sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(configuration): auto-bind PCR 7 when Secure Boot and FDE are both enabled

Browse Source
This commit is contained in:
sandwich
2026-04-02 04:37:03 +02:00
committed by MORAWSKI Norbert
parent ceb11852ec
commit 2055863673
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
roles/configuration/tasks/encryption.yml
View File

@@ -8,7 +8,7 @@
block: block:
- name: Set LUKS configuration facts - name: Set LUKS configuration facts
vars: vars:
luks_tpm2_pcrs: >- _raw_pcrs: >-
{{ {{
( (
system_cfg.luks.tpm2.pcrs system_cfg.luks.tpm2.pcrs
@@ -20,6 +20,12 @@
| regex_replace('\\s+', '') | regex_replace('\\s+', '')
| regex_replace('^\\+|\\+$', '') | regex_replace('^\\+|\\+$', '')
}} }}
luks_tpm2_pcrs: >-
{{
_raw_pcrs
if _raw_pcrs | length > 0
else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '')
}}
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}" configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}" configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"