harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

pre-pivot.sh: only wait for tpmrm0 if clevis is used

Browse source
This commit is contained in:
Harald Hoyer 2018-09-05 13:17:31 +02:00
parent e4226db63f
commit 832454ea89
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
pre-pivot.sh
View file

@ -28,7 +28,6 @@ case "$root" in
rootok=1 ;;
esac
udevadm settle --exit-if-exists=/dev/tpmrm0
udevadm settle --exit-if-exists="$root"
unset FOUND
@ -50,13 +49,15 @@ for datadev in $disk*; do
done
if cryptsetup isLuks --type luks2 "$datadev"; then
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
luksname=luks-$(blkid -o value -s UUID "$datadev")
mapdev=/dev/mapper/$luksname
if ! [[ -b $mapdev ]]; then
if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
udevadm settle --exit-if-exists=/dev/tpmrm0
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"