
openSUSE / agama / 7567637398
72%

Build:
DEFAULT BRANCH: master
Ran 18 Jan 2024 09:07AM UTC
Jobs 3
Files 655
Run time 31s
18 Jan 2024 09:04AM UTC coverage: 74.871% (+0.006%) from 74.865%
7567637398

Make TPM-based encryption more explicit (#995)

## Problem

Sometimes, Agama decides to use the encryption method `TPM_FDE` which
results in the system being configured via `fde-tools` to open the
encryption devices automatically during system boot without needing to
enter the password.

That happens if the configuration parameter `encryption.tpm_luks_open`
is set AND the system supports TPM unlocking. If that is the case, the
`TPM_FDE` encryption method is used without even asking the user. In any
other case, the encryption method specified at the configuration
parameter `encryption.method` is used.

That's all quite obscure, the users don't know whether TPM-based
unlocking is going to be configured. Not even if it's possible to
configure it or not.

## Solution

This pull request introduces some changes in how the whole thing is
managed.

Now if the system or the distribution being installed doesn't support
TPM-based decryption, the encryption method `LUKS2` is used and nothing
is shown in the UI.


![tpm_not_available](https://github.com/openSUSE/agama/assets/3638289/f53925cf-8101-4b13-a1ba-e19b6d78907d)

So no big change for the user except the fact that now LUKS2 with PBKDF2
as derivation function is the default for all distributions (it's a
pretty sensible default for distributions based on Grub2 in 2024).

But if the system and the distribution both support configuring
TPM-based opening of the LUKS devices, the user can choose between the
`TPM_FDE` and the `LUKS2` encryption methods via a checkbox shown in the
UI.


![attempt](https://github.com/openSUSE/agama/assets/3638289/ed539bbb-08f8-4761-9834-c3fa05c6b27f)

The default encryption method (and thus, the default value of the
checkbox) is configured per-product at `encryption.method`. If the value
there is `"tpm_fde"` but the system does not support such a method (e.g.
there is no TPMv2 chip), Agama will use the default encryption method
(`LUKS2`) as fa... (continued)

1423 of 2166 branches covered (0.0%)

Branch coverage included in aggregate %.

16049 of 21170 relevant lines covered (75.81%)

22.53 hits per line

Subprojects
ID | Flag name | Job ID | Ran | Files | Coverage
1 | web | 7567637398.1 | 18 Jan 2024 09:07AM UTC | 287 | 74.16
1 | service | 7541721730.1 | 16 Jan 2024 12:42PM UTC | 304 | 84.79
1 | rust | 7539750092.1 | 16 Jan 2024 09:49AM UTC | 64 | 41.75
Source Files on build 7567637398
  • Tree
  • List 655
  • Changed 40
  • Source Changed 4
  • Coverage Changed 8
  • 84c27d48 on github