Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package disk-encryption-tool for openSUSE:Factory checked in at 2024-08-13 13:22:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old) and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "disk-encryption-tool" Tue Aug 13 13:22:45 2024 rev:8 rq:1193435 version:1+git20240812.fd4668d Changes: -------- --- /work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes 2024-07-08 19:07:17.944630953 +0200 +++ /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.7232/disk-encryption-tool.changes 2024-08-13 13:22:49.817212099 +0200 @@ -1,0 +2,21 @@ +Mon Aug 12 12:59:27 UTC 2024 - apla...@suse.com + +- Update to version 1+git20240812.fd4668d: + * Add %pre(un)/%post(un) calls + +------------------------------------------------------------------- +Mon Aug 12 11:20:56 UTC 2024 - apla...@suse.com + +- Update to version 1+git20240812.9dc5b0c: + * Create initrd if only enrolled by password + * Add enrollment systemd service + * Add initial component with tpm2+pin + * Rename rd.encrypt credential + * Add 'force' in rd.encrypt creds + * Read the password when resizing + * Add .dir-locals.el + * Revert "Start the module after ignition is done" + * Use sdbootutil enroll + * Start the module after ignition is done + +------------------------------------------------------------------- Old: ---- disk-encryption-tool-1+git20240704.5a6539c.obscpio New: ---- disk-encryption-tool-1+git20240812.fd4668d.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ disk-encryption-tool.spec ++++++ --- /var/tmp/diff_new_pack.NSWygW/_old 2024-08-13 13:22:50.857255432 +0200 +++ /var/tmp/diff_new_pack.NSWygW/_new 2024-08-13 13:22:50.861255599 +0200 @@ -28,12 +28,13 @@ %endif Name: disk-encryption-tool -Version: 1+git20240704.5a6539c%{git_version} +Version: 1+git20240812.fd4668d%{git_version} Release: 0 Summary: Tool to reencrypt kiwi raw images License: MIT URL: https://github.com/lnussel/disk-encryption-tool Source: disk-encryption-tool-%{version}.tar +BuildRequires: systemd-rpm-macros Requires: cryptsetup Requires: keyutils Requires: pcr-oracle 
@@ -41,6 +42,8 @@ Requires: tpm2.0-tools Requires: qrencode ExclusiveArch: aarch64 ppc64le riscv64 x86_64 +BuildArch: noarch +%{?systemd_requires} %description Convert a plain text kiwi image into one with LUKS full disk @@ -65,10 +68,25 @@ install -D -m 644 jeos-firstboot-diskencrypt-override.conf \ %{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf install -D -m 644 jeos-firstboot-enroll %buildroot/usr/share/jeos-firstboot/modules/enroll +install -m 755 disk-encryption-tool-enroll %buildroot/usr/bin/disk-encryption-tool-enroll +install -D -m 644 disk-encryption-tool-enroll.service %buildroot/%{_unitdir}/disk-encryption-tool-enroll.service + +%preun +%service_del_preun disk-encryption-tool-enroll.service + +%postun +%service_del_postun disk-encryption-tool-enroll.service + +%pre +%service_add_pre disk-encryption-tool-enroll.service + +%post +%service_add_post disk-encryption-tool-enroll.service %files %license LICENSE /usr/bin/disk-encryption-tool +/usr/bin/disk-encryption-tool-enroll /usr/bin/generate-recovery-key %dir /usr/lib/dracut %dir /usr/lib/dracut/modules.d @@ -78,4 +96,5 @@ /usr/share/jeos-firstboot/modules/enroll %dir /usr/lib/systemd/system/jeos-firstboot.service.d /usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf +%{_unitdir}/disk-encryption-tool-enroll.service ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.NSWygW/_old 2024-08-13 13:22:50.905257432 +0200 +++ /var/tmp/diff_new_pack.NSWygW/_new 2024-08-13 13:22:50.909257599 +0200 
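Review bot: `%service_add_post disk-encryption-tool-enroll.service` in the new `%post` only runs the unit through `systemctl preset`, so on openSUSE it enables nothing unless a preset file covers this unit; `WantedBy=default.target` in the unit by itself does not start it either. If the enrollment is meant to run on first boot, confirm that a `%{_presetdir}` entry or the image build enables the service, otherwise the scriptlets only handle the restart/disable bookkeeping. The `install -m 755 disk-encryption-tool-enroll …` line relies on the `mkdir -p %buildroot/usr/bin` that precedes it, while the `.service` line uses `-D`; `install -D -m 755` for both removes that ordering dependency. The same scriptlets and `%files` entries appear again in the tarball copy of the spec (the hunks at `@@ -64,10 +67,25 @@` and `@@ -77,6 +95,7 @@` further down), so any fix here has to be mirrored there.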
@@ -3,6 +3,6 @@ <param name="url">https://github.com/lnussel/disk-encryption-tool.git</param> <param name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/disk-encryption-tool.git</param> - <param name="changesrevision">5a6539cf2c99215060723662c89ba57752b00ee0</param></service></servicedata> + <param name="changesrevision">fd4668df5b6dd6e7b1efe62257acfdb084d9ea13</param></service></servicedata> (No newline at EOF) ++++++ disk-encryption-tool-1+git20240704.5a6539c.obscpio -> disk-encryption-tool-1+git20240812.fd4668d.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/.dir-locals.el new/disk-encryption-tool-1+git20240812.fd4668d/.dir-locals.el --- old/disk-encryption-tool-1+git20240704.5a6539c/.dir-locals.el 1970-01-01 01:00:00.000000000 +0100 +++ new/disk-encryption-tool-1+git20240812.fd4668d/.dir-locals.el 2024-08-12 14:58:05.000000000 +0200 @@ -0,0 +1 @@ +((sh-mode . ((sh-basic-offset . 8)))) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool --- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool 2024-07-04 08:26:10.000000000 +0200 +++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool 2024-08-12 14:58:05.000000000 +0200 
@@ -367,16 +367,11 @@ encrypt "$@" log_info "grow partition again" -echo ", +" | sfdisk --no-reread -q -N "$partno" "$blkdev" +echo ", +" | sfdisk --no-reread -q -N "$partno" "$blkdev" &> /dev/null if [ -e /etc/initrd-release ]; then # seems to be the only way to tell the kernel about a specific partition change partx -u --nr "$partno" "$blkdev" || : - # now resize the mapping. For some reason cryptsetup wants a passphrase. Hack - # around this by installing a token that makes it read the key we installed - # before, then remove the token again o_O - cryptsetup token add --key-slot 0 --key-description cryptenroll --token-id 9 "$blkpart" - cryptsetup resize "$cr_name" < /dev/null - cryptsetup token remove --token-id 9 "$blkpart" + cryptsetup resize "$cr_name" <<<"$password" fi if [ -z "$mounted" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-dracut new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-dracut --- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-dracut 2024-07-04 08:26:10.000000000 +0200 +++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-dracut 2024-08-12 14:58:05.000000000 +0200 @@ -15,7 +15,7 @@ } encrypt= -if get_credential encrypt rd.encrypt && [ "$encrypt" = "no" ]; then +if get_credential encrypt disk-encryption-tool-dracut.encrypt && [ "$encrypt" = "no" ]; then exit 0 fi @@ -27,7 +27,7 @@ # XXX: this is so dirty systemctl start sysroot.mount mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var -if [ ! -e /sysroot/var/lib/YaST2/reconfig_system ]; then +if [ ! -e /sysroot/var/lib/YaST2/reconfig_system ] && [ "$encrypt" != "force" ]; then echo "system already configured, no encryption" umount /sysroot/var exit 0 
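Review bot: `cryptsetup resize "$cr_name" <<<"$password"` hands the passphrase over through a here-string, which bash materialises as a temporary file on versions before 5.1 (5.1+ uses a pipe only when the input is small), so the passphrase briefly touches the filesystem of the initrd; `printf '%s\n' "$password" | cryptsetup resize "$cr_name"` does the same job without that. `$password` is set outside this hunk, and nothing here checks that it is non-empty, so if the earlier prompt can be skipped the resize fails with an unhelpful cryptsetup message; a `[ -n "$password" ] || die "no passphrase for resize"` guard before the call makes that explicit. The `&> /dev/null` added to the sfdisk pipeline also discards stderr, and the pipeline's status is not checked while the following `partx`/`cryptsetup resize` assume the partition grew; keeping stderr (`> /dev/null` only) or appending `|| die "grow partition failed"` keeps a failed grow visible.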
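Review bot: Renaming the credential to `disk-encryption-tool-dracut.encrypt` without a fallback means an image or provisioning flow that still passes `rd.encrypt=no` silently loses its opt-out: the lookup finds nothing, `$encrypt` stays empty, and the disk is encrypted anyway. If older callers exist, read the old name as a fallback, e.g. `get_credential encrypt disk-encryption-tool-dracut.encrypt; [ -n "$encrypt" ] || get_credential encrypt rd.encrypt`, and keep `rd.encrypt` in the unit's `ImportCredential=` (the hunk at `@@ -26,7 +26,7 @@` below now imports only `disk-encryption-tool-dracut.*`). The new `force` value bypasses both the `reconfig_system` check in this hunk and the ESC prompt in the hunk at `@@ -36,9 +36,12 @@`, so a single credential triggers in-place encryption of an already configured system with no interactive escape; that is presumably the intent, but a comment at the check such as `# "force": encrypt even if the system is already configured and without the ESC prompt` would save the next reader from having to chase the second hunk.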
@@ -36,9 +36,12 @@ # silence systemd kill -SIGRTMIN+21 1 -echo -ne '\n\n\a' -read -n1 -s -r -t 10 -p "*** Press ESC to prevent encrypting the disk" inhibitor -echo +inhibitor= +if [ "$encrypt" != "force" ]; then + echo -ne '\n\n\a' + read -n1 -s -r -t 10 -p "*** Press ESC to prevent encrypting the disk" inhibitor + echo +fi if [ "$inhibitor" != $'\e' ]; then /usr/bin/disk-encryption-tool -v --gen-key || die "Encryption failed" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-dracut.service new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-dracut.service --- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-dracut.service 2024-07-04 08:26:10.000000000 +0200 +++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-dracut.service 2024-08-12 14:58:05.000000000 +0200 @@ -26,7 +26,7 @@ Type=oneshot KeyringMode=shared ExecStart=/usr/bin/disk-encryption-tool-dracut -ImportCredential=rd.encrypt +ImportCredential=disk-encryption-tool-dracut.* [Install] RequiredBy=firstboot.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-enroll new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-enroll --- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-enroll 1970-01-01 01:00:00.000000000 +0100 +++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-enroll 2024-08-12 14:58:05.000000000 +0200 
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+get_credential() {
+ local var="${1:?}"
+ local name="${2:?}"
+ local keyid
+ keyid="$(keyctl id %user:"$name" 2> /dev/null)" || true
+
+ if [ -e "$CREDENTIALS_DIRECTORY/$name" ]; then
+ read -r "$var" < "$CREDENTIALS_DIRECTORY/$name"
+ elif [ -n "$keyid" ]; then
+ read -r "$var" <<< "$(keyctl pipe "$keyid")"
+ fi
+}
+
+have_luks2() {
+ lsblk --noheadings -o PATH,FSTYPE | grep -q crypto_LUKS
+}
+
+write_issue_file() {
+ if [ -e '/usr/sbin/issue-generator' ]; then
+ mkdir -p "/run/issue.d/"
+ issuefile="/run/issue.d/90-diskencrypt.conf"
+ else
+ issuefile='/dev/stdout'
+ fi
+
+ echo -ne "Encryption recovery key:\n " > "$issuefile"
+ keyctl pipe "$crypt_keyid" >> "$issuefile"
+ echo -e "\n" >> "$issuefile"
+ if [ -x /usr/bin/qrencode ]; then
+ echo "You can also scan it with your mobile phone:" >> "$issuefile"
+ keyctl pipe "$crypt_keyid" | qrencode -t utf8i >> "$issuefile"
+ fi
+
+ issue-generator
+ cat "$issuefile"
+}
+
+
+[ ! -e "/var/lib/YaST2/reconfig_system" ] || exit 0
+have_luks2 || exit 0
+crypt_keyid="$(keyctl id %user:cryptenroll 2> /dev/null)" || exit 0
+[ -n "$crypt_keyid" ] || {
+ echo "Recovery key not registered in the keyring. Aborting" > /dev/stderr
+ exit 1
+}
+
+write_issue_file
+
+# Proceed with the enrollment
+
+pw=
+get_credential pw "disk-encryption-tool-enroll.pw"
+
+tpm2_pin=
+get_credential tpm2_pin "disk-encryption-tool-enroll.tpm2+pin"
+
+tpm2=
+get_credential tpm2 "disk-encryption-tool-enroll.tpm2"
+
+fido2=
+get_credential fido2 "disk-encryption-tool-enroll.fido2"
+
+[ -z "$pw" ] || {
+ echo "Enrolling password"
+ extra=
+ if [ -z "$tpm2_pin" ] && [ -z "$tpm2" ] && [ -z "$fido2" ]; then
+ extra="--no-reuse-initrd"
+ fi
+ PW="$pw" sdbootutil enroll --method=password "$extra"
+}
+
+if [ -n "$tpm2_pin" ]; then
+ echo "Enrolling TPM2 with PIN"
+ SDB_ADD_INITIAL_COMPONENT=1 PIN="$crypt_tpm_pin" sdbootutil enroll --method=tpm2+pin
+elif [ -n "$tpm2" ]; then
+ echo "Enrolling TPM2"
+ SDB_ADD_INITIAL_COMPONENT=1 sdbootutil enroll --method=tpm2
+fi
+
+[ -z "$fido2" ] || {
+ echo "Enrolling a FIDO2 key"
+ sdbootutil enroll --method=fido2
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-enroll.service new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-enroll.service
--- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool-enroll.service 1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool-enroll.service 2024-08-12 14:58:05.000000000 +0200
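Review bot: `PIN="$crypt_tpm_pin"` on the tpm2+pin branch names a variable this script never sets; the credential is read into `tpm2_pin` a few lines above, so the PIN handed to sdbootutil is always empty. The line should read `SDB_ADD_INITIAL_COMPONENT=1 PIN="$tpm2_pin" sdbootutil enroll --method=tpm2+pin`. The password branch passes `"$extra"` even when it is empty, so whenever another method follows sdbootutil receives a literal empty argument; `${extra:+"$extra"}` (or an array) avoids that. None of the `sdbootutil enroll` calls are checked and there is no `set -e`, so a failed password or TPM2 enrollment still lets the oneshot unit report success; appending `|| exit 1` to each call, or `set -e` at the top, makes the failure visible to systemd. `write_issue_file` also ends with `cat "$issuefile"`, which under the service goes to the journal, so the recovery key is persisted there in the clear in addition to the console issue file; if only the console display is intended, skip the `cat` when `issue-generator` is used.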
@@ -0,0 +1,16 @@ +[Unit] +Description=Enroll encrypted root disk +DefaultDependencies=false + +After=jeos-firstboot.service +#ConditionPathExists=/var/lib/YaST2/enroll_system + +[Service] +Type=oneshot +RemainAfterExit=yes +KeyringMode=shared +ExecStart=/usr/bin/disk-encryption-tool-enroll +ImportCredential=disk-encryption-tool-enroll.* + +[Install] +WantedBy=default.target \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool.spec new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool.spec --- old/disk-encryption-tool-1+git20240704.5a6539c/disk-encryption-tool.spec 2024-07-04 08:26:10.000000000 +0200 +++ new/disk-encryption-tool-1+git20240812.fd4668d/disk-encryption-tool.spec 2024-08-12 14:58:05.000000000 +0200 @@ -33,6 +33,7 @@ License: MIT URL: https://github.com/lnussel/disk-encryption-tool Source: disk-encryption-tool-%{version}.tar +BuildRequires: systemd-rpm-macros Requires: cryptsetup Requires: keyutils Requires: pcr-oracle @@ -40,6 +41,8 @@ Requires: tpm2.0-tools Requires: qrencode ExclusiveArch: aarch64 ppc64le riscv64 x86_64 +BuildArch: noarch +%{?systemd_requires} %description Convert a plain text kiwi image into one with LUKS full disk @@ -55,7 +58,7 @@ %install mkdir -p %buildroot/usr/lib/dracut/modules.d/95disk-encryption-tool -for i in disk-encryption-tool{,-dracut,-dracut.service} module-setup.sh generate-recovery-key; do +for i in disk-encryption-tool{,-dracut,-dracut.service} module-setup.sh generate-recovery-key; do cp "$i" %buildroot/usr/lib/dracut/modules.d/95disk-encryption-tool/"$i" done mkdir -p %buildroot/usr/bin 
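Review bot: With `#ConditionPathExists=/var/lib/YaST2/enroll_system` commented out and `WantedBy=default.target`, the unit runs on every boot and depends on the script's own early exits (the `reconfig_system` marker and the `cryptenroll` keyring lookup) to stay idle; either re-enable a `ConditionPathExists=` gate or remove the dead line so the intended trigger is explicit. `DefaultDependencies=false` with only `After=jeos-firstboot.service` gives no ordering against `local-fs.target` or `sysinit.target`, and the script writes `/run/issue.d` and probes block devices with `lsblk`, so `After=local-fs.target` is worth adding unless the firstboot ordering already guarantees it. The file is also missing its trailing newline.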
@@ -64,10 +67,25 @@ install -D -m 644 jeos-firstboot-diskencrypt-override.conf \ %{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf install -D -m 644 jeos-firstboot-enroll %buildroot/usr/share/jeos-firstboot/modules/enroll +install -m 755 disk-encryption-tool-enroll %buildroot/usr/bin/disk-encryption-tool-enroll +install -D -m 644 disk-encryption-tool-enroll.service %buildroot/%{_unitdir}/disk-encryption-tool-enroll.service + +%preun +%service_del_preun disk-encryption-tool-enroll.service + +%postun +%service_del_postun disk-encryption-tool-enroll.service + +%pre +%service_add_pre disk-encryption-tool-enroll.service + +%post +%service_add_post disk-encryption-tool-enroll.service %files %license LICENSE /usr/bin/disk-encryption-tool +/usr/bin/disk-encryption-tool-enroll /usr/bin/generate-recovery-key %dir /usr/lib/dracut %dir /usr/lib/dracut/modules.d @@ -77,6 +95,7 @@ /usr/share/jeos-firstboot/modules/enroll %dir /usr/lib/systemd/system/jeos-firstboot.service.d /usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf +%{_unitdir}/disk-encryption-tool-enroll.service %changelog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20240704.5a6539c/jeos-firstboot-enroll new/disk-encryption-tool-1+git20240812.fd4668d/jeos-firstboot-enroll --- old/disk-encryption-tool-1+git20240704.5a6539c/jeos-firstboot-enroll 2024-07-04 08:26:10.000000000 +0200 +++ new/disk-encryption-tool-1+git20240812.fd4668d/jeos-firstboot-enroll 2024-08-12 14:58:05.000000000 +0200 
@@ -11,36 +11,13 @@ luks2_devices=() -# After the enrolling, other tools can find this list in -# /etc/sysconfig/fde-tools -if [ $(sdbootutil bootloader) = "systemd-boot" ]; then - FDE_SEAL_PCR_LIST="0,2,4,7,9" -elif [ $(sdbootutil bootloader) = "grub2" ]; then - FDE_SEAL_PCR_LIST="0,2,4,7,8,9" -else - d --msgbox "Error: Bootloader not detected" 0 0 -fi - -have_luks2() -{ - [ "${#luks2_devices[@]}" -gt 0 ] -} - -detect_luks2() -{ - local dev fstype - [ -z "$luks2_devices" ] || return 0 - while read -r dev fstype; do - [ "$fstype" = 'crypto_LUKS' ] || continue - cryptsetup isLuks --type luks2 "$dev" || continue - luks2_devices+=("$dev") - done < <(lsblk --noheadings -o PATH,FSTYPE) - have_luks2 +have_luks2() { + lsblk --noheadings -o PATH,FSTYPE | grep -q crypto_LUKS } # exit early without defining any helper functions if there are no luks devices -detect_luks2 || return 0 +have_luks2 || return 0 enroll_systemd_firstboot() { [ -e /usr/bin/systemd-cryptenroll ] || return 0 @@ -53,13 +30,7 @@ local has_tpm2= [ -z "$(systemd-cryptenroll --fido2-device=list 2>/dev/null)" ] || has_fido2=1 - if [ -e '/sys/class/tpm/tpm0' ]; then - if have_pcrlock && ! is_pcr_oracle; then - has_tpm2=lock - elif have_pcr_oracle; then - has_tpm2=oracle - fi - fi + [ ! -e '/sys/class/tpm/tpm0' ] || has_tpm2=lock while true; do local list=() 
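Review bot: The new `have_luks2` replaces `detect_luks2`, which verified each device with `cryptsetup isLuks --type luks2`, with `lsblk … | grep -q crypto_LUKS`, so LUKS1 volumes now count as LUKS2 and `luks2_devices=()` in the context line above is no longer filled by anything in this hunk; if `sdbootutil enroll` handles LUKS1 this is fine, otherwise keep the `--type luks2` probe, and drop the array if nothing else in the module reads it. The function is now duplicated byte-for-byte in the new `disk-encryption-tool-enroll` script; a `# keep in sync with disk-encryption-tool-enroll` comment on one of them would at least flag the coupling. The hunk at `@@ -53,13 +30,7 @@` below drops the `pcr-oracle` detection, so `has_tpm2` can only ever be `lock` now, which matches `do_enroll` no longer distinguishing the two.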
@@ -125,104 +96,6 @@ return 0 } -enroll_fido2() { - local dev="$1" - - echo "Enrolling with FIDO2: $dev" - - # The password is read from "cryptenroll" kernel keyring - run systemd-cryptenroll --fido2-device=auto "$dev" -} - -generate_rsa_key() { - [ -z "$dry" ] && mkdir -p /etc/systemd - run pcr-oracle \ - --rsa-generate-key \ - --private-key /etc/systemd/tpm2-pcr-private-key.pem \ - --public-key /etc/systemd/tpm2-pcr-public-key.pem \ - store-public-key -} - -enroll_tpm2_pcr_oracle() { - local dev="$1" - - echo "Enrolling with TPM2 (pcr-oracle): $dev" - - # The password is read from "cryptenroll" kernel keyring - # XXX: Wipe is separated by now (possible systemd bug) - run systemd-cryptenroll \ - --wipe-slot=tpm2 \ - "$dev" - - NEWPIN="$crypt_tpm_pin" run systemd-cryptenroll \ - --tpm2-device=auto \ - "${cryptenroll_tpm_extra_args[@]}" \ - --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \ - --tpm2-public-key-pcrs="$FDE_SEAL_PCR_LIST" \ - "$dev" -} - -enroll_tpm2_pcrlock() { - local dev="$1" - - echo "Enrolling with TPM2 (pcrlock): $dev" - - # The password is read from "cryptenroll" kernel keyring - # XXX: Wipe is separated by now (possible systemd bug) - run systemd-cryptenroll \ - --wipe-slot=tpm2 \ - "$dev" - - # Note that the PCRs are now not stored in the LUKS2 header - NEWPIN="$crypt_tpm_pin" run systemd-cryptenroll \ - --tpm2-device=auto \ - "${cryptenroll_tpm_extra_args[@]}" \ - --tpm2-pcrlock=/var/lib/systemd/pcrlock.json \ - "$dev" -} - -update_crypttab_options() { - # This version will share the same options for all crypto_LUKS - # devices. This imply that all of them will be unlocked by the - # same TPM2, or the same FIDO2 key - local options="$1" - - # TODO: this needs to be unified with disk-encryption-tool - local crypttab - if [ -z "$dry" ]; then - crypttab="$(mktemp -t disk-encryption-tool.crypttab.XXXXXX)" - else - crypttab=/dev/stdout - fi - echo "# File created by jeos-firstboot-enroll. 
Comments will be removed" > "$crypttab" - - local name - local device - local key - local opts - while read -r name device key opts; do - [[ "$name" = \#* ]] && continue - echo "$name $device $key $options" >> "$crypttab" - done < /etc/crypttab - - run mv "$crypttab" /etc/crypttab - run chmod 644 /etc/crypttab -} - -have_pcrlock() { - [ -e /usr/lib/systemd/systemd-pcrlock ] -} - -have_pcr_oracle() { - [ -e /usr/bin/pcr-oracle ] -} - -is_pcr_oracle() { - have_pcr_oracle && \ - [ -e /etc/systemd/tpm2-pcr-public-key.pem ] && \ - [ -e /etc/systemd/tpm2-pcr-private-key.pem ] -} - write_issue_file() { if [ -e '/usr/sbin/issue-generator' ] && [ -z "$dry" ]; then mkdir -p "/run/issue.d/" 
@@ -243,80 +116,32 @@ [ -n "$dry" ] || cat "$issuefile" } -add_password() { - [ -n "$crypt_pw" ] || return 0 - local dev - for dev in "${luks2_devices[@]}"; do - echo "adding password to $dev" - echo -n "$crypt_pw" | run cryptsetup luksAddKey --verbose --batch-mode --force-password --key-file <(keyctl pipe "$crypt_keyid") "$dev" - done -} - enroll_post() { [ -e /usr/bin/systemd-cryptenroll ] || return 0 [ -n "$crypt_keyid" ] || return 0 write_issue_file - - add_password - - enroll_tpm_and_fido + do_enroll } -enroll_tpm_and_fido() { - # For now is a first step before moving into fde-tools - local fde_cfg='/etc/sysconfig/fde-tools' - if [ -e "$fde_cfg" ]; then - . "$fde_cfg" - else - [ -z "$dry" ] || fde_cfg=/dev/stdout - echo "FDE_SEAL_PCR_LIST=${FDE_SEAL_PCR_LIST}" > "$fde_cfg" - fi - - local dev - local fstype - - local crypttab_options="x-initrd.attach" - - # Generate first the crypttab + initrd, so the predictions can be - # done in case of pcrlock - if [ "$with_fido2" = '1' ]; then - crypttab_options+=",fido2-device=auto" - elif [ -n "$with_tpm2" ]; then - crypttab_options+=",tpm2-device=auto" - fi - update_crypttab_options "$crypttab_options" - - if [ "$with_tpm2" = 'oracle' ]; then - generate_rsa_key - else - # sdbootutil will generate predictions for pcrlock - SDB_ADD_INITIAL_COMPONENT=1 run sdbootutil add-all-kernels --no-reuse-initrd - fi +do_enroll() { + [ -z "$crypt_pw" ] || { + extra= + if [ -z "$tpm2_pin" ] && [ -z "$tpm2" ] && [ -z "$fido2" ]; then + extra="--no-reuse-initrd" + fi + PW="$crypt_pw" run sdbootutil enroll --method=password "$extra" + } - if [ "$with_fido2" = '1' ]; then - for dev in "${luks2_devices[@]}"; do - enroll_fido2 "$dev" - done - elif [ -n "$with_tpm2" ]; then + if [ -n "$with_tpm2" ]; then if [ -n "$crypt_tpm_pin" ]; then - # XXX ./src/cryptenroll/cryptenroll-tpm2.c lacks accept cached - #echo -n "$crypt_tpm_pin" | run keyctl padd user tpm2-pin @u - cryptenroll_tpm_extra_args+=(--tpm2-with-pin=1) + SDB_ADD_INITIAL_COMPONENT=1 
PIN="$crypt_tpm_pin" run sdbootutil enroll --method=tpm2+pin + else + SDB_ADD_INITIAL_COMPONENT=1 run sdbootutil enroll --method=tpm2 fi - for dev in "${luks2_devices[@]}"; do - if [ "$with_tpm2" = 'lock' ]; then - enroll_tpm2_pcrlock "$dev" - else - enroll_tpm2_pcr_oracle "$dev" - fi - done fi - if [ "$with_tpm2" = 'oracle' ]; then - # with pcr-oracle we pick up settings from the luks header - run sdbootutil add-all-kernels --no-reuse-initrd - fi + [ -z "$with_fido2" ] || run sdbootutil enroll --method=fido2 } enroll_jeos_config() { @@ -326,8 +151,5 @@ echo -n "$result" | keyctl padd user cryptenroll @u enroll_systemd_firstboot - - add_password - - enroll_tpm_and_fido + do_enroll } ++++++ disk-encryption-tool.obsinfo ++++++ --- /var/tmp/diff_new_pack.NSWygW/_old 2024-08-13 13:22:51.029262599 +0200 +++ /var/tmp/diff_new_pack.NSWygW/_new 2024-08-13 13:22:51.033262765 +0200 @@ -1,5 +1,5 @@ name: disk-encryption-tool -version: 1+git20240704.5a6539c -mtime: 1720074370 -commit: 5a6539cf2c99215060723662c89ba57752b00ee0 +version: 1+git20240812.fd4668d +mtime: 1723467485 +commit: fd4668df5b6dd6e7b1efe62257acfdb084d9ea13
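Review bot: `do_enroll` tests `$tpm2_pin`, `$tpm2` and `$fido2` to decide on `--no-reuse-initrd`, but the rest of the function and the surrounding module use `$crypt_tpm_pin`, `$with_tpm2` and `$with_fido2`; nothing visible in this file sets the three short names (they look copied from `disk-encryption-tool-enroll`), so the condition is presumably always true and the password enrollment always passes `--no-reuse-initrd` even when a TPM2 or FIDO2 enrollment follows. The check should read `if [ -z "$crypt_tpm_pin" ] && [ -z "$with_tpm2" ] && [ -z "$with_fido2" ]; then`. As in the other script, `"$extra"` is passed even when empty, giving sdbootutil a literal empty argument; `${extra:+"$extra"}` avoids that. `extra` is also not declared `local`, unlike the rest of the module's helpers.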