initrd/bin/kexec-seal-key initrd/etc/luks-functions: last fixups

- fi misplaced
- rework reencryption loop
- added verbose output on TPM DUK key addition when LUKS container can be unlocked with DRK

Current state, left todo for future work:

TPM DUK:
- TPM DUK setup on defautl boot reuses /boot/kexec_key_devices.txt if present
- If not, list all LUKS partitions, asks user for selection and makes sure LUKS passphrase can unlock all
- Works on both LUKSv1 and LUKSv2 containers, reusing OS installer settings (Heads doesn't enforce better then OS installer LUKS parameters)

LUKS passphrase change/LUKS reencryption:
- Reuses /boot/kexec_key_devices.txt if existing
- If not, prompts for LUKS passphase, list all LUKS containers not being USB based and attempt to unlock all those, listing only the ones successfully unlocked
- Prompts user to reuse found unlockable LUKS partitions with LUKS passphrase, caches and reuse in other LUKS operations (passphrase change as well from oem factory reset/re-ownership)
- Deals properly with LUKSv1/LUKSv2/multiple LUKS containers and reencrypt/passphrase changes them all if accepted, otherwise asks user to select individual LUKS container

Tested on luksv1,luksv2, btrfs under luks (2x containers) and TPM DUK setup up to booting OS. All good

TODO:
- LUKS passphrase check is done multiple times across TPM DUK, reencryption and luks passphrase. Could refactor to change this, but since this op is done only one reencrypt+passphrase change) upon hardare reception from OEM, I stopped caring here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

initrd/bin/kexec-seal-key

@@ -78,7 +78,7 @@ for dev in $key_devices	; do
 
 		DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots"
 		if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then
-			DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase"
+			echo "++++++ $dev: LUKS device unlocked successfully with the DRK passphrase"
 			luks_drk_passphrase_valid=1
 			break
 		else

initrd/etc/luks-functions

@@ -364,7 +364,6 @@ select_luks_container() {
 	elif [ -z "$LUKS" ]; then
 			main_luks_selection
 	fi
-	fi
 }
 
 # Test LUKS current disk recovery key passphrase
@@ -420,7 +419,6 @@ luks_reencrypt() {
 	TRACE_FUNC
 	DEBUG "luks_containers: ${luks_containers[@]}"
 
-	for luks_container in "${luks_containers[@]}"; do
 	if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 		if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then
 			luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase)
@@ -435,6 +433,7 @@ luks_reencrypt() {
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase
 	fi
 
+	for luks_container in "${luks_containers[@]}"; do
 		DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
 		if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then
 			whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
@@ -449,8 +448,7 @@ luks_reencrypt() {
 			continue
 		fi
 
-		DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key"
-		for luks_container in "${luks_containers[@]}"; do
+		DEBUG "Test opening ${luks_container} successful. Now testing key slots to determine which holds master key"
 		DRK_KEYSLOT=-1
 		DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
 		for i in $(seq 0 31); do
@@ -477,11 +475,6 @@ luks_reencrypt() {
 			continue
 		fi
 
-			# Now reencrypt the LUKS container with the same key slot
-			# Warn and launch actual reencryption
-			echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..."
-			warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
-			
 		# --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+
 		# bypassing dm-crypt queues.
 		# Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518
@@ -489,6 +482,9 @@ luks_reencrypt() {
 		# --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device)
 		# --disable-locks disables the lock feature of cryptsetup, which is enabled by default
 
+		echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+		warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
+
 		if ! DO_WITH_DEBUG cryptsetup reencrypt \
 			--perf-no_read_workqueue --perf-no_write_workqueue \
 			--resilience=none --force-offline-reencrypt --disable-locks \
@@ -497,9 +493,6 @@ luks_reencrypt() {
 			whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
 				"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
 			TRACE_FUNC
-
-				#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
-				#maybe the container was not the right one
 			detect_boot_device
 			mount -o remount,rw /boot
 			rm -f /boot/kexec_key_devices.txt
@@ -507,13 +500,10 @@ luks_reencrypt() {
 			luks_secrets_cleanup
 			unset LUKS
 		else
-				#Reencryption was successful. Cleanup should be called only when done
-				#Exporting successfully used passphrase possibly reused by oem-factory-reset
 			export luks_current_Disk_Recovery_Key_passphrase
 			export LUKS
 		fi
 	done
-	done
 }
 
 # Function to change LUKS passphrase