diff options
Diffstat (limited to 'install_tpm')
-rw-r--r-- | install_tpm | 45 |
1 files changed, 9 insertions, 36 deletions
diff --git a/install_tpm b/install_tpm index 3fc5f3308a38..aeb5cd103a76 100644 --- a/install_tpm +++ b/install_tpm @@ -1,56 +1,29 @@ #!/bin/bash build() { - local mod - add_module "tpm_tis" add_binary "/usr/bin/tpm_unsealdata" "/usr/bin/tpm_unsealdata" - add_binary "/usr/sbin/tpm_version" "/usr/bin/tpm_version" + add_binary "/usr/bin/tpm_version" "/usr/bin/tpm_version" add_binary "/usr/sbin/tcsd" "/usr/bin/tcsd" - + add_dir "/var/lib/tpm" add_file "/var/lib/tpm/system.data" - add_file "/usr/lib/initcpio/tpm/hosts" "/etc/hosts" + add_file "/usr/lib/initcpio/tpm/hosts" "/etc/hosts" add_file "/usr/lib/initcpio/tpm/passwd" "/etc/passwd" - add_file "/usr/lib/initcpio/tpm/shadow" "/etc/shadow" add_file "/usr/lib/libnss_files.so.2" - add_file "/etc/nsswitch.conf" - - add_module dm-crypt - if [[ $CRYPTO_MODULES ]]; then - for mod in $CRYPTO_MODULES; do - add_module "$mod" - done - else - add_all_modules '/crypto/' - fi - - add_binary "cryptsetup" - add_binary "dmsetup" - add_file "/usr/lib/udev/rules.d/10-dm.rules" - add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" - add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" - add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" add_runscript } help() { cat <<HELPEOF -This hook allows for an encrypted root device. Users should specify the device -to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, -where 'device' is the path to the raw device, and 'dmname' is the name given to -the device after unlocking, and will be available as /dev/mapper/dmname. - -For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on -the kernel cmdline, where 'device' represents the raw block device where the key -exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is -the absolute path of the keyfile within the device. +This hook allows for an encrypted root device to use a key file sealed by the +TPM. It should be placed immediately before the 'encrypt' hook. -Without specifying a keyfile, you will be prompted for the password at runtime. -This means you must have a keyboard available to input it, and you may need -the keymap hook as well to ensure that the keyboard is using the layout you -expect. +After generating a TPM-sealed keyfile, 'tpmkey=device:fstype:path' should be +specified on the kernel cmdline, where 'device' represents the raw block device +where the key exists, 'fstype' is the filesystem type of 'device' (or auto), +and 'path' is the absolute path of the keyfile within the device. HELPEOF } |