feat: Add ujust setup-luks-tpm-unlock

chore: justfile cleanup
ublue-os · Apr 27, 2024 · 5402f53 · Kerwood · May 29, 2024 · 5402f53
1 parent 7444f02
commit 5402f53
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 11 deletions.
diff --git a/...sr/share/ublue-os/just/90-bazzite-de.just → ...sr/share/ublue-os/just/90-bazzite-de.just b/...sr/share/ublue-os/just/90-bazzite-de.just → ...sr/share/ublue-os/just/90-bazzite-de.just
diff --git a/system_files/desktop/shared/usr/libexec/luks-enable-tpm2-autounlock b/system_files/desktop/shared/usr/libexec/luks-enable-tpm2-autounlock
@@ -0,0 +1,54 @@
+#!/bin/bash
+## setup auto-unlock LUKS2 encrypted root on Fedora/Silverblue/maybe others
+## From https://github.com/bsherman/ublue-custom/blob/main/usr/bin/luks-enable-tpm2-autounlock
+set -u
+
+[ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
+
+read -p "This will modify your system and enable TPM2 auto-unlock of your LUKS partition! Are you sure you've read the script and are good with this? " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 # handle exits from shell or function but don't exit interactive shell
+fi
+
+## Inspect crypttab to find disk info, should look like this
+#sudo cat /etc/crypttab
+#luks-912462a2-39ce-abcd-1234-89c6c0304cb4 UUID=912462a2-39ce-abcd-1234-89c6c0304cb4 none discard
+DISK_UUID=$(sudo awk '{ print $2 }' /etc/crypttab | cut -d= -f2)
+CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
+
+## Backup the crypttab
+if [ -f /etc/crypttab.known-good ]; then
+  echo "Our backup already exists at /etc/crypttab.known-good\nExiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+cp -a /etc/crypttab /etc/crypttab.known-good
+
+## modify the crypttab
+grep tpm2-device /etc/crypttab > /dev/null
+if [ 0 -eq $? ]; then
+  echo "TPM2 already present in /etc/crypttab. Exiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+sed -i "s/discard/discard,tpm2-device=auto/" /etc/crypttab
+
+cryptsetup luksDump $CRYPT_DISK | grep systemd-tpm2 > /dev/null
+if [ 0 -eq $? ]; then
+  KEYSLOT=$(cryptsetup luksDump $CRYPT_DISK|grep -A23 systemd-tpm2|grep Keyslot|awk '{print $2}')
+  echo "TPM2 already present in LUKS Keyslot $KEYSLOT of $CRYPT_DISK. Exiting..."
+  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+
+## Run crypt enroll
+echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
+echo
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 $CRYPT_DISK
+
+## Now reboot
+echo
+echo "TPM2 LUKS auto-unlock configured. Reboot now."
+
+
+# References:
+#  https://www.reddit.com/r/Fedora/comments/uo4ufq/any_way_to_get_systemdcryptenroll_working_on/
+#  https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/80-bazzite.just b/system_files/desktop/shared/usr/share/ublue-os/just/80-bazzite.just
@@ -36,13 +36,18 @@ install-gamemode-video:
     rm -f $HOME/.local/share/Steam/config/uioverrides/movies/deck_startup.webm
     cp /usr/share/ublue-os/bazzite/bazzite.webm $HOME/.local/share/Steam/config/uioverrides/movies/deck_startup.webm
 
+# Set up automatic LUKS unlock via TPM
+setup-luks-tpm-unlock:
+    #!/usr/bin/bash
+    sudo /usr/libexec/luks-enable-tpm2-autounlock
+
 # Force-enable AMD pstate
 pstate-force-enable:
     rpm-ostree kargs --append-if-missing=amd_pstate=active
 
 # Configure grub bootmenu visibility and fix duplicate entries
 configure-grub ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     GRUB_STATE="$(grep -P "^GRUB_TIMEOUT_STYLE=hidden" /etc/default/grub)"
     OPTION={{ ACTION }}
@@ -100,7 +105,7 @@ add-user-to-input-group:
 
 # Configure watchdog (default: enabled, recovers the system in the event of a malfunction)
 configure-watchdog ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     WATCHDOG_STATE="$(rpm-ostree kargs)"
     CPU_MODEL=$(lscpu --json | jq -r '."lscpu"[7]."data"')
@@ -143,7 +148,7 @@ configure-watchdog ACTION="":
 
 # Set the default powerprofile to load when the desktop starts
 configure-powerprofile ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     OPTION={{ ACTION }}
     if [ "$OPTION" == "help" ]; then
@@ -179,7 +184,7 @@ configure-powerprofile ACTION="":
 
 # Install and configure Decky Loader (https://github.com/SteamDeckHomebrew/decky-loader) and plugins for alternative handhelds
 setup-decky ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     DECKY_STATE="${b}${red}Not Installed${n}"
     if [[ -d $HOME/homebrew/plugins ]]; then
@@ -234,7 +239,7 @@ setup-decky ACTION="":
 
 # Ptyxis terminal transparency
 ptyxis-transparency opacity="0.95":
-    #!/usr/bin/env bash
+    #!/usr/bin/bash
     set -euxo pipefail
     if [[ -n "$(echo "{{ opacity }}" | grep -v '^[.0-9]*$')" ]]; then
       printf "Value must be numeric: %s.\n" "{{ opacity }}"

diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-apps.just b/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-apps.just
@@ -119,7 +119,7 @@ install-opentabletdriver:
 
 # This installs ollama, a way to run various open LLMs locally on the CPU or GPU
 install-ollama:
-    #!/usr/bin/env bash
+    #!/usr/bin/bash
     echo 'Follow the prompts and check the tutorial: '
     echo
     GPU_CHOICES=()
@@ -194,7 +194,7 @@ install-ollama:
 # Create fedora distrobox if it doesn't exist
 [private]
 distrobox-check-fedora:
-    #!/bin/env bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     if grep -qvz "fedora" <<< $(distrobox list); then
       echo "Setting up Fedora distrobox"

diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-cdemu.just b/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-cdemu.just
@@ -2,7 +2,7 @@
 
 # Setup and configure CDEmu Daemon and Client plus GUI Apps
 setup-cdemu ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     CDEMU_STATE="$(rpm -qa cdemu-daemon)"
     SERVICE_STATE="$(systemctl is-enabled --user cdemu-daemon.service)"

diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-sunshine.just b/system_files/desktop/shared/usr/share/ublue-os/just/82-bazzite-sunshine.just
@@ -2,7 +2,7 @@
 
 # Setup and configure Sunshine Game Streaming host
 setup-sunshine ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     SUNSHINE_STATE="$(rpm -qa sunshine)"
     SERVICE_STATE="$(systemctl is-enabled --user sunshine.service)"

diff --git a/system_files/desktop/shared/usr/share/ublue-os/just/83-bazzite-audio.just b/system_files/desktop/shared/usr/share/ublue-os/just/83-bazzite-audio.just
@@ -2,7 +2,7 @@
 
 # Add virtual audio channels/sinks named Game, Voice, Browser and Music which you can split audio to using qpwgraph, helvum, carla or other pipewire patchbays for use in OBS and other use cases
 setup-virtual-channels ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     IMAGE_INFO="/usr/share/ublue-os/image-info.json"
     IMAGE_NAME=$(jq -r '."image-name"' < $IMAGE_INFO)
@@ -96,7 +96,7 @@ setup-virtual-channels ACTION="":
 
 # Setup a simple Virtual Surround 7.1 sink using the ASH Control Room 1 convolver file (you can change this yourself after setup)
 setup-virtual-surround ACTION="":
-    #!/bin/bash
+    #!/usr/bin/bash
     source /usr/lib/ujust/ujust.sh
     mkdir -p ~/.config/pipewire/pipewire.conf.d
     mkdir -p ~/.config/pipewire/hrir_hesuvi