Sync from SUSE:ALP:Source:Standard:1.0 fde-tools revision 166eeac237c42acb797079e950731717
24e0fa1181
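--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text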
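--- /dev/null
+++ b/fde-tools-bsc1213945-set-rsa-key-size.patch
@@ -0,0 +1,409 @@
+From 7ab5a433c9fcc8cd56f8f9f7657b32282cb00ee8 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 6 Oct 2023 16:24:54 +0800
+Subject: [PATCH 1/3] Set the RSA key size automatically
+
+This commit utilizes the new pcr-oracle command, rsa-test, to detect the
+highest RSA key size supported by the TPM chip and then uses the key
+size for the TPM SRK and the private sign key.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+share/grub2 | 1 +
+share/tpm | 53 ++++++++++++++++++++++++++++++++++++++++++++++++---
+sysconfig.fde | 4 ++++
+3 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/share/grub2 b/share/grub2
+index aacd20c..97c8d86 100644
+--- a/share/grub2
++++ b/share/grub2
+@@ -82,6 +82,7 @@ function grub_update_early_config {
+
+grub_set_control GRUB_ENABLE_CRYPTODISK "y"
+grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
++ grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
+
+# Do not clear the password implicitly; require fdectl or
+# jeos firstboot to do so explicitly.
+diff --git a/share/tpm b/share/tpm
+index 0cc507a..0396e7e 100644
+--- a/share/tpm
++++ b/share/tpm
+@@ -42,13 +42,47 @@ function tpm_present_and_working {
+return 0
+}
+
++function tpm_set_rsa_key_size {
++
++ # Check if pcr-oracle supports rsa-test
++ # If pcr-oracle prints "Unknown action", fall back to default.
++ if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
++ fde_set_variable FDE_RSA_KEY_SIZE "2048"
++ return 0
++ fi
++
++ # Find the highest supported RSA key size
++ sizes_to_test="4096 3072 2048"
++
++ for size in ${sizes_to_test}; do
++ if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
++ fde_set_variable FDE_RSA_KEY_SIZE "${size}"
++ return 0
++ fi
++ done
++
++ fde_trace "Failed to find a valid RSA key size"
++ return 1
++}
++
+function tpm_seal_key {
+
+secret=$1
+sealed_secret=$2
+
++ tpm_set_rsa_key_size
++ if [ $? -ne 0 ]; then
++ return 1
++ fi
++
++ opt_rsa_bits=
++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
++ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
++ fi
++
+echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
+- pcr-oracle --input "$secret" --output "$sealed_secret" \
++ pcr-oracle ${opt_rsa_bits} \
++ --input "$secret" --output "$sealed_secret" \
+--key-format tpm2.0 \
+--algorithm "$FDE_SEAL_PCR_BANK" \
+--from eventlog \
+@@ -97,17 +131,22 @@ function tpm_test {
+return $result
+}
+
+-
+function tpm_seal_secret {
+
+secret="$1"
+sealed_secret="$2"
+authorized_policy="$3"
+
++ opt_rsa_bits=
++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
++ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
++ fi
++
+# If we are expected to use an authorized policy, seal the secret
+# against that, using pcr-oracle rather than the tpm2 tools
+if [ -n "$authorized_policy" ]; then
+- pcr-oracle --authorized-policy "$authorized_policy" \
++ pcr-oracle ${opt_rsa_bits} \
++ --authorized-policy "$authorized_policy" \
+--key-format tpm2.0 \
+--input $secret \
+--output $sealed_secret \
+@@ -157,6 +196,14 @@ function tpm_create_authorized_policy {
+extra_opts=
+if [ ! -f "$secret_key" ]; then
+extra_opts="--rsa-generate-key"
++
++ tpm_set_rsa_key_size
++ if [ $? -ne 0 ]; then
++ return 1
++ fi
++ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
++ extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
++ fi
+fi
+
+pcr-oracle $extra_opts \
+diff --git a/sysconfig.fde b/sysconfig.fde
+index a3435fe..f3ee38b 100644
+--- a/sysconfig.fde
++++ b/sysconfig.fde
+@@ -36,3 +36,7 @@ FDE_DEVS=""
+# the bootloader update
+# Set to yes/no
+FDE_TPM_AUTO_UPDATE="yes"
++
++# The RSA key size to be used for SRK and the private sign key
++# NOTE: Do not touch this variable. It's updated by fdectl automatically.
++FDE_RSA_KEY_SIZE="2048"
+--
+2.35.3
+
+
+From bee71824675721ae73ce770c0e846f0aba48b441 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 3 Nov 2023 15:04:00 +0800
+Subject: [PATCH 2/3] Detect the RSA sizes supported by the bootloader
+
+The bootloader may not support the SRK algorithm other than RSA2048.
+Use the bootloader specific function to detect the supported RSA sizes.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+share/grub2 | 19 +++++++++++++++++++
+share/systemd-boot | 8 ++++++++
+share/tpm | 2 +-
+3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/share/grub2 b/share/grub2
+index 97c8d86..cde7680 100644
+--- a/share/grub2
++++ b/share/grub2
+@@ -33,6 +33,7 @@ alias bootloader_commit_config=grub_commit_config
+alias bootloader_get_keyslots=grub_get_keyslots
+alias bootloader_remove_keyslots=grub_remove_keyslots
+alias bootloader_wipe=grub_wipe
++alias bootloader_rsa_sizes=grub_rsa_sizes
+
+##################################################################
+# Edit a variable in /etc/default/grub
+@@ -224,3 +225,21 @@ function grub_wipe {
+
+grub_remove_keyslots ${luks_dev}
+}
++
++function grub_rsa_sizes {
++
++ # Check if the shim-install script supports the SRK algorithm selection.
++ if ! grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"; then
++ echo "2048"
++ return 0
++ fi
++
++ # Check if grub2 supports the RSA4096 SRK.
++ if grub2-protect --help | grep -q "RSA4096"; then
++ echo "4096 3072 2048"
++ return 0
++ fi
++
++ # TPM 2.0 should at least support RSA2048.
++ echo "2048"
++}
+diff --git a/share/systemd-boot b/share/systemd-boot
+index a9475a7..27cb088 100644
+--- a/share/systemd-boot
++++ b/share/systemd-boot
+@@ -36,6 +36,7 @@ alias bootloader_commit_config=systemd_commit_config
+alias bootloader_get_keyslots=systemd_get_keyslots
+alias bootloader_remove_keyslots=systemd_remove_keyslots
+alias bootloader_wipe=systemd_wipe
++alias bootloader_rsa_sizes=systemd_rsa_sizes
+
+
+function not_implemented {
+@@ -175,3 +176,10 @@ function systemd_wipe {
+
+not_implemented
+}
++
++##################################################################
++# This function lists all the supported RSA key sizes for SRK.
++##################################################################
++function systemd_rsa_sizes {
++ echo "2048"
++}
+diff --git a/share/tpm b/share/tpm
+index 0396e7e..00a0016 100644
+--- a/share/tpm
++++ b/share/tpm
+@@ -52,7 +52,7 @@ function tpm_set_rsa_key_size {
+fi
+
+# Find the highest supported RSA key size
+- sizes_to_test="4096 3072 2048"
++ sizes_to_test=$(bootloader_rsa_sizes)
+
+for size in ${sizes_to_test}; do
+if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
+--
+2.35.3
+
+
+From 8912fa960fcecd218b05df45dae471180ebac156 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 22 Nov 2023 15:35:26 +0800
+Subject: [PATCH 3/3] Refactor the RSA key size code to make it more flexible
+
+Originally, FDE_RSA_KEY_SIZE was updated automatically and used as a
+global variable for both tpm and grub2 scripts. However, there may be a
+case that the user has to stick to a specific RSA key size due to some
+bug or defect. This commit refactors the RSA key size code to make
+FDE_RSA_KEY_SIZE empty by default and honor the user setting if the size
+is specified.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+share/grub2 | 5 ++--
+share/tpm | 79 ++++++++++++++++++++++++++++++---------------------
+sysconfig.fde | 5 ++--
+3 files changed, 52 insertions(+), 37 deletions(-)
+
+diff --git a/share/grub2 b/share/grub2
+index cde7680..95d4b15 100644
+--- a/share/grub2
++++ b/share/grub2
+@@ -79,11 +79,12 @@ function grub_get_fde_password {
+##################################################################
+function grub_update_early_config {
+
+- sealed_key_file="$1"
++ local sealed_key_file="$1"
++ local rsa_key_size=$(tpm_get_rsa_key_size)
+
+grub_set_control GRUB_ENABLE_CRYPTODISK "y"
+grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
+- grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
++ grub_set_control GRUB_TPM2_SRK_ALG "RSA${rsa_key_size}"
+
+# Do not clear the password implicitly; require fdectl or
+# jeos firstboot to do so explicitly.
+diff --git a/share/tpm b/share/tpm
+index 00a0016..43747e7 100644
+--- a/share/tpm
++++ b/share/tpm
+@@ -42,13 +42,28 @@ function tpm_present_and_working {
+return 0
+}
+
+-function tpm_set_rsa_key_size {
++function tpm_get_rsa_key_size {
++
++ declare -g __fde_rsa_key_size
++
++ if [ -n "$__fde_rsa_key_size" ]; then
++ echo "$__fde_rsa_key_size"
++ return
++ fi
++
++ if [ -n "$FDE_RSA_KEY_SIZE" ]; then
++ # TODO validate $FDE_RSA_KEY_SIZE
++ __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
++ echo "$__fde_rsa_key_size"
++ return
++ fi
+
+# Check if pcr-oracle supports rsa-test
+# If pcr-oracle prints "Unknown action", fall back to default.
+if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
+- fde_set_variable FDE_RSA_KEY_SIZE "2048"
+- return 0
++ __fde_rsa_key_size="2048"
++ echo "$__fde_rsa_key_size"
++ return
+fi
+
+# Find the highest supported RSA key size
+@@ -56,28 +71,27 @@ function tpm_set_rsa_key_size {
+
+for size in ${sizes_to_test}; do
+if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
+- fde_set_variable FDE_RSA_KEY_SIZE "${size}"
+- return 0
++ __fde_rsa_key_size="${size}"
++ echo "$__fde_rsa_key_size"
++ return
+fi
+done
+
+- fde_trace "Failed to find a valid RSA key size"
+- return 1
++ fde_trace "Failed to find a valid RSA key size. Fall back to 2048"
++ __fde_rsa_key_size="2048"
++ echo "$__fde_rsa_key_size"
+}
+
+function tpm_seal_key {
+
+- secret=$1
+- sealed_secret=$2
++ local secret=$1
++ local sealed_secret=$2
+
+- tpm_set_rsa_key_size
+- if [ $? -ne 0 ]; then
+- return 1
+- fi
++ local opt_rsa_bits=
++ local rsa_size=$(tpm_get_rsa_key_size)
+
+- opt_rsa_bits=
+- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
++ opt_rsa_bits="--rsa-bits ${rsa_size}"
+fi
+
+echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
+@@ -133,13 +147,15 @@ function tpm_test {
+
+function tpm_seal_secret {
+
+- secret="$1"
+- sealed_secret="$2"
+- authorized_policy="$3"
++ local secret="$1"
++ local sealed_secret="$2"
++ local authorized_policy="$3"
++
++ local opt_rsa_bits=
++ local rsa_size=$(tpm_get_rsa_key_size)
+
+- opt_rsa_bits=
+- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
++ opt_rsa_bits="--rsa-bits ${rsa_size}"
+fi
+
+# If we are expected to use an authorized policy, seal the secret
+@@ -188,21 +204,18 @@ function tpm_set_authorized_policy_paths {
+
+function tpm_create_authorized_policy {
+
+- secret_key="$1"
+- output_policy="$2"
+- public_key="$3"
++ local secret_key="$1"
++ local output_policy="$2"
++ local public_key="$3"
+
+# Generate the private key if it does not exist
+- extra_opts=
++ local extra_opts=
+if [ ! -f "$secret_key" ]; then
+- extra_opts="--rsa-generate-key"
++ local rsa_size=$(tpm_get_rsa_key_size)
+
+- tpm_set_rsa_key_size
+- if [ $? -ne 0 ]; then
+- return 1
+- fi
+- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+- extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
++ extra_opts="--rsa-generate-key"
++ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
++ extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
+fi
+fi
+
+diff --git a/sysconfig.fde b/sysconfig.fde
+index f3ee38b..741f5b4 100644
+--- a/sysconfig.fde
++++ b/sysconfig.fde
+@@ -38,5 +38,6 @@ FDE_DEVS=""
+FDE_TPM_AUTO_UPDATE="yes"
+
+# The RSA key size to be used for SRK and the private sign key
+-# NOTE: Do not touch this variable. It's updated by fdectl automatically.
+-FDE_RSA_KEY_SIZE="2048"
++# Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl
++# to determine the size at runtime
++FDE_RSA_KEY_SIZE=""
+--
+2.35.3
+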
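Review bot: In the PATCH 3/3 `share/tpm` hunk, `tpm_get_rsa_key_size` echoes a user-supplied `FDE_RSA_KEY_SIZE` unchecked (the `# TODO validate $FDE_RSA_KEY_SIZE` line), so a value outside 2048/3072/4096, or one the installed bootloader cannot unseal with, flows straight into `pcr-oracle --rsa-bits` in the three sealing callers and into `GRUB_TPM2_SRK_ALG` in the grub2 hunk; a non-numeric value additionally makes the callers' `[ "$rsa_size" -ne 2048 ]` test abort. PATCH 2/3 introduced `bootloader_rsa_sizes` for exactly this purpose, so the override should be accepted only if it appears in that list, and otherwise logged with `fde_trace` and ignored in favour of runtime detection, which keeps the function's always-prints-a-size contract that the `$(...)` callers rely on. The function's body continues in the following `@@ -56,28 +71,27 @@` hunk.
```shell
	if [ -n "$FDE_RSA_KEY_SIZE" ]; then
		# Honor the override only when the bootloader can use that SRK size
		for size in $(bootloader_rsa_sizes); do
			if [ "$size" = "$FDE_RSA_KEY_SIZE" ]; then
				__fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
				echo "$__fde_rsa_key_size"
				return
			fi
		done
		fde_trace "Ignoring unsupported FDE_RSA_KEY_SIZE '$FDE_RSA_KEY_SIZE'; detecting the size at runtime"
	fi
	# … unchanged: pcr-oracle rsa-test probing and fallback …
```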
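--- /dev/null
+++ b/fde-tools-firstboot-alp-snapshot.patch
@@ -0,0 +1,18 @@
+firstboot/fde | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: fde-tools-0.6.2/firstboot/fde
+===================================================================
+--- fde-tools-0.6.2.orig/firstboot/fde
++++ fde-tools-0.6.2/firstboot/fde
+@@ -285,8 +285,8 @@ function fde_systemd_firstboot {
+# Get the password that was used during installation.
+fde_root_passphrase=$(bootloader_get_fde_password)
+if [ -z "$fde_root_passphrase" ]; then
+- display_errorbox "Cannot find the initial FDE password for the root file system"
+- return 1
++ # HACK: we just know it's 1234 for the ALP kvm_encrypted image, so go with that
++ fde_root_passphrase=1234
+fi
+
+if [ ! -s "$KIWI_ROOT_KEYFILE" ]; then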
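Review bot: Replacing the `display_errorbox`/`return 1` branch in `fde_systemd_firstboot` makes every system whose `bootloader_get_fde_password` lookup comes back empty continue with a fixed passphrase, not only the ALP kvm_encrypted image the HACK comment names, so on any other image firstboot proceeds with a wrong value instead of reporting the real failure, and a fixed credential now lives in the package rather than being confined to that image. Keep the error path and gate the fallback on an explicit marker that only that image provides, e.g. `if [ -z "$fde_root_passphrase" ] && <image marker check, to be defined>; then` before the assignment, with the original `display_errorbox`/`return 1` restored as the `else` case. The patch header targets `fde-tools-0.6.2` paths while this package ships 0.7.2, so it presumably applies with fuzz; worth confirming the hunk still lands in `fde_systemd_firstboot`, whose body starts and ends outside the hunk.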
323
fde-tools.changes
Normal file
323
fde-tools.changes
Normal file
@ -0,0 +1,323 @@
-------------------------------------------------------------------
Mon Feb 19 06:34:27 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-bsc1213945-set-rsa-key-size.patch to set
the highest supported RSA key size (bsc#1213945)
-------------------------------------------------------------------
Mon Nov 6 16:02:01 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix build with RPM 4.19: unnumbered patches are no longer
supported.
-------------------------------------------------------------------
Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.2
+ Add help output for the command tpm-authorize
+ Improve the multi-devices support
-------------------------------------------------------------------
Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.1
+ add-secondary-key: remove the generation of the secondary
password
+ add-secondary-key: remove the inclusion of
'add-secondary-password'
+ luks: list all underlying LUKS device
+ Introduce FDE_DEVS to list all LUKS devices
- Drop upstreamd patch
+ fde-tools-remove-redundant-2nd-pw-creation.patch
-------------------------------------------------------------------
Wed Oct 4 07:04:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-remove-redundant-2nd-pw-creation.patch to remove
the creation of the secondary password in 'add-secondary-key'
-------------------------------------------------------------------
Mon Oct 2 08:10:10 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Bring ExclusiveArch back and only enable the build for the
architectures with the proper UEFI Secure Boot and TPM 2.0/TCG
protocol support: aarch64 x86_64 riscv64
-------------------------------------------------------------------
Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.0
+ firstboot: apply the grub.cfg change immediately
+ fde-tpm-helper for bootloader RPMs to update the sealed key
automatically
+ Fix the find command of 'make dist'
+ Clean up the repo
+ Make the system flags configurable
+ fde-tpm-helper: specify the bootloaders in %post
- Add two new subpackages for the bootloader RPMs to update the
sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros
- Remove ExclusiveArch and set the system directories for 'make'
and 'make install'
-------------------------------------------------------------------
Tue Aug 29 07:56:44 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.9
+ Redirect the firstboot messages to journald instead of a
standalone log file (bsc#1214581)
+ Update /boot/grub2/grub.cfg at the end of firstboot to reflect
the LUKS key change
+ Update the version automatically
+ Add 'cryptsetup' to 'make dist'
+ Fix the version in fde.sh
- Update the download URL
-------------------------------------------------------------------
Thu Aug 24 07:45:13 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.8
+ Improve the LUKS partition detection to support LUKS over LVM
- Remove openssl and tpm2-0-tss-devel from BuildRequires since all
TPM related programs are already in pcr-oracle
- Add util-linux-systemd to Requires for 'lsblk'
-------------------------------------------------------------------
Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.7
+ Check failure of authorized policy creation
+ Additional check for recovery password
- Drop upstreamed patch
+ fde-tools-handle-authorized-policy-failure.patch
-------------------------------------------------------------------
Thu Jul 27 06:23:22 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-handle-authorized-policy-failure.patch handle the
failure of authorized policy creation
-------------------------------------------------------------------
Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.6
+ Avoid cleaning the temp directory when calling tpm_test
+ firstboot/fde: use functions as the aliases for bootloader
functions
+ firstboot/fde: always regenerate initrd
+ firstboot/fde: use authorized policy by default
+ Support devices other than the root partition
- Drop upstreamed patches
+ fde-tools-avoid-cleaning-temp-dir.patch
+ fde-tools-fix-bootloader-func.patch
+ fde-tools-force-dracut.patch
+ fde-tools-enable-authpol-in-firstboot.patch
-------------------------------------------------------------------
Thu Jul 13 06:57:46 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-enable-authpol-in-firstboot.patch to enable
authorized policy in the firstboot script
-------------------------------------------------------------------
Fri Jul 7 08:40:25 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-fix-bootloader-func.patch
+ Define the bootloader specific functions in the firstboot
script since the aliases are not expanded
- Add fde-tools-force-dracut.patch
+ Always regenerate initrd
-------------------------------------------------------------------
Tue Jul 4 07:02:19 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-avoid-cleaning-temp-dir.patch to avoid cleaning
the temp directory when calling tpm_test
-------------------------------------------------------------------
Tue Jul 4 02:59:34 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.5
+ LUKS2 keyslot management with the grub-tpm2 token
+ Replace mkinitrd with dracut
-------------------------------------------------------------------
Wed Jun 14 02:39:26 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.4
+ Add man page and bash completion support
+ Switch to TPM 2.0 Key File for grub2
+ Update the installation paths
+ Enable authorized policy by default
+ Implement 'tpm-disable' command (bsc#1208834)
- Add a subpackage: fde-tools-bash-completion
- Use 'tpm-activate' in the systemd service file
- Add help2man to BuildRequires
- Drop the upstreamed patches
+ fde-tools-tpm2.0-key-file-support.patch
+ fde-tools-fix-paths.patch
+ fde-tools-set-stop-event-for-tpm_authorize.patch
+ fde-tools-enable-authorized-policy-by-default.patch
+ fde-tools-reduce-iterations.patch
+ fde-tools-set-grub.cfg-as-stop-event.patch
-------------------------------------------------------------------
Thu Jun 8 08:31:15 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Fix the path in fde-tools.service
-------------------------------------------------------------------
Wed Jun 7 00:57:26 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-tpm2.0-key-file-support.patch to support TPM 2.0
Key File for grub2
- Bump the required pcr-oracle version to 0.4.5 for the TPM 2.0 Key
File support
- Add fde-tools-reduce-iterations.patch to reduce the iterations
for the key created by luks_add_random_key
- Add fde-tools-set-grub.cfg-as-stop-event.patch to set grub.cfg as
the stop event for the PCR prediction
- Add fde-tools-enable-authorized-policy-by-default.patch to switch
FDE_USE_AUTHORIZED_POLICIES to yes
-------------------------------------------------------------------
Tue Jun 6 07:32:24 UTC 2023 - Marcus Meissner <meissner@suse.com>
- remove dracut and jeos-firstboot from buildrequires, just specify
the directory.
-------------------------------------------------------------------
Wed May 17 08:37:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-fix-paths.patch to fix the installation paths
- Using the tarball from the github repo
- Remove %clean
-------------------------------------------------------------------
Fri Apr 21 05:58:08 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update project URL
-------------------------------------------------------------------
Tue Mar 28 03:19:11 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Apply fde-tools-set-stop-event-for-tpm_authorize.patch correctly
-------------------------------------------------------------------
Mon Mar 6 07:25:45 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-set-stop-event-for-tpm_authorize.patch to set the
stop event when signing the authorized policy
-------------------------------------------------------------------
Wed Mar 1 10:41:43 UTC 2023 - Olaf Kirch <okir@suse.com>
- firstboot/fde: ensure that aliases get expanded in shell scripts
This is needed to make the bootloader_foo -> grub2_foo function
name expansion work
-------------------------------------------------------------------
Tue Feb 28 16:22:19 UTC 2023 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6.3
- Fix a bug introduced by the recent change in tempdir handling
-------------------------------------------------------------------
Mon Jan 9 16:36:00 UTC 2023 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6.2
- Several patches that were added last-minute for the December
snapshot have been folded back into git.
- Implement first stab at authorized policies.
-------------------------------------------------------------------
Wed Dec 14 12:08:06 UTC 2022 - Olaf Kirch <okir@suse.com>
- Fix several bugs in firstboot
* The approach for reading the initial FDE pass phrase
from /etc/default/grub is not supported in kiwi yet,
|
||||||
|
so work around that
|
||||||
|
* The kiwi KVM images have a strange EFI boot path that
|
||||||
|
does not contain a File component. Try to work
|
||||||
|
around that.
|
||||||
|
* shim-install behaves differently between kiwi image build time
|
||||||
|
and the installed system. Work around.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 13 15:56:25 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||||
|
|
||||||
|
- Fix source URL
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 13 11:30:26 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Fix the fde-tpm-enroll.service file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Dec 12 15:02:53 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Updated to version 0.6.1
|
||||||
|
- Fix tpm-enable subcommand
|
||||||
|
- Add new add-secondary-key subcommand
|
||||||
|
- Add a systemd unit file that triggers on the presence of the
|
||||||
|
key file written by d-installer
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 7 13:53:56 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Updated to version 0.6
|
||||||
|
- pcr-oracle is now a standalone project and package
|
||||||
|
- Split off the jeos-firstboot stuff into a binary package of its own,
|
||||||
|
because bare metal installations do not need it
|
||||||
|
- Refactoring the scripts
|
||||||
|
- Folded Gary's patches into git.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 14 08:25:22 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Add bsc1204037-mokutil-check-sb-state.patch to check the
|
||||||
|
SecureBoot state with mokutil (bsc#1204037)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 13 07:02:18 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Add bsc1204037-update-grub.cfg-for-pw-only.patch to update
|
||||||
|
grub.cfg when the user only chooses the pass phrase to encrypt
|
||||||
|
the disk. (bsc#1204037)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 30 11:17:16 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- add build support for other architectures
|
||||||
|
- spec file clean ups
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 16 10:24:54 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Move the (shipped) keyfile into /root to avoid issues with r/o root
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 13 15:55:21 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Introduce a specific unit script that takes care of mounting root
|
||||||
|
early (to avoid conflicts with ignition).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 29 11:02:58 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Make the firstboot workflow smarter (offer different key protectors)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 15 14:53:12 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Fixed typo of tpm2_key_protector_clear
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 15 09:43:16 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Renamed to fde-tools-0.1
|
||||||
|
- included firstboot stuff
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 26 12:54:28 UTC 2022 - Olaf Kirch <okir@suse.com>
|
||||||
|
|
||||||
|
- Initial build as package pcr-oracle
|
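--- a/fde-tools.service
+++ b/fde-tools.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Activate TPM for Full Disk Encryption
+Wants=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/fdectl tpm-activate
+
+[Install]
+WantedBy=default.target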
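Review bot: `Wants=local-fs.target` in the [Unit] section only pulls the target in; it does not order this oneshot after it, so `fdectl tpm-activate` may run before local filesystems are mounted if it reads key material or configuration from them — if so, add `After=local-fs.target` next to the `Wants=` line. The changelog describes the enroll unit as triggering on the presence of a key file written by the installer, but no `ConditionPathExists=` is visible here; presumably that gating lives inside fdectl, which is worth confirming so the unit does not fail on every boot where no key file exists. A one-line comment above `ExecStart=` naming the expected precondition, e.g. `# Expects the installer-written key file; fdectl exits early when it is absent`, would make the contract explicit.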
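--- a/fde-tools.spec
+++ b/fde-tools.spec
@@ -0,0 +1,146 @@
+#
+# spec file for package fde-tools
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: fde-tools
+Version: 0.7.2
+Release: 0
+Summary: Tools required for Full Disk Encryption
+License: GPL-2.0-only
+Group: System/Boot
+URL: https://github.com/openSUSE/fde-tools
+Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
+Source1: fde-tools.service
+Patch0: fde-tools-firstboot-alp-snapshot.patch
+Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch
+BuildRequires: help2man
+BuildRequires: pkgconfig(libcryptsetup)
+BuildRequires: pkgconfig(libfido2)
+Requires: cryptsetup
+Requires: mokutil
+Requires: pcr-oracle >= 0.4.5
+Requires: util-linux-systemd
+ExclusiveArch: aarch64 x86_64 riscv64
+
+%description
+This package provides several components required to support Full Disk
+Encryption.
+
+%package -n fde-firstboot
+Summary: Full Disk Encryption for images
+Group: System/Boot
+Requires: fde-tools
+Requires: jeos-firstboot
+
+%description -n fde-firstboot
+This package contains the scripts necessary to plug Full Disk Encryption
+into the JeOS Firstboot framework used for image based delivery of ALP.
+
+%package bash-completion
+Summary: Bash completion for fde-tools
+Group: Productivity/File utilities
+Requires: bash-completion
+Requires: fde-tools
+Supplements: (fde-tools and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash shell completions for fde-tools
+
+%package -n fde-tpm-helper
+Summary: TPM helper for fde-tools
+Group: System/Boot
+
+%description -n fde-tpm-helper
+This package contains the TPM helper script for the bootloader packages
+to update the signature in the sealed key.
+
+%package -n fde-tpm-helper-rpm-macros
+Summary: RPM macros for fde-tools
+Group: Development/Tools/Building
+
+%description -n fde-tpm-helper-rpm-macros
+This package contains the RPM macros for the bootloader packages to
+update the signature in the sealed key.
+
+%prep
+%autosetup -p1
+
+%build
+%make_build \
+CCFLAGS="%optflags" \
+LIBDIR="%{_libdir}" \
+LIBEXECDIR="%{_libexecdir}" \
+SBINDIR="%{_sbindir}" \
+DATADIR="%{_datadir}" \
+SYSCONFDIR="%{_sysconfdir}"
+
+%install
+%make_install \
+LIBDIR="%{_libdir}" \
+LIBEXECDIR="%{_libexecdir}" \
+SBINDIR="%{_sbindir}" \
+DATADIR="%{_datadir}" \
+SYSCONFDIR="%{_sysconfdir}"
+
+mkdir -p %{buildroot}%{_fillupdir}
+mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools
+
+mkdir -p %{buildroot}%{_unitdir}
+cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service
+
+%pre
+%service_add_pre fde-tpm-enroll.service
+
+%post
+%service_add_post fde-tpm-enroll.service
+%fillup_and_insserv
+
+%preun
+%service_del_preun fde-tpm-enroll.service
+
+%postun
+%service_del_postun fde-tpm-enroll.service
+
+%files
+%{_sbindir}/fdectl
+%{_sbindir}/fde-token
+%{_sbindir}/fdectl-grub-tpm2
+%dir %{_sysconfdir}/fde
+%{_fillupdir}/sysconfig.*
+%{_datadir}/fde
+%{_unitdir}/fde-tpm-enroll.service
+%{_mandir}/man8/fdectl.8.gz
+%dir %{_libdir}/cryptsetup/
+%{_libdir}/cryptsetup/libcryptsetup-token-*.so
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/fdectl
+
+%files -n fde-firstboot
+%dir %{_datadir}/jeos-firstboot
+%dir %{_datadir}/jeos-firstboot/modules
+%{_datadir}/jeos-firstboot/modules/fde
+
+%files -n fde-tpm-helper
+%dir %{_libexecdir}/fde
+%{_libexecdir}/fde/fde-tpm-helper
+
+%files -n fde-tpm-helper-rpm-macros
+%config %{_sysconfdir}/rpm/macros.fde-tpm-helper
+
+%changelog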
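Review bot: `Requires: pcr-oracle >= 0.4.5` looks too low for the code this spec now ships: Patch1 (`fde-tools-bsc1213945-set-rsa-key-size.patch`) appears to make fdectl call a newer pcr-oracle subcommand to pick the RSA key size for TPM sealing, so on a system with an older pcr-oracle the sealing path would fail at runtime rather than at install time — bump the floor to the first pcr-oracle release that provides that subcommand (`Requires: pcr-oracle >= <VERSION_WITH_RSA_TEST>`, placeholder to be confirmed). In %install, `mv %{buildroot}/etc/sysconfig/fde-tools ...` hard-codes `/etc` while the Makefile was told `SYSCONFDIR="%{_sysconfdir}"` two lines above; use `mv %{buildroot}%{_sysconfdir}/sysconfig/fde-tools ...` so the two cannot drift apart. In %post, `%fillup_and_insserv` is the legacy form for packages that also ship an init script; with only a systemd unit here, `%fillup_only` is the intended macro. The `%config %{_sysconfdir}/rpm/macros.fde-tpm-helper` entry places RPM macros under `/etc/rpm`, which current packaging guidelines treat as a legacy location in favour of `%{_rpmmacrodir}`; that move would need a matching change in the upstream Makefile, so it may be better raised upstream than patched here.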