-requires.patch BuildRequires: help2man BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) 
@@ -45,6 +51,7 @@ Group: System/Boot Requires: fde-tools Requires: jeos-firstboot +BuildArch: noarch %description -n fde-firstboot This package contains the scripts necessary to plug Full Disk Encryption @@ -64,6 +71,7 @@ %package -n fde-tpm-helper Summary:TPM helper for fde-tools Group: System/Boot +BuildArch: noarch %description -n fde-tpm-helper This package contains the TPM helper script for the bootloader packages @@ -72,6 +80,7 @@ %package -n fde-tpm-helper-rpm-macros Summary:RPM macros for fde-tools Group: Development/Tools/Building +BuildArch: noarch %description -n fde-tpm-helper-rpm-macros This package contains the RPM macros for the bootloader packages to @@ -87,7 +96,8 @@ LIBEXECDIR="%{_libexecdir}" \ SBINDIR="%{_sbindir}" \ DATADIR="%{_datadir}" \ - SYSCONFDIR="%{_sysconfdir}" + SYSCONFDIR="%{_sysconfdir}" \ + RPM_MACRO_DIR="%{_rpmmacrodir}" %install %make_install \ @@ -95,7 +105,8 @@ LIBEXECDIR="%{_libexecdir}" \ SBINDIR="%{_sbindir}" \ DATADIR="%{_datadir}" \ - SYSCONFDIR="%{_sysconfdir}" + SYSCONFDIR="%{_sysconfdir}" \ + RPM_MACRO_DIR="%{_rpmmacrodir}" mkdir -p %{buildroot}%{_fillupdir} mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools @@ -141,5 +152,5 @@ %{_libexecdir}/fde/fde-tpm-helper %files -n fde-tpm-helper-rpm-macros -%config %{_sysconfdir}/rpm/macros.fde-tpm-helper +%{_rpmmacrodir}/macros.fde-tpm-helper ++ fde-tools-bsc1220160-conditional-requires.patch ++ >From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 5 Mar 2024 14:51:57 +0800 Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper fde-tpm-helper is only used when fde-tools is installed. Update the rpm macro to make fde-tpm-helper an conditional "Requires". Signed-off-by: Gary Lin --- rpm-build/macros.fde-tpm-helper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper index 1ec3a4e..3c89e2b 100644 
--- a/rpm-build/macros.fde-tpm-helper +++ b/rpm-build/macros.fde-tpm-helper @@ -1,4 +1,4 @@ -%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper +%fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools) %fde_tpm_update_post() \ mkdir -p %{_rundir}/fde-tpm-helper/ \ -- 2.35.3 ++ fde-tools-change-rpm-macro-dir.patch ++ >From
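Review bot: the "%files -n fde-tpm-helper-rpm-macros" hunk drops %config together with the path change. That is right when %{_rpmmacrodir} resolves to the rpm-owned macros directory, but the "%if %{undefined _rpmmacrodir}" fallback earlier in the spec still places the file under %{_sysconfdir}/rpm, where it was previously marked %config; on targets that take the fallback the file is now replaced silently on upgrade. Consider applying %config only in the fallback branch, for example by defining a files attribute next to the _rpmmacrodir fallback, so behaviour on those targets matches the previous package.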
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-11-07 21:25:12 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New) Package is "fde-tools" Tue Nov 7 21:25:12 2023 rev:15 rq:1123704 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-11-02 20:20:56.510669838 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes 2023-11-07 21:25:19.737238924 +0100 @@ -1,0 +2,6 @@ +Mon Nov 6 16:02:01 UTC 2023 - Dominique Leuenberger + +- Fix build with RPM 4.19: unnumbered patches are no longer + supported. + +--- Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.IXwrDG/_old 2023-11-07 21:25:20.409263670 +0100 +++ /var/tmp/diff_new_pack.IXwrDG/_new 2023-11-07 21:25:20.413263818 +0100 @@ -25,7 +25,7 @@ URL:https://github.com/openSUSE/fde-tools Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source1:fde-tools.service -Patch: fde-tools-firstboot-alp-snapshot.patch +Patch0: fde-tools-firstboot-alp-snapshot.patch BuildRequires: help2man BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2)
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-11-02 20:20:52 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.17445 (New) Package is "fde-tools" Thu Nov 2 20:20:52 2023 rev:14 rq:1121560 version:0.7.2 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-24 20:06:49.661188106 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.17445/fde-tools.changes 2023-11-02 20:20:56.510669838 +0100 @@ -1,0 +2,7 @@ +Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.2 + + Add help output for the command tpm-authorize + + Improve the multi-devices support + +--- Old: fde-tools-0.7.1.tar.bz2 New: fde-tools-0.7.2.tar.bz2 Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.dH7mAB/_old 2023-11-02 20:20:57.138692947 +0100 +++ /var/tmp/diff_new_pack.dH7mAB/_new 2023-11-02 20:20:57.142693094 +0100 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.7.1 +Version:0.7.2 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only ++ fde-tools-0.7.1.tar.bz2 -> fde-tools-0.7.2.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/fde.sh new/fde-tools-0.7.2/fde.sh --- old/fde-tools-0.7.1/fde.sh 2023-10-23 07:54:57.691250724 +0200 +++ new/fde-tools-0.7.2/fde.sh 2023-11-01 08:18:03.416914490 +0100 @@ -22,7 +22,7 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.7.1 +version=0.7.2 opt_bootloader=grub2 opt_uefi_bootdir="" @@ -74,7 +74,8 @@ tpm-present check whether a TPM2 chip is present and working tpm-enable enable TPM protection tpm-disable disable TPM protection - tpm-wipe wipe out the keyslot for the sealed key + tpm-wipe wipe out the keyslot for the sealed key + tpm-authorizeupdate the authorized pcr policy in the sealed key EOF } 
@@ -204,30 +205,28 @@ . "$SHAREDIR/commands/$command" if cmd_requires_luks_device; then -# Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS -FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}" -FDE_EXTRA_DEVS="" - -fsdev=$(luks_device_for_path /) -if [ ! -b "$fsdev" ]; then - fde_bad_argument "Unable to determine partition to operate on" -fi +if [ -n "${FDE_DEVS}" ]; then + luks_devices="${FDE_DEVS}" +else + fsdev=$(luks_device_for_path /) + if [ ! -b "$fsdev" ]; then + fde_bad_argument "Unable to determine partition to operate on" + fi -luks_devices=$(luks_get_volume_for_fsdev "$fsdev") -if [ -z "$luks_devices" ]; then - display_errorbox "Cannot find the underlying partition for $fsdev" - exit 1 -fi + luks_devices=$(luks_get_volume_for_fsdev "$fsdev") + if [ -z "$luks_devices" ]; then + display_errorbox "Cannot find the underlying partition for $fsdev" + exit 1 + fi -# Merge FDE_DEVS and detected devices and remove duplicate devices -luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | sed '/^$/d' | sort -u) + # Merge FDE_EXTRA_DEVS and detected devices + luks_devices="${luks_devices} ${FDE_EXTRA_DEVS}" +fi -# Extract the first device as the main root device and set others -# to FDE_EXTRA_DEVS. -luks_dev=$(head -n 1 <<<${luks_devices}) -FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices}) +# Remove the duplicate devices +luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices}" | sed '/^$/d' | sort -u) -cmd_perform "$luks_dev" +cmd_perform "$luks_devices" else cmd_perform fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.1/share/commands/add-secondary-key new/fde-tools-0.7.2/share/commands/add-secondary-key --- old/fde-tools-0.7.1/share/commands/add-secondary-key2023-10-23 07:54:00.911620084 +0200 +++ new/fde-tools-0.7.2/share/commands/add-secondary-key2023-11-01 08:17:56.360959136 +0100 
@@ -22,19 +22,23 @@ function cmd_add_secondary_key { -luks_dev="$1" +local luks_devices="$1" -keyslots=$(bootloader_get_keyslots ${luks_dev}) - -if [ -n "$FDE_ENROLL_KEY" ]; then +if [ -n "$FDE_ENROLL_NEW_KEY" ]; then display_errorbox "It seems you've already tried to enroll a secondary key." return 1 -elif [ -n "${keyslots}" ]; then - display_errorbox "It seems you've already enrolled a
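Review bot: in the restructured block of fde.sh, FDE_EXTRA_DEVS is only merged in the else branch, so when FDE_DEVS is set the extra devices are silently ignored; if that is intended the comment should say so, otherwise append ${FDE_EXTRA_DEVS} before the dedupe in both branches. Note also that with FDE_DEVS set the root device detection via "luks_device_for_path /" is bypassed entirely, so a list that omits the root volume reaches cmd_perform without it and no error is raised; a check that the detected root LUKS volume is present in the final list would catch a mis-set configuration before a command such as tpm-enable or tpm-wipe acts on the wrong set of devices.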
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-10-24 20:06:47 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.24901 (New) Package is "fde-tools" Tue Oct 24 20:06:47 2023 rev:13 rq:1119546 version:0.7.1 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-05 20:03:09.654729915 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.24901/fde-tools.changes 2023-10-24 20:06:49.661188106 +0200 @@ -1,0 +2,13 @@ +Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.1 + + add-secondary-key: remove the generation of the secondary +password + + add-secondary-key: remove the inclusion of + 'add-secondary-password' + + luks: list all underlying LUKS device + + Introduce FDE_DEVS to list all LUKS devices +- Drop upstreamd patch + + fde-tools-remove-redundant-2nd-pw-creation.patch + +--- Old: fde-tools-0.7.0.tar.bz2 fde-tools-remove-redundant-2nd-pw-creation.patch New: fde-tools-0.7.1.tar.bz2 Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.Gx7q05/_old 2023-10-24 20:06:50.305211520 +0200 +++ /var/tmp/diff_new_pack.Gx7q05/_new 2023-10-24 20:06:50.309211665 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.7.0 +Version:0.7.1 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only 
@@ -26,7 +26,6 @@ Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-remove-redundant-2nd-pw-creation.patch BuildRequires: help2man BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) ++ fde-tools-0.7.0.tar.bz2 -> fde-tools-0.7.1.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/fde.sh new/fde-tools-0.7.1/fde.sh --- old/fde-tools-0.7.0/fde.sh 2023-09-19 07:56:12.454296022 +0200 +++ new/fde-tools-0.7.1/fde.sh 2023-10-23 07:54:57.691250724 +0200 @@ -22,7 +22,7 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.7.0 +version=0.7.1 opt_bootloader=grub2 opt_uefi_bootdir="" 
@@ -204,17 +204,29 @@ . "$SHAREDIR/commands/$command" if cmd_requires_luks_device; then +# Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS +FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}" +FDE_EXTRA_DEVS="" + fsdev=$(luks_device_for_path /) if [ ! -b "$fsdev" ]; then fde_bad_argument "Unable to determine partition to operate on" fi -luks_dev=$(luks_get_volume_for_fsdev "$fsdev") -if [ -z "$luks_dev" ]; then +luks_devices=$(luks_get_volume_for_fsdev "$fsdev") +if [ -z "$luks_devices" ]; then display_errorbox "Cannot find the underlying partition for $fsdev" exit 1 fi +# Merge FDE_DEVS and detected devices and remove duplicate devices +luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | sed '/^$/d' | sort -u) + +# Extract the first device as the main root device and set others +# to FDE_EXTRA_DEVS. +luks_dev=$(head -n 1 <<<${luks_devices}) +FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices}) + cmd_perform "$luks_dev" else cmd_perform diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/man/fdectl.8 new/fde-tools-0.7.1/man/fdectl.8 --- old/fde-tools-0.7.0/man/fdectl.82023-06-30 11:05:51.588318859 +0200 +++ new/fde-tools-0.7.1/man/fdectl.81970-01-01 01:00:00.0 +0100 
@@ -1,125 +0,0 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.5. -.TH FDECTL "8" "June 2023" "fdectl 0.6.3" "System Administration Utilities" -.SH NAME -fdectl \- Tool for controlling Full Disk Encryption -.SH SYNOPSIS -.B fdectl -[\fI\,global-options\/\fR] \fI\,command \/\fR[\fI\,cmd-options\/\fR] -.SH DESCRIPTION -The primary objective of this tool is to streamline the TPM seal/unseal process -for system administrators and installers. To achieve this, it heavily depends -on \fBpcr-oracle\fP to forecast the relevant TPM Platform Configuration -Registers (PCRs) values at the point when the boot loader needs to unseal the -key. The primary configuration file for this tool is located at -\fB/etc/sysconfig/fde-tools\fP. -.SS "Global options:" -.HP -\fB\-\-help\fR -.IP -Display this message -.HP -\fB\-\-version\fR -.IP -Print program version -.HP
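Review bot: 'luks_dev=$(head -n 1 <<<${luks_devices})' in the fde.sh hunk picks the lexicographically smallest entry after "sort -u", not the volume returned by 'luks_get_volume_for_fsdev "$fsdev"', so an FDE_DEVS entry that sorts before the root volume becomes the "main root device". Keep the detected root volume as luks_dev and only dedupe the remainder into FDE_EXTRA_DEVS. Also 'grep -v "${luks_dev}"' is an unanchored regex match, so a device name that is a prefix of another, or one containing regex metacharacters, drops more than intended; 'grep -vxF -- "${luks_dev}"' matches whole lines literally.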
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-10-05 20:02:52 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.28202 (New) Package is "fde-tools" Thu Oct 5 20:02:52 2023 rev:12 rq:1115533 version:0.7.0 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-02 20:05:04.367797341 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.28202/fde-tools.changes 2023-10-05 20:03:09.654729915 +0200 @@ -1,0 +2,6 @@ +Wed Oct 4 07:04:47 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-remove-redundant-2nd-pw-creation.patch to remove + the creation of the secondary password in 'add-secondary-key' + +--- New: fde-tools-remove-redundant-2nd-pw-creation.patch Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.XkWziR/_old 2023-10-05 20:03:10.762769945 +0200 +++ /var/tmp/diff_new_pack.XkWziR/_new 2023-10-05 20:03:10.762769945 +0200 @@ -26,6 +26,7 @@ Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch +Patch1: fde-tools-remove-redundant-2nd-pw-creation.patch BuildRequires: help2man BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) ++ fde-tools-remove-redundant-2nd-pw-creation.patch ++ >From bea5676c3afbe13b4fee22bb7f3b74ba7a7382c9 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Wed, 4 Oct 2023 14:56:29 +0800 Subject: [PATCH] add-secondary-key: remove the generation of the secondary password The secondary password is only specific to the firstboot and it's the responsibility of the installer to invoke 'fdectl add-secondary-password'. Since Agama is preparing to add the command, we can remove the workaround for good. Signed-off-by: Gary Lin --- share/commands/add-secondary-key | 11 --- 1 file changed, 11 deletions(-) 
diff --git a/share/commands/add-secondary-key b/share/commands/add-secondary-key index ba3710e..6113931 100644 --- a/share/commands/add-secondary-key +++ b/share/commands/add-secondary-key @@ -37,17 +37,6 @@ function cmd_add_secondary_key { return 1 fi -# HACK ATTACK -# This is here as a workaround, while we're waiting for d-installer to call -#fdectl add-secondary-password -# prior to adding the secondary key. -if [ -z "$(bootloader_get_fde_password)" ]; then - fde_trace "WORKAROUND: silently adding secondary password to allow hands-free reboot" - fde_trace "WORKAROUND: please remove this after adding support for add-secondary-password to the installer" - add_secondary_password "$luks_dev" - bootloader_commit_config -fi - if ! enroll_tpm_secondary_key "${luks_dev}"; then return 1 fi -- 2.35.3
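Review bot: with the HACK block gone, cmd_add_secondary_key no longer consults bootloader_get_fde_password at all, so if the installer has not run `fdectl add-secondary-password` before this command the secondary key is still enrolled and the first reboot prompts for a passphrase instead of being hands-free. A single fde_trace when bootloader_get_fde_password returns an empty string would make that ordering mistake visible in the installer log without reintroducing the workaround.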
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-10-02 20:04:16 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.28202 (New) Package is "fde-tools" Mon Oct 2 20:04:16 2023 rev:11 rq:1114736 version:0.7.0 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-09-20 13:31:39.263943572 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.28202/fde-tools.changes 2023-10-02 20:05:04.367797341 +0200 @@ -1,0 +2,7 @@ +Mon Oct 2 08:10:10 UTC 2023 - Gary Ching-Pang Lin + +- Bring ExclusiveArch back and only enable the build for the + architectures with the proper UEFI Secure Boot and TPM 2.0/TCG + protocol support: aarch64 x86_64 riscv64 + +--- Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.7V8xTl/_old 2023-10-02 20:05:05.515838628 +0200 +++ /var/tmp/diff_new_pack.7V8xTl/_new 2023-10-02 20:05:05.515838628 +0200 @@ -33,6 +33,7 @@ Requires: mokutil Requires: pcr-oracle >= 0.4.5 Requires: util-linux-systemd +ExclusiveArch: aarch64 x86_64 riscv64 %description This package provides several components required to support Full Disk
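Review bot: the reason for dropping s390x and ppc64le (no UEFI Secure Boot and TPM 2.0/TCG protocol support, per the changelog) lives only in fde-tools.changes; put a one-line comment above `ExclusiveArch: aarch64 x86_64 riscv64` in the spec so the next person touching the list does not re-add them.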
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-09-20 13:29:05 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.16627 (New) Package is "fde-tools" Wed Sep 20 13:29:05 2023 rev:10 rq:1112138 version:0.7.0 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-08-30 10:23:34.654774743 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.16627/fde-tools.changes 2023-09-20 13:31:39.263943572 +0200 @@ -1,0 +2,16 @@ +Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.0 + + firstboot: apply the grub.cfg change immediately + + fde-tpm-helper for bootloader RPMs to update the sealed key +automatically + + Fix the find command of 'make dist' + + Clean up the repo + + Make the system flags configurable + + fde-tpm-helper: specify the bootloaders in %post +- Add two new subpackages for the bootloader RPMs to update the + sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros +- Remove ExclusiveArch and set the system directories for 'make' + and 'make install' + +--- Old: fde-tools-0.6.9.tar.bz2 New: fde-tools-0.7.0.tar.bz2 Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.tC9TCY/_old 2023-09-20 13:31:40.443985847 +0200 +++ /var/tmp/diff_new_pack.tC9TCY/_new 2023-09-20 13:31:40.443985847 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.6.9 +Version:0.7.0 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only @@ -33,7 +33,10 @@ Requires: mokutil Requires: pcr-oracle >= 0.4.5 Requires: util-linux-systemd -ExclusiveArch: aarch64 s390x ppc64le x86_64 riscv64 + +%description +This package provides several components required to support Full Disk +Encryption. %package -n fde-firstboot Summary:Full Disk Encryption for images 
@@ -41,10 +44,6 @@ Requires: fde-tools Requires: jeos-firstboot -%description -This package provides several components required to support Full Disk -Encryption. - %description -n fde-firstboot This package contains the scripts necessary to plug Full Disk Encryption into the JeOS Firstboot framework used for image based delivery of ALP. @@ -60,14 +59,41 @@ %description bash-completion Bash shell completions for fde-tools +%package -n fde-tpm-helper +Summary:TPM helper for fde-tools +Group: System/Boot + +%description -n fde-tpm-helper +This package contains the TPM helper script for the bootloader packages +to update the signature in the sealed key. + +%package -n fde-tpm-helper-rpm-macros +Summary:RPM macros for fde-tools +Group: Development/Tools/Building + +%description -n fde-tpm-helper-rpm-macros +This package contains the RPM macros for the bootloader packages to +update the signature in the sealed key. + %prep %autosetup -p1 %build -%make_build +%make_build \ + CCFLAGS="%optflags" \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" %install -%make_install +%make_install \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" mkdir -p %{buildroot}%{_fillupdir} mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools @@ -92,7 +118,7 @@ %{_sbindir}/fdectl %{_sbindir}/fde-token %{_sbindir}/fdectl-grub-tpm2 -%dir /etc/fde +%dir %{_sysconfdir}/fde %{_fillupdir}/sysconfig.* %{_datadir}/fde %{_unitdir}/fde-tpm-enroll.service 
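Review bot: the %install hunk now passes `SYSCONFDIR="%{_sysconfdir}"` to make install, but the unchanged next line still moves `%{buildroot}/etc/sysconfig/fde-tools`, and the %files hunk below changes `/etc/fde` to `%{_sysconfdir}/fde`. Use `%{_sysconfdir}` in the mv as well so all three agree if `_sysconfdir` ever differs from /etc.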
@@ -108,3 +134,10 @@ %dir %{_datadir}/jeos-firstboot/modules %{_datadir}/jeos-firstboot/modules/fde +%files -n fde-tpm-helper +%dir %{_libexecdir}/fde +%{_libexecdir}/fde/fde-tpm-helper + +%files -n fde-tpm-helper-rpm-macros +%config %{_sysconfdir}/rpm/macros.fde-tpm-helper + ++ fde-tools-0.6.9.tar.bz2 -> fde-tools-0.7.0.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.9/Makefile new/fde-tools-0.7.0/Makefile --- old/fde-tools-0.6.9/Makefile2023-08-29 10:34:43.259726248 +0200 +++ new/fde-tools-0.7.0/Makefile2023-09-19 07:52:51.927609722 +0200 @@ -1,20 +1,25 @@ PKGVER = $(shell git describe --tags) PKGNAME= fde-tools-$(PKGVER) -CCOPT = -O0 -g -LIBDIR = /usr/lib64 -SBINDIR= /usr/sbin -SYSCONFIGDIR =
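Review bot: `%config %{_sysconfdir}/rpm/macros.fde-tpm-helper` in the last %files hunk is questionable. The macros are consumed by the bootloader packages' scriptlets, not edited by administrators, so marking the file %config means a locally modified copy survives upgrades and those packages keep expanding stale macros. Ship the file without %config, or install it under %{_rpmmacrodir} (/usr/lib/rpm/macros.d) where rpm picks it up without any %config handling.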
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-08-30 10:20:47 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New) Package is "fde-tools" Wed Aug 30 10:20:47 2023 rev:9 rq:1107876 version:0.6.9 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-08-28 17:12:19.622427876 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes 2023-08-30 10:23:34.654774743 +0200 @@ -1,0 +2,13 @@ +Tue Aug 29 07:56:44 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.9 + + Redirect the firstboot messages to journald instead of a +standalone log file (bsc#1214581) + + Update /boot/grub2/grub.cfg at the end of firstboot to reflect +the LUKS key change + + Update the version automatically + + Add 'cryptsetup' to 'make dist' + + Fix the version in fde.sh +- Update the download URL + +--- Old: fde-tools-0.6.8.tar.gz New: fde-tools-0.6.9.tar.bz2 Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.GyHtuw/_old 2023-08-30 10:23:35.722812866 +0200 +++ /var/tmp/diff_new_pack.GyHtuw/_new 2023-08-30 10:23:35.726813008 +0200 @@ -17,13 +17,13 @@ Name: fde-tools -Version:0.6.8 +Version:0.6.9 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only Group: System/Boot URL:https://github.com/openSUSE/fde-tools -Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz +Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch BuildRequires: help2man ++ fde-tools-0.6.8.tar.gz -> fde-tools-0.6.9.tar.bz2 ++ 3468 lines of diff (skipped)
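Review bot: the Source change moves from the GitHub archive tarball, which is derived from the tag, to an uploaded release asset, which is whatever was uploaded for that release. Since OBS has no way to tie the asset back to the tag, consider shipping a detached signature for the tarball (and the signer's keyring) so the upload is verified at build time. Note also that the 3468-line tarball diff is skipped in this log, so the 0.6.8 to 0.6.9 source changes themselves are not reviewable here.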
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-08-28 17:12:12 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New) Package is "fde-tools" Mon Aug 28 17:12:12 2023 rev:8 rq:1105563 version:0.6.8 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-08-18 19:29:26.551432473 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes 2023-08-28 17:12:19.622427876 +0200 @@ -1,0 +2,9 @@ +Thu Aug 24 07:45:13 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.8 + + Improve the LUKS partition detection to support LUKS over LVM +- Remove openssl and tpm2-0-tss-devel from BuildRequires since all + TPM related programs are already in pcr-oracle +- Add util-linux-systemd to Requires for 'lsblk' + +--- Old: fde-tools-0.6.7.tar.gz New: fde-tools-0.6.8.tar.gz Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.ZuCg1K/_old 2023-08-28 17:12:20.686466086 +0200 +++ /var/tmp/diff_new_pack.ZuCg1K/_new 2023-08-28 17:12:20.690466231 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.6.7 +Version:0.6.8 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only 
@@ -27,13 +27,12 @@ Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch BuildRequires: help2man -BuildRequires: openssl >= 0.9.8 -BuildRequires: tpm2-0-tss-devel BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) Requires: cryptsetup Requires: mokutil Requires: pcr-oracle >= 0.4.5 +Requires: util-linux-systemd ExclusiveArch: aarch64 s390x ppc64le x86_64 riscv64 %package -n fde-firstboot ++ fde-tools-0.6.7.tar.gz -> fde-tools-0.6.8.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.7/fde.sh new/fde-tools-0.6.8/fde.sh --- old/fde-tools-0.6.7/fde.sh 2023-08-04 08:45:44.0 +0200 +++ new/fde-tools-0.6.8/fde.sh 2023-08-24 09:41:10.0 +0200 @@ -204,7 +204,6 @@ . "$SHAREDIR/commands/$command" if cmd_requires_luks_device; then -# FIXME: This code needs some love to make it work for LUKS-over-LVM fsdev=$(luks_device_for_path /) if [ ! -b "$fsdev" ]; then fde_bad_argument "Unable to determine partition to operate on" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.7/share/luks new/fde-tools-0.6.8/share/luks --- old/fde-tools-0.6.7/share/luks 2023-08-04 08:45:44.0 +0200 +++ new/fde-tools-0.6.8/share/luks 2023-08-24 09:41:10.0 +0200 @@ -50,7 +50,7 @@ path="$1" -df "$path" | grep /dev/ | cut -f1 -d' ' +df --output=source "$path" | grep /dev/ } ## 
@@ -101,36 +101,17 @@ dev="/dev/mapper/$dm_name" fi -link=$(readlink "$dev") +# Trace back the block devices to locate the first device with +# 'crypto_LUKS' file system type +# - lsblk options +# -s: inverse dependencies +# -n: no header line +# -r: raw format +# -p: full device path +# -o: print only NAME and FSTYPE +dev_path=$(lsblk -snrp -o NAME,FSTYPE ${dev} | grep -m 1 crypto_LUKS | cut -d' ' -f 1) -# When using the LUKS volume directly to hold the root fs, -# we'll be chasing be /dev/mapper/root -> dm-0 -> sdaN -# When stacking LUKS + LVM, we're going to chase -# /dev/mapper/root -> dm-1 -> dm-0 -> sdaN -dev_name=$(basename "$link") - -# Turtles all the way down, but not indefinitely -for i in $(seq 10); do - vdir="/sys/devices/virtual/block/$dev_name" - if [ ! -d "$vdir/slaves" ]; then - break - fi - - set -- $(ls "$vdir/slaves") - if [ $# -ne 1 ]; then - fde_trace "Ambiguous slave count for $dev_name" - return 1 - fi - - dev_name="$1" -done - -if [ -z "$dev_name" ]; then - fde_trace "Failed to chase DM chain for $orig_dev" - return 1 -fi - -echo "/dev/$dev_name" +echo "${dev_path}" return 0 }
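Review bot: the new lsblk path always ends in `return 0`, even when `grep -m 1 crypto_LUKS` matches nothing and `dev_path` is empty; the old loop traced the failure and returned 1 in that case. Add `[ -n "$dev_path" ] || { fde_trace "No crypto_LUKS device found below $dev"; return 1; }` before the echo so callers can rely on the exit status rather than on the emptiness of the output. Two smaller points: `${dev}` is unquoted in the lsblk call, and `grep crypto_LUKS` matches anywhere on the line, so selecting on the FSTYPE column (for example with awk on field 2) is more robust than a plain grep.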
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-08-18 19:28:55 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1766 (New) Package is "fde-tools" Fri Aug 18 19:28:55 2023 rev:7 rq:1104645 version:0.6.7 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-27 16:53:04.370581885 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1766/fde-tools.changes 2023-08-18 19:29:26.551432473 +0200 @@ -1,0 +2,9 @@ +Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.7 + + Check failure of authorized policy creation + + Additional check for recovery password +- Drop upstreamed patch + + fde-tools-handle-authorized-policy-failure.patch + +--- Old: fde-tools-0.6.6.tar.gz fde-tools-handle-authorized-policy-failure.patch New: fde-tools-0.6.7.tar.gz Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.prolCu/_old 2023-08-18 19:29:27.439434065 +0200 +++ /var/tmp/diff_new_pack.prolCu/_new 2023-08-18 19:29:27.443434073 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.6.6 +Version:0.6.7 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only 
@@ -26,7 +26,6 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-handle-authorized-policy-failure.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++ fde-tools-0.6.6.tar.gz -> fde-tools-0.6.7.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/add-secondary-key new/fde-tools-0.6.7/share/commands/add-secondary-key --- old/fde-tools-0.6.6/share/commands/add-secondary-key2023-07-20 10:35:24.0 +0200 +++ new/fde-tools-0.6.7/share/commands/add-secondary-key2023-08-04 08:45:44.0 +0200 @@ -48,7 +48,9 @@ bootloader_commit_config fi -enroll_tpm_secondary_key "$luks_dev" +if ! enroll_tpm_secondary_key "${luks_dev}"; then + return 1 +fi return 0 } @@ -68,6 +70,10 @@ # loading the pubkey. tpm_set_authorized_policy_paths "$policy_name" tpm_create_authorized_policy $FDE_AP_SECRET_KEY $FDE_AP_AUTHPOLICY $FDE_AP_PUBLIC_KEY +if [ $? -ne 0 ]; then + display_errorbox "Failed to create authorized policy" + return 1 +fi if [ "$FDE_AUTHORIZED_POLICY" != "$policy_name" ]; then fde_set_variable FDE_AUTHORIZED_POLICY "$policy_name" @@ -87,6 +93,20 @@ return 1 fi +if ! luks_verify_password "$luks_dev" "$luks_keyfile"; then + rm -f "$luks_keyfile" + display_errorbox "Failed to verify password on LUKS partition" + return 1 +fi + +for extra_dev in ${FDE_EXTRA_DEVS}; do + if ! luks_verify_password "$extra_dev" "$luks_keyfile"; then + rm -f "$luks_keyfile" + display_errorbox "Failed to verify password on LUKS partition($extra_dev)" + return 1 +fi +done + if ! luks_add_random_key "${luks_dev}" "${luks_keyfile}" "${luks_new_keyfile}"; then display_errorbox "Failed to add secondary LUKS key" rm -f "$luks_keyfile" 
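Review bot: style in the add-secondary-key hunk: `tpm_create_authorized_policy ...` followed by `if [ $? -ne 0 ]` differs from the `if ! enroll_tpm_secondary_key ...; then` form introduced a few lines above; `if ! tpm_create_authorized_policy ...; then` reads the same and avoids the separate `$?` check. The ordering of the new checks is right: luks_verify_password runs on the root device and every FDE_EXTRA_DEVS entry before luks_add_random_key touches any header, so a wrong recovery password now fails before any keyslot is modified. Minor: the message "Failed to verify password on LUKS partition($extra_dev)" is missing a space before the parenthesis.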
@@ -96,6 +116,7 @@ # Add the new random key to the devices in FDE_EXTRA_DEVS for extra_dev in ${FDE_EXTRA_DEVS}; do if ! luks_add_key "$extra_dev" "$luks_keyfile" "$luks_new_keyfile"; then + display_errorbox "Failed to add secondary LUKS key (${extra_dev})" rm -f "$luks_keyfile" return 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.6/share/commands/regenerate-key new/fde-tools-0.6.7/share/commands/regenerate-key --- old/fde-tools-0.6.6/share/commands/regenerate-key 2023-07-20 10:35:24.0 +0200 +++ new/fde-tools-0.6.7/share/commands/regenerate-key 2023-08-04 08:45:44.0 +0200 @@ -35,7 +35,9 @@ EXTRA_KEYSLOTS_OLD["${extra_dev}"]=$(bootloader_get_keyslots ${extra_dev}) done -enroll_tpm_secondary_key "${luks_dev}" +if ! enroll_tpm_secondary_key "${luks_dev}"; then + return 1 +fi # Finish TPM key sealing tpm_enable ${luks_dev} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore'
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-27 16:52:48 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.32662 (New) Package is "fde-tools" Thu Jul 27 16:52:48 2023 rev:6 rq:1100993 version:0.6.6 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-25 11:51:16.309511702 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.32662/fde-tools.changes 2023-07-27 16:53:04.370581885 +0200 @@ -1,0 +2,6 @@ +Thu Jul 27 06:23:22 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-handle-authorized-policy-failure.patch handle the + failure of authorized policy creation + +--- New: fde-tools-handle-authorized-policy-failure.patch Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.eEXNGW/_old 2023-07-27 16:53:05.010585501 +0200 +++ /var/tmp/diff_new_pack.eEXNGW/_new 2023-07-27 16:53:05.014585523 +0200 @@ -26,15 +26,15 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch +Patch1: fde-tools-handle-authorized-policy-failure.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel BuildRequires: pkgconfig(libcryptsetup) BuildRequires: pkgconfig(libfido2) Requires: cryptsetup -Requires: pcr-oracle >= 0.4.5 -# Requires:tpm2.0-tools Requires: mokutil +Requires: pcr-oracle >= 0.4.5 ExclusiveArch: aarch64 s390x ppc64le x86_64 riscv64 %package -n fde-firstboot ++ fde-tools-handle-authorized-policy-failure.patch ++ >From cb36d5affed81af38d673486980d484e71f9d09f Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Thu, 27 Jul 2023 14:21:55 +0800 Subject: [PATCH] Check failure of authorized policy creation (#14) The return value of tpm_create_authorized_policy was not checked, and this may ignore the failure from the underlying functions. Besides, the return value of some pcr-oracle commands were not correctly handled. Fix those cases to make fdectl exit right after the failure of the pcr-oracle commands. Signed-off-by: Gary Lin --- share/commands/add-secondary-key | 4 share/tpm| 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/share/commands/add-secondary-key b/share/commands/add-secondary-key index a9710c7..9673546 100644 --- a/share/commands/add-secondary-key +++ b/share/commands/add-secondary-key @@ -68,6 +68,10 @@ function init_authorized_policy { # loading the pubkey. tpm_set_authorized_policy_paths "$policy_name" tpm_create_authorized_policy $FDE_AP_SECRET_KEY $FDE_AP_AUTHPOLICY $FDE_AP_PUBLIC_KEY +if [ $? -ne 0 ]; then + display_errorbox "Failed to create authorized policy" + return 1 +fi if [ "$FDE_AUTHORIZED_POLICY" != "$policy_name" ]; then fde_set_variable FDE_AUTHORIZED_POLICY "$policy_name" diff --git a/share/tpm b/share/tpm index 90a3da3..0cc507a 100644 --- a/share/tpm +++ b/share/tpm @@ -165,7 +165,7 @@ function tpm_create_authorized_policy { --algorithm $FDE_SEAL_PCR_BANK \ create-authorized-policy $FDE_SEAL_PCR_LIST if [ $? -ne 0 ]; then - return $? + return 1 fi # Store the public key in a format suitable for feeding it to the TPM @@ -175,7 +175,7 @@ function tpm_create_authorized_policy { --public-key "$public_key" \ store-public-key if [ $? -ne 0 ]; then - return $? + return 1 fi fi } -- 2.35.3
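Review bot: the share/tpm hunk fixes a real bug, and it is worth recording why: inside `if [ $? -ne 0 ]; then return $?; fi` the second `$?` is the exit status of the `[` test, which is 0 on that branch, so a failing pcr-oracle call returned success. `return 1` is correct; an equivalent that keeps the original status is to write `if ! pcr-oracle ...; then return 1; fi` or to save the status in a local variable before testing it.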
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-25 11:50:04 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.1467 (New) Package is "fde-tools" Tue Jul 25 11:50:04 2023 rev:5 rq:1099742 version:0.6.6 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-13 17:18:51.745228423 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1467/fde-tools.changes 2023-07-25 11:51:16.309511702 +0200 @@ -1,0 +2,16 @@ +Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.6 + + Avoid cleaning the temp directory when calling tpm_test + + firstboot/fde: use functions as the aliases for bootloader +functions + + firstboot/fde: always regenerate initrd + + firstboot/fde: use authorized policy by default + + Support devices other than the root partition +- Drop upstreamed patches + + fde-tools-avoid-cleaning-temp-dir.patch + + fde-tools-fix-bootloader-func.patch + + fde-tools-force-dracut.patch + + fde-tools-enable-authpol-in-firstboot.patch + +--- Old: fde-tools-0.6.5.tar.gz fde-tools-avoid-cleaning-temp-dir.patch fde-tools-enable-authpol-in-firstboot.patch fde-tools-fix-bootloader-func.patch fde-tools-force-dracut.patch New: fde-tools-0.6.6.tar.gz Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.HGhY5q/_old 2023-07-25 11:51:19.401529807 +0200 +++ /var/tmp/diff_new_pack.HGhY5q/_new 2023-07-25 11:51:19.409529853 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.6.5 +Version:0.6.6 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only 
@@ -26,10 +26,6 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-avoid-cleaning-temp-dir.patch -Patch2: fde-tools-fix-bootloader-func.patch -Patch3: fde-tools-force-dracut.patch -Patch4: fde-tools-enable-authpol-in-firstboot.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++ fde-tools-0.6.5.tar.gz -> fde-tools-0.6.6.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.6.5/README.md new/fde-tools-0.6.6/README.md --- old/fde-tools-0.6.5/README.md 2023-07-04 04:54:56.0 +0200 +++ new/fde-tools-0.6.6/README.md 2023-07-20 10:35:24.0 +0200 @@ -49,7 +49,7 @@ to unlock the system partition on next boot. If you do not want to be prompted for the recovery password, you can -also use either the ``--keyfile`` or the ``--password`` option to +also use either the ``--passfile`` or the ``--password`` option to specify a LUKS keyfile, or the recovery passphrase, respectively. Normally, the first boot into a freshly installed system will dispose 
@@ -138,6 +138,35 @@ _authorize_ the current system configuration. This will predict a set of PCR values, and use the RSA key to sign the resulting PCR policy. + +# Key management for the already installed systems + +For the systems with an already encrypted root partition, it is easy +to (re)generate and seal the LUKS key with ``regenerate-key``: + +# fdectl regenerate-key + +This command generates a new random secret key, seals the key with TPM, +and updates the bootloader configuration. + +To disable the TPM unsealing temporarily, ``tpm-disable`` will remove +the path to the sealed key from the boot loader configuration. + +# fdectl tpm-disable + +To restore the TPM unsealing functionality, ``tpm-enable`` will update +the sealed key if necessary and then configure the boot loader to +unlock the LUKS partition with the sealed key. + +# fdectl tpm-enable + +In case there is a need to remove the sealed LUKS key from the root +partition, ``tpm-wipe`` could help to wipe out the keyslot for the sealed +LUKS key and remove the key file: + +# fdectl tpm-wipe + + # Updates of boot components When updating components such as grub2 or the shim loader, or when @@ -180,3 +209,30 @@ predict PCR values based on the client's event log plus the actual hashes of the boot files used, compute the PCR policy and sign it using its key. + + +# Revocation of the authorized policies + +When a serious vulnerability is found in the boot component such +as grub2 or the shim loader, it is suggested to remove the +authorized policies associated with the
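Review bot: in the new "Key management" section, the tpm-disable paragraph says the path to the sealed key is removed from the boot loader configuration but not what happens to the sealed key file and its LUKS keyslot; since that is precisely how tpm-disable differs from tpm-wipe, say that both remain in place so tpm-enable can restore them. "tpm-wipe could help to wipe out the keyslot" also reads as tentative for a destructive command; "tpm-wipe removes the keyslot ... and the key file" states what it does.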
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-13 17:18:51 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.8922 (New) Package is "fde-tools" Thu Jul 13 17:18:51 2023 rev:4 rq:1098478 version:0.6.5 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-07 15:52:45.082137152 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.8922/fde-tools.changes 2023-07-13 17:18:51.745228423 +0200 @@ -1,0 +2,6 @@ +Thu Jul 13 06:57:46 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-enable-authpol-in-firstboot.patch to enable + authorized policy in the firstboot script + +--- New: fde-tools-enable-authpol-in-firstboot.patch Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.DDCjn5/_old 2023-07-13 17:18:52.241231350 +0200 +++ /var/tmp/diff_new_pack.DDCjn5/_new 2023-07-13 17:18:52.245231374 +0200 @@ -29,6 +29,7 @@ Patch1: fde-tools-avoid-cleaning-temp-dir.patch Patch2: fde-tools-fix-bootloader-func.patch Patch3: fde-tools-force-dracut.patch +Patch4: fde-tools-enable-authpol-in-firstboot.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++ fde-tools-enable-authpol-in-firstboot.patch ++ >From 23e675bb74905bd21a60ac6d9e97ac3c2e8d57d7 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 13 Jul 2023 14:48:41 +0800 Subject: [PATCH 1/2] fdectl: add '--passfile' option to read the password file In some cases, we may need to read the recovery password from a file. This commit adds the new option to read the password from a file. Signed-off-by: Gary Lin --- fde.sh | 7 ++- share/util | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/fde.sh b/fde.sh index 0198d4a..ffc9801 100755 --- a/fde.sh +++ b/fde.sh @@ -29,6 +29,7 @@ opt_uefi_bootdir="" opt_ui=shell opt_keyfile="" opt_password="" +opt_passfile="" ## # Display a usage message. 
@@ -61,6 +62,8 @@ Global options: --password Specify the LUKS recovery password. Should be used by the installer only. + --passfile + Specify the path to a LUKS recovery password file. Commands: help display this message @@ -121,7 +124,7 @@ function fde_maybe_chroot { fde_maybe_chroot "$@" -long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:" +long_options="help,version,bootloader:,device:,use-dialog,keyfile:,uefi-boot-dir:,password:,passfile:" if ! getopt -Q -n fdectl -l "$long_options" -o h -- "$@"; then fde_usage @@ -156,6 +159,8 @@ while [ $# -gt 0 ]; do opt_keyfile=$1; shift;; --password) opt_password=$1; shift;; +--passfile) + opt_passfile=$1; shift;; --uefi-boot-dir) opt_uefi_bootdir=$1; shift;; *) diff --git a/share/util b/share/util index 0a305ce..a9482aa 100644 --- a/share/util +++ b/share/util @@ -32,6 +32,9 @@ function fde_request_recovery_password { if [ -n "$opt_password" ]; then result_password="$opt_password" return 0 +elif [ -n "$opt_passfile" -a -f "$opt_passfile" ]; then + result_password="$(<$opt_passfile)" + return 0 fi # Ask for the recovery password just once -- 2.35.3 >From ce1b3907bbf76bc9719c7d81a951548f5c9122ea Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 13 Jul 2023 14:50:08 +0800 Subject: [PATCH 2/2] firstboot: use 'fdectl regenerate-key' to enroll the key Directly invoke 'fdectl regenerate-key' to create the new random key and seal it with the TPM PCR policy. Also enable fde-tpm-enroll.service if the key is sealed successfully. Signed-off-by: Gary Lin --- firstboot/fde | 28 +++- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/firstboot/fde b/firstboot/fde index f1a95ab..4143961 100755 --- a/firstboot/fde +++ b/firstboot/fde 
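Review bot: in the share/util hunk, `elif [ -n "$opt_passfile" -a -f "$opt_passfile" ]` silently falls through to the interactive prompt when --passfile names a file that does not exist or is unreadable; an installer running non-interactively will then hang or fail later with a less useful error. Fail explicitly instead: `if [ -n "$opt_passfile" ]; then [ -r "$opt_passfile" ] || { fde_trace "cannot read $opt_passfile"; return 1; }; ...`. Two smaller points: `result_password="$(<$opt_passfile)"` leaves the path unquoted, so a path with spaces gives an ambiguous redirect (use `"$(<"$opt_passfile")"`), and `-a` inside `[` is better written as two tests joined with `&&`.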
@@ -43,10 +43,6 @@ KIWI_ROOT_KEYFILE=/root/.root.keyfile # Set the bootloader specific functions here as aliases ## -function bootloader_enable_fde_pcr_policy { -grub_enable_fde_pcr_policy "$@" -} - function bootloader_enable_fde_without_tpm { grub_enable_fde_without_tpm "$@" } @@ -59,18 +55,6 @@ function bootloader_get_fde_password { # FDE Firstboot functions ## -function fde_protect_tpm { - -local luks_dev=$1 -local luks_keyfile=$2 -
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-07 15:49:52 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.23466 (New) Package is "fde-tools" Fri Jul 7 15:49:52 2023 rev:3 rq:1097489 version:0.6.5 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-07-04 15:22:10.722133068 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.23466/fde-tools.changes 2023-07-07 15:52:45.082137152 +0200 @@ -1,0 +2,9 @@ +Fri Jul 7 08:40:25 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-fix-bootloader-func.patch + + Define the bootloader specific functions in the firstboot +script since the aliases are not expanded +- Add fde-tools-force-dracut.patch + + Always regenerate initrd + +--- New: fde-tools-fix-bootloader-func.patch fde-tools-force-dracut.patch Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.6VRfdv/_old 2023-07-07 15:52:45.550139940 +0200 +++ /var/tmp/diff_new_pack.6VRfdv/_new 2023-07-07 15:52:45.554139964 +0200 @@ -27,6 +27,8 @@ Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch Patch1: fde-tools-avoid-cleaning-temp-dir.patch +Patch2: fde-tools-fix-bootloader-func.patch +Patch3: fde-tools-force-dracut.patch BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel ++ fde-tools-fix-bootloader-func.patch ++ >From 97336e85f6f271891f8b1ddb5ae04935c0d80fae Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 7 Jul 2023 16:36:00 +0800 Subject: [PATCH] firstboot/fde: forcefully invoke dracut To make sure the initrd is always recreated, specify '--force' to dracut. Signed-off-by: Gary Lin --- firstboot/fde | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firstboot/fde b/firstboot/fde index 157a9bd..f1a95ab 100755 --- a/firstboot/fde +++ b/firstboot/fde 
@@ -206,7 +206,7 @@ function fde_setup_unencrypted { rm -f /etc/crypttab display_infobox "Re-creating initial ramdisk" -if ! dracut >&2; then +if ! dracut --force >&2; then display_errorbox "Failed to rebuild initrd" return 1 fi -- 2.35.3 ++ fde-tools-force-dracut.patch ++ >From 346e41ac7d9e5b1b37dd3e315078b99c58f59799 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 7 Jul 2023 16:31:31 +0800 Subject: [PATCH] firstboot/fde: use functions as the aliases for bootloader functions Aliases are not expanded in non-interactive mode by default, so those function aliases defined in the 'grub2' script won't work for firstboot. Manually define the bootloader specific functions in firstboot/fde to avoid the potential 'command not found' error. Signed-off-by: Gary Lin --- firstboot/fde | 21 + 1 file changed, 21 insertions(+) diff --git a/firstboot/fde b/firstboot/fde index 530baed..157a9bd 100755 --- a/firstboot/fde +++ b/firstboot/fde @@ -38,6 +38,27 @@ fi ## KIWI_ROOT_KEYFILE=/root/.root.keyfile +## +# Aliases are not expanded in non-interactive mode. +# Set the bootloader specific functions here as aliases +## + +function bootloader_enable_fde_pcr_policy { +grub_enable_fde_pcr_policy "$@" +} + +function bootloader_enable_fde_without_tpm { +grub_enable_fde_without_tpm "$@" +} + +function bootloader_get_fde_password { +grub_get_fde_password "$@" +} + +## +# FDE Firstboot functions +## + function fde_protect_tpm { local luks_dev=$1 -- 2.35.3
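Review bot: the patch file names are swapped relative to their contents: `fde-tools-fix-bootloader-func.patch` carries the "forcefully invoke dracut" commit, and `fde-tools-force-dracut.patch` carries the "use functions as the aliases for bootloader functions" commit. Both apply either way, but rename them so the spec's Patch2/Patch3 lines and the changelog describe what is actually applied. On the alias hunk itself: the wrapper functions are the robust fix; the alternative, `shopt -s expand_aliases` in firstboot/fde, would keep the aliases working but only as long as every script that sources the grub2 helpers remembers to set it.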
commit fde-tools for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-07-04 15:21:55 Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.23466 (New) Package is "fde-tools" Tue Jul 4 15:21:55 2023 rev:2 rq:1096676 version:0.6.5 Changes: --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-06-05 18:06:19.483033390 +0200 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.23466/fde-tools.changes 2023-07-04 15:22:10.722133068 +0200 
@@ -1,0 +2,58 @@ +Tue Jul 4 07:02:19 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-avoid-cleaning-temp-dir.patch to avoid cleaning + the temp directory when calling tpm_test + +--- +Tue Jul 4 02:59:34 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.5 + + LUKS2 keyslot management with the grub-tpm2 token + + Replace mkinitrd with dracut + +--- +Wed Jun 14 02:39:26 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.4 + + Add man page and bash completion support + + Switch to TPM 2.0 Key File for grub2 + + Update the installation paths + + Enable authorized policy by default + + Implement 'tpm-disable' command (bsc#1208834) +- Add a subpackage: fde-tools-bash-completion +- Use 'tpm-activate' in the systemd service file +- Add help2man to BuildRequires +- Drop the upstreamed patches + + fde-tools-tpm2.0-key-file-support.patch + + fde-tools-fix-paths.patch + + fde-tools-set-stop-event-for-tpm_authorize.patch + + fde-tools-enable-authorized-policy-by-default.patch + + fde-tools-reduce-iterations.patch + + fde-tools-set-grub.cfg-as-stop-event.patch + +--- +Thu Jun 8 08:31:15 UTC 2023 - Gary Ching-Pang Lin + +- Fix the path in fde-tools.service + +--- +Wed Jun 7 00:57:26 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-tpm2.0-key-file-support.patch to support TPM 2.0 + Key File for grub2 +- Bump the required pcr-oracle version to 0.4.5 for the TPM 2.0 Key + File support +- Add fde-tools-reduce-iterations.patch to reduce the iterations + for the key created by luks_add_random_key +- Add fde-tools-set-grub.cfg-as-stop-event.patch to set grub.cfg as + the stop event for the PCR prediction +- Add fde-tools-enable-authorized-policy-by-default.patch to switch + FDE_USE_AUTHORIZED_POLICIES to yes + +--- +Tue Jun 6 07:32:24 UTC 2023 - Marcus Meissner + +- remove dracut and jeos-firstboot from buildrequires, just specify + the directory. 
+ +--- Old: fde-tools-0.6.3.tar.gz fde-tools-fix-paths.patch fde-tools-set-stop-event-for-tpm_authorize.patch New: fde-tools-0.6.5.tar.gz fde-tools-avoid-cleaning-temp-dir.patch Other differences: -- ++ fde-tools.spec ++ --- /var/tmp/diff_new_pack.iLmR1f/_old 2023-07-04 15:22:11.338136770 +0200 +++ /var/tmp/diff_new_pack.iLmR1f/_new 2023-07-04 15:22:11.342136794 +0200 @@ -17,7 +17,7 @@ Name: fde-tools -Version:0.6.3 +Version:0.6.5 Release:0 Summary:Tools required for Full Disk Encryption License:GPL-2.0-only @@ -26,15 +26,14 @@ Source: https://github.com/openSUSE/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source1:fde-tools.service Patch: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-set-stop-event-for-tpm_authorize.patch -Patch2: fde-tools-fix-paths.patch -BuildRequires: dracut -BuildRequires: jeos-firstboot -BuildRequires: libfido2-devel +Patch1: fde-tools-avoid-cleaning-temp-dir.patch +BuildRequires: help2man BuildRequires: openssl >= 0.9.8 BuildRequires: tpm2-0-tss-devel +BuildRequires: pkgconfig(libcryptsetup) +BuildRequires: pkgconfig(libfido2) Requires: cryptsetup -Requires: pcr-oracle >= 0.4.2 +Requires: pcr-oracle >= 0.4.5 # Requires:tpm2.0-tools Requires: mokutil ExclusiveArch: aarch64 s390x ppc64le x86_64 riscv64 @@ -53,6 +52,17 @@ This package contains the scripts necessary to plug Full Disk Encryption into the JeOS Firstboot framework used for image based delivery of ALP. +%package bash-completion +Summary:Bash completion for fde-tools +Group: Productivity/File utilities +Requires: bash-completion +Requires: fde-tools +Supplements:(fde-tools and bash-completion) +BuildArch: noarch +
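Review bot: the 0.6.5 entry in the fde-tools.changes hunk records "Replace mkinitrd with dracut" and the 6 Jun entry drops dracut from BuildRequires, but nothing in the spec hunks adds a runtime `Requires: dracut`; since the scripts now call dracut directly to rebuild the initrd, declare the dependency (or note where it is guaranteed to come from) so a minimal image cannot fail the rebuild with "command not found". The same entry says jeos-firstboot was removed from BuildRequires in favour of a fixed directory, so the install path is no longer checked against the package that owns it; worth a comment in the spec.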
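Review bot: in the `@@ -26,15 +26,14 @@` spec hunk, the commented `# Requires:tpm2.0-tools` line survives yet another revision while the TPM key-file support moves to tpm2-0-tss; either drop the comment or turn it into a real `Requires:` if the tpm-disable / tpm-activate commands still shell out to the tpm2 tools. The switch from `libfido2-devel` to `pkgconfig(libfido2)` and the new `pkgconfig(libcryptsetup)` are consistent with the 0.6.5 LUKS2 keyslot work, and `pcr-oracle >= 0.4.5` matches the changelog entry that bumps it for the TPM 2.0 Key File format.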
