Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package disk-encryption-tool for
openSUSE:Factory checked in at 2023-12-15 21:47:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old)
and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "disk-encryption-tool"
Fri Dec 15 21:47:23 2023 rev:2 rq:1133050 version:1+git20231214.1708e01
Changes:
--------
---
/work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes
2023-11-17 20:50:31.083291519 +0100
+++
/work/SRC/openSUSE:Factory/.disk-encryption-tool.new.25432/disk-encryption-tool.changes
2023-12-15 21:47:31.570691649 +0100
@@ -1,0 +2,39 @@
+Thu Dec 14 10:05:42 UTC 2023 - [email protected]
+
+- Update to version 1+git20231214.1708e01:
+ * Add ExclusiveArch for 64-bit EFI architectures
+ * Don't set rw systems ro
+
+-------------------------------------------------------------------
+Wed Dec 13 16:47:45 UTC 2023 - [email protected]
+
+- Update to version 1+git20231213.cfe4cb3:
+ * Drop the second wipe
+ * Comment where to find the PCRs later
+ * Drop pcr-oracle RSA PEM parameter
+ * Include PCR#9 in the predictions
+ * Drop TPM2 from cryptab
+
+-------------------------------------------------------------------
+Mon Dec 11 07:46:39 UTC 2023 - [email protected]
+
+- Update to version 1+git20231130.dac7e54:
+ * Silence shellcheck
+ * Drop TPM2 from crypttab
+
+-------------------------------------------------------------------
+Wed Nov 29 13:55:58 UTC 2023 - [email protected]
+
+- Update to version 1+git20231129.5fb1e1a:
+ * Require tpm2.0-tools
+ * FIDO2 and TPM2 dialog improvements
+ * Fix yesno dialog call o_O
+ * Fix partition resizing on first boot
+ * Add jeos-firstboot-enroll
+ * Requires pcr-enroll
+ * Store generated key as 'cryptenroll' keyring
+ * Update README
+ * Require keyutils
+ * Rename to disk-encryption-tool
+
+-------------------------------------------------------------------
Old:
----
disk-encryption-tool-1+git20231114.702dff6.obscpio
New:
----
disk-encryption-tool-1+git20231214.1708e01.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ disk-encryption-tool.spec ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.338719722 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.338719722 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package aaa_base
+# spec file for package disk-encryption-tool
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,7 @@
#
# icecream 0
+
%if 0%{?_build_in_place}
%define git_version %(git log '-n1' '--date=format:%Y%m%d'
'--no-show-signature' "--pretty=format:+git%cd.%h")
BuildRequires: git-core
@@ -27,7 +28,7 @@
%endif
Name: disk-encryption-tool
-Version: 1+git20231114.702dff6%{git_version}
+Version: 1+git20231214.1708e01%{git_version}
Release: 0
Summary: Tool to reencrypt kiwi raw images
License: MIT
@@ -35,6 +36,10 @@
Source: disk-encryption-tool-%{version}.tar
Requires: cryptsetup
Requires: keyutils
+Requires: pcr-oracle
+# something needs to require it. Can be us.
+Requires: tpm2.0-tools
+ExclusiveArch: aarch64 ppc64le riscv64 x86_64
%description
Convert a plain text kiwi image into one with LUKS full disk
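Review bot: The new `jeos-firstboot-enroll` module shipped by this version calls `sdbootutil add-all-kernels --no-reuse-initrd` unconditionally (and `systemd-cryptenroll` behind an existence check), but neither is pulled in by the new `Requires:` lines, so on a system without sdbootutil the enroll step fails after /etc/crypttab has already been rewritten. I'd add `Requires: sdbootutil` (or `Recommends: sdbootutil` plus a `command -v sdbootutil` guard in the module) next to `Requires: tpm2.0-tools`. Separately, the changelog describes the new `ExclusiveArch` as the 64-bit EFI architectures, yet the list includes ppc64le, which as far as I know does not boot via EFI firmware — worth confirming that entry is intended.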
@@ -59,6 +64,7 @@
install -D -m 644 jeos-firstboot-diskencrypt-override.conf \
%{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
install -D -m 644 jeos-firstboot-diskencrypt
%buildroot/usr/share/jeos-firstboot/modules/diskencrypt
+install -D -m 644 jeos-firstboot-enroll
%buildroot/usr/share/jeos-firstboot/modules/enroll
%files
%license LICENSE
@@ -70,6 +76,7 @@
%dir /usr/share/jeos-firstboot
%dir /usr/share/jeos-firstboot/modules
/usr/share/jeos-firstboot/modules/diskencrypt
+/usr/share/jeos-firstboot/modules/enroll
%dir /usr/lib/systemd/system/jeos-firstboot.service.d
/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
++++++ _service ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.362720599 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.366720746 +0100
@@ -1,7 +1,7 @@
<services>
<service name="obs_scm" mode="manual">
<param name="scm">git</param>
- <param
name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
+ <param
name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
<param name="revision">master</param>
<param name="versionformat">1+git%cd.%h</param>
<param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.382721330 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.386721477 +0100
@@ -1,6 +1,8 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
- <param
name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service></servicedata>
+ <param
name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service
name="tar_scm">
+ <param
name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
+ <param
name="changesrevision">1708e014184aba1d69c3294a990594a35abbe71c</param></service></servicedata>
(No newline at EOF)
++++++ disk-encryption-tool-1+git20231114.702dff6.obscpio ->
disk-encryption-tool-1+git20231214.1708e01.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/README.md
new/disk-encryption-tool-1+git20231214.1708e01/README.md
--- old/disk-encryption-tool-1+git20231114.702dff6/README.md 2023-11-14
17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/README.md 2023-12-14
11:04:59.000000000 +0100
@@ -1,23 +1,36 @@
-Convert a plain text kiwi image into one with LUKS full disk
-encryption. Supports both raw and qcow2 images. It assumes that the
-third partition is the root fs using btrfs.
-After encrypting the disk, the fs is mounted and a new initrd
-created as well as the grub2 config adjusted.
-
-The script can either encrypt the image directly, or alternatively
-add code to the initrd of the image. In the latter case the image
-would encrypt itself on first boot.
+Tool to turn a plain text image into one using LUKS full disk
+encryption. There are three modes:
-Example to encrypt an image:
+* Directly encrypt a disk image on a host system. The image can then
+ be deployed somewhere else
+* Prime a disk image by adding code to the initrd of the image that
+ encrypts the image on first boot
+* Include the initrd code already when building an image. The image
+ would then encrypt itself on first boot.
+
+In general the tool is developed with [kiwi](https://github.com/OSInside/kiwi)
+in mind. It assumes that the image contains a single root fs using btrfs in the
+third partition. Both grub2 and systemd-boot are supported. The tool generates
+a
+
+Example to directly encrypt an image:
disk-encryption-tool -v SLE-Micro.x86_64-5.4.0-Default-GM.raw
-Example to encrypt on first boot:
+Example to prime a plain text image to encrypt on first boot:
disk-encryption-tool -v --prime SLE-Micro.x86_64-5.4.0-Default-GM.raw
+
+When run on first boot the tool integrates with
+[jeos-firstboot](https://github.com/openSUSE/jeos-firstboot/). The encryption
+in initrd deploys an automatically generated recovery key, compatible with
+[systemd-cryptenroll](https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll.html).
+Later in the real root a jeos-firsboot module then offers to deploy
+either the root password or another custom passphrase as well.
+
Parameters for cryptsetup-reencrypt(8) can be passed via
-/etc/encrypt_options. One option per line, e.g.
+`/etc/encrypt_options`. One option per line, e.g.
--type=luks1
--iter-time=2000
@@ -28,7 +41,7 @@
#!/bin/bash
# combustion: encrypt
if [ "$1" = "--encrypt" ]; then
- echo 12345 | disk-encryption-tool -v
+ echo 12345 | disk-encryption-tool -v --gen-key
else
echo root:12345 | chpasswd
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool
new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool
--- old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool
2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool
2023-12-14 11:04:59.000000000 +0100
@@ -208,6 +208,9 @@
make_rw()
{
+ local prop
+ read -r prop < <(btrfs prop get -t s "$mp" ro)
+ [ "$prop" = "ro=true" ] || return 0
log_info "switch to rw"
btrfs prop set -t s "$mp" ro false
switched_rw=1
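Review bot: A failed `btrfs prop get` is indistinguishable from `ro=false` in the new guard — `read` leaves `prop` empty, the function returns 0 without switching, and the write that follows fails with a less obvious error. Consider reporting the lookup failure, e.g. `read -r prop < <(btrfs prop get -t s "$mp" ro) || warn "cannot read ro property of $mp"`, so the log shows why the switch was skipped. make_rw's body continues outside the hunk.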
@@ -355,7 +358,9 @@
if [ -n "$gen_key" ]; then
read -r password < <(generate-recovery-key)
echo -e "Recovery key: \e[1m$password\e[m"
- read -r key_id < <(echo -n "$password" | keyctl padd user
disk-encryption-tool-recovery-key @u)
+ if [ -e /etc/initrd-release ]; then
+ read -r key_id < <(echo -n "$password" | keyctl padd user
cryptenroll @u)
+ fi
fi
echo "Encrypting..."
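Review bot: The generated recovery key is stored in root's user keyring under the well-known name `cryptenroll` with no expiry, and nothing in this hunk removes it again, so the LUKS passphrase stays readable by any root process via `keyctl print` for the rest of the boot unless the firstboot modules unlink it (I cannot see that here). If no later consumer unlinks it, consider `keyctl timeout "$key_id" <seconds>` after the `padd`, or an explicit `keyctl unlink "$key_id" @u` once the last consumer has run. Also, `key_id` is now only assigned inside the initrd branch; if the rest of the script reads it outside the initrd it will be empty. The surrounding code is not in the hunk.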
@@ -363,6 +368,16 @@
log_info "grow partition again"
echo ", +" | sfdisk --no-reread -q -N "$partno" "$blkdev"
+if [ -e /etc/initrd-release ]; then
+ # seems to be the only way to tell the kernel about a specific
partition change
+ partx -u --nr "$partno" "$blkdev" || :
+ # now resize the mapping. For some reason cryptsetup wants a
passphrase. Hack
+ # around this by installing a token that makes it read the key we
installed
+ # before, then remove the token again o_O
+ cryptsetup token add --key-slot 0 --key-description cryptenroll
--token-id 9 "$blkpart"
+ cryptsetup resize "$cr_name" < /dev/null
+ cryptsetup token remove --token-id 9 "$blkpart"
+fi
if [ -z "$mounted" ]; then
mount -o rw "$cr_dev" "/mnt"
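Review bot: If `cryptsetup resize` fails (or the script aborts on it), the temporary keyring token added with `--token-id 9` is left in the LUKS header, and a re-run will then fail at `token add` because that id is already taken. I'd make the removal unconditional and carry the status: `cryptsetup resize "$cr_name" < /dev/null; rc=$?`, then `cryptsetup token remove --token-id 9 "$blkpart"`, then fail the script if `$rc` is non-zero (or run the removal from an EXIT trap). A hard-coded token id can also collide with a token already present on the image; checking `cryptsetup luksDump` for a free id first would avoid that. The `partx -u ... || :` silently ignores a failure, which may be intentional but deserves a word in the comment.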
@@ -383,13 +398,13 @@
make_rw
-crypttab_options="x-initrd.attach"
-# this triggers dracut to add tpm2 code. should actually look at tokens
-if [ -e "/sys/class/tpm/tpm0" ]; then
- crypttab_options+=",tpm2-device=auto"
-fi
+declare loop_UUID
eval "$(blkid -c /dev/null -o export "$blkpart"|sed 's/^/loop_/')"
-echo "$cr_name /dev/disk/by-uuid/$loop_UUID none $crypttab_options" >
"$mp"/etc/crypttab
+if [ -n "$loop_UUID" ]; then
+ echo "$cr_name /dev/disk/by-uuid/$loop_UUID none x-initrd.attach" >
"$mp"/etc/crypttab
+else
+ warn "Can't determine device UUID. Can't generate crypttab"
+fi
mountstuff
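Review bot: When `loop_UUID` comes back empty the new branch only warns and then falls through to `mountstuff` and the rest of the script, so an image is produced with no crypttab entry for the root device; unless `warn` aborts (not visible here), that looks like it should be fatal rather than a warning. Something like `warn "Can't determine device UUID. Can't generate crypttab"; exit 1` (or the script's error helper) would surface the failure at build time rather than at first boot. `loop_UUID` is populated via `eval` of `blkid -o export` output on the context line above; that is existing code, but a short comment noting that the export format is shell-safe would reassure readers.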
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool-dracut.service
new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service
---
old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool-dracut.service
2023-11-14 17:06:49.000000000 +0100
+++
new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service
2023-12-14 11:04:59.000000000 +0100
@@ -29,6 +29,7 @@
[Service]
Type=oneshot
+KeyringMode=shared
ExecStart=/usr/bin/disk-encryption-tool-dracut
[Install]
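Review bot: `KeyringMode=shared` deserves a comment explaining why it is needed, since it changes which kernel keyring the unit and everything it spawns attaches to; from the sibling change I infer it is there so the recovery key that `disk-encryption-tool` adds with `keyctl padd user cryptenroll @u` remains reachable by the jeos-firstboot modules later in the boot, but that is not stated anywhere. Suggested comment above the line: `# The recovery key is stashed in root's user keyring for jeos-firstboot; keep the shared keyring so it survives this unit`. The `[Service]` section is fully visible here, but the rest of the unit is not.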
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool.spec
new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool.spec
--- old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool.spec
2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool.spec
2023-12-14 11:04:59.000000000 +0100
@@ -35,6 +35,10 @@
Source: disk-encryption-tool-%{version}.tar
Requires: cryptsetup
Requires: keyutils
+Requires: pcr-oracle
+# something needs to require it. Can be us.
+Requires: tpm2.0-tools
+ExclusiveArch: aarch64 ppc64le riscv64 x86_64
%description
Convert a plain text kiwi image into one with LUKS full disk
@@ -59,6 +63,7 @@
install -D -m 644 jeos-firstboot-diskencrypt-override.conf \
%{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
install -D -m 644 jeos-firstboot-diskencrypt
%buildroot/usr/share/jeos-firstboot/modules/diskencrypt
+install -D -m 644 jeos-firstboot-enroll
%buildroot/usr/share/jeos-firstboot/modules/enroll
%files
%license LICENSE
@@ -70,6 +75,7 @@
%dir /usr/share/jeos-firstboot
%dir /usr/share/jeos-firstboot/modules
/usr/share/jeos-firstboot/modules/diskencrypt
+/usr/share/jeos-firstboot/modules/enroll
%dir /usr/lib/systemd/system/jeos-firstboot.service.d
/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-diskencrypt
new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt
--- old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-diskencrypt
2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt
2023-12-14 11:04:59.000000000 +0100
@@ -5,7 +5,7 @@
crypt_devs=()
diskencrypt_systemd_firstboot() {
- crypt_keyid="$(keyctl search @u user disk-encryption-tool-recovery-key)"
+ crypt_keyid="$(keyctl id %user:cryptenroll)"
[ -n "$crypt_keyid" ] || return 0
local dev
while read -r dev fstype; do
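Review bot: `keyctl id %user:cryptenroll` prints an error on stderr when the key does not exist (the normal case on a system that was not encrypted in the initrd), so the firstboot console gets a spurious `Required key not available` line before the module returns 0 — unless keyctl is silent in that mode, which I have not verified. Redirecting it, `crypt_keyid="$(keyctl id %user:cryptenroll 2>/dev/null)"`, keeps the early return quiet. The old `keyctl search` form had the same behaviour, so this is not a regression. `diskencrypt_systemd_firstboot` continues outside the hunk.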
@@ -18,7 +18,7 @@
return 0
fi
- if [ -n "$password" ] && d --yesno $"Use root password as encryption
password?" 0 0; then
+ if [ -n "$password" ] && dialog $dialog_alternate_screen --backtitle
"$PRETTY_NAME" --yesno $"Use root password as encryption password?" 0 0; then
crypt_pw="$password"
else
while true; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-enroll
new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-enroll
1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll
2023-12-14 11:04:59.000000000 +0100
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+crypt_keyid=""
+with_fido2=
+with_tpm2=
+
+# After the enrolling, other tools can find this list in the LUKS
+# header
+pcrs="0,2,4,7,9"
+
+enroll_systemd_firstboot() {
+ crypt_keyid="$(keyctl id %user:cryptenroll)"
+ [ -n "$crypt_keyid" ] || return 0
+ [ -e /usr/bin/systemd-cryptenroll ] || return 0
+
+ local has_fido2=${JEOS_HAS_FIDO2:-}
+ local has_tpm2=
+
+ [ -z "$(systemd-cryptenroll --fido2-device=list 2>/dev/null)" ] ||
has_fido2=1
+ [ -e '/sys/class/tpm/tpm0' ] && has_tpm2=1
+
+ # For now seems that if a FIDO2 key is enrolled, it will take
+ # precedence over the TPM2 and the key will be asked to be present
+ # in subsequent boots.
+ if [ "$has_fido2" = '1' ] && [ "$has_tpm2" = '1' ]; then
+ local list=('FIDO2' 'FIDO2' 'TPM2' 'TPM2' 'none' $"Skip")
+ d --no-tags --default-item 'FIDO2' --menu $"Select unlock device" 0 0
"$(menuheight ${#list[@]})" "${list[@]}"
+ [ "$result" = 'FIDO2' ] && with_fido2=1
+ [ "$result" = 'TPM2' ] && with_tpm2=1
+ elif [ "$has_fido2" ]; then
+ dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno
$"Unlock encrypted disk via FIDO2 token?" 0 0 && with_fido2=1
+ elif [ "$has_tpm2" ]; then
+ dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno
$"Unlock encrypted disk via TPM?" 0 0 && with_tpm2=1
+ fi
+ return 0
+}
+
+enroll_fido2() {
+ local dev="$1"
+
+ echo "Enrolling with FIDO2: $dev"
+
+ # The password is read from "cryptenroll" kernel keyring
+ run systemd-cryptenroll --fido2-device=auto "$dev"
+}
+
+generate_key() {
+ [ -z "$dry" ] && mkdir -p /etc/systemd
+ run pcr-oracle \
+ --rsa-generate-key \
+ --private-key /etc/systemd/tpm2-pcr-private-key.pem \
+ --public-key /etc/systemd/tpm2-pcr-public-key.pem \
+ store-public-key
+}
+
+enroll_tpm2() {
+ local dev="$1"
+
+ echo "Enrolling with TPM2: $dev"
+
+ # The password is read from "cryptenroll" kernel keyring
+ # XXX: Wipe is separated by now (possible systemd bug)
+ run systemd-cryptenroll \
+ --wipe-slot=tpm2 \
+ "$dev"
+
+ run systemd-cryptenroll \
+ --tpm2-device=auto \
+ --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
+ --tpm2-public-key-pcrs="$pcrs" \
+ "$dev"
+}
+
+update_crypttab_options() {
+ # This version will share the same options for all crypto_LUKS
+ # devices. This imply that all of them will be unlocked by the
+ # same TPM2, or the same FIDO2 key
+ local options="$1"
+
+ # TODO: this needs to be unified with disk-encryption-tool
+ local crypttab
+ if [ -z "$dry" ]; then
+ crypttab="$(mktemp -t disk-encryption-tool.crypttab.XXXXXX)"
+ else
+ crypttab=/dev/stdout
+ fi
+ echo "# File created by jeos-firstboot-enroll. Comments will be removed"
> "$crypttab"
+
+ local name
+ local device
+ local key
+ local opts
+ while read -r name device key opts; do
+ [[ "$name" = \#* ]] && continue
+ echo "$name $device $key $options" >> "$crypttab"
+ done < /etc/crypttab
+
+ run mv "$crypttab" /etc/crypttab
+ run chmod 644 /etc/crypttab
+}
+
+enroll_post() {
+ [ -n "$crypt_keyid" ] || return 0
+ [ -e /usr/bin/systemd-cryptenroll ] || return 0
+
+ local dev
+ local fstype
+ if [ -z "$crypt_devs" ]; then
+ while read -r dev fstype; do
+ [ "$fstype" = 'crypto_LUKS' ] || continue
+ crypt_devs+=("$dev")
+ done < <(lsblk --noheadings -o PATH,FSTYPE)
+ fi
+
+ crypttab_options="x-initrd.attach"
+
+ if [ "$with_fido2" = '1' ]; then
+ for dev in "${crypt_devs[@]}"; do
+ enroll_fido2 "$dev"
+ done
+ crypttab_options+=",fido2-device=auto"
+ fi
+
+ if [ "$with_tpm2" = '1' ]; then
+ generate_key
+
+ for dev in "${crypt_devs[@]}"; do
+ enroll_tpm2 "$dev"
+ done
+ crypttab_options+=",tpm2-device=auto"
+ fi
+
+ update_crypttab_options "$crypttab_options"
+
+ run sdbootutil add-all-kernels --no-reuse-initrd
+}
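Review bot: `generate_key` writes the RSA private key that signs the PCR policies to `/etc/systemd/tpm2-pcr-private-key.pem` without controlling its mode; anyone who can read that file can sign a policy for arbitrary PCR values, which defeats the measured-boot binding of the TPM2 slot, so it should be created 0600 unless pcr-oracle already does that (I cannot tell from here). `( umask 077; run pcr-oracle ... store-public-key )`, or `[ -n "$dry" ] || chmod 0600 /etc/systemd/tpm2-pcr-private-key.pem` right after the call, would pin it. Two smaller points in `enroll_post`: `[ -z "$crypt_devs" ]` only inspects element 0 of the array — `[ "${#crypt_devs[@]}" -eq 0 ]` is the intended test — and the `cryptenroll` keyring entry holding the recovery passphrase is never unlinked after enrollment, so it stays readable by root via `keyctl` until reboot. Also note `update_crypttab_options` replaces the whole options column with `$options`, so any option already present in /etc/crypttab beyond `x-initrd.attach` is silently dropped; the header comment should say so or the old options should be merged.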
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231114.702dff6/module-setup.sh
new/disk-encryption-tool-1+git20231214.1708e01/module-setup.sh
--- old/disk-encryption-tool-1+git20231114.702dff6/module-setup.sh
2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/module-setup.sh
2023-12-14 11:04:59.000000000 +0100
@@ -15,7 +15,7 @@
# called by dracut
install() {
inst_multiple -o cryptsetup-reencrypt
- inst_multiple cryptsetup btrfs mktemp getopt mountpoint findmnt sfdisk
tac sed hexdump keyctl
+ inst_multiple cryptsetup btrfs mktemp getopt mountpoint findmnt sfdisk
tac sed hexdump keyctl partx
inst_script "$moddir"/disk-encryption-tool /usr/bin/disk-encryption-tool
inst_script "$moddir"/disk-encryption-tool-dracut
/usr/bin/disk-encryption-tool-dracut
++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.466724400 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.470724547 +0100
@@ -1,5 +1,5 @@
name: disk-encryption-tool
-version: 1+git20231114.702dff6
-mtime: 1699978009
-commit: 702dff62d37b74244b58b41f78b41cd2befe581b
+version: 1+git20231214.1708e01
+mtime: 1702548299
+commit: 1708e014184aba1d69c3294a990594a35abbe71c