kexec-seal/save-key /etc/functions : some more uniformisation of TPM DUK verbiage

Thierry Laurion 2023-09-02 04:17:50 -04:00
parent 51b1ad39c3
commit 8b0fc0f129
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
3 changed files with 4 additions and 4 deletions


@ -73,7 +73,7 @@ for dev in $key_devices; do
done
kexec-seal-key $paramsdir ||
die "Failed to save and generate key in TPM"
die "Failed to save and generate TPM Disk Unlock Key"
if [ "$skip_sign" != "y" ]; then
extparam=


@ -61,7 +61,7 @@ if [ "$key_password" != "$key_password2" ]; then
fi
# Generate key file
echo "++++++ Generating new randomized 128 bytes key file that will be unsealed by TPM Disk Unlock Key passphrase"
echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by TPM Disk Unlock Key passphrase"
dd \
if=/dev/urandom \
of="$KEY_FILE" \
@ -85,7 +85,7 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
fi
else
DEBUG "Slot 1 is not the only existing slot on $dev"
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next"
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase"
fi
done
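Review bot: The two messages reworded in this file still describe the same operation in different terms: the `echo` before `dd` says the key file is "sealed/unsealed by TPM Disk Unlock Key passphrase", while the `DEBUG` line in the slot loop says the "TPM will seal/unseal with TPM Disk Unlock Key passphrase". The unchanged `echo` in `reseal_tpm_disk_decryption_key` (last file section) keeps a third form, "to be unsealed by". For a commit that standardises the verbiage I would pick one form everywhere, for example `echo "++++++ Generating new randomized 128-byte key file that TPM will seal/unseal with TPM Disk Unlock Key passphrase"`. The page does not mark which line of each printed pair is the new side, so this assumes the second variant is the added one. Both the `dd` invocation and the `for` loop continue outside their hunks.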


@ -96,7 +96,7 @@ reseal_tpm_disk_decryption_key() {
fi
if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then
warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements cannot be unsealed"
warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements could not unseal TOTP"
echo "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
while ! kexec-seal-key /boot; do
warn "Recovery Disk Encryption key passphrase invalid. Try again!"
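Review bot: The retry loop's `warn "Recovery Disk Encryption key passphrase invalid. Try again!"` is left as it was, so every non-zero exit of `kexec-seal-key /boot` is reported as a wrong passphrase, in a term that differs from the "TPM Disk Unlock Key" / "LUKS Disk Unlock Key" wording this commit standardises. If `kexec-seal-key` can also fail for other reasons, such as a TPM sealing error, the user is sent around the loop with a misleading prompt; the caller in the first file section reports its failure generically as "Failed to save and generate TPM Disk Unlock Key". I would word the message after the actual outcome, e.g. `warn "Failed to seal TPM Disk Unlock Key (passphrase invalid or TPM sealing failed). Try again!"`, and confirm that an unbounded `while !` retry is intended. The loop body and the enclosing function continue outside the hunk.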