feat: add tpm2 unlock improvements

2025-11-02 11:28:06 +00:00 · 2024-08-18 20:00:33 -07:00
parent 3b4e75781a
commit 357ce2934e
4 changed files with 29 additions and 2 deletions
--- a/files/scripts/improve-luks-tpm-script.patch
+++ b/files/scripts/improve-luks-tpm-script.patch
@@ -0,0 +1,18 @@
+6a7,11
+> echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
+> echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
+> echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
+> echo "If you have an AMD CPU, you likely shouldn't use this!"
+> echo "----------------------------------------------------------------------------"
+45a51,57
+> SET_PIN_ARG=""
+> read -p "Would you like to set a pin? " -n 1 -r
+> echo
+> if [[ $REPLY =~ ^[Yy]$ ]]; then
+>   SET_PIN_ARG=" --tpm2-with-pin=yes "
+> fi
+> 
+66c78
+< systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
+---
+> systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 "$SET_PIN_ARG" "$CRYPT_DISK"
--- a/files/scripts/enablewheellessbrewjust.sh
+++ b/files/scripts/enablewheellessbrewjust.sh
@@ -4,4 +4,5 @@
 set -oue pipefail

 patch /usr/share/ublue-os/just/05-brew.just < enable-wheelless-brew-installation.patch 
-
+patch /usr/share/ublue-os/just/15-brew.just < use-pkexec-in-luks-just.patch
+patch /usr/libexec/luks-enable-tpm2-autounlock < improve-luks-tpm-script.patch 
--- a/files/scripts/use-pkexec-in-luks-just.patch
+++ b/files/scripts/use-pkexec-in-luks-just.patch
@@ -0,0 +1,8 @@
+6c6
+<     sudo /usr/libexec/luks-enable-tpm2-autounlock
+---
+>     pkexec /usr/libexec/luks-enable-tpm2-autounlock
+11c11
+<     sudo /usr/libexec/luks-disable-tpm2-autounlock
+---
+>     pkexec /usr/libexec/luks-disable-tpm2-autounlock
--- a/recipes/common/common-scripts.yml
+++ b/recipes/common/common-scripts.yml
@@ -8,4 +8,4 @@ scripts:
  - createmissingdirectories.sh
  - removesuid.sh
  - disablegeoclue.sh
-  - enablewheellessbrewjust.sh
+  - justfilehardening.sh