diff --git a/build/ublue-os-luks/luks-disable-tpm2-autounlock b/build/ublue-os-luks/luks-disable-tpm2-autounlock
index e8eadacc..ae1aa910 100755
--- a/build/ublue-os-luks/luks-disable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-disable-tpm2-autounlock
@@ -29,26 +29,28 @@ if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
 printf "Exiting...\n"
 exit 1
 fi
-
+DISKS=(${RD_LUKS_UUID})
+CRYPT_DISKS=()
 # Cut off the luks-
 LUKS_PREFIX="luks-"
-if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
- DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
-else
- echo "LUKS UUID format mismatch."
- echo "Exiting..."
- exit 1
-fi
-
-# Specify Crypt Disk by-uuid
-CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+for disk in ${DISKS[@]}; do
+ if grep -q ^${LUKS_PREFIX} <<< "${disk}"; then
+ CRYPT_DISKS+=("/dev/disk/by-uuid/"${disk#"$LUKS_PREFIX"})
+ else
+ echo "LUKS UUID format mismatch."
+ echo "Exiting..."
+ exit 1
+ fi
+done
 
 # Check to make sure crypt disk exists
-if [[ ! -L "$CRYPT_DISK" ]]; then
- printf "LUKS device not listed in block devices.\n"
- printf "Exiting...\n"
- exit 1
-fi
+for disk in ${CRYPT_DISKS[@]}; do
+ if [[ ! -L "$disk" ]]; then
+ printf "LUKS device $disk not listed in block devices.\n"
+ printf "Exiting...\n"
+ exit 1
+ fi
+done
 
 ## Restore the crypttab
 cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
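Review bot: `DISKS=(${RD_LUKS_UUID})` relies on unquoted word-splitting to turn the UUID list into array elements, and that is the only expansion in this hunk that should stay unquoted; `for disk in ${DISKS[@]}` and `for disk in ${CRYPT_DISKS[@]}` should be `"${DISKS[@]}"` and `"${CRYPT_DISKS[@]}"`, and a comment such as `# intentionally unquoted: splits the space-separated UUID list into elements` above the array line would stop a later quoting pass from breaking it. The guard kept as context above the hunk, `grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)"`, still searches lsblk output for the whole string, so if RD_LUKS_UUID can really hold more than one UUID the script presumably exits there before the new loop is reached; that check belongs inside the per-disk loop. `printf "LUKS device $disk not listed in block devices.\n"` puts data into the format string; prefer `printf 'LUKS device %s not listed in block devices.\n' "$disk"`. The same two loops appear in the luks-enable-tpm2-autounlock hunk below and need the same treatment.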
@@ -58,12 +60,15 @@ if [ -f /etc/crypttab.known-good ]; then
 fi
 
 ## Wipe luks slot
-if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
- echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
- systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
-else
- echo "No systemd-tpm2 found in LUKS to wipe"
-fi
+for disk in ${CRYPT_DISKS[@]}; do
+ cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null
+ if [ 0 -eq $? ]; then
+ echo "Wiping systemd-tpm2 from LUKS on $disk"
+ systemd-cryptenroll --wipe-slot=tpm2 $disk
+ else
+ echo "No systemd-tpm2 found in LUKS to wipe"
+ fi
+done
 
 ## Disable initramfs
 if rpm-ostree initramfs | grep tpm2 > /dev/null; then
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index 0e232c96..0a26083a 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
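Review bot: `cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null` followed by `if [ 0 -eq $? ]` runs the pipeline outside a condition, so if this script runs under `set -e`/`pipefail` like its sibling luks-enable-tpm2-autounlock does, a disk with no tpm2 token makes grep return 1 and the script aborts before the else branch can ever print "No systemd-tpm2 found in LUKS to wipe". Fold the test into the `if` and quote the path: `if cryptsetup luksDump "$disk" | grep -q systemd-tpm2; then`, dropping the separate `$?` line; `systemd-cryptenroll --wipe-slot=tpm2 $disk` should likewise use `"$disk"`. The second loop in the luks-enable-tpm2-autounlock hunk further down carries the same stray unguarded `cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null` line immediately before its `if`, and there it sits on the normal fresh-enrollment path where no token exists yet.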
@@ -1,15 +1,12 @@
 #!/bin/bash
-## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
-set -eou pipefail
+## disable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+set -euo pipefail
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
-echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
+echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
-echo "This script will modify your system."
-echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
-echo "It will bind to PCR 7 only which is tied to your secureboot state."
-read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
+read -p "This will modify your system and disable TPM2 auto-unlock of your LUKS partition! Are you sure you are good with this? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
 [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
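Review bot: The replacement header comment and prompts in luks-enable-tpm2-autounlock now describe the opposite operation — `## disable auto-unlock LUKS2 encrypted root`, `echo "This script utilizes systemd-cryptenroll for removing tpm2 auto-unlock."` and a `read -p` that asks the user to confirm disabling TPM2 auto-unlock — while the script still runs `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7` per disk in the later hunk, which is exactly what the deleted lines told the user. The confirmation prompt is the only place the user learns that the boot unlock path is about to change, so it must state the real action: restore wording along the lines of `read -p "This will modify your system and enable TPM2 auto-unlock (bound to PCR 7) of your LUKS partition! Are you sure you are good with this? " -n 1 -r` together with the original `## setup auto-unlock ...` comment. The `-eou` to `-euo` reordering is fine to keep.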
@@ -33,38 +30,51 @@ if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
 exit 1
 fi
+DISKS=(${RD_LUKS_UUID})
+CRYPT_DISKS=()
 # Cut off the luks-
 LUKS_PREFIX="luks-"
-if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
- DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
-else
- echo "LUKS UUID format mismatch."
- echo "Exiting..."
- exit 1
-fi
-
-# Specify Crypt Disk by-uuid
-CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+for disk in ${DISKS[@]}; do
+ if grep -q ^${LUKS_PREFIX} <<< "${disk}"; then
+ CRYPT_DISKS+=("/dev/disk/by-uuid/"${disk#"$LUKS_PREFIX"})
+ else
+ echo "LUKS UUID format mismatch for disk $disk."
+ echo "Exiting..."
+ exit 1
+ fi
+done
 
 # Check to make sure crypt disk exists
-if [[ ! -L "$CRYPT_DISK" ]]; then
- printf "LUKS device not listed in block devices.\n"
- printf "Exiting...\n"
- exit 1
-fi
+for disk in ${CRYPT_DISKS[@]}; do
+ if [[ ! -L "$disk" ]]; then
+ printf "LUKS device $disk not listed in block devices.\n"
+ printf "Exiting...\n"
+ exit 1
+ fi
+done
 
-if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
- KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
- echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK."
- echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
- echo "Exiting..."
- [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
-fi
+
+for disk in ${CRYPT_DISKS[@]}; do
+ cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null
+ if cryptsetup luksDump "$disk" | grep systemd-tpm2 > /dev/null; then
+ KEYSLOT=$(cryptsetup luksDump "$disk"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
+ echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $disk."
+ echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
+ echo "Exiting..."
+ [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
+ fi
+done
+
+## modify the crypttab
+sed -i "s/discard/discard,tpm2-device=auto/" /etc/crypttab
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
-
+echo
+for disk in ${CRYPT_DISKS[@]}; do
+ echo "Enrolling TPM2 unlock for $disk"
+ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $disk
+done
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
 ## add tpm2-tss to initramfs