Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2025-05-20 09:31:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Tue May 20 09:31:12 2025 rev:27 rq:1277521 version:0.7.3 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2025-03-11 20:42:49.091931267 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.30101/fde-tools.changes 2025-05-20 09:31:18.688255854 +0200 
@@ -1,0 +2,37 @@ +Thu May 15 02:54:23 UTC 2025 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to version 0.7.3 + + Detect the supported RSA key size + + Take snapshot when signing + + Switch to "--target-platform" when available + + Allow RPM_MACRO_DIR to be defined during build time + + Fix naming and disable ccid + + tpm: fix tpm-present with the newer pcr-oracle + + firstboot: make "Pass phrase" mandatory + + firstboot: disable FDE/TPM2 when secure boot is off + + Conditional helper + + firstboot: replace the key file path in crypttab + + firstboot: add more alias bootloader functions + + firstboot: detect the early reencryption +- Refresh fde-tools-firstboot-alp-snapshot.patch +- Drop merged patches + + fde-tools-bsc1213945-set-rsa-key-size.patch + + fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch + + fde-tools-bsc1223002-firstboot-disable-ccid.patch + + fde-tools-bsc1218181-replace-crypttab-key-path.patch + + fde-tools-bsc1220160-conditional-requires.patch + + fde-tools-change-rpm-macro-dir.patch + + fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch + + fde-tools-bsc1222970-firstboot-replace-ALP.patch + + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + + fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch + + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch + +------------------------------------------------------------------- +Wed May 14 08:17:56 UTC 2025 - Gary Ching-Pang Lin <g...@suse.com> + +- Add fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch + to not skip the encryption process when Secure Boot is off + (bsc#1243166) + +------------------------------------------------------------------- Old: ---- fde-tools-0.7.2.tar.bz2 fde-tools-bsc1213945-set-rsa-key-size.patch fde-tools-bsc1218181-replace-crypttab-key-path.patch fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch 
fde-tools-bsc1220160-conditional-requires.patch fde-tools-bsc1222970-firstboot-replace-ALP.patch fde-tools-bsc1223002-firstboot-disable-ccid.patch fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch fde-tools-change-rpm-macro-dir.patch New: ---- fde-tools-0.7.3.tar.bz2 BETA DEBUG BEGIN: Old:- Drop merged patches + fde-tools-bsc1213945-set-rsa-key-size.patch + fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch Old: + fde-tools-bsc1223002-firstboot-disable-ccid.patch + fde-tools-bsc1218181-replace-crypttab-key-path.patch + fde-tools-bsc1220160-conditional-requires.patch Old: + fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch Old: + fde-tools-bsc1222970-firstboot-replace-ALP.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch Old: + fde-tools-bsc1218181-replace-crypttab-key-path.patch + fde-tools-bsc1220160-conditional-requires.patch + fde-tools-change-rpm-macro-dir.patch Old: + fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch + fde-tools-bsc1222970-firstboot-replace-ALP.patch + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch Old: + fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch + fde-tools-bsc1223002-firstboot-disable-ccid.patch + fde-tools-bsc1218181-replace-crypttab-key-path.patch Old: + fde-tools-bsc1213945-set-rsa-key-size.patch + fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch + fde-tools-bsc1223002-firstboot-disable-ccid.patch Old: + fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch + fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch + fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch Old: + fde-tools-bsc1220160-conditional-requires.patch + fde-tools-change-rpm-macro-dir.patch + 
fde-tools-bsc1243166-firstboot-disable-tpm2-when-sb-is-off.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.m1msfN/_old 2025-05-20 09:31:19.196276756 +0200 +++ /var/tmp/diff_new_pack.m1msfN/_new 2025-05-20 09:31:19.200276921 +0200 @@ -21,7 +21,7 @@ %endif Name: fde-tools -Version: 0.7.2 +Version: 0.7.3 Release: 0 Summary: Tools required for Full Disk Encryption License: GPL-2.0-only @@ -30,16 +30,6 @@ Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source1: fde-tools.service Patch0: fde-tools-firstboot-alp-snapshot.patch -Patch1: fde-tools-bsc1213945-set-rsa-key-size.patch -Patch2: fde-tools-change-rpm-macro-dir.patch -Patch3: fde-tools-bsc1220160-conditional-requires.patch -Patch4: fde-tools-bsc1222970-firstboot-replace-ALP.patch -Patch5: fde-tools-bsc1223002-firstboot-disable-ccid.patch -Patch6: fde-tools-bsc1218390-Switch-to-target-platform-when-available.patch -Patch7: fde-tools-bsc1218390-fix-tpm-present-with-the-newer-pcr-oracle.patch -Patch8: fde-tools-bsc1223771-firstboot-make-Pass-phrase-mandatory.patch -Patch9: fde-tools-bsc1218181-replace-crypttab-key-path.patch -Patch10: fde-tools-bsc1238593-firstboot-more-bootloader-functions.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++++++ fde-tools-0.7.2.tar.bz2 -> fde-tools-0.7.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/Makefile new/fde-tools-0.7.3/Makefile --- old/fde-tools-0.7.2/Makefile 2023-09-19 07:52:51.927609722 +0200 +++ new/fde-tools-0.7.3/Makefile 2025-05-14 09:25:32.483540754 +0200 
@@ -7,12 +7,14 @@ SBINDIR ?= /usr/sbin DATADIR ?= /usr/share SYSCONFDIR ?= /etc +LOCALSTATEDIR ?= /var SYSCONFIGDIR = $(SYSCONFDIR)/sysconfig FDE_CONFIG_DIR = ${SYSCONFDIR}/fde FDE_SHARE_DIR = $(DATADIR)/fde FIRSTBOOTDIR = $(DATADIR)/jeos-firstboot FDE_HELPER_DIR = $(LIBEXECDIR)/fde -RPM_MACRO_DIR = /etc/rpm +FDE_LOG_DIR = $(LOCALSTATEDIR)/log/fde +RPM_MACRO_DIR ?= /etc/rpm FIDO_LINK = -lfido2 -lcrypto CRPYT_LINK = -lcryptsetup -ljson-c TOOLS = fde-token fdectl-grub-tpm2 @@ -38,7 +40,8 @@ commands/tpm-disable \ commands/tpm-authorize \ commands/tpm-present \ - commands/tpm-wipe + commands/tpm-wipe \ + commands/tpm-inspect _LIBSCRIPTS = $(addprefix share/,$(LIBSCRIPTS)) @@ -74,6 +77,7 @@ @mkdir -p $(DESTDIR)$(SBINDIR) @install -m 555 -v fde.sh $(DESTDIR)$(SBINDIR)/fdectl @install -m 755 -v -d $(DESTDIR)$(FDE_CONFIG_DIR) + @install -m 755 -v -d $(DESTDIR)$(FDE_LOG_DIR) $(SUBDIRS): $(MAKE) -C $@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/fde.sh new/fde-tools-0.7.3/fde.sh --- old/fde-tools-0.7.2/fde.sh 2023-11-01 08:18:03.416914490 +0100 +++ new/fde-tools-0.7.3/fde.sh 2025-05-15 04:36:45.448329189 +0200 @@ -22,7 +22,7 @@ : ${SHAREDIR:=/usr/share/fde} -version=0.7.2 +version=0.7.3 opt_bootloader=grub2 opt_uefi_bootdir="" @@ -196,6 +196,7 @@ fi FDE_CONFIG_DIR=/etc/fde +FDE_LOG_DIR=/var/log/fde . /etc/sysconfig/fde-tools . "$SHAREDIR/ui/$opt_ui" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/firstboot/fde new/fde-tools-0.7.3/firstboot/fde --- old/fde-tools-0.7.2/firstboot/fde 2023-09-07 08:05:01.314932675 +0200 +++ new/fde-tools-0.7.3/firstboot/fde 2025-05-15 04:22:23.193426205 +0200 
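Review bot: `FDE_LOG_DIR=/var/log/fde` in the fde.sh hunk is hard-coded while the Makefile hunks on the same line introduce `LOCALSTATEDIR ?= /var` and create `$(LOCALSTATEDIR)/log/fde`, so a build with a non-default LOCALSTATEDIR installs one directory and the scripts write to another. The neighbouring `FDE_CONFIG_DIR=/etc/fde` follows the same fixed-path pattern, so this may be accepted practice here; if so a comment such as `# Must stay in sync with FDE_LOG_DIR in the Makefile` would at least record the coupling. Because the assignment precedes `. /etc/sysconfig/fde-tools`, a value from sysconfig overrides it, which is worth saying in the same comment. The enclosing code continues outside the hunk.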
@@ -37,6 +37,7 @@ # Values and locations used by KIWI ################################################################## KIWI_ROOT_KEYFILE=/root/.root.keyfile +KIWI_REENCRYPTION_KEYFILE=/run/.kiwi_reencrypt.keyfile ################################################################## # Aliases are not expanded in non-interactive mode. @@ -51,6 +52,18 @@ grub_get_fde_password "$@" } +function bootloader_platform_parameters { + grub_platform_parameters +} + +function bootloader_rsa_sizes { + grub_rsa_sizes +} + +function bootloader_stop_event { + grub_stop_event +} + ################################################################## # FDE Firstboot functions ################################################################## @@ -74,6 +87,8 @@ with_tpm=false with_ccid=false + is_reencrypted=false + for method in $FDE_PROTECTION; do case $method in pass) with_pass=true;; @@ -99,6 +114,20 @@ return 1 fi + # KIWI may save sha256sum of the LUKS header in initrd before reencrypting + # the root partition. If the checksum differs from the one of the current + # LUKS header, the root partition is already reencryted. + luks_hdr_sum_kiwi="`lsinitrd --file root/.luks.header /boot/initrd`" + if [ "${luks_hdr_sum_kiwi}" != "" ]; then + cryptsetup luksHeaderBackup ${luks_dev} --header-backup-file /root/.luks.header + luks_hdr_sum_cur="`sha256sum /root/.luks.header | cut -f1 -d' '`" + rm -f /root/.luks.header + + if [ "${luks_hdr_sum_cur}" != "${luks_hdr_sum_kiwi}" ]; then + is_reencrypted=true + fi + fi + luks_current_password="${luks_recovery_pass}" # Check if the installer/imager has created a secondary slot that is protected 
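Review bot: The exit status of `cryptsetup luksHeaderBackup ${luks_dev} --header-backup-file /root/.luks.header` in the `@@ -99,6 +114,20 @@` hunk is ignored, and the fixed backup path is one cryptsetup refuses to overwrite if a stale copy exists; on either failure `sha256sum` produces an empty or wrong `luks_hdr_sum_cur`, the mismatch sets `is_reencrypted=true`, and the later hunk then skips `luks_reencrypt` — the fail-open direction for the step that replaces the image's well-known LUKS key. The check should fail closed (abort when the backup cannot be taken) and use a temp path from `fde_make_tempfile`, which this script already pairs with `fde_clean_tempdir`; the backup contains the key slots, so that location must stay root-private. `luks_dev` is also unquoted on the cryptsetup line. The enclosing function starts and ends outside the hunk.
```shell
    luks_hdr_sum_kiwi="`lsinitrd --file root/.luks.header /boot/initrd`"
    if [ "${luks_hdr_sum_kiwi}" != "" ]; then
        luks_hdr_backup=$(fde_make_tempfile luks-header)
        # cryptsetup refuses to overwrite an existing backup file
        rm -f "${luks_hdr_backup}"
        if ! cryptsetup luksHeaderBackup "${luks_dev}" --header-backup-file "${luks_hdr_backup}"; then
            display_errorbox "Failed to back up the LUKS header"
            return 1
        fi
        luks_hdr_sum_cur="`sha256sum "${luks_hdr_backup}" | cut -f1 -d' '`"
        rm -f "${luks_hdr_backup}"
        # … unchanged: checksum comparison setting is_reencrypted …
    fi
```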
@@ -107,11 +136,20 @@ # header that has more than one valid key slot. To avoid any ugly gymnastics, # simply drop that slot. if [ -n "$luks_keyfile" ]; then - if ! luks_drop_key "${luks_dev}" "${luks_keyfile}"; then - display_errorbox "Failed to remove initial random key" - return 1 + # Skip luks_drop_key if the partition is already reencrypted + if [ "$is_reencrypted" == "false" ]; then + if ! luks_drop_key "${luks_dev}" "${luks_keyfile}"; then + display_errorbox "Failed to remove initial random key" + return 1 + fi fi + rm -f "${luks_keyfile}" + + # Replace the key file path in /etc/crypttab with "/.virtual-root.key" + # to avoid errors when unmounting the LUKS partition (bsc#1218181) + sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab + luks_keyfile="" fi @@ -127,11 +165,15 @@ fi fi + # Write the current password to a file for the later operations + pass_keyfile=$(luks_write_password pass "${luks_current_password}") + # Reencrypt with the new password # FIXME: only do this if the LUKS master key is well-known, eg when dealing with # a VM image. - pass_keyfile=$(luks_write_password pass "${luks_current_password}") - luks_reencrypt "${luks_dev}" "${pass_keyfile}" + if [ "$is_reencrypted" = "false" ]; then + luks_reencrypt "${luks_dev}" "${pass_keyfile}" + fi if $with_tpm; then if ! fdectl regenerate-key --passfile "${pass_keyfile}"; then @@ -152,11 +194,12 @@ # Remove the password file rm -f ${pass_keyfile} - # Update /boot/grub2/grub.cfg + # Update initrd and /boot/grub2/grub.cfg if test -d "/boot/writable"; then - transactional-update grub.cfg + transactional-update initrd grub.cfg transactional-update apply else + dracut -f grub2-mkconfig -o /boot/grub2/grub.cfg fi 
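Review bot: `sed -i "s,${luks_keyfile},/.virtual-root.key,g" /etc/crypttab` interpolates the key-file path into a sed pattern unescaped, so a `,` or a regex metacharacter in `luks_keyfile` alters or breaks the expression and crypttab is left pointing at the file that `rm -f "${luks_keyfile}"` just deleted; the value is meant literally, so escape it first, e.g. `keyfile_re=$(printf '%s\n' "$luks_keyfile" | sed 's/[][\.*^$,]/\\&/g')` and substitute `${keyfile_re}`. The new test spells `[ "$is_reencrypted" == "false" ]` while the next hunk uses `= "false"` for the same variable; one form should be used throughout. The enclosing function starts and ends outside the hunk.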
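Review bot: The added `dracut -f` in the `@@ -152,11 +194,12 @@` hunk has its exit status ignored, so a failed initrd rebuild is followed by `grub2-mkconfig` and the first-boot flow finishes as if it succeeded with an initrd that does not reflect the changes made above; the `transactional-update initrd grub.cfg` branch has the same gap. `dracut -f || { display_errorbox "Failed to rebuild the initrd"; return 1; }` surfaces the failure the way the surrounding steps already do. The enclosing function starts and ends outside the hunk.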
@@ -203,15 +246,22 @@ function __fde_valid_protections { + pass_warn=true for tag in $*; do case $tag in - pass|tpm) : ;; + pass) pass_warn=false ;; + tpm) : ;; *) display_errorbox "FDE key protection scheme $tag not yet implemented" return 1;; esac done + if $pass_warn; then + display_errorbox "Pass phrase is mandatory" + return 1 + fi + return 0 } @@ -228,16 +278,19 @@ FDE_PROTECTION="" - message="ALP can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption" + message="This system can be installed with an encrypted root and boot partition. Please choose the desired protection method(s) or press Cancel to install without encryption" options+=(pass 'Pass phrase' on) if ! tpm_present_and_working; then - display_infobox "This system does not seem to have a working TPM device." + display_errorbox "This system does not seem to have a working TPM device." + elif ! uefi_secure_boot_enabled; then + display_errorbox "This system does not seem to use Secure Boot. Full disk encryption with TPM2 disabled" else options+=(tpm 'Stored inside the TPM chip' on) fi - options+=(ccid 'Stored inside a CCID capable token' off) + # Disable the ccid option until we really implement it + # options+=(ccid 'Stored inside a CCID capable token' off) while true; do d --title "Full Disk Encryption" --checklist \ @@ -252,10 +305,6 @@ FDE_PROTECTION="$result" fde_trace "user selected protections: <$FDE_PROTECTION>" - if [ -z "$FDE_PROTECTION" ]; then - return 1 - fi - if __fde_valid_protections $FDE_PROTECTION; then break fi 
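Review bot: `pass_warn=true` in `__fde_valid_protections` is introduced without `local`, so it becomes a global that survives the call and can shadow anything of the same name in the caller; `local pass_warn=true` keeps it inside the function, matching the `local` discipline the new share/tpm functions use. `for tag in $*` relies on unquoted expansion; since the caller already word-splits `$FDE_PROTECTION`, `for tag in "$@"` is the conventional spelling and avoids a second round of splitting. The user-visible "Pass phrase is mandatory" path is sound, but a one-line comment above the loop stating that `pass` must be among the tags would save the next reader from reconstructing it from `pass_warn`.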
@@ -279,18 +328,19 @@ function fde_systemd_firstboot { - if ! uefi_secure_boot_enabled; then - display_infobox "This system does not seem to use Secure Boot. Full disk encryption not available" - return 1 - fi - display_infobox "Full Disk Encryption with TPM2 support" # Redirect the fde_trace messages from stderr to journald exec 2> >(systemd-cat -t fde-tools -p info) - # Get the password that was used during installation. - fde_root_passphrase=$(bootloader_get_fde_password) + if [ -f "$KIWI_REENCRYPTION_KEYFILE" ]; then + # Use the reencryption password from KIWI + fde_root_passphrase="$(<${KIWI_REENCRYPTION_KEYFILE})" + else + # Try the default password + fde_root_passphrase=$(bootloader_get_fde_password) + fi + if [ -z "$fde_root_passphrase" ]; then display_errorbox "Cannot find the initial FDE password for the root file system" return 1 @@ -300,8 +350,6 @@ KIWI_ROOT_KEYFILE="" fi - # FIXME: rather than hard-coding the recovery password here, - # have kiwi write it to /.root.something and read it from there fde_firstboot $(luks_device_for_path "/") "$KIWI_ROOT_KEYFILE" "$fde_root_passphrase" fde_clean_tempdir diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/rpm-build/macros.fde-tpm-helper new/fde-tools-0.7.3/rpm-build/macros.fde-tpm-helper --- old/fde-tools-0.7.2/rpm-build/macros.fde-tpm-helper 2023-10-04 04:43:48.243362226 +0200 +++ new/fde-tools-0.7.3/rpm-build/macros.fde-tpm-helper 2025-05-14 09:25:32.491540704 +0200 
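Review bot: The pass phrase read from `$KIWI_REENCRYPTION_KEYFILE` (`/run/.kiwi_reencrypt.keyfile`, defined in this file's first hunk) is not removed in the visible hunks, so unless KIWI or a later step deletes it, the root reencryption pass phrase stays readable under /run until reboot; a `rm -f "$KIWI_REENCRYPTION_KEYFILE"` once `fde_firstboot` has returned would bound its lifetime the way `luks_keyfile` is already cleaned up in the earlier hunk. `"$(<${KIWI_REENCRYPTION_KEYFILE})"` also leaves the path unquoted inside the substitution. Since the Secure Boot gate was dropped from this function and the protection dialog now only withholds the TPM option, a comment above `display_infobox` such as `# Secure Boot is checked when the protection methods are chosen; without it only the pass phrase is offered` would record why encryption proceeds here. The enclosing function ends outside the hunk.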
@@ -1,16 +1,20 @@ -%fde_tpm_update_requires Requires(posttrans): fde-tpm-helper +%fde_tpm_update_requires Requires(posttrans): (fde-tpm-helper if fde-tools) %fde_tpm_update_post() \ -mkdir -p %{_rundir}/fde-tpm-helper/ \ -touch %{_rundir}/fde-tpm-helper/update \ -for bl in %{?*}; do \ - echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ -done \ +if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ + mkdir -p %{_rundir}/fde-tpm-helper/ \ + touch %{_rundir}/fde-tpm-helper/update \ + for bl in %{?*}; do \ + echo ${bl} >> %{_rundir}/fde-tpm-helper/update \ + done \ +fi \ %nil %fde_tpm_update_posttrans() \ -if test -f %{_rundir}/fde-tpm-helper/update; then \ - %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ - rm -f %{_rundir}/fde-tpm-helper/update \ +if test -x %{_libexecdir}/fde/fde-tpm-helper; then \ + if test -f %{_rundir}/fde-tpm-helper/update; then \ + %{_libexecdir}/fde/fde-tpm-helper "`cat %{_rundir}/fde-tpm-helper/update | uniq`" || : \ + rm -f %{_rundir}/fde-tpm-helper/update \ + fi \ fi \ %nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/share/commands/tpm-inspect new/fde-tools-0.7.3/share/commands/tpm-inspect --- old/fde-tools-0.7.2/share/commands/tpm-inspect 1970-01-01 01:00:00.000000000 +0100 +++ new/fde-tools-0.7.3/share/commands/tpm-inspect 2025-05-14 09:25:32.491540704 +0200 
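Review bot: The added `test -x %{_libexecdir}/fde/fde-tpm-helper` guard in `%fde_tpm_update_post` is evaluated in the calling package's %post, so when fde-tpm-helper is installed later in the same transaction the marker under `%{_rundir}/fde-tpm-helper/` is never written and `%fde_tpm_update_posttrans` finds nothing to do even though the helper is present by then; `Requires(posttrans)` orders only the posttrans step, not %post. If that first-install case matters, keep writing the marker unconditionally in %post (it is only a file under %{_rundir}) and leave the executable check to posttrans, which already has it. Separately, the pre-existing `cat … | uniq` collapses only adjacent duplicates; `sort -u` would be exact.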
@@ -0,0 +1,25 @@ +# +# Copyright (C) 2023 SUSE LLC +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# Written by Gary Lin <g...@suse.com> + +alias cmd_requires_luks_device=false +alias cmd_perform=cmd_tpm_inspect + +function cmd_tpm_inspect { + tpm_inspect +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/share/grub2 new/fde-tools-0.7.3/share/grub2 --- old/fde-tools-0.7.2/share/grub2 2023-11-01 08:17:56.360959136 +0100 +++ new/fde-tools-0.7.3/share/grub2 2025-05-14 09:25:32.495540678 +0200 @@ -33,6 +33,9 @@ alias bootloader_get_keyslots=grub_get_keyslots alias bootloader_remove_keyslots=grub_remove_keyslots alias bootloader_wipe=grub_wipe +alias bootloader_rsa_sizes=grub_rsa_sizes +alias bootloader_stop_event=grub_stop_event +alias bootloader_platform_parameters=grub_platform_parameters ################################################################## # Edit a variable in /etc/default/grub 
@@ -78,10 +81,12 @@ ################################################################## function grub_update_early_config { - sealed_key_file="$1" + local sealed_key_file="$1" + local rsa_key_size=$(tpm_get_rsa_key_size) grub_set_control GRUB_ENABLE_CRYPTODISK "y" grub_set_control GRUB_TPM2_SEALED_KEY "$sealed_key_file" + grub_set_control GRUB_TPM2_SRK_ALG "RSA${rsa_key_size}" # Do not clear the password implicitly; require fdectl or # jeos firstboot to do so explicitly. @@ -223,3 +228,29 @@ grub_remove_keyslots ${luks_dev} } + +function grub_rsa_sizes { + + # Check if the shim-install script supports the SRK algorithm selection. + if ! grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"; then + echo "2048" + return 0 + fi + + # Check if grub2 supports the RSA4096 SRK. + if grub2-protect --help | grep -q "RSA4096"; then + echo "4096 3072 2048" + return 0 + fi + + # TPM 2.0 should at least support RSA2048. + echo "2048" +} + +function grub_stop_event { + echo "grub-file=grub.cfg" +} + +function grub_platform_parameters { + echo "--target-platform tpm2.0" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/share/systemd-boot new/fde-tools-0.7.3/share/systemd-boot --- old/fde-tools-0.7.2/share/systemd-boot 2023-09-07 08:05:01.318932648 +0200 +++ new/fde-tools-0.7.3/share/systemd-boot 2025-05-14 09:25:32.495540678 +0200 @@ -36,7 +36,9 @@ alias bootloader_get_keyslots=systemd_get_keyslots alias bootloader_remove_keyslots=systemd_remove_keyslots alias bootloader_wipe=systemd_wipe - +alias bootloader_rsa_sizes=systemd_rsa_sizes +alias bootloader_stop_event=systemd_stop_event +alias bootloader_platform_parameters=systemd_platform_parameters function not_implemented { 
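Review bot: `grep -q "GRUB_TPM2_SRK_ALG" "/usr/sbin/shim-install"` in `grub_rsa_sizes` (the `@@ -223,3 +228,29 @@` hunk) writes an error to stderr whenever shim-install is absent or installed under a different SBINDIR, even though the resulting fall-back to `2048` is the safe direction; `grep -qs` keeps the probe silent. A comment explaining the probe would also help, e.g. `# shim-install only honours GRUB_TPM2_SRK_ALG if its script references it; grep is the only feature test available`. Relatedly, `grub_update_early_config` in the first hunk writes `GRUB_TPM2_SRK_ALG` unconditionally, which is harmless when the probe returned 2048 but worth a one-line note so nobody later treats the variable as proof of shim-install support.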
@@ -175,3 +177,27 @@ not_implemented } + +################################################################## +# This function lists all the supported RSA key sizes for SRK. +################################################################## +function systemd_rsa_sizes { + echo "2048" +} + +################################################################## +# This function shows the boot loader specific stop event. +################################################################## +function systemd_stop_event { + + not_implemented +} + +################################################################## +# This function shows the boot loader specific parameters for +# pcr-oracle. +################################################################## +function systemd_platform_parameters { + + echo "--target-platform systemd" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/share/tpm new/fde-tools-0.7.3/share/tpm --- old/fde-tools-0.7.2/share/tpm 2023-10-17 03:58:25.343073403 +0200 +++ new/fde-tools-0.7.3/share/tpm 2025-05-14 09:25:32.495540678 +0200 @@ -19,10 +19,6 @@ FDE_DEFAULT_AUTHORIZED_POLICY="authorized-policy" -# FIXME: this needs work for boot loaders other than grub -# Maybe we should introduce a bootloader_stop_event() function. -FDE_STOP_EVENT="grub-file=grub.cfg" - ################################################################## # Check whether a TPM is present and working reasonably well ################################################################## 
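Review bot: `systemd_stop_event` delegates to `not_implemented`, but every consumer in share/tpm (`tpm_seal_key`, `tpm_authorize`, `tpm_snapshot`) calls it as `local stop_event=$(bootloader_stop_event)`, where `local` discards the exit status and only stdout is captured; unless `not_implemented` terminates the process, pcr-oracle is then invoked with `--stop-event ""` on systemd-boot systems. Either document that `not_implemented` exits, or add `[ -n "$stop_event" ] || return 1` after those captures so the unsupported path fails visibly. The header comment on `systemd_stop_event` could also say that it is intentionally unimplemented rather than merely "shows the boot loader specific stop event".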
@@ -42,26 +38,152 @@ return 0 } +function tpm_get_rsa_key_size { + + declare -g __fde_rsa_key_size + + if [ -n "$__fde_rsa_key_size" ]; then + echo "$__fde_rsa_key_size" + return + fi + + if [ -n "$FDE_RSA_KEY_SIZE" ]; then + # TODO validate $FDE_RSA_KEY_SIZE + __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}" + echo "$__fde_rsa_key_size" + return + fi + + # Check if pcr-oracle supports rsa-test + # If pcr-oracle prints "Unknown action", fall back to default. + if pcr-oracle rsa-test 2>&1 | grep -q "Unknown action"; then + __fde_rsa_key_size="2048" + echo "$__fde_rsa_key_size" + return + fi + + # Find the highest supported RSA key size + sizes_to_test=$(bootloader_rsa_sizes) + + for size in ${sizes_to_test}; do + if pcr-oracle --rsa-bits ${size} rsa-test > /dev/null 2>&1; then + __fde_rsa_key_size="${size}" + echo "$__fde_rsa_key_size" + return + fi + done + + fde_trace "Failed to find a valid RSA key size. Fall back to 2048" + __fde_rsa_key_size="2048" + echo "$__fde_rsa_key_size" +} + +function tpm_snapshot { + local snapshot="tpm-snapshot" + local tmpdir=$(fde_make_tempfile snapshot) + + mkdir -p ${tmpdir} + + local stop_event=$(bootloader_stop_event) + + pcr-oracle \ + --from eventlog \ + --create-testcase ${tmpdir}/${snapshot} \ + --stop-event "$stop_event" \ + --after \ + predict all > /dev/null + + if [ -z "$FDE_LOG_DIR" ]; then + FDE_LOG_DIR=/var/log/fde + fi + + tar Jcf ${FDE_LOG_DIR}/${snapshot}.tar.xz -C ${tmpdir} ${snapshot} + + rm -rf ${tmpdir} +} + +function tpm_inspect { + local snapshot="tpm-snapshot" + local snapshot_file="${FDE_LOG_DIR}/${snapshot}.tar.xz" + local tmpdir=$(fde_make_tempfile inspect) + + # FIXME use bootloader specific snapshot + local grubsnapshot="/sys/firmware/efi/efivars/GrubPcrSnapshot-7ce323f2-b841-4d30-a0e9-5474a76c9a3f" + + if [ ! -r ${grubsnapshot} -o ! 
-r ${snapshot_file} ]; then + fde_trace "snapshot not available" + return 1 + fi + + mkdir -p ${tmpdir} + + tar xf ${snapshot_file} -C ${tmpdir} + + local stop_event=$(bootloader_stop_event) + + pcr-oracle \ + --from eventlog \ + --verify snapshot \ + --replay-testcase ${tmpdir}/${snapshot} \ + --stop-event "$stop_event" \ + --after \ + predict ${FDE_SEAL_PCR_LIST} + + rm -rf ${tmpdir} +} + +function tpm_platform_parameters { + declare -g __fde_platform_param + + if [ -n "$__fde_platform_param" ]; then + echo "$__fde_platform_param" + return + fi + + # Check if pcr-oracle supports "--target-platform" + if pcr-oracle --target-platform 2>&1 | grep -q "unrecognized option"; then + __fde_platform_param="--key-format tpm2.0" + echo "$__fde_platform_param" + return + fi + + __fde_platform_param=$(bootloader_platform_parameters) + echo "$__fde_platform_param" +} + function tpm_seal_key { - secret=$1 - sealed_secret=$2 + local secret=$1 + local sealed_secret=$2 + + local extra_opts=$(tpm_platform_parameters) + local rsa_size=$(tpm_get_rsa_key_size) + + if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then + extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi + + local stop_event=$(bootloader_stop_event) echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 - pcr-oracle --input "$secret" --output "$sealed_secret" \ - --key-format tpm2.0 \ + pcr-oracle ${extra_opts} \ + --input "$secret" --output "$sealed_secret" \ --algorithm "$FDE_SEAL_PCR_BANK" \ --from eventlog \ - --stop-event "$FDE_STOP_EVENT" \ + --stop-event "$stop_event" \ --after \ seal-secret \ "$FDE_SEAL_PCR_LIST" + + tpm_snapshot } function tpm_test { key_size=$1 + local extra_opts=$(tpm_platform_parameters) + secret=$(fde_make_tempfile secret) dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 
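Review bot: `tpm_seal_key` now ends with `tpm_snapshot`, whose final command is `rm -rf ${tmpdir}`, so the exit status of the `pcr-oracle … seal-secret` call no longer reaches the caller and a failed seal is indistinguishable from success to anyone testing the function's return; `tpm_authorize` in the later hunk has the same shape, and in both the fix is to capture the status first, `local rc=$?` right after the pcr-oracle command, then `tpm_snapshot` and `return $rc`. The `# TODO validate $FDE_RSA_KEY_SIZE` in `tpm_get_rsa_key_size` is worth closing in this commit, because the unvalidated sysconfig value flows into `[ "$rsa_size" -ne 2048 ]` (a `test` error for non-numeric input) and into `--rsa-bits`; falling back to runtime detection for anything other than the documented 2048/3072/4096 is sketched below. `tpm_inspect` builds `snapshot_file` from `${FDE_LOG_DIR}` without the `/var/log/fde` default that `tpm_snapshot` applies, so with the variable unset it looks for `/tpm-snapshot.tar.xz`. The option probes match `unrecognized option` and `Unknown action` without pinning the locale; if the former comes from glibc getopt it is translated under non-C locales, so run the probes under `LC_ALL=C`.
```shell
    if [ -n "$FDE_RSA_KEY_SIZE" ]; then
        case "$FDE_RSA_KEY_SIZE" in
        2048|3072|4096)
            __fde_rsa_key_size="${FDE_RSA_KEY_SIZE}"
            echo "$__fde_rsa_key_size"
            return
            ;;
        *)
            # Fall through to runtime detection instead of handing an
            # arbitrary value to --rsa-bits.
            fde_trace "Ignoring unsupported FDE_RSA_KEY_SIZE \"$FDE_RSA_KEY_SIZE\""
            ;;
        esac
    fi
    # … unchanged: pcr-oracle rsa-test probing and 2048 fallback …
```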
@@ -73,18 +195,18 @@ dd if=/dev/zero of=$secret bs=$key_size count=1 status=none >&2 fde_trace "Testing TPM seal/unseal" - pcr-oracle \ + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --input "$secret" \ --output "$sealed_secret" \ --from current \ seal-secret "$FDE_SEAL_PCR_LIST" - pcr-oracle \ + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --input "$sealed_secret" \ --output "$recovered" \ - unseal-secret "$FDE_SEAL_PCR_LIST" + unseal-secret if ! cmp "$secret" "$recovered"; then fde_trace "BAD: Unable to recover original secret" @@ -97,18 +219,24 @@ return $result } - function tpm_seal_secret { - secret="$1" - sealed_secret="$2" - authorized_policy="$3" + local secret="$1" + local sealed_secret="$2" + local authorized_policy="$3" + + local extra_opts=$(tpm_platform_parameters) + local rsa_size=$(tpm_get_rsa_key_size) + + if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then + extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi # If we are expected to use an authorized policy, seal the secret # against that, using pcr-oracle rather than the tpm2 tools if [ -n "$authorized_policy" ]; then - pcr-oracle --authorized-policy "$authorized_policy" \ - --key-format tpm2.0 \ + pcr-oracle ${extra_opts} \ + --authorized-policy "$authorized_policy" \ --input $secret \ --output $sealed_secret \ seal-secret @@ -149,14 +277,19 @@ function tpm_create_authorized_policy { - secret_key="$1" - output_policy="$2" - public_key="$3" + local secret_key="$1" + local output_policy="$2" + local public_key="$3" # Generate the private key if it does not exist - extra_opts= + local extra_opts= if [ ! -f "$secret_key" ]; then + local rsa_size=$(tpm_get_rsa_key_size) + extra_opts="--rsa-generate-key" + if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then + extra_opts="${extra_opts} --rsa-bits ${rsa_size}" + fi fi pcr-oracle $extra_opts \ 
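Review bot: The block `if [ -n "$rsa_size" -a "$rsa_size" -ne 2048 ]; then extra_opts="${extra_opts} --rsa-bits ${rsa_size}"; fi` is now copied verbatim into `tpm_seal_secret` (the `@@ -97,18 +219,24 @@` hunk), `tpm_create_authorized_policy` (the next hunk) and `tpm_seal_key` in the earlier hunk; a small helper that echoes `--rsa-bits N` for non-2048 sizes would keep the three call sites from drifting when the size logic changes again. `-a` inside `[ ]` is the obsolescent form; `[ -n "$rsa_size" ] && [ "$rsa_size" -ne 2048 ]` is the portable spelling. In `tpm_test` (first hunk) `key_size=$1` and `secret=…` remain globals while the new `extra_opts` is `local`, so scoping within one function is now mixed.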
@@ -182,18 +315,22 @@ function tpm_authorize { - private_key_file="$1" - sealed_key_file="$2" - signed_key_file="$3" + local private_key_file="$1" + local sealed_key_file="$2" + local signed_key_file="$3" - pcr-oracle \ - --key-format tpm2.0 \ + local extra_opts=$(tpm_platform_parameters) + local stop_event=$(bootloader_stop_event) + + pcr-oracle ${extra_opts} \ --algorithm "$FDE_SEAL_PCR_BANK" \ --private-key "$private_key_file" \ --from eventlog \ - --stop-event "$FDE_STOP_EVENT" \ + --stop-event "$stop_event" \ --after \ --input "$sealed_key_file" \ --output "$signed_key_file" \ sign "$FDE_SEAL_PCR_LIST" + + tpm_snapshot } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.2/sysconfig.fde new/fde-tools-0.7.3/sysconfig.fde --- old/fde-tools-0.7.2/sysconfig.fde 2023-10-23 07:54:00.911620084 +0200 +++ new/fde-tools-0.7.3/sysconfig.fde 2025-05-14 09:25:32.495540678 +0200 @@ -36,3 +36,8 @@ # the bootloader update # Set to yes/no FDE_TPM_AUTO_UPDATE="yes" + +# The RSA key size to be used for SRK and the private sign key +# Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl +# to determine the size at runtime +FDE_RSA_KEY_SIZE="" ++++++ fde-tools-firstboot-alp-snapshot.patch ++++++ --- /var/tmp/diff_new_pack.m1msfN/_old 2025-05-20 09:31:19.304281201 +0200 +++ /var/tmp/diff_new_pack.m1msfN/_new 2025-05-20 09:31:19.308281365 +0200 
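Review bot: The new sysconfig comment reads `to let fdectl to determine the size at runtime`; suggest `or leave it empty to let fdectl determine the size at runtime`. It should also state what happens with a value outside 2048/3072/4096, since `tpm_get_rsa_key_size` in share/tpm currently carries a `TODO validate` and passes the value straight to `--rsa-bits`, e.g. `# Other values are not supported; when in doubt leave this empty`.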
@@ -1,13 +1,13 @@ firstboot/fde | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -Index: fde-tools-0.6.2/firstboot/fde +Index: fde-tools-0.7.3/firstboot/fde =================================================================== ---- fde-tools-0.6.2.orig/firstboot/fde -+++ fde-tools-0.6.2/firstboot/fde -@@ -285,8 +285,8 @@ function fde_systemd_firstboot { - # Get the password that was used during installation. - fde_root_passphrase=$(bootloader_get_fde_password) +--- fde-tools-0.7.3.orig/firstboot/fde ++++ fde-tools-0.7.3/firstboot/fde +@@ -342,8 +342,8 @@ function fde_systemd_firstboot { + fi + if [ -z "$fde_root_passphrase" ]; then - display_errorbox "Cannot find the initial FDE password for the root file system" - return 1