yast / yast-storage-ng

Rewrite of https://github.com/yast/yast-storage
http://yast.github.io/
GNU General Public License v2.0

New EncryptionMethod using fde-tools for TPM-based unlocking #1363

Closed ancorgs closed 8 months ago

ancorgs commented 9 months ago

Problem

Both ALP and openSUSE Tumbleweed include a package called fde-tools that allows setting up encrypted devices (using LUKS2) to be automatically unlocked during boot without user intervention, based on information stored and validated in the TPM of the system.

The process has its limitations, but it certainly works, as proven by the preliminary (and rather hacky) support present in Agama. So it's time to move that support from Agama to the core of YaST.

Some more-or-less related links

Solution

This introduces a new encryption method (TPM_FDE) in yast2-storage-ng. Thus, TPM unlocking based on fde-tools can be configured by both AutoYaST and Agama.

For more information about the process, check the fde-tools documentation.

If the system meets all the technical requirements to use the new method, it will be used by Agama. In that regard, check below the associated pull request.

Even if the mentioned technical requirements are met, the new method will still not be available in YaST. There are several reasons for that:

Associated pull requests

https://github.com/openSUSE/agama/pull/826

Testing

Unit tests included.

Tested manually in Agama with fde-tools 0.7.1 in several situations:

Review

Pull request structured in several meaningful commits for easier review.

coveralls commented 9 months ago

Coverage Status

coverage: 97.782% (+0.02%) from 97.767% when pulling dea440c8c861d46f7d8f0034a5c723b8eafab4c4 on ancorgs:tpm_master into 70f4fa76b9169feacddc0ee67412cd86034d82f1 on yast:master.

joseivanlopez commented 8 months ago

Just for the record: failing tests on Leap are expected. Changes in this PR require a new version of libstorage-ng which is not submitted to Leap (only to Tumbleweed).

In general, running unit tests on Leap for the master branch is useless. Note that the SLE-15-SPX branches have already diverged.

yast-bot commented 8 months ago

Internal Jenkins job #1142 failed

yast-bot commented 8 months ago

Internal Jenkins job #1143 successfully finished. Created OBS submit request #1122814