Make it possible to report headers of which LUKSes to be unlocked via…

… TPM change.
linuxboot · Jan 20, 2022 · ed1c23a · ed1c23a
1 parent b4b0bc4
commit ed1c23a
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
@@ -51,6 +51,8 @@ tpm extend -ix 4 -ic generic \
 
 # Check to continue
 if [ "$unseal_failed" = "y" ]; then
+	diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt \
+		&& echo "Headers of LUKSes to be unlocked via TPM do not change."
 	confirm_boot="n"
 	read \
 		-n 1 \

diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
@@ -152,3 +152,6 @@ fi
 
 shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \
 || warn "Failed to delete the sealed secret - continuing"
+
+cp /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" \
+|| warn "Failed to have hashes of LUKS header - continuing"