pre-pivot.sh: only wait for tpmrm0 if clevis is used
parent
e4226db63f
commit
832454ea89
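--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -28,7 +28,6 @@ case "$root" in
 rootok=1 ;;
 esac
 
-udevadm settle --exit-if-exists=/dev/tpmrm0
 udevadm settle --exit-if-exists="$root"
 
 unset FOUND
@@ -50,13 +49,15 @@ for datadev in $disk*; do
 done
 
 if cryptsetup isLuks --type luks2 "$datadev"; then
-export TPM2TOOLS_TCTI_NAME=device
-export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
 luksname=luks-$(blkid -o value -s UUID "$datadev")
 mapdev=/dev/mapper/$luksname
 
 if ! [[ -b $mapdev ]]; then
 if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
+udevadm settle --exit-if-exists=/dev/tpmrm0
+export TPM2TOOLS_TCTI_NAME=device
+export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
 if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
 echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
 clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"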
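Review bot: In the second hunk the `udevadm settle --exit-if-exists=/dev/tpmrm0` wait and the two `TPM2TOOLS_*` exports now sit inside `if ! cryptsetup luksDump "$datadev" | grep -F -q clevis`, so they run only while the volume has no clevis binding yet. The other side of that `if` is outside the hunk; if it also unlocks through clevis and the TPM (presumably the path taken on every later boot), it now runs without waiting for the resource-manager device and without the TCTI pinned to `/dev/tpmrm0`. Keeping the three lines directly under `if ! [[ -b $mapdev ]]; then`, ahead of the `luksDump` test, would cover both paths while still skipping the wait for non-LUKS2 disks. The result of the settle is also not checked in the visible lines; a guard such as `[[ -c /dev/tpmrm0 ]] || die "TPM resource manager device not available"` after it would fail with a clear message instead of a later clevis error.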