From 24e0fa1181657e8cf8ded925bf2cae7845c42265 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Tue, 20 Feb 2024 00:14:54 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 fde-tools revision 166eeac237c42acb797079e950731717 --- .gitattributes | 23 ++ fde-tools-0.7.2.tar.bz2 | 3 + fde-tools-bsc1213945-set-rsa-key-size.patch | 409 ++++++++++++++++++++ fde-tools-firstboot-alp-snapshot.patch | 18 + fde-tools.changes | 323 ++++++++++++++++ fde-tools.service | 10 + fde-tools.spec | 146 +++++++ 7 files changed, 932 insertions(+) create mode 100644 .gitattributes create mode 100644 fde-tools-0.7.2.tar.bz2 create mode 100644 fde-tools-bsc1213945-set-rsa-key-size.patch create mode 100644 fde-tools-firstboot-alp-snapshot.patch create mode 100644 fde-tools.changes create mode 100644 fde-tools.service create mode 100644 fde-tools.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/fde-tools-0.7.2.tar.bz2 b/fde-tools-0.7.2.tar.bz2 new file mode 100644 index 0000000..8a07027 --- /dev/null +++ b/fde-tools-0.7.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aceb17fce6c8429616a1b86cf8b23488ca2584f33529af556e46f756ce4f2571 +size 28054 diff --git a/fde-tools-bsc1213945-set-rsa-key-size.patch b/fde-tools-bsc1213945-set-rsa-key-size.patch new file mode 100644 index 0000000..6acf666 --- /dev/null +++ b/fde-tools-bsc1213945-set-rsa-key-size.patch @@ -0,0 +1,409 @@ +From 7ab5a433c9fcc8cd56f8f9f7657b32282cb00ee8 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 6 Oct 2023 16:24:54 +0800 +Subject: [PATCH 1/3] Set the RSA key size automatically + +This commit utilizes the new pcr-oracle command, rsa-test, to detect the +highest RSA key size supported by the TPM chip and then uses the key +size for the TPM SRK and the private sign key. + +Signed-off-by: Gary Lin +--- + share/grub2 | 1 + + share/tpm | 53 ++++++++++++++++++++++++++++++++++++++++++++++++--- + sysconfig.fde | 4 ++++ + 3 files changed, 55 insertions(+), 3 deletions(-) + +diff --git a/share/grub2 b/share/grub2 +index aacd20c..97c8d86 100644 +--- a/share/grub2 ++++ b/share/grub2 +@@ -82,6 +82,7 @@ function grub_update_early_config { + + grub_set_control GRUB_ENABLE_CRYPTODISK "y" + grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file" ++ grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}" + + # Do not clear the password implicitly; require fdectl or + # jeos firstboot to do so explicitly. +diff --git a/share/tpm b/share/tpm +index 0cc507a..0396e7e 100644 +--- a/share/tpm ++++ b/share/tpm +@@ -42,13 +42,47 @@ function tpm_present_and_working { + return 0 + } + ++function tpm_set_rsa_key_size { ++ ++ # Check if pcr-oracle supports rsa-test ++ # If pcr-oracle prints "Unknown action", fall back to default. ++ if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then ++ fde_set_variable FDE_RSA_KEY_SIZE "2048" ++ return 0 ++ fi ++ ++ # Find the highest supported RSA key size ++ sizes_to_test="4096 3072 2048" ++ ++ for size in ${sizes_to_test}; do ++ if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then ++ fde_set_variable FDE_RSA_KEY_SIZE "${size}" ++ return 0 ++ fi ++ done ++ ++ fde_trace "Failed to find a valid RSA key size" ++ return 1 ++} ++ + function tpm_seal_key { + + secret=$1 + sealed_secret=$2 + ++ tpm_set_rsa_key_size ++ if [ $? -ne 0 ]; then ++ return 1 ++ fi ++ ++ opt_rsa_bits= ++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then ++ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}" ++ fi ++ + echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 +- pcr-oracle --input "$secret" --output "$sealed_secret" \ ++ pcr-oracle ${opt_rsa_bits} \ ++ --input "$secret" --output "$sealed_secret" \ + --key-format tpm2.0 \ + --algorithm "$FDE_SEAL_PCR_BANK" \ + --from eventlog \ +@@ -97,17 +131,22 @@ function tpm_test { + return $result + } + +- + function tpm_seal_secret { + + secret="$1" + sealed_secret="$2" + authorized_policy="$3" + ++ opt_rsa_bits= ++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then ++ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}" ++ fi ++ + # If we are expected to use an authorized policy, seal the secret + # against that, using pcr-oracle rather than the tpm2 tools + if [ -n "$authorized_policy" ]; then +- pcr-oracle --authorized-policy "$authorized_policy" \ ++ pcr-oracle ${opt_rsa_bits} \ ++ --authorized-policy "$authorized_policy" \ + --key-format tpm2.0 \ + --input $secret \ + --output $sealed_secret \ +@@ -157,6 +196,14 @@ function tpm_create_authorized_policy { + extra_opts= + if [ ! -f "$secret_key" ]; then + extra_opts="--rsa-generate-key" ++ ++ tpm_set_rsa_key_size ++ if [ $? -ne 0 ]; then ++ return 1 ++ fi ++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then ++ extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}" ++ fi + fi + + pcr-oracle $extra_opts \ +diff --git a/sysconfig.fde b/sysconfig.fde +index a3435fe..f3ee38b 100644 +--- a/sysconfig.fde ++++ b/sysconfig.fde +@@ -36,3 +36,7 @@ FDE_DEVS="" + # the bootloader update + # Set to yes/no + FDE_TPM_AUTO_UPDATE="yes" ++ ++# The RSA key size to be used for SRK and the private sign key ++# NOTE: Do not touch this variable. It's updated by fdectl automatically. ++FDE_RSA_KEY_SIZE="2048" +-- +2.35.3 + + +From bee71824675721ae73ce770c0e846f0aba48b441 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 3 Nov 2023 15:04:00 +0800 +Subject: [PATCH 2/3] Detect the RSA sizes supported by the bootloader + +The bootloader may not support the SRK algorithm other than RSA2048. +Use the bootloader specific function to detect the supported RSA sizes. + +Signed-off-by: Gary Lin +--- + share/grub2 | 19 +++++++++++++++++++ + share/systemd-boot | 8 ++++++++ + share/tpm | 2 +- + 3 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/share/grub2 b/share/grub2 +index 97c8d86..cde7680 100644 +--- a/share/grub2 ++++ b/share/grub2 +@@ -33,6 +33,7 @@ alias bootloader_commit_config=grub_commit_config + alias bootloader_get_keyslots=grub_get_keyslots + alias bootloader_remove_keyslots=grub_remove_keyslots + alias bootloader_wipe=grub_wipe ++alias bootloader_rsa_sizes=grub_rsa_sizes + + ################################################################## + # Edit a variable in /etc/default/grub +@@ -224,3 +225,21 @@ function grub_wipe { + + grub_remove_keyslots ${luks_dev} + } ++ ++function grub_rsa_sizes { ++ ++ # Check if the shim-install script supports the SRK algorithm selection. ++ if ! grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"; then ++ echo "2048" ++ return 0 ++ fi ++ ++ # Check if grub2 supports the RSA4096 SRK. ++ if grub2-protect --help | grep -q "RSA4096"; then ++ echo "4096 3072 2048" ++ return 0 ++ fi ++ ++ # TPM 2.0 should at least support RSA2048. ++ echo "2048" ++} +diff --git a/share/systemd-boot b/share/systemd-boot +index a9475a7..27cb088 100644 +--- a/share/systemd-boot ++++ b/share/systemd-boot +@@ -36,6 +36,7 @@ alias bootloader_commit_config=systemd_commit_config + alias bootloader_get_keyslots=systemd_get_keyslots + alias bootloader_remove_keyslots=systemd_remove_keyslots + alias bootloader_wipe=systemd_wipe ++alias bootloader_rsa_sizes=systemd_rsa_sizes + + + function not_implemented { +@@ -175,3 +176,10 @@ function systemd_wipe { + + not_implemented + } ++ ++################################################################## ++# This function lists all the supported RSA key sizes for SRK. ++################################################################## ++function systemd_rsa_sizes { ++ echo "2048" ++} +diff --git a/share/tpm b/share/tpm +index 0396e7e..00a0016 100644 +--- a/share/tpm ++++ b/share/tpm +@@ -52,7 +52,7 @@ function tpm_set_rsa_key_size { + fi + + # Find the highest supported RSA key size +- sizes_to_test="4096 3072 2048" ++ sizes_to_test=$(bootloader_rsa_sizes) + + for size in ${sizes_to_test}; do + if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then +-- +2.35.3 + + +From 8912fa960fcecd218b05df45dae471180ebac156 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 22 Nov 2023 15:35:26 +0800 +Subject: [PATCH 3/3] Refactor the RSA key size code to make it more flexible + +Originally, FDE_RSA_KEY_SIZE was updated automatically and used as a +global variable for both tpm and grub2 scripts. However, there may be a +case that the user has to stick to a specific RSA key size due to some +bug or defect. This commit refactors the RSA key size code to make +FDE_RSA_KEY_SIZE empty by default and honor the user setting if the size +is specified. + +Signed-off-by: Gary Lin +--- + share/grub2 | 5 ++-- + share/tpm | 79 ++++++++++++++++++++++++++++++--------------------- + sysconfig.fde | 5 ++-- + 3 files changed, 52 insertions(+), 37 deletions(-) + +diff --git a/share/grub2 b/share/grub2 +index cde7680..95d4b15 100644 +--- a/share/grub2 ++++ b/share/grub2 +@@ -79,11 +79,12 @@ function grub_get_fde_password { + ################################################################## + function grub_update_early_config { + +- sealed_key_file="$1" ++ local sealed_key_file="$1" ++ local rsa_key_size=$(tpm_get_rsa_key_size) + + grub_set_control GRUB_ENABLE_CRYPTODISK "y" + grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file" +- grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}" ++ grub_set_control GRUB_TPM2_SRK_ALG "RSA${rsa_key_size}" + + # Do not clear the password implicitly; require fdectl or + # jeos firstboot to do so explicitly. +diff --git a/share/tpm b/share/tpm +index 00a0016..43747e7 100644 +--- a/share/tpm ++++ b/share/tpm +@@ -42,13 +42,28 @@ function tpm_present_and_working { + return 0 + } + +-function tpm_set_rsa_key_size { ++function tpm_get_rsa_key_size { ++ ++ declare -g __fde_rsa_key_size ++ ++ if [ -n "$__fde_rsa_key_size" ]; then ++ echo "$__fde_rsa_key_size" ++ return ++ fi ++ ++ if [ -n "$FDE_RSA_KEY_SIZE" ]; then ++ # TODO validate $FDE_RSA_KEY_SIZE ++ __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}" ++ echo "$__fde_rsa_key_size" ++ return ++ fi + + # Check if pcr-oracle supports rsa-test + # If pcr-oracle prints "Unknown action", fall back to default. + if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then +- fde_set_variable FDE_RSA_KEY_SIZE "2048" +- return 0 ++ __fde_rsa_key_size="2048" ++ echo "$__fde_rsa_key_size" ++ return + fi + + # Find the highest supported RSA key size +@@ -56,28 +71,27 @@ function tpm_set_rsa_key_size { + + for size in ${sizes_to_test}; do + if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then +- fde_set_variable FDE_RSA_KEY_SIZE "${size}" +- return 0 ++ __fde_rsa_key_size="${size}" ++ echo "$__fde_rsa_key_size" ++ return + fi + done + +- fde_trace "Failed to find a valid RSA key size" +- return 1 ++ fde_trace "Failed to find a valid RSA key size. Fall back to 2048" ++ __fde_rsa_key_size="2048" ++ echo "$__fde_rsa_key_size" + } + + function tpm_seal_key { + +- secret=$1 +- sealed_secret=$2 ++ local secret=$1 ++ local sealed_secret=$2 + +- tpm_set_rsa_key_size +- if [ $? -ne 0 ]; then +- return 1 +- fi ++ local opt_rsa_bits= ++ local rsa_size=$(tpm_get_rsa_key_size) + +- opt_rsa_bits= +- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then +- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}" ++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then ++ opt_rsa_bits="--rsa-bits ${rsa_size}" + fi + + echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 +@@ -133,13 +147,15 @@ function tpm_test { + + function tpm_seal_secret { + +- secret="$1" +- sealed_secret="$2" +- authorized_policy="$3" ++ local secret="$1" ++ local sealed_secret="$2" ++ local authorized_policy="$3" ++ ++ local opt_rsa_bits= ++ local rsa_size=$(tpm_get_rsa_key_size) + +- opt_rsa_bits= +- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then +- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}" ++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then ++ opt_rsa_bits="--rsa-bits ${rsa_size}" + fi + + # If we are expected to use an authorized policy, seal the secret +@@ -188,21 +204,18 @@ function tpm_set_authorized_policy_paths { + + function tpm_create_authorized_policy { + +- secret_key="$1" +- output_policy="$2" +- public_key="$3" ++ local secret_key="$1" ++ local output_policy="$2" ++ local public_key="$3" + + # Generate the private key if it does not exist +- extra_opts= ++ local extra_opts= + if [ ! -f "$secret_key" ]; then +- extra_opts="--rsa-generate-key" ++ local rsa_size=$(tpm_get_rsa_key_size) + +- tpm_set_rsa_key_size +- if [ $? -ne 0 ]; then +- return 1 +- fi +- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then +- extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}" ++ extra_opts="--rsa-generate-key" ++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then ++ extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi + fi + +diff --git a/sysconfig.fde b/sysconfig.fde +index f3ee38b..741f5b4 100644 +--- a/sysconfig.fde ++++ b/sysconfig.fde +@@ -38,5 +38,6 @@ FDE_DEVS="" + FDE_TPM_AUTO_UPDATE="yes" + + # The RSA key size to be used for SRK and the private sign key +-# NOTE: Do not touch this variable. It's updated by fdectl automatically. +-FDE_RSA_KEY_SIZE="2048" ++# Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl ++# to determine the size at runtime ++FDE_RSA_KEY_SIZE="" +-- +2.35.3 + diff --git a/fde-tools-firstboot-alp-snapshot.patch b/fde-tools-firstboot-alp-snapshot.patch new file mode 100644 index 0000000..397db85 --- /dev/null +++ b/fde-tools-firstboot-alp-snapshot.patch @@ -0,0 +1,18 @@ + firstboot/fde | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: fde-tools-0.6.2/firstboot/fde +=================================================================== +--- fde-tools-0.6.2.orig/firstboot/fde ++++ fde-tools-0.6.2/firstboot/fde +@@ -285,8 +285,8 @@ function fde_systemd_firstboot { + # Get the password that was used during installation. + fde_root_passphrase=$(bootloader_get_fde_password) + if [ -z "$fde_root_passphrase" ]; then +- display_errorbox "Cannot find the initial FDE password for the root file system" +- return 1 ++ # HACK: we just know it's 1234 for the ALP kvm_encrypted image, so go with that ++ fde_root_passphrase=1234 + fi + + if [ ! -s "$KIWI_ROOT_KEYFILE" ]; then diff --git a/fde-tools.changes b/fde-tools.changes new file mode 100644 index 0000000..1f9b0f3 --- /dev/null +++ b/fde-tools.changes @@ -0,0 +1,323 @@ +------------------------------------------------------------------- +Mon Feb 19 06:34:27 UTC 2024 - Gary Ching-Pang Lin + +- Add fde-tools-bsc1213945-set-rsa-key-size.patch to set + the highest supported RSA key size (bsc#1213945) + +------------------------------------------------------------------- +Mon Nov 6 16:02:01 UTC 2023 - Dominique Leuenberger + +- Fix build with RPM 4.19: unnumbered patches are no longer + supported. + +------------------------------------------------------------------- +Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.2 + + Add help output for the command tpm-authorize + + Improve the multi-devices support + +------------------------------------------------------------------- +Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.1 + + add-secondary-key: remove the generation of the secondary + password + + add-secondary-key: remove the inclusion of + 'add-secondary-password' + + luks: list all underlying LUKS device + + Introduce FDE_DEVS to list all LUKS devices +- Drop upstreamd patch + + fde-tools-remove-redundant-2nd-pw-creation.patch + +------------------------------------------------------------------- +Wed Oct 4 07:04:47 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-remove-redundant-2nd-pw-creation.patch to remove + the creation of the secondary password in 'add-secondary-key' + +------------------------------------------------------------------- +Mon Oct 2 08:10:10 UTC 2023 - Gary Ching-Pang Lin + +- Bring ExclusiveArch back and only enable the build for the + architectures with the proper UEFI Secure Boot and TPM 2.0/TCG + protocol support: aarch64 x86_64 riscv64 + +------------------------------------------------------------------- +Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.7.0 + + firstboot: apply the grub.cfg change immediately + + fde-tpm-helper for bootloader RPMs to update the sealed key + automatically + + Fix the find command of 'make dist' + + Clean up the repo + + Make the system flags configurable + + fde-tpm-helper: specify the bootloaders in %post +- Add two new subpackages for the bootloader RPMs to update the + sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros +- Remove ExclusiveArch and set the system directories for 'make' + and 'make install' + +------------------------------------------------------------------- +Tue Aug 29 07:56:44 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.9 + + Redirect the firstboot messages to journald instead of a + standalone log file (bsc#1214581) + + Update /boot/grub2/grub.cfg at the end of firstboot to reflect + the LUKS key change + + Update the version automatically + + Add 'cryptsetup' to 'make dist' + + Fix the version in fde.sh +- Update the download URL + +------------------------------------------------------------------- +Thu Aug 24 07:45:13 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.8 + + Improve the LUKS partition detection to support LUKS over LVM +- Remove openssl and tpm2-0-tss-devel from BuildRequires since all + TPM related programs are already in pcr-oracle +- Add util-linux-systemd to Requires for 'lsblk' + +------------------------------------------------------------------- +Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.7 + + Check failure of authorized policy creation + + Additional check for recovery password +- Drop upstreamed patch + + fde-tools-handle-authorized-policy-failure.patch + +------------------------------------------------------------------- +Thu Jul 27 06:23:22 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-handle-authorized-policy-failure.patch handle the + failure of authorized policy creation + +------------------------------------------------------------------- +Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.6 + + Avoid cleaning the temp directory when calling tpm_test + + firstboot/fde: use functions as the aliases for bootloader + functions + + firstboot/fde: always regenerate initrd + + firstboot/fde: use authorized policy by default + + Support devices other than the root partition +- Drop upstreamed patches + + fde-tools-avoid-cleaning-temp-dir.patch + + fde-tools-fix-bootloader-func.patch + + fde-tools-force-dracut.patch + + fde-tools-enable-authpol-in-firstboot.patch + +------------------------------------------------------------------- +Thu Jul 13 06:57:46 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-enable-authpol-in-firstboot.patch to enable + authorized policy in the firstboot script + +------------------------------------------------------------------- +Fri Jul 7 08:40:25 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-fix-bootloader-func.patch + + Define the bootloader specific functions in the firstboot + script since the aliases are not expanded +- Add fde-tools-force-dracut.patch + + Always regenerate initrd + +------------------------------------------------------------------- +Tue Jul 4 07:02:19 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-avoid-cleaning-temp-dir.patch to avoid cleaning + the temp directory when calling tpm_test + +------------------------------------------------------------------- +Tue Jul 4 02:59:34 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.5 + + LUKS2 keyslot management with the grub-tpm2 token + + Replace mkinitrd with dracut + +------------------------------------------------------------------- +Wed Jun 14 02:39:26 UTC 2023 - Gary Ching-Pang Lin + +- Update to version 0.6.4 + + Add man page and bash completion support + + Switch to TPM 2.0 Key File for grub2 + + Update the installation paths + + Enable authorized policy by default + + Implement 'tpm-disable' command (bsc#1208834) +- Add a subpackage: fde-tools-bash-completion +- Use 'tpm-activate' in the systemd service file +- Add help2man to BuildRequires +- Drop the upstreamed patches + + fde-tools-tpm2.0-key-file-support.patch + + fde-tools-fix-paths.patch + + fde-tools-set-stop-event-for-tpm_authorize.patch + + fde-tools-enable-authorized-policy-by-default.patch + + fde-tools-reduce-iterations.patch + + fde-tools-set-grub.cfg-as-stop-event.patch + +------------------------------------------------------------------- +Thu Jun 8 08:31:15 UTC 2023 - Gary Ching-Pang Lin + +- Fix the path in fde-tools.service + +------------------------------------------------------------------- +Wed Jun 7 00:57:26 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-tpm2.0-key-file-support.patch to support TPM 2.0 + Key File for grub2 +- Bump the required pcr-oracle version to 0.4.5 for the TPM 2.0 Key + File support +- Add fde-tools-reduce-iterations.patch to reduce the iterations + for the key created by luks_add_random_key +- Add fde-tools-set-grub.cfg-as-stop-event.patch to set grub.cfg as + the stop event for the PCR prediction +- Add fde-tools-enable-authorized-policy-by-default.patch to switch + FDE_USE_AUTHORIZED_POLICIES to yes + +------------------------------------------------------------------- +Tue Jun 6 07:32:24 UTC 2023 - Marcus Meissner + +- remove dracut and jeos-firstboot from buildrequires, just specify + the directory. + +------------------------------------------------------------------- +Wed May 17 08:37:47 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-fix-paths.patch to fix the installation paths +- Using the tarball from the github repo +- Remove %clean + +------------------------------------------------------------------- +Fri Apr 21 05:58:08 UTC 2023 - Gary Ching-Pang Lin + +- Update project URL + +------------------------------------------------------------------- +Tue Mar 28 03:19:11 UTC 2023 - Gary Ching-Pang Lin + +- Apply fde-tools-set-stop-event-for-tpm_authorize.patch correctly + +------------------------------------------------------------------- +Mon Mar 6 07:25:45 UTC 2023 - Gary Ching-Pang Lin + +- Add fde-tools-set-stop-event-for-tpm_authorize.patch to set the + stop event when signing the authorized policy + +------------------------------------------------------------------- +Wed Mar 1 10:41:43 UTC 2023 - Olaf Kirch + +- firstboot/fde: ensure that aliases get expanded in shell scripts + This is needed to make the bootloader_foo -> grub2_foo function + name expansion work + +------------------------------------------------------------------- +Tue Feb 28 16:22:19 UTC 2023 - Olaf Kirch + +- Updated to version 0.6.3 +- Fix a bug introduced by the recent change in tempdir handling + +------------------------------------------------------------------- +Mon Jan 9 16:36:00 UTC 2023 - Olaf Kirch + +- Updated to version 0.6.2 +- Several patches that were added last-minute for the December + snapshot have been folded back into git. +- Implement first stab at authorized policies. + +------------------------------------------------------------------- +Wed Dec 14 12:08:06 UTC 2022 - Olaf Kirch + +- Fix several bugs in firstboot + * The approach for reading the initial FDE pass phrase + from /etc/default/grub is not supported in kiwi yet, + so work around that + * The kiwi KVM images have a strange EFI boot path that + does not contain a File component. Try to work + around that. + * shim-install behaves differently between kiwi image build time + and the installed system. Work around. + +------------------------------------------------------------------- +Tue Dec 13 15:56:25 UTC 2022 - Alberto Planas Dominguez + +- Fix source URL + +------------------------------------------------------------------- +Tue Dec 13 11:30:26 UTC 2022 - Olaf Kirch + +- Fix the fde-tpm-enroll.service file + +------------------------------------------------------------------- +Mon Dec 12 15:02:53 UTC 2022 - Olaf Kirch + +- Updated to version 0.6.1 +- Fix tpm-enable subcommand +- Add new add-secondary-key subcommand +- Add a systemd unit file that triggers on the presence of the + key file written by d-installer + +------------------------------------------------------------------- +Wed Dec 7 13:53:56 UTC 2022 - Olaf Kirch + +- Updated to version 0.6 +- pcr-oracle is now a standalone project and package +- Split off the jeos-firstboot stuff into a binary package of its own, + because bare metal installations do not need it +- Refactoring the scripts +- Folded Gary's patches into git. + +------------------------------------------------------------------- +Fri Oct 14 08:25:22 UTC 2022 - Gary Ching-Pang Lin + +- Add bsc1204037-mokutil-check-sb-state.patch to check the + SecureBoot state with mokutil (bsc#1204037) + +------------------------------------------------------------------- +Thu Oct 13 07:02:18 UTC 2022 - Gary Ching-Pang Lin + +- Add bsc1204037-update-grub.cfg-for-pw-only.patch to update + grub.cfg when the user only chooses the pass phrase to encrypt + the disk. (bsc#1204037) + +------------------------------------------------------------------- +Fri Sep 30 11:17:16 UTC 2022 - Dirk Müller + +- add build support for other architectures +- spec file clean ups + +------------------------------------------------------------------- +Fri Sep 16 10:24:54 UTC 2022 - Olaf Kirch + +- Move the (shipped) keyfile into /root to avoid issues with r/o root + +------------------------------------------------------------------- +Tue Sep 13 15:55:21 UTC 2022 - Olaf Kirch + +- Introduce a specific unit script that takes care of mounting root + early (to avoid conflicts with ignition). + +------------------------------------------------------------------- +Mon Aug 29 11:02:58 UTC 2022 - Olaf Kirch + +- Make the firstboot workflow smarter (offer different key protectors) + +------------------------------------------------------------------- +Mon Aug 15 14:53:12 UTC 2022 - Olaf Kirch + +- Fixed typo of tpm2_key_protector_clear + +------------------------------------------------------------------- +Mon Aug 15 09:43:16 UTC 2022 - Olaf Kirch + +- Renamed to fde-tools-0.1 +- included firstboot stuff + +------------------------------------------------------------------- +Tue Jul 26 12:54:28 UTC 2022 - Olaf Kirch + +- Initial build as package pcr-oracle diff --git a/fde-tools.service b/fde-tools.service new file mode 100644 index 0000000..32ba3b5 --- /dev/null +++ b/fde-tools.service @@ -0,0 +1,10 @@ +[Unit] +Description=Activate TPM for Full Disk Encryption +Wants=local-fs.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/fdectl tpm-activate + +[Install] +WantedBy=default.target diff --git a/fde-tools.spec b/fde-tools.spec new file mode 100644 index 0000000..2155ab8 --- /dev/null +++ b/fde-tools.spec @@ -0,0 +1,146 @@ +# +# spec file for package fde-tools +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: fde-tools +Version: 0.7.2 +Release: 0 +Summary: Tools required for Full Disk Encryption +License: GPL-2.0-only +Group: System/Boot +URL: https://github.com/openSUSE/fde-tools +Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 +Source1: fde-tools.service +Patch0: fde-tools-firstboot-alp-snapshot.patch +Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch +BuildRequires: help2man +BuildRequires: pkgconfig(libcryptsetup) +BuildRequires: pkgconfig(libfido2) +Requires: cryptsetup +Requires: mokutil +Requires: pcr-oracle >= 0.4.5 +Requires: util-linux-systemd +ExclusiveArch: aarch64 x86_64 riscv64 + +%description +This package provides several components required to support Full Disk +Encryption. + +%package -n fde-firstboot +Summary: Full Disk Encryption for images +Group: System/Boot +Requires: fde-tools +Requires: jeos-firstboot + +%description -n fde-firstboot +This package contains the scripts necessary to plug Full Disk Encryption +into the JeOS Firstboot framework used for image based delivery of ALP. + +%package bash-completion +Summary: Bash completion for fde-tools +Group: Productivity/File utilities +Requires: bash-completion +Requires: fde-tools +Supplements: (fde-tools and bash-completion) +BuildArch: noarch + +%description bash-completion +Bash shell completions for fde-tools + +%package -n fde-tpm-helper +Summary: TPM helper for fde-tools +Group: System/Boot + +%description -n fde-tpm-helper +This package contains the TPM helper script for the bootloader packages +to update the signature in the sealed key. + +%package -n fde-tpm-helper-rpm-macros +Summary: RPM macros for fde-tools +Group: Development/Tools/Building + +%description -n fde-tpm-helper-rpm-macros +This package contains the RPM macros for the bootloader packages to +update the signature in the sealed key. + +%prep +%autosetup -p1 + +%build +%make_build \ + CCFLAGS="%optflags" \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" + +%install +%make_install \ + LIBDIR="%{_libdir}" \ + LIBEXECDIR="%{_libexecdir}" \ + SBINDIR="%{_sbindir}" \ + DATADIR="%{_datadir}" \ + SYSCONFDIR="%{_sysconfdir}" + +mkdir -p %{buildroot}%{_fillupdir} +mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools + +mkdir -p %{buildroot}%{_unitdir} +cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service + +%pre +%service_add_pre fde-tpm-enroll.service + +%post +%service_add_post fde-tpm-enroll.service +%fillup_and_insserv + +%preun +%service_del_preun fde-tpm-enroll.service + +%postun +%service_del_postun fde-tpm-enroll.service + +%files +%{_sbindir}/fdectl +%{_sbindir}/fde-token +%{_sbindir}/fdectl-grub-tpm2 +%dir %{_sysconfdir}/fde +%{_fillupdir}/sysconfig.* +%{_datadir}/fde +%{_unitdir}/fde-tpm-enroll.service +%{_mandir}/man8/fdectl.8.gz +%dir %{_libdir}/cryptsetup/ +%{_libdir}/cryptsetup/libcryptsetup-token-*.so + +%files bash-completion +%{_datadir}/bash-completion/completions/fdectl + +%files -n fde-firstboot +%dir %{_datadir}/jeos-firstboot +%dir %{_datadir}/jeos-firstboot/modules +%{_datadir}/jeos-firstboot/modules/fde + +%files -n fde-tpm-helper +%dir %{_libexecdir}/fde +%{_libexecdir}/fde/fde-tpm-helper + +%files -n fde-tpm-helper-rpm-macros +%config %{_sysconfdir}/rpm/macros.fde-tpm-helper + +%changelog