From 601d32bc92aa24e6b39206720537c43ba891f72e Mon Sep 17 00:00:00 2001
From: JMARyA
Date: Sun, 5 Jan 2025 11:39:16 +0100
Subject: [PATCH] fix

---
 src/install/security.rs     | 27 ++++++++-------------------
 src/root/tpm-enroll.service | 11 +++++++++++
 2 files changed, 19 insertions(+), 19 deletions(-)
 create mode 100644 src/root/tpm-enroll.service

diff --git a/src/install/security.rs b/src/install/security.rs
index 41d6f15..33d525d 100644
--- a/src/install/security.rs
+++ b/src/install/security.rs
@@ -4,7 +4,7 @@ use yansi::{Color, Paint};
 
 use crate::{
     config::DriveConfig,
-    linux::{arch_chroot, install_file, run_command},
+    linux::{arch_chroot, install_file, run_command, systemd_service_enable},
     pkg::install_pkgs,
 };
 
@@ -37,25 +37,14 @@ pub fn setup_tpm_unlock(conf: &DriveConfig) {
 
     install_file("/mnt/root/recovery.key", &recovery_key, 0o400);
 
-    arch_chroot(
-        &vec![
-            "systemd-run",
-            "--pipe",
-            "--collect",
-            "-p",
-            format!( "SetCredential=cryptenroll.passphrase:{}", conf.encryption.as_ref().unwrap() ) .as_str(),
-            "systemd-cryptenroll",
-            "--tpm2-device=auto",
-            &conf.root,
-            "--tpm2-pcrs=7",
-        ],
-        None,
-        false,
+    install_file(
+        "/mnt/etc/systemd/system/tpm-enroll.service",
+        &include_str!("../root/tpm-enroll.service") .replace("", conf.encryption.as_ref().unwrap()) .replace("", &conf.root),
+        0o644,
     );
+    systemd_service_enable("tpm-enroll.service");
 }
 
 // SECURE BOOT
diff --git a/src/root/tpm-enroll.service b/src/root/tpm-enroll.service
new file mode 100644
index 0000000..562c0f6
--- /dev/null
+++ b/src/root/tpm-enroll.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=TPM Enrollment Service
+
+[Service]
+Type=oneshot
+ExecStart=systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 && rm /etc/systemd/system/tpm-enroll.service
+SetCredential=cryptenroll.passphrase:
+User=root
+
+[Install]
+WantedBy=multi-user.target
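Review bot: The LUKS passphrase from `conf.encryption` is now rendered into `/mnt/etc/systemd/system/tpm-enroll.service` and installed with mode `0o644`, so it sits world-readable on the installed system at least until the unit runs, and permanently if the unit's self-removal fails; the replaced `systemd-run` form only exposed it transiently. At minimum install the unit with `0o600,`, and preferably keep the secret out of the unit file altogether by writing it to a root-only file (as `recovery.key` already is, with `0o400`) and referencing that via `LoadCredential=cryptenroll.passphrase:/root/…` instead of `SetCredential=`. The two `.replace("", …)` calls read as empty patterns on this page; if that is not an extraction artifact, `str::replace` with an empty pattern inserts the replacement at every char boundary rather than substituting a placeholder, so confirm the template tokens survive in the source. `setup_tpm_unlock` begins before this hunk.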
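Review bot: `ExecStart=` is not run through a shell, so `&&` and `rm /etc/systemd/system/tpm-enroll.service` are handed to systemd-cryptenroll as extra positional arguments; the enrollment will most likely be rejected for the unexpected arguments, the unit will never remove itself, and the plaintext passphrase on the `SetCredential=` line stays on disk and is re-exposed on every subsequent boot. Split the cleanup into steps systemd only runs after `ExecStart=` succeeded: `ExecStart=systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 …` / `ExecStartPost=systemctl disable tpm-enroll.service` / `ExecStartPost=rm -f /etc/systemd/system/tpm-enroll.service` — the `disable` also drops the `multi-user.target.wants` symlink that a bare `rm` would leave dangling. The LUKS device argument after `--tpm2-pcrs=7` is absent on this page, possibly the same stripped placeholder as in the Rust hunk; verify the installed unit actually names the volume. Note too that a `SetCredential=` value is visible through `systemctl show`, so a root-only file loaded with `LoadCredential=` (or `SetCredentialEncrypted=`) is the safer carrier for the passphrase.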