From 34c343715c609e04874a59f118f22b7ead54110f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 17 Aug 2024 12:01:42 -0400 Subject: [PATCH] luks-functions: fix luks_change_passphrase which was only occuring on first LUKS volume, not all Signed-off-by: Thierry Laurion --- initrd/etc/luks-functions | 49 +++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 28 deletions(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 169c335c5..1e26c4ff7 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -381,7 +381,7 @@ test_luks_current_disk_recovery_key_passphrase() # We export the LUKS volume(s) that was/were validated via passphrase test export LUKS TRACE_FUNC - DEBUG "$LUKS exported to be reused" + DEBUG "LUKS container(s) $PRINTABLE_LUKS exported to be reused" break; fi done @@ -414,7 +414,7 @@ luks_reencrypt() { # Split the $LUKS variable into an array of LUKS containers luks_containers=($LUKS) TRACE_FUNC - DEBUG "luks_containers: $luks_containers" + DEBUG "luks_containers: ${luks_containers[@]}" # Loop through each LUKS container for luks_container in "${luks_containers[@]}"; do 
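Review bot: In the luks_reencrypt hunk, `DEBUG "luks_containers: ${luks_containers[@]}"` puts an `[@]` expansion inside a quoted string, so with more than one container DEBUG receives several arguments instead of one message (ShellCheck SC2145). Use `DEBUG "luks_containers: ${luks_containers[*]}"` here and on the identical line added to luks_change_passphrase in the next hunk. How DEBUG treats extra arguments is not visible in this diff, so the current form may happen to log everything, but `[*]` states the intent. luks_reencrypt starts before this hunk and continues past it.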
@@ -508,34 +508,30 @@ luks_reencrypt() { done } -luks_change_passphrase() { +luks_change_passphrase() +{ TRACE_FUNC select_luks_container || return 1 - # Count the number of containers to be processed - num_containers=$(echo "$LUKS" | wc -w) - changed_containers=0 - # Split the $LUKS variable into an array of LUKS containers - IFS=' ' read -ra luks_containers <<< "$LUKS" + luks_containers=($LUKS) + TRACE_FUNC + DEBUG "luks_containers: ${luks_containers[@]}" + # Loop through each LUKS container for luks_container in "${luks_containers[@]}"; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 - if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" - while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do - read -r luks_new_Disk_Recovery_Key_passphrase - done - fi - - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" - read -r luks_current_Disk_Recovery_Key_passphrase - fi + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" + while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + read -r luks_new_Disk_Recovery_Key_passphrase + done + + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + read -r luks_current_Disk_Recovery_Key_passphrase fi echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase 
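Review bot: Removing the inner `[ -z ... ]` guards makes both prompts run whenever either passphrase variable is empty. If `luks_current_Disk_Recovery_Key_passphrase` was already set by an earlier step, the now-unconditional `read -r luks_current_Disk_Recovery_Key_passphrase` replaces it with fresh input. In the opposite case, where the new passphrase already has 8 or more characters, the replacement prompt is printed but the `while` loop never reads. If that is not intended, keep a per-variable guard such as `[ -n "$luks_current_Disk_Recovery_Key_passphrase" ] || read -r luks_current_Disk_Recovery_Key_passphrase`. The function body continues past the end of this hunk.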
@@ -551,7 +547,7 @@ luks_change_passphrase() { rm -f /boot/kexec_key_devices.txt mount -o remount,ro /boot luks_secrets_cleanup - unset LUKS + unset LUKS continue fi @@ -563,16 +559,13 @@ luks_change_passphrase() { fi echo "Success changing passphrase for $luks_container." - changed_containers=$((changed_containers + 1)) done - if [ $changed_containers -eq $num_containers ]; then - # All containers processed successfully - luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase - export luks_current_Disk_Recovery_Key_passphrase - export luks_new_Disk_Recovery_Key_passphrase - export LUKS - fi + # Export the new passphrase if all containers were processed successfully + luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase + export luks_current_Disk_Recovery_Key_passphrase + export luks_new_Disk_Recovery_Key_passphrase + export LUKS } luks_secrets_cleanup()
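Review bot: In the last hunk, `luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase` and the three `export` lines now run unconditionally, although the added comment still says "if all containers were processed successfully". The branch in the previous hunk that runs `luks_secrets_cleanup`, `unset LUKS` and `continue` looks like a failure path (its condition is outside the hunk). After it the loop carries on and the function still records the new passphrase as current, so later steps could reuse a passphrase that one container never accepted, and `export LUKS` may export an unset variable. Keep the success counter and guard the tail with `[ "$changed_containers" -eq "${#luks_containers[@]}" ] || return 1`, or reword the comment if partial success is meant to be accepted. The function starts in an earlier hunk.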