Sync from SUSE:SLFO:Main fde-tools revision f40ef80188c5fd24985849cb7a219c7a

fde-tools-bsc1218181-replace-crypttab-key-path.patch

@@ -0,0 +1,63 @@
+From b5ef2a580e28f80fc1634b32ebf7377b5c4ed40b Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 26 Jul 2024 16:27:20 +0800
+Subject: [PATCH] firstboot: replace the key file path in crypttab
+
+The key file path in crypttab is not necessary after the system
+completes re-encryption since it becomes only a reference for GRUB2 when
+generating the synthesized initrd to forward the disk key. Specifying a
+key file path in the directory other than '/' could introduce the extra
+dependency when unmounting the LUKS partitions and lead to the
+unexpected error/warning. Unfortunately, the root partition is read-only
+in SL-Micro, so KIWI has to create the key file in "/root".
+
+To avoid the unexpected error/warning, this commit replace the key file
+path with "/.virtual-root.key" after the firstboot script removes the
+default key file. This makes dracut/systemd believe that the key file is
+in the root partition, so there is no extra dependency when unmounting
+the LUKS partitions.
+
+The initrd also needs to be re-generated at the end to reflect the
+change in /etc/crypttab.
+
+FIXES: bsc#1218181
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ firstboot/fde | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/firstboot/fde b/firstboot/fde
+index 59fdb92..b917a35 100755
+--- a/firstboot/fde
++++ b/firstboot/fde
+@@ -112,6 +112,11 @@ function fde_setup_encrypted {
+ 	    return 1
+ 	fi
+ 	rm -f "${luks_keyfile}"
++
++	# Replace the key file path in /etc/crypttab with "/.virtual-root.key"
++	# to avoid errors when unmounting the LUKS partition (bsc#1218181)
++	sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab
++
+ 	luks_keyfile=""
+     fi
+ 
+@@ -152,11 +157,12 @@ function fde_setup_encrypted {
+     # Remove the password file
+     rm -f ${pass_keyfile}
+ 
+-    # Update /boot/grub2/grub.cfg
++    # Update initrd and /boot/grub2/grub.cfg
+     if test -d "/boot/writable"; then
+-	transactional-update grub.cfg
++	transactional-update initrd grub.cfg
+ 	transactional-update apply
+     else
++	dracut -f
+ 	grub2-mkconfig -o /boot/grub2/grub.cfg
+     fi
+ 
+-- 
+2.35.3
+

fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch

@@ -0,0 +1,144 @@
+From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 1 Dec 2023 17:11:22 +0800
+Subject: [PATCH] Switch to "--target-platform" when available
+
+Check if pcr-oracle supports "--target-platform" and replace
+"--key-format" with "--target-platform" if the option is available.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ share/grub2        |  5 +++++
+ share/systemd-boot | 10 ++++++++++
+ share/tpm          | 37 +++++++++++++++++++++++++++----------
+ 3 files changed, 42 insertions(+), 10 deletions(-)
+
+Index: fde-tools-0.7.2/share/grub2
+===================================================================
+--- fde-tools-0.7.2.orig/share/grub2
++++ fde-tools-0.7.2/share/grub2
+@@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k
+ alias bootloader_remove_keyslots=grub_remove_keyslots
+ alias bootloader_wipe=grub_wipe
+ alias bootloader_rsa_sizes=grub_rsa_sizes
++alias bootloader_platform_parameters=grub_platform_parameters
+ 
+ ##################################################################
+ # Edit a variable in /etc/default/grub
+@@ -244,3 +245,7 @@ function grub_rsa_sizes {
+     # TPM 2.0 should at least support RSA2048.
+     echo "2048"
+ }
++
++function grub_platform_parameters {
++    echo "--target-platform tpm2.0"
++}
+Index: fde-tools-0.7.2/share/systemd-boot
+===================================================================
+--- fde-tools-0.7.2.orig/share/systemd-boot
++++ fde-tools-0.7.2/share/systemd-boot
+@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge
+ alias bootloader_remove_keyslots=systemd_remove_keyslots
+ alias bootloader_wipe=systemd_wipe
+ alias bootloader_rsa_sizes=systemd_rsa_sizes
++alias bootloader_platform_parameters=systemd_platform_parameters
+ 
+ 
+ function not_implemented {
+@@ -183,3 +184,12 @@ function systemd_wipe {
+ function systemd_rsa_sizes {
+     echo "2048"
+ }
++
++##################################################################
++# This function shows the boot loader specific parameters for
++# pcr-oracle.
++##################################################################
++function systemd_platform_parameters {
++
++    echo "--target-platform systemd"
++}
+Index: fde-tools-0.7.2/share/tpm
+===================================================================
+--- fde-tools-0.7.2.orig/share/tpm
++++ fde-tools-0.7.2/share/tpm
+@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size {
+     echo "$__fde_rsa_key_size"
+ }
+ 
++function tpm_platform_parameters {
++    declare -g __fde_platform_param
++
++    if [ -n "$__fde_platform_param" ]; then
++	echo "$__fde_platform_param"
++	return
++    fi
++
++    # Check if pcr-oracle supports "--target-platform"
++    if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then
++	__fde_platform_param="--key-format tpm2.0"
++	echo "$__fde_platform_param"
++	return
++    fi
++
++    __fde_platform_param=$(bootloader_platform_parameters)
++    echo "$__fde_platform_param"
++}
++
+ function tpm_seal_key {
+ 
+     local secret=$1
+     local sealed_secret=$2
+ 
+-    local opt_rsa_bits=
++    local extra_opts=$(tpm_platform_parameters)
+     local rsa_size=$(tpm_get_rsa_key_size)
+ 
+     if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
+-	opt_rsa_bits="--rsa-bits ${rsa_size}"
++	extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
+     fi
+ 
+     echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
+-    pcr-oracle ${opt_rsa_bits} \
++    pcr-oracle ${extra_opts} \
+ 			--input "$secret" --output "$sealed_secret" \
+-			--key-format tpm2.0 \
+ 			--algorithm "$FDE_SEAL_PCR_BANK" \
+ 			--from eventlog \
+ 			--stop-event "$FDE_STOP_EVENT" \
+@@ -151,19 +169,18 @@ function tpm_seal_secret {
+     local sealed_secret="$2"
+     local authorized_policy="$3"
+ 
+-    local opt_rsa_bits=
++    local extra_opts=$(tpm_platform_parameters)
+     local rsa_size=$(tpm_get_rsa_key_size)
+ 
+     if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
+-	opt_rsa_bits="--rsa-bits ${rsa_size}"
++	extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
+     fi
+ 
+     # If we are expected to use an authorized policy, seal the secret
+     # against that, using pcr-oracle rather than the tpm2 tools
+     if [ -n "$authorized_policy" ]; then
+-	pcr-oracle ${opt_rsa_bits} \
++	pcr-oracle ${extra_opts} \
+ 			--authorized-policy "$authorized_policy" \
+-			--key-format tpm2.0 \
+ 			--input $secret \
+ 			--output $sealed_secret \
+ 			seal-secret
+@@ -246,8 +263,9 @@ function tpm_authorize {
+     sealed_key_file="$2"
+     signed_key_file="$3"
+ 
+-    pcr-oracle \
+-		--key-format tpm2.0 \
++    local extra_opts=$(tpm_platform_parameters)
++
++    pcr-oracle ${extra_opts} \
+ 		--algorithm "$FDE_SEAL_PCR_BANK" \
+                 --private-key "$private_key_file" \
+                 --from eventlog \

fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch

@@ -0,0 +1,51 @@
+From 63714d6ab724082b72abd07474bf52ef47e718d4 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 19 Apr 2024 15:02:50 +0800
+Subject: [PATCH] tpm: fix tpm-present with the newer pcr-oracle
+
+Modify tpm_test() to use the tpm2.0 key format for sealing and unsealing
+to be compatible with the newer pcr-oracle.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ share/tpm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/share/tpm b/share/tpm
+index 47d72dc..4993351 100644
+--- a/share/tpm
++++ b/share/tpm
+@@ -182,6 +182,8 @@ function tpm_test {
+ 
+     key_size=$1
+ 
++    local extra_opts=$(tpm_platform_parameters)
++
+     secret=$(fde_make_tempfile secret)
+     dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2
+ 
+@@ -193,18 +195,18 @@ function tpm_test {
+     dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2
+ 
+     fde_trace "Testing TPM seal/unseal"
+-    pcr-oracle \
++    pcr-oracle ${extra_opts} \
+ 	--algorithm "$FDE_SEAL_PCR_BANK" \
+         --input "$secret" \
+         --output "$sealed_secret" \
+         --from current \
+         seal-secret "$FDE_SEAL_PCR_LIST"
+ 
+-    pcr-oracle \
++    pcr-oracle ${extra_opts} \
+ 	--algorithm "$FDE_SEAL_PCR_BANK" \
+         --input "$sealed_secret" \
+         --output "$recovered" \
+-        unseal-secret "$FDE_SEAL_PCR_LIST"
++        unseal-secret
+ 
+     if ! cmp "$secret" "$recovered"; then
+         fde_trace "BAD: Unable to recover original secret"
+-- 
+2.35.3
+

fde-tools-bsc1220160-conditional-requires.patch

@@ -1,7 +1,7 @@
-From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001
+From 5f5dc57da2ee1abc3bf63e5389294d97a6027ae8 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Tue, 5 Mar 2024 14:51:57 +0800
-Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper
+Subject: [PATCH 1/2] macros.fde-tpm-helper: conditionally requires the helper
 
 fde-tpm-helper is only used when fde-tools is installed. Update the rpm
 macro to make fde-tpm-helper an conditional "Requires".
@@ -24,3 +24,53 @@ index 1ec3a4e..3c89e2b 100644
 -- 
 2.35.3
 
+
+From 222c145943cde082959de52f5a76dbdf0f254c92 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 7 Jun 2024 10:58:45 +0800
+Subject: [PATCH 2/2] macros.fde-tpm-helper: check if fde-tpm-helper exists
+
+Those rpm macros are only valid for the system with fde-tpm-helper so
+those commands should be skipped if fde-tpm-helper is not there.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ rpm-build/macros.fde-tpm-helper | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper
+index 3c89e2b..4ce09e9 100644
+--- a/rpm-build/macros.fde-tpm-helper
++++ b/rpm-build/macros.fde-tpm-helper
+@@ -1,16 +1,20 @@
+ %fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools)
+ 
+ %fde_tpm_update_post() \
+-mkdir -p %{_rundir}/fde-tpm-helper/ \
+-touch %{_rundir}/fde-tpm-helper/update \
+-for bl in %{?*}; do \
+-  echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
+-done \
++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \
++  mkdir -p %{_rundir}/fde-tpm-helper/ \
++  touch %{_rundir}/fde-tpm-helper/update \
++  for bl in %{?*}; do \
++    echo ${bl} >> %{_rundir}/fde-tpm-helper/update \
++  done \
++fi \
+ %nil
+ 
+ %fde_tpm_update_posttrans() \
+-if test -f %{_rundir}/fde-tpm-helper/update; then \
+-  %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \
+-  rm -f %{_rundir}/fde-tpm-helper/update \
++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \
++  if test -f %{_rundir}/fde-tpm-helper/update; then \
++    %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \
++    rm -f %{_rundir}/fde-tpm-helper/update \
++  fi \
+ fi \
+ %nil
+-- 
+2.35.3
+

fde-tools-change-rpm-macro-dir.patch

@@ -22,7 +22,7 @@ Index: fde-tools-0.7.2/Makefile
  FIRSTBOOTDIR	= $(DATADIR)/jeos-firstboot
  FDE_HELPER_DIR	= $(LIBEXECDIR)/fde
 -RPM_MACRO_DIR	= /etc/rpm
-++RPM_MACRO_DIR	?= /etc/rpm
++RPM_MACRO_DIR	?= /etc/rpm
  FIDO_LINK	= -lfido2 -lcrypto
  CRPYT_LINK	= -lcryptsetup -ljson-c
  TOOLS		= fde-token fdectl-grub-tpm2

fde-tools.changes

@@ -1,9 +1,36 @@
+-------------------------------------------------------------------
+Wed Jul 31 06:40:52 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add fde-tools-bsc1218181-replace-crypttab-key-path.patch to
+  change the key path in crypttab to avoid the unexpected error
+  (bsc#1218181)
+
+-------------------------------------------------------------------
+Fri Jun  7 07:52:30 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update fde-tools-bsc1220160-conditional-requires.patch to
+  check fde-tpm-helper in %post and %posttrans
+
+-------------------------------------------------------------------
+Thu May 30 06:53:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Fix fde-tools-change-rpm-macro-dir.patch which didn't set
+  RPM_MACRO_DIR correctly
+
 -------------------------------------------------------------------
 Tue May  7 05:53:20 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 
 - Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
   to make "pass" mandatory during firstboot (bsc#1223771)
 
+-------------------------------------------------------------------
+Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add patches to adopt the "--target-platform" option when using
+  the newer pcr-oracle (bsc#1218390)
+  + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+  + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+
 -------------------------------------------------------------------
 Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 

fde-tools.spec

@@ -35,7 +35,10 @@ Patch2:         fde-tools-change-rpm-macro-dir.patch
 Patch3:         fde-tools-bsc1220160-conditional-requires.patch
 Patch4:         fde-tools-bsc1222970-firstboot-replace-ALP.patch
 Patch5:         fde-tools-bsc1223002-firstboot-disable-ccid.patch
-Patch6:         fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
+Patch6:         fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+Patch7:         fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+Patch8:         fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
+Patch9:         fde-tools-bsc1218181-replace-crypttab-key-path.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)