Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add ability to handle multiple encrypted disks with luks-tpm. #294

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Add ability to handle multiple encrypted disks with luks-tpm. #294

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 27 additions & 22 deletions build/ublue-os-luks/luks-disable-tpm2-autounlock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,26 +29,28 @@ if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
printf "Exiting...\n"
exit 1
fi

DISKS=(${RD_LUKS_UUID})
CRYPT_DISKS=()
# Cut off the luks-
LUKS_PREFIX="luks-"
if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi

# Specify Crypt Disk by-uuid
CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
for disk in ${DISKS[@]}; do
if grep -q ^${LUKS_PREFIX} <<< "${disk}"; then
CRYPT_DISKS+=("/dev/disk/by-uuid/"${disk#"$LUKS_PREFIX"})
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi
done

# Check to make sure crypt disk exists
if [[ ! -L "$CRYPT_DISK" ]]; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
for disk in ${CRYPT_DISKS[@]}; do
if [[ ! -L "$disk" ]]; then
printf "LUKS device $disk not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
done

## Restore the crypttab
cp -a /etc/crypttab /etc/crypttab.working-before-disable-tpm2
Expand All @@ -58,12 +60,15 @@ if [ -f /etc/crypttab.known-good ]; then
fi

## Wipe luks slot
if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
echo "Wiping systemd-tpm2 from LUKS on $CRYPT_DISK"
systemd-cryptenroll --wipe-slot=tpm2 "$CRYPT_DISK"
else
echo "No systemd-tpm2 found in LUKS to wipe"
fi
for disk in ${CRYPT_DISKS[@]}; do
cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null
if [ 0 -eq $? ]; then
echo "Wiping systemd-tpm2 from LUKS on $disk"
systemd-cryptenroll --wipe-slot=tpm2 $disk
else
echo "No systemd-tpm2 found in LUKS to wipe"
fi
done

## Disable initramfs
if rpm-ostree initramfs | grep tpm2 > /dev/null; then
Expand Down
63 changes: 38 additions & 25 deletions build/ublue-os-luks/luks-enable-tpm2-autounlock
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#!/bin/bash
## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
## enable auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
set -eou pipefail

[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
Expand Down Expand Up @@ -33,38 +33,51 @@ if ! grep -q "${RD_LUKS_UUID}" <<< "$(lsblk)" ; then
exit 1
fi

DISKS=(${RD_LUKS_UUID})
CRYPT_DISKS=()
# Cut off the luks-
LUKS_PREFIX="luks-"
if grep -q ^${LUKS_PREFIX} <<< "${RD_LUKS_UUID}"; then
DISK_UUID=${RD_LUKS_UUID#"$LUKS_PREFIX"}
else
echo "LUKS UUID format mismatch."
echo "Exiting..."
exit 1
fi

# Specify Crypt Disk by-uuid
CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
for disk in ${DISKS[@]}; do
if grep -q ^${LUKS_PREFIX} <<< "${disk}"; then
CRYPT_DISKS+=("/dev/disk/by-uuid/"${disk#"$LUKS_PREFIX"})
else
echo "LUKS UUID format mismatch for disk $disk."
echo "Exiting..."
exit 1
fi
done

# Check to make sure crypt disk exists
if [[ ! -L "$CRYPT_DISK" ]]; then
printf "LUKS device not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
for disk in ${CRYPT_DISKS[@]}; do
if [[ ! -L "$disk" ]]; then
printf "LUKS device $disk not listed in block devices.\n"
printf "Exiting...\n"
exit 1
fi
done

if cryptsetup luksDump "$CRYPT_DISK" | grep systemd-tpm2 > /dev/null; then
KEYSLOT=$(cryptsetup luksDump "$CRYPT_DISK"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK."
echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi

for disk in ${CRYPT_DISKS[@]}; do
cryptsetup luksDump $disk | grep systemd-tpm2 > /dev/null
if cryptsetup luksDump "$disk" | grep systemd-tpm2 > /dev/null; then
KEYSLOT=$(cryptsetup luksDump "$disk"|grep -A29 systemd-tpm2|grep Keyslot|awk '{print $2}')
echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $disk."
echo "Remove the existing TPM2 enrollment with ujust remove-luks-tpm2-autounlock"
echo "Exiting..."
[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
fi
done

## modify the crypttab
sed -i "s/discard/discard,tpm2-device=auto/" /etc/crypttab

## Run crypt enroll
echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"

echo
for disk in ${CRYPT_DISKS[@]}; do
echo "Enrolling TPM2 unlock for $disk"
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $disk
done

if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
## add tpm2-tss to initramfs
Expand Down