heads/qubes/boot.sh

#!/bin/sh
# /boot/boot.sh -- Startup Qubes
#
# The signature on this script will be verified by the ROM,
# and this script lives on the /boot partition to allow
# the system owner to change the specific Qubes boot parameters
#
# This depends on the PCR 4 being "normal-boot":
# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
# which is only set if the top level /init script has started
# without user intervention or dropping into a recovery shell.
#
# To sign this script and the other bootable components:
#
#	gpg -a --sign --detach-sign boot.sh
#

XEN=/boot/xen-4.6.4.heads
INITRD=/boot/initramfs-4.4.38-11.pvops.qubes.x86_64.img
KERNEL=/boot/vmlinuz-4.4.38-11.pvops.qubes.x86_64


recovery() {
	echo >&2 "!!!!! $@"
	rm -f /tmp/secret.key
	tpm extend -ix 4 -if recovery

	echo >&2 "!!!!! Starting recovery shell"
	exec /bin/ash
}

. /config

echo "+++ Checking $XEN"
gpgv "${XEN}.asc" "${XEN}" \
	|| recovery 'Xen signature failed'

echo "+++ Checking $INITRD"
gpgv "${INITRD}.asc" "${INITRD}" \
	|| recovery 'Initrd signature failed'

echo "+++ Checking $KERNEL"
gpgv "${KERNEL}.asc" "${KERNEL}" \
	|| recovery 'Kernel signature failed'

# Measure the LUKS headers before we unseal the disk key
qubes-measure-luks $CONFIG_QUBES_DEVS \
	|| recovery "LUKS measure failed"

# Attempt to unseal the disk key from the TPM
# should we give this some number of tries?
unseal-key \
	|| recovery 'Unseal disk key failed. Starting recovery shell'

# command line arguments are include in the signature on this script,
# although the root UUID should be specified in some better manner.
kexec \
	-l \
	--module "${KERNEL} root=UUID=257b593f-d4ae-46ee-b499-14bc9ffd37d4 ro rd.qubes.hide_all_usb" \
	--module "${INITRD}" \
	--command-line "no-real-mode reboot=no" \
	"${XEN}" \
|| recovery "kexec load failed"

# Last step is to override PCR 4 so that user can't read the key
tpm extend -ix 4 -ic qubes \
	|| recovery 'Unable to scramble PCR'

echo "+++ Starting Qubes..."
exec kexec -e
Move Qubes startup script to /boot/boot.sh This also adds a set of files in the qubes/ directory that are meant to be copied to the /boot partition. Issue #154: for ease of upgrading Qubes, the script should live on /boot instead of in the ROM. This requires a GPG signature on the startup script to avoid attacks by modifying the boot script. Issue #123: this streamlines the boot process for Qubes, although the disk password is still not passed in correctly to the initrd (issue #29). This does not address issues #110 of how to find the root device. The best approach is probably disk labels, which will require special installation instructions. 2017-04-03 02:21:49 +00:00			`#!/bin/sh`
			`# /boot/boot.sh -- Startup Qubes`
			`#`
			`# The signature on this script will be verified by the ROM,`
			`# and this script lives on the /boot partition to allow`
			`# the system owner to change the specific Qubes boot parameters`
			`#`
			`# This depends on the PCR 4 being "normal-boot":`
			`# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d`
			`# which is only set if the top level /init script has started`
			`# without user intervention or dropping into a recovery shell.`
			`#`
			`# To sign this script and the other bootable components:`
			`#`
			`# gpg -a --sign --detach-sign boot.sh`
			`#`

			`XEN=/boot/xen-4.6.4.heads`
			`INITRD=/boot/initramfs-4.4.38-11.pvops.qubes.x86_64.img`
			`KERNEL=/boot/vmlinuz-4.4.38-11.pvops.qubes.x86_64`


			`recovery() {`
			`echo >&2 "!!!!! $@"`
			`rm -f /tmp/secret.key`
			`tpm extend -ix 4 -if recovery`

			`echo >&2 "!!!!! Starting recovery shell"`
			`exec /bin/ash`
			`}`

			`. /config`

			`echo "+++ Checking $XEN"`
			`gpgv "${XEN}.asc" "${XEN}" \`
			`\|\| recovery 'Xen signature failed'`

			`echo "+++ Checking $INITRD"`
			`gpgv "${INITRD}.asc" "${INITRD}" \`
			`\|\| recovery 'Initrd signature failed'`

			`echo "+++ Checking $KERNEL"`
			`gpgv "${KERNEL}.asc" "${KERNEL}" \`
			`\|\| recovery 'Kernel signature failed'`

			`# Measure the LUKS headers before we unseal the disk key`
			`qubes-measure-luks $CONFIG_QUBES_DEVS \`
			`\|\| recovery "LUKS measure failed"`

			`# Attempt to unseal the disk key from the TPM`
			`# should we give this some number of tries?`
			`unseal-key \`
			`\|\| recovery 'Unseal disk key failed. Starting recovery shell'`

			`# command line arguments are include in the signature on this script,`
			`# although the root UUID should be specified in some better manner.`
			`kexec \`
			`-l \`
			`--module "${KERNEL} root=UUID=257b593f-d4ae-46ee-b499-14bc9ffd37d4 ro rd.qubes.hide_all_usb" \`
			`--module "${INITRD}" \`
			`--command-line "no-real-mode reboot=no" \`
			`"${XEN}" \`
			`\|\| recovery "kexec load failed"`

			`# Last step is to override PCR 4 so that user can't read the key`
			`tpm extend -ix 4 -ic qubes \`
			`\|\| recovery 'Unable to scramble PCR'`

			`echo "+++ Starting Qubes..."`
			`exec kexec -e`