From 86be5860c4a017704e7a0f3bceb37a9acc639133 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Mon, 19 Aug 2024 14:12:43 -0700
Subject: [PATCH] feat: add optional pin for luks tpm2 unlock just command (#297)
Co-authored-by: Kyle Gospodnetich
---
 build/ublue-os-luks/luks-enable-tpm2-autounlock | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index 0e232c9..cb5741d 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
@@ -43,6 +43,13 @@ else
 exit 1
 fi
+SET_PIN_ARG=""
+read -p "Would you like to set a pin? " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+ SET_PIN_ARG=" --tpm2-with-pin=yes "
+fi
+
 # Specify Crypt Disk by-uuid
 CRYPT_DISK="/dev/disk/by-uuid/$DISK_UUID"
@@ -63,7 +70,7 @@ fi
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$SET_PIN_ARG" "$CRYPT_DISK"
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
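Review bot: The new prompt silently defaults to "no PIN" on Enter or any key other than y/Y, and nothing tells the user what that trade-off is: without a PIN the volume unlocks for whoever holds the disk and the TPM, and only PCR 7 (Secure Boot state, per the existing `--tpm2-pcrs=7`) stands in the way. The prompt text should make the default and the consequence explicit, e.g. `read -p "Set a PIN for TPM2 unlock (recommended; without one the disk unlocks on boot with no user input)? [y/N] " -n 1 -r`. A short comment above the block would also help a maintainer, e.g. `# Optional PIN: systemd-cryptenroll will prompt for it itself; an empty or non-y answer enrolls without one.` The `-r` and the `[[ $REPLY =~ ^[Yy]$ ]]` match are fine; the surrounding `if … fi` the hunk starts from opens before the hunk.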
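Review bot: Passing `"$SET_PIN_ARG"` quoted breaks both branches of the new option: when no PIN was requested it hands systemd-cryptenroll an empty positional argument before the device, and when one was requested it hands it the single argument `" --tpm2-with-pin=yes "` with its padding spaces, which does not start with `-` and so is not parsed as the option. In both cases the enrollment is likely to fail or be rejected as too many arguments rather than enroll a PIN, and I would expect the PIN path to have no effect in testing. The idiomatic fix is an array so the option appears only when set: in the earlier hunk `SET_PIN_ARG=()` and `SET_PIN_ARG+=(--tpm2-with-pin=yes)`, and here `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "${SET_PIN_ARG[@]}" "$CRYPT_DISK"`. If the script runs under `set -u`, note that an empty `"${arr[@]}"` expansion errors on bash older than 4.4 (I cannot see the script's `set` line from here), in which case `${SET_PIN_ARG[@]+"${SET_PIN_ARG[@]}"}` is the portable form. The `if lsinitrd …` block on the last line continues outside the hunk.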