diff --git a/fde-tools-bsc1218181-replace-crypttab-key-path.patch b/fde-tools-bsc1218181-replace-crypttab-key-path.patch
new file mode 100644
index 0000000..31c84d4
--- /dev/null
+++ b/fde-tools-bsc1218181-replace-crypttab-key-path.patch
@@ -0,0 +1,63 @@ +From b5ef2a580e28f80fc1634b32ebf7377b5c4ed40b Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 26 Jul 2024 16:27:20 +0800 +Subject: [PATCH] firstboot: replace the key file path in crypttab + +The key file path in crypttab is not necessary after the system +completes re-encryption since it becomes only a reference for GRUB2 when +generating the synthesized initrd to forward the disk key. Specifying a +key file path in the directory other than '/' could introduce the extra +dependency when unmounting the LUKS partitions and lead to the +unexpected error/warning. Unfortunately, the root partition is read-only +in SL-Micro, so KIWI has to create the key file in "/root". + +To avoid the unexpected error/warning, this commit replace the key file +path with "/.virtual-root.key" after the firstboot script removes the +default key file. This makes dracut/systemd believe that the key file is +in the root partition, so there is no extra dependency when unmounting +the LUKS partitions. + +The initrd also needs to be re-generated at the end to reflect the +change in /etc/crypttab. 
+ +FIXES: bsc#1218181 + +Signed-off-by: Gary Lin +--- + firstboot/fde | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/firstboot/fde b/firstboot/fde +index 59fdb92..b917a35 100755 +--- a/firstboot/fde ++++ b/firstboot/fde +@@ -112,6 +112,11 @@ function fde_setup_encrypted { + return 1 + fi + rm -f "${luks_keyfile}" ++ ++ # Replace the key file path in /etc/crypttab with "/.virtual-root.key" ++ # to avoid errors when unmounting the LUKS partition (bsc#1218181) ++ sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab ++ + luks_keyfile="" + fi + +@@ -152,11 +157,12 @@ function fde_setup_encrypted { + # Remove the password file + rm -f ${pass_keyfile} + +- # Update /boot/grub2/grub.cfg ++ # Update initrd and /boot/grub2/grub.cfg + if test -d "/boot/writable"; then +- transactional-update grub.cfg ++ transactional-update initrd grub.cfg + transactional-update apply + else ++ dracut -f + grub2-mkconfig -o /boot/grub2/grub.cfg + fi + +-- +2.35.3 + diff --git a/fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch b/fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch new file mode 100644 index 0000000..343f180 --- /dev/null +++ b/fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch 
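Review bot: The new `sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab` in fde_setup_encrypted uses the key file path as an unescaped basic regex, so a `.` in the path matches any character and a `,` or another metacharacter in the path would either break the expression or miss the crypttab entry. If the path is always the fixed KIWI-generated file the description mentions this is harmless in practice, but a literal match is cheap: `escaped=$(printf '%s' "$luks_keyfile" | sed 's/[][\.*^$,]/\\&/g')` followed by `sed -i "s,${escaped},/.virtual-root.key,g" /etc/crypttab`. The second hunk of the patch also leaves the new `dracut -f` and `transactional-update initrd grub.cfg` results unchecked, so a failed initrd rebuild is not reported even though crypttab now names a key path that only the regenerated initrd reflects. fde_setup_encrypted starts before and ends after both hunks.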
@@ -0,0 +1,144 @@ +From fcabeca594d090e4172b88ae5176c947b2dd7c45 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 1 Dec 2023 17:11:22 +0800 +Subject: [PATCH] Switch to "--target-platform" when available + +Check if pcr-oracle supports "--target-platform" and replace +"--key-format" with "--target-platform" if the option is available. + +Signed-off-by: Gary Lin +--- + share/grub2 | 5 +++++ + share/systemd-boot | 10 ++++++++++ + share/tpm | 37 +++++++++++++++++++++++++++---------- + 3 files changed, 42 insertions(+), 10 deletions(-) + +Index: fde-tools-0.7.2/share/grub2 +=================================================================== +--- fde-tools-0.7.2.orig/share/grub2 ++++ fde-tools-0.7.2/share/grub2 +@@ -34,6 +34,7 @@ alias bootloader_get_keyslots=grub_get_k + alias bootloader_remove_keyslots=grub_remove_keyslots + alias bootloader_wipe=grub_wipe + alias bootloader_rsa_sizes=grub_rsa_sizes ++alias bootloader_platform_parameters=grub_platform_parameters + + ################################################################## + # Edit a variable in /etc/default/grub +@@ -244,3 +245,7 @@ function grub_rsa_sizes { + # TPM 2.0 should at least support RSA2048. 
+ echo "2048" + } ++ ++function grub_platform_parameters { ++ echo "--target-platform tpm2.0" ++} +Index: fde-tools-0.7.2/share/systemd-boot +=================================================================== +--- fde-tools-0.7.2.orig/share/systemd-boot ++++ fde-tools-0.7.2/share/systemd-boot +@@ -37,6 +37,7 @@ alias bootloader_get_keyslots=systemd_ge + alias bootloader_remove_keyslots=systemd_remove_keyslots + alias bootloader_wipe=systemd_wipe + alias bootloader_rsa_sizes=systemd_rsa_sizes ++alias bootloader_platform_parameters=systemd_platform_parameters + + + function not_implemented { +@@ -183,3 +184,12 @@ function systemd_wipe { + function systemd_rsa_sizes { + echo "2048" + } ++ ++################################################################## ++# This function shows the boot loader specific parameters for ++# pcr-oracle. ++################################################################## ++function systemd_platform_parameters { ++ ++ echo "--target-platform systemd" ++} +Index: fde-tools-0.7.2/share/tpm +=================================================================== +--- fde-tools-0.7.2.orig/share/tpm ++++ fde-tools-0.7.2/share/tpm +@@ -82,22 +82,40 @@ function tpm_get_rsa_key_size { + echo "$__fde_rsa_key_size" + } + ++function tpm_platform_parameters { ++ declare -g __fde_platform_param ++ ++ if [ -n "$__fde_platform_param" ]; then ++ echo "$__fde_platform_param" ++ return ++ fi ++ ++ # Check if pcr-oracle supports "--target-platform" ++ if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then ++ __fde_platform_param="--key-format tpm2.0" ++ echo "$__fde_platform_param" ++ return ++ fi ++ ++ __fde_platform_param=$(bootloader_platform_parameters) ++ echo "$__fde_platform_param" ++} ++ + function tpm_seal_key { + + local secret=$1 + local sealed_secret=$2 + +- local opt_rsa_bits= ++ local extra_opts=$(tpm_platform_parameters) + local rsa_size=$(tpm_get_rsa_key_size) + + if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then +- 
opt_rsa_bits="--rsa-bits ${rsa_size}" ++ extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi + + echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 +- pcr-oracle ${opt_rsa_bits} \ ++ pcr-oracle ${extra_opts} \ + --input "$secret" --output "$sealed_secret" \ +- --key-format tpm2.0 \ + --algorithm "$FDE_SEAL_PCR_BANK" \ + --from eventlog \ + --stop-event "$FDE_STOP_EVENT" \ +@@ -151,19 +169,18 @@ function tpm_seal_secret { + local sealed_secret="$2" + local authorized_policy="$3" + +- local opt_rsa_bits= ++ local extra_opts=$(tpm_platform_parameters) + local rsa_size=$(tpm_get_rsa_key_size) + + if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then +- opt_rsa_bits="--rsa-bits ${rsa_size}" ++ extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi + + # If we are expected to use an authorized policy, seal the secret + # against that, using pcr-oracle rather than the tpm2 tools + if [ -n "$authorized_policy" ]; then +- pcr-oracle ${opt_rsa_bits} \ ++ pcr-oracle ${extra_opts} \ + --authorized-policy "$authorized_policy" \ +- --key-format tpm2.0 \ + --input $secret \ + --output $sealed_secret \ + seal-secret +@@ -246,8 +263,9 @@ function tpm_authorize { + sealed_key_file="$2" + signed_key_file="$3" + +- pcr-oracle \ +- --key-format tpm2.0 \ ++ local extra_opts=$(tpm_platform_parameters) ++ ++ pcr-oracle ${extra_opts} \ + --algorithm "$FDE_SEAL_PCR_BANK" \ + --private-key "$private_key_file" \ + --from eventlog \ diff --git a/fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch b/fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch new file mode 100644 index 0000000..c28364a --- /dev/null +++ b/fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch 
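Review bot: tpm_platform_parameters decides between `--key-format` and `--target-platform` by grepping the probe's output for the literal "unrecognized option", so any other outcome of the probe (pcr-oracle missing from PATH, a differently worded or localized getopt message) falls through to the `--target-platform` branch and every later pcr-oracle call then carries an option the installed binary may not accept. Testing the positive case would be safer, e.g. `if pcr-oracle --help 2>&1 | grep -q -- '--target-platform'; then` with `--key-format tpm2.0` as the fallback, assuming the newer pcr-oracle lists the option in its usage text, which is worth confirming. Because the result is memoized in `__fde_platform_param`, a wrong probe result is sticky for the whole run and is reused by the tpm_seal_key, tpm_seal_secret and tpm_authorize hunks below. A short comment on the function stating that it never fails and that the fallback is the legacy option would also help the next reader.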
@@ -0,0 +1,51 @@ +From 63714d6ab724082b72abd07474bf52ef47e718d4 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 19 Apr 2024 15:02:50 +0800 +Subject: [PATCH] tpm: fix tpm-present with the newer pcr-oracle + +Modify tpm_test() to use the tpm2.0 key format for sealing and unsealing +to be compatible with the newer pcr-oracle. + +Signed-off-by: Gary Lin +--- + share/tpm | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/share/tpm b/share/tpm +index 47d72dc..4993351 100644 +--- a/share/tpm ++++ b/share/tpm +@@ -182,6 +182,8 @@ function tpm_test { + + key_size=$1 + ++ local extra_opts=$(tpm_platform_parameters) ++ + secret=$(fde_make_tempfile secret) + dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 + +@@ -193,18 +195,18 @@ function tpm_test { + dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 + + fde_trace "Testing TPM seal/unseal" +- pcr-oracle \ ++ pcr-oracle ${extra_opts} \ + --algorithm "$FDE_SEAL_PCR_BANK" \ + --input "$secret" \ + --output "$sealed_secret" \ + --from current \ + seal-secret "$FDE_SEAL_PCR_LIST" + +- pcr-oracle \ ++ pcr-oracle ${extra_opts} \ + --algorithm "$FDE_SEAL_PCR_BANK" \ + --input "$sealed_secret" \ + --output "$recovered" \ +- unseal-secret "$FDE_SEAL_PCR_LIST" ++ unseal-secret + + if ! cmp "$secret" "$recovered"; then + fde_trace "BAD: Unable to recover original secret" +-- +2.35.3 + diff --git a/fde-tools-bsc1220160-conditional-requires.patch b/fde-tools-bsc1220160-conditional-requires.patch index c6786df..cd4ff73 100644 --- a/fde-tools-bsc1220160-conditional-requires.patch +++ b/fde-tools-bsc1220160-conditional-requires.patch @@ -1,7 +1,7 @@ -From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001 +From 5f5dc57da2ee1abc3bf63e5389294d97a6027ae8 Mon Sep 17 00:00:00 2001 
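Review bot: The rewritten seal and unseal calls in tpm_test still run without checking pcr-oracle's exit status, so if the probed `${extra_opts}` is rejected, or the argument-less `unseal-secret` is not understood by the installed version, the failure only surfaces indirectly when `cmp "$secret" "$recovered"` trips over a missing file. Guarding each call, e.g. `pcr-oracle ${extra_opts} ... seal-secret "$FDE_SEAL_PCR_LIST" || { fde_trace "BAD: seal-secret failed"; return 1; }`, names the step that actually failed; the return value tpm_test uses for failure is not visible here and should match the rest of the function. tpm_test starts before and ends after the hunk, and it relies on tpm_platform_parameters being introduced by the companion Switch-to-target-platform patch, so the two patches must keep that order when applied.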
From: Gary Lin Date: Tue, 5 Mar 2024 14:51:57 +0800 -Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper +Subject: [PATCH 1/2] macros.fde-tpm-helper: conditionally requires the helper fde-tpm-helper is only used when fde-tools is installed. Update the rpm macro to make fde-tpm-helper an conditional "Requires". 
@@ -24,3 +24,53 @@ index 1ec3a4e..3c89e2b 100644 -- 2.35.3 + +From 222c145943cde082959de52f5a76dbdf0f254c92 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 7 Jun 2024 10:58:45 +0800 +Subject: [PATCH 2/2] macros.fde-tpm-helper: check if fde-tpm-helper exists + +Those rpm macros are only valid for the system with fde-tpm-helper so +those commands should be skipped if fde-tpm-helper is not there. + +Signed-off-by: Gary Lin +--- + rpm-build/macros.fde-tpm-helper | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper +index 3c89e2b..4ce09e9 100644 +--- a/rpm-build/macros.fde-tpm-helper ++++ b/rpm-build/macros.fde-tpm-helper +@@ -1,16 +1,20 @@ + %fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools) + + %fde_tpm_update_post() \ +-mkdir -p %{_rundir}/fde-tpm-helper/ \ +-touch %{_rundir}/fde-tpm-helper/update \ +-for bl in %{?*}; do \ +- echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ +-done \ ++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ ++ mkdir -p %{_rundir}/fde-tpm-helper/ \ ++ touch %{_rundir}/fde-tpm-helper/update \ ++ for bl in %{?*}; do \ ++ echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ ++ done \ ++fi \ + %nil + + %fde_tpm_update_posttrans() \ +-if test -f %{_rundir}/fde-tpm-helper/update; then \ +- %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ +- rm -f %{_rundir}/fde-tpm-helper/update \ ++if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ ++ if test -f %{_rundir}/fde-tpm-helper/update; then \ ++ %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ ++ rm -f %{_rundir}/fde-tpm-helper/update \ ++ fi \ + fi \ + %nil +-- +2.35.3 + diff --git a/fde-tools-change-rpm-macro-dir.patch b/fde-tools-change-rpm-macro-dir.patch index 2ec8dcf..9c9117b 100644 --- a/fde-tools-change-rpm-macro-dir.patch +++ b/fde-tools-change-rpm-macro-dir.patch 
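Review bot: The new `test -x %{_libexecdir}/fde/fde-tpm-helper` guard in %fde_tpm_update_post runs at %post time, but the declared dependency is `Requires(posttrans)`, which only guarantees the helper is present by %posttrans; if fde-tpm-helper is installed in the same transaction and ordered after the package using the macro, that package's %post skips writing the update marker and the %posttrans run then finds nothing to do, so the helper is silently never invoked for that update. Keeping the marker write in %fde_tpm_update_post unconditional (a file under %{_rundir} is harmless when no helper exists) and guarding only %fde_tpm_update_posttrans avoids that gap. Separately, the retained `"`cat %{_rundir}/fde-tpm-helper/update | uniq`"` only collapses adjacent duplicates, so `sort -u` would be needed if true de-duplication of the bootloader list is intended.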
@@ -22,7 +22,7 @@ Index: fde-tools-0.7.2/Makefile FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot FDE_HELPER_DIR = $(LIBEXECDIR)/fde -RPM_MACRO_DIR = /etc/rpm -++RPM_MACRO_DIR ?= /etc/rpm ++RPM_MACRO_DIR ?= /etc/rpm FIDO_LINK = -lfido2 -lcrypto CRPYT_LINK = -lcryptsetup -ljson-c TOOLS = fde-token fdectl-grub-tpm2 diff --git a/fde-tools.changes b/fde-tools.changes index 4766bea..04e269e 100644 --- a/fde-tools.changes +++ b/fde-tools.changes @@ -1,9 +1,36 @@ +------------------------------------------------------------------- +Wed Jul 31 06:40:52 UTC 2024 - Gary Ching-Pang Lin + +- Add fde-tools-bsc1218181-replace-crypttab-key-path.patch to + change the key path in crypttab to avoid the unexpected error + (bsc#1218181) + +------------------------------------------------------------------- +Fri Jun 7 07:52:30 UTC 2024 - Gary Ching-Pang Lin + +- Update fde-tools-bsc1220160-conditional-requires.patch to + check fde-tpm-helper in %post and %posttrans + +------------------------------------------------------------------- +Thu May 30 06:53:32 UTC 2024 - Gary Ching-Pang Lin + +- Fix fde-tools-change-rpm-macro-dir.patch which didn't set + RPM_MACRO_DIR correctly + ------------------------------------------------------------------- Tue May 7 05:53:20 UTC 2024 - Gary Ching-Pang Lin - Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch to make "pass" mandatory during firstboot (bsc#1223771) +------------------------------------------------------------------- +Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin + +- Add patches to adopt the "--target-platform" option when using + the newer pcr-oracle (bsc#1218390) + + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + ------------------------------------------------------------------- Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin diff --git a/fde-tools.spec b/fde-tools.spec index 94113cb..8ee0201 100644 --- a/fde-tools.spec 
+++ b/fde-tools.spec
@@ -35,7 +35,10 @@ Patch2: fde-tools-change-rpm-macro-dir.patch
 Patch3: fde-tools-bsc1220160-conditional-requires.patch
 Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch
 Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
-Patch6: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
+Patch6: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
+Patch7: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
+Patch8: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
+Patch9: fde-tools-bsc1218181-replace-crypttab-key-path.patch
 BuildRequires: help2man
 BuildRequires: pkgconfig(json-c)
 BuildRequires: pkgconfig(libcryptsetup)
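Review bot: Renumbering the pass-phrase patch from Patch6 to Patch8 and inserting Patch6, Patch7 and Patch9 is only complete if %prep applies the patches by tag; if the spec uses explicit `%patch6 -p1` style lines instead of `%autosetup`/`%autopatch`, those lines (outside this hunk) need the same renumbering, otherwise the three new patches are never applied and the old Patch6 line now applies a different patch. The order chosen here matters and is worth a comment in the spec: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch calls tpm_platform_parameters, which only exists after fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch, so Patch6 must stay ahead of Patch7.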