#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Multi-profile UKI boot test. Every boot first dumps the loader/stub state
# (UKI path, profile, current measurement, PCR signature). The branch that
# creates /root/encrypted.raw enrolls it against the PCR signing public key
# and reboots; the other branch sources the stub's profile file, checks that
# the volume still unlocks via TPM2 under the current profile, verifies the
# kernel command line matches that profile, and chains to the next profile
# through loader.conf. /testok is only written on the last profile.
#
# NOTE(review): the span between `jq` and `/root/encrypted.secret` is an
# extraction artifact of this copy (a redirection and the statements around
# it appear to have been dropped, most likely including the `fi` of the
# signature check and the start of the "volume not yet created" branch). The
# tokens are kept exactly as found; do not treat the if/else nesting below as
# the author's.
set -eux
set -o pipefail

export SYSTEMD_LOG_LEVEL=debug

# Loader status first, so a later failure has context in the journal.
bootctl

# UKI the stub booted from; its basename is reused below to build the
# "<uki>@<profile>" default entry written to loader.conf.
CURRENT_UKI=$(bootctl --print-stub-path)

echo "CURRENT UKI ($CURRENT_UKI):"
ukify inspect "$CURRENT_UKI"
# Profile file provided by the stub; it is sourced further down and supplies $ID.
if test -f /run/systemd/stub/profile; then
    echo "CURRENT PROFILE:"
    cat /run/systemd/stub/profile
fi
echo "CURRENT MEASUREMENT:"
/usr/lib/systemd/systemd-measure --current
if test -f /run/systemd/tpm2-pcr-signature.json; then
    echo "CURRENT SIGNATURE:"
    # NOTE(review): garbled in this copy — presumably `jq` over the signature
    # file followed by generation of the one-time key file; not recoverable here.
    jq /root/encrypted.secret
    # Weak PBKDF settings (pbkdf2, 1000 iterations) keep the test fast; they
    # are not a production configuration. The key file is the temporary
    # passphrase used only to enroll the TPM2 slot.
    cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
    # Empty --tpm2-pcrs= plus --tpm2-public-key binds the slot to the signed
    # PCR policy rather than to literal PCR values, so each profile must carry
    # a valid signature to unlock.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
    # Drop the passphrase file: from now on the volume can only be opened via TPM2.
    rm -f /root/encrypted.secret
    reboot
    exit 0
else
    # shellcheck source=/dev/null
    . /run/systemd/stub/profile
    # Validate that with the current profile we can fulfill the PCR 11 policy
    # ("-" = no key file; headless=1 = no interactive prompt, so a policy
    # mismatch fails instead of hanging).
    systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
    systemd-cryptsetup detach multiprof
    if [ "$ID" = "profile0" ]; then
        # grep -v prints nothing (exit 1 under set -e) if the single cmdline
        # line mentions testprofile, i.e. this asserts the marker is absent.
        grep -v testprofile /proc/cmdline
        # Chain to the next profile of the same UKI on the following boot.
        echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
        reboot
        exit 0
    elif [ "$ID" = "profile1" ]; then
        grep testprofile1=1 /proc/cmdline
        echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
        reboot
        exit 0
    elif [ "$ID" = "profile2" ]; then
        grep testprofile2=1 /proc/cmdline
        # Last profile: tear down the volume so a re-run starts from scratch.
        rm /root/encrypted.raw
    else
        # Unknown profile identity: fail the test rather than loop forever.
        exit 1
    fi
fi
# Only reached on the profile2 path; every other path reboots or exits above.
touch /testok