Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes #1482

Commits on Aug 30, 2023

  1. TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP)

    Changes:
    - As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
    - Now, when either is done and a previous TPM Disk Unlock Key was set up, the user is guided into:
      - Regenerating checksums and signing them
      - Regenerating TPM Disk Unlock Key and resealing TPM Disk Unlock Key with passphrase into TPM
      - LUKS header being modified, user is asked to resign kexec.sig one last time prior to being able to default boot
    - When no previous Disk Unlock Key was set up, the user is guided into:
      - The above, plus
        - Detection of LUKS containers, suggesting only relevant partitions

    - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
      - Were missing under TPM Disk Unlock Key setup codepaths

    - Fixes for linuxboot#645: We now check if only one slot exists and we do not use it if it's slot 1.
      - Also shows in DEBUG traces now

    Unrelated staged changes
    - ash_functions: warn and die now contain proper spacing and eye attraction
    - all warn and die calls modified if containing warnings and too much punctuation
    - unify usage of term TPM Disk Unlock Key and Disk Recovery Key
    tlaurion committed Aug 30, 2023
    Commit 4910c11
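The keyslot check mentioned for linuxboot#645 in the commit above, as an added example that is not part of Heads or of this PR: parse `cryptsetup luksDump` output (LUKS1 and LUKS2 layouts) to list the populated keyslots, then refuse to take a slot for the Disk Unlock Key when it is the only populated one, since killing it before `luksAddKey` would leave the container with no passphrase at all. `enabled_keyslots`, `choose_duk_slot`, the preferred-slot default of 1 and both dump texts are assumptions or constructed samples, not taken from the project.

```python
"""List populated LUKS keyslots from `cryptsetup luksDump` text and pick a
slot for a TPM Disk Unlock Key (DUK) without overwriting the only existing key.
Added illustration, not Heads' own code; the two dump texts are constructed
samples shaped like real LUKS1/LUKS2 luksDump output."""
import re

# Constructed sample: LUKS1 header whose only passphrase sits in slot 1, not slot 0.
LUKS1_DUMP = """LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: DISABLED
Key Slot 1: ENABLED
    Iterations:             1234567
    Salt:                   ab cd ef
Key Slot 2: DISABLED
Key Slot 3: DISABLED
"""

# Constructed sample: LUKS2 header with two populated slots.
LUKS2_DUMP = """LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
  1: luks2
    Key:        512 bits
    Priority:   normal
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
"""


def enabled_keyslots(dump):
    """Return the sorted list of populated slot numbers for LUKS1 or LUKS2 luksDump text."""
    version = re.search(r"^Version:\s*(\d+)", dump, re.M)
    if version is None:
        raise ValueError("not luksDump output: no Version line")
    if version.group(1) == "1":
        # LUKS1 prints one 'Key Slot N: ENABLED|DISABLED' line per slot.
        return sorted(int(m) for m in re.findall(r"^Key Slot (\d+): ENABLED", dump, re.M))
    # LUKS2 lists populated slots under 'Keyslots:', indented two spaces, until the
    # next unindented heading (Tokens:/Digests:). 'Digests:' numbers its entries the
    # same way, so the section boundary matters.
    m = re.search(r"^Keyslots:\n(.*?)(?=^\S)", dump, re.M | re.S)
    section = m.group(1) if m else ""
    return sorted(int(n) for n in re.findall(r"^  (\d+): ", section, re.M))


def choose_duk_slot(enabled, preferred=1, max_slots=8):
    """Pick the slot to hold the DUK. If `preferred` is the ONLY populated slot it holds
    the user's passphrase, so killing it before luksAddKey would lock the disk for good;
    fall back to the lowest free slot instead. `max_slots` is 8 for LUKS1, 32 for LUKS2."""
    if enabled == [preferred]:
        free = [s for s in range(max_slots) if s not in enabled]
        if not free:
            raise ValueError("no free keyslot available")
        return free[0]
    return preferred


if __name__ == "__main__":
    for dump in (LUKS1_DUMP, LUKS2_DUMP):
        slots = enabled_keyslots(dump)
        print("populated slots:", slots, "-> DUK slot:", choose_duk_slot(slots))
```

Only the single-slot case from the commit message is handled; when several slots are populated the function returns the preferred slot unchanged, and whether that slot may be killed and re-added is still the caller's decision.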
  2. TPM DISK Unlock Key : add cryptroot/crypttab to fix linuxboot#1474

    Tested working on both TPM1/TPM2 under debian bookworm, standard encrypted TLVM setup
    tlaurion committed Aug 30, 2023
    Commit 67c865d

Commits on Aug 31, 2023

  1. modules/zstd: now included by default. Deactivated under legacy-flash boards

    Rationale:
    cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
    unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to passing firmware blobs to final OS under boards/librem_mini_v2

    Debian OSes (and probably others) need to have cryptroot/crypttab overridden directly, otherwise generic generation of crypttab is not enough.
    Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go, otherwise hacking on top of hacks.

    This brings default packed modules under Heads to 5 modules, which need to be deactivated in board configs if undesired:
    user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
    modules/zlib:1:CONFIG_ZLIB ?= y
    modules/zstd:3:CONFIG_ZSTD ?= y
    modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
    modules/busybox:2:CONFIG_BUSYBOX ?= y
    modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
    tlaurion committed Aug 31, 2023
    Commit 03d8f93
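The multi-segment initrd problem described in the rationale above (`cpio -t` stopping at the early microcode cpio), as an added example that is neither Heads' unpack_initramfs.sh nor any code from this PR: walk the uncompressed newc segments the way the kernel's initramfs unpacker does, skip the NUL padding between segments, identify the compression of the main segment by its magic bytes, and read a file such as etc/crypttab back out of it. `newc_archive`, `walk_newc`, `split_initrd`, `extract_main`, `build_demo_initrd` and the sample crypttab line are assumptions constructed for the demo; only gzip is unpacked here because Python's standard library has no zstd decoder.

```python
"""Walk a multi-segment initrd: one or more uncompressed early newc cpio
archives (CPU microcode) followed by a compressed newc archive with the real
initramfs. `cpio -t` lists only the first archive and stops at its TRAILER!!!.
Added illustration, not Heads' unpack_initramfs.sh; newc_archive() builds
constructed sample archives so this runs offline."""
import gzip

# Constructed sample: the crypttab line we want to read back out of the main segment.
CRYPTTAB = b"cryptroot UUID=11111111-2222-3333-4444-555555555555 /secret.key luks\n"

# Magic bytes the kernel recognises at the start of a compressed initramfs segment.
COMPRESSION_MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\x28\xb5\x2f\xfd", "zstd"),   # needs an external zstd decoder (cf. modules/zstd)
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x04\x22\x4d\x18", "lz4"),
    (b"BZh", "bzip2"),
]


def _align4(n):
    return (n + 3) & ~3


def newc_archive(files):
    """Build a newc ('070701') cpio archive from {name: bytes}, terminated by TRAILER!!!."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        name_nul = name.encode() + b"\0"
        mode = 0 if name == "TRAILER!!!" else 0o100644
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize (incl. NUL), check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_nul), 0]
        out += b"070701" + "".join("%08x" % v for v in fields).encode() + name_nul
        out += b"\0" * (_align4(len(out)) - len(out))   # header+name padded to 4 bytes
        out += data
        out += b"\0" * (_align4(len(out)) - len(out))   # file data padded to 4 bytes
    return bytes(out)


def walk_newc(blob, off=0):
    """Parse one newc archive starting at `off`; return (entries, offset past TRAILER!!!)."""
    entries = []
    while True:
        if blob[off:off + 6] != b"070701":
            raise ValueError("no newc header at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        data_off = _align4(off + 110 + namesize)
        off = _align4(data_off + filesize)
        if name == "TRAILER!!!":
            return entries, off
        entries.append((name, blob[data_off:data_off + filesize]))


def split_initrd(blob):
    """Skip every leading uncompressed newc segment plus the NUL padding between
    segments (what the kernel does, and what `cpio -t` does not). Returns
    (early_segments, offset_of_main_segment, compression_name_or_None)."""
    off, early = 0, []
    while blob.startswith(b"070701", off):
        entries, off = walk_newc(blob, off)
        early.append(entries)
        while off < len(blob) and blob[off] == 0:
            off += 1
    if off >= len(blob):
        return early, off, None
    for magic, name in COMPRESSION_MAGIC:
        if blob.startswith(magic, off):
            return early, off, name
    return early, off, "unknown"


def extract_main(blob):
    """Entries of the compressed main archive (gzip only: stdlib has no zstd decoder)."""
    _, off, comp = split_initrd(blob)
    if comp != "gzip":
        raise NotImplementedError("this demo unpacks gzip only, found %r" % comp)
    entries, _ = walk_newc(gzip.decompress(blob[off:]))
    return entries


def build_demo_initrd():
    """Constructed sample: early microcode cpio, then the gzip'ed main initramfs."""
    early = newc_archive({"kernel/x86/microcode/GenuineIntel.bin": b"\x00" * 64})
    main = newc_archive({"etc/crypttab": CRYPTTAB, "secret.key": b"\x00" * 8})
    return early + gzip.compress(main)


if __name__ == "__main__":
    initrd = build_demo_initrd()
    early, off, comp = split_initrd(initrd)
    print("early segments:", [[n for n, _ in seg] for seg in early], "main at", off, comp)
    print({n: d for n, d in extract_main(initrd)})
```

Alignment is computed relative to the start of the whole blob, as the kernel does, which is why every archive ends on a 4-byte boundary and the next segment's magic can be checked directly at the returned offset. For a zstd-packed main segment `split_initrd` still reports the correct offset and name; only the decompression step needs an external decoder.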
  2. WiP: Staging commit to facilitate review, will squash into previous commits once confirmed good

    tlaurion committed Aug 31, 2023
    Commit 64ad01f

Commits on Sep 1, 2023

  1. Commit 4a7e23b
  2. TPM Disk Unlock Key setup: use unpack_initrd.sh, replace none with /secret.key. Still no joy

    tlaurion committed Sep 1, 2023
    Commit a2a3002
  3. Commit 0ba10e5

Commits on Sep 2, 2023

  1. Commit e9dbce2
  2. WiP TPM DUK cleanup

    tlaurion committed Sep 2, 2023
    Commit 52947e2
  3. Commit 51b1ad3
  4. Commit 8b0fc0f
  5. Commit e291797
  6. kexec-save-default: Fix multiple LUKS/LVM+LUKS suggestion + other working uniformization for DUK

    tlaurion committed Sep 2, 2023
    Commit 47eba7d