fix: luks allow wipe for re-enroll and improve prompt/output #336

Merged
merged 4 commits into from
Nov 2, 2024
4 changes: 2 additions & 2 deletions build/ublue-os-luks/luks-disable-tpm2-autounlock
Expand Up @@ -6,7 +6,8 @@ set -euo pipefail

echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."
echo "You can review systemd-cryptenroll's manpage for more information."
read -p "This will modify your system and disable TPM2 auto-unlock of your LUKS partition! Are you sure you are good with this? " -n 1 -r
echo "This will modify your system and disable TPM2 auto-unlock of your LUKS partition!"
read -p "Are you sure are good with this and want to disable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
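Review bot: the reworded prompt on the new `read -p` line still carries the original typo "Are you sure are good with this" (missing "you"); since this line is being touched anyway, suggest "Are you sure you are good with this and want to disable TPM2 auto-unlock? (y/N): ". The added "(y/N)" default is consistent with the `^[Yy]$` test below, which treats anything other than y/Y as "no".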
Expand Down Expand Up @@ -78,4 +79,3 @@ else
fi

echo "TPM2 auto-unlock disabled..."
echo "To reenroll TPM2 auto unlock please run ujust setup-luks-tpm-unlock..."
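Review bot: deleting `echo "To reenroll TPM2 auto unlock please run ujust setup-luks-tpm-unlock..."` removes the only hint the disable script gives on how to get auto-unlock back. If the recipe name in that line was wrong, consider replacing it with the correct one rather than dropping the hint, so a user who disables auto-unlock still knows which script re-enrolls it.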
19 changes: 13 additions & 6 deletions build/ublue-os-luks/luks-enable-tpm2-autounlock
Expand Up @@ -14,7 +14,7 @@ echo "You can review systemd-cryptenroll's manpage for more information."
echo "This script will modify your system."
echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
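Review bot: same typo as in the disable script on the changed `read -p` line, "Are you sure are good with this" should read "Are you sure you are good with this and want to enable TPM2 auto-unlock? (y/N): ". Also, in the unchanged context line `echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."`, "which is tied" should be "which are tied" since two PCRs are named.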
Expand Down Expand Up @@ -49,7 +49,7 @@ else
fi

SET_PIN_ARG=""
read -p "Would you like to set a pin? " -n 1 -r
read -p "Would you like to set a PIN? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
SET_PIN_ARG=" --tpm2-with-pin=yes "
Expand All @@ -67,10 +67,17 @@ fi

if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK."
echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
echo "TPM2 already present in LUKS keyslot $KEYSLOT of $CRYPT_DISK."
read -p "Wipe it and re-enroll? (y/N): " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
else
echo
echo "Either clear the existing TPM2 keyslot before retrying, else choose 'y' next time."
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
fi

## Run crypt enroll
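Review bot: `systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"` runs before the enrollment under `## Run crypt enroll`, so if the subsequent enrollment fails (TPM error, PCR policy problem, PIN entry aborted) the user is left with no TPM2 slot at all, relying on the passphrase slot alone, with no message explaining that the old enrollment is already gone. systemd-cryptenroll accepts `--wipe-slot=` together with the enrollment options in one invocation and adds the new slot before wiping the old ones, so passing `--wipe-slot=tpm2` to the enrollment command when the user answered "y" would keep the disk in a consistent state on failure. Two smaller points: `--wipe-slot=tpm2` removes every TPM2 slot, while the message above reports only `$KEYSLOT`, so the prompt could say "Wipe all TPM2 enrollments and re-enroll?"; and the else-branch message "Either clear the existing TPM2 keyslot before retrying, else choose 'y' next time." should read "Either clear ... before retrying, or answer 'y' next time." Note that the removed line pointing at `ujust remove-luks-tpm2-autounlock` is no longer shown in this branch either, so a user who answers "n" gets no pointer to the disable script.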