authorAlejandro Soto <alejandro@34project.org>2026-03-16 19:13:54 -0600
committerAlejandro Soto <alejandro@34project.org>2026-03-16 19:24:52 -0600
commitfda1a228371adae9d2a4fcf8b2e427c852b48879 (patch)
tree967703709e118edcb634ba982a9dd7dbf334543e /sys
parent271149ad49f485793ceb7bb0d8edba9c6e1d29e6 (diff)
sys/boot: tpm: remove tpm2-boot auth signature after successful boot
Diffstat (limited to '')
-rw-r--r--sys/boot/detached-luks.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 78ae35c..d3e7c29 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -75,6 +75,7 @@ in {
touch ${escapeShellArg hardwareKeyPath}
unseal_tpm_key() {
+ [ -e ${tpmPath}/auth.sig ] || return
tpm2 createprimary -Q -C owner -g sha256 -G ecc -c /tpm/prim.ctx || return
tpm2 loadexternal -Q -C owner -G rsa -u ${tpmPath}/signing-key.pub -c /tpm/signing-key.ctx -n /tpm/signing-key.name || return
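Review bot: The added guard returns silently when `auth.sig` is absent, so once the post-boot service has shredded the signature every later boot skips TPM unsealing with no indication of why; a one-line message before the return makes the fallback diagnosable from the initrd console: `[ -e ${tpmPath}/auth.sig ] || { echo "tpm: auth.sig missing, skipping TPM unseal" >&2; return; }`. The guard also tests only the signature, while the service added in this commit treats `auth.policy` and `auth.sig` as a pair; checking both files up front keeps the early return aligned with the later tpm2 failures that a missing policy would presumably cause. unseal_tpm_key's body continues outside the hunk, so whether the caller falls back to a passphrase on return is not visible here.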
@@ -113,5 +114,29 @@ in {
tpm.initrd.enable = mkDefault config.local.boot.tpm.enable;
};
+
+ systemd.services = {
+ clear-tpm2-boot-auth = let
+ inherit (config.local.boot.efi.esp) mountpoint;
+ mountUnit = concatStringsSep "-" (splitString "/" (removePrefix "/" mountpoint)) + ".mount";
+ tpmBootPath = "${mountpoint}/${cfg.tpmStorageFromBoot}";
+ in {
+ after = ["tpm2.target" mountUnit];
+ wantedBy = ["tpm2.target"];
+
+ serviceConfig = {
+ Type = "oneshot";
+ };
+
+ script = ''
+ for file in auth.policy auth.sig; do
+ path="${tpmBootPath}/$file"
+ [ -f "$path" ] && shred -fu -- "$path"
+ done
+
+ sync -f "${mountpoint}"
+ '';
+ };
+ };
};
}
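Review bot: `clear-tpm2-boot-auth` only orders itself after the ESP mount unit via `after` and never pulls it in, so if the ESP is not mounted when `tpm2.target` is reached the `[ -f "$path" ]` tests see an empty directory, the oneshot exits 0, and `auth.sig` survives for the next boot — the opposite of the fail-closed behaviour the commit is after. `unitConfig.RequiresMountsFor = [ mountpoint ];` both pulls in and orders after the mount, and lets the hand-built `mountUnit` name go, which also skips systemd's path escaping (a `-` in a path component would produce the wrong unit name where `utils.escapeSystemdPath` would not). Note too that `tpm2.target` is typically reached early, once the TPM device is available, so the signature is removed well before the boot can be called successful; if the intent is "only after the system is up", hanging the service off `multi-user.target` instead is the closer hook. Finally, `shred`'s overwrite passes give little assurance on a flash-backed ESP, so the `-u` unlink is the effective part; a comment such as `# shred's overwrite is best-effort on flash; removal (-u) is what revokes the signature` would spare the next reader the wrong expectation.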