Merge pull request #1162 from tlaurion/oem-factory-reset_passwd_change-without_reencryption-fix

bugfix: oem-factory-reset - permit LUKS passphrase change without reencryption
2025-01-30 08:03:55 +00:00 · 2022-05-03 21:07:26 -04:00 · 2022-05-03 21:07:26 -04:00 · 79486b5dc8
commit 79486b5dc8
parent 46d64e9f16 dd0e4b0a8d
2 changed files with 7 additions and 4 deletions
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@ -385,6 +385,7 @@ echo
 if [ "$prompt_output" == "y" \
  -o "$prompt_output" == "Y" ];then
  test_luks_current_disk_recovery_key_passphrase
+  luks_new_Disk_Recovery_Key_desired=1
  echo -e "\n"
 fi

@ -565,14 +566,14 @@ if [[ "$SKIP_BOOT" == "n" ]]; then
 fi


-if [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
  #Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested
  luks_reencrypt
  luks_change_passphrase
-elif [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
  #Reencryption of disk was requested but not passphrase change
  luks_reencrypt
-elif [ -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
  #Passphrase change is requested without disk reencryption
  luks_change_passphrase
 fi
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@ -40,10 +40,11 @@ test_luks_current_disk_recovery_key_passphrase()
 			echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
 			read -r luks_current_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
+			warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 			cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		else
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Testing opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+			warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 			cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		fi
 		#Validate past cryptsetup-reencrypt attempts
@ -81,6 +82,7 @@ while : ; do
 		echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
 		read -r luks_current_Disk_Recovery_Key_passphrase
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
+		warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 		cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 	else
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase