diff --git a/grub.d.my.7z b/grub.d.my.7z
index e7718ad..2cb231c 100644
Binary files a/grub.d.my.7z and b/grub.d.my.7z differ
diff --git a/install-ucba.sh b/install-ucba.sh
new file mode 100755
index 0000000..299b643
--- /dev/null
+++ b/install-ucba.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+if [ $# -ne 2 ]; then
+ echo "install-ucba ";
+ echo "";
+ echo " : The LUKS Device";
+ echo " : LUKS Slot for regeneration"
+ exit 1;
+fi
+echo "[+] Installing the update clevis binding auto service!";
+echo "[!] WARNING Service requires the update-clevis-command to be install."
+echo "Enter the Password to the LUKS slot used to auto-renew the clevis slot:";
+read -s password;
+if [[ -z $password ]]; then
+ echo "A password is required for LUKS unlock!";
+ exit 2;
+fi
+cat update-clevis-binding-source-files/update_clevis_binding_auto.service.p1 | head -c -1 | sudo tee /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
+echo -n "$1 $2" | sudo tee -a /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
+cat update-clevis-binding-source-files/update_clevis_binding_auto.service.p2 | head -c -1 | sudo tee -a /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
+sudo systemctl daemon-reload;
+sudo systemctl enable update_clevis_binding_auto.service;
+sudo touch /root/ucba.pwd;
+sudo chown root:root /root/ucba.pwd;
+sudo chmod u=rw,g=,o= /root/ucba.pwd;
+echo "$password" | sudo tee /root/ucba.pwd > /dev/null;
+echo "[+] Finished installing the update clevis binding auto service!";
+exit 0;
diff --git a/local-sbin/sign-boot b/local-sbin/sign-boot
index cb403ae..0e80c7b 100755
--- a/local-sbin/sign-boot
+++ b/local-sbin/sign-boot
@@ -36,4 +36,5 @@ do
 /usr/bin/gpg --batch --detach-sign $i;
 done;
 /usr/bin/rm -f /run/sign-verify-boot-flag;
+/usr/bin/touch /opt/ucba-required;
 echo "[*] Signing Complete!";
diff --git a/local-sbin/update-clevis-binding b/local-sbin/update-clevis-binding
new file mode 100755
index 0000000..ef7b0b1
--- /dev/null
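Review bot: `read -s password` in install-ucba.sh lacks `-r`, and the secret is later written with `echo "$password"`, so a passphrase containing backslashes — or one beginning with `-n`/`-e` — is altered before it reaches `/root/ucba.pwd`, and the service will later feed clevis the wrong secret. Use `IFS= read -rs password` and `printf '%s\n' "$password" | sudo tee /root/ucba.pwd > /dev/null`. The `touch`/`chown`/`chmod` sequence can be collapsed into `sudo install -m 600 -o root -g root /dev/null /root/ucba.pwd`, which also removes the brief window where the file exists with root's default umask. The script never checks that `$1` is a block device or that `$2` is a slot number before splicing them unquoted into the unit's `bash -c` string, so a typo surfaces only at the next boot; `[ -b "$1" ] || { echo "not a block device: $1" >&2; exit 1; }` before writing the unit would catch it at install time. Keeping the LUKS passphrase in plaintext at rest is the design here, and a header comment stating that trade-off (and that `/root/ucba.pwd` must be deleted when the service is disabled) would help the next admin.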
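Review bot: The added `/usr/bin/touch /opt/ucba-required;` has no error handling, so if it fails (read-only or missing /opt, for example) signing still prints "Signing Complete!" and the LUKS binding silently stays stale until the next signing run; `/usr/bin/touch /opt/ucba-required || echo "[!] could not arm update_clevis_binding_auto" >&2;` would at least surface it. Unlike the `/run/sign-verify-boot-flag` removed on the line above, this flag is consumed by update_clevis_binding_auto.service at the next boot, so it is presumably placed under /opt on purpose to survive the reboot that clears /run; a comment saying so, e.g. `# persistent flag: tells update_clevis_binding_auto.service to re-bind the LUKS slot on next boot`, would stop someone "fixing" it to /run. The loop this hunk closes starts outside the hunk.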
+++ b/local-sbin/update-clevis-binding
@@ -0,0 +1,7 @@
+#!/bin/bash
+if [ $# -ne 2 ]; then
+ echo 'update-clevis-binding ';
+ exit 1;
+fi
+/usr/bin/clevis luks regen -q -d "$1" -s "$2"
+exit $?;
diff --git a/update-clevis-binding-source-files/update_clevis_binding_auto.service.p1 b/update-clevis-binding-source-files/update_clevis_binding_auto.service.p1
new file mode 100644
index 0000000..684a8c1
--- /dev/null
+++ b/update-clevis-binding-source-files/update_clevis_binding_auto.service.p1
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update the clevis LUKS slot on the specified device automatically on boot if enabled
+
+[Service]
+Type=oneshot
+ExecStart=bash -c 'if [ -f /opt/ucba-required ]; then /usr/local/sbin/update-clevis-binding
diff --git a/update-clevis-binding-source-files/update_clevis_binding_auto.service.p2 b/update-clevis-binding-source-files/update_clevis_binding_auto.service.p2
new file mode 100644
index 0000000..2b7b313
--- /dev/null
+++ b/update-clevis-binding-source-files/update_clevis_binding_auto.service.p2
@@ -0,0 +1,6 @@
+ < /root/ucba.pwd; rm -f /opt/ucba-required; fi'
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target
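Review bot: The new wrapper passes `$1` and `$2` straight to `clevis luks regen` with only an argument-count check, so a non-device path or a non-numeric slot is diagnosed only by clevis at boot time, with the unit's output going to the journal. A cheap guard before the call: `[ -b "$1" ] || { echo "not a block device: $1" >&2; exit 1; }` and `[[ "$2" =~ ^[0-9]+$ ]] || { echo "slot must be numeric: $2" >&2; exit 1; }`. The unit built by install-ucba.sh redirects `/root/ucba.pwd` to this script's stdin, so the script implicitly relies on clevis reading the existing passphrase from stdin when run non-interactively — worth a comment above the call, since nothing here says so. `exit $?;` right after the command is redundant; `exec /usr/bin/clevis luks regen -q -d "$1" -s "$2"` yields the same exit status. The usage line `'update-clevis-binding '` appears to have lost its `<device> <slot>` placeholders, possibly in rendering.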
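Review bot: The unit declares no ordering, so with only `WantedBy=multi-user.target` the regen can start before whatever the binding depends on is available; if the pin is tang (not visible in this diff) that means the network, and `After=network-online.target` plus `Wants=network-online.target` under `[Unit]` would be needed. The `ExecStart=` line is intentionally truncated in this file because install-ucba.sh splices the device, the slot and the `.p2` fragment after it; the file should say so, e.g. a `# Fragment: install-ucba.sh appends "<device> <slot>" and .p2 to complete ExecStart` comment under `[Unit]`, since systemd accepts `#` comment lines. Building a `bash -c` string from installer arguments also means a device path containing spaces or quotes breaks the unit at parse time; passing them via `Environment=UCBA_DEV=... UCBA_SLOT=...` and referencing `"$UCBA_DEV" "$UCBA_SLOT"` inside the quoted command avoids that.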
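Review bot: `rm -f /opt/ucba-required` runs unconditionally after the regen, so a failed `update-clevis-binding` (tang unreachable at boot, or a wrong passphrase in `/root/ucba.pwd`) still clears the trigger and the stale binding is never retried; chaining on success, `update-clevis-binding … < /root/ucba.pwd && rm -f /opt/ucba-required; fi'`, keeps the flag armed for the next boot and leaves the unit visible in `systemctl --failed`. `User=root` and `Group=root` are the defaults for a system unit and can be dropped, or kept with a comment noting the service needs root to read `/root/ucba.pwd` (mode 0600 as written by install-ucba.sh) and, presumably, to rewrite the LUKS header. A `# /root/ucba.pwd holds the LUKS passphrase in plaintext; written by install-ucba.sh` comment line after the ExecStart line would tell the reader where that file comes from, since nothing in the unit does.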