From fda1a228371adae9d2a4fcf8b2e427c852b48879 Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Mon, 16 Mar 2026 19:13:54 -0600
Subject: sys/boot: tpm: remove tpm2-boot auth signature after successfull boot

---
 sys/boot/detached-luks.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'sys/boot')

diff --git a/sys/boot/detached-luks.nix b/sys/boot/detached-luks.nix
index 78ae35c..d3e7c29 100644
--- a/sys/boot/detached-luks.nix
+++ b/sys/boot/detached-luks.nix
@@ -75,6 +75,7 @@ in {
             touch ${escapeShellArg hardwareKeyPath}
 
             unseal_tpm_key() {
+              [ -e ${tpmPath}/auth.sig ] || return
               tpm2 createprimary -Q -C owner -g sha256 -G ecc -c /tpm/prim.ctx || return
 
               tpm2 loadexternal -Q -C owner -G rsa -u ${tpmPath}/signing-key.pub -c /tpm/signing-key.ctx -n /tpm/signing-key.name || return
@@ -113,5 +114,29 @@ in {
 
       tpm.initrd.enable = mkDefault config.local.boot.tpm.enable;
     };
+
+    systemd.services = {
+      clear-tpm2-boot-auth = let
+        inherit (config.local.boot.efi.esp) mountpoint;
+        mountUnit = concatStringsSep "-" (splitString "/" (removePrefix "/" mountpoint)) + ".mount";
+        tpmBootPath = "${mountpoint}/${cfg.tpmStorageFromBoot}";
+      in {
+        after = ["tpm2.target" mountUnit];
+        wantedBy = ["tpm2.target"];
+
+        serviceConfig = {
+          Type = "oneshot";
+        };
+
+        script = ''
+          for file in auth.policy auth.sig; do
+              path="${tpmBootPath}/$file"
+              [ -f "$path" ] && shred -fu -- "$path"
+          done
+
+          sync -f "${mountpoint}"
+        '';
+      };
+    };
   };
 }
-- 
cgit v1.2.3