Closed ancorgs closed 8 months ago
Just for the record: failing tests on Leap are expected. Changes in this PR require a new version of libstorage-ng which is not submitted to Leap (only to Tumbleweed).
In general, running unit tests on Leap for the master branch is useless. Note that SLE-15-SPX branches have already diverged.
:heavy_check_mark: Internal Jenkins job #1143 successfully finished :heavy_check_mark: Created OBS submit request #1122814
Problem
Both ALP and openSUSE Tumbleweed include a package called fde-tools that allows setting up encrypted devices (using LUKS2) to be automatically unlocked during boot without user intervention, based on information stored and validated in the TPM of the system.
The process has its limitations, but it certainly works, as proven by the preliminary (and rather hacky) support present in Agama. So it's time to move that support from Agama to the core of YaST.
Some more-or-less related links
Solution
This introduces a new encryption method (TPM_FDE) in yast2-storage-ng. Thus, TPM unlocking based on fde-tools can be configured by both AutoYaST and Agama.
For more information about the process, check the fde-tools documentation.
If the system meets all the technical requirements to use the new method, it will be used by Agama. In that regard, check below the associated pull request.
Even if the mentioned technical requirements are met, the new method will still not be available in YaST. There are several reasons for that:
Associated pull requests
https://github.com/openSUSE/agama/pull/826
Testing
Unit tests included.
Tested manually in Agama with fde-tools 0.7.1 in several situations:
Review
Pull request structured in several meaningful commits for easier review.