Support persistent SRK (bsc#1248516)

Read FDE_TPM_PERSISTENT_SRK and make SRK persistent when pcr-oracle
supports the feature.

fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch

@@ -0,0 +1,65 @@
+From 9d15b48478534a9555b1ba17c5e82261385c93df Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 30 Oct 2025 15:40:27 +0800
+Subject: [PATCH] tpm: Support persistent SRK
+
+If pcr-oracle supports persistent SRK and the user assigns the
+persistent handle in the config file, make SRK persistent when sealing
+the disk key.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ share/tpm     | 14 ++++++++++++++
+ sysconfig.fde |  7 +++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/share/tpm b/share/tpm
+index 63a4ae6..d69cf2b 100644
+--- a/share/tpm
++++ b/share/tpm
+@@ -260,6 +260,13 @@ function tpm_seal_key {
+ 	extra_opts="${extra_opts} --rsa-bits ${rsa_size}"
+     fi
+ 
++    if [ -n "$FDE_TPM_PERSISTENT_SRK" ]; then
++	# Check if pcr-oracle supports '--persistent-srk'
++	if ! pcr-oracle --persistent-srk 2>&1 | grep -q "unrecognized option"; then
++	    extra_opts="${extra_opts} --persistent-srk ${FDE_TPM_PERSISTENT_SRK}"
++	fi
++    fi
++
+     local stop_event=$(bootloader_stop_event)
+ 
+     echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2
+@@ -350,6 +357,13 @@ function tpm_seal_secret {
+     # If we are expected to use an authorized policy, seal the secret
+     # against that, using pcr-oracle rather than the tpm2 tools
+     if [ -n "$authorized_policy" ]; then
++	if [ -n "$FDE_TPM_PERSISTENT_SRK" ]; then
++	    # Check if pcr-oracle supports '--persistent-srk'
++	    if ! pcr-oracle --persistent-srk 2>&1 | grep -q "unrecognized option"; then
++		extra_opts="${extra_opts} --persistent-srk ${FDE_TPM_PERSISTENT_SRK}"
++	    fi
++	fi
++
+ 	pcr-oracle ${extra_opts} \
+ 			--authorized-policy "$authorized_policy" \
+ 			--input $secret \
+diff --git a/sysconfig.fde b/sysconfig.fde
+index 741f5b4..0a32b19 100644
+--- a/sysconfig.fde
++++ b/sysconfig.fde
+@@ -41,3 +41,10 @@ FDE_TPM_AUTO_UPDATE="yes"
+ # Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl
+ # to determine the size at runtime
+ FDE_RSA_KEY_SIZE=""
++
++# Specify the TPM persistent handle to store SRK
++# The valid range of this variable is 0x81000000~0x817FFFFF.
++# If this variable is unset, grub2 will generate SRK dynamically.
++# NOTE: The persistent handle will be overwritten. Please make sure that no
++#       other program is using the same handle before setting this variable.
++FDE_TPM_PERSISTENT_SRK=""
+-- 
+2.51.0
+

fde-tools.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Fri Jan 30 06:38:56 UTC 2026 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch to
+  support persistent SRK (bsc#1248516)
+
+-------------------------------------------------------------------
+Wed Dec 31 06:29:41 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add fde-tools.conf to create /var/log/fde with tmpfiles.d
+  (jsc#PED-14754)
+
+-------------------------------------------------------------------
+Thu Dec  4 10:58:50 UTC 2025 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Build with distro flags
+
 -------------------------------------------------------------------
 Tue Jul 29 07:32:53 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
 

fde-tools.conf

@@ -0,0 +1 @@
+d /var/log/fde 0750 root root -

fde-tools.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package fde-tools
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,10 +29,12 @@ Group:          System/Boot
 URL:            https://github.com/openSUSE/fde-tools
 Source:         https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1:        fde-tools.service
+Source2:        fde-tools.conf
 Patch0:         fde-tools-firstboot-alp-snapshot.patch
 Patch1:         fde-tools-bsc1243877-firstboot-remove-key-conf.patch
 Patch2:         fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch
 Patch3:         fde-tools-bsc1246464-use-default-uefi-boot-path.patch
+Patch4:         fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch
 BuildRequires:  help2man
 BuildRequires:  pkgconfig(json-c)
 BuildRequires:  pkgconfig(libcryptsetup)
@@ -91,8 +93,8 @@ update the signature in the sealed key.
 %autosetup -p1
 
 %build
+%set_build_flags
 %make_build \
-	CCFLAGS="%optflags" \
 	LIBDIR="%{_libdir}" \
 	LIBEXECDIR="%{_libexecdir}" \
 	SBINDIR="%{_sbindir}" \
@@ -101,6 +103,7 @@ update the signature in the sealed key.
 	RPM_MACRO_DIR="%{_rpmmacrodir}"
 
 %install
+%set_build_flags
 %make_install \
 	LIBDIR="%{_libdir}" \
 	LIBEXECDIR="%{_libexecdir}" \
@@ -115,12 +118,16 @@ mv %{buildroot}/etc/sysconfig/fde-tools %{buildroot}%{_fillupdir}/sysconfig.fde-
 mkdir -p %{buildroot}%{_unitdir}
 cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service
 
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{S:2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
 %pre
 %service_add_pre fde-tpm-enroll.service
 
 %post
 %service_add_post fde-tpm-enroll.service
 %fillup_and_insserv
+%tmpfiles_create %{name}.conf
 
 %preun
 %service_del_preun fde-tpm-enroll.service
@@ -139,7 +146,7 @@ cp %{S:1} %{buildroot}%{_unitdir}/fde-tpm-enroll.service
 %{_mandir}/man8/fdectl.8.gz
 %dir %{_libdir}/cryptsetup/
 %{_libdir}/cryptsetup/libcryptsetup-token-*.so
-%dir %attr(750,root,root) %{_var}/log/fde
+%{_tmpfilesdir}/%{name}.conf
 
 %files bash-completion
 %{_datadir}/bash-completion/completions/fdectl