From 84569e37388ca0759e0a2134b67dee1072c11911 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Fri, 30 Jun 2023 14:37:38 -0400
Subject: [PATCH] kexec-save-default: Don't seal LUKS disk unlock key in basic mode

Basic mode allows (but does not require) setting a default boot option. Don't seal disk unlock keys in Basic mode.

Signed-off-by: Jonathon Hall
---
 initrd/bin/kexec-save-default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
index ab290c09..559813b0 100755
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@@ -48,7 +48,7 @@ fi
 KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
 KEY_LVM="$paramsdir/kexec_key_lvm.txt"
 save_key="n"
-if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]; then
+if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
 if [ ! -r "$KEY_DEVICES" ]; then
 read \
 -n 1 \
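Review bot: The added test `[ "$CONFIG_BASIC" != y ]` on the `if` line leaves `y` unquoted while the two tests before it compare against `"y"`; writing `[ "$CONFIG_BASIC" != "y" ]` keeps the condition uniform. The line also carries no reason for the exclusion, so a comment above it such as `# Basic mode never seals a LUKS disk unlock key, even when a TPM is present` would keep the policy from being dropped in a later edit. The body of this `if` runs past the end of the hunk, so it is not visible whether an existing `$KEY_DEVICES` or `$KEY_LVM` file left by an earlier non-Basic setup is still honoured elsewhere once this prompt is skipped; that is worth confirming.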