Compare commits
7 Commits
84b1ae7fc7
...
main
| Author | SHA256 | Date | |
|---|---|---|---|
| c09005f52b | |||
| fd86860d5b | |||
| 2a9165618c | |||
| 2c62fd8bbc | |||
| 8b0a4adec3 | |||
| d8bd15525e | |||
| 9cbd480d71 |
BIN
fde-tools-0.7.2.tar.bz2
(Stored with Git LFS)
BIN
fde-tools-0.7.2.tar.bz2
(Stored with Git LFS)
Binary file not shown.
BIN
fde-tools-0.7.3.tar.bz2
(Stored with Git LFS)
Normal file
BIN
fde-tools-0.7.3.tar.bz2
(Stored with Git LFS)
Normal file
Binary file not shown.
@@ -1,409 +0,0 @@
|
||||
From 7ab5a433c9fcc8cd56f8f9f7657b32282cb00ee8 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Fri, 6 Oct 2023 16:24:54 +0800
|
||||
Subject: [PATCH 1/3] Set the RSA key size automatically
|
||||
|
||||
This commit utilizes the new pcr-oracle command, rsa-test, to detect the
|
||||
highest RSA key size supported by the TPM chip and then uses the key
|
||||
size for the TPM SRK and the private sign key.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
share/grub2 | 1 +
|
||||
share/tpm | 53 ++++++++++++++++++++++++++++++++++++++++++++++++---
|
||||
sysconfig.fde | 4 ++++
|
||||
3 files changed, 55 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/share/grub2 b/share/grub2
|
||||
index aacd20c..97c8d86 100644
|
||||
--- a/share/grub2
|
||||
+++ b/share/grub2
|
||||
@@ -82,6 +82,7 @@ function grub_update_early_config {
|
||||
|
||||
grub_set_control GRUB_ENABLE_CRYPTODISK "y"
|
||||
grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
|
||||
+ grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
|
||||
|
||||
# Do not clear the password implicitly; require fdectl or
|
||||
# jeos firstboot to do so explicitly.
|
||||
diff --git a/share/tpm b/share/tpm
|
||||
index 0cc507a..0396e7e 100644
|
||||
--- a/share/tpm
|
||||
+++ b/share/tpm
|
||||
@@ -42,13 +42,47 @@ function tpm_present_and_working {
|
||||
return 0
|
||||
}
|
||||
|
||||
+function tpm_set_rsa_key_size {
|
||||
+
|
||||
+ # Check if pcr-oracle supports rsa-test
|
||||
+ # If pcr-oracle prints "Unknown action", fall back to default.
|
||||
+ if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
|
||||
+ fde_set_variable FDE_RSA_KEY_SIZE "2048"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ # Find the highest supported RSA key size
|
||||
+ sizes_to_test="4096 3072 2048"
|
||||
+
|
||||
+ for size in ${sizes_to_test}; do
|
||||
+ if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
|
||||
+ fde_set_variable FDE_RSA_KEY_SIZE "${size}"
|
||||
+ return 0
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ fde_trace "Failed to find a valid RSA key size"
|
||||
+ return 1
|
||||
+}
|
||||
+
|
||||
function tpm_seal_key {
|
||||
|
||||
secret=$1
|
||||
sealed_secret=$2
|
||||
|
||||
+ tpm_set_rsa_key_size
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ opt_rsa_bits=
|
||||
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
+ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ fi
|
||||
+
|
||||
echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
|
||||
- pcr-oracle --input "$secret" --output "$sealed_secret" \
|
||||
+ pcr-oracle ${opt_rsa_bits} \
|
||||
+ --input "$secret" --output "$sealed_secret" \
|
||||
--key-format tpm2.0 \
|
||||
--algorithm "$FDE_SEAL_PCR_BANK" \
|
||||
--from eventlog \
|
||||
@@ -97,17 +131,22 @@ function tpm_test {
|
||||
return $result
|
||||
}
|
||||
|
||||
-
|
||||
function tpm_seal_secret {
|
||||
|
||||
secret="$1"
|
||||
sealed_secret="$2"
|
||||
authorized_policy="$3"
|
||||
|
||||
+ opt_rsa_bits=
|
||||
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
+ opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ fi
|
||||
+
|
||||
# If we are expected to use an authorized policy, seal the secret
|
||||
# against that, using pcr-oracle rather than the tpm2 tools
|
||||
if [ -n "$authorized_policy" ]; then
|
||||
- pcr-oracle --authorized-policy "$authorized_policy" \
|
||||
+ pcr-oracle ${opt_rsa_bits} \
|
||||
+ --authorized-policy "$authorized_policy" \
|
||||
--key-format tpm2.0 \
|
||||
--input $secret \
|
||||
--output $sealed_secret \
|
||||
@@ -157,6 +196,14 @@ function tpm_create_authorized_policy {
|
||||
extra_opts=
|
||||
if [ ! -f "$secret_key" ]; then
|
||||
extra_opts="--rsa-generate-key"
|
||||
+
|
||||
+ tpm_set_rsa_key_size
|
||||
+ if [ $? -ne 0 ]; then
|
||||
+ return 1
|
||||
+ fi
|
||||
+ if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
+ extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ fi
|
||||
fi
|
||||
|
||||
pcr-oracle $extra_opts \
|
||||
diff --git a/sysconfig.fde b/sysconfig.fde
|
||||
index a3435fe..f3ee38b 100644
|
||||
--- a/sysconfig.fde
|
||||
+++ b/sysconfig.fde
|
||||
@@ -36,3 +36,7 @@ FDE_DEVS=""
|
||||
# the bootloader update
|
||||
# Set to yes/no
|
||||
FDE_TPM_AUTO_UPDATE="yes"
|
||||
+
|
||||
+# The RSA key size to be used for SRK and the private sign key
|
||||
+# NOTE: Do not touch this variable. It's updated by fdectl automatically.
|
||||
+FDE_RSA_KEY_SIZE="2048"
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
||||
From bee71824675721ae73ce770c0e846f0aba48b441 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Fri, 3 Nov 2023 15:04:00 +0800
|
||||
Subject: [PATCH 2/3] Detect the RSA sizes supported by the bootloader
|
||||
|
||||
The bootloader may not support the SRK algorithm other than RSA2048.
|
||||
Use the bootloader specific function to detect the supported RSA sizes.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
share/grub2 | 19 +++++++++++++++++++
|
||||
share/systemd-boot | 8 ++++++++
|
||||
share/tpm | 2 +-
|
||||
3 files changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/share/grub2 b/share/grub2
|
||||
index 97c8d86..cde7680 100644
|
||||
--- a/share/grub2
|
||||
+++ b/share/grub2
|
||||
@@ -33,6 +33,7 @@ alias bootloader_commit_config=grub_commit_config
|
||||
alias bootloader_get_keyslots=grub_get_keyslots
|
||||
alias bootloader_remove_keyslots=grub_remove_keyslots
|
||||
alias bootloader_wipe=grub_wipe
|
||||
+alias bootloader_rsa_sizes=grub_rsa_sizes
|
||||
|
||||
##################################################################
|
||||
# Edit a variable in /etc/default/grub
|
||||
@@ -224,3 +225,21 @@ function grub_wipe {
|
||||
|
||||
grub_remove_keyslots ${luks_dev}
|
||||
}
|
||||
+
|
||||
+function grub_rsa_sizes {
|
||||
+
|
||||
+ # Check if the shim-install script supports the SRK algorithm selection.
|
||||
+ if ! grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"; then
|
||||
+ echo "2048"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ # Check if grub2 supports the RSA4096 SRK.
|
||||
+ if grub2-protect --help | grep -q "RSA4096"; then
|
||||
+ echo "4096 3072 2048"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ # TPM 2.0 should at least support RSA2048.
|
||||
+ echo "2048"
|
||||
+}
|
||||
diff --git a/share/systemd-boot b/share/systemd-boot
|
||||
index a9475a7..27cb088 100644
|
||||
--- a/share/systemd-boot
|
||||
+++ b/share/systemd-boot
|
||||
@@ -36,6 +36,7 @@ alias bootloader_commit_config=systemd_commit_config
|
||||
alias bootloader_get_keyslots=systemd_get_keyslots
|
||||
alias bootloader_remove_keyslots=systemd_remove_keyslots
|
||||
alias bootloader_wipe=systemd_wipe
|
||||
+alias bootloader_rsa_sizes=systemd_rsa_sizes
|
||||
|
||||
|
||||
function not_implemented {
|
||||
@@ -175,3 +176,10 @@ function systemd_wipe {
|
||||
|
||||
not_implemented
|
||||
}
|
||||
+
|
||||
+##################################################################
|
||||
+# This function lists all the supported RSA key sizes for SRK.
|
||||
+##################################################################
|
||||
+function systemd_rsa_sizes {
|
||||
+ echo "2048"
|
||||
+}
|
||||
diff --git a/share/tpm b/share/tpm
|
||||
index 0396e7e..00a0016 100644
|
||||
--- a/share/tpm
|
||||
+++ b/share/tpm
|
||||
@@ -52,7 +52,7 @@ function tpm_set_rsa_key_size {
|
||||
fi
|
||||
|
||||
# Find the highest supported RSA key size
|
||||
- sizes_to_test="4096 3072 2048"
|
||||
+ sizes_to_test=$(bootloader_rsa_sizes)
|
||||
|
||||
for size in ${sizes_to_test}; do
|
||||
if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
||||
From 8912fa960fcecd218b05df45dae471180ebac156 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Wed, 22 Nov 2023 15:35:26 +0800
|
||||
Subject: [PATCH 3/3] Refactor the RSA key size code to make it more flexible
|
||||
|
||||
Originally, FDE_RSA_KEY_SIZE was updated automatically and used as a
|
||||
global variable for both tpm and grub2 scripts. However, there may be a
|
||||
case that the user has to stick to a specific RSA key size due to some
|
||||
bug or defect. This commit refactors the RSA key size code to make
|
||||
FDE_RSA_KEY_SIZE empty by default and honor the user setting if the size
|
||||
is specified.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
share/grub2 | 5 ++--
|
||||
share/tpm | 79 ++++++++++++++++++++++++++++++---------------------
|
||||
sysconfig.fde | 5 ++--
|
||||
3 files changed, 52 insertions(+), 37 deletions(-)
|
||||
|
||||
diff --git a/share/grub2 b/share/grub2
|
||||
index cde7680..95d4b15 100644
|
||||
--- a/share/grub2
|
||||
+++ b/share/grub2
|
||||
@@ -79,11 +79,12 @@ function grub_get_fde_password {
|
||||
##################################################################
|
||||
function grub_update_early_config {
|
||||
|
||||
- sealed_key_file="$1"
|
||||
+ local sealed_key_file="$1"
|
||||
+ local rsa_key_size=$(tpm_get_rsa_key_size)
|
||||
|
||||
grub_set_control GRUB_ENABLE_CRYPTODISK "y"
|
||||
grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file"
|
||||
- grub_set_control GRUB_TPM2_SRK_ALG "RSA${FDE_RSA_KEY_SIZE}"
|
||||
+ grub_set_control GRUB_TPM2_SRK_ALG "RSA${rsa_key_size}"
|
||||
|
||||
# Do not clear the password implicitly; require fdectl or
|
||||
# jeos firstboot to do so explicitly.
|
||||
diff --git a/share/tpm b/share/tpm
|
||||
index 00a0016..43747e7 100644
|
||||
--- a/share/tpm
|
||||
+++ b/share/tpm
|
||||
@@ -42,13 +42,28 @@ function tpm_present_and_working {
|
||||
return 0
|
||||
}
|
||||
|
||||
-function tpm_set_rsa_key_size {
|
||||
+function tpm_get_rsa_key_size {
|
||||
+
|
||||
+ declare -g __fde_rsa_key_size
|
||||
+
|
||||
+ if [ -n "$__fde_rsa_key_size" ]; then
|
||||
+ echo "$__fde_rsa_key_size"
|
||||
+ return
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "$FDE_RSA_KEY_SIZE" ]; then
|
||||
+ # TODO validate $FDE_RSA_KEY_SIZE
|
||||
+ __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
|
||||
+ echo "$__fde_rsa_key_size"
|
||||
+ return
|
||||
+ fi
|
||||
|
||||
# Check if pcr-oracle supports rsa-test
|
||||
# If pcr-oracle prints "Unknown action", fall back to default.
|
||||
if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then
|
||||
- fde_set_variable FDE_RSA_KEY_SIZE "2048"
|
||||
- return 0
|
||||
+ __fde_rsa_key_size="2048"
|
||||
+ echo "$__fde_rsa_key_size"
|
||||
+ return
|
||||
fi
|
||||
|
||||
# Find the highest supported RSA key size
|
||||
@@ -56,28 +71,27 @@ function tpm_set_rsa_key_size {
|
||||
|
||||
for size in ${sizes_to_test}; do
|
||||
if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then
|
||||
- fde_set_variable FDE_RSA_KEY_SIZE "${size}"
|
||||
- return 0
|
||||
+ __fde_rsa_key_size="${size}"
|
||||
+ echo "$__fde_rsa_key_size"
|
||||
+ return
|
||||
fi
|
||||
done
|
||||
|
||||
- fde_trace "Failed to find a valid RSA key size"
|
||||
- return 1
|
||||
+ fde_trace "Failed to find a valid RSA key size. Fall back to 2048"
|
||||
+ __fde_rsa_key_size="2048"
|
||||
+ echo "$__fde_rsa_key_size"
|
||||
}
|
||||
|
||||
function tpm_seal_key {
|
||||
|
||||
- secret=$1
|
||||
- sealed_secret=$2
|
||||
+ local secret=$1
|
||||
+ local sealed_secret=$2
|
||||
|
||||
- tpm_set_rsa_key_size
|
||||
- if [ $? -ne 0 ]; then
|
||||
- return 1
|
||||
- fi
|
||||
+ local opt_rsa_bits=
|
||||
+ local rsa_size=$(tpm_get_rsa_key_size)
|
||||
|
||||
- opt_rsa_bits=
|
||||
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
|
||||
+ opt_rsa_bits="--rsa-bits ${rsa_size}"
|
||||
fi
|
||||
|
||||
echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
|
||||
@@ -133,13 +147,15 @@ function tpm_test {
|
||||
|
||||
function tpm_seal_secret {
|
||||
|
||||
- secret="$1"
|
||||
- sealed_secret="$2"
|
||||
- authorized_policy="$3"
|
||||
+ local secret="$1"
|
||||
+ local sealed_secret="$2"
|
||||
+ local authorized_policy="$3"
|
||||
+
|
||||
+ local opt_rsa_bits=
|
||||
+ local rsa_size=$(tpm_get_rsa_key_size)
|
||||
|
||||
- opt_rsa_bits=
|
||||
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
- opt_rsa_bits="--rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
|
||||
+ opt_rsa_bits="--rsa-bits ${rsa_size}"
|
||||
fi
|
||||
|
||||
# If we are expected to use an authorized policy, seal the secret
|
||||
@@ -188,21 +204,18 @@ function tpm_set_authorized_policy_paths {
|
||||
|
||||
function tpm_create_authorized_policy {
|
||||
|
||||
- secret_key="$1"
|
||||
- output_policy="$2"
|
||||
- public_key="$3"
|
||||
+ local secret_key="$1"
|
||||
+ local output_policy="$2"
|
||||
+ local public_key="$3"
|
||||
|
||||
# Generate the private key if it does not exist
|
||||
- extra_opts=
|
||||
+ local extra_opts=
|
||||
if [ ! -f "$secret_key" ]; then
|
||||
- extra_opts="--rsa-generate-key"
|
||||
+ local rsa_size=$(tpm_get_rsa_key_size)
|
||||
|
||||
- tpm_set_rsa_key_size
|
||||
- if [ $? -ne 0 ]; then
|
||||
- return 1
|
||||
- fi
|
||||
- if [ -n "${FDE_RSA_KEY_SIZE}" -a ${FDE_RSA_KEY_SIZE} -ne 2048 ]; then
|
||||
- extra_opts="${extra_opts} --rsa-bits ${FDE_RSA_KEY_SIZE}"
|
||||
+ extra_opts="--rsa-generate-key"
|
||||
+ if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then
|
||||
+ extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
|
||||
fi
|
||||
fi
|
||||
|
||||
diff --git a/sysconfig.fde b/sysconfig.fde
|
||||
index f3ee38b..741f5b4 100644
|
||||
--- a/sysconfig.fde
|
||||
+++ b/sysconfig.fde
|
||||
@@ -38,5 +38,6 @@ FDE_DEVS=""
|
||||
FDE_TPM_AUTO_UPDATE="yes"
|
||||
|
||||
# The RSA key size to be used for SRK and the private sign key
|
||||
-# NOTE: Do not touch this variable. It's updated by fdectl automatically.
|
||||
-FDE_RSA_KEY_SIZE="2048"
|
||||
+# Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl
|
||||
+# to determine the size at runtime
|
||||
+FDE_RSA_KEY_SIZE=""
|
||||
--
|
||||
2.35.3
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
From 7f5a36bb82728a6cce66b15e6bb656ce05cf5978 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 5 Mar 2024 14:51:57 +0800
|
||||
Subject: [PATCH] macros.fde-tpm-helper: conditionally requires the helper
|
||||
|
||||
fde-tpm-helper is only used when fde-tools is installed. Update the rpm
|
||||
macro to make fde-tpm-helper an conditional "Requires".
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
rpm-build/macros.fde-tpm-helper | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/rpm-build/macros.fde-tpm-helper b/rpm-build/macros.fde-tpm-helper
|
||||
index 1ec3a4e..3c89e2b 100644
|
||||
--- a/rpm-build/macros.fde-tpm-helper
|
||||
+++ b/rpm-build/macros.fde-tpm-helper
|
||||
@@ -1,4 +1,4 @@
|
||||
-%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper
|
||||
+%fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools)
|
||||
|
||||
%fde_tpm_update_post() \
|
||||
mkdir -p %{_rundir}/fde-tpm-helper/ \
|
||||
--
|
||||
2.35.3
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
From e3dbd0eed64938a79d82a6916dee3925297ac082 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 18 Apr 2024 10:10:15 +0800
|
||||
Subject: [PATCH] firstboot: replace ALP with a neutral name
|
||||
|
||||
The script may be used in the system other than ALP. Replace "ALP" with
|
||||
"This system".
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
firstboot/fde | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/firstboot/fde b/firstboot/fde
|
||||
index 0f94829..a4e5c15 100755
|
||||
--- a/firstboot/fde
|
||||
+++ b/firstboot/fde
|
||||
@@ -228,7 +228,7 @@ function fde_choose_protection {
|
||||
|
||||
FDE_PROTECTION=""
|
||||
|
||||
- message="ALP can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption"
|
||||
+ message="This system can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption"
|
||||
options+=(pass 'Pass phrase' on)
|
||||
|
||||
if ! tpm_present_and_working; then
|
||||
--
|
||||
2.35.3
|
||||
|
||||
@@ -1,30 +0,0 @@
|
||||
From 10672433c10ce391f126f426f86eb85fc4dffa73 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 18 Apr 2024 10:13:30 +0800
|
||||
Subject: [PATCH] firstboot: disable the ccid option
|
||||
|
||||
Since ccid token is still not supported, disable the option until we
|
||||
really implement it.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
firstboot/fde | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/firstboot/fde b/firstboot/fde
|
||||
index a4e5c15..4911b32 100755
|
||||
--- a/firstboot/fde
|
||||
+++ b/firstboot/fde
|
||||
@@ -237,7 +237,8 @@ function fde_choose_protection {
|
||||
options+=(tpm 'Stored inside the TPM chip' on)
|
||||
fi
|
||||
|
||||
- options+=(ccid 'Stored inside a CCID capable token' off)
|
||||
+ # Disable the ccid option until we really implement it
|
||||
+ # options+=(ccid 'Stored inside a CCID capable token' off)
|
||||
|
||||
while true; do
|
||||
d --title "Full Disk Encryption" --checklist \
|
||||
--
|
||||
2.35.3
|
||||
|
||||
31
fde-tools-bsc1243877-firstboot-remove-key-conf.patch
Normal file
31
fde-tools-bsc1243877-firstboot-remove-key-conf.patch
Normal file
@@ -0,0 +1,31 @@
|
||||
From 80b2c20abfee7cc40d99c55bcc617de23abc4134 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 5 Jun 2025 10:49:45 +0800
|
||||
Subject: [PATCH] firstboot: remove the dracut conf for the key file
|
||||
|
||||
KIWI inserts a dracut conf to include the default key file into initrd.
|
||||
Since the key file is not used after reencryption, the dracut conf
|
||||
should be removed to avoid the potential error from dracut.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
firstboot/fde | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/firstboot/fde b/firstboot/fde
|
||||
index 94bfb0a..c948e88 100755
|
||||
--- a/firstboot/fde
|
||||
+++ b/firstboot/fde
|
||||
@@ -146,6 +146,9 @@ function fde_setup_encrypted {
|
||||
|
||||
rm -f "${luks_keyfile}"
|
||||
|
||||
+ # Remove the dracut conf for the key file
|
||||
+ rm -f /etc/dracut.conf.d/99-luks-boot.conf
|
||||
+
|
||||
# Replace the key file path in /etc/crypttab with "/.virtual-root.key"
|
||||
# to avoid errors when unmounting the LUKS partition (bsc#1218181)
|
||||
sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab
|
||||
--
|
||||
2.43.0
|
||||
|
||||
41
fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch
Normal file
41
fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch
Normal file
@@ -0,0 +1,41 @@
|
||||
From 10b76aff260792314002f745915eaf56a60280b0 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Wed, 11 Jun 2025 15:19:56 +0800
|
||||
Subject: [PATCH] firstboot: use the real path to initrd
|
||||
|
||||
When invoking 'lsinitrd' to fetch the LUKS header checksum, 'zstd' may
|
||||
ignore the symlink and 'lsinitrd' returned an empty checksum.
|
||||
|
||||
To avoid the potential error, always use the real path to the initrd
|
||||
file when invoking 'lsinitrd'.
|
||||
|
||||
FIX: bsc#1244323
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
firstboot/fde | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/firstboot/fde b/firstboot/fde
|
||||
index c948e88..1c81edf 100755
|
||||
--- a/firstboot/fde
|
||||
+++ b/firstboot/fde
|
||||
@@ -114,10 +114,14 @@ function fde_setup_encrypted {
|
||||
return 1
|
||||
fi
|
||||
|
||||
+ # bsc#1244323 lsinitrd may not be able to deal with the symlink properly.
|
||||
+ # To avoid the potential error, always use the real path to the initrd.
|
||||
+ sys_initrd="`readlink -f /boot/initrd`"
|
||||
+
|
||||
# KIWI may save sha256sum of the LUKS header in initrd before reencrypting
|
||||
# the root partition. If the checksum differs from the one of the current
|
||||
# LUKS header, the root partition is already reencryted.
|
||||
- luks_hdr_sum_kiwi="`lsinitrd --file root/.luks.header /boot/initrd`"
|
||||
+ luks_hdr_sum_kiwi="`lsinitrd --file root/.luks.header ${sys_initrd}`"
|
||||
if [ "${luks_hdr_sum_kiwi}" != "" ]; then
|
||||
cryptsetup luksHeaderBackup ${luks_dev} --header-backup-file /root/.luks.header
|
||||
luks_hdr_sum_cur="`sha256sum /root/.luks.header | cut -f1 -d' '`"
|
||||
--
|
||||
2.43.0
|
||||
|
||||
47
fde-tools-bsc1246464-use-default-uefi-boot-path.patch
Normal file
47
fde-tools-bsc1246464-use-default-uefi-boot-path.patch
Normal file
@@ -0,0 +1,47 @@
|
||||
From 35d11a160a3d9a736ca0c76a0051b82bba6a6a68 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 22 Jul 2025 10:19:28 +0800
|
||||
Subject: [PATCH] uefi: use the default boot path if no EFI FILE path
|
||||
|
||||
Some boot entries are generated by the firmware automatically, and those
|
||||
boot entries load the default boot path: "\EFI\BOOT\boot*.efi". Tweak
|
||||
uefi_get_current_loader() to use the default EFI boot path as the
|
||||
fallback.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
share/uefi | 16 ++++++++++------
|
||||
1 file changed, 10 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/share/uefi b/share/uefi
|
||||
index 971d7cc..9b625da 100644
|
||||
--- a/share/uefi
|
||||
+++ b/share/uefi
|
||||
@@ -57,14 +57,18 @@ function uefi_get_current_loader {
|
||||
file=$(efibootdump "Boot$entry" | sed 's/.*File(\([^)]*\)).*/\1/;t;d' | tr '\\' /)
|
||||
|
||||
# Some boot setups do not use an EFI path with a file component.
|
||||
- # Our ALP kvm images built with kiwi fall into that category.
|
||||
#
|
||||
- # As a fallback, check if there is exactly one grub entry in /boot/efi,
|
||||
- # and if so, use that.
|
||||
+ # As a fallback, check the default EFI boot path: \EFI\BOOT\boot*.efi
|
||||
if [ -z "$file" -a -d "/boot/efi/EFI" ]; then
|
||||
- set -- /boot/efi/EFI/*/grub.cfg
|
||||
- if [ $# -eq 1 -a -f "$1" ]; then
|
||||
- realpath $1
|
||||
+ arch=$(uname -m)
|
||||
+ if [ x"$arch" = xx86_64 ]; then
|
||||
+ boot_efi=bootx64.efi
|
||||
+ elif [ x"$arch" = xaarch64 ]; then
|
||||
+ boot_efi=bootaa64.efi
|
||||
+ fi
|
||||
+
|
||||
+ if [ -f /boot/efi/EFI/BOOT/$boot_efi ]; then
|
||||
+ realpath "/boot/efi/EFI/BOOT/$boot_efi"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
From 7dd8ab8920806384c01e3765ff2027222ac21d29 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 29 Feb 2024 15:05:35 +0800
|
||||
Subject: [PATCH] Allow RPM_MACRO_DIR to be defined during build time
|
||||
|
||||
The system directory of rpm macro files could be either /etc/rpm
|
||||
or /usr/lib/rpm/macros.d/. This commit allows RPM_MACRO_DIR to be
|
||||
defined during build time, so that the packager can change the variable
|
||||
if necessary.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
Index: fde-tools-0.7.2/Makefile
|
||||
===================================================================
|
||||
--- fde-tools-0.7.2.orig/Makefile
|
||||
+++ fde-tools-0.7.2/Makefile
|
||||
@@ -12,7 +12,7 @@ FDE_CONFIG_DIR = ${SYSCONFDIR}/fde
|
||||
FDE_SHARE_DIR = $(DATADIR)/fde
|
||||
FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot
|
||||
FDE_HELPER_DIR = $(LIBEXECDIR)/fde
|
||||
-RPM_MACRO_DIR = /etc/rpm
|
||||
++RPM_MACRO_DIR ?= /etc/rpm
|
||||
FIDO_LINK = -lfido2 -lcrypto
|
||||
CRPYT_LINK = -lcryptsetup -ljson-c
|
||||
TOOLS = fde-token fdectl-grub-tpm2
|
||||
@@ -1,13 +1,13 @@
|
||||
firstboot/fde | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: fde-tools-0.6.2/firstboot/fde
|
||||
Index: fde-tools-0.7.3/firstboot/fde
|
||||
===================================================================
|
||||
--- fde-tools-0.6.2.orig/firstboot/fde
|
||||
+++ fde-tools-0.6.2/firstboot/fde
|
||||
@@ -285,8 +285,8 @@ function fde_systemd_firstboot {
|
||||
# Get the password that was used during installation.
|
||||
fde_root_passphrase=$(bootloader_get_fde_password)
|
||||
--- fde-tools-0.7.3.orig/firstboot/fde
|
||||
+++ fde-tools-0.7.3/firstboot/fde
|
||||
@@ -342,8 +342,8 @@ function fde_systemd_firstboot {
|
||||
fi
|
||||
|
||||
if [ -z "$fde_root_passphrase" ]; then
|
||||
- display_errorbox "Cannot find the initial FDE password for the root file system"
|
||||
- return 1
|
||||
|
||||
@@ -1,3 +1,110 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 29 07:32:53 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add the missing /var/log/fde (bsc#1247228)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 22 02:55:53 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1246464-use-default-uefi-boot-path.patch to
|
||||
use the default EFI boot path if there is no FILE compoment in
|
||||
in the boot entry (bsc#1246464)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 11 08:25:31 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch to fix the
|
||||
empty LUKS header checksum from lsinitrd (bsc#1244323)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 5 02:58:15 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1243877-firstboot-remove-key-conf.patch to
|
||||
remove the dracut conf for the key file to avoid the error from
|
||||
dracut (bsc#1243877)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 15 02:54:23 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update to version 0.7.3
|
||||
+ Detect the supported RSA key size
|
||||
+ Take snapshot when signing
|
||||
+ Switch to "--target-platform" when available
|
||||
+ Allow RPM_MACRO_DIR to be defined during build time
|
||||
+ Fix naming and disable ccid
|
||||
+ tpm: fix tpm-present with the newer pcr-oracle
|
||||
+ firstboot: make "Pass phrase" mandatory
|
||||
+ firstboot: disable FDE/TPM2 when secure boot is off
|
||||
+ Conditional helper
|
||||
+ firstboot: replace the key file path in crypttab
|
||||
+ firstboot: add more alias bootloader functions
|
||||
+ firstboot: detect the early reencryption
|
||||
- Refresh fde-tools-firstboot-alp-snapshot.patch
|
||||
- Drop merged patches
|
||||
+ fde-tools-bsc1213945-set-rsa-key-size.patch
|
||||
+ fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
|
||||
+ fde-tools-bsc1223002-firstboot-disable-ccid.patch
|
||||
+ fde-tools-bsc1218181-replace-crypttab-key-path.patch
|
||||
+ fde-tools-bsc1220160-conditional-requires.patch
|
||||
+ fde-tools-change-rpm-macro-dir.patch
|
||||
+ fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch
|
||||
+ fde-tools-bsc1222970-firstboot-replace-ALP.patch
|
||||
+ fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
|
||||
+ fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch
|
||||
+ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 14 08:17:56 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch
|
||||
to not skip the encryption process when Secure Boot is off
|
||||
(bsc#1243166)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 11 07:55:45 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch
|
||||
to define non-expanded functions for the firstboot script
|
||||
(bsc#1238593)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 6 12:28:34 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Enable build on loongarch64
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 31 06:40:52 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1218181-replace-crypttab-key-path.patch to
|
||||
change the key path in crypttab to avoid the unexpected error
|
||||
(bsc#1218181)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 7 07:52:30 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update fde-tools-bsc1220160-conditional-requires.patch to
|
||||
check fde-tpm-helper in %post and %posttrans
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 30 06:53:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Fix fde-tools-change-rpm-macro-dir.patch which didn't set
|
||||
RPM_MACRO_DIR correctly
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue May 7 05:53:20 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch
|
||||
to make "pass" mandatory during firstboot (bsc#1223771)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 19 07:46:43 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add patches to adopt the "--target-platform" option when using
|
||||
the newer pcr-oracle (bsc#1218390)
|
||||
+ fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch
|
||||
+ fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 18 05:39:44 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package fde-tools
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -21,7 +21,7 @@
|
||||
%endif
|
||||
|
||||
Name: fde-tools
|
||||
Version: 0.7.2
|
||||
Version: 0.7.3
|
||||
Release: 0
|
||||
Summary: Tools required for Full Disk Encryption
|
||||
License: GPL-2.0-only
|
||||
@@ -30,11 +30,9 @@ URL: https://github.com/openSUSE/fde-tools
|
||||
Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
|
||||
Source1: fde-tools.service
|
||||
Patch0: fde-tools-firstboot-alp-snapshot.patch
|
||||
Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch
|
||||
Patch2: fde-tools-change-rpm-macro-dir.patch
|
||||
Patch3: fde-tools-bsc1220160-conditional-requires.patch
|
||||
Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch
|
||||
Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch
|
||||
Patch1: fde-tools-bsc1243877-firstboot-remove-key-conf.patch
|
||||
Patch2: fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch
|
||||
Patch3: fde-tools-bsc1246464-use-default-uefi-boot-path.patch
|
||||
BuildRequires: help2man
|
||||
BuildRequires: pkgconfig(json-c)
|
||||
BuildRequires: pkgconfig(libcryptsetup)
|
||||
@@ -43,7 +41,7 @@ Requires: cryptsetup
|
||||
Requires: mokutil
|
||||
Requires: pcr-oracle >= 0.4.5
|
||||
Requires: util-linux-systemd
|
||||
ExclusiveArch: aarch64 x86_64 riscv64
|
||||
ExclusiveArch: aarch64 x86_64 riscv64 loongarch64
|
||||
|
||||
%description
|
||||
This package provides several components required to support Full Disk
|
||||
@@ -141,6 +139,7 @@ cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service
|
||||
%{_mandir}/man8/fdectl.8.gz
|
||||
%dir %{_libdir}/cryptsetup/
|
||||
%{_libdir}/cryptsetup/libcryptsetup-token-*.so
|
||||
%dir %attr(750,root,root) %{_var}/log/fde
|
||||
|
||||
%files bash-completion
|
||||
%{_datadir}/bash-completion/completions/fdectl
|
||||
|
||||
Reference in New Issue
Block a user