From 0cae2d7805868b9ee5d1a81a36b4424589e69aef Mon Sep 17 00:00:00 2001
From: Matt DeVillier
Date: Thu, 21 Nov 2019 16:01:50 -0600
Subject: [PATCH] kexec-save-default: guard TPM LUKS usage with config option

Add CONFIG_TPM_NO_LUKS_DISK_UNLOCK to allow Librem boards to opt out of using TPM to store LUKS key, and use it to guard the user option to add the disk encryption key to the TPM. Select this option for all Librem boards; all other boards which select CONFIG_TPM=y will have no change in functionality.

Signed-off-by: Matt DeVillier
---
 boards/librem13v2/librem13v2.config | 1 +
 boards/librem13v4/librem13v4.config | 1 +
 boards/librem15v3/librem15v3.config | 1 +
 boards/librem15v4/librem15v4.config | 1 +
 initrd/bin/kexec-save-default | 2 +-
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config
index 776256be..312fb722 100644
--- a/boards/librem13v2/librem13v2.config
+++ b/boards/librem13v2/librem13v2.config
@@ -25,6 +25,7 @@
 CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 export CONFIG_TPM=y
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config
index 1b0a83ab..765c0d83 100644
--- a/boards/librem13v4/librem13v4.config
+++ b/boards/librem13v4/librem13v4.config
@@ -25,6 +25,7 @@
 CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 export CONFIG_TPM=y
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config
index c73f5b8f..82d2ad8b 100644
--- a/boards/librem15v3/librem15v3.config
+++ b/boards/librem15v3/librem15v3.config
@@ -27,6 +27,7 @@
 CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 export CONFIG_TPM=y
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config
index b2349799..0fcddcbb 100644
--- a/boards/librem15v4/librem15v4.config
+++ b/boards/librem15v4/librem15v4.config
@@ -27,6 +27,7 @@
 CONFIG_LIBREMKEY=y
 CONFIG_LINUX_USB=y
 export CONFIG_TPM=y
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
index 85ac3f27..fe04e864 100755
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@@ -45,7 +45,7 @@ fi
 KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
 KEY_LVM="$paramsdir/kexec_key_lvm.txt"
 save_key="n"
-if [ "$CONFIG_TPM" = "y" ]; then
+if [[ "$CONFIG_TPM" = "y" && "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]]; then
 if [ ! -r "$KEY_DEVICES" ]; then
 read \
 -n 1 \
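Review bot: The new guard in initrd/bin/kexec-save-default switches this test to `[[ ... ]]` while the removed line and the `if [ ! -r "$KEY_DEVICES" ]` directly below it use POSIX `[ ]`, so unless the initrd shell is known to be bash, `if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]; then` keeps the file consistent and portable. Boards that do not select the new option leave CONFIG_TPM_NO_LUKS_DISK_UNLOCK unset, so if the script runs under `set -u` the quoted expansion would abort before the prompt; `"${CONFIG_TPM_NO_LUKS_DISK_UNLOCK:-n}"` makes the unset case explicit, though the script's `set` options are not visible from here. A comment above the guard such as `# Boards with CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y are never offered TPM sealing of the LUKS key; save_key stays "n"` would record why a TPM-enabled board skips the prompt. The guard only skips the enrolment prompt, so if a board opts out after a key was previously stored, an existing kexec_key_devices.txt is presumably left as is by this path and it is worth confirming what the code after the hunk does with it. The `if` body and the `read` it starts continue past the end of the hunk.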