Sync from SUSE:SLFO:Main fde-tools revision 64f77398c7b869e347ff2a504f98192a

Adrian Schröter 2024-05-03 12:25:11 +02:00
commit 84b1ae7fc7
11 changed files with 1082 additions and 0 deletions

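--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text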

fde-tools-0.7.2.tar.bz2 (Stored with Git LFS) Normal file

Binary file not shown.


@ -0,0 +1,409 @@
From 7ab5a433c9fcc8cd56f8f9f7657b32282cb00ee8 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 6 Oct 2023 16:24:54 +0800
Subject: [PATCH 1/3] Set the RSA key size automatically
This commit utilizes the new pcr-oracle command, rsa-test, to detect the
highest RSA key size supported by the TPM chip and then uses the key
size for the TPM SRK and the private sign key.
Signed-off-by: Gary Lin <glin@suse.com>
---
share/grub2 | 1 +
share/tpm | 53 ++++++++++++++++++++++++++++++++++++++++++++++++---
sysconfig.fde | 4 ++++
3 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/share/grub2 b/share/grub2
index aacd20c..97c8d86 100644
--- a/share/grub2
+++ b/share/grub2
@@ -82,6 +82,7 @@ function grub_update_early_config {
grub_set_control GRUB_ENABLE_CRYPTODISK "y"
grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
+ grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
# Do not clear the password implicitly; require fdectl or
# jeos firstboot to do so explicitly.
diff --git a/share/tpm b/share/tpm
index 0cc507a..0396e7e 100644
--- a/share/tpm
+++ b/share/tpm
@@ -42,13 +42,47 @@ function tpm_present_and_working {
return 0
}
+function tpm_set_rsa_key_size {
+
+ # Check if pcr-oracle supports rsa-test
+ # If pcr-oracle prints "Unknown action", fall back to default.
+ if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
+ fde_set_variable FDE_RSA_KEY_SIZE "2048"
+ return 0
+ fi
+
+ # Find the highest supported RSA key size
+ sizes_to_test="4096 3072 2048"
+
+ for size in ${sizes_to_test}; do
+ if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
+ fde_set_variable FDE_RSA_KEY_SIZE "${size}"
+ return 0
+ fi
+ done
+
+ fde_trace "Failed to find a valid RSA key size"
+ return 1
+}
+
function tpm_seal_key {
secret=$1
sealed_secret=$2
+ tpm_set_rsa_key_size
+ if [ $? -ne 0 ]; then
+ return 1
+ fi
+
+ opt_rsa_bits=
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
+ fi
+
echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
- pcr-oracle --input "$secret" --output "$sealed_secret" \
+ pcr-oracle ${opt_rsa_bits} \
+ --input "$secret" --output "$sealed_secret" \
--key-format tpm2.0 \
--algorithm "$FDE_SEAL_PCR_BANK" \
--from eventlog \
@@ -97,17 +131,22 @@ function tpm_test {
return $result
}
-
function tpm_seal_secret {
secret="$1"
sealed_secret="$2"
authorized_policy="$3"
+ opt_rsa_bits=
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
+ fi
+
# If we are expected to use an authorized policy, seal the secret
# against that, using pcr-oracle rather than the tpm2 tools
if [ -n "$authorized_policy" ]; then
- pcr-oracle --authorized-policy "$authorized_policy" \
+ pcr-oracle ${opt_rsa_bits} \
+ --authorized-policy "$authorized_policy" \
--key-format tpm2.0 \
--input $secret \
--output $sealed_secret \
@@ -157,6 +196,14 @@ function tpm_create_authorized_policy {
extra_opts=
if [ ! -f "$secret_key" ]; then
extra_opts="--rsa-generate-key"
+
+ tpm_set_rsa_key_size
+ if [ $? -ne 0 ]; then
+ return 1
+ fi
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
+ extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
+ fi
fi
pcr-oracle $extra_opts \
diff --git a/sysconfig.fde b/sysconfig.fde
index a3435fe..f3ee38b 100644
--- a/sysconfig.fde
+++ b/sysconfig.fde
@@ -36,3 +36,7 @@ FDE_DEVS=""
# the bootloader update
# Set to yes/no
FDE_TPM_AUTO_UPDATE="yes"
+
+# The RSA key size to be used for SRK and the private sign key
+# NOTE: Do not touch this variable. It's updated by fdectl automatically.
+FDE_RSA_KEY_SIZE="2048"
--
2.35.3
From bee71824675721ae73ce770c0e846f0aba48b441 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 3 Nov 2023 15:04:00 +0800
Subject: [PATCH 2/3] Detect the RSA sizes supported by the bootloader
The bootloader may not support the SRK algorithm other than RSA2048.
Use the bootloader specific function to detect the supported RSA sizes.
Signed-off-by: Gary Lin <glin@suse.com>
---
share/grub2 | 19 +++++++++++++++++++
share/systemd-boot | 8 ++++++++
share/tpm | 2 +-
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/share/grub2 b/share/grub2
index 97c8d86..cde7680 100644
--- a/share/grub2
+++ b/share/grub2
@@ -33,6 +33,7 @@ alias bootloader_commit_config=grub_commit_config
alias bootloader_get_keyslots=grub_get_keyslots
alias bootloader_remove_keyslots=grub_remove_keyslots
alias bootloader_wipe=grub_wipe
+alias bootloader_rsa_sizes=grub_rsa_sizes
##################################################################
# Edit a variable in /etc/default/grub
@@ -224,3 +225,21 @@ function grub_wipe {
grub_remove_keyslots ${luks_dev}
}
+
+function grub_rsa_sizes {
+
+ # Check if the shim-install script supports the SRK algorithm selection.
+ if ! grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"; then
+ echo "2048"
+ return 0
+ fi
+
+ # Check if grub2 supports the RSA4096 SRK.
+ if grub2-protect --help | grep -q "RSA4096"; then
+ echo "4096 3072 2048"
+ return 0
+ fi
+
+ # TPM 2.0 should at least support RSA2048.
+ echo "2048"
+}
diff --git a/share/systemd-boot b/share/systemd-boot
index a9475a7..27cb088 100644
--- a/share/systemd-boot
+++ b/share/systemd-boot
@@ -36,6 +36,7 @@ alias bootloader_commit_config=systemd_commit_config
alias bootloader_get_keyslots=systemd_get_keyslots
alias bootloader_remove_keyslots=systemd_remove_keyslots
alias bootloader_wipe=systemd_wipe
+alias bootloader_rsa_sizes=systemd_rsa_sizes
function not_implemented {
@@ -175,3 +176,10 @@ function systemd_wipe {
not_implemented
}
+
+##################################################################
+# This function lists all the supported RSA key sizes for SRK.
+##################################################################
+function systemd_rsa_sizes {
+ echo "2048"
+}
diff --git a/share/tpm b/share/tpm
index 0396e7e..00a0016 100644
--- a/share/tpm
+++ b/share/tpm
@@ -52,7 +52,7 @@ function tpm_set_rsa_key_size {
fi
# Find the highest supported RSA key size
- sizes_to_test="4096 3072 2048"
+ sizes_to_test=$(bootloader_rsa_sizes)
for size in ${sizes_to_test}; do
if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
--
2.35.3
From 8912fa960fcecd218b05df45dae471180ebac156 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 22 Nov 2023 15:35:26 +0800
Subject: [PATCH 3/3] Refactor the RSA key size code to make it more flexible
Originally, FDE_RSA_KEY_SIZE was updated automatically and used as a
global variable for both tpm and grub2 scripts. However, there may be a
case that the user has to stick to a specific RSA key size due to some
bug or defect. This commit refactors the RSA key size code to make
FDE_RSA_KEY_SIZE empty by default and honor the user setting if the size
is specified.
Signed-off-by: Gary Lin <glin@suse.com>
---
share/grub2 | 5 ++--
share/tpm | 79 ++++++++++++++++++++++++++++++---------------------
sysconfig.fde | 5 ++--
3 files changed, 52 insertions(+), 37 deletions(-)
diff --git a/share/grub2 b/share/grub2
index cde7680..95d4b15 100644
--- a/share/grub2
+++ b/share/grub2
@@ -79,11 +79,12 @@ function grub_get_fde_password {
##################################################################
function grub_update_early_config {
- sealed_key_file="$1"
+ local sealed_key_file="$1"
+ local rsa_key_size=$(tpm_get_rsa_key_size)
grub_set_control GRUB_ENABLE_CRYPTODISK "y"
grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
- grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
+ grub_set_control GRUB_TPM2_SRK_ALG "RSA${rsa_key_size}"
# Do not clear the password implicitly; require fdectl or
# jeos firstboot to do so explicitly.
diff --git a/share/tpm b/share/tpm
index 00a0016..43747e7 100644
--- a/share/tpm
+++ b/share/tpm
@@ -42,13 +42,28 @@ function tpm_present_and_working {
return 0
}
-function tpm_set_rsa_key_size {
+function tpm_get_rsa_key_size {
+
+ declare -g __fde_rsa_key_size
+
+ if [ -n "$__fde_rsa_key_size" ]; then
+ echo "$__fde_rsa_key_size"
+ return
+ fi
+
+ if [ -n "$FDE_RSA_KEY_SIZE" ]; then
+ # TODO validate $FDE_RSA_KEY_SIZE
+ __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
+ echo "$__fde_rsa_key_size"
+ return
+ fi
# Check if pcr-oracle supports rsa-test
# If pcr-oracle prints "Unknown action", fall back to default.
if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
- fde_set_variable FDE_RSA_KEY_SIZE "2048"
- return 0
+ __fde_rsa_key_size="2048"
+ echo "$__fde_rsa_key_size"
+ return
fi
# Find the highest supported RSA key size
@@ -56,28 +71,27 @@ function tpm_set_rsa_key_size {
for size in ${sizes_to_test}; do
if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
- fde_set_variable FDE_RSA_KEY_SIZE "${size}"
- return 0
+ __fde_rsa_key_size="${size}"
+ echo "$__fde_rsa_key_size"
+ return
fi
done
- fde_trace "Failed to find a valid RSA key size"
- return 1
+ fde_trace "Failed to find a valid RSA key size. Fall back to 2048"
+ __fde_rsa_key_size="2048"
+ echo "$__fde_rsa_key_size"
}
function tpm_seal_key {
- secret=$1
- sealed_secret=$2
+ local secret=$1
+ local sealed_secret=$2
- tpm_set_rsa_key_size
- if [ $? -ne 0 ]; then
- return 1
- fi
+ local opt_rsa_bits=
+ local rsa_size=$(tpm_get_rsa_key_size)
- opt_rsa_bits=
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
+ opt_rsa_bits="--rsa-bits ${rsa_size}"
fi
echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
@@ -133,13 +147,15 @@ function tpm_test {
function tpm_seal_secret {
- secret="$1"
- sealed_secret="$2"
- authorized_policy="$3"
+ local secret="$1"
+ local sealed_secret="$2"
+ local authorized_policy="$3"
+
+ local opt_rsa_bits=
+ local rsa_size=$(tpm_get_rsa_key_size)
- opt_rsa_bits=
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
+ opt_rsa_bits="--rsa-bits ${rsa_size}"
fi
# If we are expected to use an authorized policy, seal the secret
@@ -188,21 +204,18 @@ function tpm_set_authorized_policy_paths {
function tpm_create_authorized_policy {
- secret_key="$1"
- output_policy="$2"
- public_key="$3"
+ local secret_key="$1"
+ local output_policy="$2"
+ local public_key="$3"
# Generate the private key if it does not exist
- extra_opts=
+ local extra_opts=
if [ ! -f "$secret_key" ]; then
- extra_opts="--rsa-generate-key"
+ local rsa_size=$(tpm_get_rsa_key_size)
- tpm_set_rsa_key_size
- if [ $? -ne 0 ]; then
- return 1
- fi
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
- extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
+ extra_opts="--rsa-generate-key"
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
+ extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
fi
fi
diff --git a/sysconfig.fde b/sysconfig.fde
index f3ee38b..741f5b4 100644
--- a/sysconfig.fde
+++ b/sysconfig.fde
@@ -38,5 +38,6 @@ FDE_DEVS=""
FDE_TPM_AUTO_UPDATE="yes"
# The RSA key size to be used for SRK and the private sign key
-# NOTE: Do not touch this variable. It's updated by fdectl automatically.
-FDE_RSA_KEY_SIZE="2048"
+# Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl
+# to determine the size at runtime
+FDE_RSA_KEY_SIZE=""
--
2.35.3
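Review bot: In PATCH 3/3, `tpm_get_rsa_key_size` passes a user-set `FDE_RSA_KEY_SIZE` through unchecked (the `# TODO validate $FDE_RSA_KEY_SIZE` branch), and its callers then handle a bad value inconsistently. A non-integer value makes `[ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]` error out and evaluate false, so `pcr-oracle` runs without `--rsa-bits` (presumably at its 2048 default), while `grub_update_early_config` still writes `RSA${rsa_key_size}` into `GRUB_TPM2_SRK_ALG`; the sealed key and the bootloader setting can then disagree. The same value also reaches the unquoted `${opt_rsa_bits}` and `$extra_opts` expansions on the `pcr-oracle` command line. Accepting only the sizes that sysconfig.fde documents closes this, as sketched below. Separately, every caller uses `$(tpm_get_rsa_key_size)`, which runs in a subshell, so the `declare -g __fde_rsa_key_size` cache never reaches the parent shell and the `pcr-oracle rsa-test` probe repeats on each call.

```shell
function tpm_get_rsa_key_size {
    # … unchanged: return the cached __fde_rsa_key_size when it is set …

    if [ -n "$FDE_RSA_KEY_SIZE" ]; then
        case "$FDE_RSA_KEY_SIZE" in
        2048|3072|4096)
            __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
            echo "$__fde_rsa_key_size"
            return
            ;;
        *)
            # Diagnostics go to stderr so they never end up in the captured size.
            echo "Ignoring unsupported FDE_RSA_KEY_SIZE \"$FDE_RSA_KEY_SIZE\"" >&2
            ;;
        esac
    fi

    # … unchanged: pcr-oracle rsa-test probing and the 2048 fallback …
```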


@ -0,0 +1,26 @@
From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 5 Mar 2024 14:51:57 +0800
Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper
fde-tpm-helper is only used when fde-tools is installed. Update the rpm
macro to make fde-tpm-helper an conditional "Requires".
Signed-off-by: Gary Lin <glin@suse.com>
---
rpm-build/macros.fde-tpm-helper | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper
index 1ec3a4e..3c89e2b 100644
--- a/rpm-build/macros.fde-tpm-helper
+++ b/rpm-build/macros.fde-tpm-helper
@@ -1,4 +1,4 @@
-%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper
+%fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools)
%fde_tpm_update_post() \
mkdir -p %{_rundir}/fde-tpm-helper/ \
--
2.35.3


@ -0,0 +1,29 @@
From e3dbd0eed64938a79d82a6916dee3925297ac082 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 18 Apr 2024 10:10:15 +0800
Subject: [PATCH] firstboot: replace ALP with a neutral name
The script may be used in the system other than ALP. Replace "ALP" with
"This system".
Signed-off-by: Gary Lin <glin@suse.com>
---
firstboot/fde | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/firstboot/fde b/firstboot/fde
index 0f94829..a4e5c15 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -228,7 +228,7 @@ function fde_choose_protection {
FDE_PROTECTION=""
- message="ALP can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption"
+ message="This system can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption"
options+=(pass 'Pass phrase' on)
if ! tpm_present_and_working; then
--
2.35.3


@ -0,0 +1,30 @@
From 10672433c10ce391f126f426f86eb85fc4dffa73 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 18 Apr 2024 10:13:30 +0800
Subject: [PATCH] firstboot: disable the ccid option
Since ccid token is still not supported, disable the option until we
really implement it.
Signed-off-by: Gary Lin <glin@suse.com>
---
firstboot/fde | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/firstboot/fde b/firstboot/fde
index a4e5c15..4911b32 100755
--- a/firstboot/fde
+++ b/firstboot/fde
@@ -237,7 +237,8 @@ function fde_choose_protection {
options+=(tpm 'Stored inside the TPM chip' on)
fi
- options+=(ccid 'Stored inside a CCID capable token' off)
+ # Disable the ccid option until we really implement it
+ # options+=(ccid 'Stored inside a CCID capable token' off)
while true; do
d --title "Full Disk Encryption" --checklist \
--
2.35.3


@ -0,0 +1,28 @@
From 7dd8ab8920806384c01e3765ff2027222ac21d29 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 29 Feb 2024 15:05:35 +0800
Subject: [PATCH] Allow RPM_MACRO_DIR to be defined during build time
The system directory of rpm macro files could be either /etc/rpm
or /usr/lib/rpm/macros.d/. This commit allows RPM_MACRO_DIR to be
defined during build time, so that the packager can change the variable
if necessary.
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: fde-tools-0.7.2/Makefile
===================================================================
--- fde-tools-0.7.2.orig/Makefile
+++ fde-tools-0.7.2/Makefile
@@ -12,7 +12,7 @@ FDE_CONFIG_DIR = ${SYSCONFDIR}/fde
FDE_SHARE_DIR = $(DATADIR)/fde
FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot
FDE_HELPER_DIR = $(LIBEXECDIR)/fde
-RPM_MACRO_DIR = /etc/rpm
++RPM_MACRO_DIR ?= /etc/rpm
FIDO_LINK = -lfido2 -lcrypto
CRPYT_LINK = -lcryptsetup -ljson-c
TOOLS = fde-token fdectl-grub-tpm2
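Review bot: The added line in this hunk reads `++RPM_MACRO_DIR ?= /etc/rpm`, with a doubled plus. If that is what the patch file contains and not a rendering artefact, the patched Makefile line starts with a literal `+`, so make would most likely assign a variable named `+RPM_MACRO_DIR` and leave `RPM_MACRO_DIR` without a default. The package build would not notice, because the spec passes `RPM_MACRO_DIR="%{_rpmmacrodir}"` on the make command line, but a plain `make install` from the patched tree would. The intended patch line is `+RPM_MACRO_DIR ?= /etc/rpm`.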


@ -0,0 +1,18 @@
firstboot/fde | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: fde-tools-0.6.2/firstboot/fde
===================================================================
--- fde-tools-0.6.2.orig/firstboot/fde
+++ fde-tools-0.6.2/firstboot/fde
@@ -285,8 +285,8 @@ function fde_systemd_firstboot {
# Get the password that was used during installation.
fde_root_passphrase=$(bootloader_get_fde_password)
if [ -z "$fde_root_passphrase" ]; then
- display_errorbox "Cannot find the initial FDE password for the root file system"
- return 1
+ # HACK: we just know it's 1234 for the ALP kvm_encrypted image, so go with that
+ fde_root_passphrase=1234
fi
if [ ! -s "$KIWI_ROOT_KEYFILE" ]; then
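Review bot: This hunk in `fde_systemd_firstboot` replaces the error path for a missing initial FDE password with a hard-coded fallback, `fde_root_passphrase=1234`. When `bootloader_get_fde_password` returns nothing, firstboot now continues with a fixed, publicly known passphrase instead of stopping. The spec's `%autosetup -p1` applies every listed patch unconditionally, and this section appears to be its `Patch0`, so the fallback would ship in every fde-firstboot build, not only the ALP kvm_encrypted image the comment names. Keep the original `display_errorbox "Cannot find the initial FDE password for the root file system"` and `return 1`, or apply the patch only in the image build that needs it. The patch headers still name fde-tools-0.6.2 while the package is 0.7.2, and the function body continues outside the hunk.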

fde-tools.changes Normal file
View File

@ -0,0 +1,346 @@
-------------------------------------------------------------------
Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-bsc1222970-firstboot-replace-ALP.patch to replace
"ALP" with "This system" (bsc#1222970)
- Add fde-tools-bsc1223002-firstboot-disable-ccid.patch to disable
the non-functional ccid option (bsc#1223002)
-------------------------------------------------------------------
Wed Mar 13 08:54:37 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add json-c to BuildRequires to build on openSUSE Leap 15.5
-------------------------------------------------------------------
Tue Mar 5 05:54:49 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-change-rpm-macro-dir.patch and set the rpm macro
directory correctly
- Make fde-firstboot, fde-tpm-helper, and fde-tpm-helper-rpm-macros
noarch
- Add fde-tools-bsc1220160-conditional-requires.patch to make
fde-tpm-helper a conditional "Requires" (bsc#1220160)
-------------------------------------------------------------------
Mon Feb 19 06:34:27 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-bsc1213945-set-rsa-key-size.patch to set
the highest supported RSA key size (bsc#1213945)
-------------------------------------------------------------------
Mon Nov 6 16:02:01 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix build with RPM 4.19: unnumbered patches are no longer
supported.
-------------------------------------------------------------------
Wed Nov 1 07:19:45 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.2
+ Add help output for the command tpm-authorize
+ Improve the multi-devices support
-------------------------------------------------------------------
Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.1
+ add-secondary-key: remove the generation of the secondary
password
+ add-secondary-key: remove the inclusion of
'add-secondary-password'
+ luks: list all underlying LUKS device
+ Introduce FDE_DEVS to list all LUKS devices
- Drop upstreamd patch
+ fde-tools-remove-redundant-2nd-pw-creation.patch
-------------------------------------------------------------------
Wed Oct 4 07:04:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-remove-redundant-2nd-pw-creation.patch to remove
the creation of the secondary password in 'add-secondary-key'
-------------------------------------------------------------------
Mon Oct 2 08:10:10 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Bring ExclusiveArch back and only enable the build for the
architectures with the proper UEFI Secure Boot and TPM 2.0/TCG
protocol support: aarch64 x86_64 riscv64
-------------------------------------------------------------------
Tue Sep 19 05:59:00 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.7.0
+ firstboot: apply the grub.cfg change immediately
+ fde-tpm-helper for bootloader RPMs to update the sealed key
automatically
+ Fix the find command of 'make dist'
+ Clean up the repo
+ Make the system flags configurable
+ fde-tpm-helper: specify the bootloaders in %post
- Add two new subpackages for the bootloader RPMs to update the
sealed key: fde-tpm-helper and fde-tpm-helper-rpm-macros
- Remove ExclusiveArch and set the system directories for 'make'
and 'make install'
-------------------------------------------------------------------
Tue Aug 29 07:56:44 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.9
+ Redirect the firstboot messages to journald instead of a
standalone log file (bsc#1214581)
+ Update /boot/grub2/grub.cfg at the end of firstboot to reflect
the LUKS key change
+ Update the version automatically
+ Add 'cryptsetup' to 'make dist'
+ Fix the version in fde.sh
- Update the download URL
-------------------------------------------------------------------
Thu Aug 24 07:45:13 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.8
+ Improve the LUKS partition detection to support LUKS over LVM
- Remove openssl and tpm2-0-tss-devel from BuildRequires since all
TPM related programs are already in pcr-oracle
- Add util-linux-systemd to Requires for 'lsblk'
-------------------------------------------------------------------
Fri Aug 18 07:51:12 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.7
+ Check failure of authorized policy creation
+ Additional check for recovery password
- Drop upstreamed patch
+ fde-tools-handle-authorized-policy-failure.patch
-------------------------------------------------------------------
Thu Jul 27 06:23:22 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-handle-authorized-policy-failure.patch handle the
failure of authorized policy creation
-------------------------------------------------------------------
Thu Jul 20 08:39:13 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.6
+ Avoid cleaning the temp directory when calling tpm_test
+ firstboot/fde: use functions as the aliases for bootloader
functions
+ firstboot/fde: always regenerate initrd
+ firstboot/fde: use authorized policy by default
+ Support devices other than the root partition
- Drop upstreamed patches
+ fde-tools-avoid-cleaning-temp-dir.patch
+ fde-tools-fix-bootloader-func.patch
+ fde-tools-force-dracut.patch
+ fde-tools-enable-authpol-in-firstboot.patch
-------------------------------------------------------------------
Thu Jul 13 06:57:46 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-enable-authpol-in-firstboot.patch to enable
authorized policy in the firstboot script
-------------------------------------------------------------------
Fri Jul 7 08:40:25 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-fix-bootloader-func.patch
+ Define the bootloader specific functions in the firstboot
script since the aliases are not expanded
- Add fde-tools-force-dracut.patch
+ Always regenerate initrd
-------------------------------------------------------------------
Tue Jul 4 07:02:19 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-avoid-cleaning-temp-dir.patch to avoid cleaning
the temp directory when calling tpm_test
-------------------------------------------------------------------
Tue Jul 4 02:59:34 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.5
+ LUKS2 keyslot management with the grub-tpm2 token
+ Replace mkinitrd with dracut
-------------------------------------------------------------------
Wed Jun 14 02:39:26 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to version 0.6.4
+ Add man page and bash completion support
+ Switch to TPM 2.0 Key File for grub2
+ Update the installation paths
+ Enable authorized policy by default
+ Implement 'tpm-disable' command (bsc#1208834)
- Add a subpackage: fde-tools-bash-completion
- Use 'tpm-activate' in the systemd service file
- Add help2man to BuildRequires
- Drop the upstreamed patches
+ fde-tools-tpm2.0-key-file-support.patch
+ fde-tools-fix-paths.patch
+ fde-tools-set-stop-event-for-tpm_authorize.patch
+ fde-tools-enable-authorized-policy-by-default.patch
+ fde-tools-reduce-iterations.patch
+ fde-tools-set-grub.cfg-as-stop-event.patch
-------------------------------------------------------------------
Thu Jun 8 08:31:15 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Fix the path in fde-tools.service
-------------------------------------------------------------------
Wed Jun 7 00:57:26 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-tpm2.0-key-file-support.patch to support TPM 2.0
Key File for grub2
- Bump the required pcr-oracle version to 0.4.5 for the TPM 2.0 Key
File support
- Add fde-tools-reduce-iterations.patch to reduce the iterations
for the key created by luks_add_random_key
- Add fde-tools-set-grub.cfg-as-stop-event.patch to set grub.cfg as
the stop event for the PCR prediction
- Add fde-tools-enable-authorized-policy-by-default.patch to switch
FDE_USE_AUTHORIZED_POLICIES to yes
-------------------------------------------------------------------
Tue Jun 6 07:32:24 UTC 2023 - Marcus Meissner <meissner@suse.com>
- remove dracut and jeos-firstboot from buildrequires, just specify
the directory.
-------------------------------------------------------------------
Wed May 17 08:37:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-fix-paths.patch to fix the installation paths
- Using the tarball from the github repo
- Remove %clean
-------------------------------------------------------------------
Fri Apr 21 05:58:08 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update project URL
-------------------------------------------------------------------
Tue Mar 28 03:19:11 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Apply fde-tools-set-stop-event-for-tpm_authorize.patch correctly
-------------------------------------------------------------------
Mon Mar 6 07:25:45 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add fde-tools-set-stop-event-for-tpm_authorize.patch to set the
stop event when signing the authorized policy
-------------------------------------------------------------------
Wed Mar 1 10:41:43 UTC 2023 - Olaf Kirch <okir@suse.com>
- firstboot/fde: ensure that aliases get expanded in shell scripts
This is needed to make the bootloader_foo -> grub2_foo function
name expansion work
-------------------------------------------------------------------
Tue Feb 28 16:22:19 UTC 2023 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6.3
- Fix a bug introduced by the recent change in tempdir handling
-------------------------------------------------------------------
Mon Jan 9 16:36:00 UTC 2023 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6.2
- Several patches that were added last-minute for the December
snapshot have been folded back into git.
- Implement first stab at authorized policies.
-------------------------------------------------------------------
Wed Dec 14 12:08:06 UTC 2022 - Olaf Kirch <okir@suse.com>
- Fix several bugs in firstboot
* The approach for reading the initial FDE pass phrase
from /etc/default/grub is not supported in kiwi yet,
so work around that
* The kiwi KVM images have a strange EFI boot path that
does not contain a File component. Try to work
around that.
* shim-install behaves differently between kiwi image build time
and the installed system. Work around.
-------------------------------------------------------------------
Tue Dec 13 15:56:25 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Fix source URL
-------------------------------------------------------------------
Tue Dec 13 11:30:26 UTC 2022 - Olaf Kirch <okir@suse.com>
- Fix the fde-tpm-enroll.service file
-------------------------------------------------------------------
Mon Dec 12 15:02:53 UTC 2022 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6.1
- Fix tpm-enable subcommand
- Add new add-secondary-key subcommand
- Add a systemd unit file that triggers on the presence of the
key file written by d-installer
-------------------------------------------------------------------
Wed Dec 7 13:53:56 UTC 2022 - Olaf Kirch <okir@suse.com>
- Updated to version 0.6
- pcr-oracle is now a standalone project and package
- Split off the jeos-firstboot stuff into a binary package of its own,
because bare metal installations do not need it
- Refactoring the scripts
- Folded Gary's patches into git.
-------------------------------------------------------------------
Fri Oct 14 08:25:22 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
- Add bsc1204037-mokutil-check-sb-state.patch to check the
SecureBoot state with mokutil (bsc#1204037)
-------------------------------------------------------------------
Thu Oct 13 07:02:18 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
- Add bsc1204037-update-grub.cfg-for-pw-only.patch to update
grub.cfg when the user only chooses the pass phrase to encrypt
the disk. (bsc#1204037)
-------------------------------------------------------------------
Fri Sep 30 11:17:16 UTC 2022 - Dirk Müller <dmueller@suse.com>
- add build support for other architectures
- spec file clean ups
-------------------------------------------------------------------
Fri Sep 16 10:24:54 UTC 2022 - Olaf Kirch <okir@suse.com>
- Move the (shipped) keyfile into /root to avoid issues with r/o root
-------------------------------------------------------------------
Tue Sep 13 15:55:21 UTC 2022 - Olaf Kirch <okir@suse.com>
- Introduce a specific unit script that takes care of mounting root
early (to avoid conflicts with ignition).
-------------------------------------------------------------------
Mon Aug 29 11:02:58 UTC 2022 - Olaf Kirch <okir@suse.com>
- Make the firstboot workflow smarter (offer different key protectors)
-------------------------------------------------------------------
Mon Aug 15 14:53:12 UTC 2022 - Olaf Kirch <okir@suse.com>
- Fixed typo of tpm2_key_protector_clear
-------------------------------------------------------------------
Mon Aug 15 09:43:16 UTC 2022 - Olaf Kirch <okir@suse.com>
- Renamed to fde-tools-0.1
- included firstboot stuff
-------------------------------------------------------------------
Tue Jul 26 12:54:28 UTC 2022 - Olaf Kirch <okir@suse.com>
- Initial build as package pcr-oracle

fde-tools.service Normal file

@ -0,0 +1,10 @@
[Unit]
Description=Activate TPM for Full Disk Encryption
Wants=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/fdectl tpm-activate
[Install]
WantedBy=default.target

fde-tools.spec Normal file

@ -0,0 +1,160 @@
#
# spec file for package fde-tools
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if %{undefined _rpmmacrodir}
%define _rpmmacrodir %{_sysconfdir}/rpm
%endif
Name: fde-tools
Version: 0.7.2
Release: 0
Summary: Tools required for Full Disk Encryption
License: GPL-2.0-only
Group: System/Boot
URL: https://github.com/openSUSE/fde-tools
Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
Source1: fde-tools.service
Patch0: fde-tools-firstboot-alp-snapshot.patch
Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch
Patch2: fde-tools-change-rpm-macro-dir.patch
Patch3: fde-tools-bsc1220160-conditional-requires.patch
Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch
Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
BuildRequires: help2man
BuildRequires: pkgconfig(json-c)
BuildRequires: pkgconfig(libcryptsetup)
BuildRequires: pkgconfig(libfido2)
Requires: cryptsetup
Requires: mokutil
Requires: pcr-oracle >= 0.4.5
Requires: util-linux-systemd
ExclusiveArch: aarch64 x86_64 riscv64
%description
This package provides several components required to support Full Disk
Encryption.
%package -n fde-firstboot
Summary: Full Disk Encryption for images
Group: System/Boot
Requires: fde-tools
Requires: jeos-firstboot
BuildArch: noarch
%description -n fde-firstboot
This package contains the scripts necessary to plug Full Disk Encryption
into the JeOS Firstboot framework used for image based delivery of ALP.
%package bash-completion
Summary: Bash completion for fde-tools
Group: Productivity/File utilities
Requires: bash-completion
Requires: fde-tools
Supplements: (fde-tools and bash-completion)
BuildArch: noarch
%description bash-completion
Bash shell completions for fde-tools
%package -n fde-tpm-helper
Summary: TPM helper for fde-tools
Group: System/Boot
BuildArch: noarch
%description -n fde-tpm-helper
This package contains the TPM helper script for the bootloader packages
to update the signature in the sealed key.
%package -n fde-tpm-helper-rpm-macros
Summary: RPM macros for fde-tools
Group: Development/Tools/Building
BuildArch: noarch
%description -n fde-tpm-helper-rpm-macros
This package contains the RPM macros for the bootloader packages to
update the signature in the sealed key.
%prep
%autosetup -p1
%build
%make_build \
CCFLAGS="%optflags" \
LIBDIR="%{_libdir}" \
LIBEXECDIR="%{_libexecdir}" \
SBINDIR="%{_sbindir}" \
DATADIR="%{_datadir}" \
SYSCONFDIR="%{_sysconfdir}" \
RPM_MACRO_DIR="%{_rpmmacrodir}"
%install
%make_install \
LIBDIR="%{_libdir}" \
LIBEXECDIR="%{_libexecdir}" \
SBINDIR="%{_sbindir}" \
DATADIR="%{_datadir}" \
SYSCONFDIR="%{_sysconfdir}" \
RPM_MACRO_DIR="%{_rpmmacrodir}"
mkdir -p %{buildroot}%{_fillupdir}
mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools
mkdir -p %{buildroot}%{_unitdir}
cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service
%pre
%service_add_pre fde-tpm-enroll.service
%post
%service_add_post fde-tpm-enroll.service
%fillup_and_insserv
%preun
%service_del_preun fde-tpm-enroll.service
%postun
%service_del_postun fde-tpm-enroll.service
%files
%{_sbindir}/fdectl
%{_sbindir}/fde-token
%{_sbindir}/fdectl-grub-tpm2
%dir %{_sysconfdir}/fde
%{_fillupdir}/sysconfig.*
%{_datadir}/fde
%{_unitdir}/fde-tpm-enroll.service
%{_mandir}/man8/fdectl.8.gz
%dir %{_libdir}/cryptsetup/
%{_libdir}/cryptsetup/libcryptsetup-token-*.so
%files bash-completion
%{_datadir}/bash-completion/completions/fdectl
%files -n fde-firstboot
%dir %{_datadir}/jeos-firstboot
%dir %{_datadir}/jeos-firstboot/modules
%{_datadir}/jeos-firstboot/modules/fde
%files -n fde-tpm-helper
%dir %{_libexecdir}/fde
%{_libexecdir}/fde/fde-tpm-helper
%files -n fde-tpm-helper-rpm-macros
%{_rpmmacrodir}/macros.fde-tpm-helper
%changelog
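Review bot: In `%install`, `mv %{buildroot}/etc/sysconfig/fde-tools …` hard-codes `/etc` although both make invocations pass `SYSCONFDIR="%{_sysconfdir}"`. Use `mv %{buildroot}%{_sysconfdir}/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-tools` so the two cannot drift apart. The unit listed as `Source1: fde-tools.service` is installed under a different name, `fde-tpm-enroll.service`; a comment on the `cp %{S:1}` line such as `# shipped as fde-tools.service, installed as fde-tpm-enroll.service` would save the next packager a search.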