diff --git a/files/scripts/improve-luks-tpm-script.patch b/files/scripts/improve-luks-tpm-script.patch
new file mode 100644
index 0000000..23449be
--- /dev/null
+++ b/files/scripts/improve-luks-tpm-script.patch
@@ -0,0 +1,18 @@
+6a7,11
+> echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
+> echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
+> echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
+> echo "If you have an AMD CPU, you likely shouldn't use this!"
+> echo "----------------------------------------------------------------------------"
+45a51,57
+> SET_PIN_ARG=""
+> read -p "Would you like to set a pin? " -n 1 -r
+> echo
+> if [[ $REPLY =~ ^[Yy]$ ]]; then
+> SET_PIN_ARG=" --tpm2-with-pin=yes "
+> fi
+>
+66c78
+< systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
+---
+> systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 "$SET_PIN_ARG" "$CRYPT_DISK"
diff --git a/files/scripts/enablewheellessbrewjust.sh b/files/scripts/justfilehardening.sh
similarity index 53%
rename from files/scripts/enablewheellessbrewjust.sh
rename to files/scripts/justfilehardening.sh
index e9c7107..27ef5d5 100644
--- a/files/scripts/enablewheellessbrewjust.sh
+++ b/files/scripts/justfilehardening.sh
@@ -4,4 +4,5 @@ set -oue pipefail
 patch /usr/share/ublue-os/just/05-brew.just < enable-wheelless-brew-installation.patch
-
+patch /usr/share/ublue-os/just/15-brew.just < use-pkexec-in-luks-just.patch
+patch /usr/libexec/luks-enable-tpm2-autounlock < improve-luks-tpm-script.patch
diff --git a/files/scripts/use-pkexec-in-luks-just.patch b/files/scripts/use-pkexec-in-luks-just.patch
new file mode 100644
index 0000000..c16a666
--- /dev/null
+++ b/files/scripts/use-pkexec-in-luks-just.patch
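Review bot: The `SET_PIN_ARG` handling in the new `45a51,57` and `66c78` lines is broken in both branches: `"$SET_PIN_ARG"` is a quoted expansion, so when the user declines systemd-cryptenroll receives an empty positional argument, and when they accept it receives the single word ` --tpm2-with-pin=yes ` with embedded spaces, which is not parsed as an option. Use an array instead: `SET_PIN_ARGS=()`, `SET_PIN_ARGS=(--tpm2-with-pin=yes)` inside the if-branch, and `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 "${SET_PIN_ARGS[@]}" "$CRYPT_DISK"` on the enrolment line. The faulTPM warning added at `6a7,11` is only printed; nothing in the added lines gates on it, so if enrolment is meant to continue regardless a short comment saying so next to the echo block would make that explicit. This is a normal-format patch against /usr/libexec/luks-enable-tpm2-autounlock, so the surrounding script (and the `$CRYPT_DISK` assignment) is outside this hunk.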
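Review bot: The second added `patch` line targets `/usr/share/ublue-os/just/15-brew.just`, yet the patch it feeds in (use-pkexec-in-luks-just.patch) rewrites `luks-*-tpm2-autounlock` invocations, so the target path looks like a copy of the 05-brew.just line above rather than the LUKS just file; worth confirming, since with the `set -oue pipefail` from the hunk header a non-applying patch aborts the whole build script. Both new lines also read their patch file from a cwd-relative path, as the existing line does, so the script silently depends on being run from files/scripts. Anchoring on the script's own location, e.g. `patch /usr/libexec/luks-enable-tpm2-autounlock < "$(dirname -- "$0")/improve-luks-tpm-script.patch"`, removes that assumption. The rest of justfilehardening.sh is outside this hunk.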
@@ -0,0 +1,8 @@
+6c6
+< sudo /usr/libexec/luks-enable-tpm2-autounlock
+---
+> pkexec /usr/libexec/luks-enable-tpm2-autounlock
+11c11
+< sudo /usr/libexec/luks-disable-tpm2-autounlock
+---
+> pkexec /usr/libexec/luks-disable-tpm2-autounlock
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
index 5482084..f8009e1 100644
--- a/recipes/common/common-scripts.yml
+++ b/recipes/common/common-scripts.yml
@@ -8,4 +8,4 @@ scripts:
   - createmissingdirectories.sh
   - removesuid.sh
   - disablegeoclue.sh
-  - enablewheellessbrewjust.sh
+  - justfilehardening.sh
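Review bot: Swapping `sudo` for `pkexec` on both patched lines changes the runtime contract of these just recipes in two ways that the patch does not document: pkexec needs a running polkit authentication agent, so the recipes will fail on a plain TTY or SSH session where sudo worked, and it starts the target with a minimal sanitised environment, so any variables the luks scripts inherited from the caller are no longer available. The absolute paths are good here, since pkexec does not rely on a user-controlled PATH. A one-line comment in the just file stating the intent, e.g. `# pkexec: authorisation is decided by polkit rather than sudoers`, would tell the next maintainer why this differs from the other recipes; presumably the goal is to let non-wheel users be granted this action, but that is not visible from the patch.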