Primary key is be generated at every update of the PCRs - loading should be possible (future work)

create-luks-tpm.sh

@@ -4,11 +4,10 @@ set -e
 CRYPTFS=/dev/nvme0n1p3
 
 echo "creating secret key"
+kdir -p /root/keys
 tpm2_getrandom 32 -o /root/keys/fde-secret.bin
 chmod 600 /root/keys/fde-secret.bin
 cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin
-mkdir -p /root/keys
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
 
 # /usr/sbin/update-luks-tpm.sh #not reqired before reboot
 

update-luks-tpm.sh

@@ -5,9 +5,10 @@ set +e
 tpm2_evictcontrol -C o -c 0x81000000
 
 set -e
+tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
 tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
-tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/secret.bin
+tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin
 tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
 tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked
 rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest