heads

mirror of https://github.com/linuxboot/heads.git synced 2025-03-23 12:35:24 +00:00

History

Thierry Laurion adda59c675

LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.

Fixes linuxboot#1092.
Supersedes linuxboot#1093

- Cherry-picks ed1c23a (credit to @hardened-vault) thank you!)
- Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical as in ed1c23a
  - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

2024-04-11 14:44:07 -04:00

.gnupg

gpg2: make sure dirmngr is not spawn to refresh keys under initrd/.gnupg/gpg.conf

2024-01-09 12:53:56 -05:00

bin

LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.

2024-04-11 14:44:07 -04:00

etc

Update tails.key

2024-04-04 02:42:02 +02:00

run/cryptsetup

[WIP] cross build json-c and cryptsetup