Closed bsherman closed 2 weeks ago
Speaking of, might as well fix this instead of tweaking the message.
The script should re-enroll the signature if it's called again. It's very annoying to have to call unenroll when the hash gets invalidated to re-enroll it.
I think you can remove the whole block that checks if tpm2 is enrolled and just append --wipe-slot=tpm2 in the place you enroll.
LUKS TPM2 auto lock/unlock scripts should not actually reference ujust since they can be used without it.
If the user has found these ujust recipes, it should be obvious what to do from the ujust list of recipes.
Also, why not wipe and re-enroll?
Closes: #326