#!/bin/sh
# shellcheck shell=dash
# initialize and/or read key from TPM chip

set -e

# This script is a NON SECURE version to fake reading
# a key from a TPM chip. For production the commented
# code block needs to be set active ! Thus all of the
# following is just to illustrate the idea
#
echo "my-non-secure-key"

# trap "rm -f /run/key" EXIT

# select one encrypted registry device for initial key check
# is_insecure=0
# container_store_dev=/dev/disk/by-partlabel/p.lxinstance
# if cryptsetup --key-file /dev/zero --keyfile-size 32 luksOpen $container_store_dev luksInstances &>/dev/null;then
#     is_insecure=1
#     cryptsetup luksClose luksInstances &>/dev/null
# fi
#
# if [ "$is_insecure" = "1" ]; then
#     tpm_key=/run/key
#     tpm_takeownership -y -z
#     tpm_nvrelease -i 1 -y || true # in case NVRAM area does not exist
#     tpm_nvdefine -i 1 -s 32 -p "AUTHREAD|AUTHWRITE" -y -z
#     pwgen 32 1 > "${tpm_key}"
#     tpm_nvwrite -i 1 -s 32 -f "${tpm_key}" -z
#     tpm_nvread -i 1 -s 32 -z
# else
#     tpm_nvread -i 1 -s 32 -z
# fi
