mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 03:19:48 +00:00

Do not seal to PCR 7

At least without secureboot, PCR 7 is not defined.

This would potentially be worth a conditional to
check on secureboot.
Jarrod Johnson 2020-06-17 16:23:13 -04:00
parent d4736e0aad
commit e1270b2926


@ -1,4 +1,4 @@
#!/bin/sh
cryptdisk=$(blkid -t TYPE="crypto_LUKS"|sed -e s/:.*//)
clevis luks bind -f -d $cryptdisk -k - tpm2 '{"pcr_bank": "sha256", "pcr_ids": "7"}' < /etc/confluent/confluent.apikey
clevis luks bind -f -d $cryptdisk -k - tpm2 '{}' < /etc/confluent/confluent.apikey
cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
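Review bot: The `tpm2 '{}'` bind is not checked before the `cryptsetup luksRemoveKey` line that follows it, so a failed bind (no usable TPM, a clevis error) still goes on to delete the API-key slot. Because the passphrase comes from stdin, cryptsetup runs in batch mode and, per its man page, gives no warning when that is the last remaining key, which would leave the volume with no way to unlock it. Guard the bind, e.g. `clevis luks bind -f -d "$cryptdisk" -k - tpm2 '{}' < /etc/confluent/confluent.apikey || exit 1`, with `$cryptdisk` quoted because blkid may print more than one LUKS device. A comment on that line would also help: with an empty config no `pcr_ids` are named, so the sealed key is presumably tied only to this TPM and not to any measured boot state.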