From 38b30f2ab74fee7299255fcede7bf66feba71c7d Mon Sep 17 00:00:00 2001
From: SharkPlush <86890204+SharkPlush@users.noreply.github.com>
Date: Sat, 6 Dec 2025 15:49:03 +0200
Subject: [PATCH 1/3] sync yuga-check with aeon-check
---
 yuga-check | 66 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 27 insertions(+), 39 deletions(-)
diff --git a/yuga-check b/yuga-check
index 0d1dc74..3bba0ca 100644
--- a/yuga-check
+++ b/yuga-check
@@ -10,42 +10,6 @@ exec 3>&1 4>&2
 trap 'exec 2>&4 1>&3' 0 1 2 3
 exec 1>>/var/log/yuga-check.log 2>&1
 
-boo1228416() {
- # Problem: boo1228416. TPM2 using pcr hashes not pcrlock
- # Solution: Configure and enrol pcrlock for FDE
-
- # Determine root device
- rootdev=/dev/$(dmsetup deps -o devname /dev/mapper/yuga_root | cut -d '(' -f2 | cut -d ')' -f1)
- # Check for failure conditions
- tpm2hashpcrs=$(cryptsetup luksDump ${rootdev} | grep 'tpm2-hash-pcrs:' | tr -d ' \t' | cut -d ':' -f2)
- tpm2pcrlock=$(cryptsetup luksDump ${rootdev} | grep 'tpm2-pcrlock:' | tr -d ' \t' | cut -d ':' -f2)
- # For boo1228416 to be an issue hashpcrs must be 7 and pcrlock must be false. Be paranoid, only match on both
- if [ "${tpm2hashpcrs}" == "7" ] && [ "${tpm2pcrlock}" == "false" ]; then
- echo "boo1228416 detected - TPM2 using pcr hashes not pcrlock - correcting"
-
- # Need a keyfile to avoid requesting the recovery key when re-enrolling
- keyfile=$(mktemp /tmp/yuga-check.XXXXXXXXXX)
- dd bs=512 count=4 if=/dev/urandom of=${keyfile} iflag=fullblock
- chmod 400 ${keyfile}
-
- # Should be slot 2, but better to check and be sure
- tpm2slot=$(systemd-cryptenroll ${rootdev} | grep tpm2 | xargs | cut -d ' ' -f1)
-
- # Writing keyfile to slot 31 (end of the LUKS2 space) to avoid clashes with any customisation/extra keys
- cryptsetup luksAddKey --token-only --batch-mode --new-key-slot=31 ${rootdev} ${keyfile}
-
- # Drop existing enrollment and re enroll
- systemd-cryptenroll --wipe-slot=${tpm2slot} ${rootdev}
- systemd-cryptenroll --unlock-key-file=${keyfile} --tpm2-device=auto ${rootdev}
-
- # Wipe out keyfile and keyfile keyslot
- systemd-cryptenroll --wipe-slot=31 ${rootdev}
- rm ${keyfile}
-
- echo "boo1228416 corrected"
- fi
-}
-
 boo1234234() {
 # Problem: boo1234234 and related bugs. TPM2 enrolments failing because PCR0 invalidated by firmware updates.
 # Solution: Stop measuring PCR0 and update-predictions with the reduced PCR list
@@ -84,10 +48,34 @@ boo1246605() {
 fi
 }
 
+issue7() {
+ # Problem: Yuga should have systemd-growfs-root.service masked as it tries to run when it shouldn't
+ # Solution: Mask systemd-growfs-root.service
+ if ! [ -L /etc/systemd/system/systemd-growfs-root.service ]; then
+ echo 'issue7 detected - systemd-growfs-root.service not masked - correcting'
+ systemctl mask systemd-growfs-root.service
+ echo 'issue7 corrected'
+ fi
+}
+
+#issue6() {
+# # Problem: Yuga should have 'tpm2-measure-pcr=yes' set in /etc/crypttab if using normal encryption mode
+# # Solution: add tpm2-measure-pcr=yes if tpm2-device=auto is set
+# if grep '^yuga_root' /etc/crypttab | grep -qF 'tpm2-device=auto'; then
+# # Default Mode detected, now search for missing config
+# if ! grep '^yuga_root' /etc/crypttab | grep -qF 'tpm2-measure-pcr=yes'; then
+# echo 'issue6 detected - tpm2-measure-pcr=yes not set - correcting'
+# sed -i '/^yuga_root/ s/$/,tpm2-measure-pcr=yes/' /etc/crypttab
+# sdbootutil mkinitrd
+# echo 'issue6 corrected'
+# fi
+# fi
+#}
+
+
 # Active fixes executed in order of importance
 boo1246605
 boo1243182
 boo1234234
-
-# Deprecated fixes likely to be dropped in future Yuga-check releases
-boo1228416
+issue7
+#issue6

From 81f20341c191f4fb94dacf3ca5195d577622b2bb Mon Sep 17 00:00:00 2001
From: SharkPlush <86890204+SharkPlush@users.noreply.github.com>
Date: Sat, 6 Dec 2025 15:49:45 +0200
Subject: [PATCH 2/3] Fix indentation for systemd service masking
---
 yuga-check | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/yuga-check b/yuga-check
index 3bba0ca..da8029c 100644
--- a/yuga-check
+++ b/yuga-check
@@ -53,8 +53,8 @@ issue7() {
 # Solution: Mask systemd-growfs-root.service
 if ! [ -L /etc/systemd/system/systemd-growfs-root.service ]; then
 echo 'issue7 detected - systemd-growfs-root.service not masked - correcting'
- systemctl mask systemd-growfs-root.service
- echo 'issue7 corrected'
+ systemctl mask systemd-growfs-root.service
+ echo 'issue7 corrected'
 fi
 }
 
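Review bot: The issue7 guard `if ! [ -L /etc/systemd/system/systemd-growfs-root.service ]` tests only for the presence of a symlink, so a regular unit file or override sitting at that path is treated as "not masked" and `systemctl mask` is re-run on every invocation (which, as far as I recall, systemd rejects because a non-symlink already exists there), while any symlink at all, not just one to /dev/null, passes as masked. Asking systemd for the unit's state is more accurate: `if [ "$(systemctl is-enabled systemd-growfs-root.service 2>/dev/null)" != masked ]; then`. The "corrected" line is also logged regardless of whether the mask succeeded; `systemctl mask systemd-growfs-root.service && echo 'issue7 corrected'` keeps the log truthful, which matters since this log is the only evidence the fix ran. The commented-out `#issue6` block and its `#issue6` call carry no note on why they are disabled; a one-line comment above the block such as `# issue6 disabled: <reason, link to tracker>` would tell the next maintainer whether it is safe to remove or re-enable.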
From 33e457bf641e734a62469247f49efd4d2c9f6408 Mon Sep 17 00:00:00 2001
From: SharkPlush <86890204+SharkPlush@users.noreply.github.com>
Date: Sat, 6 Dec 2025 15:54:38 +0200
Subject: [PATCH 3/3] Remove extra line
---
 yuga-check | 1 -
 1 file changed, 1 deletion(-)
diff --git a/yuga-check b/yuga-check
index da8029c..31bf746 100644
--- a/yuga-check
+++ b/yuga-check
@@ -72,7 +72,6 @@ issue7() {
 # fi
 #}
 
-
 # Active fixes executed in order of importance
 boo1246605
 boo1243182