cryptsetup-efi-tpm: retrieve passphrase from TPM

Attempt to retrieve the LUKS passphrase from TPM nvram during boot. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
balena-os · Sep 30, 2024 · 3c72794 · 3c72794
1 parent 04fb01e
commit 3c72794
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm b/meta-balena-common/recipes-core/initrdscripts/files/cryptsetup-efi-tpm
@@ -112,7 +112,9 @@ cryptsetup_run() {
         tpm2_policyor -S "${SESSION_CTX}" "sha256:$(echo "${POLICIES}" | sed 's/ /,/g')"
     fi
 
-    if hw_decrypt_passphrase "$EFI_MOUNT_DIR" "session:${SESSION_CTX}" "$PASSPHRASE_FILE"; then
+    if hw_retrieve_passphrase "session:${SESSION_CTX}" "$PASSPHRASE_FILE"; then
+        info "Successfully retrieved passphrase from TPM NVRAM"
+    elif hw_decrypt_passphrase "$EFI_MOUNT_DIR" "session:${SESSION_CTX}" "$PASSPHRASE_FILE"; then
         info "Successfully unlocked LUKS passphrase using the TPM"
     elif hw_decrypt_passphrase "$EFI_MOUNT_DIR" "pcr:sha256:0,1,2,3" "$PASSPHRASE_FILE"; then
         info "Unlocked LUKS passphrase without PCR7, will re-encrypt after rollback-health"