now adding unufied kernel to EFI loader automatically

create-luks-tpm.sh

@@ -4,16 +4,9 @@ set -e
 CRYPTFS=/dev/nvme0n1p3
 
 echo "creating secret key"
-dd if=/dev/random of=/root/secret.bin bs=32 count=1
+tpm2_getrandom 32 -o /root/secret.bin
 cryptsetup luksAddKey $CRYPTFS /root/secret.bin
 
-echo "Creating TPM Policy with current available PCRs"
+/usr/sbin/update-luks-tpm.sh
-tpm2_clear
+
-tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
-tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
-tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
-tpm2_evictcontrol -C o -c /root/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin 
-rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
 

install.sh

@@ -11,4 +11,5 @@ awk -i inplace '/luks/{print $0 ",discard,initramfs,keyscript=/usr/sbin/passphra
 
 /usr/sbin/create-luks-tpm.sh
 /usr/sbin/update-kernel.sh
+efibootmgr --create --disk $DISK --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose
 echo "Installed successfully! Please reboot and execute update-luks-tpm.sh afterwards"

update-kernel.sh

@@ -1,11 +1,13 @@
 #!/usr/bin/bash
 set -e
 PARTITION_ROOT=/dev/mapper/ubuntu--vg-ubuntu--lv
+DISK=/dev/nvme0n1
+
 mkdir -p /boot/efi/EFI/Linux
 update-initramfs -u -k all
 LATEST=`ls -t /boot/vmlinuz* | head -1`
 VERSION=`file -bL $LATEST | grep -o 'version [^ ]*' | cut -d ' ' -f 2`
-# echo "/vmlinuz-$VERSION root=/dev/mapper/vg-root rw loglevel=3 cryptdevice=PARTUUID=$(blkid -o value $PARTITION_ROOT | tail -n 1):lvm:allow-discards rd.luks.options=discard" > /boot/kernel-command-line.txt #Arch command line
+### echo "/vmlinuz-$VERSION root=/dev/mapper/vg-root rw loglevel=3 cryptdevice=PARTUUID=$(blkid -o value $PARTITION_ROOT | tail -n 1):lvm:allow-discards rd.luks.options=discard" > /boot/kernel-command-line.txt #Arch command line
 echo "/vmlinuz-$VERSION root=$PARTITION_ROOT ro" > /boot/kernel-command-line.txt #Ubuntu command line
 objcopy \
   --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
@@ -13,4 +15,4 @@ objcopy \
   --add-section .linux="/boot/vmlinuz-$VERSION" --change-section-vma .linux=0x40000 \
   --add-section .initrd="/boot/initrd.img-$VERSION" --change-section-vma .initrd=0x3000000 \
   "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"
-cp -v /boot/efi/EFI/Linux/Linux.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
+

update-luks-tpm.sh

@@ -1,12 +1,14 @@
 #!/usr/bin/bash
-set -e
-
 echo "Updating TPM Policy with current available PCRs"
+
+set +e
 tpm2_evictcontrol -C o -c 0x81000000
+
+set -e
 tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
 tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
 tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
 tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
 tpm2_evictcontrol -C o -c /root/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin 
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
 rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context