ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 04:57:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make it possible to report headers of which LUKSes to be unlocked via TPM change.

Browse Source
This commit is contained in:
HardenedVault 2022-01-20 14:45:48 +02:00
parent b4b0bc4a7a
commit ed1c23aaa3
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
initrd/bin/kexec-insert-key
View File

@ -51,6 +51,8 @@ tpm extend -ix 4 -ic generic \
# Check to continue # Check to continue
if [ "$unseal_failed" = "y" ]; then if [ "$unseal_failed" = "y" ]; then
diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt \
&& echo "Headers of LUKSes to be unlocked via TPM do not change."
confirm_boot="n" confirm_boot="n"
read \ read \
-n 1 \ -n 1 \

3
initrd/bin/kexec-seal-key
View File

@ -152,3 +152,6 @@ fi
shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \ shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \
|| warn "Failed to delete the sealed secret - continuing" || warn "Failed to delete the sealed secret - continuing"
cp /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" \
|| warn "Failed to have hashes of LUKS header - continuing"