path: root/README.md
Diffstat (limited to 'README.md')
-rw-r--r--  README.md  93
1 files changed, 0 insertions, 93 deletions
diff --git a/README.md b/README.md
deleted file mode 100644
index 2c54834a43bc..000000000000
--- a/README.md
+++ /dev/null
@@ -1,93 +0,0 @@
-mkinitcpio TPM2 hook
-====================
-
-This mkinitcpio hook allows for an encrypted root device to use a key sealed by
-a TPM 2.0. It should be placed immediately before the `encrypt` hook in
-`/etc/mkinitcpio.conf`.
-
- HOOKS="base udev ... block tpm2 encrypt filesystems
-
-The `tpm2` hook attempts to "unseal" a LUKS keyfile previously sealed by the
-TPM. The sealed files must reside on an unencrypted filesystem available to the
-kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example,
-assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has
-been persisted to `0x81000001`:
-
- # tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L pcr.pol
- # tpm2_create -C 0x81000001 -g sha256 -G keyedhash -a 0x492 -i /root/mykey \
- -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub
-
-After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified
-on the kernel command line.
-
-The `tpmkey` parameter has several formats:
-
- tpmkey=[device]:[path]:[handle]
- tpmkey=[device]:[publicpath]:[privatepath]:[handle]
- tpmkey=nvram:[index]
- tpmkey=nvram:[index]:[offset]:[size]
-
-Where `[device]` represents the raw block device on which the key exists,
-`[path]` is the absolute base path of the sealed files within the device, and
-`[handle]` is the TPM handle of the key's parent object. If only `[path]` is
-specified, '.pub' and '.priv' will be appended to the path to locate the public
-and private files, respectively. The absolute `[publicpath]` and `[privatepath]`
-can be specified separately if needed. For example, if `/dev/sda1` is an EFI
-partition mounted at `/boot`:
-
- tpmkey=/dev/sda1:/mykey:0x81000001
-
-Setting `[device]` to 'nvram' indicates that the key is stored in TPM NVRAM. In
-this case `[index]` is the NVRAM area index, `[offset]` is the offset of the key
-in bytes and `[size]` is the size of the key in bytes.
-
-The `tpmpcr` parameter should hold the TPM2 PCR bank specification that will
-unlock the sealed key.
-
- tpmpcr=sha1:0,2,7
-
-Multiple specs can be separated by a '|' and key decryption will be attempted
-with each set of banks.
-
- tpmpcr=sha1:0,2,4,7|sha1:0,2,7
-
-Instead of a bank specification, the first item in the `tpmpcr` parameter may be
-used to indicate a PCR to extend _after_ the key has been unsealed.
-
- extend:[pcrnum]:[alg]
-
-Where `[pcrnum]` is the PCR number to extend and `[alg]` is the bank algorithm.
-For example, to extend PCR 8 in the sha1 bank:
-
- tpmpcr=extend:8:sha1|sha1:0,2,7
-
-If the `tpmprompt` command line parameter is set, the user will be prompted for
-the parent encryption key password during boot. This password will be used while
-loading the sealed key. This option has no effect when the key is stored in
-NVRAM.
-
- tpmprompt=1
-
-In recent kernel versions, some systems may not generate enough entropy early in
-the boot process to utilize the TPM. There are several possible solutions to
-this problem. On x86_64 systems, the following kernel parameter may help:
-
- random.trust_cpu=on
-
-You may also need to add the `vfat` file system driver to the `MODULES` array:
-
- MODULES=(vfat)
-
-Finally, rebuild the initramfs:
-
- # mkinitcpio -p linux
-
-During boot, the hook will initialize the TPM and attempt to unseal the key. If
-the key is successfully unsealed, it will be passed to the `encrypt` hook to
-perform the actual decryption of the root file system.
-
-Depending on the PCR banks to which the sealed key is bound, system changes such
-as kernel updates or firmware adjustments may prevent the key from being
-unsealed. If this happens, the disk must be manually unlocked with a passphrase
-and a new sealed key file needs to be generated. For this reason, it is CRUCIAL
-to add a separate "recovery" passphrase to the LUKS keys.
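Review bot: this hunk deletes the project's only user documentation with nothing replacing it in the diff, so the `tpmkey`, `tpmpcr` and `tpmprompt` kernel parameters (lines 38 through 84 of the removed file), the sealing procedure with `tpm2_createpolicy` / `tpm2_create`, and the closing warning that a separate LUKS recovery passphrase is CRUCIAL all become undocumented. If this content has moved (a man page, a wiki page, the hook's own install-time message), state the new location in the commit message; otherwise keep the README. Whatever the content lands in, two things in the removed text are worth fixing on the way: the `HOOKS="base udev ... block tpm2 encrypt filesystems` line is missing its closing quote, and the `tpm2_createpolicy` example binds to `sha1:0,2,4,7` while the first `tpmpcr=` example passes `sha1:0,2,7`, which would not match that policy; the later `tpmpcr=sha1:0,2,4,7|sha1:0,2,7` example is the consistent one.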