oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key

This continues to generate checksums and sign them with the new GPG User PIN, but no longer sets a default boot option.
A user who selects Default Boot on reboot is taken through setting up a new default boot option, which asks whether to set up a Disk Unlock Key if desired.

Otherwise, selecting Default Boot would prompt the user for the Disk Recovery Key passphrase and still require manually setting a default boot option.
Thierry Laurion 2022-04-13 14:24:59 -04:00
parent 3201cd4d95
commit 70572fd100
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93


@ -156,6 +156,11 @@ generate_checksums()
mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot"
fi
#Check if previous TPM Disk unlock Key was set
if [ -e /boot/kexec_key_devices.txt ]; then
TPM_DISK_ENCRYPTION_KEY_SET=1
fi
# clear any existing checksums/signatures
rm /boot/kexec* 2>/dev/null
@ -181,8 +186,10 @@ generate_checksums()
echo "0" > /boot/kexec_hotp_counter
fi
# set default boot option
set_default_boot_option
# set default boot option only if no TPM Disk Unlock Key previously set
if [ -z "$TPM_DISK_ENCRYPTION_KEY_SET" ]; then
set_default_boot_option
fi
# generate hashes
find /boot -type f ! -name '*kexec*' -print0 \