Do not merge (depends on storage-ng) - Supporting LUKS2 encryption by TPM2 device (jsc#PED-10703)

package/yast2-bootloader.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar 14 14:06:16 UTC 2025 - Stefan Schubert <[email protected]>
+
+- Selecting grub2-bls bootloader if a TPM2 device is used for
+  checking encryptions (jsc#PED-10703).
+- 5.0.16
+
 -------------------------------------------------------------------
 Thu Feb 27 08:44:41 UTC 2025 - Stefan Schubert <[email protected]>
 

package/yast2-bootloader.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-bootloader
-Version:        5.0.15
+Version:        5.0.16
 Release:        0
 Summary:        YaST2 - Bootloader Configuration
 License:        GPL-2.0-or-later
@@ -30,8 +30,8 @@ BuildRequires:  yast2 >= 4.5.16
 BuildRequires:  yast2-devtools >= 4.2.2
 # yast/rspec/helpers.rb
 BuildRequires:  yast2-ruby-bindings >= 4.4.7
-# BlkDevice#preferred_name and Filesystems::BlkFilesystem#preferred_name
-BuildRequires:  yast2-storage-ng >= 4.3.36
+# Supporting LUKS2 encryption by TPM2 device
+BuildRequires:  yast2-storage-ng >= 5.0.28
 # lenses needed also for tests
 BuildRequires:  augeas-lenses
 BuildRequires:  rubygem(%rb_default_ruby_abi:cfa_grub2) >= 1.0.1
@@ -47,8 +47,8 @@ Requires:       yast2 >= 4.5.16
 Requires:       yast2-core >= 2.18.7
 Requires:       yast2-packager >= 2.17.24
 Requires:       yast2-pkg-bindings >= 2.17.25
-# Y2Storage::Arch#efibootmgr?
-Requires:       yast2-storage-ng >= 4.4.22
+# Supporting LUKS2 encryption by TPM2 device
+Requires:       yast2-storage-ng >= 5.0.28
 # Support for multiple values in GRUB_TERMINAL
 Requires:       rubygem(%rb_default_ruby_abi:cfa_grub2) >= 1.0.1
 # lenses are needed as cfa_grub2 depends only on augeas bindings, but also

src/lib/bootloader/bls.rb

@@ -2,6 +2,7 @@
 
 require "fileutils"
 require "yast"
+require "y2storage"
 require "bootloader/sysconfig"
 require "bootloader/cpu_mitigations"
 require "cfa/grub2/default"
@@ -22,7 +23,7 @@ def initialize
     end
 
     def self.create_menu_entries
-      Yast::Execute.on_target!(SDBOOTUTIL, "--verbose", "add-all-kernels")
+      Yast::Execute.on_target!(SDBOOTUTIL, "add-all-kernels")
     rescue Cheetah::ExecutionFailed => e
       Yast::Report.Error(
         format(_(
@@ -34,8 +35,7 @@ def self.create_menu_entries
     end
 
     def self.install_bootloader
-      Yast::Execute.on_target!(SDBOOTUTIL, "--verbose",
-        "install")
+      Yast::Execute.on_target!(SDBOOTUTIL, "install")
     rescue Cheetah::ExecutionFailed => e
       Yast::Report.Error(
       format(_(
@@ -75,15 +75,19 @@ def self.menu_timeout
     end
 
     def self.write_default_menu(default)
-      Yast::Execute.on_target!(SDBOOTUTIL, "set-default", default)
-    rescue Cheetah::ExecutionFailed => e
-      Yast::Report.Error(
-      format(_(
-               "Cannot write default boot menu entry:\n" \
-               "Command `%{command}`.\n" \
-               "Error output: %{stderr}"
-             ), command: e.commands.inspect, stderr: e.stderr)
-    )
+      return if default.empty?
+
+      begin
+        Yast::Execute.on_target!(SDBOOTUTIL, "set-default", default)
+      rescue Cheetah::ExecutionFailed => e
+        Yast::Report.Error(
+          format(_(
+                   "Cannot write default boot menu entry:\n" \
+                   "Command `%{command}`.\n" \
+                   "Error output: %{stderr}"
+                 ), command: e.commands.inspect, stderr: e.stderr)
+        )
+      end
     end
 
     def self.default_menu
@@ -99,7 +103,66 @@ def self.default_menu
         )
         output = ""
       end
-      output
+      output.strip
+    end
+
+    # Enabe TPM2, if it is required
+    def self.enable_tpm2
+      return unless Y2Storage::StorageManager.instance.encryption_use_tpm2
+
+      export_password
+      generate_machine_id
+
+      begin
+        Yast::Execute.on_target!("/usr/bin/sdbootutil",
+          "enroll", "--method=tpm2")
+      rescue Cheetah::ExecutionFailed => e
+        Yast::Report.Error(
+          format(_(
+                   "Cannot enroll TPM2 method:\n" \
+                   "Command `%{command}`.\n" \
+                   "Error output: %{stderr}"
+                 ), command: e.commands.inspect, stderr: e.stderr)
+        )
+      end
+    end
+
+    def self.generate_machine_id
+      Yast::SCR.Execute(Yast::Path.new(".target.remove"), "/etc/machine-id")
+      begin
+        Yast::Execute.on_target!("/usr/bin/dbus-uuidgen",
+          "--ensure=/etc/machine-id")
+      rescue Cheetah::ExecutionFailed => e
+        Yast::Report.Error(
+          format(_(
+                   "Cannot Cannot create machine-id:\n" \
+                   "Command `%{command}`.\n" \
+                   "Error output: %{stderr}"
+                 ), command: e.commands.inspect, stderr: e.stderr)
+        )
+      end
+    end
+
+    def self.export_password
+      pwd = Y2Storage::StorageManager.instance.encryption_tpm2_password
+      if pwd.empty?
+        Yast::Report.Error(_("Cannot pass empty password via the keyring."))
+        return
+      end
+
+      begin
+        Yast::Execute.on_target!("keyctl", "padd", "user", "cryptenroll", "@u",
+          stdout: :capture,
+          stdin:  pwd)
+      rescue Cheetah::ExecutionFailed => e
+        Yast::Report.Error(
+          format(_(
+                   "Cannot pass the password via the keyring:\n" \
+                   "Command `%{command}`.\n" \
+                   "Error output: %{stderr}"
+                 ), command: e.commands.inspect, stderr: e.stderr)
+        )
+      end
     end
   end
 end

src/lib/bootloader/bls_sections.rb

@@ -16,27 +16,35 @@ class BlsSections
     # or an empty array
     attr_reader :all
 
-    # @return [String] title of default boot section.
-    attr_reader :default
-
     def initialize
       @all = []
       @default = ""
     end
 
+    # @return [String] title of default boot section.
+    def default
+      return unless @data
+
+      entry = @data.select { |d| d["id"] == @default }
+      if entry.empty?
+        ""
+      else
+        entry.first["title"]
+      end
+    end
+
     # Sets default section internally.
     # @param [String] value of new boot title to boot
     # @note to write it to system use #write later
     def default=(value)
-      log.info "set new default to '#{value.inspect}'"
-
-      # empty value mean no default specified
-      if !all.empty? && !all.include?(value) && !value.empty?
-        log.warn "Invalid value #{value} trying to set as default. Fallback to default"
-        value = ""
+      entry = @data.select { |d| d["title"] == value }
+      if entry.empty?
+        log.warn "Invalid value '#{value}'"
+        @default = ""
+      else
+        @default = entry.first["id"]
+        log.info "set new default to '#{value.inspect}' --> '#{@default}'"
       end
-
-      @default = value
     end
 
     # writes default to system making it persistent

src/lib/bootloader/bootloader_factory.rb

@@ -135,6 +135,10 @@ def proposed_name
           return prefered_bootloader
         end
 
+        if bls_installable? && Y2Storage::StorageManager.instance.encryption_use_tpm2
+          return "grub2-bls" # TPM2 chips should be used by grub2-bls bootloader
+        end
+
         if ["systemd-boot", "grub2-bls"].include?(prefered_bootloader) && bls_installable?
           return prefered_bootloader
         end

src/lib/bootloader/grub2bls.rb

@@ -107,9 +107,11 @@ def proposed?
 
     # writes configuration to target disk
     def write(*)
-      Bls.install_bootloader if Yast::Stage.initial # while new installation only (currently)
-      Bls.create_menu_entries
-      Bls.install_bootloader
+      if Yast::Stage.initial # while new installation only
+        Bls.install_bootloader
+        Bls.create_menu_entries
+        Bls.enable_tpm2
+      end
       @sections.write
       Bls.write_menu_timeout(grub_default.timeout)
 
@@ -155,7 +157,7 @@ def packages
       res = super
       res << ("grub2-" + grub2bls_architecture + "-efi-bls")
       res << "sdbootutil"
-      res << "shim" if secure_boot
+      res << "shim"
       res
     end
 

src/lib/bootloader/systemdboot.rb

@@ -120,7 +120,10 @@ def read
     def write(etc_only: false)
       super
       log.info("Writing settings...")
-      Bls.install_bootloader if Yast::Stage.initial # while new installation only (currently)
+      if Yast::Stage.initial # while new installation only (currently)
+        Bls.install_bootloader
+        Bls.enable_tpm2
+      end
       write_kernel_parameter
       Bls.create_menu_entries
       Bls.write_menu_timeout(menu_timeout)
@@ -179,7 +182,7 @@ def packages
 
       case Yast::Arch.architecture
       when "x86_64"
-        res << "shim" if secure_boot
+        res << "shim"
       else
         log.warn "Unknown architecture #{Yast::Arch.architecture} for systemdboot"
       end

src/modules/BootSupportCheck.rb

@@ -52,6 +52,8 @@ def SystemSupported
         supported = GRUB2EFI() && supported
       when "systemd-boot"
         supported = SYSTEMDBOOT() && supported
+      when "grub2-bls"
+        supported = GRUB2BLS() && supported
       end
 
       log.info "Configuration supported: #{supported}"
@@ -174,26 +176,39 @@ def check_mbr
       false
     end
 
+    def check_tpm2
+      return true unless Y2Storage::StorageManager.instance.encryption_use_tpm2
+
+      add_new_problem(_("This bootloader cannot handle encryption supported by a TPM2 device. "))
+      false
+    end
+
     # GRUB2-related check
     def GRUB2
       ret = []
       ret << check_gpt_reserved_partition if Arch.x86_64
       ret << check_activate_partition if Arch.x86_64 || Arch.ppc64
       ret << check_mbr if Arch.x86_64
+      ret << check_tpm2
 
       ret.all?
     end
 
     # GRUB2EFI-related check
     def GRUB2EFI
-      true
+      check_tpm2
     end
 
     # systemd-boot-related check
     def SYSTEMDBOOT
       true
     end
 
+    # grub2-bls-related check
+    def GRUB2BLS
+      true
+    end
+
     def stage1
       ::Bootloader::BootloaderFactory.current.stage1
     end

test/bls_sections_test.rb

@@ -15,10 +15,10 @@
       .and_return("openSUSE")
     allow(Yast::Execute).to receive(:on_target)
       .with("/usr/bin/bootctl", "--json=short", "list", stdout: :capture)
-      .and_return("[{\"title\" : \"openSUSE Tumbleweed\", \"isDefault\" : true }," \
-                  "{\"title\" : \"Snapper: *openSUSE Tumbleweed 20241107\", \"isDefault\" : false}]")
+      .and_return("[{\"title\" : \"openSUSE Tumbleweed\", \"id\" : \"openSUSE.conf\", \"isDefault\" : true }," \
+                  "{\"title\" : \"Snapper: *openSUSE Tumbleweed 20241107\", \"id\" : \"Snapper.conf\", \"isDefault\" : false}]")
     allow(Bootloader::Bls).to receive(:default_menu)
-      .and_return("openSUSE Tumbleweed")
+      .and_return("openSUSE.conf")
 
     subject.read
   end
@@ -49,7 +49,7 @@
     it "writes default value if set" do
       subject.default = "Snapper: *openSUSE Tumbleweed 20241107"
       expect(Bootloader::Bls).to receive(:write_default_menu)
-        .with(subject.default)
+        .with("Snapper.conf")
 
       subject.write
     end

test/bls_test.rb

@@ -8,15 +8,15 @@
   describe "#create_menu_entries" do
     it "calls sdbootutil add-all-kernels" do
       expect(Yast::Execute).to receive(:on_target!)
-        .with("/usr/bin/sdbootutil", "--verbose", "add-all-kernels")
+        .with("/usr/bin/sdbootutil", "add-all-kernels")
       subject.create_menu_entries
     end
   end
 
   describe "#install_bootloader" do
     it "calls sdbootutil install" do
       expect(Yast::Execute).to receive(:on_target!)
-        .with("/usr/bin/sdbootutil", "--verbose", "install")
+        .with("/usr/bin/sdbootutil", "install")
       subject.install_bootloader
     end
   end
@@ -56,4 +56,26 @@
     end
   end
 
+  describe "#enable_tpm2" do
+    context "TPM2 is used for encryption" do
+      before do
+        allow(Y2Storage::StorageManager.instance).to receive(:encryption_use_tpm2).and_return(true)
+        allow(Y2Storage::StorageManager.instance).to receive(:encryption_tpm2_password).and_return("123456")
+      end
+
+      it "enrolls the TPM2" do
+        expect(Yast::Execute).to receive(:on_target!)
+          .with("keyctl", "padd", "user", "cryptenroll", "@u",
+            stdout: :capture,
+            stdin:  "123456")
+        expect(Yast::Execute).to receive(:on_target!)
+          .with("/usr/bin/sdbootutil", "enroll", "--method=tpm2")
+        expect(Yast::Execute).to receive(:on_target!)
+          .with("/usr/bin/dbus-uuidgen",
+            "--ensure=/etc/machine-id")
+
+        subject.enable_tpm2
+      end
+    end
+  end
 end