ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 13:07:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2ab90623f9
heads/initrd/bin/gui-init

273 lines
10 KiB
Plaintext
Raw Normal View History

Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
#!/bin/sh
# Boot from a local disk installation
Add menu for TOTP updates, provide sample board config to use gui-init
2018-02-21 23:58:54 +00:00
CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
. /etc/functions
. /etc/config
mount_boot()
{
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
}
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
verify_global_hashes()
{
# Check the hashes of all the files, ignoring signatures for now
check_config /boot force
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
return 0
elif [ ! -f $TMP_HASH_FILE ]; then
Colorize warning and error messages in fbwhiptail Since fbwhiptail allows us to customize the background colors, we should colorize warnings and error messages to provide a user with an additional subtle cue that there might be a problem. I have added two additional configuration options: CONFIG_WARNING_BG_COLOR CONFIG_ERROR_BG_COLOR and in the librem13v2.config file you can see an example for how to set them to be yellow and red gradients, respectively. I've also updated the main two scripts that use whiptail to include those background colors. If you decide to use regular whiptail, just don't set these config options and it should behave as expected.
2018-04-25 20:21:56 +00:00
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
Allow lines to be wrapped closer to the edge
2018-05-03 17:45:45 +00:00
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
update_checksums
fi
return 1
else
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
# if files changed before package manager started, show stern warning
if [ -f "$TMP_PACKAGE_TRIGGER_PRE" ]; then
PRE_CHANGED_FILES=$(grep '^CHANGED_FILES' $TMP_PACKAGE_TRIGGER_POST | cut -f 2 -d '=' | tr -d '"')
Wrap whiptail text that's over 80 characters While the whiptail program wraps text appropriately based on column size, the fbwhiptail program doesn't, leading to text that scrolls off the window where it can no longer be read. This change wraps the longer text output so it all fits.
2018-05-01 21:23:56 +00:00
TEXT="The following files failed the verification process BEFORE package updates ran:\n${PRE_CHANGED_FILES}\n\nCompare against the files Heads has detected have changed:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums anyway?"
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
# if files changed after package manager started, probably caused by package manager
elif [ -f "$TMP_PACKAGE_TRIGGER_POST" ]; then
LAST_PACKAGE_LIST=$(grep -E "^(Install|Remove|Upgrade|Reinstall):" $TMP_PACKAGE_TRIGGER_POST)
UPDATE_INITRAMFS_PACKAGE=$(grep '^UPDATE_INITRAMFS_PACKAGE' $TMP_PACKAGE_TRIGGER_POST | cut -f 2 -d '=' | tr -d '"')
if [ "$UPDATE_INITRAMFS_PACKAGE" != "" ]; then
TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis is likely due to package triggers in$UPDATE_INITRAMFS_PACKAGE.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?"
else
TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis might be due to the following package updates:\n$LAST_PACKAGE_LIST.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?"
fi
else
TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
fi
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
update_checksums
fi
return 1
fi
}
update_checksums()
{
if (whiptail --title 'Update Checksums and sign all files in /boot' \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
mount_boot
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
|| die "Failed to sign default config"
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
# switch back to ro mode
mount -o ro,remount /boot
else
echo "Returning to the main menu"
fi
}
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
Add menu for TOTP updates, provide sample board config to use gui-init
2018-02-21 23:58:54 +00:00
last_half=X
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
while true; do
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
MAIN_MENU_OPTIONS=""
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
unset totp_confirm
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
# update the TOTP code every thirty seconds
date=`date "+%Y-%m-%d %H:%M:%S"`
seconds=`date "+%s"`
half=`expr \( $seconds % 60 \) / 30`
if [ "$CONFIG_TPM" = n ]; then
TOTP="NO TPM"
elif [ "$half" != "$last_half" ]; then
last_half=$half;
TOTP=`unseal-totp`
if [ $? -ne 0 ]; then
Colorize warning and error messages in fbwhiptail Since fbwhiptail allows us to customize the background colors, we should colorize warnings and error messages to provide a user with an additional subtle cue that there might be a problem. I have added two additional configuration options: CONFIG_WARNING_BG_COLOR CONFIG_ERROR_BG_COLOR and in the librem13v2.config file you can see an example for how to set them to be yellow and red gradients, respectively. I've also updated the main two scripts that use whiptail to include those background colors. If you decide to use regular whiptail, just don't set these config options and it should behave as expected.
2018-04-25 20:21:56 +00:00
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
Allow lines to be wrapped closer to the edge
2018-05-03 17:45:45 +00:00
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
'g' ' Generate new TOTP secret' \
'i' ' Ignore error and continue to default boot menu' \
Add a menu option to reset TPM for bootstrapping. Widen menus. One of the other core functions a user needs when bootstrapping is taking over the TPM. I've added a new option in the menu for this and it revealed that some of the menus needed more space so I've widened all the menus and also made the main menu longer so the options don't scroll.
2018-03-09 00:36:56 +00:00
'p' ' Reset the TPM' \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--menu "$date\nTOTP code: $TOTP" 20 90 10 \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
'y' ' Default boot' \
'r' ' TOTP does not match, refresh code' \
'n' ' TOTP does not match after refresh, troubleshoot' \
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
'o' ' Other Boot Options -->' \
'a' ' Advanced Settings -->' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "o" ]; then
whiptail --clear --title "Other Boot Options" \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--menu "Select A Boot Option" 20 90 10 \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
'm' ' Show OS boot menu' \
'u' ' USB boot' \
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
'i' ' Ignore tampering and force a boot (Unsafe!)' \
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
'r' ' <-- Return to main menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Advanced Settings" \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--menu "Configure Advanced Settings" 20 90 10 \
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
'g' ' Generate new TOTP secret' \
Add a menu option to reset TPM for bootstrapping. Widen menus. One of the other core functions a user needs when bootstrapping is taking over the TPM. I've added a new option in the menu for this and it revealed that some of the menus needed more space so I've widened all the menus and also made the main menu longer so the options don't scroll.
2018-03-09 00:36:56 +00:00
'p' ' Reset the TPM' \
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
's' ' Update checksums and sign all files in /boot' \
'r' ' <-- Return to main menu' \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "x" ]; then
recovery "User requested recovery shell"
fi
if [ "$totp_confirm" = "r" ]; then
continue
fi
if [ "$totp_confirm" = "n" ]; then
Colorize warning and error messages in fbwhiptail Since fbwhiptail allows us to customize the background colors, we should colorize warnings and error messages to provide a user with an additional subtle cue that there might be a problem. I have added two additional configuration options: CONFIG_WARNING_BG_COLOR CONFIG_ERROR_BG_COLOR and in the librem13v2.config file you can see an example for how to set them to be yellow and red gradients, respectively. I've also updated the main two scripts that use whiptail to include those background colors. If you decide to use regular whiptail, just don't set these config options and it should behave as expected.
2018-04-25 20:21:56 +00:00
if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
echo ""
echo "To correct clock drift: 'date -s HH:MM:SS'"
echo "and save it to the RTC: 'hwclock -w'"
echo "then reboot and try again"
echo ""
recovery "TOTP mismatch"
else
continue
fi
fi
if [ "$totp_confirm" = "u" ]; then
exec /bin/usb-init
continue
fi
if [ "$totp_confirm" = "g" ]; then
if (whiptail --title 'Generate new TOTP secret' \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
Add a menu option to reset TPM for bootstrapping. Widen menus. One of the other core functions a user needs when bootstrapping is taking over the TPM. I've added a new option in the menu for this and it revealed that some of the menus needed more space so I've widened all the menus and also made the main menu longer so the options don't scroll.
2018-03-09 00:36:56 +00:00
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
read
/bin/reboot
else
echo "Returning to the main menu"
fi
continue
fi
if [ "$totp_confirm" = "p" ]; then
if (whiptail --title 'Reset the TPM' \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "This will clear the TPM, erase the old TPM password and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
Add a menu option to reset TPM for bootstrapping. Widen menus. One of the other core functions a user needs when bootstrapping is taking over the TPM. I've added a new option in the menu for this and it revealed that some of the menus needed more space so I've widened all the menus and also made the main menu longer so the options don't scroll.
2018-03-09 00:36:56 +00:00
/bin/tpm-reset
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
# now that the TPM is reset, remove invalid kexec_rollback.txt file
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
mount -o ro,remount /boot
Add menu for TOTP updates, provide sample board config to use gui-init
2018-02-21 23:58:54 +00:00
echo "Scan the QR code to add the new TOTP secret"
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
Add menu for TOTP updates, provide sample board config to use gui-init
2018-02-21 23:58:54 +00:00
read
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
/bin/reboot
else
echo "Returning to the main menu"
fi
continue
fi
if [ "$totp_confirm" = "m" ]; then
# Try to select a kernel from the menu
mount_boot
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
verify_global_hashes
if [ $? -ne 0 ]; then
continue
fi
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
kexec-select-boot -m -b /boot -c "grub.cfg" -g
continue
fi
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
if [ "$totp_confirm" = "i" ]; then
# Run the menu selection in "force" mode, bypassing hash checks
Colorize warning and error messages in fbwhiptail Since fbwhiptail allows us to customize the background colors, we should colorize warnings and error messages to provide a user with an additional subtle cue that there might be a problem. I have added two additional configuration options: CONFIG_WARNING_BG_COLOR CONFIG_ERROR_BG_COLOR and in the librem13v2.config file you can see an example for how to set them to be yellow and red gradients, respectively. I've also updated the main two scripts that use whiptail to include those background colors. If you decide to use regular whiptail, just don't set these config options and it should behave as expected.
2018-04-25 20:21:56 +00:00
if (whiptail $CONFIG_WARNING_BG_COLOR --title 'Unsafe Forced Boot Selected!' \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 90) then
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
mount_boot
kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
else
echo "Returning to the main menu"
fi
continue
fi
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
if [ "$totp_confirm" = "s" ]; then
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
update_checksums
Create nested menus and add option to rehash/sign /boot The number of options we want in the menu is starting to get large enough that it's worth slimming things down in the main menu and move options to nested menus. Along with this nested menu change is the option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 17:14:22 +00:00
continue
fi
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
# Try to boot the default
mount_boot
Add GUI package update handler w/ checksum update function Part of the Heads workflow involves handling legitimate changes to /boot as part of the package manager. This is a challenging workflow to handle as package managers on many systems work in a completely unattended way (and some even reboot first, apply updates, and then reboot again). We need to be able to detect changes that are potentially caused by a package manager so to do that I've set up a trigger within the OS (currently just for Debian) that runs both before and after package updates. It verifies the signatures in /boot and if they fail before package updates it creates a log file in /boot/kexec_package_trigger_pre.txt. If they fail after package updates run /boot/kexec_package_trigger_post.txt is created. These files contain the following fields: CHANGED_FILES: A list of files in /boot that failed the sha256sum check UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to trigger initramfs changes Following those fields is a list of log output from the last package manager run which contains its own formatted fields (I'm pulling from /var/lib/dpkg/info). When a user selects a boot option, gui-init first verifies the checksums just to catch errors before calling kexec-select-boot. If there are any errors it looks for these package logs and if they exist, it displays appropriate warnings. If the files are absent it displays a more generic warning. The user is also given an opportunity to re-sign the /boot hashes.
2018-04-03 22:20:34 +00:00
verify_global_hashes
if [ $? -ne 0 ]; then
continue
fi
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
if [ -r "$DEFAULT_FILE" ]; then
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads
2018-03-08 19:41:44 +00:00
kexec-select-boot -b /boot -c "grub.cfg" -g \
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
|| recovery "Failed default boot"
else
if (whiptail --title 'No Default Boot Option Configured' \
Extend whiptail window to 90 columns wide Wrapping text to 80 characters works but due to font size and padding the maximum 80 character lines start to get truncated. Extending the window to 90 characters will resolve this.
2018-05-01 22:20:35 +00:00
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 16 90) then
Replace remaining text-only options in main workflow w/ gui menus In particular I added a GUI menu to instruct the user if there is no TOTP code registered (as is the case upon first flash) and also added better handling of the case the user selects 'default boot' when there is no default boot set yet. Apart from that where there were text-only menus left in gui-init I've replaced them with GUI menus.
2018-02-23 20:13:21 +00:00
kexec-select-boot -m -b /boot -c "grub.cfg" -g
else
echo "Returning to the main menu"
fi
continue
fi
fi
Add graphical init menu that uses whiptail This is a modified version of the generic-init script that uses whiptail to generate a graphical menu. I changed two of the options so that the user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 23:35:37 +00:00
done
recovery "Something failed during boot"
Reference in New Issue Copy Permalink