luks-functions: fix luks_change_passphrase which was only occuring on first LUKS volume, not all
Remove unneeded loop under luks_reencrypt Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
parent
03746e3e11
commit
1c8c45c689
@ -381,7 +381,7 @@ test_luks_current_disk_recovery_key_passphrase()
|
|||||||
# We export the LUKS volume(s) that was/were validated via passphrase test
|
# We export the LUKS volume(s) that was/were validated via passphrase test
|
||||||
export LUKS
|
export LUKS
|
||||||
TRACE_FUNC
|
TRACE_FUNC
|
||||||
DEBUG "$LUKS exported to be reused"
|
DEBUG "LUKS container(s) $PRINTABLE_LUKS exported to be reused"
|
||||||
break;
|
break;
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -394,11 +394,12 @@ luks_reencrypt() {
|
|||||||
# then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase
|
# then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase
|
||||||
select_luks_container || return 1
|
select_luks_container || return 1
|
||||||
|
|
||||||
# Count the number of containers to be reencrypted
|
# Split the $LUKS variable into an array of LUKS containers
|
||||||
num_containers=$(echo "$LUKS" | wc -w)
|
luks_containers=($LUKS)
|
||||||
reencrypted_containers=0
|
TRACE_FUNC
|
||||||
|
DEBUG "luks_containers: ${luks_containers[@]}"
|
||||||
|
|
||||||
while [ $reencrypted_containers -lt $num_containers ]; do
|
for luks_container in "${luks_containers[@]}"; do
|
||||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
||||||
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
|
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
|
||||||
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
|
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
|
||||||
@ -411,13 +412,7 @@ luks_reencrypt() {
|
|||||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Split the $LUKS variable into an array of LUKS containers
|
|
||||||
luks_containers=($LUKS)
|
|
||||||
TRACE_FUNC
|
|
||||||
DEBUG "luks_containers: $luks_containers"
|
|
||||||
|
|
||||||
# Loop through each LUKS container
|
|
||||||
for luks_container in "${luks_containers[@]}"; do
|
|
||||||
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||||
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
|
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
|
||||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||||
@ -433,7 +428,6 @@ luks_reencrypt() {
|
|||||||
unset LUKS
|
unset LUKS
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
done
|
|
||||||
|
|
||||||
DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key"
|
DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key"
|
||||||
for luks_container in "${luks_containers[@]}"; do
|
for luks_container in "${luks_containers[@]}"; do
|
||||||
@ -500,43 +494,36 @@ luks_reencrypt() {
|
|||||||
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||||
export luks_current_Disk_Recovery_Key_passphrase
|
export luks_current_Disk_Recovery_Key_passphrase
|
||||||
export LUKS
|
export LUKS
|
||||||
|
|
||||||
# Increment the count of reencrypted containers
|
|
||||||
reencrypted_containers=$((reencrypted_containers + 1))
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
luks_change_passphrase() {
|
luks_change_passphrase()
|
||||||
|
{
|
||||||
TRACE_FUNC
|
TRACE_FUNC
|
||||||
|
|
||||||
select_luks_container || return 1
|
select_luks_container || return 1
|
||||||
|
|
||||||
# Count the number of containers to be processed
|
|
||||||
num_containers=$(echo "$LUKS" | wc -w)
|
|
||||||
changed_containers=0
|
|
||||||
|
|
||||||
# Split the $LUKS variable into an array of LUKS containers
|
# Split the $LUKS variable into an array of LUKS containers
|
||||||
IFS=' ' read -ra luks_containers <<< "$LUKS"
|
luks_containers=($LUKS)
|
||||||
|
TRACE_FUNC
|
||||||
|
DEBUG "luks_containers: ${luks_containers[@]}"
|
||||||
|
|
||||||
|
# Loop through each LUKS container
|
||||||
for luks_container in "${luks_containers[@]}"; do
|
for luks_container in "${luks_containers[@]}"; do
|
||||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||||
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
|
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
|
||||||
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
|
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
|
||||||
|
|
||||||
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
|
||||||
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
|
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
|
||||||
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
||||||
read -r luks_new_Disk_Recovery_Key_passphrase
|
read -r luks_new_Disk_Recovery_Key_passphrase
|
||||||
done
|
done
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
|
||||||
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
|
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
|
||||||
read -r luks_current_Disk_Recovery_Key_passphrase
|
read -r luks_current_Disk_Recovery_Key_passphrase
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
|
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||||
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
|
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||||
@ -563,16 +550,13 @@ luks_change_passphrase() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Success changing passphrase for $luks_container."
|
echo "Success changing passphrase for $luks_container."
|
||||||
changed_containers=$((changed_containers + 1))
|
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ $changed_containers -eq $num_containers ]; then
|
# Export the new passphrase if all containers were processed successfully
|
||||||
# All containers processed successfully
|
|
||||||
luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
|
luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
|
||||||
export luks_current_Disk_Recovery_Key_passphrase
|
export luks_current_Disk_Recovery_Key_passphrase
|
||||||
export luks_new_Disk_Recovery_Key_passphrase
|
export luks_new_Disk_Recovery_Key_passphrase
|
||||||
export LUKS
|
export LUKS
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
luks_secrets_cleanup()
|
luks_secrets_cleanup()
|
||||||
|
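Review bot: In the hunk at `-433,7 +428,6` the inner `done` is removed but the second `for luks_container in "${luks_containers[@]}"; do` that follows the `DEBUG "Test opening ${luks_containers[@]} successful..."` line is kept, so the reencryption loop is now nested inside the passphrase-test loop: after one container passes `cryptsetup open --test-passphrase`, the inner loop reencrypts every container, and it does so again on each outer iteration, while the "Test opening … successful" message is printed before the remaining containers have been tested. If the intent is one pass per container under the new outer `for`, drop the inner `for luks_container in "${luks_containers[@]}"; do` and its matching `done` (the one just before the outer `done`) so the key-slot check and reencrypt run for the current `luks_container` only; the loop body between the hunks is not visible, so if it already breaks out of the inner loop this does not apply. Both loops reusing the same variable `luks_container` is what makes the nesting hard to see, so a distinct name in whichever loop survives would help. In luks_change_passphrase, removing the inner `if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]` guard means `read -r luks_current_Disk_Recovery_Key_passphrase` now overwrites a value a caller already provided whenever only the new passphrase is missing; keeping that guard restores the previous behaviour. The switch from `IFS=' ' read -ra luks_containers <<< "$LUKS"` to `luks_containers=($LUKS)` also subjects each device path to glob expansion, which the old form avoided.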