heads/initrd/bin/gui-init

#!/bin/sh
# Boot from a local disk installation

CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'

. /etc/functions
. /etc/config

mount_boot()
{
  # Mount local disk if it is not already mounted
  if ! grep -q /boot /proc/mounts ; then
    mount -o ro /boot \
      || recovery "Unable to mount /boot"
  fi
}


last_half=X
while true; do
  MAIN_MENU_OPTIONS=""
  unset totp_confirm
  # update the TOTP code every thirty seconds
  date=`date "+%Y-%m-%d %H:%M:%S"`
  seconds=`date "+%s"`
  half=`expr \( $seconds % 60 \) / 30`
  if [ "$CONFIG_TPM" = n ]; then
    TOTP="NO TPM"
  elif [ "$half" != "$last_half" ]; then
    last_half=$half;
    TOTP=`unseal-totp`
    if [ $? -ne 0 ]; then
      whiptail --clear --title "ERROR: TOTP Generation Failed!" \
        --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 20 60 4 \
        'g' ' Generate new TOTP secret' \
        'i' ' Ignore error and continue to default boot menu' \
        'x' ' Exit to recovery shell' \
        2>/tmp/whiptail || recovery "GUI menu failed"

      totp_confirm=$(cat /tmp/whiptail)
    fi
  fi

  if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
    whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
      --menu "$date\nTOTP code: $TOTP" 20 60 8 \
      'y' ' Default boot' \
      'r' ' TOTP does not match, refresh code' \
      'n' ' TOTP does not match after refresh, troubleshoot' \
      'm' ' Show OS boot menu' \
      'u' ' USB boot' \
      'g' ' Generate new TOTP secret' \
      'i' ' Ignore tampering and force a boot (Unsafe!)' \
      'x' ' Exit to recovery shell' \
      2>/tmp/whiptail || recovery "GUI menu failed"

    totp_confirm=$(cat /tmp/whiptail)
  fi

  if [ "$totp_confirm" = "x" ]; then
    recovery "User requested recovery shell"
  fi

  if [ "$totp_confirm" = "r" ]; then
    continue
  fi

  if [ "$totp_confirm" = "n" ]; then
    if (whiptail --title "TOTP code mismatched" \
      --yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 60) then
      echo ""
      echo "To correct clock drift: 'date -s HH:MM:SS'"
      echo "and save it to the RTC: 'hwclock -w'"
      echo "then reboot and try again"
      echo ""
      recovery "TOTP mismatch"
    else
      continue
    fi
  fi

  if [ "$totp_confirm" = "u" ]; then
    exec /bin/usb-init
    continue
  fi

  if [ "$totp_confirm" = "g" ]; then
    if (whiptail --title 'Generate new TOTP secret' \
        --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 60) then
      echo "Scan the QR code to add the new TOTP secret"
      /bin/seal-totp
      echo "Once you have scanned the QR code, hit Enter to reboot"
      read
      /bin/reboot
    else
      echo "Returning to the main menu"
    fi
    continue
  fi

  if [ "$totp_confirm" = "m" ]; then
    # Try to select a kernel from the menu
    mount_boot
    kexec-select-boot -m -b /boot -c "grub.cfg" -g
    continue
  fi

  if [ "$totp_confirm" = "i" ]; then
    # Run the menu selection in "force" mode, bypassing hash checks
    if (whiptail --title 'Unsafe Forced Boot Selected!' \
        --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 60) then
      mount_boot
      kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
    else
      echo "Returning to the main menu"
    fi
    continue
  fi

  if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
    # Try to boot the default
    mount_boot
	  DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
    if [ -r "$DEFAULT_FILE" ]; then
      kexec-select-boot -b /boot -c "grub.cfg" \
      || recovery "Failed default boot"
    else
      if (whiptail --title 'No Default Boot Option Configured' \
          --yesno "There is no default boot option configured yet. Would you like to load a menu of boot options? Otherwise you will return to the main menu." 16 60) then
        kexec-select-boot -m -b /boot -c "grub.cfg" -g
      else
        echo "Returning to the main menu"
      fi
      continue
    fi
  fi

done

recovery "Something failed during boot"
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00			`#!/bin/sh`
			`# Boot from a local disk installation`

Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 23:58:54 +00:00			`CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'`

Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00			`. /etc/functions`
			`. /etc/config`

			`mount_boot()`
			`{`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`# Mount local disk if it is not already mounted`
			`if ! grep -q /boot /proc/mounts ; then`
			`mount -o ro /boot \`
			`\|\| recovery "Unable to mount /boot"`
			`fi`
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00			`}`


Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 23:58:54 +00:00			`last_half=X`
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00			`while true; do`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`MAIN_MENU_OPTIONS=""`
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00			`unset totp_confirm`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`# update the TOTP code every thirty seconds`
			date=`date "+%Y-%m-%d %H:%M:%S"`
			seconds=`date "+%s"`
			half=`expr \( $seconds % 60 \) / 30`
			`if [ "$CONFIG_TPM" = n ]; then`
			`TOTP="NO TPM"`
			`elif [ "$half" != "$last_half" ]; then`
			`last_half=$half;`
			TOTP=`unseal-totp`
			`if [ $? -ne 0 ]; then`
			`whiptail --clear --title "ERROR: TOTP Generation Failed!" \`
			`--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 20 60 4 \`
			`'g' ' Generate new TOTP secret' \`
			`'i' ' Ignore error and continue to default boot menu' \`
			`'x' ' Exit to recovery shell' \`
			`2>/tmp/whiptail \|\| recovery "GUI menu failed"`

			`totp_confirm=$(cat /tmp/whiptail)`
			`fi`
			`fi`

			`if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then`
			`whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \`
			`--menu "$date\nTOTP code: $TOTP" 20 60 8 \`
			`'y' ' Default boot' \`
			`'r' ' TOTP does not match, refresh code' \`
			`'n' ' TOTP does not match after refresh, troubleshoot' \`
			`'m' ' Show OS boot menu' \`
			`'u' ' USB boot' \`
			`'g' ' Generate new TOTP secret' \`
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation. 2018-03-05 22:46:15 +00:00			`'i' ' Ignore tampering and force a boot (Unsafe!)' \`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`'x' ' Exit to recovery shell' \`
			`2>/tmp/whiptail \|\| recovery "GUI menu failed"`

			`totp_confirm=$(cat /tmp/whiptail)`
			`fi`

			`if [ "$totp_confirm" = "x" ]; then`
			`recovery "User requested recovery shell"`
			`fi`

			`if [ "$totp_confirm" = "r" ]; then`
			`continue`
			`fi`

			`if [ "$totp_confirm" = "n" ]; then`
			`if (whiptail --title "TOTP code mismatched" \`
			`--yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 60) then`
			`echo ""`
			`echo "To correct clock drift: 'date -s HH:MM:SS'"`
			`echo "and save it to the RTC: 'hwclock -w'"`
			`echo "then reboot and try again"`
			`echo ""`
			`recovery "TOTP mismatch"`
			`else`
			`continue`
			`fi`
			`fi`

			`if [ "$totp_confirm" = "u" ]; then`
			`exec /bin/usb-init`
			`continue`
			`fi`

			`if [ "$totp_confirm" = "g" ]; then`
			`if (whiptail --title 'Generate new TOTP secret' \`
			`--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 60) then`
Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 23:58:54 +00:00			`echo "Scan the QR code to add the new TOTP secret"`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`/bin/seal-totp`
			`echo "Once you have scanned the QR code, hit Enter to reboot"`
Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 23:58:54 +00:00			`read`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`/bin/reboot`
			`else`
			`echo "Returning to the main menu"`
			`fi`
			`continue`
			`fi`

			`if [ "$totp_confirm" = "m" ]; then`
			`# Try to select a kernel from the menu`
			`mount_boot`
			`kexec-select-boot -m -b /boot -c "grub.cfg" -g`
			`continue`
			`fi`

Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation. 2018-03-05 22:46:15 +00:00			`if [ "$totp_confirm" = "i" ]; then`
			`# Run the menu selection in "force" mode, bypassing hash checks`
			`if (whiptail --title 'Unsafe Forced Boot Selected!' \`
			`--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 60) then`
			`mount_boot`
			`kexec-select-boot -m -b /boot -c "grub.cfg" -g -f`
			`else`
			`echo "Returning to the main menu"`
			`fi`
			`continue`
			`fi`

Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus. 2018-02-23 20:13:21 +00:00			`if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then`
			`# Try to boot the default`
			`mount_boot`
			DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null \| head -1`
			`if [ -r "$DEFAULT_FILE" ]; then`
			`kexec-select-boot -b /boot -c "grub.cfg" \`
			`\|\| recovery "Failed default boot"`
			`else`
			`if (whiptail --title 'No Default Boot Option Configured' \`
			`--yesno "There is no default boot option configured yet. Would you like to load a menu of boot options? Otherwise you will return to the main menu." 16 60) then`
			`kexec-select-boot -m -b /boot -c "grub.cfg" -g`
			`else`
			`echo "Returning to the main menu"`
			`fi`
			`continue`
			`fi`
			`fi`
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed. 2018-02-20 23:35:37 +00:00
			`done`

			`recovery "Something failed during boot"`