Merge branch 'main' into feat/ujust-k8s-dev-tools

build/ublue-os-luks/luks-enable-tpm2-autounlock

@@ -4,11 +4,16 @@ set -eou pipefail
 
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
+echo "WARNING: Do NOT use this if your CPU is vulnerable to faulTPM!"
+echo "All AMD Zen2 and Zen3 Processors are known to be affected!"
+echo "All AMD Zen1 processors are also likely affected, with Zen4 unknown!"
+echo "If you have an AMD CPU, you likely shouldn't use this!"
+echo "----------------------------------------------------------------------------"
 echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
 echo "This script will modify your system."
 echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
-echo "It will bind to PCR 7 only which is tied to your secureboot state."
+echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
 read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -43,6 +48,13 @@ else
   exit 1
 fi
 
+SET_PIN_ARG=""
+read -p "Would you like to set a pin? " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  SET_PIN_ARG=" --tpm2-with-pin=yes "
+fi
+
 # Specify Crypt Disk by-uuid
 CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
 
@@ -63,7 +75,7 @@ fi
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 $SET_PIN_ARG "$CRYPT_DISK"
 
 
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then