heads/initrd/bin/wipe-totp

#!/bin/bash
# Wipe the sealed TOTP/HOTP secret.  The secret is overwritten with all-0,
# rather than deleted, because deletion requires authorization.  Wiping the
# secret will cause the next boot to prompt to regenerate the secret.

. /etc/functions

TPM_NVRAM_SPACE=4d47
TPM_SIZE=312

if [ "$CONFIG_TPM" = "y" ]; then
	tpmr destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \
		|| die "Unable to wipe sealed secret"
fi
Implement Restricted Boot Mode Restricted Boot mode only allows booting from signed files, whether that is signed kernels in /boot or signed ISOs on mounted USB disks. This disables booting from abitrary USB disks as well as the forced "unsafe" boot mode. This also disables the recovery console so you can't bypass this mode simply by running kexec manually. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> 2022-10-25 22:09:15 +00:00			`#!/bin/bash`
			`# Wipe the sealed TOTP/HOTP secret. The secret is overwritten with all-0,`
			`# rather than deleted, because deletion requires authorization. Wiping the`
			`# secret will cause the next boot to prompt to regenerate the secret.`

			`. /etc/functions`

			`TPM_NVRAM_SPACE=4d47`
			`TPM_SIZE=312`

			`if [ "$CONFIG_TPM" = "y" ]; then`
			`tpmr destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \`
			`\|\| die "Unable to wipe sealed secret"`
			`fi`