Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes #1482
Commits on Aug 30, 2023
TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP)

Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was set up, the user is guided into:
  - Regenerating checksums and signing them
  - Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
  - LUKS header being modified, user is asked to re-sign kexec.sig one last time prior to being able to default boot
- When no previous Disk Unlock Key was set up, the user is guided into:
  - The above, plus
  - Detection of LUKS containers, suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
  - Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for linuxboot#645 : We now check if only one slot exists and we do not use it if it's slot1.
  - Also shows in DEBUG traces now

Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attraction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
Commit 4910c11
TPM DISK Unlock Key : add cryptroot/crypttab to fix linuxboot#1474
Tested working on both TPM1/TPM2 under Debian bookworm, standard encrypted TLVM setup
Commit 67c865d
Commits on Aug 31, 2023
modules/zstd: now included by default. Deactivated under legacy-flash boards

Rationale: cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd. unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2

Debian OSes (and probably others) need to have cryptroot/crypttab overridden directly, otherwise generic generation of crypttab is not enough. Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.

This brings default packed modules under Heads to 5 modules, which need to be deactivated in board configs if undesired:

    user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
    modules/zlib:1:CONFIG_ZLIB ?= y
    modules/zstd:3:CONFIG_ZSTD ?= y
    modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
    modules/busybox:2:CONFIG_BUSYBOX ?= y
    modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
Commit 03d8f93
WiP: Staging commit to facilitate review, will squash into previous commits once confirmed good
Commit 64ad01f
Commits on Sep 1, 2023
Commit 4a7e23b
TPM Disk Unlock Key setup: use unpack_initrd.sh, replace none with /secret.key. Still no joy
Commit a2a3002
Commit 0ba10e5
Commits on Sep 2, 2023
Commit e9dbce2
Commit 52947e2
Commit 51b1ad3
Commit 8b0fc0f
Commit e291797
kexec-save-default: Fix multiple LUKS/LVM+LUKS suggestion + other working uniformization for DUK
Commit 47eba7d