Make it possible to report headers of which LUKSes to be unlocked via TPM change.

2024-12-18 20:47:55 +00:00 · 2022-01-20 14:45:48 +02:00 · 2022-01-20 14:45:48 +02:00 · ed1c23aaa3
commit ed1c23aaa3
parent b4b0bc4a7a
2 changed files with 5 additions and 0 deletions
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@ -51,6 +51,8 @@ tpm extend -ix 4 -ic generic \

 # Check to continue
 if [ "$unseal_failed" = "y" ]; then
+	diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt \
+		&& echo "Headers of LUKSes to be unlocked via TPM do not change."
 	confirm_boot="n"
 	read \
 		-n 1 \
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -152,3 +152,6 @@ fi

 shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \
 || warn "Failed to delete the sealed secret - continuing"
+
+cp /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" \
+|| warn "Failed to have hashes of LUKS header - continuing"