Systemd/shell scripts to automate ESP cloning and changing the Clevis TPM2 PCR binding on system/boot upgrades
- install.sh - get, set up, clean.
- update.sh - set up the scripts on the system.
- boot-integrity.service - systemd start/stop service for the main script.
- boot-integrity.sh - main script.
Requirements:
- curl
- git
- systemd
- cryptsetup
- clevis, clevis-luks, clevis-pin-tpm2
Install:
/bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/biocoderh/boot-integrity/master/install.sh)"
All settings are set through environment variables.
The script loads /etc/boot-integrity.env, which uses key=value shell syntax:
EFI_MIRROR=/boot/efi2
CLEVIS_LUKS_SLOT=1
CLEVIS_LUKS_CONFIG='{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,7,9"}'
CLEVIS_LUKS_UPGRADE_CONFIG='{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,7"}'
Usage: boot-integrity <operation> [...]
<operation> is one of:
efi-sync - sync the EFI system partition, /boot/efi -> $EFI_MIRROR; both ESPs must be listed in /etc/fstab
clevis-luks-regen-all - regenerate the pins on all LUKS partitions (password prompted)
clevis-luks-edit-all <config> - apply <config> to all LUKS devices whose binding differs from it
tpm2-pcr-diff - diff the TPM2 PCR values against those recorded at the last boot
status - show EFI/BOOT status, measured by filesystem modification time
start - apply the default config to all devices whose binding differs from it
stop - if anything changed, run efi-sync and apply the clevis upgrade config
environment variables:
EFI_MIRROR - ESP mirror mountpoint, must be present in /etc/fstab: /etc/efi2
CLEVIS_LUKS_SLOT - default clevis LUKS TPM2 slot: 1
CLEVIS_LUKS_CONFIG - default clevis LUKS config: '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,7,9"}'
CLEVIS_LUKS_UPGRADE_CONFIG - upgrade clevis LUKS config: '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,7"}'
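As an added illustration of the `status`, `tpm2-pcr-diff`, `start` and `stop` operations (example code, not the project's own boot-integrity.sh), the script below keeps the unprivileged decision logic in small functions that can be exercised on any machine and isolates the two privileged steps (copying the ESP, re-binding the LUKS slots). The `EFI_SOURCE` and `STAMP_FILE` names, the use of rsync for the copy, the `/var/lib/boot-integrity` directory and the `<index> : 0x<hex>` line format assumed for saved `tpm2_pcrread` output are this example's assumptions, not the project's.

```shell
#!/bin/sh
# Added example, not the project's boot-integrity.sh. Unprivileged helpers:
# esp_changed, pcr_diff, pcr_ids_of, config_survives. Privileged steps:
# efi_sync, rebind_all (need root, cryptsetup/clevis, rsync).

: "${EFI_SOURCE:=/boot/efi}"                         # assumed name for the primary ESP
: "${EFI_MIRROR:=/boot/efi2}"
: "${CLEVIS_LUKS_SLOT:=1}"
: "${STAMP_FILE:=/var/lib/boot-integrity/esp.stamp}" # assumed path; touched after each sync
# PCR 4 and 9 typically change when the boot loader, kernel or initrd change,
# so the upgrade policy from the README leaves them out.
[ -n "${CLEVIS_LUKS_CONFIG:-}" ] ||
  CLEVIS_LUKS_CONFIG='{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,7,9"}'
[ -n "${CLEVIS_LUKS_UPGRADE_CONFIG:-}" ] ||
  CLEVIS_LUKS_UPGRADE_CONFIG='{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,7"}'
# /etc/boot-integrity.env (key=value shell syntax, as in the README) overrides the defaults.
[ -r /etc/boot-integrity.env ] && . /etc/boot-integrity.env

# "status": 0 (changed) when any regular file under ESP $1 is newer than stamp
# file $2, or when no stamp exists yet; 1 (unchanged) otherwise.
esp_changed() {
  [ -e "$2" ] || return 0
  [ -n "$(find "$1" -type f -newer "$2" 2>/dev/null | head -n 1)" ]
}

# "tpm2-pcr-diff": compare two saved `tpm2_pcrread sha256:...` outputs (old $1,
# new $2) and print the indices whose value differs, comma separated.
pcr_diff() {
  awk '
    /^[ \t]*[0-9]+[ \t]*:[ \t]*0x/ {
      if (NR == FNR) old[$1] = $3
      else if (($1 in old) && old[$1] != $3) changed = changed (changed ? "," : "") $1
    }
    END { print changed }' "$1" "$2"
}

# Extract the pcr_ids list from a clevis tpm2 pin config.
pcr_ids_of() {
  printf '%s\n' "$1" | sed -n 's/.*"pcr_ids":"\([0-9,]*\)".*/\1/p'
}

# 0 if none of the changed PCRs in $2 (comma list, may be empty) are bound by
# config $1, i.e. a slot bound with $1 before the change would still unseal.
config_survives() {
  ids=",$(pcr_ids_of "$1"),"
  old_ifs=$IFS; IFS=,
  for p in $2; do
    case "$ids" in *,"$p",*) IFS=$old_ifs; return 1 ;; esac
  done
  IFS=$old_ifs
  return 0
}

# "efi-sync": mirror the ESP and record the sync time in the stamp file.
efi_sync() {
  mountpoint -q "$EFI_SOURCE" && mountpoint -q "$EFI_MIRROR" ||
    { echo "both ESPs must be mounted (see /etc/fstab)" >&2; return 1; }
  rsync -a --delete "$EFI_SOURCE"/ "$EFI_MIRROR"/ || return 1
  mkdir -p "$(dirname "$STAMP_FILE")" && touch "$STAMP_FILE"
}

# Re-bind the configured slot of every LUKS device to config $1.
rebind_all() {
  for dev in $(blkid -t TYPE=crypto_LUKS -o device); do
    clevis luks edit -d "$dev" -s "$CLEVIS_LUKS_SLOT" -c "$1" || return 1
  done
}

main() {
  case "$1" in
    status) if esp_changed "$EFI_SOURCE" "$STAMP_FILE"; then echo changed; else echo unchanged; fi ;;
    start)  rebind_all "$CLEVIS_LUKS_CONFIG" ;;
    stop)   if esp_changed "$EFI_SOURCE" "$STAMP_FILE"; then
              efi_sync && rebind_all "$CLEVIS_LUKS_UPGRADE_CONFIG"
            fi ;;
    *)      echo "usage: $0 status|start|stop" >&2; return 1 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Save the PCR values once per boot with `tpm2_pcrread sha256:0,1,2,3,4,5,7,9 > /var/lib/boot-integrity/pcrs.prev` (path assumed) and feed two such files to `pcr_diff`; `config_survives` then answers whether a slot bound with a given config before the change would still unseal, which is the reasoning behind switching to the upgrade config for the first reboot after an update and back to the default config once the new PCR 4 and 9 values are known. The project's `clevis-luks-edit-all` skips devices whose binding already matches; `rebind_all` here re-binds every device unconditionally.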
Further reading:
- Safe automatic decryption of LUKS partition using TPM2
- Decrypt LUKS volumes with a TPM on Fedora Linux (systemd-cryptenroll)