fix

src/install/security.rs

@@ -4,7 +4,7 @@ use yansi::{Color, Paint};
 
 use crate::{
     config::DriveConfig,
-    linux::{arch_chroot, install_file, run_command},
+    linux::{arch_chroot, install_file, run_command, systemd_service_enable},
     pkg::install_pkgs,
 };
 
@@ -37,25 +37,14 @@ pub fn setup_tpm_unlock(conf: &DriveConfig) {
 
     install_file("/mnt/root/recovery.key", &recovery_key, 0o400);
 
-    arch_chroot(
-        &vec![
-            "systemd-run",
-            "--pipe",
-            "--collect",
-            "-p",
-            format!(
-                "SetCredential=cryptenroll.passphrase:{}",
-                conf.encryption.as_ref().unwrap()
-            )
-            .as_str(),
-            "systemd-cryptenroll",
-            "--tpm2-device=auto",
-            &conf.root,
-            "--tpm2-pcrs=7",
-        ],
-        None,
-        false,
+    install_file(
+        "/mnt/etc/systemd/system/tpm-enroll.service",
+        &include_str!("../root/tpm-enroll.service")
+            .replace("<PASSPHRASE>", conf.encryption.as_ref().unwrap())
+            .replace("<ROOT>", &conf.root),
+        0o644,
     );
+    systemd_service_enable("tpm-enroll.service");
 }
 
 // SECURE BOOT

src/root/tpm-enroll.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=TPM Enrollment Service
+
+[Service]
+Type=oneshot
+ExecStart=systemd-cryptenroll --tpm2-device=auto <ROOT> --tpm2-pcrs=7 && rm /etc/systemd/system/tpm-enroll.service
+SetCredential=cryptenroll.passphrase:<PASSPHRASE>
+User=root
+
+[Install]
+WantedBy=multi-user.target