parent
8b0fc0f129
commit
e291797e65
@ -263,7 +263,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
|
|||||||
save_key_params="$save_key_params $key_devices"
|
save_key_params="$save_key_params $key_devices"
|
||||||
fi
|
fi
|
||||||
kexec-save-key $save_key_params ||
|
kexec-save-key $save_key_params ||
|
||||||
die "Failed to save the disk key"
|
die "Failed to save the TPM Disk Unlock Key"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -292,17 +292,13 @@ fi
|
|||||||
|
|
||||||
if [ "$save_key" = "y" ]; then
|
if [ "$save_key" = "y" ]; then
|
||||||
# logic to parse OS initrd to extract crypttab, its filepaths and its OS defined options
|
# logic to parse OS initrd to extract crypttab, its filepaths and its OS defined options
|
||||||
mkdir -p /tmp/initrd_extract
|
initrd_decompressed="/tmp/initrd_extract"
|
||||||
cd /tmp/initrd_extract
|
mkdir -p "$initrd_decompressed"
|
||||||
# Get initrd filename selected to be default initrd that OS could be using to configure LUKS on boot by deploying crypttab files
|
# Get initrd filename selected to be default initrd that OS could be using to configure LUKS on boot by deploying crypttab files
|
||||||
current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g')
|
current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g')
|
||||||
|
|
||||||
# Get crypttab files paths from initrd
|
|
||||||
echo "+++ Checking current selected default boot's $current_default_initrd for existing crypttab files..."
|
|
||||||
# First either decompress or use the original if it's not compressed
|
|
||||||
initrd_decompressed="/tmp/initrd_extract"
|
|
||||||
echo "+++ Extracting current selected default boot's $current_default_initrd to find crypttab files..."
|
echo "+++ Extracting current selected default boot's $current_default_initrd to find crypttab files..."
|
||||||
unpack_initramfs.sh "$current_default_initrd" "$initrd_decompressed" >/dev/null 2>&1 || true
|
unpack_initramfs.sh "$current_default_initrd" "$initrd_decompressed"
|
||||||
crypttab_files=$(find "$initrd_decompressed" | grep crypttab 2>/dev/null) || true
|
crypttab_files=$(find "$initrd_decompressed" | grep crypttab 2>/dev/null) || true
|
||||||
|
|
||||||
if [ ! -z "$crypttab_files" ]; then
|
if [ ! -z "$crypttab_files" ]; then
|
||||||
@ -310,19 +306,18 @@ if [ "$save_key" = "y" ]; then
|
|||||||
rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true
|
rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true
|
||||||
|
|
||||||
#Parsing each crypttab file found
|
#Parsing each crypttab file found
|
||||||
echo "$crypttab_files" | while read filepath; do
|
echo "$crypttab_files" | while read crypttab_file; do
|
||||||
# Keep only non-commented lines
|
# Change crypttab file path to be relative to initrd for string manipulation
|
||||||
current_filepath_entries=$(cat "$filepath" | grep -v "^#")
|
final_initrd_filepath=${crypttab_file#/tmp/initrd_extract}
|
||||||
DEBUG "Found crypttab entries in $filepath: $current_filepath_entries"
|
DEBUG "Final initramfs crypttab path:$final_initrd_filepath"
|
||||||
# Modify each retained crypttab line to contain to be injected /secret.key at next default boots
|
# Keep only non-commented lines for crypttab entries
|
||||||
modified_filepath_entries=$(echo "$current_filepath_entries" | sed 's/none/\/secret.key/g')
|
current_crypttab_entries=$(cat "$crypttab_file" | grep -v "^#")
|
||||||
DEBUG "Modified crypttab entries in $filepath: $modified_filepath_entries"
|
DEBUG "Found initrd crypttab entries $final_initrd_filepath:$current_crypttab_entries"
|
||||||
# Get the relative path of the filepath which will correspond to local path of the crypttab file in initrd
|
# Modify each retained crypttab line for /secret.key under intramfs to be considered as a keyfile
|
||||||
initrd_filepath_entries=$(echo "$modified_filepath_entries" | cut -d'/' -f3-)
|
modified_crypttab_entries=$(echo "$current_crypttab_entries" | sed 's/none/\/secret.key/g')
|
||||||
DEBUG "Modified crypttab initrd local path entries in $filepath: $initrd_filepath_entries"
|
DEBUG "Modified crypttab entries $final_initrd_filepath:$modified_crypttab_entries"
|
||||||
echo "$initrd_filepath_entries" | while read initrd_filepath_entry; do
|
echo "$modified_crypttab_entries" | while read modified_crypttab_entry; do
|
||||||
# Append each found filepath:entry into additional kexec_ file that will be part of detached signed digest
|
echo "$final_initrd_filepath:$modified_crypttab_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
|
||||||
echo "$modified_filepath_entries:$initrd_filepath_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt
|
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
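Review bot: The extraction directory `/tmp/initrd_extract` is only `mkdir -p`'d and never emptied before `unpack_initramfs.sh` runs in the second hunk, so unless it is cleared somewhere not visible here, crypttab files left over from a previously extracted (possibly different) initrd survive into the `find` and get appended to `kexec_initrd_crypttab_overrides.txt`, which the comment says becomes part of the detached signed digest. Dropping the `|| true` on the unpack call makes this worse if the script does not run under `set -e`: a failed unpack of the current initrd leaves exactly that stale content to be picked up. I would wipe the directory first, `rm -rf -- "${initrd_decompressed:?}"` immediately before `mkdir -p "$initrd_decompressed"`. The third hunk's `${crypttab_file#/tmp/initrd_extract}` should also become `${crypttab_file#"$initrd_decompressed"}` so the prefix is defined in one place.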
|