WiP: Fix TPM DUK retries/vocabulary (again) and CapsLock warning #1592

Draft
wants to merge 10 commits into
base: master

Commits on Jan 17, 2024

  1. WiP: Suggest all lvms/luks partitions in string<->array conversion

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 17, 2024
    121991d
  2. WiP: Suggest all lvms/luks partitions in string<->array conversion

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 17, 2024
    4759e73

Commits on Jan 18, 2024

  1. WiP: Suggest all lvms/luks partitions in string<->array conversion

    Move function on top of file, first pass to replace strings with array and deal with arrays only.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    0b66030
  2. initrd/bin/kexec-seal-key: Fix check for number of LUKS keyslots used for both LUKSv1 and LUKSv2
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    eb5254d
  3. initrd/bin/kexec-seal-key: fix unary comparison

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    25ed0c2
  4. initrd/bin/kexec-save-default: Precise reason to reseal a TPM DUK key+passphrase, justifying choosing N in most cases.
    
    Display key_devices for confirmation as well.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    4b6f37f
  5. initrd/bin/kexec-save-default: remove sort to store luks devices in suggested_devices.
    
    Otherwise presented order is /dev/sdb1 /dev/sda2
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    37a250d
  6. initrd/bin/kexec-unseal-key: make TPM Disk Unlock Key actually retry (pipefail prevented retries) + cleanup.
    
    Apply workaround stating that capslock might be on, TPM might be in locked state: poweroff/poweron to retry cleanly.
    Output pcrs only in debug mode, otherwise disclosing unauthenticated final PCRs values to possible attacker. Should be available from authenticated Recovery console and from Debug only.
    Unify LUKS/TPM Disk Unlock Key output to end user for clarity
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 18, 2024
    df27306
  7. 30e52ef

Commits on Jan 19, 2024

  1. initrd/bin/kexec-save-default: remove mount-usb --mode rw and dmesg.txt output to usb thumb drive
    
    Really handy btw. Would be nice to add that into sysrq magic to output to usb thumb drive and have ctrl-alt-delete output dmesg to external storage when in debug mode. Would work also for headless debug when porting
    
    TODO: squash all related commits together.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jan 19, 2024
    e33af25