Allow TPM LUKS key to be set during default selection

Closes #222

initrd/bin/kexec-save-default

@@ -3,7 +3,7 @@
 set -e -o pipefail
 . /etc/functions
 
-while getopts "b:d:p:e:i:" arg; do
+while getopts "b:d:p:i:" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;
 		d) paramsdev="$OPTARG" ;;
@@ -41,6 +41,37 @@ if [ -z "$entry" ]; then
 	die "Invalid menu index $index"
 fi
 
+KEY_DEVICE_FILE="$paramsdir/kexec_key_devices.txt"
+if [ ! -r "$KEY_DEVICE_FILE" ]; then
+	read \
+		-n 1 \
+		-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
+		add_key_confirm
+	echo
+
+	if [ "$add_key_confirm" = "y" \
+		-o "$add_key_confirm" = "Y" ] \
+	; then
+		read \
+			-p "Encrypted LVM group? (e.g. qubes_dom0 or blank): " \
+			lvm_volume_group
+
+		read \
+			-p "Encrypted devices? (e.g. /dev/sda2 or blank): " \
+			key_devices
+
+		save_key_params="-s -p $paramsdev"
+		if [ -n "$lvm_volume_group" ]; then
+			save_key_params="$save_key_params -l $lvm_volume_group $key_devices"
+		else
+			save_key_params="$save_key_params $key_devices"
+		fi
+		echo "Running kexec-save-key with params: $save_key_params"
+		kexec-save-key $save_key_params \
+		|| die "Failed to save the disk key"
+	fi
+fi
+
 # try to switch to rw mode
 mount -o rw,remount $paramsdev
 

initrd/bin/kexec-save-key

@@ -4,8 +4,10 @@ set -e -o pipefail
 . /etc/functions
 
 lvm_volume_group=""
-while getopts "p:d:l:" arg; do
+skip_sign="n"
+while getopts "sp:d:l:" arg; do
 	case $arg in
+		s) skip_sign="y" ;;
 		p) paramsdir="$OPTARG" ;;
 		d) paramsdev="$OPTARG" ;;
 		l) lvm_volume_group="$OPTARG" ;;
@@ -15,7 +17,7 @@ shift `expr $OPTIND - 1`
 key_devices="$@"
 
 if [ -z "$paramsdir" ]; then
-	die "Usage: $0 -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
+	die "Usage: $0 [-s] -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
 fi
 
 if [ -z "$paramsdev" ]; then
@@ -58,9 +60,11 @@ done
 kexec-seal-key $paramsdir \
 || die "Failed to save and generate key in TPM"
 
-# sign and auto-roll config counter
-kexec-sign-config -p $paramsdir -u \
-|| die "Failed to sign updated config"
+if [ "$skip_sign" != "y" ]; then
+	# sign and auto-roll config counter
+	kexec-sign-config -p $paramsdir -u \
+	|| die "Failed to sign updated config"
+fi
 
 # switch back to ro mode
 mount -o ro,remount $paramsdev

initrd/bin/kexec-sign-config

@@ -54,6 +54,8 @@ for tries in 1 2 3; do
 		-a \
 		> $paramsdir/kexec.sig \
 	; then
+		# successful - update the validated params
+		check_config $paramsdir
 		exit 0
 	fi
 done

initrd/bin/usb-scan

@@ -7,13 +7,13 @@ set -e -o pipefail
 # Unmount any previous boot device
 if grep -q /boot /proc/mounts ; then
 	umount /boot \
-		|| die '$CONFIG_USB_BOOT_DEV: Unable to unmount /boot'
+		|| die "Unable to unmount /boot"
 fi
 
 # Mount the USB boot device
 if ! grep -q /media /proc/mounts ; then
 	mount-usb "$CONFIG_USB_BOOT_DEV" \
-		|| die '$CONFIG_USB_BOOT_DEV: Unable to mount /media'
+		|| die "Unable to mount /media"
 fi
 
 # Check for ISO first

initrd/etc/functions

@@ -70,6 +70,19 @@ confirm_totp()
 
 confirm_gpg_card()
 {
+	read \
+		-n 1 \
+		-p "Please confirm that your GPG card is inserted [Y/n]: " \
+		card_confirm
+	echo
+
+	if [ "$card_confirm" != "y" \
+		-a "$card_confirm" != "Y" \
+		-a -n "$card_confirm" ] \
+	; then
+		die "gpg card not confirmed"
+	fi
+
 	# setup the USB so we can reach the GPG card
 	if ! lsmod | grep -q ehci_hcd; then
 		insmod /lib/modules/ehci-hcd.ko \