Merge pull request #1162 from tlaurion/oem-factory-reset_passwd_change-without_reencryption-fix

bugfix: oem-factory-reset - permit LUKS passphrase change without reencryption

initrd/bin/oem-factory-reset

@@ -385,6 +385,7 @@ echo
 if [ "$prompt_output" == "y" \
   -o "$prompt_output" == "Y" ];then
   test_luks_current_disk_recovery_key_passphrase
+  luks_new_Disk_Recovery_Key_desired=1
   echo -e "\n"
 fi
 
@@ -565,14 +566,14 @@ if [[ "$SKIP_BOOT" == "n" ]]; then
 fi
 
 
-if [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
   #Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested
   luks_reencrypt
   luks_change_passphrase
-elif [ -n "$luks_current_Disk_Recovery_Key_passphrase" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
   #Reencryption of disk was requested but not passphrase change
   luks_reencrypt
-elif [ -n "$luks_new_Disk_Recovery_Key_passphrase" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
+elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
   #Passphrase change is requested without disk reencryption
   luks_change_passphrase
 fi

initrd/etc/luks-functions

@@ -40,10 +40,11 @@ test_luks_current_disk_recovery_key_passphrase()
 			echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
 			read -r luks_current_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
+			warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 			cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		else
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Testing opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+			warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 			cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		fi
 		#Validate past cryptsetup-reencrypt attempts
@@ -81,6 +82,7 @@ while : ; do
 		echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
 		read -r luks_current_Disk_Recovery_Key_passphrase
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
+		warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
 		cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 	else
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase