Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2026-02-02 14:55:16

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fde-tools (Old)
 and      /work/SRC/openSUSE:Factory/.fde-tools.new.1995 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools" Mon Feb 2 14:55:16 2026 rev:34 rq:1330344 version:0.7.3 Changes: -------- --- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2026-01-01 15:00:01.536459810 +0100 +++ /work/SRC/openSUSE:Factory/.fde-tools.new.1995/fde-tools.changes 2026-02-02 14:55:53.532288128 +0100 @@ -1,0 +2,6 @@ +Fri Jan 30 06:38:56 UTC 2026 - Gary Ching-Pang Lin <[email protected]> + +- Add fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch to + suppoert persistent SRK (bsc#1248516) + +------------------------------------------------------------------- New: ---- fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch ----------(New B)---------- New: - Add fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch to suppoert persistent SRK (bsc#1248516) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fde-tools.spec ++++++ --- /var/tmp/diff_new_pack.3esGUx/_old 2026-02-02 14:55:55.060352716 +0100 +++ /var/tmp/diff_new_pack.3esGUx/_new 2026-02-02 14:55:55.060352716 +0100 @@ -1,7 +1,7 @@ # # spec file for package fde-tools # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,7 @@ Patch1: fde-tools-bsc1243877-firstboot-remove-key-conf.patch Patch2: fde-tools-bsc1244323-firstboot-fix-lsinitrd.patch Patch3: fde-tools-bsc1246464-use-default-uefi-boot-path.patch +Patch4: fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch BuildRequires: help2man BuildRequires: pkgconfig(json-c) BuildRequires: pkgconfig(libcryptsetup) ++++++ fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch ++++++ >From 9d15b48478534a9555b1ba17c5e82261385c93df Mon Sep 17 00:00:00 2001 
From: Gary Lin <[email protected]> Date: Thu, 30 Oct 2025 15:40:27 +0800 Subject: [PATCH] tpm: Support persistent SRK If pcr-oracle supports persistent SRK and the user assigns the persistent handle in the config file, make SRK persistent when sealing the disk key. Signed-off-by: Gary Lin <[email protected]> --- share/tpm | 14 ++++++++++++++ sysconfig.fde | 7 +++++++ 2 files changed, 21 insertions(+) diff --git a/share/tpm b/share/tpm index 63a4ae6..d69cf2b 100644 --- a/share/tpm +++ b/share/tpm @@ -260,6 +260,13 @@ function tpm_seal_key { extra_opts="${extra_opts} --rsa-bits ${rsa_size}" fi + if [ -n "$FDE_TPM_PERSISTENT_SRK" ]; then + # Check if pcr-oracle supports '--persistent-srk' + if ! pcr-oracle --persistent-srk 2>&1 | grep -q "unrecognized option"; then + extra_opts="${extra_opts} --persistent-srk ${FDE_TPM_PERSISTENT_SRK}" + fi + fi + local stop_event=$(bootloader_stop_event) echo "Sealing secret against PCR policy covering $FDE_SEAL_PCR_LIST" >&2 @@ -350,6 +357,13 @@ function tpm_seal_secret { # If we are expected to use an authorized policy, seal the secret # against that, using pcr-oracle rather than the tpm2 tools if [ -n "$authorized_policy" ]; then + if [ -n "$FDE_TPM_PERSISTENT_SRK" ]; then + # Check if pcr-oracle supports '--persistent-srk' + if ! pcr-oracle --persistent-srk 2>&1 | grep -q "unrecognized option"; then + extra_opts="${extra_opts} --persistent-srk ${FDE_TPM_PERSISTENT_SRK}" + fi + fi + pcr-oracle ${extra_opts} \ --authorized-policy "$authorized_policy" \ --input $secret \ diff --git a/sysconfig.fde b/sysconfig.fde index 741f5b4..0a32b19 100644 --- a/sysconfig.fde +++ b/sysconfig.fde 
@@ -41,3 +41,10 @@ FDE_TPM_AUTO_UPDATE="yes" # Expected values: 2048, 3072, 4096, or just leave it empty to let fdectl # to determine the size at runtime FDE_RSA_KEY_SIZE="" + +# Specify the TPM persistent handle to store SRK +# The valid range of this variable is 0x81000000~0x817FFFFF. +# If this variable is unset, grub2 will generate SRK dynamically. +# NOTE: The persistent handle will be overwritten. Please make sure that no +# other program is using the same handle before setting this variable. +FDE_TPM_PERSISTENT_SRK="" -- 2.51.0
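Review bot: in the fde-tools.changes hunk, "suppoert" is a typo for "support" (the same misspelling is repeated in the "New:" summary); the changelog line should read "- Add fde-tools-bsc1248516-tpm-Support-persistent-SRK.patch to support persistent SRK (bsc#1248516)".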
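Review bot: in the share/tpm hunk at tpm_seal_key (@@ -260,6 +260,13 @@), the capability probe `if ! pcr-oracle --persistent-srk 2>&1 | grep -q "unrecognized option"` treats every output that does not contain that exact string as "supported", including the cases where pcr-oracle is not on PATH, is interrupted, or reports the error with different wording, so an unsupported option would then be passed to the real sealing command and the sealing step would fail with a less obvious error. Consider a dedicated helper (say tpm_persistent_srk_opts, a hypothetical name) that probes once, validates FDE_TPM_PERSISTENT_SRK against the range the sysconfig comment promises (0x81000000~0x817FFFFF), for example `[[ "$FDE_TPM_PERSISTENT_SRK" =~ ^0x81[0-7][0-9a-fA-F]{5}$ ]]`, and writes a message to stderr when the option is dropped: as written, a configured handle on an older pcr-oracle is silently ignored, so the administrator believes the SRK is persistent when it is not.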
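Review bot: in the share/tpm hunk at tpm_seal_secret (@@ -350,6 +357,13 @@), the seven-line probe block is a verbatim copy of the one added to tpm_seal_key; move it into one shared function so the two call sites cannot drift apart. Note also that the block sits inside `if [ -n "$authorized_policy" ]; then`, so the persistent SRK is only used on the pcr-oracle path and not when the secret is sealed with the tpm2 tools; the commit message "make SRK persistent when sealing the disk key" should state that limitation, or the tpm2-tools branch should honour the setting as well.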
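Review bot: in the sysconfig.fde hunk, the comment says "If this variable is unset, grub2 will generate SRK dynamically", but the shipped default is FDE_TPM_PERSISTENT_SRK="" and share/tpm tests it with `[ -n "$FDE_TPM_PERSISTENT_SRK" ]`, so "unset or empty" is the accurate wording, and the dynamic fallback also applies to the pcr-oracle sealing step, not only to grub2. The NOTE "The persistent handle will be overwritten" documents a destructive default; since nothing in this patch checks whether the handle is already occupied, consider having the tooling refuse, or at least warn, when an object is already stored at that handle instead of relying on the administrator to check by hand.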
