This Bash script automates the process of wiping the stale TPM2 enrollment from a LUKS2 header, enrolling a new TPM2 key slot bound to the current PCR values, and regenerating the initramfs. As a Fedora user I found it a pain to complete this process manually every time the kernel was updated, so I wrote this script to make it easier. It is a full-featured script with a help message, error logging, and checks for proper command syntax. For the moment, the script will only work on distributions that use dracut to regenerate the initramfs. If people find this script useful and I have enough time, I might add support for regenerating the initramfs with mkinitramfs, but I have not gotten that far yet.
In order to run this script your system needs to meet the following requirements:

- A volume encrypted with the LUKS2 format. LUKS1 volumes will not work. You can check this with the command (look for `Version: 2` in the output):

  ```
  cryptsetup luksDump /dev/your_device
  ```

- An active TPM2 chip.
- Packages:
  - `systemd-cryptenroll`
  - `tpm2-tss` or `sd-encrypt`
  - `dracut`
- You will need to configure `/etc/crypttab` to tell the boot process to use the TPM2 chip.
  - If your `/root` volume is encrypted you will need to edit the `/etc/default/grub` config file. Instructions for this process can be found here.
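The following script is an added example and is not the project's `update-pcrs` script. It performs the procedure described at the top of this page with the prerequisite checks from the list above: it reads the `Version:` field of `cryptsetup luksDump` output to insist on LUKS2, looks for a TPM2 device node, validates the PCR list, wipes the old TPM2 slot and enrolls a new one with `systemd-cryptenroll`, then rebuilds the initramfs with `dracut`. Its function names, the default of PCR 7, and the sample `luksDump` output embedded for testing are my own constructions; the PCR list uses the `+`-separated form that `systemd-cryptenroll --tpm2-pcrs=` accepts, which may differ from whatever format `update-pcrs` expects. The privileged part only runs when the script is given a device argument.

```shell
#!/usr/bin/env bash
# Added example: re-bind a LUKS2 volume's TPM2 key slot to the current PCR
# values and rebuild the initramfs with dracut. Assumes root, a real LUKS2
# device, and that systemd-cryptenroll and dracut are installed.
set -eu

# Assumption: mirror systemd-cryptenroll's own default of PCR 7 (Secure Boot state).
DEFAULT_PCRS="7"

# Constructed sample output of `cryptsetup luksDump` for a LUKS2 header (not a real dump).
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]'

# Constructed sample output for a LUKS1 header, which the script must reject.
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdX

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64'

# luks_version DUMP_TEXT: print the header version ("1" or "2") found in luksDump output.
luks_version() {
    printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'
}

# valid_pcr_list LIST: accept a "+"-separated list of PCR indices 0-23, e.g. "0+2+7".
# Rejects empty lists, commas, non-digits, and leading/trailing/doubled separators.
valid_pcr_list() {
    local list=$1 pcr
    case $list in
        ''|*[!0-9+]*|+*|*+|*++*) return 1 ;;
    esac
    local IFS=+
    for pcr in $list; do
        [ "$pcr" -le 23 ] || return 1
    done
    return 0
}

# tpm2_present: the kernel exposes the TPM through /dev/tpmrm0 (resource manager) or /dev/tpm0.
tpm2_present() {
    [ -c /dev/tpmrm0 ] || [ -c /dev/tpm0 ]
}

# reenroll DEVICE PCRS: drop the TPM2 slot sealed to stale PCR values, then enroll a
# fresh one. systemd-cryptenroll prompts for an existing passphrase to authorize this.
reenroll() {
    local device=$1 pcrs=$2
    systemd-cryptenroll --wipe-slot=tpm2 "$device"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$device"
}

main() {
    local device=$1 pcrs=${2:-$DEFAULT_PCRS} version
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    [ -b "$device" ] || { echo "$device is not a block device" >&2; exit 1; }
    valid_pcr_list "$pcrs" || { echo "invalid PCR list: $pcrs" >&2; exit 1; }
    version=$(luks_version "$(cryptsetup luksDump "$device")")
    [ "$version" = "2" ] || { echo "$device is LUKS$version, LUKS2 required" >&2; exit 1; }
    tpm2_present || { echo "no TPM2 device node found" >&2; exit 1; }
    reenroll "$device" "$pcrs"
    # Rebuild the initramfs for the running kernel; use --kver to target another one.
    dracut --force
}

# Only run the privileged flow when a device argument is given.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it as `sudo ./reenroll-tpm2.sh /dev/your_luks_device 0+7`. Keep a passphrase key slot enrolled alongside the TPM2 slot: if the PCR policy stops matching after a firmware or boot-loader change, that passphrase is the only way to open the volume. The conventional crypttab setting that makes the boot process try the TPM2 (not taken from this page) is `tpm2-device=auto` in the options field of `/etc/crypttab`; for a root volume unlocked from the dracut initramfs the same option goes on the kernel command line as `rd.luks.options=tpm2-device=auto` in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`.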
1. Clone the GitHub repo:

   ```
   git clone https://github.com/benhaube/Update-LUKS-PCRs-script.git
   ```

2. Enter the directory:

   ```
   cd Update-LUKS-PCRs-script/
   ```

3. Copy the file `update-pcrs` to the `/usr/local/bin/` directory:

   ```
   sudo cp update-pcrs /usr/local/bin/
   ```

4. Set the execution permission for the `update-pcrs` script:

   ```
   sudo chmod +x /usr/local/bin/update-pcrs
   ```

5. You can now run the script (with `sudo`) from any directory:

   ```
   sudo update-pcrs [options] /dev/your_luks_device [optional_pcrs_list]
   ```



