heads/initrd/bin/qubes-init

#!/bin/sh
# Boot a Qubes installation that has already been setup.
# This depends on the PCR 4 being "normal-boot":
# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
# which is only set if the top level /init script has started
# without user intervention or dropping into a recovery shell.

. /etc/functions
. /etc/config

if [ "$1" = "recovery" ]; then
	warn "Recovery mode boot; ignoring key failures"
	RECOVERY=1
fi

# TODO: Allow /boot to be encrypted?
# This would require a different TPM key, a user passphrase to decrypt it,
# or loading the USB modules to talk to a Yubikey to get the thing.
if ! grep -q /boot /proc/mounts ; then
	mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \
		|| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'
fi

BOOT_HASHES=/boot/boot.hashes
if [ ! -r "$BOOT_HASHES" ]; then
	recovery "$BOOT_HASHES does not exist; re-run qubes-update"
fi

# Verify the signature on the hashes
gpgv "$BOOT_HASHES.asc" "$BOOT_HASHES" \
	|| recovery 'boot hashes signature failed'

# Retrieve the TPM counter ID and generate its current value
TPM_COUNTER=`grep counter $BOOT_HASHES | cut -d- -f2`
if [ -z "$TPM_COUNTER" ]; then
	recovery "$BOOT_HASHES: TPM counter not found?"
fi

tpm counter_read -ix "$TPM_COUNTER" | tee "/tmp/counter-$TPM_COUNTER"

# Check the hashes of all the files
sha256sum -c "$BOOT_HASHES" \
|| recovery "$BOOT_HASHES: hash mismatch"

XEN=`grep /boot/xen $BOOT_HASHES | cut -d\  -f3 | tail -1`
KERNEL=`grep /boot/vmlin $BOOT_HASHES | cut -d\  -f3 | tail -1`
INITRD=`grep /boot/initram $BOOT_HASHES | cut -d\  -f3 | tail -1`

# Activate the dom0 group
lvm vgchange -a y "$CONFIG_QUBES_VG" \
	|| recovery "$CONFIG_QUBES_VG: LVM volume group activate failed"

# Measure the LUKS headers before we unseal the disk key
qubes-measure-luks /dev/$CONFIG_QUBES_VG/* \
	|| recovery "LUKS measure failed"

# Unpack the initrd and fixup the /etc/crypttab
# this is a hack to split it into two parts since
# we know that the first 0x3400 bytes are the microcode
INITRD_DIR=/tmp/secret/initrd
SECRET_CPIO=/tmp/secret/initrd.cpio
mkdir -p "$INITRD_DIR/etc"

# Attempt to unseal the disk key from the TPM
# should we give this some number of tries?
if ! unseal-key "$INITRD_DIR/secret.key" ; then
	warn 'Unseal disk key failed'
	if [ -z "$RECOVERY" ]; then
		recovery 'Starting recovery shell'
	fi
fi

# Override PCR 4 so that user can't read the key
tpm extend -ix 4 -ic qubes \
	|| recovery 'Unable to scramble PCR'

echo '+++ Building initrd'
( cd "$INITRD_DIR" ; find . | cpio -H newc -o ) > "$SECRET_CPIO"
cat "$INITRD" >> "$SECRET_CPIO"

/bin/qubes-boot "$XEN" "$KERNEL" "$SECRET_CPIO"

recovery "Something failed..."
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00			`#!/bin/sh`
			`# Boot a Qubes installation that has already been setup.`
			`# This depends on the PCR 4 being "normal-boot":`
			`# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d`
			`# which is only set if the top level /init script has started`
			`# without user intervention or dropping into a recovery shell.`

Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`. /etc/functions`
			`. /etc/config`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`if [ "$1" = "recovery" ]; then`
			`warn "Recovery mode boot; ignoring key failures"`
			`RECOVERY=1`
			`fi`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
			`# TODO: Allow /boot to be encrypted?`
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# This would require a different TPM key, a user passphrase to decrypt it,`
			`# or loading the USB modules to talk to a Yubikey to get the thing.`
			`if ! grep -q /boot /proc/mounts ; then`
			`mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \`
			`\|\| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'`
Move Qubes startup script to /boot/boot.sh This also adds a set of files in the qubes/ directory that are meant to be copied to the /boot partition. Issue #154: for ease of upgrading Qubes, the script should live on /boot instead of in the ROM. This requires a GPG signature on the startup script to avoid attacks by modifying the boot script. Issue #123: this streamlines the boot process for Qubes, although the disk password is still not passed in correctly to the initrd (issue #29). This does not address issues #110 of how to find the root device. The best approach is probably disk labels, which will require special installation instructions. 2017-04-03 02:21:49 +00:00			`fi`

Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`BOOT_HASHES=/boot/boot.hashes`
			`if [ ! -r "$BOOT_HASHES" ]; then`
			`recovery "$BOOT_HASHES does not exist; re-run qubes-update"`
			`fi`
Move Qubes startup script to /boot/boot.sh This also adds a set of files in the qubes/ directory that are meant to be copied to the /boot partition. Issue #154: for ease of upgrading Qubes, the script should live on /boot instead of in the ROM. This requires a GPG signature on the startup script to avoid attacks by modifying the boot script. Issue #123: this streamlines the boot process for Qubes, although the disk password is still not passed in correctly to the initrd (issue #29). This does not address issues #110 of how to find the root device. The best approach is probably disk labels, which will require special installation instructions. 2017-04-03 02:21:49 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# Verify the signature on the hashes`
			`gpgv "$BOOT_HASHES.asc" "$BOOT_HASHES" \`
			`\|\| recovery 'boot hashes signature failed'`
Move Qubes startup script to /boot/boot.sh This also adds a set of files in the qubes/ directory that are meant to be copied to the /boot partition. Issue #154: for ease of upgrading Qubes, the script should live on /boot instead of in the ROM. This requires a GPG signature on the startup script to avoid attacks by modifying the boot script. Issue #123: this streamlines the boot process for Qubes, although the disk password is still not passed in correctly to the initrd (issue #29). This does not address issues #110 of how to find the root device. The best approach is probably disk labels, which will require special installation instructions. 2017-04-03 02:21:49 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# Retrieve the TPM counter ID and generate its current value`
			TPM_COUNTER=`grep counter $BOOT_HASHES \| cut -d- -f2`
			`if [ -z "$TPM_COUNTER" ]; then`
			`recovery "$BOOT_HASHES: TPM counter not found?"`
			`fi`
Move Qubes startup script to /boot/boot.sh This also adds a set of files in the qubes/ directory that are meant to be copied to the /boot partition. Issue #154: for ease of upgrading Qubes, the script should live on /boot instead of in the ROM. This requires a GPG signature on the startup script to avoid attacks by modifying the boot script. Issue #123: this streamlines the boot process for Qubes, although the disk password is still not passed in correctly to the initrd (issue #29). This does not address issues #110 of how to find the root device. The best approach is probably disk labels, which will require special installation instructions. 2017-04-03 02:21:49 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`tpm counter_read -ix "$TPM_COUNTER" \| tee "/tmp/counter-$TPM_COUNTER"`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# Check the hashes of all the files`
			`sha256sum -c "$BOOT_HASHES" \`
			`\|\| recovery "$BOOT_HASHES: hash mismatch"`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			XEN=`grep /boot/xen $BOOT_HASHES \| cut -d\ -f3 \| tail -1`
			KERNEL=`grep /boot/vmlin $BOOT_HASHES \| cut -d\ -f3 \| tail -1`
			INITRD=`grep /boot/initram $BOOT_HASHES \| cut -d\ -f3 \| tail -1`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# Activate the dom0 group`
			`lvm vgchange -a y "$CONFIG_QUBES_VG" \`
			`\|\| recovery "$CONFIG_QUBES_VG: LVM volume group activate failed"`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00
			`# Measure the LUKS headers before we unseal the disk key`
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`qubes-measure-luks /dev/$CONFIG_QUBES_VG/* \`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00			`\|\| recovery "LUKS measure failed"`

Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`# Unpack the initrd and fixup the /etc/crypttab`
			`# this is a hack to split it into two parts since`
			`# we know that the first 0x3400 bytes are the microcode`
			`INITRD_DIR=/tmp/secret/initrd`
			`SECRET_CPIO=/tmp/secret/initrd.cpio`
			`mkdir -p "$INITRD_DIR/etc"`

qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00			`# Attempt to unseal the disk key from the TPM`
			`# should we give this some number of tries?`
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`if ! unseal-key "$INITRD_DIR/secret.key" ; then`
			`warn 'Unseal disk key failed'`
			`if [ -z "$RECOVERY" ]; then`
			`recovery 'Starting recovery shell'`
			`fi`
			`fi`

			`# Override PCR 4 so that user can't read the key`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-02 03:02:00 +00:00			`tpm extend -ix 4 -ic qubes \`
			`\|\| recovery 'Unable to scramble PCR'`

Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys. 2017-04-12 10:57:58 +00:00			`echo '+++ Building initrd'`
			`( cd "$INITRD_DIR" ; find . \| cpio -H newc -o ) > "$SECRET_CPIO"`
			`cat "$INITRD" >> "$SECRET_CPIO"`

			`/bin/qubes-boot "$XEN" "$KERNEL" "$SECRET_CPIO"`

			`recovery "Something failed..."`