mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 20:47:55 +00:00
79da79a5e4
Restricted Boot mode only allows booting from signed files, whether that is signed kernels in /boot or signed ISOs on mounted USB disks. This disables booting from abitrary USB disks as well as the forced "unsafe" boot mode. This also disables the recovery console so you can't bypass this mode simply by running kexec manually. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
15 lines
410 B
Bash
Executable File
15 lines
410 B
Bash
Executable File
#!/bin/bash
|
|
# Wipe the sealed TOTP/HOTP secret. The secret is overwritten with all-0,
|
|
# rather than deleted, because deletion requires authorization. Wiping the
|
|
# secret will cause the next boot to prompt to regenerate the secret.
|
|
|
|
. /etc/functions
|
|
|
|
TPM_NVRAM_SPACE=4d47
|
|
TPM_SIZE=312
|
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
tpmr destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \
|
|
|| die "Unable to wipe sealed secret"
|
|
fi
|