From a2f5682cec2e96c1cc52298420dd086560c3780e Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 5 Sep 2018 15:12:53 +0200
Subject: [PATCH] pre-pivot.sh: don't remove the initial keyslot

It is needed, if the user wants to set a password
---
 pre-pivot.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pre-pivot.sh b/pre-pivot.sh
index 28472d5..07d6078 100644
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -58,10 +58,8 @@
 if cryptsetup isLuks --type luks2 "$datadev"; then
 export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
 if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
- echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
 clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
 elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
- echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
 clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
 else
 warn "Failed to bind disk to TPM2"
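Review bot: With the two `luksRemoveKey` lines gone, the well-known passphrase `zero key` — a literal visible in the script itself — stays valid in a LUKS keyslot on `$datadev` after the TPM2 binding, so anyone who obtains the disk can unlock it without the TPM and the PCR 7 policy protects nothing. The commit message says the slot is kept so a user can set a password later; if that is the intent, the step that sets the password should also retire this slot (for example `cryptsetup luksChangeKey "$datadev"` from the zero key to the user's passphrase, or `luksAddKey` followed by `luksRemoveKey` of `zero key`), and whether such a step exists is not visible from this hunk. At minimum the bind lines deserve a comment so the next reader does not assume the disk is TPM-sealed: `# NOTE: the well-known "zero key" passphrase is deliberately left in its keyslot so a later step can add a user password; until that step removes it, the TPM2 binding gives no protection against offline access.` The enclosing `if cryptsetup isLuks` block closes outside the hunk.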