From 8b0fc0f1296e26e3c36095adc0657caa62a6edbf Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sat, 2 Sep 2023 04:17:50 -0400
Subject: [PATCH] kexec-seal/save-key /etc/functions : some more uniformisation of TPM DUK verbiage

---
 initrd/bin/kexec-save-key | 2 +-
 initrd/bin/kexec-seal-key | 4 ++--
 initrd/etc/functions | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key
index be92ba32..3ba8e932 100755
--- a/initrd/bin/kexec-save-key
+++ b/initrd/bin/kexec-save-key
@@ -73,7 +73,7 @@ for dev in $key_devices; do
 done
 
 kexec-seal-key $paramsdir ||
- die "Failed to save and generate key in TPM"
+ die "Failed to save and generate TPM Disk Unlock Key"
 
 if [ "$skip_sign" != "y" ]; then
 extparam=
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index b405abeb..fe36808c 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -61,7 +61,7 @@ if [ "$key_password" != "$key_password2" ]; then
 fi
 
 # Generate key file
-echo "++++++ Generating new randomized 128 bytes key file that will be unsealed by TPM Disk Unlock Key passphrase"
+echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by TPM Disk Unlock Key passphrase"
 dd \
 if=/dev/urandom \
 of="$KEY_FILE" \
@@ -85,7 +85,7 @@ for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
 fi
 else
 DEBUG "Slot 1 is not the only existing slot on $dev"
- DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that will be sealed into TPM next"
+ DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase"
 fi
 done
 
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 84a8592a..2163587b 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
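Review bot: The new die message in kexec-save-key reads "save and generate", although the call on the preceding line, `kexec-seal-key $paramsdir`, generates the key first and then seals it; since the commit's stated aim is uniform DUK wording, `die "Failed to generate and seal TPM Disk Unlock Key"` would match what kexec-seal-key's own messages now say. The `$paramsdir` argument on that context line is also unquoted; if the path can ever contain whitespace, `kexec-seal-key "$paramsdir" ||` avoids word-splitting. The `if [ "$skip_sign" != "y" ]` block opened at the end of the hunk closes outside it.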
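Review bot: The new echo in kexec-seal-key says the key file "will be sealed/unsealed by TPM Disk Unlock Key passphrase", but a passphrase does not seal anything — as the functions hunk's own wording about firmware measurements indicates, the TPM seals the key and the passphrase only authorizes the unseal; a message that keeps that distinction is `echo "++++++ Generating new randomized 128-byte key file that the TPM will seal; unsealing requires the TPM Disk Unlock Key passphrase"`. The same phrasing ("TPM will seal/unseal with TPM Disk Unlock Key passphrase") is introduced on the DEBUG line in this file's second hunk and should be changed together with it. The dd invocation that follows is cut off by the hunk, so the "128 bytes" figure in the message cannot be checked here against the dd block count; worth confirming they agree.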
@@ -96,7 +96,7 @@ reseal_tpm_disk_decryption_key() {
 fi
 if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then
- warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements cannot be unsealed"
+ warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements could not unseal TOTP"
 echo "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
 while ! kexec-seal-key /boot; do
 warn "Recovery Disk Encryption key passphrase invalid. Try again!"