Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package fde-tools for openSUSE:Factory checked in at 2023-10-24 20:06:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/fde-tools (Old) and /work/SRC/openSUSE:Factory/.fde-tools.new.24901 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fde-tools"
Tue Oct 24 20:06:47 2023 rev:13 rq:1119546 version:0.7.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/fde-tools/fde-tools.changes 2023-10-05 20:03:09.654729915 +0200
+++ /work/SRC/openSUSE:Factory/.fde-tools.new.24901/fde-tools.changes 2023-10-24 20:06:49.661188106 +0200
@@ -1,0 +2,13 @@
+Mon Oct 23 05:57:33 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update to version 0.7.1
+ + add-secondary-key: remove the generation of the secondary
+ password
+ + add-secondary-key: remove the inclusion of
+ 'add-secondary-password'
+ + luks: list all underlying LUKS device
+ + Introduce FDE_DEVS to list all LUKS devices
+- Drop upstreamd patch
+ + fde-tools-remove-redundant-2nd-pw-creation.patch
+
+-------------------------------------------------------------------
Old:
----
fde-tools-0.7.0.tar.bz2
fde-tools-remove-redundant-2nd-pw-creation.patch
New:
----
fde-tools-0.7.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ fde-tools.spec ++++++
--- /var/tmp/diff_new_pack.Gx7q05/_old 2023-10-24 20:06:50.305211520 +0200
+++ /var/tmp/diff_new_pack.Gx7q05/_new 2023-10-24 20:06:50.309211665 +0200
@@ -17,7 +17,7 @@
 Name: fde-tools
-Version: 0.7.0
+Version: 0.7.1
 Release: 0
 Summary: Tools required for Full Disk Encryption
 License: GPL-2.0-only
@@ -26,7 +26,6 @@
 Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 Source1: fde-tools.service
 Patch: fde-tools-firstboot-alp-snapshot.patch
-Patch1: fde-tools-remove-redundant-2nd-pw-creation.patch
 BuildRequires: help2man
 BuildRequires: pkgconfig(libcryptsetup)
 BuildRequires: pkgconfig(libfido2)
++++++ fde-tools-0.7.0.tar.bz2 -> fde-tools-0.7.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/fde.sh new/fde-tools-0.7.1/fde.sh
--- old/fde-tools-0.7.0/fde.sh 2023-09-19 07:56:12.454296022 +0200
+++ new/fde-tools-0.7.1/fde.sh 2023-10-23 07:54:57.691250724 +0200
@@ -22,7 +22,7 @@
 : ${SHAREDIR:=/usr/share/fde}
-version=0.7.0
+version=0.7.1
 opt_bootloader=grub2
 opt_uefi_bootdir=""
@@ -204,17 +204,29 @@
 . "$SHAREDIR/commands/$command"
 if cmd_requires_luks_device; then
+ # Merge FDE_EXTRA_DEVS into FDE_DEVS and unset FDE_EXTRA_DEVS
+ FDE_DEVS="${FDE_DEVS} ${FDE_EXTRA_DEVS}"
+ FDE_EXTRA_DEVS=""
+
 fsdev=$(luks_device_for_path /)
 if [ ! -b "$fsdev" ]; then
 fde_bad_argument "Unable to determine partition to operate on"
 fi
- luks_dev=$(luks_get_volume_for_fsdev "$fsdev")
- if [ -z "$luks_dev" ]; then
+ luks_devices=$(luks_get_volume_for_fsdev "$fsdev")
+ if [ -z "$luks_devices" ]; then
 display_errorbox "Cannot find the underlying partition for $fsdev"
 exit 1
 fi
+ # Merge FDE_DEVS and detected devices and remove duplicate devices
+ luks_devices=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | sed '/^$/d' | sort -u)
+
+ # Extract the first device as the main root device and set others
+ # to FDE_EXTRA_DEVS.
+ luks_dev=$(head -n 1 <<<${luks_devices})
+ FDE_EXTRA_DEVS=$(grep -v "${luks_dev}" <<<${luks_devices})
+
 cmd_perform "$luks_dev"
 else
 cmd_perform
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/man/fdectl.8 new/fde-tools-0.7.1/man/fdectl.8
--- old/fde-tools-0.7.0/man/fdectl.8 2023-06-30 11:05:51.588318859 +0200
+++ new/fde-tools-0.7.1/man/fdectl.8 1970-01-01 01:00:00.000000000 +0100
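Review bot: The comment says the first line of `luks_devices` is "the main root device", but `sort -u` has already reordered the merged list, so whenever FDE_DEVS names a device that sorts before the detected root volume (FDE_DEVS=/dev/sda3 with root on /dev/sdb2) `luks_dev` becomes the extra device and the root volume is pushed into FDE_EXTRA_DEVS; the ordering that `luks_get_volume_for_fsdev` restores with `tac` is discarded the same way. Pick the root volume before merging and sort only the rest: `luks_dev=$(head -n 1 <<<"${luks_devices}")` followed by `FDE_EXTRA_DEVS=$(tr -s '[:space:]' '\n' <<<"${luks_devices} ${FDE_DEVS}" | sed '/^$/d' | sort -u | grep -vxF -- "${luks_dev}")`. The `-xF --` also fixes a second problem in the current `grep -v "${luks_dev}"`: as an unanchored regex, /dev/sda1 also strips /dev/sda10 and /dev/sda11 from FDE_EXTRA_DEVS, so those volumes silently drop out of management (and a device path starting with `-` would be taken as a grep option). How much the choice of "main" device matters depends on what each command's cmd_perform does with it, which is not visible here; the enclosing dispatch block also begins before this hunk.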
@@ -1,125 +0,0 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.5. -.TH FDECTL "8" "June 2023" "fdectl 0.6.3" "System Administration Utilities" -.SH NAME -fdectl \- Tool for controlling Full Disk Encryption -.SH SYNOPSIS -.B fdectl -[\fI\,global-options\/\fR] \fI\,command \/\fR[\fI\,cmd-options\/\fR] -.SH DESCRIPTION -The primary objective of this tool is to streamline the TPM seal/unseal process -for system administrators and installers. To achieve this, it heavily depends -on \fBpcr-oracle\fP to forecast the relevant TPM Platform Configuration -Registers (PCRs) values at the point when the boot loader needs to unseal the -key. The primary configuration file for this tool is located at -\fB/etc/sysconfig/fde-tools\fP. -.SS "Global options:" -.HP -\fB\-\-help\fR -.IP -Display this message -.HP -\fB\-\-version\fR -.IP -Print program version -.HP -\fB\-\-device\fR -.IP -Specify the partition to operate on. Can be a device -name or a mount point. Defaults to the current root -device. -.HP -\fB\-\-bootloader\fR -.IP -Specify the boot loader being used [grub2]. -.HP -\fB\-\-uefi\-boot\-dir\fR -.IP -Specify the location of the UEFI ESP [/boot/efi]. -.HP -\fB\-\-use\-dialog\fR -.IP -Use the dialog(1) utility to interact with the user. -.HP -\fB\-\-keyfile\fR -.IP -Specify the path to a LUKS key for use with tpm\-enable. -.HP -\fB\-\-password\fR -.IP -Specify the LUKS recovery password. Should be used by the -installer only. 
-.SS "Commands:" -.TP -help -display this message -.TP -passwd -change the password protecting the partition -.TP -add\-secondary\-password -protect partition with a passphrase and use that to unlock on next boot -.TP -remove\-secondary\-password -remove passphrase installed by add\-secondary\-password -.TP -regenerate\-key -regenerate the random key to replace the old key and seal the new key -.TP -tpm\-present -check whether a TPM2 chip is present and working -.TP -tpm\-enable -enable TPM protection -.TP -tpm\-disable -disable TPM protection -.TP -tpm\-wipe -wipe out the keyslot for the sealed key -.SH EXAMPLES -Testing for the presence of a TPM - -.B -.nf -fdectl tpm-present -.PP -.fi - -This will return an exit status of 0 (success) or 1 (absent). - -If the users asks for the LUKS partition to be protected by the TPM, the -installer needs to create a secondary key and pass this to the installed -system, like this: - -.B -.nf -fdectl add-secondary-key --keyfile /root/.root.key -.PP -.fi - -This will prompt for the recovery password that is able to unlock the LUKS -partition. Alternatively, you can pass the password on the command like using -the \fI--password\fP option. - -After booting into the installed system, TPM protection needs to be enabled -using this command: - -.B -.nf -fdectl tpm-enable --keyfile /root/.root.keyfile -.PP -.fi - -This will create a _new_ LUKS key, which is then sealed against the predicted -TPM state, and installed in the UEFI System Partition. The old key, which was -created by the installer, is removed. - -Note, when using \fBfdectl add-secondary-password\fP as described above, -\fItpm-enable\fP will also have to remove this well-known password from the -LUKS header. - -Usually, the \fItpm-enable\fP command is invoked automatically on first boot -via the \fBfde-tools.service\fP unit file. 
-.SH "SEE ALSO"
-.BR pcr-oracle (8),
-.BR cryptsetup (8)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/share/commands/add-secondary-key new/fde-tools-0.7.1/share/commands/add-secondary-key
--- old/fde-tools-0.7.0/share/commands/add-secondary-key 2023-09-07 08:05:01.314932675 +0200
+++ new/fde-tools-0.7.1/share/commands/add-secondary-key 2023-10-23 07:54:00.911620084 +0200
@@ -17,9 +17,6 @@
 #
 # Written by Olaf Kirch <o...@suse.com>
-# Needed by the secondary-password hack below.
-. $SHAREDIR/commands/add-secondary-password
-
 alias cmd_requires_luks_device=true
 alias cmd_perform=cmd_add_secondary_key
@@ -37,17 +34,6 @@
 return 1
 fi
- # HACK ATTACK
- # This is here as a workaround, while we're waiting for d-installer to call
- # fdectl add-secondary-password
- # prior to adding the secondary key.
- if [ -z "$(bootloader_get_fde_password)" ]; then
- fde_trace "WORKAROUND: silently adding secondary password to allow hands-free reboot"
- fde_trace "WORKAROUND: please remove this after adding support for add-secondary-password to the installer"
- add_secondary_password "$luks_dev"
- bootloader_commit_config
- fi
-
 if ! enroll_tpm_secondary_key "${luks_dev}"; then
 return 1
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/share/luks new/fde-tools-0.7.1/share/luks
--- old/fde-tools-0.7.0/share/luks 2023-09-07 08:05:01.318932648 +0200
+++ new/fde-tools-0.7.1/share/luks 2023-10-23 07:54:00.911620084 +0200
@@ -84,7 +84,7 @@
 }
 ##################################################################
-# Locate the underlying partition of LUKS encrypted device
+# Locate the underlying partition(s) of LUKS encrypted device
 ##################################################################
 function luks_get_volume_for_fsdev {
@@ -101,7 +101,7 @@
 dev="/dev/mapper/$dm_name"
 fi
- # Trace back the block devices to locate the first device with
+ # Trace back the block devices to locate the devices with
 # 'crypto_LUKS' file system type
 # - lsblk options
 # -s: inverse dependencies
@@ -109,9 +109,12 @@
 # -r: raw format
 # -p: full device path
 # -o: print only NAME and FSTYPE
- dev_path=$(lsblk -snrp -o NAME,FSTYPE ${dev} | grep -m 1 crypto_LUKS | cut -d' ' -f 1)
+ #
+ # NOTE: A LVM device may contain multiple 'crypto_LUKS' devices.
+ # Use 'tac' to invert the order again since '-s' is used in 'lsblk'.
+ luks_devices=$(lsblk -snrp -o NAME,FSTYPE ${dev} | grep crypto_LUKS | cut -d' ' -f 1 | tac)
- echo "${dev_path}"
+ echo "${luks_devices}"
 return 0
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fde-tools-0.7.0/sysconfig.fde new/fde-tools-0.7.1/sysconfig.fde
--- old/fde-tools-0.7.0/sysconfig.fde 2023-09-19 07:52:51.927609722 +0200
+++ new/fde-tools-0.7.1/sysconfig.fde 2023-10-23 07:54:00.911620084 +0200
@@ -25,10 +25,12 @@
 # to enroll on the next reboot
 FDE_ENROLL_NEW_KEY=""
-# Specify the devices to be managed by fdectl other than the root partition
-# NOTE: Those devices must use the same recovery password as the one of the
-# root partition.
-FDE_EXTRA_DEVS=""
+# Specify the devices to be managed by fdectl
+# NOTE: Those devices must use the same recovery password.
+FDE_DEVS=""
+
+# [DEPRECATED] Use FDE_DEVS instead
+# FDE_EXTRA_DEVS=""
 # Configure whether to update the authorized policy in the sealed key after
 # the bootloader update
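Review bot: `grep crypto_LUKS` in the new lsblk pipeline matches the pattern anywhere in the `NAME FSTYPE` line, so a device or mapper name that happens to contain that string is selected regardless of its FSTYPE column, and `${dev}` is still passed to lsblk unquoted. Matching the column exactly removes the false positive and the `cut` at once: `luks_devices=$(lsblk -snrp -o NAME,FSTYPE "${dev}" | awk '$2 == "crypto_LUKS" {print $1}' | tac)`. The NOTE comment should also say what order the caller gets — presumably nearest-to-the-filesystem first, given the `tac` — since fde.sh now relies on the first entry. The function luks_get_volume_for_fsdev starts before this hunk.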
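Review bot: The new FDE_DEVS comment no longer says what the recovery password must be the same as, and it does not say whether the root volume has to be listed; fde.sh merges FDE_DEVS with the LUKS volume it detects under / and drops duplicates, so listing it is optional. Suggest `# Specify additional LUKS devices to be managed by fdectl; the root volume is` / `# detected automatically and need not be listed here.` / `# NOTE: Those devices must use the same recovery password as the root volume.`. Since fde.sh still folds a non-empty FDE_EXTRA_DEVS into FDE_DEVS, the [DEPRECATED] line could add that the old variable is still honored for now, so administrators know a stale setting keeps taking effect.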