Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2024-09-01 19:20:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.2698 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Sun Sep 1 19:20:58 2024 rev:31 rq:1197874 version:1+git20240830.7f696c8 Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2024-08-30 13:25:59.314411476 +0200 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.2698/sdbootutil.changes 2024-09-01 19:21:08.607319190 +0200 @@ -1,0 +2,11 @@ +Fri Aug 30 13:57:35 UTC 2024 - apla...@suse.com + +- Update to version 1+git20240830.7f696c8: + * Use parameter "snapshot" instead the global one + * Add update-entry and update-all-entries commands + * Generate tpm2 public key before enroll_pcroracle + * Fix function names for enrolling pcr-oracle + * Check if enroll functions worked correctly + * Warn when pcrlock.json or tpm2-pcr-signature.json are missing + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20240829.1b5aa4d.obscpio New: ---- sdbootutil-1+git20240830.7f696c8.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.gLGhiF/_old 2024-09-01 19:21:09.299347522 +0200 +++ /var/tmp/diff_new_pack.gLGhiF/_new 2024-09-01 19:21:09.299347522 +0200 @@ -27,7 +27,7 @@ %define git_version %{nil} %endif Name: sdbootutil -Version: 1+git20240829.1b5aa4d%{git_version} +Version: 1+git20240830.7f696c8%{git_version} Release: 0 Summary: script to install shim with sd-boot License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.gLGhiF/_old 2024-09-01 19:21:09.351349651 +0200 +++ /var/tmp/diff_new_pack.gLGhiF/_new 2024-09-01 19:21:09.355349815 +0200 
@@ -3,6 +3,6 @@ <param name="url">https://github.com/lnussel/sdbootutil.git</param> <param name="changesrevision">708592a5033bb41d14e378172466ae9e90dfb3c4</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">1b5aa4dff0d80c2b6871e3224fb1a5e8eb4d92f8</param></service></servicedata> + <param name="changesrevision">7f696c8465e607a23eb1a7be342f2218bf6e8a51</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20240829.1b5aa4d.obscpio -> sdbootutil-1+git20240830.7f696c8.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20240829.1b5aa4d/sdbootutil new/sdbootutil-1+git20240830.7f696c8/sdbootutil --- old/sdbootutil-1+git20240829.1b5aa4d/sdbootutil 2024-08-29 19:17:34.000000000 +0200 +++ new/sdbootutil-1+git20240830.7f696c8/sdbootutil 2024-08-30 15:56:05.000000000 +0200 @@ -131,6 +131,12 @@ Show fields for an entry with an specified kernel version + update-entry VERSION [SNAPSHOT] + Update "options" field from /etc/cmdline for an entry + + update-all-entries [SNAPSHOT] + Update "options" field from /etc/cmdline for all entries + set-default-snapshot [SNAPSHOT] Make SNAPSHOT the default for next boot. Also install all kernels if needed @@ -827,7 +833,6 @@ log_info "installing $kv" install_kernel "${snapshot}" "$kv" done - } remove_all_kernels() @@ -905,7 +910,7 @@ id="$(entry_conf_file "$kernel_version" "$snapshot")" local conf - conf="$(find_conf_file "${kernel_version}" "${snapshot}")" + conf="$(find_conf_file "$kernel_version" "$snapshot")" [ -z "$verbose" ] || echo -e "ID\t$id" local k 
@@ -1039,6 +1044,54 @@ done } +update_entry_conf() +{ + local conf="$1" + local snapshot="$2" + + local subvol="" + [ -z "$have_snapshots" ] || subvol="${subvol_prefix}/.snapshots/${snapshot}/snapshot" + + local boot_options= + for i in /etc/kernel/cmdline /usr/lib/kernel/cmdline /proc/cmdline; do + [ -f "$i" ] || continue + boot_options="$(sedrootflags "$subvol" < "$i")" + break + done + + cp "$conf" "$tmpdir/entry.conf" + sed -i "s|^options\s*.*$|options $boot_options|g" "$tmpdir/entry.conf" + cp "$tmpdir/entry.conf" "$conf" +} + +update_entry() +{ + local snapshot="$1" + local kernel_version="$2" + + settle_entry_token "${snapshot}" + local id + id="$(entry_conf_file "$kernel_version" "$snapshot")" + + local conf="$(find_conf_file "$kernel_version" "$snapshot")" + [ -f "$conf" ] || return 0 + + echo "Updating $id" + update_entry_conf "$conf" "$snapshot" + + # This action will require to update the PCR predictions + update_predictions=1 +} + +update_all_entries() +{ + local snapshot="$1" + update_entries_for_snapshot "$1" + while read -r conf; do + update_entry_conf "$conf" "$snapshot" + done < <(jq '.[]|.path' < "$entryfile") +} + list_snapshots() { [ -n "$have_snapshots" ] || { log_info "System does not support snapshots."; return 0; } @@ -2101,6 +2154,10 @@ extra_args+=(--tpm2-with-pin=1) fi + if [ ! -f /var/lib/systemd/pcrlock.json ]; then + warn "Could not find /var/lib/systemd/pcrlock.json" + fi + # The password is read from "cryptenroll" kernel keyring # XXX: Wipe is separated by now (possible systemd bug) systemd-cryptenroll \ @@ -2113,6 +2170,9 @@ "${extra_args[@]}" \ --tpm2-pcrlock=/var/lib/systemd/pcrlock.json \ "$dev" + # cryptenroll exits successfully even if the token was not enrolled + # Manually check if the device has a tpm2 slot enrolled + systemd-cryptenroll "$dev" | grep "tpm2" } enroll_pcroracle() 
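Review bot: In update_all_entries the loop input `done < <(jq '.[]|.path' < "$entryfile")` lacks `-r`, so jq prints each path JSON-encoded with its surrounding double quotes and update_entry_conf hands `cp` a name that does not exist; it should read `done < <(jq -r '.[]|.path' < "$entryfile")`. The same function never sets `update_predictions=1`, although update_entry does so with the comment that rewriting the options line requires new PCR predictions, so the bulk path presumably leaves the predictions stale for the rewritten cmdline. In update_entry_conf the cmdline is spliced into a sed replacement, `sed -i "s|^options\s*.*$|options $boot_options|g"`, where an `&`, `|` or `\` in the cmdline corrupts the written entry; passing it out of band avoids that, e.g. `opts="$boot_options" awk '/^options/ { print "options " ENVIRON["opts"]; next } { print }' "$conf" > "$tmpdir/entry.conf"` followed by the existing `cp "$tmpdir/entry.conf" "$conf"`. Lastly, `local conf="$(find_conf_file "$kernel_version" "$snapshot")"` in update_entry masks the helper's exit status, unlike the split `local conf` / `conf="$(…)"` form used by the show-entry code in the hunk at line 905 of this file.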
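Review bot: The success check appended to enroll_pcrlock, `systemd-cryptenroll "$dev" | grep "tpm2"`, accepts any line of the slot listing containing that substring, so a tpm2 token left over from an earlier enrollment (the comment above notes the wipe is a separate step) would also report success, and the matched line is printed to stdout as a side effect. A quiet whole-word match, `systemd-cryptenroll "$dev" | grep -qw tpm2`, is tighter; the same line is added to enroll_pcroracle in the hunk at line 2141 and should change with it. The warn-only checks for pcrlock.json and tpm2-pcr-signature.json added in the hunks at lines 2101 and 2128 still go on to run the enrollment, which reads the password from the keyring, against a file already known to be missing; returning 1 right after the `warn` gives the fallback in the caller the same signal without the extra attempt. enroll_pcrlock begins before this hunk.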
@@ -2128,6 +2188,10 @@ extra_args+=(--tpm2-with-pin=1) fi + if [ ! -f /etc/systemd/tpm2-pcr-signature.json ]; then + warn "Could not find /etc/systemd/tpm2-pcr-signature.json" + fi + # The password is read from "cryptenroll" kernel keyring # XXX: Wipe is separated by now (possible systemd bug) systemd-cryptenroll \ @@ -2141,6 +2205,9 @@ --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \ --tpm2-public-key-pcrs="${FDE_SEAL_PCR_LIST}" \ "$dev" + # cryptenroll exits successfully even if the token was not enrolled + # Manually check if the device has a tpm2 slot enrolled + systemd-cryptenroll "$dev" | grep "tpm2" } enroll_fido2() @@ -2181,11 +2248,14 @@ enroll_pcrlock "$dev" "$pin_or_pw" || { echo "Enrollment with systemd-pcrlock failed" echo "Re-trying with pcr-oracle" - unernroll_pcrlock - enroll_pcr_oracle "$dev" "$pin_or_pw" + unenroll_pcrlock + # this function generates /etc/systemd/tpm2-pcr-public-key.pem + # which is needed by enroll_pcroracle + generate_rsa_key + enroll_pcroracle "$dev" "$pin_or_pw" } elif have_pcr_oracle; then - enroll_pcr_oracle "$dev" "$pin_or_pw" + enroll_pcroracle "$dev" "$pin_or_pw" else log_info "No TMP2 enrollment mechanism found" fi @@ -2449,7 +2519,7 @@ fi case "$1" in - install|needs-update|update|force-update|add-kernel|remove-kernel|set-default-snapshot|add-all-kernels|mkinitrd|remove-all-kernels|is-installed|list-snapshots|list-entries|list-kernels|show-entry|is-bootable|enroll|unenroll|update-predictions|bootloader) ;; + install|needs-update|update|force-update|add-kernel|remove-kernel|set-default-snapshot|add-all-kernels|mkinitrd|remove-all-kernels|is-installed|list-snapshots|list-entries|list-kernels|show-entry|update-entry|update-all-entries|is-bootable|enroll|unenroll|update-predictions|bootloader) ;; kernels|snapshots|entries|"") stty_size; interactive=1 ;; *) err "unknown command $1" ;; esac 
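Review bot: In the fallback block, `unenroll_pcrlock` and the newly added `generate_rsa_key` run unchecked before `enroll_pcroracle "$dev" "$pin_or_pw"`, so if key generation fails the pcr-oracle enrollment proceeds with a missing or stale /etc/systemd/tpm2-pcr-public-key.pem, which the new comment says it depends on, and the failure surfaces only indirectly through the tpm2-slot check at the end of enroll_pcroracle. Guard it, `generate_rsa_key || { echo "Generating the pcr-oracle public key failed"; return 1; }` (adjust `return` if this code is not inside a function), and treat an `unenroll_pcrlock` failure the same way so a half-removed pcrlock token does not coexist with the new one. The `if` that this `elif`/`else`/`fi` belongs to, and the enclosing function, start before this hunk.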
@@ -2554,6 +2624,10 @@
 list_snapshots
 elif [ "$1" = "show-entry" ]; then
 show_entry_fields "${3:-$root_snapshot}" "$2"
+elif [ "$1" = "update-entry" ]; then
+ update_entry "${3:-$root_snapshot}" "$2"
+elif [ "$1" = "update-all-entries" ]; then
+ update_all_entries "${2:-$root_snapshot}"
 elif [ "$1" = "is-bootable" ]; then
 is_bootable "${2:-$root_snapshot}"
 elif [ "$1" = "enroll" ]; then
++++++ sdbootutil.obsinfo ++++++
--- /var/tmp/diff_new_pack.gLGhiF/_old 2024-09-01 19:21:09.491355383 +0200
+++ /var/tmp/diff_new_pack.gLGhiF/_new 2024-09-01 19:21:09.495355547 +0200
@@ -1,5 +1,5 @@
 name: sdbootutil
-version: 1+git20240829.1b5aa4d
-mtime: 1724951854
-commit: 1b5aa4dff0d80c2b6871e3224fb1a5e8eb4d92f8
+version: 1+git20240830.7f696c8
+mtime: 1725026165
+commit: 7f696c8465e607a23eb1a7be342f2218bf6e8a51