From ed1c23aaa3f8d5264c5b6e5f66ad359406bed166 Mon Sep 17 00:00:00 2001
From: HardenedVault
Date: Thu, 20 Jan 2022 14:45:48 +0200
Subject: [PATCH] Make it possible to report headers of which LUKSes to be unlocked via TPM change.

---
 initrd/bin/kexec-insert-key | 2 ++
 initrd/bin/kexec-seal-key | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
index 5b4020ec..37ff6456 100755
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@@ -51,6 +51,8 @@ tpm extend -ix 4 -ic generic \
 # Check to continue
 if [ "$unseal_failed" = "y" ]; then
+ diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt \
+ && echo "Headers of LUKSes to be unlocked via TPM do not change."
 confirm_boot="n"
 read \
 -n 1 \
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 7000070b..a12ad563 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -152,3 +152,6 @@ fi
 shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \
 || warn "Failed to delete the sealed secret - continuing"
+
+cp /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" \
+|| warn "Failed to have hashes of LUKS header - continuing"
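Review bot: The new `diff … && echo` in kexec-insert-key only reports the benign case; when the recorded LUKS header hashes differ from /tmp/luksDump.txt, or when the recorded file is missing entirely, the user gets no explicit message before being asked whether to continue, and this is precisely the case the unseal failure makes security-relevant. `$INITRD` is also unquoted inside `$(dirname $INITRD)`, so a path containing whitespace breaks the comparison. I would turn the pair into an explicit `if`/`else` that speaks in both branches, using `warn` if it is in scope here as it is in kexec-seal-key, and quoting `"$INITRD"`; the recorded hash file is presumably only as trustworthy as the rest of the params directory, so it is worth confirming it is covered by whatever integrity check the other kexec_*.txt files get. The enclosing `if [ "$unseal_failed" = "y" ]` block continues outside the hunk.
```shell
if [ "$unseal_failed" = "y" ]; then
	if diff "$(dirname "$INITRD")/kexec_lukshdr_hash.txt" /tmp/luksDump.txt; then
		echo "Headers of LUKSes to be unlocked via TPM do not change."
	else
		warn "Headers of LUKSes to be unlocked via TPM differ from the recorded hashes (or the record is missing)"
	fi
	# … unchanged: confirm_boot prompt …
```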
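Review bot: The `cp` added at the end of kexec-seal-key assumes /tmp/luksDump.txt exists at this point; if the sealing path did not produce it, cp prints its own error and the warning text does not say what actually went wrong. A guard that names the condition reads better: `[ -r /tmp/luksDump.txt ] || warn "No LUKS header hashes were collected - nothing recorded"` before the copy, and the warning itself should read `|| warn "Failed to save LUKS header hashes - continuing"`. Since kexec-insert-key will compare against this file to decide whether the LUKS headers changed, it should be included in the same signing or measurement that protects the other files in `$paramsdir`; I cannot tell from the hunk whether that happens automatically.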