2023-02-08 21:01:48 +00:00
|
|
|
#!/bin/bash
|
2017-07-08 20:59:37 +00:00
|
|
|
# Generic configurable boot script via kexec
|
2017-07-12 04:17:45 +00:00
|
|
|
set -e -o pipefail
|
2018-12-06 23:24:28 +00:00
|
|
|
. /tmp/config
|
2017-07-03 03:01:04 +00:00
|
|
|
. /etc/functions
|
2024-06-06 22:59:13 +00:00
|
|
|
. /etc/gui_functions
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2024-02-01 19:30:31 +00:00
|
|
|
TRACE_FUNC
|
2023-02-18 17:58:43 +00:00
|
|
|
|
2017-07-04 23:49:14 +00:00
|
|
|
add=""
|
|
|
|
|
remove=""
|
|
|
|
|
config="*.cfg"
|
|
|
|
|
unique="n"
|
2017-07-08 20:59:37 +00:00
|
|
|
valid_hash="n"
|
|
|
|
|
valid_global_hash="n"
|
|
|
|
|
valid_rollback="n"
|
2017-07-22 18:57:46 +00:00
|
|
|
force_menu="n"
|
2018-02-22 21:18:16 +00:00
|
|
|
gui_menu="n"
|
2018-03-05 22:46:15 +00:00
|
|
|
force_boot="n"
|
2019-05-19 01:13:32 +00:00
|
|
|
skip_confirm="n"
|
|
|
|
|
while getopts "b:d:p:a:r:c:uimgfs" arg; do
|
2017-07-04 23:49:14 +00:00
|
|
|
case $arg in
|
2023-11-02 18:17:38 +00:00
|
|
|
b) bootdir="$OPTARG" ;;
|
|
|
|
|
d) paramsdev="$OPTARG" ;;
|
|
|
|
|
p) paramsdir="$OPTARG" ;;
|
|
|
|
|
a) add="$OPTARG" ;;
|
|
|
|
|
r) remove="$OPTARG" ;;
|
|
|
|
|
c) config="$OPTARG" ;;
|
|
|
|
|
u) unique="y" ;;
|
|
|
|
|
m) force_menu="y" ;;
|
|
|
|
|
i)
|
|
|
|
|
valid_hash="y"
|
|
|
|
|
valid_rollback="y"
|
|
|
|
|
;;
|
|
|
|
|
g) gui_menu="y" ;;
|
|
|
|
|
f)
|
|
|
|
|
force_boot="y"
|
|
|
|
|
valid_hash="y"
|
|
|
|
|
valid_rollback="y"
|
|
|
|
|
;;
|
|
|
|
|
s) skip_confirm="y" ;;
|
2017-07-04 23:49:14 +00:00
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ -z "$bootdir" ]; then
|
2017-07-17 16:43:14 +00:00
|
|
|
die "Usage: $0 -b /boot"
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-04 23:49:14 +00:00
|
|
|
if [ -z "$paramsdev" ]; then
|
|
|
|
|
paramsdev="$bootdir"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ -z "$paramsdir" ]; then
|
|
|
|
|
paramsdir="$bootdir"
|
|
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-22 18:25:39 +00:00
|
|
|
bootdir="${bootdir%%/}"
|
|
|
|
|
paramsdev="${paramsdev%%/}"
|
|
|
|
|
paramsdir="${paramsdir%%/}"
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
|
|
|
|
|
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
|
|
|
if [ -r "$PRIMHASH_FILE" ]; then
|
|
|
|
|
sha256sum -c "$PRIMHASH_FILE" ||
|
|
|
|
|
{
|
|
|
|
|
echo "FATAL: Hash of TPM2 primary key handle mismatch!"
|
|
|
|
|
warn "If you have not intentionally regenerated TPM2 primary key,"
|
|
|
|
|
warn "your system may have been compromised"
|
|
|
|
|
DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE"
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
warn "Hash of TPM2 primary key handle does not exist"
|
2024-06-03 22:07:08 +00:00
|
|
|
warn "Please rebuild the TPM2 primary key handle by settings a default OS to boot."
|
|
|
|
|
warn "Select Options-> Boot Options -> Show OS Boot Menu -> <Pick OS> -> Make default"
|
2024-03-27 14:04:10 +00:00
|
|
|
#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
|
2023-11-02 18:17:38 +00:00
|
|
|
default_failed="y"
|
|
|
|
|
DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
2023-10-23 21:23:38 +00:00
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
verify_global_hashes() {
|
2017-07-08 20:59:37 +00:00
|
|
|
echo "+++ Checking verified boot hash file "
|
|
|
|
|
# Check the hashes of all the files
|
2023-11-02 18:17:38 +00:00
|
|
|
if verify_checksums "$bootdir" "$gui_menu"; then
|
2017-07-08 20:59:37 +00:00
|
|
|
echo "+++ Verified boot hashes "
|
|
|
|
|
valid_hash='y'
|
|
|
|
|
valid_global_hash='y'
|
|
|
|
|
else
|
2018-03-08 19:41:44 +00:00
|
|
|
if [ "$gui_menu" = "y" ]; then
|
|
|
|
|
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
|
2024-06-06 22:59:13 +00:00
|
|
|
whiptail_error --title 'ERROR: Boot Hash Mismatch' \
|
2022-11-09 16:51:27 +00:00
|
|
|
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
|
2018-03-08 19:41:44 +00:00
|
|
|
fi
|
2017-07-08 20:59:37 +00:00
|
|
|
die "$TMP_HASH_FILE: boot hash mismatch"
|
|
|
|
|
fi
|
2023-11-02 18:17:38 +00:00
|
|
|
# If user enables it, check root hashes before boot as well
|
|
|
|
|
if [[ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" && "$force_menu" == "n" ]]; then
|
|
|
|
|
if root-hashes-gui.sh -c; then
|
|
|
|
|
echo "+++ Verified root hashes, continuing boot "
|
|
|
|
|
# if user re-signs, it wipes out saved options, so scan the boot directory and generate
|
|
|
|
|
if [ ! -r "$TMP_MENU_FILE" ]; then
|
|
|
|
|
scan_options
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
# root-hashes-gui.sh handles the GUI error menu, just die here
|
|
|
|
|
if [ "$gui_menu" = "y" ]; then
|
2024-06-06 22:59:13 +00:00
|
|
|
whiptail_error --title 'ERROR: Root Hash Mismatch' \
|
2023-11-02 18:17:38 +00:00
|
|
|
--msgbox "The root hash check failed!\nExiting to a recovery shell" 0 80
|
|
|
|
|
fi
|
|
|
|
|
die "root hash mismatch, see /tmp/hash_output_mismatches for details"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
2017-07-08 20:59:37 +00:00
|
|
|
}
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
verify_rollback_counter() {
|
|
|
|
|
TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
|
2017-07-08 20:59:37 +00:00
|
|
|
if [ -z "$TPM_COUNTER" ]; then
|
|
|
|
|
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
|
|
|
|
|
fi
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
read_tpm_counter $TPM_COUNTER ||
|
|
|
|
|
die "Failed to read TPM counter"
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
sha256sum -c $TMP_ROLLBACK_FILE ||
|
|
|
|
|
die "Invalid TPM counter state"
|
2017-07-08 20:59:37 +00:00
|
|
|
|
|
|
|
|
valid_rollback="y"
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-03 17:07:03 +00:00
|
|
|
first_menu="y"
|
2017-07-03 03:01:04 +00:00
|
|
|
get_menu_option() {
|
2023-11-02 18:17:38 +00:00
|
|
|
num_options=$(cat $TMP_MENU_FILE | wc -l)
|
2017-07-03 17:07:03 +00:00
|
|
|
if [ $num_options -eq 0 ]; then
|
2017-07-08 20:59:37 +00:00
|
|
|
die "No boot options"
|
2017-07-03 17:07:03 +00:00
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-03 17:07:03 +00:00
|
|
|
if [ $num_options -eq 1 -a $first_menu = "y" ]; then
|
|
|
|
|
option_index=1
|
2018-02-22 21:18:16 +00:00
|
|
|
elif [ "$gui_menu" = "y" ]; then
|
|
|
|
|
MENU_OPTIONS=""
|
|
|
|
|
n=0
|
2023-11-02 18:17:38 +00:00
|
|
|
while read option; do
|
2018-02-22 21:18:16 +00:00
|
|
|
parse_option
|
2023-11-02 18:17:38 +00:00
|
|
|
n=$(expr $n + 1)
|
2018-02-22 21:18:16 +00:00
|
|
|
name=$(echo $name | tr " " "_")
|
2022-03-15 17:00:20 +00:00
|
|
|
MENU_OPTIONS="$MENU_OPTIONS $n ${name} "
|
2023-11-02 18:17:38 +00:00
|
|
|
done <$TMP_MENU_FILE
|
2018-02-22 21:18:16 +00:00
|
|
|
|
2022-11-15 20:11:58 +00:00
|
|
|
whiptail --title "Select your boot option" \
|
2022-11-09 16:51:27 +00:00
|
|
|
--menu "Choose the boot option [1-$n, a to abort]:" 0 80 8 \
|
2018-02-22 21:18:16 +00:00
|
|
|
-- $MENU_OPTIONS \
|
|
|
|
|
2>/tmp/whiptail || die "Aborting boot attempt"
|
|
|
|
|
|
|
|
|
|
option_index=$(cat /tmp/whiptail)
|
2017-07-03 17:07:03 +00:00
|
|
|
else
|
|
|
|
|
echo "+++ Select your boot option:"
|
|
|
|
|
n=0
|
2023-11-02 18:17:38 +00:00
|
|
|
while read option; do
|
2017-07-03 17:07:03 +00:00
|
|
|
parse_option
|
2023-11-02 18:17:38 +00:00
|
|
|
n=$(expr $n + 1)
|
2017-07-03 17:07:03 +00:00
|
|
|
echo "$n. $name [$kernel]"
|
2023-11-02 18:17:38 +00:00
|
|
|
done <$TMP_MENU_FILE
|
2017-07-03 17:07:03 +00:00
|
|
|
|
|
|
|
|
read \
|
|
|
|
|
-p "Choose the boot option [1-$n, a to abort]: " \
|
|
|
|
|
option_index
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-03 17:07:03 +00:00
|
|
|
if [ "$option_index" = "a" ]; then
|
2017-07-08 20:59:37 +00:00
|
|
|
die "Aborting boot attempt"
|
2017-07-03 17:07:03 +00:00
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
fi
|
2017-07-03 17:07:03 +00:00
|
|
|
first_menu="n"
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
option=$(head -n $option_index $TMP_MENU_FILE | tail -1)
|
2017-07-03 03:01:04 +00:00
|
|
|
parse_option
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
confirm_menu_option() {
|
2018-02-28 20:06:06 +00:00
|
|
|
if [ "$gui_menu" = "y" ]; then
|
2022-03-15 17:01:49 +00:00
|
|
|
default_text="Make default"
|
|
|
|
|
[[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot"
|
2024-06-06 22:59:13 +00:00
|
|
|
whiptail_warning --title "Confirm boot details" \
|
2023-11-02 18:17:38 +00:00
|
|
|
--menu "Confirm the boot details for $name:\n\n$(echo $kernel | fold -s -w 80) \n\n" 0 80 8 \
|
2022-03-15 17:01:49 +00:00
|
|
|
-- 'd' "${default_text}" 'y' "Boot one time" \
|
2018-02-22 21:18:16 +00:00
|
|
|
2>/tmp/whiptail || die "Aborting boot attempt"
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2018-02-22 21:18:16 +00:00
|
|
|
option_confirm=$(cat /tmp/whiptail)
|
2018-02-28 20:06:06 +00:00
|
|
|
else
|
2018-02-22 21:18:16 +00:00
|
|
|
echo "+++ Please confirm the boot details for $name:"
|
|
|
|
|
echo $option
|
|
|
|
|
|
|
|
|
|
read \
|
|
|
|
|
-n 1 \
|
|
|
|
|
-p "Confirm selection by pressing 'y', make default with 'd': " \
|
|
|
|
|
option_confirm
|
|
|
|
|
echo
|
2018-02-28 20:06:06 +00:00
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parse_option() {
|
2023-11-02 18:17:38 +00:00
|
|
|
name=$(echo $option | cut -d\| -f1)
|
|
|
|
|
kernel=$(echo $option | cut -d\| -f3)
|
2017-07-03 03:01:04 +00:00
|
|
|
}
|
|
|
|
|
|
2017-07-04 23:49:14 +00:00
|
|
|
scan_options() {
|
2017-07-03 03:01:04 +00:00
|
|
|
echo "+++ Scanning for unsigned boot options"
|
|
|
|
|
option_file="/tmp/kexec_options.txt"
|
2022-11-16 19:24:28 +00:00
|
|
|
scan_boot_options "$bootdir" "$config" "$option_file"
|
2020-07-29 03:26:20 +00:00
|
|
|
if [ ! -s $option_file ]; then
|
2017-07-08 20:59:37 +00:00
|
|
|
die "Failed to parse any boot options"
|
2017-07-03 03:01:04 +00:00
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
if [ "$unique" = 'y' ]; then
|
2023-11-02 18:17:38 +00:00
|
|
|
sort -r $option_file | uniq >$TMP_MENU_FILE
|
2017-07-04 23:49:14 +00:00
|
|
|
else
|
|
|
|
|
cp $option_file $TMP_MENU_FILE
|
|
|
|
|
fi
|
|
|
|
|
}
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-08 20:59:37 +00:00
|
|
|
save_default_option() {
|
2022-03-15 17:03:04 +00:00
|
|
|
if [ "$gui_menu" != "y" ]; then
|
|
|
|
|
read \
|
|
|
|
|
-n 1 \
|
|
|
|
|
-p "Saving a default will modify the disk. Proceed? (Y/n): " \
|
|
|
|
|
default_confirm
|
|
|
|
|
echo
|
|
|
|
|
fi
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2019-07-09 16:43:06 +00:00
|
|
|
[ "$default_confirm" = "" ] && default_confirm="y"
|
|
|
|
|
if [[ "$default_confirm" = "y" || "$default_confirm" = "Y" ]]; then
|
2017-07-08 20:59:37 +00:00
|
|
|
if kexec-save-default \
|
|
|
|
|
-b "$bootdir" \
|
|
|
|
|
-d "$paramsdev" \
|
|
|
|
|
-p "$paramsdir" \
|
|
|
|
|
-i "$option_index" \
|
2023-11-02 18:17:38 +00:00
|
|
|
; then
|
2017-07-08 20:59:37 +00:00
|
|
|
echo "+++ Saved defaults to device"
|
|
|
|
|
sleep 2
|
|
|
|
|
default_failed="n"
|
2017-07-22 18:57:46 +00:00
|
|
|
force_menu="n"
|
2017-07-08 20:59:37 +00:00
|
|
|
return
|
|
|
|
|
else
|
|
|
|
|
echo "Failed to save defaults"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
option_confirm="n"
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-04 23:49:14 +00:00
|
|
|
default_select() {
|
|
|
|
|
# Attempt boot with expected parameters
|
|
|
|
|
|
|
|
|
|
# Check that entry matches that which is expected from menu
|
2023-11-02 18:17:38 +00:00
|
|
|
default_index=$(basename "$TMP_DEFAULT_FILE" | cut -d. -f 2)
|
2017-07-04 23:49:14 +00:00
|
|
|
|
|
|
|
|
# Check to see if entries have changed - useful for detecting grub update
|
2023-11-02 18:17:38 +00:00
|
|
|
expectedoption=$(cat $TMP_DEFAULT_FILE)
|
|
|
|
|
option=$(head -n $default_index $TMP_MENU_FILE | tail -1)
|
2017-07-04 23:49:14 +00:00
|
|
|
if [ "$option" != "$expectedoption" ]; then
|
2018-04-04 21:25:22 +00:00
|
|
|
if [ "$gui_menu" = "y" ]; then
|
2024-06-06 22:59:13 +00:00
|
|
|
whiptail_error --title 'ERROR: Boot Entry Has Changed' \
|
2023-06-30 18:21:11 +00:00
|
|
|
--msgbox "The list of boot entries has changed\n\nPlease set a new default" 0 80
|
2018-04-04 21:25:22 +00:00
|
|
|
fi
|
2023-08-22 18:34:29 +00:00
|
|
|
warn "Boot entry has changed - please set a new default"
|
2018-04-04 21:27:31 +00:00
|
|
|
return
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
|
|
|
|
parse_option
|
|
|
|
|
|
2023-06-21 18:36:28 +00:00
|
|
|
if [ "$CONFIG_BASIC" != "y" ]; then
|
2022-03-15 17:05:04 +00:00
|
|
|
# Enforce that default option hashes are valid
|
|
|
|
|
echo "+++ Checking verified default boot hash file "
|
|
|
|
|
# Check the hashes of all the files
|
2023-11-02 18:17:38 +00:00
|
|
|
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
|
2022-03-15 17:05:04 +00:00
|
|
|
echo "+++ Verified default boot hashes "
|
|
|
|
|
valid_hash='y'
|
|
|
|
|
else
|
|
|
|
|
if [ "$gui_menu" = "y" ]; then
|
|
|
|
|
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
|
2024-06-06 22:59:13 +00:00
|
|
|
whiptail_error --title 'ERROR: Default Boot Hash Mismatch' \
|
2022-03-15 17:05:04 +00:00
|
|
|
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
|
|
|
|
|
fi
|
2018-03-08 19:41:44 +00:00
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
2017-07-03 03:01:04 +00:00
|
|
|
|
2017-07-04 23:49:14 +00:00
|
|
|
echo "+++ Executing default boot for $name:"
|
2017-07-08 20:59:37 +00:00
|
|
|
do_boot
|
|
|
|
|
warn "Failed to boot default option"
|
2017-07-04 23:49:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user_select() {
|
|
|
|
|
# No default expected boot parameters, ask user
|
|
|
|
|
|
|
|
|
|
option_confirm=""
|
2023-11-02 18:17:38 +00:00
|
|
|
while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]; do
|
2017-07-04 23:49:14 +00:00
|
|
|
get_menu_option
|
2023-11-02 18:17:38 +00:00
|
|
|
# In force boot mode, no need offer the option to set a default, just boot
|
2019-05-19 01:13:32 +00:00
|
|
|
if [[ "$force_boot" = "y" || "$skip_confirm" = "y" ]]; then
|
2018-04-20 21:11:49 +00:00
|
|
|
do_boot
|
|
|
|
|
else
|
|
|
|
|
confirm_menu_option
|
|
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
|
|
|
|
|
if [ "$option_confirm" = 'd' ]; then
|
2017-07-08 20:59:37 +00:00
|
|
|
save_default_option
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ "$option_confirm" = "d" ]; then
|
2017-07-22 18:57:46 +00:00
|
|
|
if [ ! -r "$TMP_KEY_DEVICES" ]; then
|
2023-03-25 21:06:47 +00:00
|
|
|
# continue below to boot the new default option
|
|
|
|
|
true
|
2017-07-22 18:57:46 +00:00
|
|
|
else
|
|
|
|
|
echo "+++ Rebooting to start the new default option"
|
|
|
|
|
sleep 2
|
2023-02-23 22:05:15 +00:00
|
|
|
if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
|
2023-11-02 18:17:38 +00:00
|
|
|
reboot ||
|
|
|
|
|
die "!!! Failed to reboot system"
|
2023-02-23 22:05:15 +00:00
|
|
|
else
|
|
|
|
|
DEBUG "Rebooting is required prior of booting default boot entry"
|
2023-02-24 21:47:07 +00:00
|
|
|
# Instead of rebooting, drop to a recovery shell
|
|
|
|
|
# for a chance to inspect debug output
|
2023-03-09 18:28:04 +00:00
|
|
|
recovery "Entering recovery to permit inspection of /tmp/debug.log output, reboot to continue"
|
2023-02-23 22:05:15 +00:00
|
|
|
fi
|
2017-07-22 18:57:46 +00:00
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
|
|
|
|
|
2017-07-08 20:59:37 +00:00
|
|
|
do_boot
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
do_boot() {
|
2023-07-07 18:34:05 +00:00
|
|
|
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" ] && [ "$valid_rollback" = "n" ]; then
|
2017-07-22 18:57:46 +00:00
|
|
|
die "!!! Missing required rollback counter state"
|
2017-07-08 20:59:37 +00:00
|
|
|
fi
|
|
|
|
|
|
2023-07-07 18:34:05 +00:00
|
|
|
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_HASH" = "y" ] && [ "$valid_hash" = "n" ]; then
|
2017-07-22 18:57:46 +00:00
|
|
|
die "!!! Missing required boot hashes"
|
2017-07-04 23:49:14 +00:00
|
|
|
fi
|
|
|
|
|
|
2023-07-07 18:34:05 +00:00
|
|
|
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_TPM" = "y" ] && [ -r "$TMP_KEY_DEVICES" ]; then
|
2023-11-02 18:17:38 +00:00
|
|
|
INITRD=$(kexec-boot -b "$bootdir" -e "$option" -i) ||
|
|
|
|
|
die "!!! Failed to extract the initrd from boot option"
|
2017-07-12 04:17:45 +00:00
|
|
|
if [ -z "$INITRD" ]; then
|
|
|
|
|
die "!!! No initrd file found in boot option"
|
|
|
|
|
fi
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
kexec-insert-key $INITRD ||
|
2024-03-27 14:04:10 +00:00
|
|
|
die "!!! Failed to prepare TPM Disk Unlock Key for boot"
|
2017-07-12 04:17:45 +00:00
|
|
|
|
|
|
|
|
kexec-boot -b "$bootdir" -e "$option" \
|
2023-11-02 18:17:38 +00:00
|
|
|
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" ||
|
|
|
|
|
die "!!! Failed to boot w/ options: $option"
|
2017-07-12 04:17:45 +00:00
|
|
|
else
|
2023-11-02 18:17:38 +00:00
|
|
|
kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" ||
|
|
|
|
|
die "!!! Failed to boot w/ options: $option"
|
2017-07-12 04:17:45 +00:00
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while true; do
|
2023-06-21 18:36:28 +00:00
|
|
|
if [ "$force_boot" = "y" -o "$CONFIG_BASIC" = "y" ]; then
|
2023-11-02 18:17:38 +00:00
|
|
|
check_config $paramsdir force
|
2018-03-14 17:24:14 +00:00
|
|
|
else
|
2023-11-02 18:17:38 +00:00
|
|
|
check_config $paramsdir
|
2018-03-14 17:24:14 +00:00
|
|
|
fi
|
2023-11-02 18:17:38 +00:00
|
|
|
TMP_DEFAULT_FILE=$(find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1) || true
|
2017-07-04 23:49:14 +00:00
|
|
|
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
|
|
|
|
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
2022-12-31 17:41:24 +00:00
|
|
|
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
2017-07-04 23:49:14 +00:00
|
|
|
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
|
2017-07-08 20:59:37 +00:00
|
|
|
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
|
2017-07-12 04:17:45 +00:00
|
|
|
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
|
|
|
|
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
|
|
|
|
|
|
2023-11-02 18:17:38 +00:00
|
|
|
# Allow a way for users to ignore warnings and boot into their systems
|
|
|
|
|
# even if hashes don't match
|
2018-03-05 22:46:15 +00:00
|
|
|
if [ "$force_boot" = "y" ]; then
|
|
|
|
|
scan_options
|
2023-06-21 18:36:28 +00:00
|
|
|
if [ "$CONFIG_BASIC" != "y" ]; then
|
2022-03-15 17:05:04 +00:00
|
|
|
# Remove boot splash and make background red in the event of a forced boot
|
|
|
|
|
add="$add vt.default_red=0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff"
|
|
|
|
|
remove="$remove splash quiet"
|
|
|
|
|
fi
|
2018-03-05 22:46:15 +00:00
|
|
|
user_select
|
|
|
|
|
fi
|
|
|
|
|
|
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized). Some checks were
incorrect and are fixed by this change. Most checks are now unchanged
relative to master.
There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2. Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.
Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it
is always 'y' or 'n', and 'y' means "any TPM". Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.
There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-22 21:30:07 +00:00
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
2022-08-25 18:43:31 +00:00
|
|
|
if [ ! -r "$TMP_KEY_DEVICES" ]; then
|
|
|
|
|
# Extend PCR4 as soon as possible
|
TPM extend ops: Augment output of TPM1/TMP22 for filename and file content hash ops
Debug logtrace, screenshots of non-debug will be added in PR #1758
TPM1:
[ 4.815559] [U] hello world
[ 5.099000] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
[ 5.122059] TRACE: Under init
[ 5.165917] DEBUG: Applying panic_on_oom setting to sysctl
[ 5.388757] TRACE: /bin/cbfs-init(5): main
[ 5.516637] TRACE: /bin/cbfs-init(24): main
[ 5.662271] DEBUG: TPM: Will extend PCR[7] with hash of filename /.gnupg/pubring.kbx
[ 5.732223] TRACE: /bin/tpmr(790): main
[ 5.785372] DEBUG: TPM: Extending PCR[7] with hash 7ccf4f64044946cf4e5b0efe3d959f00562227ae
[ 5.838082] DEBUG: exec tpm extend -ix 7 -ic /.gnupg/pubring.kbx
[ 6.081466] DEBUG: TPM: Will extend PCR[7] hash content of file /.gnupg/pubring.kbx
[ 6.147455] TRACE: /bin/tpmr(790): main
[ 6.196545] DEBUG: TPM: Extending PCR[7] with hash ee79223a3b9724ad1aab290a3785132805c79eae
[ 6.251251] DEBUG: exec tpm extend -ix 7 -if /.gnupg/pubring.kbx
[ 6.445119] TRACE: /bin/cbfs-init(24): main
[ 6.585854] DEBUG: TPM: Will extend PCR[7] with hash of filename /.gnupg/trustdb.gpg
[ 6.659172] TRACE: /bin/tpmr(790): main
[ 6.707564] DEBUG: TPM: Extending PCR[7] with hash 7236ea8e612c1435259a8a0f8e0a8f1f5dba7042
[ 6.757645] DEBUG: exec tpm extend -ix 7 -ic /.gnupg/trustdb.gpg
[ 7.013547] DEBUG: TPM: Will extend PCR[7] hash content of file /.gnupg/trustdb.gpg
[ 7.082863] TRACE: /bin/tpmr(790): main
[ 7.131022] DEBUG: TPM: Extending PCR[7] with hash ca8898407cacd96d6f2de90ae90825351be81c62
[ 7.183344] DEBUG: exec tpm extend -ix 7 -if /.gnupg/trustdb.gpg
[ 7.413787] TRACE: /bin/key-init(6): main
[ 8.718367] TRACE: Under /etc/ash_functions:combine_configs
[ 8.803914] TRACE: Under /etc/ash_functions:pause_recovery
!!! Hit enter to proceed to recovery shell !!!
[ 9.045341] TRACE: /bin/setconsolefont.sh(6): main
[ 9.096853] DEBUG: Board does not ship setfont, not checking console font
[ 9.320494] TRACE: /bin/gui-init(641): main
[ 9.356729] TRACE: Under /etc/ash_functions:enable_usb
[ 9.445981] TRACE: /sbin/insmod(9): main
[ 9.609464] TRACE: /sbin/insmod(53): main
[ 9.660145] DEBUG: No module parameters, extending only with the module's content
[ 9.791896] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ehci-hcd.ko
[ 9.860477] TRACE: /bin/tpmr(790): main
[ 9.914849] DEBUG: TPM: Extending PCR[5] with hash bc9ff28a99e314cda69695ba34b26ed0d8b1e4ed
[ 9.976867] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-hcd.ko
[ 10.146966] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod
[ 10.184086] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 10.276564] TRACE: /sbin/insmod(9): main
[ 10.433503] TRACE: /sbin/insmod(53): main
[ 10.486272] DEBUG: No module parameters, extending only with the module's content
[ 10.620200] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/uhci-hcd.ko
[ 10.698710] TRACE: /bin/tpmr(790): main
[ 10.750637] DEBUG: TPM: Extending PCR[5] with hash bcb2f15c7eb52484072a76fc8a0d7399f6cf2189
[ 10.808379] DEBUG: exec tpm extend -ix 5 -if /lib/modules/uhci-hcd.ko
[ 10.996254] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod
[ 11.026108] uhci_hcd: USB Universal Host Controller Interface driver
[ 11.040703] uhci_hcd 0000:00:1d.0: UHCI Host Controller
[ 11.053129] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1
[ 11.061568] uhci_hcd 0000:00:1d.0: detected 2 ports
[ 11.070973] uhci_hcd 0000:00:1d.0: irq 16, io base 0x0000ff00
[ 11.089004] hub 1-0:1.0: USB hub found
[ 11.097535] hub 1-0:1.0: 2 ports detected
[ 11.114890] uhci_hcd 0000:00:1d.1: UHCI Host Controller
[ 11.123848] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2
[ 11.134989] uhci_hcd 0000:00:1d.1: detected 2 ports
[ 11.142404] uhci_hcd 0000:00:1d.1: irq 17, io base 0x0000fee0
[ 11.153338] hub 2-0:1.0: USB hub found
[ 11.160572] hub 2-0:1.0: 2 ports detected
[ 11.176481] uhci_hcd 0000:00:1d.2: UHCI Host Controller
[ 11.183898] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 3
[ 11.193509] uhci_hcd 0000:00:1d.2: detected 2 ports
[ 11.201574] uhci_hcd 0000:00:1d.2: irq 18, io base 0x0000fec0
[ 11.211182] hub 3-0:1.0: USB hub found
[ 11.219256] hub 3-0:1.0: 2 ports detected
[ 11.314467] TRACE: /sbin/insmod(9): main
[ 11.468430] TRACE: /sbin/insmod(53): main
[ 11.521914] DEBUG: No module parameters, extending only with the module's content
[ 11.656647] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ohci-hcd.ko
[ 11.726721] TRACE: /bin/tpmr(790): main
[ 11.778253] DEBUG: TPM: Extending PCR[5] with hash f563e46fbbed46423a1e10219953233d310792f5
[ 11.831718] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-hcd.ko
[ 12.010752] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod
[ 12.044192] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 12.136462] TRACE: /sbin/insmod(9): main
[ 12.293409] TRACE: /sbin/insmod(53): main
[ 12.345947] DEBUG: No module parameters, extending only with the module's content
[ 12.481562] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ohci-pci.ko
[ 12.547754] TRACE: /bin/tpmr(790): main
[ 12.604827] DEBUG: TPM: Extending PCR[5] with hash a24699fdaac9976cc9447fd0cd444a469299ad2f
[ 12.661256] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-pci.ko
[ 12.847247] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod
[ 12.870986] ohci-pci: OHCI PCI platform driver
[ 12.959387] TRACE: /sbin/insmod(9): main
[ 13.112275] TRACE: /sbin/insmod(53): main
[ 13.163112] DEBUG: No module parameters, extending only with the module's content
[ 13.291360] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ehci-pci.ko
[ 13.364853] TRACE: /bin/tpmr(790): main
[ 13.438536] DEBUG: TPM: Extending PCR[5] with hash b80a90e11a01eba40bb7e566f3374d0aad326acb
[ 13.505500] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-pci.ko
[ 13.679865] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod
[ 13.704539] ehci-pci: EHCI PCI platform driver
[ 13.725570] ehci-pci 0000:00:1d.7: EHCI Host Controller
[ 13.735562] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 4
[ 13.745092] ehci-pci 0000:00:1d.7: irq 19, io mem 0xfcf80000
[ 13.773286] ehci-pci 0000:00:1d.7: USB 2.0 started, EHCI 1.00
[ 13.783544] hub 4-0:1.0: USB hub found
[ 13.791110] hub 4-0:1.0: 6 ports detected
[ 13.800844] hub 1-0:1.0: USB hub found
[ 13.807808] hub 1-0:1.0: 2 ports detected
[ 13.823094] hub 2-0:1.0: USB hub found
[ 13.829910] hub 2-0:1.0: 2 ports detected
[ 13.839182] hub 3-0:1.0: USB hub found
[ 13.846231] hub 3-0:1.0: 2 ports detected
[ 13.946297] TRACE: /sbin/insmod(9): main
[ 14.099143] TRACE: /sbin/insmod(53): main
[ 14.149765] DEBUG: No module parameters, extending only with the module's content
[ 14.291413] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/xhci-hcd.ko
[ 14.372815] TRACE: /bin/tpmr(790): main
[ 14.426919] DEBUG: TPM: Extending PCR[5] with hash 1fc55e846b9d5c93e58c6c8b6f867e744fa694bc
[ 14.482815] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-hcd.ko
[ 14.670419] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod
[ 14.783374] TRACE: /sbin/insmod(9): main
[ 14.939364] TRACE: /sbin/insmod(53): main
[ 14.995136] DEBUG: No module parameters, extending only with the module's content
[ 15.135482] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/xhci-pci.ko
[ 15.204263] TRACE: /bin/tpmr(790): main
[ 15.255478] DEBUG: TPM: Extending PCR[5] with hash bbdd85242570aa438b908420a43b8d7042db8b4f
[ 15.305598] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-pci.ko
[ 15.480844] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod
[ 15.512476] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 15.528230] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 5
[ 15.540456] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
[ 15.554225] hub 5-0:1.0: USB hub found
[ 15.562061] hub 5-0:1.0: 4 ports detected
[ 15.572058] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 15.589966] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 6
[ 15.598116] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
[ 15.606150] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM.
[ 15.616354] hub 6-0:1.0: USB hub found
[ 15.623767] hub 6-0:1.0: 4 ports detected
[ 15.909854] usb 5-1: new high-speed USB device number 2 using xhci_hcd
[ 16.193548] usb 6-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[ 16.345381] usb 5-3: new full-speed USB device number 3 using xhci_hcd
[ 17.674973] TRACE: /etc/functions(715): detect_boot_device
[ 17.718114] TRACE: /etc/functions(682): mount_possible_boot_device
[ 17.759829] TRACE: /etc/functions(642): is_gpt_bios_grub
[ 17.833271] TRACE: /dev/vda1 is partition 1 of vda
[ 17.925490] TRACE: /etc/functions(619): find_lvm_vg_name
[ 18.068352] TRACE: Try mounting /dev/vda1 as /boot
[ 18.114444] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
[ 18.158648] TRACE: /bin/gui-init(319): clean_boot_check
[ 18.247883] TRACE: /bin/gui-init(348): check_gpg_key
[ 18.338052] TRACE: /bin/gui-init(185): update_totp
[ 18.419286] TRACE: /bin/unseal-totp(8): main
[ 18.511352] TRACE: /bin/tpmr(614): tpm1_unseal
[ 18.624811] DEBUG: Running at_exit handlers
[ 18.661992] TRACE: /bin/tpmr(390): cleanup_shred
[ 18.692897] !!! ERROR: Unable to unseal TOTP secret !!!
[ 21.295284] TRACE: /bin/unseal-totp(8): main
[ 21.386377] TRACE: /bin/tpmr(614): tpm1_unseal
[ 21.496183] DEBUG: Running at_exit handlers
[ 21.527060] TRACE: /bin/tpmr(390): cleanup_shred
[ 21.558625] !!! ERROR: Unable to unseal TOTP secret !!!
[ 24.162881] TRACE: /bin/unseal-totp(8): main
[ 24.249549] TRACE: /bin/tpmr(614): tpm1_unseal
[ 24.362331] DEBUG: Running at_exit handlers
[ 24.394154] TRACE: /bin/tpmr(390): cleanup_shred
[ 24.427400] !!! ERROR: Unable to unseal TOTP secret !!!
[ 26.475340] DEBUG: CONFIG_TPM: y
[ 26.521538] DEBUG: CONFIG_TPM2_TOOLS:
[ 26.578490] DEBUG: Show PCRs
[ 26.730805] DEBUG: PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.751488] PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.778571] PCR-02: C0 A9 54 C8 45 5C 78 49 80 EC 1C DB D8 E8 9B CC 65 11 58 BF
[ 26.808771] PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.830508] PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.849538] PCR-05: 2C 3A 40 05 70 DB 21 89 4F CD C2 F8 D6 AE 40 DA 56 E1 B6 74
[ 26.878951] PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.895421] PCR-07: 7A 8A 4C E6 BA B0 AA 26 22 B1 26 A2 F6 36 BD F3 86 23 50 B6
TPM2:
[ 5.305235] [U] hello world
[ 5.591175] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
[ 5.615802] TRACE: Under init
[ 5.657823] DEBUG: Applying panic_on_oom setting to sysctl
[ 5.831457] TRACE: /bin/tpmr(349): tpm2_startsession
[ 6.567984] TRACE: /bin/cbfs-init(5): main
[ 6.695758] TRACE: /bin/cbfs-init(24): main
[ 6.811665] TRACE: /bin/tpmr(832): main
[ 6.870411] DEBUG: TPM: Extending PCR[7] with /.gnupg/pubring.kbx
[ 6.907262] TRACE: /bin/tpmr(234): tpm2_extend
[ 6.983504] TRACE: /bin/tpmr(247): tpm2_extend
[ 7.037543] DEBUG: TPM: Will extend PCR[7] with hash of string /.gnupg/pubring.kbx
[ 7.192665] TRACE: /bin/tpmr(265): tpm2_extend
[ 7.246318] DEBUG: TPM: Extended PCR[7] with hash 96ab5053e4630a040d55549ba73cff2178d401d763147776771f9774597b86a1
[ 7.355327] TRACE: /bin/tpmr(832): main
[ 7.409042] DEBUG: TPM: Extending PCR[7] with /.gnupg/pubring.kbx
[ 7.446920] TRACE: /bin/tpmr(234): tpm2_extend
[ 7.485782] TRACE: /bin/tpmr(252): tpm2_extend
[ 7.540496] DEBUG: TPM: Will extend PCR[7] with hash of file content /.gnupg/pubring.kbx
[ 7.759033] TRACE: /bin/tpmr(265): tpm2_extend
[ 7.811693] DEBUG: TPM: Extended PCR[7] with hash f196f9cae98362568d31638e7522eee5042286b2c18627b06b30a0275207872e
[ 7.903033] TRACE: /bin/cbfs-init(24): main
[ 8.026099] TRACE: /bin/tpmr(832): main
[ 8.077074] DEBUG: TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
[ 8.108061] TRACE: /bin/tpmr(234): tpm2_extend
[ 8.180580] TRACE: /bin/tpmr(247): tpm2_extend
[ 8.234748] DEBUG: TPM: Will extend PCR[7] with hash of string /.gnupg/trustdb.gpg
[ 8.412522] TRACE: /bin/tpmr(265): tpm2_extend
[ 8.469868] DEBUG: TPM: Extended PCR[7] with hash 53b843fe9bb52894d3a7d00197c776d56f3059f6a285124c7916724cd5013b0b
[ 8.596316] TRACE: /bin/tpmr(832): main
[ 8.655651] DEBUG: TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
[ 8.690508] TRACE: /bin/tpmr(234): tpm2_extend
[ 8.723206] TRACE: /bin/tpmr(252): tpm2_extend
[ 8.782554] DEBUG: TPM: Will extend PCR[7] with hash of file content /.gnupg/trustdb.gpg
[ 8.999969] TRACE: /bin/tpmr(265): tpm2_extend
[ 9.066744] DEBUG: TPM: Extended PCR[7] with hash abf745ef9f960af5d8b19a1acd4bc0a19da056f607b06cce6b920eab83cbbdec
[ 9.215143] TRACE: /bin/key-init(6): main
[ 10.661503] TRACE: Under /etc/ash_functions:combine_configs
[ 10.749050] TRACE: Under /etc/ash_functions:pause_recovery
!!! Hit enter to proceed to recovery shell !!!
[ 10.998267] TRACE: /bin/setconsolefont.sh(6): main
[ 11.059640] DEBUG: Board does not ship setfont, not checking console font
[ 11.303012] TRACE: /bin/gui-init(641): main
[ 11.334099] TRACE: Under /etc/ash_functions:enable_usb
[ 11.421487] TRACE: /sbin/insmod(9): main
[ 11.578754] TRACE: /sbin/insmod(53): main
[ 11.630500] DEBUG: No module parameters, extending only with the module's content
[ 11.741780] TRACE: /bin/tpmr(832): main
[ 11.789365] DEBUG: TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko
[ 11.823496] TRACE: /bin/tpmr(234): tpm2_extend
[ 11.862739] TRACE: /bin/tpmr(252): tpm2_extend
[ 11.920404] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ehci-hcd.ko
[ 12.123507] TRACE: /bin/tpmr(265): tpm2_extend
[ 12.175292] DEBUG: TPM: Extended PCR[5] with hash 40c5206f06702e45d8e6632632255258af433be0641c96f514ea75ac14523a30
[ 12.234130] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod
[ 12.278479] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 12.371875] TRACE: /sbin/insmod(9): main
[ 12.523874] TRACE: /sbin/insmod(53): main
[ 12.578418] DEBUG: No module parameters, extending only with the module's content
[ 12.697785] TRACE: /bin/tpmr(832): main
[ 12.753607] DEBUG: TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko
[ 12.786940] TRACE: /bin/tpmr(234): tpm2_extend
[ 12.819199] TRACE: /bin/tpmr(252): tpm2_extend
[ 12.879805] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/uhci-hcd.ko
[ 13.088925] TRACE: /bin/tpmr(265): tpm2_extend
[ 13.158660] DEBUG: TPM: Extended PCR[5] with hash 1877332107fb8737a5636da26d4db2c10ffe4d1db2bcbde30b47774cdf05e02f
[ 13.223888] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod
[ 13.253700] uhci_hcd: USB Universal Host Controller Interface driver
[ 13.269580] uhci_hcd 0000:00:1d.0: UHCI Host Controller
[ 13.278675] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1
[ 13.287280] uhci_hcd 0000:00:1d.0: detected 2 ports
[ 13.296481] uhci_hcd 0000:00:1d.0: irq 16, io base 0x0000ff00
[ 13.314557] hub 1-0:1.0: USB hub found
[ 13.332614] hub 1-0:1.0: 2 ports detected
[ 13.352400] uhci_hcd 0000:00:1d.1: UHCI Host Controller
[ 13.361016] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2
[ 13.368653] uhci_hcd 0000:00:1d.1: detected 2 ports
[ 13.376700] uhci_hcd 0000:00:1d.1: irq 17, io base 0x0000fee0
[ 13.395046] hub 2-0:1.0: USB hub found
[ 13.403107] hub 2-0:1.0: 2 ports detected
[ 13.418573] uhci_hcd 0000:00:1d.2: UHCI Host Controller
[ 13.426975] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 3
[ 13.434733] uhci_hcd 0000:00:1d.2: detected 2 ports
[ 13.442497] uhci_hcd 0000:00:1d.2: irq 18, io base 0x0000fec0
[ 13.460237] hub 3-0:1.0: USB hub found
[ 13.467466] hub 3-0:1.0: 2 ports detected
[ 13.579102] TRACE: /sbin/insmod(9): main
[ 13.730892] TRACE: /sbin/insmod(53): main
[ 13.781345] DEBUG: No module parameters, extending only with the module's content
[ 13.891152] TRACE: /bin/tpmr(832): main
[ 13.954015] DEBUG: TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko
[ 13.995207] TRACE: /bin/tpmr(234): tpm2_extend
[ 14.031074] TRACE: /bin/tpmr(252): tpm2_extend
[ 14.095694] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ohci-hcd.ko
[ 14.315253] TRACE: /bin/tpmr(265): tpm2_extend
[ 14.369608] DEBUG: TPM: Extended PCR[5] with hash 8a12ce4abfc87f11a023d4f1c26c225f5cffae248f9dad1fd30e78022996df02
[ 14.425800] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod
[ 14.455207] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 14.548050] TRACE: /sbin/insmod(9): main
[ 14.693175] TRACE: /sbin/insmod(53): main
[ 14.742761] DEBUG: No module parameters, extending only with the module's content
[ 14.855233] TRACE: /bin/tpmr(832): main
[ 14.908035] DEBUG: TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko
[ 14.940321] TRACE: /bin/tpmr(234): tpm2_extend
[ 14.970307] TRACE: /bin/tpmr(252): tpm2_extend
[ 15.018421] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ohci-pci.ko
[ 15.226408] TRACE: /bin/tpmr(265): tpm2_extend
[ 15.279951] DEBUG: TPM: Extended PCR[5] with hash 2065ee6544d78a5d31e67983166a9b8cf60dbe61bf0ee99c39e92816cc3a98db
[ 15.335930] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod
[ 15.360537] ohci-pci: OHCI PCI platform driver
[ 15.446600] TRACE: /sbin/insmod(9): main
[ 15.597149] TRACE: /sbin/insmod(53): main
[ 15.649850] DEBUG: No module parameters, extending only with the module's content
[ 15.753738] TRACE: /bin/tpmr(832): main
[ 15.809086] DEBUG: TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko
[ 15.847559] TRACE: /bin/tpmr(234): tpm2_extend
[ 15.878030] TRACE: /bin/tpmr(252): tpm2_extend
[ 15.930320] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ehci-pci.ko
[ 16.131948] TRACE: /bin/tpmr(265): tpm2_extend
[ 16.190395] DEBUG: TPM: Extended PCR[5] with hash 116145df2c495dfd58354025799fe5bb9b4d8e078960e8d0d7ceda746e4f2d06
[ 16.247675] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod
[ 16.275465] ehci-pci: EHCI PCI platform driver
[ 16.296704] ehci-pci 0000:00:1d.7: EHCI Host Controller
[ 16.306151] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 4
[ 16.316293] ehci-pci 0000:00:1d.7: irq 19, io mem 0xfcf80000
[ 16.340527] ehci-pci 0000:00:1d.7: USB 2.0 started, EHCI 1.00
[ 16.357688] hub 4-0:1.0: USB hub found
[ 16.365707] hub 4-0:1.0: 6 ports detected
[ 16.376687] hub 1-0:1.0: USB hub found
[ 16.384573] hub 1-0:1.0: 2 ports detected
[ 16.393986] hub 2-0:1.0: USB hub found
[ 16.401424] hub 2-0:1.0: 2 ports detected
[ 16.410387] hub 3-0:1.0: USB hub found
[ 16.418087] hub 3-0:1.0: 2 ports detected
[ 16.513839] TRACE: /sbin/insmod(9): main
[ 16.670778] TRACE: /sbin/insmod(53): main
[ 16.721953] DEBUG: No module parameters, extending only with the module's content
[ 16.835964] TRACE: /bin/tpmr(832): main
[ 16.888003] DEBUG: TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko
[ 16.919798] TRACE: /bin/tpmr(234): tpm2_extend
[ 16.957470] TRACE: /bin/tpmr(252): tpm2_extend
[ 17.013535] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/xhci-hcd.ko
[ 17.225097] TRACE: /bin/tpmr(265): tpm2_extend
[ 17.281099] DEBUG: TPM: Extended PCR[5] with hash 7f5a6bd0f7de6104e49374e1e5ce421e11795fcc4f53014ef9259d630d7876bc
[ 17.337551] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod
[ 17.448660] TRACE: /sbin/insmod(9): main
[ 17.595458] TRACE: /sbin/insmod(53): main
[ 17.653305] DEBUG: No module parameters, extending only with the module's content
[ 17.763612] TRACE: /bin/tpmr(832): main
[ 17.817350] DEBUG: TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko
[ 17.849196] TRACE: /bin/tpmr(234): tpm2_extend
[ 17.879069] TRACE: /bin/tpmr(252): tpm2_extend
[ 17.927859] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/xhci-pci.ko
[ 18.126778] TRACE: /bin/tpmr(265): tpm2_extend
[ 18.188056] DEBUG: TPM: Extended PCR[5] with hash 5502fa8c101f7e509145b9826094f06dd0e225c2311a14edc9ae9c812518a250
[ 18.247945] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod
[ 18.286509] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 18.294553] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 5
[ 18.308276] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
[ 18.320288] hub 5-0:1.0: USB hub found
[ 18.328425] hub 5-0:1.0: 4 ports detected
[ 18.337635] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 18.344430] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 6
[ 18.351769] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
[ 18.360900] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM.
[ 18.371095] hub 6-0:1.0: USB hub found
[ 18.378046] hub 6-0:1.0: 4 ports detected
[ 18.673695] usb 5-1: new high-speed USB device number 2 using xhci_hcd
[ 18.960744] usb 6-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[ 19.112485] usb 5-3: new full-speed USB device number 3 using xhci_hcd
[ 20.433294] TRACE: /etc/functions(715): detect_boot_device
[ 20.489580] TRACE: /etc/functions(682): mount_possible_boot_device
[ 20.546126] TRACE: /etc/functions(642): is_gpt_bios_grub
[ 20.653417] TRACE: /dev/vda1 is partition 1 of vda
[ 20.777737] TRACE: /etc/functions(619): find_lvm_vg_name
[ 20.946450] TRACE: Try mounting /dev/vda1 as /boot
[ 20.997145] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
[ 21.053058] TRACE: /bin/gui-init(319): clean_boot_check
[ 21.157752] TRACE: /bin/gui-init(348): check_gpg_key
[ 21.260339] TRACE: /bin/gui-init(185): update_totp
[ 21.376906] TRACE: /bin/unseal-totp(8): main
[ 21.497372] TRACE: /bin/tpmr(569): tpm2_unseal
[ 21.574501] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[ 22.212056] DEBUG: Running at_exit handlers
[ 22.247818] TRACE: /bin/tpmr(374): cleanup_session
[ 22.301292] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[ 22.423005] !!! ERROR: Unable to unseal TOTP secret !!!
[ 25.058227] TRACE: /bin/unseal-totp(8): main
[ 25.205031] TRACE: /bin/tpmr(569): tpm2_unseal
[ 25.284388] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[ 25.914243] DEBUG: Running at_exit handlers
[ 25.947988] TRACE: /bin/tpmr(374): cleanup_session
[ 26.001694] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[ 26.126464] !!! ERROR: Unable to unseal TOTP secret !!!
[ 28.766165] TRACE: /bin/unseal-totp(8): main
[ 28.898452] TRACE: /bin/tpmr(569): tpm2_unseal
[ 28.982708] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[ 29.609216] DEBUG: Running at_exit handlers
[ 29.643372] TRACE: /bin/tpmr(374): cleanup_session
[ 29.696741] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[ 29.822748] !!! ERROR: Unable to unseal TOTP secret !!!
[ 31.890980] DEBUG: CONFIG_TPM: y
[ 31.945147] DEBUG: CONFIG_TPM2_TOOLS: y
[ 31.999643] DEBUG: Show PCRs
[ 32.157607] DEBUG: sha256:
[ 32.190288] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.221302] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.251240] 2 : 0x9FC171D45D54BDD49D40E8438BCF15808427BA72B11EC2DF1ACE877CA0CF4F14
[ 32.282127] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.315382] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.345767] 5 : 0xD76470232B7C3FD7D18D4DF3B77DACAFFDB876DBF3E84C996D74F7ECFA0FF60F
[ 32.379099] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.409630] 7 : 0x2E3147A8ADA1FEBEB2D32D7F50F25DC10F47D7CD48DF1D61A2D6BF958114A231
[ 32.439780] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.508514] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.537395] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.583510] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.622661] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.651831] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.687298] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.721766] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.751345] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[ 32.782919] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.813071] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.841994] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.869358] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.907215] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.937346] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[ 32.967810] 23: 0x0000000000000000000000000000000000000000000000000000000000000000
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-09-06 19:07:51 +00:00
|
|
|
TRACE_FUNC
|
2024-08-24 16:49:10 +00:00
|
|
|
DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing"
|
2023-11-02 18:17:38 +00:00
|
|
|
tpmr extend -ix 4 -ic generic ||
|
2024-08-24 16:49:10 +00:00
|
|
|
die "Failed to extend TPM PCR[4]"
|
2022-08-25 18:43:31 +00:00
|
|
|
fi
|
2017-07-12 04:17:45 +00:00
|
|
|
fi
|
2017-07-04 23:49:14 +00:00
|
|
|
|
|
|
|
|
# if no saved options, scan the boot directory and generate
|
2017-07-08 20:59:37 +00:00
|
|
|
if [ ! -r "$TMP_MENU_FILE" ]; then
|
2017-07-04 23:49:14 +00:00
|
|
|
scan_options
|
|
|
|
|
fi
|
|
|
|
|
|
2023-06-30 17:13:48 +00:00
|
|
|
if [ "$CONFIG_BASIC" != "y" ]; then
|
2017-12-05 08:29:07 +00:00
|
|
|
# Optionally enforce device file hashes
|
|
|
|
|
if [ -r "$TMP_HASH_FILE" ]; then
|
|
|
|
|
valid_global_hash="n"
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2017-12-05 08:29:07 +00:00
|
|
|
verify_global_hashes
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2017-12-05 08:29:07 +00:00
|
|
|
if [ "$valid_global_hash" = "n" ]; then
|
|
|
|
|
die "Failed to verify global hashes"
|
|
|
|
|
fi
|
2017-07-08 20:59:37 +00:00
|
|
|
fi
|
|
|
|
|
|
2022-08-25 18:43:31 +00:00
|
|
|
if [ "$CONFIG_IGNORE_ROLLBACK" != "y" -a -r "$TMP_ROLLBACK_FILE" ]; then
|
2017-12-05 08:29:07 +00:00
|
|
|
# in the case of iso boot with a rollback file, do not assume valid
|
|
|
|
|
valid_rollback="n"
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2017-12-05 08:29:07 +00:00
|
|
|
verify_rollback_counter
|
|
|
|
|
fi
|
2017-07-08 20:59:37 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [ "$default_failed" != "y" \
|
2017-07-22 18:57:46 +00:00
|
|
|
-a "$force_menu" = "n" \
|
2017-07-08 20:59:37 +00:00
|
|
|
-a -r "$TMP_DEFAULT_FILE" \
|
|
|
|
|
-a -r "$TMP_DEFAULT_HASH_FILE" ] \
|
2023-11-02 18:17:38 +00:00
|
|
|
; then
|
2017-07-04 23:49:14 +00:00
|
|
|
default_select
|
2017-07-08 20:59:37 +00:00
|
|
|
default_failed="y"
|
2017-07-04 23:49:14 +00:00
|
|
|
else
|
|
|
|
|
user_select
|
|
|
|
|
fi
|
|
|
|
|
done
|
2017-07-08 20:59:37 +00:00
|
|
|
|
2022-12-31 17:41:24 +00:00
|
|
|
die "!!! Shouldn't get here"
|
