alfred/bash-stuff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update grub configuration.

Browse Source 
Added clevis binding auto updating support (Password still required for first unlock).
This commit is contained in:
Captain ALM 2024-11-23 18:01:14 +00:00
parent 174a7a3eaa
commit 772287c27f
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
6 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
grub.d.my.7z
View File

Binary file not shown.

27
install-ucba.sh Executable file
View File

@ -0,0 +1,27 @@
#!/bin/bash
if [ $# -ne 2 ]; then
echo "install-ucba <device> <slot>";
echo "";
echo "<device> : The LUKS Device";
echo "<slot> : LUKS Slot for regeneration"
exit 1;
fi
echo "[+] Installing the update clevis binding auto service!";
echo "[!] WARNING Service requires the update-clevis-command to be install."
echo "Enter the Password to the LUKS slot used to auto-renew the clevis slot:";
read -s password;
if [[ -z $password ]]; then
echo "A password is required for LUKS unlock!";
exit 2;
fi
cat update-clevis-binding-source-files/update_clevis_binding_auto.service.p1 | head -c -1 | sudo tee /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
echo -n "$1 $2" | sudo tee -a /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
cat update-clevis-binding-source-files/update_clevis_binding_auto.service.p2 | head -c -1 | sudo tee -a /etc/systemd/system/update_clevis_binding_auto.service > /dev/null;
sudo systemctl daemon-reload;
sudo systemctl enable update_clevis_binding_auto.service;
sudo touch /root/ucba.pwd;
sudo chown root:root /root/ucba.pwd;
sudo chmod u=rw,g=,o= /root/ucba.pwd;
echo "$password" | sudo tee /root/ucba.pwd > /dev/null;
echo "[+] Finished installing the update clevis binding auto service!";
exit 0;

1
local-sbin/sign-boot
View File

@ -36,4 +36,5 @@ do
/usr/bin/gpg --batch --detach-sign $i; /usr/bin/gpg --batch --detach-sign $i;
done; done;
/usr/bin/rm -f /run/sign-verify-boot-flag; /usr/bin/rm -f /run/sign-verify-boot-flag;
/usr/bin/touch /opt/ucba-required;
echo "[*] Signing Complete!"; echo "[*] Signing Complete!";

7
local-sbin/update-clevis-binding Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
if [ $# -ne 2 ]; then
echo 'update-clevis-binding <device> <slot>';
exit 1;
fi
/usr/bin/clevis luks regen -q -d "$1" -s "$2"
exit $?;

6
update-clevis-binding-source-files/update_clevis_binding_auto.service.p1 Normal file
View File

@ -0,0 +1,6 @@
[Unit]
Description=Update the clevis LUKS slot on the specified device automatically on boot if enabled
[Service]
Type=oneshot
ExecStart=bash -c 'if [ -f /opt/ucba-required ]; then /usr/local/sbin/update-clevis-binding

6
update-clevis-binding-source-files/update_clevis_binding_auto.service.p2 Normal file
View File

@ -0,0 +1,6 @@
< /root/ucba.pwd; rm -f /opt/ucba-required; fi'
User=root
Group=root
[Install]
WantedBy=multi-user.target