commit disk-encryption-tool for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package disk-encryption-tool for openSUSE:Factory checked in at 2023-12-15 21:47:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old) and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "disk-encryption-tool" Fri Dec 15 21:47:23 2023 rev:2 rq:1133050 version:1+git20231214.1708e01 Changes: -------- --- /work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes 2023-11-17 20:50:31.083291519 +0100 +++ /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.25432/disk-encryption-tool.changes 2023-12-15 21:47:31.570691649 +0100 
@@ -1,0 +2,39 @@ +Thu Dec 14 10:05:42 UTC 2023 - lnussel@suse.com + +- Update to version 1+git20231214.1708e01: + * Add ExclusiveArch for 64-bit EFI architectures + * Don't set rw systems ro + +------------------------------------------------------------------- +Wed Dec 13 16:47:45 UTC 2023 - lnussel@suse.com + +- Update to version 1+git20231213.cfe4cb3: + * Drop the second wipe + * Comment where to find the PCRs later + * Drop pcr-oracle RSA PEM parameter + * Include PCR#9 in the predictions + * Drop TPM2 from cryptab + +------------------------------------------------------------------- +Mon Dec 11 07:46:39 UTC 2023 - lnussel@suse.com + +- Update to version 1+git20231130.dac7e54: + * Silence shellcheck + * Drop TPM2 from crypttab + +------------------------------------------------------------------- +Wed Nov 29 13:55:58 UTC 2023 - lnussel@suse.com + +- Update to version 1+git20231129.5fb1e1a: + * Require tpm2.0-tools + * FIDO2 and TPM2 dialog improvements + * Fix yesno dialog call o_O + * Fix partition resizing on first boot + * Add jeos-firstboot-enroll + * Requires pcr-enroll + * Store generated key as 'cryptenroll' keyring + * Update README + * Require keyutils + * Rename to disk-encryption-tool + +------------------------------------------------------------------- Old: ---- disk-encryption-tool-1+git20231114.702dff6.obscpio New: ---- disk-encryption-tool-1+git20231214.1708e01.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ disk-encryption-tool.spec ++++++ --- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.338719722 +0100 +++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.338719722 +0100 
@@ -1,7 +1,7 @@
 #
-# spec file for package aaa_base
+# spec file for package disk-encryption-tool
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,7 @@
 #
 # icecream 0
+
 %if 0%{?_build_in_place}
 %define git_version %(git log '-n1' '--date=format:%Y%m%d' '--no-show-signature' "--pretty=format:+git%cd.%h")
 BuildRequires: git-core
@@ -27,7 +28,7 @@
 %endif
 Name: disk-encryption-tool
-Version: 1+git20231114.702dff6%{git_version}
+Version: 1+git20231214.1708e01%{git_version}
 Release: 0
 Summary: Tool to reencrypt kiwi raw images
 License: MIT
@@ -35,6 +36,10 @@
 Source: disk-encryption-tool-%{version}.tar
 Requires: cryptsetup
 Requires: keyutils
+Requires: pcr-oracle
+# something needs to require it. Can be us.
+Requires: tpm2.0-tools
+ExclusiveArch: aarch64 ppc64le riscv64 x86_64
 %description
 Convert a plain text kiwi image into one with LUKS full disk
@@ -59,6 +64,7 @@
 install -D -m 644 jeos-firstboot-diskencrypt-override.conf \
 %{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
 install -D -m 644 jeos-firstboot-diskencrypt %buildroot/usr/share/jeos-firstboot/modules/diskencrypt
+install -D -m 644 jeos-firstboot-enroll %buildroot/usr/share/jeos-firstboot/modules/enroll
 %files
 %license LICENSE
@@ -70,6 +76,7 @@
 %dir /usr/share/jeos-firstboot
 %dir /usr/share/jeos-firstboot/modules
 /usr/share/jeos-firstboot/modules/diskencrypt
+/usr/share/jeos-firstboot/modules/enroll
 %dir /usr/lib/systemd/system/jeos-firstboot.service.d
 /usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
++++++ _service ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.362720599 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.366720746 +0100
@@ -1,7 +1,7 @@
 <services>
 <service name="obs_scm" mode="manual">
 <param name="scm">git</param>
- <param name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
+ <param name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
 <param name="revision">master</param>
 <param name="versionformat">1+git%cd.%h</param>
 <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.382721330 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.386721477 +0100
@@ -1,6 +1,8 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
- <param name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service></servicedata>
+ <param name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service name="tar_scm">
+ <param name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
+ <param name="changesrevision">1708e014184aba1d69c3294a990594a35abbe71c</param></service></servicedata>
(No newline at EOF)
++++++ disk-encryption-tool-1+git20231114.702dff6.obscpio -> disk-encryption-tool-1+git20231214.1708e01.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/README.md new/disk-encryption-tool-1+git20231214.1708e01/README.md
--- old/disk-encryption-tool-1+git20231114.702dff6/README.md 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/README.md 2023-12-14 11:04:59.000000000 +0100
@@ -1,23 +1,36 @@ -Convert a plain text kiwi image into one with LUKS full disk -encryption. Supports both raw and qcow2 images. It assumes that the -third partition is the root fs using btrfs. -After encrypting the disk, the fs is mounted and a new initrd -created as well as the grub2 config adjusted. - -The script can either encrypt the image directly, or alternatively -add code to the initrd of the image. In the latter case the image -would encrypt itself on first boot. +Tool to turn a plain text image into one using LUKS full disk +encryption. There are three modes: -Example to encrypt an image: +* Directly encrypt a disk image on a host system. The image can then + be deployed somewhere else +* Prime a disk image by adding code to the initrd of the image that + encrypts the image on first boot +* Include the initrd code already when building an image. The image + would then encrypt itself on first boot. + +In general the tool is developed with [kiwi](https://github.com/OSInside/kiwi) +in mind. It assumes that the image contains a single root fs using btrfs in the +third partition. Both grub2 and systemd-boot are supported. The tool generates +a + +Example to directly encrypt an image: disk-encryption-tool -v SLE-Micro.x86_64-5.4.0-Default-GM.raw -Example to encrypt on first boot: +Example to prime a plain text image to encrypt on first boot: disk-encryption-tool -v --prime SLE-Micro.x86_64-5.4.0-Default-GM.raw + +When run on first boot the tool integrates with +[jeos-firstboot](https://github.com/openSUSE/jeos-firstboot/). The encryption +in initrd deploys an automatically generated recovery key, compatible with +[systemd-cryptenroll](https://www.freedesktop.org/software/systemd/man/latest/systemd-cryptenroll....). +Later in the real root a jeos-firsboot module then offers to deploy +either the root password or another custom passphrase as well. + Parameters for cryptsetup-reencrypt(8) can be passed via -/etc/encrypt_options. One option per line, e.g. 
+`/etc/encrypt_options`. One option per line, e.g. --type=luks1 --iter-time=2000
@@ -28,7 +41,7 @@
 #!/bin/bash
 # combustion: encrypt
 if [ "$1" = "--encrypt" ]; then
- echo 12345 | disk-encryption-tool -v
+ echo 12345 | disk-encryption-tool -v --gen-key
 else
 echo root:12345 | chpasswd
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool
--- old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool 2023-12-14 11:04:59.000000000 +0100
@@ -208,6 +208,9 @@
 make_rw() {
+ local prop
+ read -r prop < <(btrfs prop get -t s "$mp" ro)
+ [ "$prop" = "ro=true" ] || return 0
 log_info "switch to rw"
 btrfs prop set -t s "$mp" ro false
 switched_rw=1
@@ -355,7 +358,9 @@
 if [ -n "$gen_key" ]; then
 read -r password < <(generate-recovery-key)
 echo -e "Recovery key: \e[1m$password\e[m"
- read -r key_id < <(echo -n "$password" | keyctl padd user disk-encryption-tool-recovery-key @u)
+ if [ -e /etc/initrd-release ]; then
+ read -r key_id < <(echo -n "$password" | keyctl padd user cryptenroll @u)
+ fi
 fi
 echo "Encrypting..."
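Review bot: `read -r prop < <(btrfs prop get -t s "$mp" ro)` in make_rw treats a failed `btrfs prop get` exactly like an already-writable subvolume: `prop` stays empty, the guard `[ "$prop" = "ro=true" ] || return 0` returns early, and the later writes under "$mp" (for example the crypttab generation further down) then hit a subvolume that may still be read-only. If the intent is to skip only when the property is known to be off, invert the test — `[ "$prop" = "ro=false" ] && return 0` — or treat empty output as an error so the failure is visible. make_rw's body continues past the hunk.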
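Review bot: Storing the recovery key under `cryptenroll` is now limited to the initrd, but on the non-initrd path `key_id` is no longer assigned at all, so any later reader of `$key_id` (not visible in this hunk) would see an unset variable; initialise it before the `if` (`key_id=`) or drop it if nothing uses it. The `/etc/initrd-release` test is repeated by the partition-resize hunk below; setting one `in_initrd` flag once would keep both branches in step. The key is added with `keyctl padd` and no timeout, and none of the hunks shown unlinks it after jeos-firstboot has consumed it, so a `keyctl timeout` or `keyctl unlink` once enrollment is done would bound how long the plaintext recovery key sits in root's keyring.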
@@ -363,6 +368,16 @@
 log_info "grow partition again"
 echo ", +" | sfdisk --no-reread -q -N "$partno" "$blkdev"
+if [ -e /etc/initrd-release ]; then
+ # seems to be the only way to tell the kernel about a specific partition change
+ partx -u --nr "$partno" "$blkdev" || :
+ # now resize the mapping. For some reason cryptsetup wants a passphrase. Hack
+ # around this by installing a token that makes it read the key we installed
+ # before, then remove the token again o_O
+ cryptsetup token add --key-slot 0 --key-description cryptenroll --token-id 9 "$blkpart"
+ cryptsetup resize "$cr_name" < /dev/null
+ cryptsetup token remove --token-id 9 "$blkpart"
+fi
 if [ -z "$mounted" ]; then
 mount -o rw "$cr_dev" "/mnt"
@@ -383,13 +398,13 @@
 make_rw
-crypttab_options="x-initrd.attach"
-# this triggers dracut to add tpm2 code. should actually look at tokens
-if [ -e "/sys/class/tpm/tpm0" ]; then
- crypttab_options+=",tpm2-device=auto"
-fi
+declare loop_UUID
 eval "$(blkid -c /dev/null -o export "$blkpart"|sed 's/^/loop_/')"
-echo "$cr_name /dev/disk/by-uuid/$loop_UUID none $crypttab_options" > "$mp"/etc/crypttab
+if [ -n "$loop_UUID" ]; then
+ echo "$cr_name /dev/disk/by-uuid/$loop_UUID none x-initrd.attach" > "$mp"/etc/crypttab
+else
+ warn "Can't determine device UUID. Can't generate crypttab"
+fi
 mountstuff
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool-dracut.service new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service
--- old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool-dracut.service 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service 2023-12-14 11:04:59.000000000 +0100
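Review bot: If `cryptsetup resize "$cr_name" < /dev/null` fails, the following `cryptsetup token remove --token-id 9` is never reached (the script aborts there under `set -e`, or carries on with the error unnoticed otherwise), and the deployed image keeps a keyring token in its LUKS header that points at the `cryptenroll` key description. Capture the status, always remove the temporary token, then propagate the failure; whether the script runs with `set -e` is outside this hunk, so the exit below is written for both cases. The hard-coded `--token-id 9` also assumes that id is unused in the header, which is worth a comment or a check since systemd-cryptenroll adds tokens of its own later.
```shell
    cryptsetup token add --key-slot 0 --key-description cryptenroll --token-id 9 "$blkpart"
    rv=0
    cryptsetup resize "$cr_name" < /dev/null || rv=$?
    # drop the temporary keyring token even when the resize failed
    cryptsetup token remove --token-id 9 "$blkpart"
    [ "$rv" = 0 ] || exit "$rv"
```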
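Review bot: `declare loop_UUID` only quiets the unset-variable warning; the value still arrives through `eval` over the complete `blkid -o export` output, which turns every field blkid prints for the device into a shell variable. Since only the UUID is consumed, fetch it directly — `loop_UUID="$(blkid -c /dev/null -o value -s UUID "$blkpart")"` — which keeps the new `[ -n "$loop_UUID" ]` guard and removes the eval entirely. The `warn` branch leaves the image without /etc/crypttab; if that makes the first boot unable to open the root device it should be a fatal error rather than a warning, which only the surrounding script (outside the hunk) can decide.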
@@ -29,6 +29,7 @@
 [Service]
 Type=oneshot
+KeyringMode=shared
 ExecStart=/usr/bin/disk-encryption-tool-dracut
 [Install]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool.spec new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool.spec
--- old/disk-encryption-tool-1+git20231114.702dff6/disk-encryption-tool.spec 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool.spec 2023-12-14 11:04:59.000000000 +0100
@@ -35,6 +35,10 @@
 Source: disk-encryption-tool-%{version}.tar
 Requires: cryptsetup
 Requires: keyutils
+Requires: pcr-oracle
+# something needs to require it. Can be us.
+Requires: tpm2.0-tools
+ExclusiveArch: aarch64 ppc64le riscv64 x86_64
 %description
 Convert a plain text kiwi image into one with LUKS full disk
@@ -59,6 +63,7 @@
 install -D -m 644 jeos-firstboot-diskencrypt-override.conf \
 %{buildroot}/usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
 install -D -m 644 jeos-firstboot-diskencrypt %buildroot/usr/share/jeos-firstboot/modules/diskencrypt
+install -D -m 644 jeos-firstboot-enroll %buildroot/usr/share/jeos-firstboot/modules/enroll
 %files
 %license LICENSE
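Review bot: `KeyringMode=shared` is the setting that lets the recovery key disk-encryption-tool stores under `cryptenroll` in the user keyring outlive this oneshot unit and be found later via `keyctl id %user:cryptenroll`, and that dependency is not obvious from the unit alone; a comment on the line such as `# share root's user keyring so the generated recovery key ("cryptenroll") is visible to later units` would record it. Presumably with the default per-service keyring the key would be gone as soon as the unit exits, which is the failure this line prevents.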
@@ -70,6 +75,7 @@
 %dir /usr/share/jeos-firstboot
 %dir /usr/share/jeos-firstboot/modules
 /usr/share/jeos-firstboot/modules/diskencrypt
+/usr/share/jeos-firstboot/modules/enroll
 %dir /usr/lib/systemd/system/jeos-firstboot.service.d
 /usr/lib/systemd/system/jeos-firstboot.service.d/jeos-firstboot-diskencrypt-override.conf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-diskencrypt new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt
--- old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-diskencrypt 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt 2023-12-14 11:04:59.000000000 +0100
@@ -5,7 +5,7 @@
 crypt_devs=()
 diskencrypt_systemd_firstboot() {
- crypt_keyid="$(keyctl search @u user disk-encryption-tool-recovery-key)"
+ crypt_keyid="$(keyctl id %user:cryptenroll)"
 [ -n "$crypt_keyid" ] || return 0
 local dev
 while read -r dev fstype; do
@@ -18,7 +18,7 @@
 return 0
 fi
- if [ -n "$password" ] && d --yesno $"Use root password as encryption password?" 0 0; then
+ if [ -n "$password" ] && dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Use root password as encryption password?" 0 0; then
 crypt_pw="$password"
 else
 while true; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-enroll new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20231114.702dff6/jeos-firstboot-enroll 1970-01-01 01:00:00.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll 2023-12-14 11:04:59.000000000 +0100
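Review bot: `crypt_keyid="$(keyctl id %user:cryptenroll)"` writes an error to stderr whenever the key is absent, and on a system that did not encrypt itself on first boot that is the normal case, so the firstboot console gets a spurious message every time; since the line is being rewritten anyway, silence it — `crypt_keyid="$(keyctl id %user:cryptenroll 2>/dev/null)"` — and let the existing `[ -n "$crypt_keyid" ] || return 0` on the next line handle the missing key. The identical line in enroll_systemd_firstboot in the new jeos-firstboot-enroll file has the same issue. diskencrypt_systemd_firstboot continues past the hunk.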
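Review bot: The `dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno … 0 0` call introduced here is spelled out verbatim twice more in jeos-firstboot-enroll (the FIDO2 and TPM prompts); a one-line helper such as `yesno() { dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno "$1" 0 0; }` in the shared module code would keep the three prompts identical the next time the dialog options change. The unquoted `$dialog_alternate_screen` looks deliberate (an option list that must word-split), which is worth a `# shellcheck disable=SC2086` comment so it is not "fixed" later.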
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+crypt_keyid=""
+with_fido2=
+with_tpm2=
+
+# After the enrolling, other tools can find this list in the LUKS
+# header
+pcrs="0,2,4,7,9"
+
+enroll_systemd_firstboot() {
+ crypt_keyid="$(keyctl id %user:cryptenroll)"
+ [ -n "$crypt_keyid" ] || return 0
+ [ -e /usr/bin/systemd-cryptenroll ] || return 0
+
+ local has_fido2=${JEOS_HAS_FIDO2:-}
+ local has_tpm2=
+
+ [ -z "$(systemd-cryptenroll --fido2-device=list 2>/dev/null)" ] || has_fido2=1
+ [ -e '/sys/class/tpm/tpm0' ] && has_tpm2=1
+
+ # For now seems that if a FIDO2 key is enrolled, it will take
+ # precedence over the TPM2 and the key will be asked to be present
+ # in subsequent boots.
+ if [ "$has_fido2" = '1' ] && [ "$has_tpm2" = '1' ]; then
+ local list=('FIDO2' 'FIDO2' 'TPM2' 'TPM2' 'none' $"Skip")
+ d --no-tags --default-item 'FIDO2' --menu $"Select unlock device" 0 0 "$(menuheight ${#list[@]})" "${list[@]}"
+ [ "$result" = 'FIDO2' ] && with_fido2=1
+ [ "$result" = 'TPM2' ] && with_tpm2=1
+ elif [ "$has_fido2" ]; then
+ dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Unlock encrypted disk via FIDO2 token?" 0 0 && with_fido2=1
+ elif [ "$has_tpm2" ]; then
+ dialog $dialog_alternate_screen --backtitle "$PRETTY_NAME" --yesno $"Unlock encrypted disk via TPM?"
0 0 && with_tpm2=1
+ fi
+ return 0
+}
+
+enroll_fido2() {
+ local dev="$1"
+
+ echo "Enrolling with FIDO2: $dev"
+
+ # The password is read from "cryptenroll" kernel keyring
+ run systemd-cryptenroll --fido2-device=auto "$dev"
+}
+
+generate_key() {
+ [ -z "$dry" ] && mkdir -p /etc/systemd
+ run pcr-oracle \
+ --rsa-generate-key \
+ --private-key /etc/systemd/tpm2-pcr-private-key.pem \
+ --public-key /etc/systemd/tpm2-pcr-public-key.pem \
+ store-public-key
+}
+
+enroll_tpm2() {
+ local dev="$1"
+
+ echo "Enrolling with TPM2: $dev"
+
+ # The password is read from "cryptenroll" kernel keyring
+ # XXX: Wipe is separated by now (possible systemd bug)
+ run systemd-cryptenroll \
+ --wipe-slot=tpm2 \
+ "$dev"
+
+ run systemd-cryptenroll \
+ --tpm2-device=auto \
+ --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
+ --tpm2-public-key-pcrs="$pcrs" \
+ "$dev"
+}
+
+update_crypttab_options() {
+ # This version will share the same options for all crypto_LUKS
+ # devices. This imply that all of them will be unlocked by the
+ # same TPM2, or the same FIDO2 key
+ local options="$1"
+
+ # TODO: this needs to be unified with disk-encryption-tool
+ local crypttab
+ if [ -z "$dry" ]; then
+ crypttab="$(mktemp -t disk-encryption-tool.crypttab.XXXXXX)"
+ else
+ crypttab=/dev/stdout
+ fi
+ echo "# File created by jeos-firstboot-enroll.
Comments will be removed" > "$crypttab"
+
+ local name
+ local device
+ local key
+ local opts
+ while read -r name device key opts; do
+ [[ "$name" = \#* ]] && continue
+ echo "$name $device $key $options" >> "$crypttab"
+ done < /etc/crypttab
+
+ run mv "$crypttab" /etc/crypttab
+ run chmod 644 /etc/crypttab
+}
+
+enroll_post() {
+ [ -n "$crypt_keyid" ] || return 0
+ [ -e /usr/bin/systemd-cryptenroll ] || return 0
+
+ local dev
+ local fstype
+ if [ -z "$crypt_devs" ]; then
+ while read -r dev fstype; do
+ [ "$fstype" = 'crypto_LUKS' ] || continue
+ crypt_devs+=("$dev")
+ done < <(lsblk --noheadings -o PATH,FSTYPE)
+ fi
+
+ crypttab_options="x-initrd.attach"
+
+ if [ "$with_fido2" = '1' ]; then
+ for dev in "${crypt_devs[@]}"; do
+ enroll_fido2 "$dev"
+ done
+ crypttab_options+=",fido2-device=auto"
+ fi
+
+ if [ "$with_tpm2" = '1' ]; then
+ generate_key
+
+ for dev in "${crypt_devs[@]}"; do
+ enroll_tpm2 "$dev"
+ done
+ crypttab_options+=",tpm2-device=auto"
+ fi
+
+ update_crypttab_options "$crypttab_options"
+
+ run sdbootutil add-all-kernels --no-reuse-initrd
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231114.702dff6/module-setup.sh new/disk-encryption-tool-1+git20231214.1708e01/module-setup.sh
--- old/disk-encryption-tool-1+git20231114.702dff6/module-setup.sh 2023-11-14 17:06:49.000000000 +0100
+++ new/disk-encryption-tool-1+git20231214.1708e01/module-setup.sh 2023-12-14 11:04:59.000000000 +0100
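Review bot: In update_crypttab_options the `while read -r name device key opts` loop skips only comment lines, so a blank line in /etc/crypttab gives an empty `$name` and is rewritten as a line of spaces followed by the options — a malformed entry; add `[ -n "$name" ] || continue` beside the `\#*` check. In enroll_post, `[ -z "$crypt_devs" ]` inspects only element 0 of the array; `[ "${#crypt_devs[@]}" -eq 0 ]` is the intended test. The results of enroll_fido2/enroll_tpm2 are never checked before `fido2-device=auto`/`tpm2-device=auto` are appended, and enroll_tpm2 wipes the existing tpm2 slot before re-enrolling, so a failed second `systemd-cryptenroll` still yields a crypttab that advertises a TPM2 binding the header no longer has (likely degrading to a passphrase prompt at boot); guard each `crypttab_options+=` on the enrollment loop succeeding. generate_key writes the PCR-policy signing key to /etc/systemd/tpm2-pcr-private-key.pem, and the hunk does not show the mode pcr-oracle creates it with, so confirm it is root-only or run generate_key under `umask 077`.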
@@ -15,7 +15,7 @@
 # called by dracut
 install() {
 inst_multiple -o cryptsetup-reencrypt
- inst_multiple cryptsetup btrfs mktemp getopt mountpoint findmnt sfdisk tac sed hexdump keyctl
+ inst_multiple cryptsetup btrfs mktemp getopt mountpoint findmnt sfdisk tac sed hexdump keyctl partx
 inst_script "$moddir"/disk-encryption-tool /usr/bin/disk-encryption-tool
 inst_script "$moddir"/disk-encryption-tool-dracut /usr/bin/disk-encryption-tool-dracut
++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.jYsabc/_old 2023-12-15 21:47:32.466724400 +0100
+++ /var/tmp/diff_new_pack.jYsabc/_new 2023-12-15 21:47:32.470724547 +0100
@@ -1,5 +1,5 @@
 name: disk-encryption-tool
-version: 1+git20231114.702dff6
-mtime: 1699978009
-commit: 702dff62d37b74244b58b41f78b41cd2befe581b
+version: 1+git20231214.1708e01
+mtime: 1702548299
+commit: 1708e014184aba1d69c3294a990594a35abbe71c
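Review bot: `partx` is added for the new initrd-only resize path in disk-encryption-tool, but nothing in this `inst_multiple` list records that, and the same initrd path also relies on `generate-recovery-key` (the `--gen-key` branch) and `blkid` (crypttab generation), neither of which appears here; if they are pulled in by another line of install() or by a dracut dependency that is fine, otherwise they need adding. A short comment such as `# partx: kernel partition-table refresh used by the in-initrd resize` next to the line would make the dependency traceable. install() continues past the hunk.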