New EncryptionMethod using fde-tools for TPM-based unlocking

[ancorgs]

Problem

Both ALP and openSUSE Tumbleweed include a package called fde-tools that allow to setup encrypted devices (using LUKS2) to be automatically unlocked during boot without user intervention based on information stored and validated in the TPM of the system.

The process has its limitations but it certainly works as proven by the preliminary (and rather hacky) support present at Agama. So it's time to move that support from Agama to the core of YaST.

Some more-or-less related links

• [TW] Use LUKS2 and offer TPM-auth in installer yast-installation#1088
• https://trello.com/c/5x8G7xj8/89-d-installer-better-support-for-tpm-unlocking-of-fde
• https://jira.suse.com/browse/PM-2766
• https://jira.suse.com/browse/PM-2395
• https://bugzilla.suse.com/show_bug.cgi?id=1210512

Solution

This introduces a new encryption method (TPM_FDE) in yast2-storage-ng. Thus, TPM unlocking based on fde-tools can be configured by both AutoYaST and Agama.

For more information about the process, check the fde-tools documentation.

If the system meets all the technical requirements to use the new method, it will be used by Agama. In that regard, check below the associated pull request.

Even if the mentioned technical requirements are met, the new method will still not be available in YaST. There are several reasons for that:

• Lack of support in the inst-sys. It cannot check whether the TPM works.
• No specific form in the Expert Partitioner
• We need to ensure all affected devices share the recovery password.
• During installation, the UI and the AutoYaST documentation need to properly explain the need to boot from the target device after installation (no DVD → boot from hard disk) and check any possible interaction with the second stage.
• When creating new devices with that encryption method in an already installed system: it’s not 100% clear how the feature should work.

Associated pull requests

openSUSE/agama#826

Testing

Unit tests included.

Tested manually in Agama with fde-tools 0.7.1 in several situations:

• With a single partition
• With separate / and /var partitions
• With an LVM extending over several disks

Review

Pull request structured in several meaningful commit for easier review.

[coveralls]

coverage: 97.782% (+0.02%) from 97.767% when pulling dea440c on ancorgs:tpm_master into 70f4fa7 on yast:master.

[joseivanlopez]

NP: why not to directly call it #tpm_present?

[ancorgs]

No strong reason. I just wanted to have the method names equivalent to the fdectl commands (obviously turning hyphens into underscores). Since the fdectl subcommands are tpm-present, add-secondary-password and add-secondary-key...

[joseivanlopez]

I left some comments, but I haven't finished with the review yet :)

[joseivanlopez]

NP: maybe this could be moved to the base class.

[joseivanlopez]

Just for the records: failing tests on leap is expected. Changes in this PR require a new version of libstorage-ng which is not submitted to leap (only to Tumbleweed).

In general, running unit tests on leap for the master branch is useless. Note that SLE-15-SPX branches have already diverged.

[joseivanlopez]

LGTM

[imobachgs]

The changelog looks good (the rest was already reviewed).

[yast-bot]

❌ Internal Jenkins job #1142 failed

[yast-bot]

✔️ Internal Jenkins job #1143 successfully finished
✔️ Created OBS submit request #1122814