| -rw-r--r-- | sys/boot/detached-luks.nix | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 78ae35c..d3e7c29 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -75,6 +75,7 @@ in {
 touch ${escapeShellArg hardwareKeyPath}
 unseal_tpm_key() {
+ [ -e ${tpmPath}/auth.sig ] || return
 tpm2 createprimary -Q -C owner -g sha256 -G ecc -c /tpm/prim.ctx || return
 tpm2 loadexternal -Q -C owner -G rsa -u ${tpmPath}/signing-key.pub -c /tpm/signing-key.ctx -n /tpm/signing-key.name || return
@@ -113,5 +114,29 @@ in {
 tpm.initrd.enable = mkDefault config.local.boot.tpm.enable;
 };
+
+ systemd.services = {
+ clear-tpm2-boot-auth = let
+ inherit (config.local.boot.efi.esp) mountpoint;
+ mountUnit = concatStringsSep "-" (splitString "/" (removePrefix "/" mountpoint)) + ".mount";
+ tpmBootPath = "${mountpoint}/${cfg.tpmStorageFromBoot}";
+ in {
+ after = ["tpm2.target" mountUnit];
+ wantedBy = ["tpm2.target"];
+
+ serviceConfig = {
+ Type = "oneshot";
+ };
+
+ script = ''
+ for file in auth.policy auth.sig; do
+ path="${tpmBootPath}/$file"
+ [ -f "$path" ] && shred -fu -- "$path"
+ done
+
+ sync -f "${mountpoint}"
+ '';
+ };
+ };
 };
 }
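Review bot: In the second hunk `clear-tpm2-boot-auth` is only ordered `after` the ESP mount unit, not dependent on it, so if that mount was never pulled in or has failed the `[ -f "$path" ]` tests see an empty mountpoint, the loop shreds nothing, `sync` runs and the unit very likely exits 0 while auth.policy and auth.sig stay on the ESP — which, if the first hunk's `[ -e ${tpmPath}/auth.sig ] || return` is meant to make the signed policy single-use, is the one outcome the service exists to prevent. Declaring `unitConfig.RequiresMountsFor = [ mountpoint ];` (or keeping `after` and adding `requires = [ mountUnit ];`) makes the unit fail visibly instead, and the former also avoids hand-building the unit name: joining path components with `-` does not escape `-` or other non-alphanumeric characters the way systemd's unit-name encoding does, so a mountpoint such as one containing a dash would name a unit that does not exist (`utils.escapeSystemdPath mountpoint + ".mount"` handles this, if the module receives `utils`). The `shred` line deserves a comment that on flash-backed ESPs the overwrite may not reach the physical blocks, so removal narrows the window in which the old signature can be reused rather than guaranteeing it is gone. The `unseal_tpm_key` body in the first hunk continues outside the hunk.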
