kexec-save-default: Don't seal LUKS disk unlock key in basic mode

Basic mode allows (but does not require) setting a default boot option. Don't seal disk unlock keys in Basic mode. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2025-04-09 04:14:34 +00:00 · 2023-06-30 14:37:38 -04:00 · 2023-06-30 14:37:38 -04:00 · 84569e3738
commit 84569e3738
parent 6618dd652c
1 changed files with 1 additions and 1 deletions
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@ -48,7 +48,7 @@ fi
 KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
 KEY_LVM="$paramsdir/kexec_key_lvm.txt"
 save_key="n"
-if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]; then
+if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
 	if [ ! -r "$KEY_DEVICES" ]; then
 		read \
 			-n 1 \