ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-20 05:28:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

WiP TPM DUK cleanup

Browse Source
This commit is contained in:
Thierry Laurion 2023-09-02 01:53:31 -04:00
parent e9dbce2adf
commit 52947e2767
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
2 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
initrd/bin/kexec-save-default
View File

@ -317,18 +317,15 @@ if [ "$save_key" = "y" ]; then
# Modify each retained crypttab line to contain to be injected /secret.key at next default boots # Modify each retained crypttab line to contain to be injected /secret.key at next default boots
modified_filepath_entries=$(echo "$current_filepath_entries" | sed 's/none/\/secret.key/g') modified_filepath_entries=$(echo "$current_filepath_entries" | sed 's/none/\/secret.key/g')
DEBUG "Modified crypttab entries in $filepath: $modified_filepath_entries" DEBUG "Modified crypttab entries in $filepath: $modified_filepath_entries"
# Mofify paths to remove path of where files were extracted to be those files need to be put in initramfs # Get the relative path of the filepath which will correspond to local path of the crypttab file in initrd
modified_filepath_entries=$(echo "$modified_filepath_entries" | awk -v var="$initrd_decompressed" '{gsub(var,"")}1') initrd_filepath_entries=$(echo "$modified_filepath_entries" | cut -d'/' -f3-)
DEBUG "Modified crypttab filepath entries in $filepath: $modified_filepath_entries" DEBUG "Modified crypttab initrd local path entries in $filepath: $initrd_filepath_entries"
# Get the relative path of the filepath echo "$initrd_filepath_entries" | while read initrd_filepath_entry; do
modified_filepath=$(echo "$filepath" | cut -d'/' -f2-)
echo "$modified_filepath_entries" | while read single_modified_filepath_entry; do
# Append each found filepath:entry into additional kexec_ file that will be part of detached signed digest # Append each found filepath:entry into additional kexec_ file that will be part of detached signed digest
echo "$modified_filepath:$single_modified_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt echo "$modified_filepath_entries:$initrd_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
done done
done done
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key #insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:" echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
cat $bootdir/kexec_initrd_crypttab_overrides.txt cat $bootdir/kexec_initrd_crypttab_overrides.txt

4
initrd/bin/kexec-seal-key
View File

@ -81,10 +81,10 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
# Check if slot 1 is the only one existing # Check if slot 1 is the only one existing
if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then
warn "Slot 1 is the only one existing on $dev. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key" warn "Slot 1 is the only one existing on $dev. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
die "Slot 1 should not be the only one existing on $dev. Fix your custom setup" die "Slot 1 should not be the only slot existing on $dev. Fix your custom setup"
fi fi
else else
DEBUG "Slot 1 is not the only one existing on $dev" DEBUG "Slot 1 is not the only existing slot on $dev"
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next" DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next"
fi fi
done done