WiP TPM DUK cleanup

This commit is contained in:
Thierry Laurion 2023-09-02 01:53:31 -04:00
parent e9dbce2adf
commit 52947e2767
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
2 changed files with 7 additions and 10 deletions


@ -317,18 +317,15 @@ if [ "$save_key" = "y" ]; then
# Modify each retained crypttab line to contain to be injected /secret.key at next default boots
modified_filepath_entries=$(echo "$current_filepath_entries" | sed 's/none/\/secret.key/g')
DEBUG "Modified crypttab entries in $filepath: $modified_filepath_entries"
# Mofify paths to remove path of where files were extracted to be those files need to be put in initramfs
modified_filepath_entries=$(echo "$modified_filepath_entries" | awk -v var="$initrd_decompressed" '{gsub(var,"")}1')
DEBUG "Modified crypttab filepath entries in $filepath: $modified_filepath_entries"
# Get the relative path of the filepath
modified_filepath=$(echo "$filepath" | cut -d'/' -f2-)
echo "$modified_filepath_entries" | while read single_modified_filepath_entry; do
# Get the relative path of the filepath which will correspond to local path of the crypttab file in initrd
initrd_filepath_entries=$(echo "$modified_filepath_entries" | cut -d'/' -f3-)
DEBUG "Modified crypttab initrd local path entries in $filepath: $initrd_filepath_entries"
echo "$initrd_filepath_entries" | while read initrd_filepath_entry; do
# Append each found filepath:entry into additional kexec_ file that will be part of detached signed digest
echo "$modified_filepath:$single_modified_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
echo "$modified_filepath_entries:$initrd_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
done
done
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
cat $bootdir/kexec_initrd_crypttab_overrides.txt
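Review bot: The inner loop over `initrd_filepath_entries` derives its list from the whole of `$modified_filepath_entries` rather than from the current entry of the enclosing `while read single_modified_filepath_entry` loop, so each outer iteration re-emits the full list, and the `echo "$modified_filepath_entries:$initrd_filepath_entry"` line prefixes every record with the multi-line list instead of a single crypttab path; which of the paired lines is the retained side is not recoverable here, but whichever loop survives should compute its per-line value from the iteration variable, e.g. `initrd_filepath_entry=$(printf '%s\n' "$single_modified_filepath_entry" | cut -d'/' -f3-)`. Both `read` calls should be `IFS= read -r` so backslashes and leading whitespace in crypttab paths survive, and the append target should be quoted, `>>"$bootdir/kexec_initrd_crypttab_overrides.txt"`. Since the file is appended to and later covered by the detached signed digest, it is worth confirming it is truncated earlier in the script, otherwise entries from a previous run accumulate into the signed set. The enclosing `if [ "$save_key" = "y" ]` block starts outside the hunk.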


@ -81,10 +81,10 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
# Check if slot 1 is the only one existing
if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then
warn "Slot 1 is the only one existing on $dev. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
die "Slot 1 should not be the only one existing on $dev. Fix your custom setup"
die "Slot 1 should not be the only slot existing on $dev. Fix your custom setup"
fi
else
DEBUG "Slot 1 is not the only one existing on $dev"
DEBUG "Slot 1 is not the only existing slot on $dev"
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next"
fi
done
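Review bot: The test `cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"` only establishes that slot 1 is enabled, not that it is the only enabled slot as the comment and the reworded messages state; unless the enclosing `if`, which starts outside the hunk, already excludes the other slots, a device with slots 0 and 1 both in use would also reach the `die`. The pattern also matches only the LUKS1-style dump; LUKS2 lists keyslots under a `Keyslots:` heading (`  1: luks2`), so on such devices the check would silently pass — worth confirming which header format the devices in `$KEY_DEVICES` use before relying on it. Quote the device in the pipeline, `if cryptsetup luksDump "$dev" | grep -q "Slot 1: ENABLED"; then`. The `for dev in ...` loop header is outside the hunk.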