From 6db03b0bdd4263127694652a2584429656f9bf9f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 19 Jan 2024 12:32:04 -0500 Subject: [PATCH] Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold. ''' echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s ''' Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width: ''' This will replace the encrypted container content and its LUKS Disk Recovery Key. The passphrase associated with this key will be asked from the user under the following conditions: 1-Every boot if no Disk Unlock Key was added to the TPM 2-If the TPM fails (hardware failure) 3-If the firmware has been tampered with/modified by the user This process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present. At the next prompt, you may be asked to select which file corresponds to the LUKS device container. Hit Enter to continue. ''' Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly. Signed-off-by: Thierry Laurion --- FAQ.md | 2 +- initrd/bin/kexec-insert-key | 2 +- initrd/bin/kexec-save-default | 12 +++++------ initrd/bin/kexec-save-key | 2 +- initrd/bin/kexec-seal-key | 28 ++++++++++++------------- initrd/bin/oem-factory-reset | 12 +++++------ initrd/etc/functions | 10 ++++----- initrd/etc/luks-functions | 39 ++++++++++++++++++----------------- modules/zstd | 2 +- 9 files changed, 55 insertions(+), 54 deletions(-) diff --git a/FAQ.md b/FAQ.md index 4a175e3b..e3909b1d 100644 --- a/FAQ.md +++ b/FAQ.md @@ -110,7 +110,7 @@ to deceive you and steal your login password? Maybe! It wouldn't get your disk password, which is perhaps an improvement. -Disk key in TPM (TPM Disk Unlock Key) or user passphrase? +Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase? --- Depends on your threat model. With the disk key in the TPM an attacker would need to have the entire machine (or a backdoor in the TPM) diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index 4d0fc930..877e4509 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -59,7 +59,7 @@ if [ "$unseal_failed" = "y" ]; then confirm_boot="n" read \ -n 1 \ - -p "Do you wish to boot and use the disk recovery key? [Y/n] " \ + -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ confirm_boot if [ "$confirm_boot" != 'y' \ diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index e21dd13e..6462ffb3 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default @@ -189,10 +189,10 @@ save_key="n" if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set" - DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES" + DEBUG "Checking if a a LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES" #check if $KEY_DEVICES file exists and is not empty if [ -r "$KEY_DEVICES" ] && [ -s "$KEY_DEVICES" ]; then - DEBUG "TPM Disk Unlock Key was previously set up from $KEY_DEVICES" + DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES" read \ -n 1 \ -p "Do you want to reseal a disk key to the TPM [y/N]: " \ @@ -218,7 +218,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ save_key="y" fi else - DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, confirming to add a Disk Encryption Key to the TPM" + DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM" read \ -n 1 \ -p "Do you wish to add a disk encryption to the TPM [y/N]: " \ @@ -234,7 +234,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ if [ "$save_key" = "y" ]; then if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then - DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices $old_key_devices $old_lvm_volume_group" + DEBUG "Previous LUKS TPM Disk Unlock Key was set up for $old_key_devices $old_lvm_volume_group" read \ -n 1 \ -p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \ @@ -252,7 +252,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ prompt_for_existing_encrypted_lvms_or_disks fi else - DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, setting up new one" + DEBUG "No previous LUKS TPM Disk Unlock Key was set up, setting up" prompt_for_existing_encrypted_lvms_or_disks fi @@ -263,7 +263,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ save_key_params="$save_key_params $key_devices" fi kexec-save-key $save_key_params || - die "Failed to save the TPM Disk Unlock Key" + die "Failed to save the LUKS TPM Disk Unlock Key" fi fi diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key index 87e36195..6ab0668c 100755 --- a/initrd/bin/kexec-save-key +++ b/initrd/bin/kexec-save-key @@ -72,7 +72,7 @@ for dev in $key_devices; do done kexec-seal-key $paramsdir || - die "Failed to save and generate TPM Disk Unlock Key" + die "Failed to save and generate LUKS TPM Disk Unlock Key" if [ "$skip_sign" != "y" ]; then extparam= diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index a76555c2..1d43f3b8 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -47,13 +47,13 @@ DEBUG "$(pcrs)" # LUKS Key slot 0 is the manual recovery pass phrase # that they user entered when they installed OS, # key slot 1 is the one that we've generated. -read -s -p "Enter Disk Recovery Key/passphrase: " disk_password +read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password echo -n "$disk_password" >"$RECOVERY_KEY" echo -read -s -p "New TPM Disk Unlock Key passphrase for booting: " key_password +read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password echo -read -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2 +read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2 echo if [ "$key_password" != "$key_password2" ]; then @@ -61,7 +61,7 @@ if [ "$key_password" != "$key_password2" ]; then fi # Generate key file -echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by TPM Disk Unlock Key passphrase" +echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase" dd \ if=/dev/urandom \ of="$KEY_FILE" \ @@ -100,29 +100,29 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do # Check if slot 1 is the only one existing if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key" - warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store Disk Recovery Key/passphrase" + warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase" die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev" fi else DEBUG "Slot 1 is not the only existing slot on $dev LUKS header." - DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase" + DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase" fi done # Remove all the old keys from slot 1 for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do - echo "++++++ $dev: Removing old TPM Disk Unlock Key in LUKS slot 1" + echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1" cryptsetup luksKillSlot \ --key-file "$RECOVERY_KEY" \ $dev 1 || - warn "$dev: removal of TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing" + warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing" - echo "++++++ $dev: Adding TPM Disk Unlock Key to LUKS slot 1" + echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1" cryptsetup luksAddKey \ --key-file "$RECOVERY_KEY" \ --key-slot 1 \ $dev "$KEY_FILE" || - die "$dev: Unable to add TPM Disk Unlock Key to LUKS slot 1" + die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1" done # Now that we have setup the new keys, measure the PCRs @@ -140,23 +140,23 @@ tpmr pcrread -a 3 "$pcrf" # Note that PCR 4 needs to be set with the "normal-boot" path value, read it from event log. tpmr calcfuturepcr 4 >>"$pcrf" if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then - DEBUG "Sealing TPM Disk Unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..." + DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5 involvement (additional kernel modules are loaded per board config)..." # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded tpmr pcrread -a 5 "$pcrf" else - DEBUG "Sealing TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)..." + DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)..." #no kernel modules are expected to be measured+loaded tpmr calcfuturepcr 5 >>"$pcrf" fi # Precompute the value for pcr 6 -DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of TPM Disk Unlock Key..." +DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of LUKS TPM Disk Unlock Key..." tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" # We take into consideration user files in cbfs tpmr pcrread -a 7 "$pcrf" DO_WITH_DEBUG --mask-position 7 \ tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ - "$TPM_SIZE" "$key_password" || die "Unable to write TPM Disk Unlock Key to NVRAM" + "$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM" # should be okay if this fails shred -n 10 -z -u "$pcrf" 2>/dev/null || diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 6ddf1c75..656f85f7 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -626,7 +626,7 @@ generate_checksums() { mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot" fi - #Check if previous TPM Disk unlock Key was set + #Check if previous LUKS TPM Disk Unlock Key was set if [ -e /boot/kexec_key_devices.txt ]; then TPM_DISK_ENCRYPTION_KEY_SET=1 fi @@ -657,7 +657,7 @@ generate_checksums() { fi fi - # set default boot option only if no TPM Disk Unlock Key previously set + # set default boot option only if no LUKS TPM Disk Unlock Key previously set if [ -z "$TPM_DISK_ENCRYPTION_KEY_SET" ]; then set_default_boot_option fi @@ -903,7 +903,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo -e "\n" fi - echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new Disk Recovery key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: " + echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new LUKS Disk Recovery Key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: " read -n 1 prompt_output echo if [ "$prompt_output" == "y" \ @@ -1022,13 +1022,13 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then # We catch here if changing LUKS Disk Recovery Key passphrase was desired # but yet undone. This is if not being covered by the single password - echo -e "\nEnter desired replacement for current Disk Recovery Key passphrase (At least 8 characters long):" + echo -e "\nEnter desired replacement for current LUKS Disk Recovery Key passphrase (At least 8 characters long):" while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do { read -r luks_new_Disk_Recovery_Key_passphrase } done - #We test that current Disk Recovery Key passphrase is known prior of going further + #We test that current LUKS Disk Recovery Key passphrase is known prior of going further test_luks_current_disk_recovery_key_passphrase echo -e "\n" fi @@ -1147,7 +1147,7 @@ if [[ "$SKIP_BOOT" == "n" ]]; then fi if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then - #Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested + #Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested luks_change_passphrase luks_reencrypt elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then diff --git a/initrd/etc/functions b/initrd/etc/functions index 7e6a6351..637beef0 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -82,12 +82,12 @@ confirm_totp() { reseal_tpm_disk_decryption_key() { TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key" - #For robustness, exit early if TPM Disk Unlock Key is prohibited in board configs + #For robustness, exit early if LUKS TPM Disk Unlock Key is prohibited in board configs if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then - DEBUG "TPM Disk Unlock Key is prohibited in board configs" + DEBUG "LUKS TPM Disk Unlock Key is prohibited in board configs" return else - DEBUG "TPM Disk Unlock Key is allowed in board configs. Continuing" + DEBUG "LUKS TPM Disk Unlock Key is allowed in board configs. Continuing" fi if ! grep -q /boot /proc/mounts; then @@ -96,8 +96,8 @@ reseal_tpm_disk_decryption_key() { fi if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then - warn "TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret" - echo "Resealing TPM LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase" + warn "LUKS TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret" + echo "Resealing LUKS TPM Disk Unlock Key to be unsealed by LUKS TPM Disk Unlock Key passphrase" while ! kexec-seal-key /boot; do warn "Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again" done diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index e962be01..8f8e5ad7 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -299,15 +299,15 @@ test_luks_current_disk_recovery_key_passphrase() while :; do select_luks_container || return 1 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - #if no external provisioning provides current Disk Recovery Key passphrase - echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + #if no external provisioning provides current LUKS Disk Recovery Key passphrase + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..." + warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..." + warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup-reencrypt attempts @@ -315,7 +315,7 @@ test_luks_current_disk_recovery_key_passphrase() whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round + #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round unset luks_current_Disk_Recovery_Key_passphrase #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. #maybe the container was not the right one @@ -339,22 +339,23 @@ luks_reencrypt() { TRACE "Under /etc/luks-functions:luks_reencrypt()" while :; do select_luks_container || return 1 - #If the user just set a new Disk Recovery Key passphrase + #If the user just set a new LUKS Disk Recovery Key passphrase if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase" fi if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - #if no external provisioning provides current Disk Recovery Key passphrase + #if no external provisioning provides current LUKS Disk Recovery Key passphrase + msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) whiptail --title 'Reencrypt LUKS encrypted container ?' \ - --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under\nthe following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete the TPM Disk Unlock Key slot, if set up, by setting a default\n boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 - echo -e "\nEnter the current Disk Recovery Key passphrase:" + --msgbox "$msg" 0 80 + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" + warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" + warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup-reencrypt attempts @@ -362,7 +363,7 @@ luks_reencrypt() { whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round + #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round unset luks_current_Disk_Recovery_Key_passphrase #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. #maybe the container was not the right one @@ -384,32 +385,32 @@ luks_change_passphrase() TRACE "Under /etc/luks-functions:luks_change_passphrase()" while :; do select_luks_container || return 1 - #if actual or new Disk Recovery Key is not provisioned by oem-provisioning file + #if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ - "Please enter the current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 + "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter your desired replacement for the actual Disk Recovery Key passphrase (At least 8 characters long):" + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do { read -r luks_new_Disk_Recovery_Key_passphrase };done fi if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase fi export luks_current_Disk_Recovery_Key_passphrase export luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..." + warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase else - #If current and new Disk Recovery Key were exported + #If current and new LUKS Disk Recovery Key were exported echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..." + warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase fi diff --git a/modules/zstd b/modules/zstd index cf980812..e1fc3f71 100644 --- a/modules/zstd +++ b/modules/zstd @@ -1,5 +1,5 @@ # ZSTD is always included, unless explicitly turned off -# Needed by initrd/bin/unpack_initramfs.sh under TPM Disk Unlock Key setup +# Needed by initrd/bin/unpack_initramfs.sh under LUKS TPM Disk Unlock Key setup CONFIG_ZSTD ?= y modules-$(CONFIG_ZSTD) += zstd