Diffstat (limited to 'install_tpm')
-rw-r--r--install_tpm45
1 files changed, 9 insertions, 36 deletions
diff --git a/install_tpm b/install_tpm
index 3fc5f3308a38..aeb5cd103a76 100644
--- a/install_tpm
+++ b/install_tpm
@@ -1,56 +1,29 @@
#!/bin/bash
build() {
- local mod
-
add_module "tpm_tis"
add_binary "/usr/bin/tpm_unsealdata" "/usr/bin/tpm_unsealdata"
- add_binary "/usr/sbin/tpm_version" "/usr/bin/tpm_version"
+ add_binary "/usr/bin/tpm_version" "/usr/bin/tpm_version"
add_binary "/usr/sbin/tcsd" "/usr/bin/tcsd"
-
+
add_dir "/var/lib/tpm"
add_file "/var/lib/tpm/system.data"
- add_file "/usr/lib/initcpio/tpm/hosts" "/etc/hosts"
+ add_file "/usr/lib/initcpio/tpm/hosts" "/etc/hosts"
add_file "/usr/lib/initcpio/tpm/passwd" "/etc/passwd"
- add_file "/usr/lib/initcpio/tpm/shadow" "/etc/shadow"
add_file "/usr/lib/libnss_files.so.2"
- add_file "/etc/nsswitch.conf"
-
- add_module dm-crypt
- if [[ $CRYPTO_MODULES ]]; then
- for mod in $CRYPTO_MODULES; do
- add_module "$mod"
- done
- else
- add_all_modules '/crypto/'
- fi
-
- add_binary "cryptsetup"
- add_binary "dmsetup"
- add_file "/usr/lib/udev/rules.d/10-dm.rules"
- add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
- add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
- add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
}
help() {
cat <<HELPEOF
-This hook allows for an encrypted root device. Users should specify the device
-to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
-where 'device' is the path to the raw device, and 'dmname' is the name given to
-the device after unlocking, and will be available as /dev/mapper/dmname.
-
-For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
-the kernel cmdline, where 'device' represents the raw block device where the key
-exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
-the absolute path of the keyfile within the device.
+This hook allows for an encrypted root device to use a key file sealed by the
+TPM. It should be placed immediately before the 'encrypt' hook.
-Without specifying a keyfile, you will be prompted for the password at runtime.
-This means you must have a keyboard available to input it, and you may need
-the keymap hook as well to ensure that the keyboard is using the layout you
-expect.
+After generating a TPM-sealed keyfile, 'tpmkey=device:fstype:path' should be
+specified on the kernel cmdline, where 'device' represents the raw block device
+where the key exists, 'fstype' is the filesystem type of 'device' (or auto),
+and 'path' is the absolute path of the keyfile within the device.
HELPEOF
}
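Review bot: Dropping `add_file "/etc/nsswitch.conf"` from build() while keeping `add_file "/usr/lib/initcpio/tpm/passwd" "/etc/passwd"` and `add_file "/usr/lib/libnss_files.so.2"` leaves account lookups inside the initramfs (which tcsd presumably needs to resolve its unprivileged service user) relying on glibc's built-in fallback when no nsswitch.conf is present; on some glibc versions that fallback is `compat` rather than `files` and would require libnss_compat.so.2, which the hook does not ship. Since the rest of the hunk only removes the dm-crypt/cryptsetup setup now delegated to the 'encrypt' hook, this removal looks incidental; restoring `add_file "/etc/nsswitch.conf"` next to the libnss line is the safe choice, or a comment should state why the default resolution is sufficient. Separately, the rewritten help text says the hook goes "immediately before the 'encrypt' hook" but not that 'encrypt' is now mandatory because this hook no longer adds dm-crypt or cryptsetup itself; one sentence such as "The 'encrypt' hook is required and provides the dm-crypt modules and cryptsetup." would make that dependency explicit.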