oem-factory-reset: fix bug where it was impossible to just change LUKS passphrase without reencrypting encrypted container.

Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.

This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change and passphrase change alone) now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
Thierry Laurion 2022-05-03 16:14:51 -04:00
parent 46d64e9f16
commit 37bb4906ce
GPG Key ID: E7B4A71658E36A93

@ -385,6 +385,7 @@ echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ];then
test_luks_current_disk_recovery_key_passphrase
luks_new_Disk_Recovery_Key_desired=1
echo -e "\n"
fi
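Review bot: luks_new_Disk_Recovery_Key_desired is only ever assigned inside this y/Y branch, while the later dispatch tests it with -n and -z, so the "no" path depends on the variable being unset or empty when the script starts. Please initialise it explicitly to an empty value next to the script's other defaults, so a value inherited from the environment or left over from sourced functions cannot select a reencryption branch. The commit message says the flag is set when reencryption is desired, but the name reads as "a new Disk Recovery Key is desired"; a short comment at the assignment stating that it gates luks_reencrypt would help, as would checking that test_luks_current_disk_recovery_key_passphrase succeeded before setting it, if that function can return without a validated passphrase.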
@ -565,14 +566,14 @@ if [[ "$SKIP_BOOT" == "n" ]]; then
fi
if [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested
luks_reencrypt
luks_change_passphrase
elif [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk was requested but not passphrase change
luks_reencrypt
elif [ -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Passphrase change is requested without disk reencryption
luks_change_passphrase
fi
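Review bot: the two branches that call luks_change_passphrase now test only luks_new_Disk_Recovery_Key_passphrase_desired, whereas the conditions shown beside them also required -n "$luks_new_Disk_Recovery_Key_passphrase". Please confirm that luks_change_passphrase prompts for or rejects an empty new passphrase on its own; if it does not, keep that non-empty check in the first and third branches so an empty value cannot be set as the new Disk Recovery Key passphrase. In the first branch, luks_change_passphrase also runs regardless of how luks_reencrypt exited; chaining them as "luks_reencrypt && luks_change_passphrase", or checking the return status, would avoid changing the passphrase after a failed reencryption. As a style point, the surrounding code already uses [[ ]] (see "$SKIP_BOOT" in the hunk header), so [[ -n "$a" && -z "$b" ]] would be preferable to the -a form inside single brackets.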