Allow boot without unseal of TPM LUKS key

Closes issue #226

Also changed to procedure to show LVM volume groups and block
device ids to aid in choosing the right combination during the
TPM LUKS key sealing process.

initrd/bin/kexec-insert-key

@@ -39,14 +39,32 @@ mkdir -p "$INITRD_DIR/etc"
 
 # Attempt to unseal the disk key from the TPM
 # should we give this some number of tries?
+unseal_failed="n"
 if ! kexec-unseal-key "$INITRD_DIR/secret.key" ; then
-	die 'Unseal disk key failed'
+	unseal_failed="y"
+	echo "!!! Failed to unseal the TPM LUKS disk key"
 fi
 
 # Override PCR 4 so that user can't read the key
 tpm extend -ix 4 -ic generic \
 	|| die 'Unable to scramble PCR'
 
+# Check to continue
+if [ "$unseal_failed" = "y" ]; then
+	confirm_boot="n"
+	read \
+		-n 1 \
+		-p "Do you wish to boot and use the disk recovery key? [Y/n] " \
+		confirm_boot
+
+	if [ "$confirm_boot" != 'y' \
+		-a "$confirm_boot" != 'Y' \
+		-a -n "$confirm_boot" ] \
+	; then
+		die "!!! Aborting boot due to failure to unseal TPM disk key"
+	fi
+fi
+
 echo '+++ Building initrd'
 # pad the initramfs (dracut doesn't pad the last gz blob)
 # without this the kernel init/initramfs.c fails to read
@@ -54,8 +72,10 @@ echo '+++ Building initrd'
 dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
 || die "Failed to copy initrd to /tmp"
 
-# overwrite /etc/crypttab to mirror the behavior for in seal-key
-for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\  -f2`; do
-	echo "luks-$uuid UUID=$uuid /secret.key" >> "$INITRD_DIR/etc/crypttab"
-done
-( cd "$INITRD_DIR" ; find . -type f | cpio -H newc -o ) >> "$SECRET_CPIO"
+if [ "$unseal_failed" = "n" ]; then
+	# overwrite /etc/crypttab to mirror the behavior for in seal-key
+	for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\  -f2`; do
+		echo "luks-$uuid UUID=$uuid /secret.key" >> "$INITRD_DIR/etc/crypttab"
+	done
+	( cd "$INITRD_DIR" ; find . -type f | cpio -H newc -o ) >> "$SECRET_CPIO"
+fi

initrd/bin/kexec-save-default

@@ -41,8 +41,10 @@ if [ -z "$entry" ]; then
 	die "Invalid menu index $index"
 fi
 
-KEY_DEVICE_FILE="$paramsdir/kexec_key_devices.txt"
-if [ ! -r "$KEY_DEVICE_FILE" ]; then
+KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
+KEY_LVM="$paramsdir/kexec_key_lvm.txt"
+save_key="n"
+if [ ! -r "$KEY_DEVICES" ]; then
 	read \
 		-n 1 \
 		-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
@@ -52,24 +54,59 @@ if [ ! -r "$KEY_DEVICE_FILE" ]; then
 	if [ "$add_key_confirm" = "y" \
 		-o "$add_key_confirm" = "Y" ] \
 	; then
-		read \
-			-p "Encrypted LVM group? (e.g. qubes_dom0 or blank): " \
-			lvm_volume_group
-
-		read \
-			-p "Encrypted devices? (e.g. /dev/sda2 or blank): " \
-			key_devices
-
-		save_key_params="-s -p $paramsdev"
-		if [ -n "$lvm_volume_group" ]; then
-			save_key_params="$save_key_params -l $lvm_volume_group $key_devices"
-		else
-			save_key_params="$save_key_params $key_devices"
-		fi
-		echo "Running kexec-save-key with params: $save_key_params"
-		kexec-save-key $save_key_params \
-		|| die "Failed to save the disk key"
+		lvm_suggest="e.g. qubes_dom0 or blank"
+		devices_suggest="e.g. /dev/sda2 or blank"
+		save_key="y"
 	fi
+else
+	read \
+		-n 1 \
+		-p "Do you want to reseal a disk key to the TPM [y/N]: " \
+		change_key_confirm
+	echo
+
+	if [ "$change_key_confirm" = "y" \
+		-o "$change_key_confirm" = "Y" ] \
+	; then
+		old_lvm_volume_group=""
+		if [ -r "$KEY_LVM" ]; then
+			old_lvm_volume_group=`cat $KEY_LVM` || true
+			old_key_devices=`cat $KEY_DEVICES | cut -d\  -f1 \
+				| grep -v "$old_lvm_volume_group" | xargs` || true
+		else
+			old_key_devices=`cat $KEY_DEVICES | cut -d\  -f1 | xargs` || true
+		fi
+
+		lvm_suggest="was '$old_lvm_volume_group'"
+		devices_suggest="was '$old_key_devices'"
+		save_key="y"
+	fi
+fi
+
+if [ "$save_key" = "y" ]; then
+	echo "+++ LVM volume groups (lvm vgscan): "
+	lvm vgscan || true
+
+	read \
+		-p "Encrypted LVM group? ($lvm_suggest): " \
+		lvm_volume_group
+
+	echo "+++ Block devices (blkid): "
+	blkid || true
+
+	read \
+		-p "Encrypted devices? ($devices_suggest): " \
+		key_devices
+
+	save_key_params="-s -p $paramsdev"
+	if [ -n "$lvm_volume_group" ]; then
+		save_key_params="$save_key_params -l $lvm_volume_group $key_devices"
+	else
+		save_key_params="$save_key_params $key_devices"
+	fi
+	echo "Running kexec-save-key with params: $save_key_params"
+	kexec-save-key $save_key_params \
+	|| die "Failed to save the disk key"
 fi
 
 # try to switch to rw mode

initrd/bin/kexec-unseal-key

@@ -24,9 +24,13 @@ tpm nv_readvalue \
 || die "Unable to read key from TPM NVRAM"
 
 for tries in 1 2 3; do
-	read -s -p "Enter unlock password: " tpm_password
+	read -s -p "Enter unlock password (blank to abort): " tpm_password
 	echo
 
+	if [ -z "$tpm_password" ]; then
+		die "Aborting unseal disk encryption key"
+	fi
+
 	if tpm unsealfile \
 		-if "$sealed_file" \
 		-of "$key_file" \