From 70572fd1006842ead4f25dc73c3dfb5408a2fa91 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Wed, 13 Apr 2022 14:24:59 -0400
Subject: [PATCH] oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key

This continues to generate checksums and sign them per new GPG User PIN, but does not set a default boot option. The user hitting Default Boot on reboot will go through having to setup a new boot default, which will ask him to setup a Disk Unlock Key if desired. Otherwise, hitting Default Boot goes into asking the user for its Disk Recovery Key passphrase, and requires to manually setup a default boot option.
---
 initrd/bin/oem-factory-reset | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 48bf6d8d..67ea5adc 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -156,6 +156,11 @@ generate_checksums()
 mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot"
 fi
 
+#Check if previous TPM Disk unlock Key was set
+if [ -e /boot/kexec_key_devices.txt ]; then
+TPM_DISK_ENCRYPTION_KEY_SET=1
+fi
+
 # clear any existing checksums/signatures
 rm /boot/kexec* 2>/dev/null
 
@@ -181,8 +186,10 @@ generate_checksums()
 echo "0" > /boot/kexec_hotp_counter
 fi
 
-# set default boot option
-set_default_boot_option
+# set default boot option only if no TPM Disk Unlock Key previously set
+if [ -z "$TPM_DISK_ENCRYPTION_KEY_SET" ]; then
+set_default_boot_option
+fi
 
 # generate hashes
 find /boot -type f ! -name '*kexec*' -print0 \
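Review bot: `TPM_DISK_ENCRYPTION_KEY_SET` is only ever assigned when kexec_key_devices.txt exists and is never cleared first, so a value inherited from the environment or left over from an earlier run of generate_checksums in the same shell would keep the `-z` test in the second hunk false and silently skip set_default_boot_option; initialise it right before the check with `TPM_DISK_ENCRYPTION_KEY_SET=`. The comment should also state what the flag means once the `rm /boot/kexec*` that follows has deleted kexec_key_devices.txt, since the name reads as if a key is still configured: `# Remember whether a TPM Disk Unlock Key was configured before the rm below wipes /boot/kexec*`. A space after `#` would match the other comments in this function. generate_checksums() begins and ends outside both hunks.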