WiP TPM DUK cleanup
This commit is contained in:
parent
e9dbce2adf
commit
52947e2767
@ -317,18 +317,15 @@ if [ "$save_key" = "y" ]; then
|
||||
# Modify each retained crypttab line to contain to be injected /secret.key at next default boots
|
||||
modified_filepath_entries=$(echo "$current_filepath_entries" | sed 's/none/\/secret.key/g')
|
||||
DEBUG "Modified crypttab entries in $filepath: $modified_filepath_entries"
|
||||
# Mofify paths to remove path of where files were extracted to be those files need to be put in initramfs
|
||||
modified_filepath_entries=$(echo "$modified_filepath_entries" | awk -v var="$initrd_decompressed" '{gsub(var,"")}1')
|
||||
DEBUG "Modified crypttab filepath entries in $filepath: $modified_filepath_entries"
|
||||
# Get the relative path of the filepath
|
||||
modified_filepath=$(echo "$filepath" | cut -d'/' -f2-)
|
||||
echo "$modified_filepath_entries" | while read single_modified_filepath_entry; do
|
||||
# Get the relative path of the filepath which will correspond to local path of the crypttab file in initrd
|
||||
initrd_filepath_entries=$(echo "$modified_filepath_entries" | cut -d'/' -f3-)
|
||||
DEBUG "Modified crypttab initrd local path entries in $filepath: $initrd_filepath_entries"
|
||||
echo "$initrd_filepath_entries" | while read initrd_filepath_entry; do
|
||||
# Append each found filepath:entry into additional kexec_ file that will be part of detached signed digest
|
||||
echo "$modified_filepath:$single_modified_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
|
||||
echo "$modified_filepath_entries:$initrd_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
|
||||
done
|
||||
done
|
||||
|
||||
|
||||
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
|
||||
echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
|
||||
cat $bootdir/kexec_initrd_crypttab_overrides.txt
|
||||
|
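Review bot: The override line appended by `echo "$modified_filepath_entries:$initrd_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt` uses the whole rewritten entry set (one line per retained crypttab entry, so possibly several lines) as the path field, whereas the removed code keyed each line on `$modified_filepath`, which was cut from `$filepath`; `initrd_filepath_entries` is likewise derived from the entries rather than from the file path, and what `cut -d'/' -f3-` yields on a crypttab entry line is not obvious. Because the comment says this file is folded into the detached signed digest and consumed at kexec-inject-key, a `path:entry` record whose path field is an entry blob would presumably match nothing in the initramfs — worth confirming against the consumer. Deriving the key from the file path, e.g. `initrd_filepath=$(echo "$filepath" | cut -d'/' -f3-)` and `echo "$initrd_filepath:$initrd_filepath_entry" >>"$bootdir/kexec_initrd_crypttab_overrides.txt"`, keeps one record per entry; `while read -r initrd_filepath_entry` also stops backslashes in the entry text from being interpreted. The enclosing `if [ "$save_key" = "y" ]` block begins before this hunk.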
@ -81,10 +81,10 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
|
||||
# Check if slot 1 is the only one existing
|
||||
if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then
|
||||
warn "Slot 1 is the only one existing on $dev. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
|
||||
die "Slot 1 should not be the only one existing on $dev. Fix your custom setup"
|
||||
die "Slot 1 should not be the only slot existing on $dev. Fix your custom setup"
|
||||
fi
|
||||
else
|
||||
DEBUG "Slot 1 is not the only one existing on $dev"
|
||||
DEBUG "Slot 1 is not the only existing slot on $dev"
|
||||
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next"
|
||||
fi
|
||||
done
|
||||
|
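Review bot: The guard `if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then` only establishes that slot 1 is enabled; whether that proves slot 1 is the only slot depends on the enclosing conditional that starts before this hunk, and the reworded `die` and `DEBUG` messages now state that stronger claim. The pattern also only matches LUKS1-style `luksDump` output (`Key Slot 1: ENABLED`); a LUKS2 header lists keyslots as `  1: luks2`, so on a LUKS2 device this branch would presumably never fire — worth confirming against the cryptsetup version Heads builds. `$dev` should be quoted, `cryptsetup luksDump "$dev" | grep -q "Slot 1: ENABLED"`, and if `die` prints its own message the preceding `warn` duplicates it. The `for dev in` loop opens before this hunk.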