2017-04-02 03:02:00 +00:00
|
|
|
#!/bin/sh
|
|
|
|
# Boot a Qubes installation that has already been setup.
|
|
|
|
# This depends on the PCR 4 being "normal-boot":
|
|
|
|
# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
|
|
|
|
# which is only set if the top level /init script has started
|
|
|
|
# without user intervention or dropping into a recovery shell.
|
|
|
|
|
|
|
|
recovery() {
|
|
|
|
echo >&2 "!!!!! $@"
|
|
|
|
rm -f /tmp/secret.key
|
|
|
|
tpm extend -ix 4 -if recovery
|
|
|
|
|
|
|
|
echo >&2 "!!!!! Starting recovery shell"
|
|
|
|
exec /bin/ash
|
|
|
|
}
|
|
|
|
|
|
|
|
. /config
|
|
|
|
|
|
|
|
# TODO: Allow /boot to be encrypted?
|
|
|
|
# This would require a different TPM key or a user
|
|
|
|
# passphrase to decrypt it.
|
|
|
|
mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \
|
|
|
|
|| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'
|
|
|
|
|
2017-04-03 02:21:49 +00:00
|
|
|
BOOT_SCRIPT=/boot/boot.sh
|
|
|
|
if [ ! -x /boot/boot.sh ]; then
|
|
|
|
recovery "$BOOT_SCRIPT does not exist"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Hand control over to the user boot script
|
|
|
|
echo "+++ Checking $BOOT_SCRIPT"
|
|
|
|
gpgv "$BOOT_SCRIPT.asc" "$BOOT_SCRIPT" \
|
|
|
|
|| recovery 'boot script signature failed'
|
|
|
|
|
|
|
|
exec "$BOOT_SCRIPT"
|
|
|
|
|
|
|
|
recovery 'Boot script exec failed?'
|
|
|
|
|
|
|
|
############################
|
|
|
|
# For historical reference
|
|
|
|
|
2017-04-02 03:02:00 +00:00
|
|
|
# TODO: Allow these to be specified on the /boot device
|
|
|
|
XEN=/boot/xen-4.6.3.heads
|
|
|
|
INITRD=/boot/initramfs-4.4.31-11.pvops.qubes.x86_64.img
|
|
|
|
KERNEL=/boot/vmlinuz-4.4.31-11.pvops.qubes.x86_64
|
|
|
|
|
|
|
|
echo "+++ Checking $XEN"
|
|
|
|
gpgv "${XEN}.asc" "${XEN}" \
|
|
|
|
|| recovery 'Xen signature failed'
|
|
|
|
|
|
|
|
echo "+++ Checking $INITRD"
|
|
|
|
gpgv "${INITRD}.asc" "${INITRD}" \
|
|
|
|
|| recovery 'Initrd signature failed'
|
|
|
|
|
|
|
|
echo "+++ Checking $KERNEL"
|
|
|
|
gpgv "${KERNEL}.asc" "${KERNEL}" \
|
|
|
|
|| recovery 'Kernel signature failed'
|
|
|
|
|
|
|
|
# Measure the LUKS headers before we unseal the disk key
|
|
|
|
/bin/qubes-measure-luks $CONFIG_QUBES_DEVS \
|
|
|
|
|| recovery "LUKS measure failed"
|
|
|
|
|
|
|
|
# Attempt to unseal the disk key from the TPM
|
|
|
|
# should we give this some number of tries?
|
|
|
|
unseal-key \
|
|
|
|
|| recovery 'Unseal disk key failed. Starting recovery shell'
|
|
|
|
|
|
|
|
# command line arguments are in the hash, so they are "correct".
|
|
|
|
kexec \
|
|
|
|
-l \
|
2017-04-03 02:21:49 +00:00
|
|
|
--module "${KERNEL} root=LABEL=root ro rd.qubes.hide_all_usb rhgb" \
|
2017-04-02 03:02:00 +00:00
|
|
|
--module "${INITRD}" \
|
2017-04-03 02:21:49 +00:00
|
|
|
--command-line "no-real-mode reboot=no"
|
2017-04-02 03:02:00 +00:00
|
|
|
"${XEN}" \
|
|
|
|
|| recovery "kexec load failed"
|
|
|
|
|
2017-04-03 02:21:49 +00:00
|
|
|
|
|
|
|
kexec -l \
|
|
|
|
--module "${KERNEL} root=UUID=257b593f-d4ae-46ee-b499-14bc9ffd37d4 ro rd.qubes.hide_all_usb" \
|
|
|
|
--module "/boot/initramfs-4.4.31-11.pvops.qubes.x86_64.img" \
|
|
|
|
--command-line "no-real-mode reboot=no" \
|
|
|
|
/boot/xen-4.6.3.heads
|
|
|
|
|
2017-04-02 03:02:00 +00:00
|
|
|
# Last step is to override PCR 6 so that user can't read the key
|
|
|
|
tpm extend -ix 4 -ic qubes \
|
|
|
|
|| recovery 'Unable to scramble PCR'
|
|
|
|
|
|
|
|
echo "+++ Starting Qubes..."
|
|
|
|
exec kexec -e
|