From 86be5860c4a017704e7a0f3bceb37a9acc639133 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Mon, 19 Aug 2024 14:12:43 -0700
Subject: [PATCH 1/5] feat: add optional pin for luks tpm2 unlock just command (#297)
Co-authored-by: Kyle Gospodnetich
---
 build/ublue-os-luks/luks-enable-tpm2-autounlock | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index 0e232c96..cb5741de 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
@@ -43,6 +43,13 @@ else
 exit 1
 fi
 
+SET_PIN_ARG=""
+read -p "Would you like to set a pin? " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+ SET_PIN_ARG=" --tpm2-with-pin=yes "
+fi
+
 # Specify Crypt Disk by-uuid
 CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
 
@@ -63,7 +70,7 @@ fi
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$SET_PIN_ARG" "$CRYPT_DISK"
 
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
From ed22efb47b6872462e19a3268f7e650618563fc4 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Mon, 19 Aug 2024 15:00:25 -0700
Subject: [PATCH 2/5] feat: add warning about faulTPM (#313)
Co-authored-by: Kyle Gospodnetich
---
 build/ublue-os-luks/luks-enable-tpm2-autounlock | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index cb5741de..aacc064f 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
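Review bot: In the second hunk `"$SET_PIN_ARG"` is passed as a single quoted argument, so as far as I can tell systemd-cryptenroll gets an empty positional argument when no PIN was chosen and the literal ` --tpm2-with-pin=yes ` (padding spaces included, so not recognised as an option) when one was, and enrollment is unlikely to succeed in either case. PATCH 3/5 later removes the quotes, which makes it work through word-splitting but leaves the SC2086 pattern in place; collecting the options in an array fixes both hunks without relying on splitting. The PIN prompt itself is a worthwhile addition, since a PIN-protected enrollment means physical possession of the machine alone does not unlock the root device, which is the usual reason to bind LUKS to a TPM at all. The `fi` at the top of the first hunk closes an `if`/`else` that starts outside the hunk.
```shell
ENROLL_ARGS=(--tpm2-device=auto --tpm2-pcrs=7)
read -p "Would you like to set a pin? " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
  ENROLL_ARGS+=(--tpm2-with-pin=yes)
fi
# … unchanged: CRYPT_DISK assignment, checks between the two hunks, enrol prompt …
systemd-cryptenroll "${ENROLL_ARGS[@]}" "$CRYPT_DISK"
```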
@@ -4,6 +4,11 @@ set -eou pipefail
 
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
+echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
+echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
+echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
+echo "If you have an AMD CPU, you likely shouldn't use this!"
+echo "----------------------------------------------------------------------------"
 echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
 echo "This script will modify your system."
From a25680da96900da51dfa6aab37d75b02f93e7b4f Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Tue, 20 Aug 2024 08:58:59 -0700
Subject: [PATCH 3/5] feat: use PCR 14 as well for tpm2 unlock (#315)
* feat: use PCR 14 as well for tpm2 unlock
* remove unnecessary parentheses
---
 build/ublue-os-luks/luks-enable-tpm2-autounlock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index aacc064f..09d52dd9 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
@@ -13,7 +13,7 @@ echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
 echo "This script will modify your system."
 echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
-echo "It will bind to PCR 7 only which is tied to your secureboot state."
+echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
 read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
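Review bot: The faulTPM warning is printed unconditionally and nothing in the script acts on it, so an AMD user reaches the same generic "Are you sure" prompt as everyone else and the warning is easy to scroll past. The vendor is readable from `/proc/cpuinfo`, so the block could be gated with `if grep -q '^vendor_id.*AuthenticAMD' /proc/cpuinfo; then` and, in that branch, demand a separate explicit confirmation (or refuse unless an override is given) rather than only printing text; users on other vendors would then not see a warning that does not apply to them. A one-line comment above the block stating what the advisory actually covers, hedged if needed, such as `# faulTPM affects AMD firmware TPMs (fTPM); confirm whether a discrete TPM is in scope before relaxing this`, would also stop the next maintainer from guessing at the scope from the CPU-generation list.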
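Review bot: The new message says `which is tied`; with two PCRs it should be `which are tied`, and `moklist` is clearer as `MOK list`. More useful to the user deciding at this prompt is what the PCR 14 binding implies: that register is expected to change whenever the MOK list changes (enrolling or removing a key through shim's MOK manager), after which the TPM2 keyslot no longer unseals and the LUKS passphrase is required until this script is run again; that is the intended protective property of the binding, but the user should be told before consenting. Suggested wording: `echo "It will bind to PCR 7 and 14, which are tied to your Secure Boot and MOK list state; changing either requires re-running this script."` The `if` on the hunk's last line continues outside the hunk.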
@@ -75,7 +75,7 @@ fi
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$SET_PIN_ARG" "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 $SET_PIN_ARG "$CRYPT_DISK"
 
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
From 735feb80cebfe28bea626063a313111b7b1c13c9 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Wed, 21 Aug 2024 15:29:27 -0700
Subject: [PATCH 4/5] feat: set Recommends=false by default to minimize layer size (#316)
https://github.com/coreos/rpm-ostree/pull/4974
https://github.com/ublue-os/main/issues/632
---
 files/etc/rpm-ostreed.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/files/etc/rpm-ostreed.conf b/files/etc/rpm-ostreed.conf
index aa5106e3..747a445f 100644
--- a/files/etc/rpm-ostreed.conf
+++ b/files/etc/rpm-ostreed.conf
@@ -5,3 +5,4 @@
 [Daemon]
 AutomaticUpdatePolicy=stage
 #IdleExitTimeout=60
+Recommends=false
From 79101cd310a2ebbdd0b8c91460d74d8f5dd0a7e1 Mon Sep 17 00:00:00 2001
From: "Jorge O. Castro"
Date: Sun, 25 Aug 2024 01:57:08 -0400
Subject: [PATCH 5/5] Revert "feat: set Recommends=false by default to minimize layer size (#316)" (#317)
This reverts commit 735feb80cebfe28bea626063a313111b7b1c13c9.
---
 files/etc/rpm-ostreed.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/files/etc/rpm-ostreed.conf b/files/etc/rpm-ostreed.conf
index 747a445f..aa5106e3 100644
--- a/files/etc/rpm-ostreed.conf
+++ b/files/etc/rpm-ostreed.conf
@@ -5,4 +5,3 @@
 [Daemon]
 AutomaticUpdatePolicy=stage
 #IdleExitTimeout=60
-Recommends=false