---
# Enroll a TPM2 token into the LUKS device with systemd-cryptenroll.
#
# Flow: write the LUKS passphrase to a root-only temp file under /mnt/tmp,
# try the enrollment from inside the target's chroot, retry from the installer
# environment if the chroot attempt returned non-zero, then assert that at
# least one attempt succeeded. Any failure inside the block (including the
# temp-file creation or passphrase write, not only the enrollment commands)
# triggers the rescue, which selects the keyfile fallback. The passphrase file
# is removed in `always`, regardless of outcome.
- name: Enroll TPM2 for LUKS
  block:
    # Created under /mnt/tmp so the same file is reachable from the chroot as
    # /tmp/<name> (the chroot task strips the leading /mnt from the path).
    - name: Create temporary passphrase file for TPM2 enrollment
      ansible.builtin.tempfile:
        path: /mnt/tmp
        prefix: luks-passphrase-
        state: file
      register: configuration_luks_tpm2_passphrase_tempfile

    # The passphrase is handed to systemd-cryptenroll by file, so it never
    # appears on a command line or in a registered command result. no_log keeps
    # the content out of the play output; mode 0600/root limits who can read
    # it while it exists.
    - name: Write passphrase into temporary file for TPM2 enrollment
      ansible.builtin.copy:
        dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
        content: "{{ configuration_luks_passphrase_effective }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true

    # First attempt: run systemd-cryptenroll inside the target via arch-chroot.
    # The argument list is built as a Jinja list expression so each element is
    # passed as one argv entry (no shell, no word splitting).
    #   --tpm2-with-pin=false : no PIN in addition to the TPM binding
    #   --wipe-slot=tpm2      : drop any previously enrolled TPM2 slot first
    #   --tpm2-pcrs=...       : only added when a PCR selection is configured;
    #                           otherwise the tool's own default PCR policy applies
    #   --unlock-key-file=... : temp-file path rewritten to the chroot view (/mnt stripped)
    # failed_when: false — success is judged by the assert task below, not here.
    - name: Enroll TPM2 token
      vars:
        configuration_luks_enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
              '--tpm2-device=' + configuration_luks_tpm2_device,
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + (
                configuration_luks_tpm2_passphrase_tempfile.path
                | regex_replace('^/mnt', '')
              )
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
        configuration_luks_enroll_chroot_args: "{{ ['arch-chroot', '/mnt'] + configuration_luks_enroll_args }}"
      ansible.builtin.command:
        argv: "{{ configuration_luks_enroll_chroot_args }}"
      register: configuration_luks_tpm2_enroll_chroot
      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
      failed_when: false

    # Second attempt, only if the chroot run returned non-zero (default(1)
    # treats a missing rc as a failure). Same arguments, but executed in the
    # installer environment, so the temp-file path is used as-is (/mnt/tmp/...).
    - name: Retry TPM2 enrollment in installer environment
      when:
        - (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
      vars:
        configuration_luks_enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
              '--tpm2-device=' + configuration_luks_tpm2_device,
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
      ansible.builtin.command:
        argv: "{{ configuration_luks_enroll_args }}"
      register: configuration_luks_tpm2_enroll_host
      changed_when: configuration_luks_tpm2_enroll_host.rc == 0
      failed_when: false

    # Either attempt returning rc 0 counts as success; otherwise fail the block
    # (and thereby enter rescue). Both rc values and stderr outputs are echoed in
    # the failure message for diagnosis — stderr is safe to print here because
    # the passphrase is never part of the command invocation.
    - name: Validate TPM2 enrollment succeeded
      ansible.builtin.assert:
        that:
          - >-
            (configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
            or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
        fail_msg: >-
          TPM2 enrollment failed.
          chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
          host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
          chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
          host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}

  # Reached on any failure in the block above; downgrades the unlock method
  # instead of aborting the play.
  rescue:
    - name: Fallback to keyfile auto-decrypt
      ansible.builtin.set_fact:
        configuration_luks_auto_method: keyfile

  # Cleanup runs whether the block succeeded, failed, or was rescued. The
  # `is defined` guard covers the case where tempfile creation itself failed
  # and no path was registered. NOTE(review): if the play is interrupted before
  # this task runs, the passphrase file stays on the target filesystem under
  # /mnt/tmp — worth checking that /mnt/tmp is not persisted into the
  # installed system.
  always:
    - name: Remove TPM2 enrollment passphrase file
      when: configuration_luks_tpm2_passphrase_tempfile.path is defined
      ansible.builtin.file:
        path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
        state: absent
      changed_when: false